diff --git a/Makefile b/Makefile
index f8f2901dc4..45fcd6ad15 100644
--- a/Makefile
+++ b/Makefile
@@ -14,6 +14,10 @@ $(GOBIN)/wire:
 wire: $(GOBIN)/wire
 	wire gen ./...
 
+.PHONY: mock
+mock: $(GOBIN)/mockery
+	mockery -all -inpkg -case=snake -dir $(DIR)
+
 .PHONY: deps
 deps:
 	go get ${u} -d
diff --git a/go.mod b/go.mod
index 955df782cc..609e30bc9e 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.13
 require (
 	github.com/aquasecurity/fanal v0.0.0-20200413182139-9213b79eba1a
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
-	github.com/aquasecurity/trivy-db v0.0.0-20200331122722-2adcf16a2a26
+	github.com/aquasecurity/trivy-db v0.0.0-20200408191531-0a25a37ec16f
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
diff --git a/go.sum b/go.sum
index 4ec67ca96f..0abae3c1eb 100644
--- a/go.sum
+++ b/go.sum
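Review bot: The new `mock` target passes `-dir $(DIR)` but nothing in the hunk defines `DIR`, so a plain `make mock` runs mockery with an empty `-dir` argument; if the variable is meant to be supplied on the command line, a default such as `DIR ?= .` next to the target, or a one-line comment `# usage: make mock DIR=<package dir>`, would make that explicit. The recipe also invokes `mockery` from PATH while only listing `$(GOBIN)/mockery` as a prerequisite, so the binary that actually runs is not necessarily the one the prerequisite produced; the existing `wire` target follows the same pattern, so this is a pre-existing convention rather than a regression, but `$(GOBIN)/mockery -all -inpkg -case=snake -dir $(DIR)` would pin it. No rule for `$(GOBIN)/mockery` is visible in this hunk; if it installs the tool without a pinned version, generated mocks will drift between machines, which is worth checking in the rest of the Makefile.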
@@ -56,8 +56,14 @@ github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod
 github.com/aquasecurity/testdocker v0.0.0-20200406162423-9b83286bd1ae h1:MNvPhakB1g45yckXFYqcXReJiPUFUdCrPDMwAH/ewDo=
 github.com/aquasecurity/testdocker v0.0.0-20200406162423-9b83286bd1ae/go.mod h1:vyPK00Qw+SJfLuGM/7wRo1i02eqhEBRvw0PBmaj41bI=
 github.com/aquasecurity/trivy v0.1.6/go.mod h1:5hobyhxLzDtxruHzPxpND2PUKOssvGUdE9BocpJUwo4=
-github.com/aquasecurity/trivy-db v0.0.0-20200331122722-2adcf16a2a26 h1:KGAZ0FoLGQNYdtSzy4tVPr+/4AxpBQHYdBf+C9joopE=
-github.com/aquasecurity/trivy-db v0.0.0-20200331122722-2adcf16a2a26/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw=
+github.com/aquasecurity/trivy-db v0.0.0-20200318223623-7d3e67b057d4 h1:DeVT3LzIgKc+5sGhSGusWL+JZ/kiWGjKjQYeshz/gOk=
+github.com/aquasecurity/trivy-db v0.0.0-20200318223623-7d3e67b057d4/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw=
+github.com/aquasecurity/trivy-db v0.0.0-20200320001732-d65430e7cb51 h1:UDbKEUn5J9SRotdUBI0sUYE8GB8Ctn8YiXhVhZWmrHI=
+github.com/aquasecurity/trivy-db v0.0.0-20200320001732-d65430e7cb51/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw=
+github.com/aquasecurity/trivy-db v0.0.0-20200327012036-a11aca42bc75 h1:ZErX9Coa8nvxKDR3cHNxY+QKM2YqN71ux2sfdFBp6mY=
+github.com/aquasecurity/trivy-db v0.0.0-20200327012036-a11aca42bc75/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw=
+github.com/aquasecurity/trivy-db v0.0.0-20200408191531-0a25a37ec16f h1:1A6fTVFWnz19rAWbqUczS7UPbSyjBsVqCRzhWCvB4vQ=
+github.com/aquasecurity/trivy-db v0.0.0-20200408191531-0a25a37ec16f/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
diff --git a/integration/client_server_test.go b/integration/client_server_test.go
index 41f03ac126..3a06aadc10 100644
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -160,16 +160,6 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/centos-7-ignore-unfixed.json.golden",
 		},
-		{
-			name: "centos 7 integration with critical severity",
-			testArgs: args{
-				Version: "dev",
-				IgnoreUnfixed: true,
-				Severity: []string{"CRITICAL"},
-				Input: "testdata/fixtures/centos-7.tar.gz",
-			},
-			golden: "testdata/centos-7-critical.json.golden",
-		},
 		{
 			name: "centos 7 integration with low and high severity",
 			testArgs: args{
diff --git a/integration/standalone_test.go b/integration/standalone_test.go
index a4d18d2128..60dab54107 100644
--- a/integration/standalone_test.go
+++ b/integration/standalone_test.go
@@ -168,18 +168,6 @@ func TestRun_WithTar(t *testing.T) {
 			},
 			golden: "testdata/centos-7-ignore-unfixed.json.golden",
 		},
-		{
-			name: "centos 7 integration with critical severity",
-			testArgs: args{
-				Version: "dev",
-				SkipUpdate: true,
-				IgnoreUnfixed: true,
-				Severity: []string{"CRITICAL"},
-				Format: "json",
-				Input: "testdata/fixtures/centos-7.tar.gz",
-			},
-			golden: "testdata/centos-7-critical.json.golden",
-		},
 		{
 			name: "centos 7 integration with low and high severity",
 			testArgs: args{
diff --git a/integration/testdata/alpine-310-ignore-cveids.json.golden b/integration/testdata/alpine-310-ignore-cveids.json.golden
index f1a279ec27..9b5eb4574f 100644
--- a/integration/testdata/alpine-310-ignore-cveids.json.golden
+++ b/integration/testdata/alpine-310-ignore-cveids.json.golden
@@ -1,7 +1,35 @@ [ { "Target": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)", + "Type": "alpine", "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-1551", + "PkgName": "openssl", + "InstalledVersion": "1.1.1c-r0", + "FixedVersion": "1.1.1d-r2", + "Layer": { + "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" + }, + "SeveritySource": "nvd", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" + ] + }, { "VulnerabilityID": "CVE-2019-1547", "PkgName": "openssl", 
@@ -10,6 +38,7 @@ "Layer": { "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" }, + "SeveritySource": "nvd", "Title": "openssl: side-channel weak encryption vulnerability", "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "LOW", diff --git a/integration/testdata/alpine-310-ignore-unfixed.json.golden b/integration/testdata/alpine-310-ignore-unfixed.json.golden index 9b1d8ce7b4..bbb9e926b6 100644 --- a/integration/testdata/alpine-310-ignore-unfixed.json.golden +++ b/integration/testdata/alpine-310-ignore-unfixed.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)", + "Type": "alpine", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2019-1549", 
@@ -10,6 +11,7 @@ "Layer": { "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in fork()", "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "Severity": "MEDIUM", 
@@ -22,6 +24,33 @@ "https://www.openssl.org/news/secadv/20190910.txt" ] }, + { + "VulnerabilityID": "CVE-2019-1551", + "PkgName": "openssl", + "InstalledVersion": "1.1.1c-r0", + "FixedVersion": "1.1.1d-r2", + "Layer": { + "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" + }, + "SeveritySource": "nvd", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" + ] + }, { "VulnerabilityID": "CVE-2019-1563", "PkgName": "openssl", @@ -30,6 +59,7 @@ "Layer": { "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "MEDIUM", 
@@ -52,6 +82,7 @@ "Layer": { "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" }, + "SeveritySource": "nvd", "Title": "openssl: side-channel weak encryption vulnerability", "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "LOW", diff --git a/integration/testdata/alpine-310-medium-high.json.golden b/integration/testdata/alpine-310-medium-high.json.golden index f6e6da4767..fc87d2e66f 100644 --- a/integration/testdata/alpine-310-medium-high.json.golden +++ b/integration/testdata/alpine-310-medium-high.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)", + "Type": "alpine", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2019-1549", 
@@ -10,6 +11,7 @@ "Layer": { "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in fork()", "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "Severity": "MEDIUM", 
@@ -22,6 +24,33 @@ "https://www.openssl.org/news/secadv/20190910.txt" ] }, + { + "VulnerabilityID": "CVE-2019-1551", + "PkgName": "openssl", + "InstalledVersion": "1.1.1c-r0", + "FixedVersion": "1.1.1d-r2", + "Layer": { + "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" + }, + "SeveritySource": "nvd", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" + ] + }, { "VulnerabilityID": "CVE-2019-1563", "PkgName": "openssl", @@ -30,6 +59,7 @@ "Layer": { "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "MEDIUM", 
diff --git a/integration/testdata/alpine-310.json.golden b/integration/testdata/alpine-310.json.golden index 9b1d8ce7b4..bbb9e926b6 100644 --- a/integration/testdata/alpine-310.json.golden +++ b/integration/testdata/alpine-310.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)", + "Type": "alpine", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2019-1549", @@ -10,6 +11,7 @@ "Layer": { "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in fork()", "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "Severity": "MEDIUM", 
@@ -22,6 +24,33 @@ "https://www.openssl.org/news/secadv/20190910.txt" ] }, + { + "VulnerabilityID": "CVE-2019-1551", + "PkgName": "openssl", + "InstalledVersion": "1.1.1c-r0", + "FixedVersion": "1.1.1d-r2", + "Layer": { + "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" + }, + "SeveritySource": "nvd", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" + ] + }, { "VulnerabilityID": "CVE-2019-1563", "PkgName": "openssl", @@ -30,6 +59,7 @@ "Layer": { "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "MEDIUM", 
@@ -52,6 +82,7 @@ "Layer": { "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0" }, + "SeveritySource": "nvd", "Title": "openssl: side-channel weak encryption vulnerability", "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "LOW", diff --git a/integration/testdata/alpine-39.json.golden b/integration/testdata/alpine-39.json.golden index 1b58a6176b..18300d6829 100644 --- a/integration/testdata/alpine-39.json.golden +++ b/integration/testdata/alpine-39.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/alpine-39.tar.gz (alpine 3.9.4)", + "Type": "alpine", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2019-14697", 
@@ -10,10 +11,12 @@ "Layer": { "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81" }, + "SeveritySource": "nvd", "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.", "Severity": "HIGH", "References": [ "http://www.openwall.com/lists/oss-security/2019/08/06/4", + "https://security.gentoo.org/glsa/202003-13", "https://www.openwall.com/lists/musl/2019/08/06/1" ] }, @@ -25,6 +28,7 @@ "Layer": { "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in fork()", "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).", "Severity": "MEDIUM", 
@@ -37,6 +41,33 @@ "https://www.openssl.org/news/secadv/20190910.txt" ] }, + { + "VulnerabilityID": "CVE-2019-1551", + "PkgName": "openssl", + "InstalledVersion": "1.1.1b-r1", + "FixedVersion": "1.1.1d-r2", + "Layer": { + "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81" + }, + "SeveritySource": "nvd", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" + ] + }, { "VulnerabilityID": "CVE-2019-1563", "PkgName": "openssl", @@ -45,6 +76,7 @@ "Layer": { "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "MEDIUM", 
@@ -67,6 +99,7 @@ "Layer": { "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81" }, + "SeveritySource": "nvd", "Title": "openssl: side-channel weak encryption vulnerability", "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "LOW", diff --git a/integration/testdata/amazon-1.json.golden b/integration/testdata/amazon-1.json.golden index 1b471bf4a7..c88fb65a82 100644 --- a/integration/testdata/amazon-1.json.golden +++ b/integration/testdata/amazon-1.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/amazon-1.tar.gz (amazon AMI release 2018.03)", + "Type": "amazon", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2019-5481", 
@@ -10,13 +11,15 @@ "Layer": { "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" }, + "SeveritySource": "amazon", "Title": "curl: double free due to subsequent call of realloc()", "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" ] @@ -29,10 +32,13 @@ "Layer": { "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" }, + "SeveritySource": "amazon", "Title": "curl: heap buffer overflow in function tftp_receive_packet()", "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", "https://curl.haxx.se/docs/CVE-2019-5482.html", 
@@ -41,6 +47,76 @@ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" ] }, + { + "VulnerabilityID": "CVE-2019-18218", + "PkgName": "file-libs", + "InstalledVersion": "5.34-3.37.amzn1", + "FixedVersion": "5.37-8.48.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "file: heap-based buffer overflow in cdf_read_property_info in cdf.c", + "Description": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).", + "Severity": "MEDIUM", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218", + "https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84", + "https://lists.debian.org/debian-lts-announce/2019/10/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV6PFCEYHYALMTT45QE2U5C5TEJZQPXJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VBK6XOJR6OVWT2FUEBO7V7KCOSSLAP52/", + "https://usn.ubuntu.com/4172-1/", + "https://usn.ubuntu.com/4172-2/", + "https://www.debian.org/security/2019/dsa-4550" + ] + }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "glibc", + "InstalledVersion": "2.17-260.175.amzn1", + "FixedVersion": "2.17-292.178.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace 
and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-260.175.amzn1", + "FixedVersion": "2.17-292.178.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + 
"https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, { "VulnerabilityID": "CVE-2019-5481", "PkgName": "libcurl", @@ -49,13 +125,15 @@ "Layer": { "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" }, + "SeveritySource": "amazon", "Title": "curl: double free due to subsequent call of realloc()", "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" ] @@ -68,10 +146,13 @@ "Layer": { "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" }, + "SeveritySource": "amazon", "Title": "curl: heap buffer overflow in function tftp_receive_packet()", "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", "https://curl.haxx.se/docs/CVE-2019-5482.html", 
@@ -80,6 +161,46 @@ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" ] }, + { + "VulnerabilityID": "CVE-2019-12290", + "PkgName": "libidn2", + "InstalledVersion": "0.16-1.2.amzn1", + "FixedVersion": "2.3.0-1.4.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.", + "Severity": "MEDIUM", + "References": [ + "https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5", + "https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de", + "https://gitlab.com/libidn/libidn2/merge_requests/71", + "https://usn.ubuntu.com/4168-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18224", + "PkgName": "libidn2", + "InstalledVersion": "0.16-1.2.amzn1", + "FixedVersion": "2.3.0-1.4.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c", + "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224", + 
"https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c", + "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/", + "https://usn.ubuntu.com/4168-1/" + ] + }, { "VulnerabilityID": "CVE-2019-9511", "PkgName": "libnghttp2", @@ -88,10 +209,13 @@ "Layer": { "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" }, + "SeveritySource": "amazon", "Title": "HTTP/2: large amount of data requests leads to denial of service", "Description": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9511.html", + "http://linux.oracle.com/errata/ELSA-2019-2925.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511", "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "https://kb.cert.org/vuls/id/605641/", 
@@ -119,10 +243,13 @@ "Layer": { "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" }, + "SeveritySource": "amazon", "Title": "HTTP/2: flood using PRIORITY frames results in excessive resource consumption", "Description": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9513.html", + "http://linux.oracle.com/errata/ELSA-2019-2925.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513", "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "https://kb.cert.org/vuls/id/605641/", 
@@ -142,6 +269,905 @@ "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", "https://www.synology.com/security/advisory/Synology_SA_19_33" ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nspr", + "InstalledVersion": "4.19.0-1.43.amzn1", + "FixedVersion": "4.21.0-1.43.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nspr", + "InstalledVersion": "4.19.0-1.43.amzn1", + "FixedVersion": "4.21.0-1.43.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + 
"Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nspr", + "InstalledVersion": "4.19.0-1.43.amzn1", + "FixedVersion": "4.21.0-1.43.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nspr", + "InstalledVersion": "4.19.0-1.43.amzn1", + "FixedVersion": "4.21.0-1.43.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.42.amzn1", + "FixedVersion": "3.44.0-8.44.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.42.amzn1", + "FixedVersion": "3.44.0-8.44.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.42.amzn1", + "FixedVersion": "3.44.0-8.44.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.42.amzn1", + "FixedVersion": "3.44.0-8.44.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.42.amzn1", + "FixedVersion": "3.44.0-8.44.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.42.amzn1", + "FixedVersion": "3.44.0-8.44.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.42.amzn1", + "FixedVersion": "3.44.0-8.44.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.42.amzn1", + "FixedVersion": "3.44.0-8.44.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-5.82.amzn1", + "FixedVersion": "3.44.0-7.84.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-util", + "InstalledVersion": "3.36.0-1.54.amzn1", + "FixedVersion": "3.44.0-4.56.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-util", + "InstalledVersion": "3.36.0-1.54.amzn1", + "FixedVersion": "3.44.0-4.56.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-util", + "InstalledVersion": "3.36.0-1.54.amzn1", + "FixedVersion": "3.44.0-4.56.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss-util", + "InstalledVersion": "3.36.0-1.54.amzn1", + "FixedVersion": "3.44.0-4.56.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "openssl", + "InstalledVersion": "1:1.0.2k-16.150.amzn1", + "FixedVersion": "1:1.0.2k-16.151.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "HIGH", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, + { + "VulnerabilityID": "CVE-2019-16056", + "PkgName": "python27", + "InstalledVersion": "2.7.16-1.129.amzn1", + "FixedVersion": "2.7.16-1.130.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "python: email.utils.parseaddr wrongly parses email addresses", + "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. 
An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056", + "https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" + ] + }, + { + "VulnerabilityID": "CVE-2019-16935", + "PkgName": "python27", + "InstalledVersion": "2.7.16-1.129.amzn1", + "FixedVersion": "2.7.16-1.131.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field", + "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. 
If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue38243", + "https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897", + "https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213", + "https://github.com/python/cpython/pull/16373", + "https://security.netapp.com/advisory/ntap-20191017-0004/", + "https://usn.ubuntu.com/4151-1/", + "https://usn.ubuntu.com/4151-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-16056", + "PkgName": "python27-libs", + "InstalledVersion": "2.7.16-1.129.amzn1", + "FixedVersion": "2.7.16-1.130.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "python: email.utils.parseaddr wrongly parses email addresses", + "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. 
An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056", + "https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" + ] + }, + { + "VulnerabilityID": "CVE-2019-16935", + "PkgName": "python27-libs", + "InstalledVersion": "2.7.16-1.129.amzn1", + "FixedVersion": "2.7.16-1.131.amzn1", + "Layer": { + "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf" + }, + "SeveritySource": "amazon", + "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field", + "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. 
If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue38243", + "https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897", + "https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213", + "https://github.com/python/cpython/pull/16373", + "https://security.netapp.com/advisory/ntap-20191017-0004/", + "https://usn.ubuntu.com/4151-1/", + "https://usn.ubuntu.com/4151-2/" + ] } ] } diff --git a/integration/testdata/amazon-2.json.golden b/integration/testdata/amazon-2.json.golden index c7af987660..fc16f7389e 100644 --- a/integration/testdata/amazon-2.json.golden +++ b/integration/testdata/amazon-2.json.golden 
@@ -1,7 +1,52 @@ [ { "Target": "testdata/fixtures/amazon-2.tar.gz (amazon 2 (Karoo))", + "Type": "amazon", "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-5481", + "PkgName": "curl", + "InstalledVersion": "7.61.1-9.amzn2.0.1", + "FixedVersion": "7.61.1-12.amzn2.0.1", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "curl: double free due to subsequent call of realloc()", + "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "curl", + "InstalledVersion": "7.61.1-9.amzn2.0.1", + "FixedVersion": "7.61.1-12.amzn2.0.1", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, { "VulnerabilityID": "CVE-2019-5435", "PkgName": "curl", @@ -10,9 +55,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "curl: Integer overflows in curl_url_set() function", "Description": "An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://curl.haxx.se/docs/CVE-2019-5435.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435", @@ -28,9 +74,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function", "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", 
@@ -40,6 +87,249 @@ "https://security.netapp.com/advisory/ntap-20190606-0004/" ] }, + { + "VulnerabilityID": "CVE-2018-16062", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.170-4.amzn2", + "FixedVersion": "0.176-2.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file", + "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16062.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23541", + "https://sourceware.org/git/?p=elfutils.git;a=commit;h=29e31978ba51c1051743a503ee325b5ebc03d7e9", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-16402", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.170-4.amzn2", + "FixedVersion": "0.176-2.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", + "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", + "Severity": "LOW", + "References": [ + 
"http://linux.oracle.com/cve/CVE-2018-16402.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-16403", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.170-4.amzn2", + "FixedVersion": "0.176-2.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash", + "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16403.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23529", + "https://sourceware.org/git/?p=elfutils.git;a=commit;h=6983e59b727458a6c64d9659c85f08218bc4fcda", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-18310", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.170-4.amzn2", + "FixedVersion": "0.176-2.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl", + "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils 
through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18310.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23752", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-18520", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.170-4.amzn2", + "FixedVersion": "0.176-2.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "elfutils: eu-size cannot handle recursive ar files", + "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. 
The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18520.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23787", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-18521", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.170-4.amzn2", + "FixedVersion": "0.176-2.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c", + "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18521.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23786", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7149", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.170-4.amzn2", + "FixedVersion": "0.176-2.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "elfutils: heap-based buffer 
over-read in read_srclines in dwarf_getsrclines.c in libdw", + "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7149.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24102", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7150", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.170-4.amzn2", + "FixedVersion": "0.176-2.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c", + "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. 
A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7150.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24103", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7664", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.170-4.amzn2", + "FixedVersion": "0.176-2.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h", + "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. 
Crafted elf input causes a segmentation fault, leading to denial of service (program crash).", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7664.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24084" + ] + }, + { + "VulnerabilityID": "CVE-2019-7665", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.170-4.amzn2", + "FixedVersion": "0.176-2.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c", + "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7665.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24089", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18218", + "PkgName": "file-libs", + "InstalledVersion": "5.11-33.amzn2.0.2", + "FixedVersion": "5.11-35.amzn2.0.2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "file: heap-based buffer overflow in cdf_read_property_info in cdf.c", + "Description": "cdf_read_property_info in cdf.c in file 
through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).", + "Severity": "MEDIUM", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218", + "https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84", + "https://lists.debian.org/debian-lts-announce/2019/10/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV6PFCEYHYALMTT45QE2U5C5TEJZQPXJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VBK6XOJR6OVWT2FUEBO7V7KCOSSLAP52/", + "https://usn.ubuntu.com/4172-1/", + "https://usn.ubuntu.com/4172-2/", + "https://www.debian.org/security/2019/dsa-4550" + ] + }, { "VulnerabilityID": "CVE-2019-12450", "PkgName": "glib2", @@ -48,10 +338,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress", "Description": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-12450.html", + "http://linux.oracle.com/errata/ELSA-2019-3530.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450", "https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174", "https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html", 
@@ -61,6 +354,50 @@ "https://usn.ubuntu.com/4014-2/" ] }, + { + "VulnerabilityID": "CVE-2019-5481", + "PkgName": "libcurl", + "InstalledVersion": "7.61.1-9.amzn2.0.1", + "FixedVersion": "7.61.1-12.amzn2.0.1", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "curl: double free due to subsequent call of realloc()", + "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "libcurl", + "InstalledVersion": "7.61.1-9.amzn2.0.1", + "FixedVersion": "7.61.1-12.amzn2.0.1", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, { "VulnerabilityID": "CVE-2019-5435", "PkgName": "libcurl", @@ -69,9 +406,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "curl: Integer overflows in curl_url_set() function", "Description": "An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://curl.haxx.se/docs/CVE-2019-5435.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435", @@ -87,9 +425,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function", "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", 
@@ -99,6 +438,46 @@ "https://security.netapp.com/advisory/ntap-20190606-0004/" ] }, + { + "VulnerabilityID": "CVE-2019-12290", + "PkgName": "libidn2", + "InstalledVersion": "2.0.4-1.amzn2.0.2", + "FixedVersion": "2.3.0-1.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.", + "Severity": "MEDIUM", + "References": [ + "https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5", + "https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de", + "https://gitlab.com/libidn/libidn2/merge_requests/71", + "https://usn.ubuntu.com/4168-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18224", + "PkgName": "libidn2", + "InstalledVersion": "2.0.4-1.amzn2.0.2", + "FixedVersion": "2.3.0-1.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c", + "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224", + "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c", + 
"https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/", + "https://usn.ubuntu.com/4168-1/" + ] + }, { "VulnerabilityID": "CVE-2019-9511", "PkgName": "libnghttp2", @@ -107,10 +486,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "HTTP/2: large amount of data requests leads to denial of service", "Description": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9511.html", + "http://linux.oracle.com/errata/ELSA-2019-2925.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511", "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "https://kb.cert.org/vuls/id/605641/", 
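Review bot: The added CVE-2019-12290 libidn2 entry in the `@@ -99,6 +438,46 @@` hunk is the only record on this page without a `"Title"` field, while its sibling CVE-2019-18224 and every other new entry have one. If the file was regenerated from the database this presumably reflects a missing title upstream rather than a serializer issue, but it is worth confirming before freezing it as expected output, because once the golden file accepts both shapes a later regression that drops titles would go unnoticed by this test.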
@@ -138,10 +520,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "HTTP/2: flood using PRIORITY frames results in excessive resource consumption", "Description": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9513.html", + "http://linux.oracle.com/errata/ELSA-2019-2925.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513", "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "https://kb.cert.org/vuls/id/605641/", @@ -170,10 +555,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3858.html", + "http://linux.oracle.com/errata/ELSA-2019-2136.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", 
@@ -200,10 +588,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "libssh2: Out-of-bounds reads with specially crafted SSH packets", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3861.html", + "http://linux.oracle.com/errata/ELSA-2019-2136.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3861", @@ -224,10 +615,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3862.html", + "http://linux.oracle.com/errata/ELSA-2019-4693.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", 
@@ -254,9 +648,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "libxml2: Use after free via namespace node in XPointer ranges", "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.", - "Severity": "CRITICAL", + "Severity": "MEDIUM", "References": [ "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html", @@ -283,9 +678,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "libxml2: Mishandling parameter-entity references", "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://xmlsoft.org/news.html", "https://bugzilla.gnome.org/show_bug.cgi?id=766956", @@ -302,9 +698,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", 
@@ -319,9 +716,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", @@ -336,6 +734,7 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", "Severity": "MEDIUM", @@ -353,6 +752,7 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", "Severity": "MEDIUM", 
@@ -370,9 +770,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", @@ -387,9 +788,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", @@ -404,6 +806,7 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", "Severity": "MEDIUM", 
@@ -421,6 +824,7 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", "Severity": "MEDIUM", @@ -438,9 +842,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", @@ -455,9 +860,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", 
@@ -472,6 +878,7 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", "Severity": "MEDIUM", @@ -489,6 +896,7 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", "Severity": "MEDIUM", 
@@ -499,21 +907,57 @@ ] }, { - "VulnerabilityID": "CVE-2018-12404", + "VulnerabilityID": "CVE-2019-11729", "PkgName": "nss", "InstalledVersion": "3.36.0-7.amzn2", - "FixedVersion": "3.44.0-4.amzn2.0.2", + "FixedVersion": "3.44.0-7.amzn2", "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, - "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", - "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", - "Severity": "MEDIUM", + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", - "http://www.securityfocus.com/bid/107260", - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.amzn2", + "FixedVersion": "3.44.0-7.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { 
@@ -524,10 +968,233 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + 
"VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.amzn2", + "FixedVersion": "3.44.0-4.amzn2.0.2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.amzn2", + "FixedVersion": "3.44.0-8.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.amzn2", + "FixedVersion": "3.44.0-8.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.amzn2", + "FixedVersion": "3.44.0-8.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.amzn2", + "FixedVersion": "3.44.0-8.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.amzn2", + "FixedVersion": "3.44.0-7.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.amzn2", + "FixedVersion": "3.44.0-7.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.amzn2", + "FixedVersion": "3.44.0-4.amzn2.0.2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -558,28 +1225,88 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" ] }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.amzn2", + "FixedVersion": "3.44.0-7.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.amzn2", + "FixedVersion": "3.44.0-7.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2018-0495", - "PkgName": "nss-sysinit", + "PkgName": "nss-tools", "InstalledVersion": "3.36.0-7.amzn2", "FixedVersion": "3.44.0-4.amzn2.0.2", "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", @@ -610,10 +1337,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -621,53 +1351,124 @@ ] }, { - "VulnerabilityID": "CVE-2018-0495", - "PkgName": "nss-tools", - "InstalledVersion": "3.36.0-7.amzn2", - "FixedVersion": "3.44.0-4.amzn2.0.2", + "VulnerabilityID": "CVE-2019-1547", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-16.amzn2.1.1", + "FixedVersion": "1:1.0.2k-19.amzn2.0.3", "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "SeveritySource": "amazon", + "Title": "openssl: side-channel weak encryption vulnerability", + "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. 
Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "HIGH", "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://arxiv.org/abs/1909.01785", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" ] }, { - 
"VulnerabilityID": "CVE-2019-5010", - "PkgName": "python", - "InstalledVersion": "2.7.14-58.amzn2.0.4", - "FixedVersion": "2.7.16-1.amzn2.0.1", + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-16.amzn2.1.1", + "FixedVersion": "1:1.0.2k-19.amzn2.0.3", "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", + "SeveritySource": "amazon", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "HIGH", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, + { + "VulnerabilityID": "CVE-2018-0734", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-16.amzn2.1.1", + "FixedVersion": "1:1.0.2k-19.amzn2.0.1", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "openssl: timing side channel attack in the DSA signature algorithm", + "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). 
Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0734.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html", + "http://www.securityfocus.com/bid/105758", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7", + "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", + "https://security.netapp.com/advisory/ntap-20181105-0002/", + "https://security.netapp.com/advisory/ntap-20190118-0002/", + "https://security.netapp.com/advisory/ntap-20190423-0002/", + "https://usn.ubuntu.com/3840-1/", + "https://www.debian.org/security/2018/dsa-4348", + "https://www.debian.org/security/2018/dsa-4355", + "https://www.openssl.org/news/secadv/20181030.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "https://www.tenable.com/security/tns-2018-16", + "https://www.tenable.com/security/tns-2018-17" + ] + }, + { + "VulnerabilityID": "CVE-2019-1559", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-16.amzn2.1.1", + "FixedVersion": "1:1.0.2k-19.amzn2.0.1", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "openssl: 0-byte record padding oracle", + "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the 
calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-1559.html", + "http://linux.oracle.com/errata/ELSA-2019-2471.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html", + "http://www.securityfocus.com/bid/107174", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e", + "https://github.com/RUB-NDS/TLS-Padding-Oracles", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html", + "https://security.gentoo.org/glsa/201903-10", + "https://security.netapp.com/advisory/ntap-20190301-0001/", + "https://security.netapp.com/advisory/ntap-20190301-0002/", + "https://security.netapp.com/advisory/ntap-20190423-0002/", + "https://support.f5.com/csp/article/K18549143", + "https://usn.ubuntu.com/3899-1/", + 
"https://www.debian.org/security/2019/dsa-4400", + "https://www.openssl.org/news/secadv/20190226.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.tenable.com/security/tns-2019-02", + "https://www.tenable.com/security/tns-2019-03" ] }, { @@ -678,15 +1479,20 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib", - "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.", - "Severity": "MEDIUM", + "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1060.html", + "http://linux.oracle.com/errata/ELSA-2018-3041.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html", "http://www.securitytracker.com/id/1042001", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3041", "https://access.redhat.com/errata/RHSA-2018:3505", "https://access.redhat.com/errata/RHSA-2019:1260", + "https://access.redhat.com/errata/RHSA-2019:3725", "https://bugs.python.org/issue32981", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1060", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060", @@ -702,7 +1508,8 @@ "https://usn.ubuntu.com/3817-1/", "https://usn.ubuntu.com/3817-2/", "https://www.debian.org/security/2018/dsa-4306", - "https://www.debian.org/security/2018/dsa-4307" + "https://www.debian.org/security/2018/dsa-4307", + "https://www.oracle.com/security-alerts/cpujan2020.html" ] }, { 
@@ -713,10 +1520,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib", "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1061.html", + "http://linux.oracle.com/errata/ELSA-2018-3041.html", "http://www.securitytracker.com/id/1042001", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3041", @@ -748,9 +1558,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data", "Description": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ "https://bugs.python.org/issue34656", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20406", 
@@ -774,19 +1585,57 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc", "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-10160.html", + "http://linux.oracle.com/errata/ELSA-2019-1587.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html", "https://access.redhat.com/errata/RHSA-2019:1587", + "https://access.redhat.com/errata/RHSA-2019:1700", + "https://access.redhat.com/errata/RHSA-2019:2437", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160", "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09", "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e", "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de", "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468", "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/", "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html", - "https://security.netapp.com/advisory/ntap-20190617-0003/" + "https://security.netapp.com/advisory/ntap-20190617-0003/", + "https://usn.ubuntu.com/4127-1/", + "https://usn.ubuntu.com/4127-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5010", + "PkgName": "python", + "InstalledVersion": "2.7.14-58.amzn2.0.4", + "FixedVersion": "2.7.16-1.amzn2.0.1", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", + "Description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. 
An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5010.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", + "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758" ] }, { @@ -797,10 +1646,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization", "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9636.html", + "http://linux.oracle.com/errata/ELSA-2019-1467.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html", "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html", 
@@ -832,6 +1684,30 @@ "https://security.netapp.com/advisory/ntap-20190517-0001/" ] }, + { + "VulnerabilityID": "CVE-2019-16056", + "PkgName": "python", + "InstalledVersion": "2.7.14-58.amzn2.0.4", + "FixedVersion": "2.7.16-4.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "python: email.utils.parseaddr wrongly parses email addresses", + "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056", + "https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" + ] + }, { "VulnerabilityID": "CVE-2019-9948", "PkgName": "python", 
@@ -840,10 +1716,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9948.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", "http://www.securityfocus.com/bid/107549", @@ -854,22 +1733,6 @@ "https://security.netapp.com/advisory/ntap-20190404-0004/" ] }, - { - "VulnerabilityID": "CVE-2019-5010", - "PkgName": "python-libs", - "InstalledVersion": "2.7.14-58.amzn2.0.4", - "FixedVersion": "2.7.16-1.amzn2.0.1", - "Layer": { - "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" - }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" - ] - }, { "VulnerabilityID": "CVE-2018-1060", "PkgName": "python-libs", 
@@ -878,15 +1741,20 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib", - "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.", - "Severity": "MEDIUM", + "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1060.html", + "http://linux.oracle.com/errata/ELSA-2018-3041.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html", "http://www.securitytracker.com/id/1042001", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3041", "https://access.redhat.com/errata/RHSA-2018:3505", "https://access.redhat.com/errata/RHSA-2019:1260", + "https://access.redhat.com/errata/RHSA-2019:3725", "https://bugs.python.org/issue32981", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1060", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060", @@ -902,7 +1770,8 @@ "https://usn.ubuntu.com/3817-1/", "https://usn.ubuntu.com/3817-2/", "https://www.debian.org/security/2018/dsa-4306", - "https://www.debian.org/security/2018/dsa-4307" + "https://www.debian.org/security/2018/dsa-4307", + "https://www.oracle.com/security-alerts/cpujan2020.html" ] }, { 
@@ -913,10 +1782,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib", "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1061.html", + "http://linux.oracle.com/errata/ELSA-2018-3041.html", "http://www.securitytracker.com/id/1042001", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3041", @@ -948,9 +1820,10 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data", "Description": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ "https://bugs.python.org/issue34656", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20406", 
@@ -974,19 +1847,57 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc", "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-10160.html", + "http://linux.oracle.com/errata/ELSA-2019-1587.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html", "https://access.redhat.com/errata/RHSA-2019:1587", + "https://access.redhat.com/errata/RHSA-2019:1700", + "https://access.redhat.com/errata/RHSA-2019:2437", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160", "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09", "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e", "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de", "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468", "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/", "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html", - "https://security.netapp.com/advisory/ntap-20190617-0003/" + "https://security.netapp.com/advisory/ntap-20190617-0003/", + "https://usn.ubuntu.com/4127-1/", + "https://usn.ubuntu.com/4127-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5010", + "PkgName": "python-libs", + "InstalledVersion": "2.7.14-58.amzn2.0.4", + "FixedVersion": "2.7.16-1.amzn2.0.1", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", + "Description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. 
An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5010.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", + "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758" ] }, { @@ -997,10 +1908,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization", "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9636.html", + "http://linux.oracle.com/errata/ELSA-2019-1467.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html", "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html", 
@@ -1032,6 +1946,30 @@ "https://security.netapp.com/advisory/ntap-20190517-0001/" ] }, + { + "VulnerabilityID": "CVE-2019-16056", + "PkgName": "python-libs", + "InstalledVersion": "2.7.14-58.amzn2.0.4", + "FixedVersion": "2.7.16-4.amzn2", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "python: email.utils.parseaddr wrongly parses email addresses", + "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056", + "https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" + ] + }, { "VulnerabilityID": "CVE-2019-9948", "PkgName": "python-libs", 
@@ -1040,10 +1978,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9948.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", "http://www.securityfocus.com/bid/107549", 
@@ -1054,6 +1995,30 @@ "https://security.netapp.com/advisory/ntap-20190404-0004/" ] }, + { + "VulnerabilityID": "CVE-2019-13734", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.amzn2.0.2", + "FixedVersion": "3.7.17-8.amzn2.1.1", + "Layer": { + "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" + }, + "SeveritySource": "amazon", + "Title": "sqlite: fts3: improve shadow table corruption detection", + "Description": "Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-13734.html", + "http://linux.oracle.com/errata/ELSA-2020-0273.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025466", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] + }, { "VulnerabilityID": "CVE-2019-12735", "PkgName": "vim-minimal", 
@@ -1062,10 +2027,13 @@ "Layer": { "DiffID": "sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6" }, + "SeveritySource": "amazon", "Title": "vim/neovim: ':source!' command allows arbitrary command execution via modelines", "Description": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.", - "Severity": "CRITICAL", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-12735.html", + "http://linux.oracle.com/errata/ELSA-2019-1774.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html", diff --git a/integration/testdata/centos-6.json.golden b/integration/testdata/centos-6.json.golden index 03bf920838..5ac3d6eaf9 100644 --- a/integration/testdata/centos-6.json.golden +++ b/integration/testdata/centos-6.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/centos-6.tar.gz (centos 6.10)", + "Type": "centos", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2015-5186", @@ -9,6 +10,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "Audit: log terminal emulator escape sequences handling", "Description": "Audit before 2.4.4 in Linux does not sanitize escape characters in filenames.", "Severity": "MEDIUM", 
@@ -20,252 +22,6 @@ "https://people.redhat.com/sgrubb/audit/ChangeLog" ] }, - { - "VulnerabilityID": "CVE-2014-6277", - "PkgName": "bash", - "InstalledVersion": "4.1.2-48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "bash: uninitialized here document closing delimiter pointer use", - "Description": "GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.", - "Severity": "CRITICAL", - "References": [ - "http://jvn.jp/en/jp/JVN55667175/index.html", - "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126", - "http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html", - "http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html", - "http://linux.oracle.com/errata/ELSA-2014-3093", - "http://linux.oracle.com/errata/ELSA-2014-3094", - "http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html", - "http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html", - "http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html", - "http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html", - "http://marc.info/?l=bugtraq\u0026m=141330468527613\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141345648114150\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383026420882\u0026w=2", - 
"http://marc.info/?l=bugtraq\u0026m=141383081521087\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383196021590\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383244821813\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383304022067\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383353622268\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383465822787\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141450491804793\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141576728022234\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577137423233\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577241923505\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577297623641\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141585637922673\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141879528318582\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142118135300698\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142289270617409\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142358026505815\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142358078406056\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142721162228379\u0026w=2", - "http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html", - "http://secunia.com/advisories/58200", - "http://secunia.com/advisories/59907", - "http://secunia.com/advisories/59961", - "http://secunia.com/advisories/60024", - "http://secunia.com/advisories/60034", - "http://secunia.com/advisories/60044", - "http://secunia.com/advisories/60055", - "http://secunia.com/advisories/60063", - "http://secunia.com/advisories/60193", - "http://secunia.com/advisories/60325", - "http://secunia.com/advisories/60433", - "http://secunia.com/advisories/61065", - "http://secunia.com/advisories/61128", - "http://secunia.com/advisories/61129", - "http://secunia.com/advisories/61283", - "http://secunia.com/advisories/61287", - "http://secunia.com/advisories/61291", - "http://secunia.com/advisories/61312", - 
"http://secunia.com/advisories/61313", - "http://secunia.com/advisories/61328", - "http://secunia.com/advisories/61442", - "http://secunia.com/advisories/61471", - "http://secunia.com/advisories/61485", - "http://secunia.com/advisories/61503", - "http://secunia.com/advisories/61550", - "http://secunia.com/advisories/61552", - "http://secunia.com/advisories/61565", - "http://secunia.com/advisories/61603", - "http://secunia.com/advisories/61633", - "http://secunia.com/advisories/61641", - "http://secunia.com/advisories/61643", - "http://secunia.com/advisories/61654", - "http://secunia.com/advisories/61703", - "http://secunia.com/advisories/61780", - "http://secunia.com/advisories/61816", - "http://secunia.com/advisories/61857", - "http://secunia.com/advisories/62312", - "http://secunia.com/advisories/62343", - "http://support.apple.com/HT204244", - "http://support.novell.com/security/cve/CVE-2014-6277.html", - "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685541", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685604", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685733", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685749", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685914", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686131", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686246", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686445", - 
"http://www-01.ibm.com/support/docview.wss?uid=swg21686479", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686494", - "http://www-01.ibm.com/support/docview.wss?uid=swg21687079", - "http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:164", - "http://www.novell.com/support/kb/doc.php?id=7015721", - "http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html", - "http://www.qnap.com/i/en/support/con_show.php?cid=61", - "http://www.ubuntu.com/usn/USN-2380-1", - "http://www.vmware.com/security/advisories/VMSA-2014-0010.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277", - "https://kb.bluecoat.com/index?page=content\u0026id=SA82", - "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10648", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10085", - "https://support.apple.com/HT205267", - "https://support.citrix.com/article/CTX200217", - "https://support.citrix.com/article/CTX200223", - "https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04497075", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04518183", - "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk102673\u0026src=securityAlerts", - "https://www.suse.com/support/shellshock/" - ] - }, - { - "VulnerabilityID": "CVE-2014-6278", - "PkgName": "bash", - "InstalledVersion": "4.1.2-48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "bash: incorrect parsing of function definitions with nested command substitutions", - "Description": "GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote 
attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.", - "Severity": "CRITICAL", - "References": [ - "http://jvn.jp/en/jp/JVN55667175/index.html", - "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126", - "http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html", - "http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html", - "http://linux.oracle.com/errata/ELSA-2014-3093", - "http://linux.oracle.com/errata/ELSA-2014-3094", - "http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html", - "http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html", - "http://marc.info/?l=bugtraq\u0026m=141330468527613\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141345648114150\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383026420882\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383081521087\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383196021590\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383244821813\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383304022067\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383353622268\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383465822787\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141450491804793\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141576728022234\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577137423233\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577241923505\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577297623641\u0026w=2", - 
"http://marc.info/?l=bugtraq\u0026m=141585637922673\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141879528318582\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142118135300698\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142358026505815\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142358078406056\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142721162228379\u0026w=2", - "http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html", - "http://packetstormsecurity.com/files/137344/Sun-Secure-Global-Desktop-Oracle-Global-Desktop-Shellshock.html", - "http://secunia.com/advisories/58200", - "http://secunia.com/advisories/59907", - "http://secunia.com/advisories/59961", - "http://secunia.com/advisories/60024", - "http://secunia.com/advisories/60034", - "http://secunia.com/advisories/60044", - "http://secunia.com/advisories/60055", - "http://secunia.com/advisories/60063", - "http://secunia.com/advisories/60193", - "http://secunia.com/advisories/60325", - "http://secunia.com/advisories/60433", - "http://secunia.com/advisories/61065", - "http://secunia.com/advisories/61128", - "http://secunia.com/advisories/61129", - "http://secunia.com/advisories/61283", - "http://secunia.com/advisories/61287", - "http://secunia.com/advisories/61291", - "http://secunia.com/advisories/61312", - "http://secunia.com/advisories/61313", - "http://secunia.com/advisories/61328", - "http://secunia.com/advisories/61442", - "http://secunia.com/advisories/61471", - "http://secunia.com/advisories/61485", - "http://secunia.com/advisories/61503", - "http://secunia.com/advisories/61550", - "http://secunia.com/advisories/61552", - "http://secunia.com/advisories/61565", - "http://secunia.com/advisories/61603", - "http://secunia.com/advisories/61633", - "http://secunia.com/advisories/61641", - "http://secunia.com/advisories/61643", - "http://secunia.com/advisories/61654", - "http://secunia.com/advisories/61703", - "http://secunia.com/advisories/61780", - 
"http://secunia.com/advisories/61816", - "http://secunia.com/advisories/61857", - "http://secunia.com/advisories/62312", - "http://secunia.com/advisories/62343", - "http://support.novell.com/security/cve/CVE-2014-6278.html", - "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685541", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685604", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685733", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685749", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685914", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686131", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686246", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686445", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686479", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686494", - "http://www-01.ibm.com/support/docview.wss?uid=swg21687079", - "http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:164", - "http://www.novell.com/support/kb/doc.php?id=7015721", - "http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html", - "http://www.qnap.com/i/en/support/con_show.php?cid=61", - "http://www.ubuntu.com/usn/USN-2380-1", - "http://www.vmware.com/security/advisories/VMSA-2014-0010.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=1147414", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278", - "https://kb.bluecoat.com/index?page=content\u0026id=SA82", - "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10648", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10085", - "https://security-tracker.debian.org/tracker/CVE-2014-6278", - "https://support.citrix.com/article/CTX200217", - "https://support.citrix.com/article/CTX200223", - "https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04497075", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04518183", - "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk102673\u0026src=securityAlerts", - "https://www.exploit-db.com/exploits/39568/", - "https://www.exploit-db.com/exploits/39887/", - "https://www.suse.com/support/shellshock/" - ] - }, { "VulnerabilityID": "CVE-2019-9924", "PkgName": "bash", @@ -273,9 +29,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bash: BASH_CMD is writable in restricted bash shells", "Description": "rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00049.html", 
@@ -285,6 +42,27 @@ "https://security.netapp.com/advisory/ntap-20190411-0001/" ] }, + { + "VulnerabilityID": "CVE-2018-5743", + "PkgName": "bind-libs", + "InstalledVersion": "32:9.8.2-0.68.rc1.el6_10.1", + "FixedVersion": "32:9.8.2-0.68.rc1.el6_10.3", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "bind: Limiting simultaneous TCP clients is ineffective", + "Description": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.6, 9.12.0 -\u003e 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -\u003e 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -\u003e 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-5743.html", + "http://linux.oracle.com/errata/ELSA-2019-1492.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743", + "https://kb.isc.org/docs/cve-2018-5743", + "https://support.f5.com/csp/article/K74009656?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.synology.com/security/advisory/Synology_SA_19_20" + ] + }, { "VulnerabilityID": "CVE-2011-0414", "PkgName": "bind-libs", 
@@ -292,9 +70,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bind: named lockup with IXFR or DDNS update and a high query rate", "Description": "ISC BIND 9.7.1 through 9.7.2-P3, when configured as an authoritative server, allows remote attackers to cause a denial of service (deadlock and daemon hang) by sending a query at the time of (1) an IXFR transfer or (2) a DDNS update.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html", "http://secunia.com/advisories/43439", 
@@ -312,19 +91,42 @@ ] }, { - "VulnerabilityID": "CVE-2018-5743", + "VulnerabilityID": "CVE-2018-5741", "PkgName": "bind-libs", "InstalledVersion": "32:9.8.2-0.68.rc1.el6_10.1", - "FixedVersion": "32:9.8.2-0.68.rc1.el6_10.3", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "bind: Limiting simultaneous TCP clients is ineffective", - "Description": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.6, 9.12.0 -\u003e 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -\u003e 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -\u003e 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies", + "Description": "To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. 
This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.", + "Severity": "MEDIUM", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743", - "https://kb.isc.org/docs/cve-2018-5743" + "http://linux.oracle.com/cve/CVE-2018-5741.html", + "http://linux.oracle.com/errata/ELSA-2019-2057.html", + "http://www.securityfocus.com/bid/105379", + "http://www.securitytracker.com/id/1041674", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741", + "https://kb.isc.org/docs/cve-2018-5741", + "https://security.gentoo.org/glsa/201903-13", + "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03927en_us" + ] + }, + { + "VulnerabilityID": "CVE-2013-5661", + "PkgName": "bind-libs", + "InstalledVersion": "32:9.8.2-0.68.rc1.el6_10.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "DNS response rate limiting can simplify cache poisoning attacks", + "Description": "Cache Poisoning issue exists in DNS Response Rate Limiting.", + "Severity": "LOW", + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5661", + "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5661", + "https://security-tracker.debian.org/tracker/CVE-2013-5661" ] }, { 
@@ -334,9 +136,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bind: Improper restriction of zone size limit", "Description": "ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/07/06/3", "http://www.securityfocus.com/bid/91611", 
@@ -352,25 +155,6 @@ "https://security.gentoo.org/glsa/201610-07" ] }, - { - "VulnerabilityID": "CVE-2018-5741", - "PkgName": "bind-libs", - "InstalledVersion": "32:9.8.2-0.68.rc1.el6_10.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies", - "Description": "To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105379", - "http://www.securitytracker.com/id/1041674", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741", - "https://kb.isc.org/docs/cve-2018-5741", - "https://security.gentoo.org/glsa/201903-13", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03927en_us" - ] - }, { "VulnerabilityID": "CVE-2018-5745", "PkgName": "bind-libs", 
@@ -378,25 +162,18 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bind: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys", "Description": "\"managed-keys\" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.5-P1, 9.12.0 -\u003e 9.12.3-P1, and versions 9.9.3-S1 -\u003e 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -\u003e 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-5745.html", + "http://linux.oracle.com/errata/ELSA-2019-3552.html", + "https://access.redhat.com/errata/RHSA-2019:3552", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5745", "https://kb.isc.org/docs/cve-2018-5745" ] }, - { - "VulnerabilityID": "CVE-2013-5661", - "PkgName": "bind-libs", - "InstalledVersion": "32:9.8.2-0.68.rc1.el6_10.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "DNS response rate limiting can simplify cache poisoning attacks", - "Description": "No description is available for this CVE.", - "Severity": "LOW" - }, { "VulnerabilityID": "CVE-2019-6465", "PkgName": "bind-libs", 
@@ -404,14 +181,39 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bind: Controls for zone transfers may not be properly applied to DLZs if the zones are writable", "Description": "Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.5-P2, 9.12.0 -\u003e 9.12.3-P2, and versions 9.9.3-S1 -\u003e 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -\u003e 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-6465.html", + "http://linux.oracle.com/errata/ELSA-2019-3552.html", + "https://access.redhat.com/errata/RHSA-2019:3552", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6465", "https://kb.isc.org/docs/cve-2019-6465" ] }, + { + "VulnerabilityID": "CVE-2018-5743", + "PkgName": "bind-utils", + "InstalledVersion": "32:9.8.2-0.68.rc1.el6_10.1", + "FixedVersion": "32:9.8.2-0.68.rc1.el6_10.3", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "bind: Limiting simultaneous TCP clients is ineffective", + "Description": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.6, 9.12.0 -\u003e 9.12.4, 9.14.0. 
BIND 9 Supported Preview Edition versions 9.9.3-S1 -\u003e 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -\u003e 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-5743.html", + "http://linux.oracle.com/errata/ELSA-2019-1492.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743", + "https://kb.isc.org/docs/cve-2018-5743", + "https://support.f5.com/csp/article/K74009656?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.synology.com/security/advisory/Synology_SA_19_20" + ] + }, { "VulnerabilityID": "CVE-2011-0414", "PkgName": "bind-utils", @@ -419,9 +221,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bind: named lockup with IXFR or DDNS update and a high query rate", "Description": "ISC BIND 9.7.1 through 9.7.2-P3, when configured as an authoritative server, allows remote attackers to cause a denial of service (deadlock and daemon hang) by sending a query at the time of (1) an IXFR transfer or (2) a DDNS update.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html", "http://secunia.com/advisories/43439", 
@@ -439,19 +242,42 @@ ] }, { - "VulnerabilityID": "CVE-2018-5743", + "VulnerabilityID": "CVE-2018-5741", "PkgName": "bind-utils", "InstalledVersion": "32:9.8.2-0.68.rc1.el6_10.1", - "FixedVersion": "32:9.8.2-0.68.rc1.el6_10.3", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "bind: Limiting simultaneous TCP clients is ineffective", - "Description": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.6, 9.12.0 -\u003e 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -\u003e 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -\u003e 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies", + "Description": "To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. 
This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.", + "Severity": "MEDIUM", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743", - "https://kb.isc.org/docs/cve-2018-5743" + "http://linux.oracle.com/cve/CVE-2018-5741.html", + "http://linux.oracle.com/errata/ELSA-2019-2057.html", + "http://www.securityfocus.com/bid/105379", + "http://www.securitytracker.com/id/1041674", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741", + "https://kb.isc.org/docs/cve-2018-5741", + "https://security.gentoo.org/glsa/201903-13", + "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03927en_us" + ] + }, + { + "VulnerabilityID": "CVE-2013-5661", + "PkgName": "bind-utils", + "InstalledVersion": "32:9.8.2-0.68.rc1.el6_10.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "DNS response rate limiting can simplify cache poisoning attacks", + "Description": "Cache Poisoning issue exists in DNS Response Rate Limiting.", + "Severity": "LOW", + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5661", + "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5661", + "https://security-tracker.debian.org/tracker/CVE-2013-5661" ] }, { 
@@ -461,9 +287,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bind: Improper restriction of zone size limit", "Description": "ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/07/06/3", "http://www.securityfocus.com/bid/91611", 
@@ -479,25 +306,6 @@ "https://security.gentoo.org/glsa/201610-07" ] }, - { - "VulnerabilityID": "CVE-2018-5741", - "PkgName": "bind-utils", - "InstalledVersion": "32:9.8.2-0.68.rc1.el6_10.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies", - "Description": "To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105379", - "http://www.securitytracker.com/id/1041674", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741", - "https://kb.isc.org/docs/cve-2018-5741", - "https://security.gentoo.org/glsa/201903-13", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03927en_us" - ] - }, { "VulnerabilityID": "CVE-2018-5745", "PkgName": "bind-utils", 
@@ -505,25 +313,18 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bind: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys", "Description": "\"managed-keys\" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.5-P1, 9.12.0 -\u003e 9.12.3-P1, and versions 9.9.3-S1 -\u003e 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -\u003e 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-5745.html", + "http://linux.oracle.com/errata/ELSA-2019-3552.html", + "https://access.redhat.com/errata/RHSA-2019:3552", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5745", "https://kb.isc.org/docs/cve-2018-5745" ] }, - { - "VulnerabilityID": "CVE-2013-5661", - "PkgName": "bind-utils", - "InstalledVersion": "32:9.8.2-0.68.rc1.el6_10.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "DNS response rate limiting can simplify cache poisoning attacks", - "Description": "No description is available for this CVE.", - "Severity": "LOW" - }, { "VulnerabilityID": "CVE-2019-6465", "PkgName": "bind-utils", 
@@ -531,14 +332,72 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bind: Controls for zone transfers may not be properly applied to DLZs if the zones are writable", "Description": "Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.5-P2, 9.12.0 -\u003e 9.12.3-P2, and versions 9.9.3-S1 -\u003e 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -\u003e 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-6465.html", + "http://linux.oracle.com/errata/ELSA-2019-3552.html", + "https://access.redhat.com/errata/RHSA-2019:3552", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6465", "https://kb.isc.org/docs/cve-2019-6465" ] }, + { + "VulnerabilityID": "CVE-2012-3509", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libiberty: integer overflow, leading to heap-buffer overflow by processing certain file headers via bfd binary", + "Description": "Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the \"addition of CHUNK_HEADER_SIZE to the length,\" which triggers a heap-based buffer overflow.", + "Severity": "MEDIUM", + "References": [ + "http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54411", + "http://gcc.gnu.org/ml/gcc-patches/2012-08/msg01986.html", + 
"http://security-tracker.debian.org/tracker/CVE-2012-3509", + "http://www.mandriva.com/security/advisories?name=MDVSA-2015:029", + "http://www.openwall.com/lists/oss-security/2012/08/29/3", + "http://www.securityfocus.com/bid/55281", + "http://www.ubuntu.com/usn/USN-2496-1", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3509", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/78135" + ] + }, + { + "VulnerabilityID": "CVE-2014-8484", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: invalid read flaw in libbfd", + "Description": "The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2014-8484.html", + "http://linux.oracle.com/errata/ELSA-2015-2079.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145262.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145328.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145742.html", + "http://openwall.com/lists/oss-security/2014/10/23/5", + "http://secunia.com/advisories/62241", + "http://secunia.com/advisories/62746", + "http://www.mandriva.com/security/advisories?name=MDVSA-2015:029", + "http://www.openwall.com/lists/oss-security/2014/10/26/2", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", + "http://www.securityfocus.com/bid/70714", + "http://www.ubuntu.com/usn/USN-2496-1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1156272", + "https://security.gentoo.org/glsa/201612-24", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17509", + 
"https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd25671c6f202c4a5108883caa2adb24ff6f361f" + ] + }, { "VulnerabilityID": "CVE-2014-8485", "PkgName": "binutils", @@ -546,11 +405,14 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: lack of range checking leading to controlled write in _bfd_elf_setup_sections()", "Description": "The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lcamtuf.blogspot.co.uk/2014/10/psa-dont-run-strings-on-untrusted-files.html", + "http://linux.oracle.com/cve/CVE-2014-8485.html", + "http://linux.oracle.com/errata/ELSA-2015-2079.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145262.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145328.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145742.html", 
@@ -568,6 +430,130 @@ "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=493a33860c71cac998f1a56d6d87d6faa801fbaa" ] }, + { + "VulnerabilityID": "CVE-2014-8737", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: directory traversal vulnerability", + "Description": "Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2014-8737.html", + "http://linux.oracle.com/errata/ELSA-2015-2079.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145256.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145352.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145746.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147346.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147354.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148427.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148438.html", + "http://secunia.com/advisories/62241", + "http://secunia.com/advisories/62746", + "http://www.mandriva.com/security/advisories?name=MDVSA-2015:029", + "http://www.openwall.com/lists/oss-security/2014/11/13/1", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", + "http://www.securityfocus.com/bid/70908", + "http://www.ubuntu.com/usn/USN-2496-1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1162655", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737", + "https://security.gentoo.org/glsa/201612-24", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17533", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17552", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dd9b91de2149ee81d47f708e7b0bbf57da10ad42" + ] + }, + { + "VulnerabilityID": "CVE-2017-6965", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer overflow in target_specific_reloc_handling in readelf", + "Description": "readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6965", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21137" + ] + }, + { + "VulnerabilityID": "CVE-2017-6966", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: Use-after-free in target_specific_reloc_handling in readelf", + "Description": "readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. 
This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6966", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21139" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000876", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: integer overflow leads to heap-based buffer overflow in objdump", + "Description": "binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. 
This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000876.html", + "http://linux.oracle.com/errata/ELSA-2019-2075.html", + "http://www.securityfocus.com/bid/106304", + "https://access.redhat.com/errata/RHSA-2019:2075", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23994", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f" + ] + }, + { + "VulnerabilityID": "CVE-2018-20673", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libiberty: Integer overflow in demangle_template() function", + "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/106454", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" + ] + }, + { + "VulnerabilityID": "CVE-2019-9077", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer overflow in function process_mips_specific in readelf.c", + "Description": "An issue was discovered in GNU Binutils 2.32. 
It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/107139", + "https://security.netapp.com/advisory/ntap-20190314-0003/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24243", + "https://support.f5.com/csp/article/K00056379" + ] + }, { "VulnerabilityID": "CVE-2014-8501", "PkgName": "binutils", @@ -575,10 +561,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: out-of-bounds write when parsing specially crafted PE executable", "Description": "The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2014-8501.html", + "http://linux.oracle.com/errata/ELSA-2015-2079.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145262.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145328.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145742.html", 
@@ -607,10 +596,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)", "Description": "Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2014-8502.html", + "http://linux.oracle.com/errata/ELSA-2015-2079.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145262.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145328.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145742.html", @@ -638,10 +630,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: stack overflow in objdump when parsing specially crafted ihex file", "Description": "Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2014-8503.html", + "http://linux.oracle.com/errata/ELSA-2015-2079.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145262.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145328.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145742.html", 
@@ -669,10 +664,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: stack overflow in the SREC parser", "Description": "Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2014-8504.html", + "http://linux.oracle.com/errata/ELSA-2015-2079.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145262.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145328.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145742.html", 
@@ -694,152 +692,6 @@ "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=708d7d0d11f0f2d776171979aa3479e8e12a38a0" ] }, - { - "VulnerabilityID": "CVE-2014-9939", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: buffer overflow in ihex.c", - "Description": "ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.", - "Severity": "HIGH", - "References": [ - "http://www.openwall.com/lists/oss-security/2015/07/31/6", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9939", - "https://sourceware.org/bugzilla/show_bug.cgi?id=18750", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e27a9d5f22f9f7ead11738b1546d0b5c737266b" - ] - }, - { - "VulnerabilityID": "CVE-2017-13716", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: Memory leak with the C++ symbol demangler routine in libiberty", - "Description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" - ] - }, - { - "VulnerabilityID": "CVE-2017-14930", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: Memory leak in decode_line_info", - "Description": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka 
libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14930", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22191" - ] - }, - { - "VulnerabilityID": "CVE-2017-7614", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: NULL pointer dereference in bfd_elf_final_link function", - "Description": "elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.", - "Severity": "HIGH", - "References": [ - "https://blogs.gentoo.org/ago/2017/04/05/binutils-two-null-pointer-dereference-in-elflink-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7614", - "https://security.gentoo.org/glsa/201709-02" - ] - }, - { - "VulnerabilityID": "CVE-2017-8421", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: Memory exhaustion in objdump via a crafted PE file", - "Description": "The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. 
Additional validation in dump_relocs_in_section in objdump.c can resolve this.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8421", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21440" - ] - }, - { - "VulnerabilityID": "CVE-2018-12699", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: heap-based buffer overflow in finish_stab in stabs.c", - "Description": "finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/104540", - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", - "https://security.gentoo.org/glsa/201908-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" - ] - }, - { - "VulnerabilityID": "CVE-2012-3509", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libiberty: integer overflow, leading to heap-buffer overflow by processing certain file headers via bfd binary", - "Description": "Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the \"addition of CHUNK_HEADER_SIZE to the length,\" which triggers a heap-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - 
"http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54411", - "http://gcc.gnu.org/ml/gcc-patches/2012-08/msg01986.html", - "http://security-tracker.debian.org/tracker/CVE-2012-3509", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:029", - "http://www.openwall.com/lists/oss-security/2012/08/29/3", - "http://www.securityfocus.com/bid/55281", - "http://www.ubuntu.com/usn/USN-2496-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3509", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/78135" - ] - }, - { - "VulnerabilityID": "CVE-2014-8484", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: invalid read flaw in libbfd", - "Description": "The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.", - "Severity": "MEDIUM", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145262.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145328.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145742.html", - "http://openwall.com/lists/oss-security/2014/10/23/5", - "http://secunia.com/advisories/62241", - "http://secunia.com/advisories/62746", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:029", - "http://www.openwall.com/lists/oss-security/2014/10/26/2", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", - "http://www.securityfocus.com/bid/70714", - "http://www.ubuntu.com/usn/USN-2496-1", - "https://bugzilla.redhat.com/show_bug.cgi?id=1156272", - "https://security.gentoo.org/glsa/201612-24", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17509", - 
"https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd25671c6f202c4a5108883caa2adb24ff6f361f" - ] - }, { "VulnerabilityID": "CVE-2014-8738", "PkgName": "binutils", @@ -847,10 +699,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: out of bounds memory write", "Description": "The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2014-8738.html", + "http://linux.oracle.com/errata/ELSA-2015-2079.html", "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147346.html", "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147354.html", "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148427.html", 
@@ -871,6 +726,24 @@ "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bb0d867169d7e9743d229804106a8fbcab7f3b3f" ] }, + { + "VulnerabilityID": "CVE-2014-9939", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: buffer overflow in ihex.c", + "Description": "ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2015/07/31/6", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9939", + "https://sourceware.org/bugzilla/show_bug.cgi?id=18750", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e27a9d5f22f9f7ead11738b1546d0b5c737266b" + ] + }, { "VulnerabilityID": "CVE-2015-8538", "PkgName": "binutils", @@ -878,9 +751,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libdwarf: Out-of-bounds read in dwarf_leb.c", "Description": "dwarf_leb.c in libdwarf allows attackers to cause a denial of service (SIGSEGV).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2015/12/10/3", "https://bugzilla.redhat.com/show_bug.cgi?id=1291299", @@ -894,9 +768,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Exploitable buffer overflow", "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90103", 
@@ -912,9 +787,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array btypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", @@ -929,9 +805,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", @@ -946,9 +823,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to integer overflow", "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90017", 
@@ -963,9 +841,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Write access violation", "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90019", @@ -980,9 +859,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90016", @@ -998,9 +878,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", 
@@ -1016,9 +897,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", @@ -1027,25 +909,6 @@ "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" ] }, - { - "VulnerabilityID": "CVE-2016-6131", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler", - "Description": "The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/06/30/4", - "http://www.openwall.com/lists/oss-security/2016/06/30/7", - "http://www.securityfocus.com/bid/91519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696", - "https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html" - ] - }, { "VulnerabilityID": "CVE-2017-12449", "PkgName": "binutils", 
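Review bot: The hunk at `@@ -1027,25 +909,6 @@` removes the CVE-2016-6131 entry for binutils from the expected findings without any visible explanation, whereas every surrounding hunk only adds `"SeveritySource": "redhat"` and lowers `"Severity"` from `"MEDIUM"` to `"LOW"`. Dropping a finding from a golden file changes what the integration test asserts the scanner detects, so the reason belongs on record; presumably the updated vulnerability database no longer carries an entry for that CVE on this package, but that is inferred, not shown here. A short justification in the commit message or alongside the fixture, e.g. `CVE-2016-6131 removed: not present in trivy-db <placeholder: db revision> for binutils on this distribution`, would let a later reader distinguish a deliberate data change from a detection regression.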
@@ -1053,9 +916,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: out of bounds heap read in _bfd_vms_save_sized_string function", "Description": "The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12449", "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" @@ -1068,9 +932,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: out of bounds stack read in _bfd_xcoff_read_ar_hdr function", "Description": "The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12451", "https://sourceware.org/bugzilla/show_bug.cgi?id=21786" 
@@ -1083,9 +948,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: out of bounds heap read in bfd_mach_o_i386_canonicalize_one_reloc function", "Description": "The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12452", "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" @@ -1098,9 +964,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: out of bounds heap read in __bfd_vms_slurp_eeom function", "Description": "The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12453", "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" 
@@ -1113,9 +980,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Arbitrary memory read in _bfd_vms_slurp_egs function", "Description": "The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12454", "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" @@ -1128,9 +996,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: out of bounds heap read in evax_bfd_print_emh function", "Description": "The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12455", "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" @@ -1143,9 +1012,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: out of bounds heap read in read_symbol_stabs_debugging_inf function", "Description": "The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12456", "https://security.gentoo.org/glsa/201801-01", 
@@ -1159,9 +1029,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in bfd_make_section_with_flags function", "Description": "The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12457", "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" @@ -1174,9 +1045,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: out of bounds heap read in nlm_swap_auxiliary_headers_in function", "Description": "The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12458", "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" 
@@ -1189,9 +1061,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based 1 byte buffer over-write in elf_read_notes function in bfd/elf.c", "Description": "The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/100292", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12799", @@ -1206,9 +1079,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Stack-based buffer over-read in getsym function in tekhex.c", "Description": "The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/100462", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12967", 
@@ -1223,15 +1097,31 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in the setup_group function", "Description": "The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/100499", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13710", "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0c54f69295208331faab9bc5e995111a35672f9b" ] }, + { + "VulnerabilityID": "CVE-2017-13716", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory leak with the C++ symbol demangler routine in libiberty", + "Description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ] + }, { "VulnerabilityID": "CVE-2017-13757", "PkgName": "binutils", 
@@ -1239,9 +1129,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: heap-based buffer over-read in elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/100532", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13757", @@ -1256,9 +1147,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer over-read in the decode_line_info function", "Description": "The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/100623", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14128", 
@@ -1274,9 +1166,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer over-read in the read_section function", "Description": "The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/100624", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14129", @@ -1292,9 +1185,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer over-read in the _bfd_elf_parse_attributes function", "Description": "The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/100625", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14130", 
@@ -1310,9 +1204,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: heap-based buffer over-read in bfd_getl16 function in peXXigen.c", "Description": "The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14529", "https://sourceware.org/bugzilla/show_bug.cgi?id=22113", @@ -1327,9 +1222,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap buffer overflow in the *_get_synthetic_symtab functions", "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/09/25/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14729", 
@@ -1345,14 +1241,31 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Integer overflow in the *_get_synthetic_symtab functions", "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14745", "https://sourceware.org/bugzilla/show_bug.cgi?id=22148" ] }, + { + "VulnerabilityID": "CVE-2017-14930", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory leak in decode_line_info", + "Description": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14930", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22191" + ] + }, { "VulnerabilityID": "CVE-2017-14932", "PkgName": "binutils", 
@@ -1360,9 +1273,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Infinite loop in the decode_line_info", "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14932", "https://sourceware.org/bugzilla/show_bug.cgi?id=22204", @@ -1376,9 +1290,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Infinite loop in read_formatted_entries", "Description": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101203", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14933", @@ -1395,9 +1310,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Infinite loop in process_debug_info", "Description": "process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101204", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14934", 
@@ -1412,9 +1328,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Excessive memory allocation in _bfd_elf_slurp_version_tables", "Description": "_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101212", "https://blogs.gentoo.org/ago/2017/09/26/binutils-memory-allocation-failure-in-_bfd_elf_slurp_version_tables-elf-c/", @@ -1430,9 +1347,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer over-read in the decode_line_info", "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101216", "https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c/", 
@@ -1449,9 +1367,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in the scan_unit_for_symbols", "Description": "scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/09/26/binutils-null-pointer-dereference-in-scan_unit_for_symbols-dwarf2-c/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14940", @@ -1466,9 +1385,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in the *_get_synthetic_symtab functions", "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14974", "https://sourceware.org/bugzilla/show_bug.cgi?id=22163", 
@@ -1482,9 +1402,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer overflow in parse_die", "Description": "dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-parse_die-dwarf1-c/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15020", @@ -1499,9 +1420,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer over-read in bfd_get_debug_link_info_1", "Description": "bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-bfd_getl32-opncls-c/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15021", 
@@ -1516,9 +1438,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in dwarf2.c", "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15022", @@ -1533,9 +1456,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in read_formatted_entries", "Description": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101611", "https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c/", 
@@ -1552,9 +1476,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Infinite recursion in find_abstract_instance_name", "Description": "find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/10/03/binutils-infinite-loop-in-find_abstract_instance_name-dwarf2-c/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15024", @@ -1569,9 +1494,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Divide-by-zero in decode_line_info", "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/10/03/binutils-divide-by-zero-in-decode_line_info-dwarf2-c/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15025", 
@@ -1586,9 +1512,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Memory leak in _bfd_dwarf2_cleanup_debug_info", "Description": "_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15225", "https://sourceware.org/bugzilla/show_bug.cgi?id=22212", @@ -1602,9 +1529,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Invalid memory read in find_abstract_instance_name", "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101610", "https://blogs.gentoo.org/ago/2017/10/24/binutils-invalid-memory-read-in-find_abstract_instance_name-dwarf2-c/", 
@@ -1621,9 +1549,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in the concat_filename", "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101613", "https://blogs.gentoo.org/ago/2017/10/24/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023/", @@ -1639,9 +1568,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Excessive memory allocation in elfcomm.c", "Description": "elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a \"buffer overflow on fuzzed archive header,\" related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101608", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15996", 
@@ -1657,9 +1587,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Invalid memory access in the coff_slurp_line_table function", "Description": "The coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16826", "https://security.gentoo.org/glsa/201811-17", @@ -1674,9 +1605,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Invalid free in the aout_get_external_symbols function", "Description": "The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16827", "https://security.gentoo.org/glsa/201811-17", 
@@ -1691,9 +1623,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Integer overflow in the display_debug_frames function", "Description": "The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16828", "https://security.gentoo.org/glsa/201811-17", @@ -1708,9 +1641,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds read in the _bfd_elf_parse_gnu_properties function", "Description": "The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16829", "https://security.gentoo.org/glsa/201811-17", 
@@ -1725,9 +1659,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Segmentation fault in the print_gnu_property_note function", "Description": "The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101941", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16830", @@ -1743,9 +1678,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Integer overflow in coffgen.c", "Description": "coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16831", "https://security.gentoo.org/glsa/201811-17", 
@@ -1760,9 +1696,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Segmentation fault in the pe_bfd_read_buildid function", "Description": "The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16832", "https://security.gentoo.org/glsa/201811-17", @@ -1777,9 +1714,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer over-read in bfd_getl32", "Description": "elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17080", "https://security.gentoo.org/glsa/201811-17", 
@@ -1793,9 +1731,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Memory access violation via a crafted COFF binary", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17121", "https://security.gentoo.org/glsa/201811-17", @@ -1810,9 +1749,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Excessive memory allocation in the dump_relocs_in_section function", "Description": "The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17122", "https://security.gentoo.org/glsa/201811-17", 
@@ -1827,9 +1767,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in the coff_slurp_reloc_table function", "Description": "The coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17123", "https://security.gentoo.org/glsa/201811-17", @@ -1844,9 +1785,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap buffer overflow in the _bfd_coff_read_string_table function", "Description": "The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17124", "https://security.gentoo.org/glsa/201811-17", 
@@ -1861,9 +1803,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Buffer over-read in the _bfd_elf_get_symbol_version_string function", "Description": "nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17125", "https://security.gentoo.org/glsa/201811-17", @@ -1878,9 +1821,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Invalid memory access in the load_debug_section function", "Description": "The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17126", "https://security.gentoo.org/glsa/201811-17", 
@@ -1888,38 +1832,6 @@ "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f425ec6600b69e39eb605f3128806ff688137ea8" ] }, - { - "VulnerabilityID": "CVE-2017-6965", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: Heap-based buffer overflow in target_specific_reloc_handling in readelf", - "Description": "readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6965", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21137" - ] - }, - { - "VulnerabilityID": "CVE-2017-6966", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: Use-after-free in target_specific_reloc_handling in readelf", - "Description": "readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6966", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21139" - ] - }, { "VulnerabilityID": "CVE-2017-6969", "PkgName": "binutils", 
@@ -1927,9 +1839,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer over-read in readelf when processing corrupt RL78 binaries", "Description": "readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97065", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969", @@ -1944,9 +1857,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Null pointer dereference in dump_section_as_bytes function in readelf", "Description": "The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/96994", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209", @@ -1961,9 +1875,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer over-reads in objdump", "Description": "objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/96992", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210", 
@@ -1978,9 +1893,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Global buffer overflow when attempting to unget EOF character", "Description": "GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7223", "https://security.gentoo.org/glsa/201801-01", @@ -1994,9 +1910,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Invalid write in find_nearest_line function", "Description": "The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97277", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7224", @@ -2011,9 +1928,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Null pointer dereference and invalid write in find_nearest_line function in addr2line", "Description": "The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97275", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7225", 
@@ -2028,9 +1946,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer over-read in pe_ILF_object_p function in libbfd", "Description": "The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7226", "https://sourceware.org/bugzilla/show_bug.cgi?id=20905" @@ -2043,9 +1962,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer overflow in ld due to missing null termination", "Description": "GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\\0' termination of a name field in ldlex.l.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97209", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7227", 
@@ -2060,9 +1980,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds read in bfd_elf_final_link function", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97217", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7299", @@ -2076,9 +1997,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-buffer overflow in aout_link_add_symbols function", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97219", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7300", 
@@ -2092,9 +2014,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Off-by-one error in aout_link_add_symbols function", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97218", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7301", @@ -2108,9 +2031,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds read in wap_std_reloc_out function", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97216", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7302", 
@@ -2124,9 +2048,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds read in find_link function", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97213", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7303", 
@@ -2140,15 +2065,33 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds read in copy_special_section_fields function", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97215", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304", "https://sourceware.org/bugzilla/show_bug.cgi?id=20931" ] }, + { + "VulnerabilityID": "CVE-2017-7614", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in bfd_elf_final_link function", + "Description": "elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/04/05/binutils-two-null-pointer-dereference-in-elflink-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7614", + "https://security.gentoo.org/glsa/201709-02" + ] + }, { "VulnerabilityID": "CVE-2017-8392", "PkgName": "binutils", 
@@ -2156,9 +2099,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in the _bfd_dwarf2_find_nearest_line function", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://security.gentoo.org/glsa/201709-02", "https://sourceware.org/bugzilla/show_bug.cgi?id=21409" @@ -2171,9 +2115,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds read due to wrong assumption for objcopy and strip", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8393", "https://security.gentoo.org/glsa/201709-02", 
@@ -2187,9 +2132,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in the _bfd_elf_large_com_section", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8394", "https://security.gentoo.org/glsa/201709-02", @@ -2203,9 +2149,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds write in the _bfd_generic_get_section_contents function", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8395", "https://security.gentoo.org/glsa/201709-02", 
@@ -2219,9 +2166,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds read in the existing reloc offset range tests", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8396", "https://security.gentoo.org/glsa/201709-02", @@ -2235,9 +2183,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds read and write while processing binary containing reloc(s) with negative addresses", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8397", "https://security.gentoo.org/glsa/201709-02", 
@@ -2251,15 +2200,33 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds read while dumping the debug information from a corrupt binary", "Description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8398", "https://security.gentoo.org/glsa/201709-02", "https://sourceware.org/bugzilla/show_bug.cgi?id=21438" ] }, + { + "VulnerabilityID": "CVE-2017-8421", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory exhaustion in objdump via a crafted PE file", + "Description": "The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8421", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21440" + ] + }, { "VulnerabilityID": "CVE-2017-9038", "PkgName": "binutils", 
@@ -2267,9 +2234,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-buffer overflow in the byte_get_little_endian", "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/98589", "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", @@ -2285,9 +2253,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Memory consumption via many program headers", "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/98580", "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", 
@@ -2303,9 +2272,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in the process_mips_specific_function", "Description": "GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/98579", "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", @@ -2321,9 +2291,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap buffer overflow in the process_mips_specific function", "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/98598", "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", @@ -2340,9 +2311,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Invalid variable type in readelf.c", "Description": "readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9042", 
@@ -2357,9 +2329,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Shift exponent too large for type unsigned long in readelf.c", "Description": "readelf.c in GNU Binutils 2017-04-12 has a \"shift exponent too large for type unsigned long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/98591", "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", @@ -2374,9 +2347,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Out-of-bounds read in the print_symbol_for_build_attribute function", "Description": "The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/98587", "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", 
@@ -2390,9 +2364,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Global buffer over-read in print_insn_score16 function while disassembling corrupt score binary", "Description": "The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99105", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9742", @@ -2408,9 +2383,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Global buffer over-read in print_insn_score32 function while disassembling corrupt score binary", "Description": "The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99106", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9743", 
@@ -2425,9 +2401,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Address violation in sh_elf_set_mach_from_flags function when disassembling a corrupt SH binary", "Description": "The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99108", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9744", @@ -2441,9 +2418,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap buffer over-read in _bfd_vms_slurp_etir function when handling VMS alpha binaries", "Description": "The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99109", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9745", 
@@ -2457,9 +2435,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap buffer over-read in disassemble_bytes function when disassembling a corrupt binary", "Description": "The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99117", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9746", @@ -2475,9 +2454,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Stack-based buffer over-read in ieee_archive_p function while disassembling corrupt IEEE binary", "Description": "The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99114", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9747", 
@@ -2492,9 +2472,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Stack-based buffer over-read in ieee_object_p function", "Description": "The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99110", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9748", @@ -2509,9 +2490,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Global buffer over-read in *regs* macros when disassembling corrupt bfin binary", "Description": "The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99113", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9749", 
@@ -2527,9 +2509,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Global buffer over-read in opcodes/rx-decode.opc when disassembling a corrupt RX binary", "Description": "opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99118", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9750", @@ -2545,9 +2528,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Stack-based buffer over-read in opcodes/rl78-decode.opc when disassembling a corrupt RL78 binary", "Description": "opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99111", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9751", 
@@ -2562,9 +2546,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap buffer over-read in f_bfd_vms_get_value function when processing a corrupt Alpha VMA binary", "Description": "bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99122", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9752", @@ -2578,9 +2563,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Address violation in versados_mkobject function when disassembling a corrupt versados binary", "Description": "The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99116", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9753", 
@@ -2594,9 +2580,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Stack-based buffer over-read in process_otr function", "Description": "The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99125", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9754", @@ -2610,9 +2597,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Global buffer over-read in opcodes/i386-dis.c while checking invalid registers", "Description": "opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99124", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9755", 
@@ -2627,9 +2615,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Address violation in aarch64_ext_ldst_reglist function when disassembling corrupt aarch64 binary", "Description": "The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99103", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9756", @@ -2645,9 +2634,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: stack-based buffer over-read in getvalue function", "Description": "The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99307", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9954", 
@@ -2662,32 +2652,16 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: heap buffer over-read in get_build_id function", "Description": "The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99573", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9955", "https://sourceware.org/bugzilla/show_bug.cgi?id=21665" ] }, - { - "VulnerabilityID": "CVE-2018-1000876", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: integer overflow leads to heap-based buffer overflow in objdump", - "Description": "binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106304", - "https://access.redhat.com/errata/RHSA-2019:2075", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23994", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f" - ] - }, { "VulnerabilityID": "CVE-2018-10373", "PkgName": "binutils", 
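Review bot: The expected output drops the CVE-2018-1000876 finding for binutils 2.20.51.0.2-5.48.el6 entirely, whereas every neighbouring entry in this hunk and the surrounding ones only gains `"SeveritySource": "redhat"` and a `"Severity": "LOW"` re-rating; nothing on the page shows whether the new trivy-db snapshot now treats that package as unaffected or whether the finding was simply lost. A golden file like this silently encodes scanner behaviour, so a finding that disappears from expected results deserves a one-line rationale in the commit message pointing at the DB change that justifies it, otherwise a later regression that loses findings would be masked by this fixture. The same check applies to the CVE-2018-14038 entry that is swapped out in the later hunk at -2835,15. The enclosing JSON array continues outside the hunk.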
@@ -2695,10 +2669,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in dwarf2.c:concat_filename() allows for denial of service via crafted file", "Description": "concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-10373.html", + "http://linux.oracle.com/errata/ELSA-2018-3032.html", "http://www.securityfocus.com/bid/104000", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3032", @@ -2714,10 +2691,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in elf.c", "Description": "The ignore_section_sym function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a \"SECTION\" type that has a \"0\" value, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file, as demonstrated by objcopy.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-10535.html", + "http://linux.oracle.com/errata/ELSA-2018-3032.html", "http://www.securityfocus.com/bid/104021", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3032", 
@@ -2733,10 +2713,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Stack Exhaustion in the demangling functions provided by libiberty", "Description": "An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12641.html", + "http://linux.oracle.com/errata/ELSA-2019-2075.html", "https://access.redhat.com/errata/RHSA-2019:2075", "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763099", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452", @@ -2751,10 +2734,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in work_stuff_copy_to_from in cplus-dem.c.", "Description": "A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12697.html", + "http://linux.oracle.com/errata/ELSA-2019-2075.html", "http://www.securityfocus.com/bid/104538", "https://access.redhat.com/errata/RHSA-2019:2075", "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", 
@@ -2770,9 +2756,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: excessive memory consumption in demangle_template in cplus-dem.c", "Description": "demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the \"Create an array for saving the template argument values\" XNEWVEC call. This can occur during execution of objdump.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/104539", "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", @@ -2781,6 +2768,25 @@ "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" ] }, + { + "VulnerabilityID": "CVE-2018-12699", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer overflow in finish_stab in stabs.c", + "Description": "finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/104540", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", + "https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" + ] + }, { "VulnerabilityID": "CVE-2018-12700", "PkgName": "binutils", 
@@ -2788,9 +2794,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Stack Exhaustion in debug_write_type in debug.c", "Description": "A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/104541", "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", @@ -2806,9 +2813,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Uncontrolled Resource Consumption in remember_Ktype in cplus-dem.c", "Description": "remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763101", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453", 
@@ -2822,10 +2830,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Uncontrolled Resource Consumption in execution of nm", "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-13033.html", + "http://linux.oracle.com/errata/ELSA-2018-3032.html", "http://www.securityfocus.com/bid/104584", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3032", 
@@ -2835,15 +2846,55 @@ ] }, { - "VulnerabilityID": "CVE-2018-14038", + "VulnerabilityID": "CVE-2018-17358", "PkgName": "binutils", "InstalledVersion": "2.20.51.0.2-5.48.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "libbfd: remote dos via crafted file in function aout_32_swap_std_reloc_out in aoutx.h", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-7642. Reason: This candidate is a reservation duplicate of CVE-2018-7642. Notes: All CVE users should reference CVE-2018-7642 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.", - "Severity": "MEDIUM" + "SeveritySource": "redhat", + "Title": "binutils: invalid memory access in _bfd_stab_section_find_nearest_line in syms.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23686" + ] + }, + { + "VulnerabilityID": "CVE-2018-17359", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: invalid memory access in bfd_zalloc in opncls.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. 
Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23686" + ] + }, + { + "VulnerabilityID": "CVE-2018-17360", + "PkgName": "binutils", + "InstalledVersion": "2.20.51.0.2-5.48.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer over-read in bfd_getl32 in libbfd.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23685" + ] }, { "VulnerabilityID": "CVE-2018-17794", @@ -2852,9 +2903,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in libiberty/cplus-dem.c:work_stuff_copy_to_from() via crafted input", "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350" ] 
@@ -2866,10 +2918,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Stack consumption problem caused by the cplus_demangle_type", "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335" ] }, @@ -2880,10 +2935,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Integer overflow in cplus-dem.c:get_count() allows for denial of service", "Description": "The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "http://www.securityfocus.com/bid/105689", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602", "https://sourceware.org/bugzilla/show_bug.cgi?id=23767" 
@@ -2896,10 +2954,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Stack exhaustion in cp-demangle.c allows for denial of service", "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "http://www.securityfocus.com/bid/105693", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636" ] @@ -2911,10 +2972,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: heap-based buffer over-read in sec_merge_hash_lookup in merge.c", "Description": "A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "http://www.securityfocus.com/bid/105754", "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18605", "https://security.netapp.com/advisory/ntap-20190307-0003/", 
@@ -2929,10 +2993,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in _bfd_add_merge_section in merge_strings function in merge.c", "Description": "An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "http://www.securityfocus.com/bid/105754", "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18606", "https://security.netapp.com/advisory/ntap-20190307-0003/", 
@@ -2947,10 +3014,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in elf_link_input_bfd in elflink.c", "Description": "An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "http://www.securityfocus.com/bid/105754", "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18607", "https://security.netapp.com/advisory/ntap-20190307-0003/", @@ -2965,9 +3035,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Recursive Stack Overflow within function d_name, d_encoding, and d_local_name in cp-demangle.c", "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681" ] 
@@ -2979,9 +3050,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: infinite recursion in next_is_type_qual and cplus_demangle_type functions in cp-demangle.c", "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675" ] @@ -2993,9 +3065,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer overflow in bfd_elf32_swap_phdr_in function resulting in a denial of service", "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/106144", "https://security.gentoo.org/glsa/201908-01", 
@@ -3011,9 +3084,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Integer overflow due to the IS_CONTAINED_BY_LMA macro resulting in a denial of service", "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/106144", "https://security.gentoo.org/glsa/201908-01", @@ -3029,9 +3103,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: memory leak in _bfd_generic_read_minisymbols function in syms.c", "Description": "The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/106142", "https://security.gentoo.org/glsa/201908-01", 
@@ -3048,30 +3123,19 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20657.html", + "http://linux.oracle.com/errata/ELSA-2019-3352.html", "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", "https://support.f5.com/csp/article/K62602089" ] }, - { - "VulnerabilityID": "CVE-2018-20673", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libiberty: Integer overflow in demangle_template() function", - "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106454", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" - ] - }, { "VulnerabilityID": "CVE-2018-6323", "PkgName": "binutils", 
@@ -3079,10 +3143,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Integer overflow in elf_object_p function in elfcode.h", "Description": "The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "http://www.securityfocus.com/bid/102821", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6323", "https://sourceware.org/bugzilla/show_bug.cgi?id=22746", @@ -3096,10 +3163,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Unchecked strnlen in opncls.c:bfd_get_debug_link_info_1() can allow lead to denial of service", "Description": "The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "http://www.securityfocus.com/bid/103030", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6759", "https://security.gentoo.org/glsa/201811-17", 
@@ -3113,10 +3183,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: out of bounds read in elf_parse_notes function in elf.c file in libbfd library", "Description": "The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "http://www.securityfocus.com/bid/103103", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6872", "https://security.gentoo.org/glsa/201811-17", 
@@ -3131,10 +3204,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Improper bounds check in coffgen.c:coff_pointerize_aux() allows for denial of service when parsing a crafted COFF file", "Description": "In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-7208.html", + "http://linux.oracle.com/errata/ELSA-2018-3032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "http://www.securityfocus.com/bid/103077", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3032", 
@@ -3150,10 +3228,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: integer overflow via an ELF file with corrupt dwarf1 debug information in libbfd library", "Description": "The parse_die function in dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer overflow and application crash) via an ELF file with corrupt dwarf1 debug information, as demonstrated by nm.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-7568.html", + "http://linux.oracle.com/errata/ELSA-2018-3032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3032", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7568", 
@@ -3168,10 +3251,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: integer underflow or overflow via an ELF file with a corrupt DWARF FORM block in libbfd library", "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer underflow or overflow, and application crash) via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-7569.html", + "http://linux.oracle.com/errata/ELSA-2018-3032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3032", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7569", 
@@ -3186,10 +3274,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: NULL pointer dereference in swap_std_reloc_in function in aoutx.h resulting in crash", "Description": "The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-7642.html", + "http://linux.oracle.com/errata/ELSA-2018-3032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3032", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7642", 
@@ -3205,10 +3298,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Integer overflow in the display_debug_ranges function resulting in crash", "Description": "The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-7643.html", + "http://linux.oracle.com/errata/ELSA-2018-3032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "http://www.securityfocus.com/bid/103264", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3032", @@ -3224,10 +3322,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: Crash in elf.c:bfd_section_from_shdr() with crafted executable", "Description": "The bfd_section_from_shdr function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (segmentation fault) via a large attribute section.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-8945.html", + "http://linux.oracle.com/errata/ELSA-2018-3032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3032", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8945", 
@@ -3235,35 +3338,6 @@ "https://sourceware.org/bugzilla/show_bug.cgi?id=22809" ] }, - { - "VulnerabilityID": "CVE-2018-9138", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: Stack Exhaustion in the the C++ demangling functions provided by libiberty", - "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=23008" - ] - }, - { - "VulnerabilityID": "CVE-2018-9996", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: Stack-overflow in libiberty/cplus-dem.c causes crash", - "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/103733", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304" - ] - }, { "VulnerabilityID": "CVE-2019-9070", "PkgName": "binutils", 
@@ -3271,9 +3345,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "binutils: heap-based buffer over-read in function d_expression_1 in cp-demangle.c", "Description": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. It is a heap-based buffer over-read in d_expression_1 in cp-demangle.c after many recursive calls.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107147", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89395", 
@@ -3282,56 +3357,6 @@ "https://support.f5.com/csp/article/K13534168" ] }, - { - "VulnerabilityID": "CVE-2019-9077", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: heap-based buffer overflow in function process_mips_specific in readelf.c", - "Description": "An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/107139", - "https://security.netapp.com/advisory/ntap-20190314-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24243", - "https://support.f5.com/csp/article/K00056379" - ] - }, - { - "VulnerabilityID": "CVE-2014-8737", - "PkgName": "binutils", - "InstalledVersion": "2.20.51.0.2-5.48.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "binutils: directory traversal vulnerability", - "Description": "Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. 
(dot dot) or full path name in an archive to ar.", - "Severity": "LOW", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145256.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145352.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145746.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147346.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147354.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148427.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148438.html", - "http://secunia.com/advisories/62241", - "http://secunia.com/advisories/62746", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:029", - "http://www.openwall.com/lists/oss-security/2014/11/13/1", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", - "http://www.securityfocus.com/bid/70908", - "http://www.ubuntu.com/usn/USN-2496-1", - "https://bugzilla.redhat.com/show_bug.cgi?id=1162655", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737", - "https://security.gentoo.org/glsa/201612-24", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17533", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17552", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dd9b91de2149ee81d47f708e7b0bbf57da10ad42" - ] - }, { "VulnerabilityID": "CVE-2016-3189", "PkgName": "bzip2", 
@@ -3339,9 +3364,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bzip2: heap use after free in bzip2recover", "Description": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/06/20/1", "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", @@ -3359,9 +3385,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "bzip2: heap use after free in bzip2recover", "Description": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/06/20/1", "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", 
@@ -3372,6 +3399,37 @@ "https://security.gentoo.org/glsa/201708-08" ] }, + { + "VulnerabilityID": "CVE-2016-2781", + "PkgName": "coreutils", + "InstalledVersion": "8.4-47.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", + "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "Severity": "MEDIUM", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/02/28/2", + "http://www.openwall.com/lists/oss-security/2016/02/28/3" + ] + }, + { + "VulnerabilityID": "CVE-2017-18018", + "PkgName": "coreutils", + "InstalledVersion": "8.4-47.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "coreutils: race condition vulnerability in chown and chgrp", + "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", + "Severity": "MEDIUM", + "References": [ + "http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2014-9471", "PkgName": "coreutils", 
@@ -3379,9 +3437,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "coreutils: memory corruption flaw in parse_datetime()", "Description": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://advisories.mageia.org/MGASA-2015-0029.html", "http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872", @@ -3403,6 +3462,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "coreutils: \"time of check to time of use\" race condition fts.c", "Description": "fts.c in coreutils 8.4 allows local users to delete arbitrary files.", "Severity": "LOW", @@ -3419,9 +3479,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "coreutils: heap buffer overflow in sort(1) keycompare_mb()", - "Description": "No description is available for this CVE.", - "Severity": "LOW" + "Description": "The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2015/05/15/1", + "https://bugzilla.suse.com/show_bug.cgi?id=928749", + "https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940" + ] }, { "VulnerabilityID": "CVE-2015-4042", 
@@ -3430,20 +3496,26 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "coreutils: possible buffer overflow in keycompare_mb()", - "Description": "No description is available for this CVE.", - "Severity": "LOW" + "Description": "Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2015/05/15/1", + "https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940" + ] }, { "VulnerabilityID": "CVE-2016-2781", - "PkgName": "coreutils", + "PkgName": "coreutils-libs", "InstalledVersion": "8.4-47.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/28/2", "http://www.openwall.com/lists/oss-security/2016/02/28/3" 
@@ -3451,14 +3523,15 @@ }, { "VulnerabilityID": "CVE-2017-18018", - "PkgName": "coreutils", + "PkgName": "coreutils-libs", "InstalledVersion": "8.4-47.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "coreutils: race condition vulnerability in chown and chgrp", "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html" ] @@ -3470,9 +3543,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "coreutils: memory corruption flaw in parse_datetime()", "Description": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://advisories.mageia.org/MGASA-2015-0029.html", "http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872", @@ -3494,6 +3568,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "coreutils: \"time of check to time of use\" race condition fts.c", "Description": "fts.c in coreutils 8.4 allows local users to delete arbitrary files.", "Severity": "LOW", 
@@ -3510,9 +3585,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "coreutils: heap buffer overflow in sort(1) keycompare_mb()", - "Description": "No description is available for this CVE.", - "Severity": "LOW" + "Description": "The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2015/05/15/1", + "https://bugzilla.suse.com/show_bug.cgi?id=928749", + "https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940" + ] }, { "VulnerabilityID": "CVE-2015-4042", 
@@ -3521,37 +3602,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "coreutils: possible buffer overflow in keycompare_mb()", - "Description": "No description is available for this CVE.", - "Severity": "LOW" - }, - { - "VulnerabilityID": "CVE-2016-2781", - "PkgName": "coreutils-libs", - "InstalledVersion": "8.4-47.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", - "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "Description": "Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings.", "Severity": "LOW", "References": [ - "http://www.openwall.com/lists/oss-security/2016/02/28/2", - "http://www.openwall.com/lists/oss-security/2016/02/28/3" - ] - }, - { - "VulnerabilityID": "CVE-2017-18018", - "PkgName": "coreutils-libs", - "InstalledVersion": "8.4-47.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "coreutils: race condition vulnerability in chown and chgrp", - "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "Severity": "LOW", - "References": [ - "http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html" + "http://openwall.com/lists/oss-security/2015/05/15/1", + 
"https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940" ] }, { @@ -3561,10 +3618,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "cpio: heap-based buffer overflow flaw in list_file()", "Description": "Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2014-9112.html", + "http://linux.oracle.com/errata/ELSA-2015-2108.html", "http://seclists.org/fulldisclosure/2014/Nov/74", "http://secunia.com/advisories/60167", "http://secunia.com/advisories/62145", @@ -3579,25 +3639,6 @@ "https://savannah.gnu.org/bugs/?43709" ] }, - { - "VulnerabilityID": "CVE-2016-2037", - "PkgName": "cpio", - "InstalledVersion": "2.10-13.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "cpio: out of bounds write", - "Description": "The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2016/dsa-3483", - "http://www.openwall.com/lists/oss-security/2016/01/19/4", - "http://www.openwall.com/lists/oss-security/2016/01/22/4", - "http://www.securityfocus.com/bid/82293", - "http://www.securitytracker.com/id/1035067", - "http://www.ubuntu.com/usn/USN-2906-1" - ] - }, { "VulnerabilityID": "CVE-2015-1197", "PkgName": "cpio", 
@@ -3605,6 +3646,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "cpio: directory traversal through symlinks", "Description": "cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.", "Severity": "LOW", @@ -3620,6 +3662,26 @@ "https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html" ] }, + { + "VulnerabilityID": "CVE-2016-2037", + "PkgName": "cpio", + "InstalledVersion": "2.10-13.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "cpio: out of bounds write", + "Description": "The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.", + "Severity": "LOW", + "References": [ + "http://www.debian.org/security/2016/dsa-3483", + "http://www.openwall.com/lists/oss-security/2016/01/19/4", + "http://www.openwall.com/lists/oss-security/2016/01/22/4", + "http://www.securityfocus.com/bid/82293", + "http://www.securitytracker.com/id/1035067", + "http://www.ubuntu.com/usn/USN-2906-1" + ] + }, { "VulnerabilityID": "CVE-2016-6318", "PkgName": "cracklib", 
@@ -3627,9 +3689,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "cracklib: Stack-based buffer overflow when parsing large GECOS field", "Description": "Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2016-08/msg00122.html", "http://www.openwall.com/lists/oss-security/2016/08/16/2", @@ -3645,9 +3708,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "cracklib: Stack-based buffer overflow when parsing large GECOS field", "Description": "Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2016-08/msg00122.html", "http://www.openwall.com/lists/oss-security/2016/08/16/2", 
@@ -3656,132 +3720,6 @@ "https://security.gentoo.org/glsa/201612-25" ] }, - { - "VulnerabilityID": "CVE-2018-14618", - "PkgName": "curl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: NTLM password overflow via integer overflow", - "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. 
(This bug is almost identical to CVE-2017-8816.)", - "Severity": "CRITICAL", - "References": [ - "http://www.securitytracker.com/id/1041605", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618", - "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", - "https://curl.haxx.se/docs/CVE-2018-14618.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014", - "https://security.gentoo.org/glsa/201903-03", - "https://usn.ubuntu.com/3765-1/", - "https://usn.ubuntu.com/3765-2/", - "https://www.debian.org/security/2018/dsa-4286" - ] - }, - { - "VulnerabilityID": "CVE-2016-7167", - "PkgName": "curl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: escape and unescape integer overflows", - "Description": "Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/92975", - "http://www.securitytracker.com/id/1036813", - "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2016\u0026m=slackware-security.538632", - "https://access.redhat.com/errata/RHSA-2017:2016", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/docs/adv_20160914.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167", - "https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B3IU2FRXQNU6UJIQT4NGLWWTP2GJQXO7/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTH54DFOS4TSYPG5XKJDGAG4XPAR4T7M/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMRWVISG7VUCYRMF23A2UHMYD72VQWAK/", - "https://security.gentoo.org/glsa/201701-47" - ] - }, - { - "VulnerabilityID": "CVE-2016-8618", - "PkgName": "curl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: Double-free in curl_maprintf", - "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94098", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", - "https://curl.haxx.se/docs/adv_20161102D.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8619", - "PkgName": "curl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: Double-free in krb5 code", - "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", - "Severity": "HIGH", - "References": [ - 
"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94100", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", - "https://curl.haxx.se/CVE-2016-8619.patch", - "https://curl.haxx.se/docs/adv_20161102E.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2018-1000120", - "PkgName": "curl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: FTP path trickery leads to NIL byte out of bounds write", - "Description": "A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/103414", - "http://www.securitytracker.com/id/1040531", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3157", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://access.redhat.com/errata/RHSA-2019:1543", - "https://curl.haxx.se/docs/adv_2018-9cd6.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120", - "https://lists.debian.org/debian-lts-announce/2018/03/msg00012.html", - "https://usn.ubuntu.com/3598-1/", - "https://usn.ubuntu.com/3598-2/", - "https://www.debian.org/security/2018/dsa-4136", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" - ] - }, { 
"VulnerabilityID": "CVE-2015-3153", "PkgName": "curl", @@ -3789,6 +3727,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: sensitive HTTP server headers also sent to proxies", "Description": "The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.", "Severity": "MEDIUM", 
@@ -3810,38 +3749,6 @@ "https://support.apple.com/kb/HT205031" ] }, - { - "VulnerabilityID": "CVE-2016-0755", - "PkgName": "curl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: NTLM credentials not-checked for proxy connection re-use", - "Description": "The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.", - "Severity": "MEDIUM", - "References": [ - "http://curl.haxx.se/docs/adv_20160127A.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176546.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177342.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177383.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176413.html", - "http://lists.opensuse.org/opensuse-updates/2016-02/msg00031.html", - "http://lists.opensuse.org/opensuse-updates/2016-02/msg00044.html", - "http://lists.opensuse.org/opensuse-updates/2016-02/msg00047.html", - "http://packetstormsecurity.com/files/135695/Slackware-Security-Advisory-curl-Updates.html", - "http://www.debian.org/security/2016/dsa-3455", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/82307", - "http://www.securitytracker.com/id/1034882", - "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2016\u0026m=slackware-security.519965", - "http://www.ubuntu.com/usn/USN-2882-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755", - "https://security.gentoo.org/glsa/201701-47", - "https://support.apple.com/HT207170" - ] - }, { 
"VulnerabilityID": "CVE-2016-5419", "PkgName": "curl", @@ -3849,10 +3756,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: TLS session resumption client cert bypass", "Description": "curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5419.html", + "http://linux.oracle.com/errata/ELSA-2016-2575.html", "http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html", "http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html", "http://rhn.redhat.com/errata/RHSA-2016-2575.html", 
@@ -3875,6 +3785,253 @@ "https://www.tenable.com/security/tns-2016-18" ] }, + { + "VulnerabilityID": "CVE-2016-8615", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.el6_9", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "curl: Cookie injection for other servers", + "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8615.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94096", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615", + "https://curl.haxx.se/CVE-2016-8615.patch", + "https://curl.haxx.se/docs/adv_20161102A.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8617", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.el6_9", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "curl: Out-of-bounds write via unchecked multiplication", + "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8617.html", + 
"http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94097", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617", + "https://curl.haxx.se/CVE-2016-8617.patch", + "https://curl.haxx.se/docs/adv_20161102C.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8618", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.el6_9", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "curl: Double-free in curl_maprintf", + "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8618.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94098", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", + "https://curl.haxx.se/docs/adv_20161102D.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8619", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.el6_9", + "Layer": { + 
"DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "curl: Double-free in krb5 code", + "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8619.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94100", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", + "https://curl.haxx.se/CVE-2016-8619.patch", + "https://curl.haxx.se/docs/adv_20161102E.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8624", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.el6_9", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "curl: Invalid URL parsing with '#'", + "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. 
This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8624.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94103", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624", + "https://curl.haxx.se/docs/adv_20161102J.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8625", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.el6_9", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "curl: IDNA 2003 makes curl use wrong host", + "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8625.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.securityfocus.com/bid/94107", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625", + "https://curl.haxx.se/CVE-2016-8625.patch", + "https://curl.haxx.se/docs/adv_20161102K.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625", + 
"https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2017-1000254", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.el6_9", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "curl: FTP PWD response parser out of bounds read", + "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3992", + "http://www.securityfocus.com/bid/101115", + "http://www.securitytracker.com/id/1039509", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://curl.haxx.se/673d0cd8.patch", + "https://curl.haxx.se/docs/adv_20171004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254", + "https://security.gentoo.org/glsa/201712-04", + "https://support.apple.com/HT208331" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000120", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.el6_9", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "curl: FTP path trickery leads to NIL byte out of bounds write", + "Description": "A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000120.html", + "http://linux.oracle.com/errata/ELSA-2018-3157.html", + "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/103414", + "http://www.securitytracker.com/id/1040531", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3157", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://access.redhat.com/errata/RHSA-2019:1543", + "https://curl.haxx.se/docs/adv_2018-9cd6.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120", + "https://lists.debian.org/debian-lts-announce/2018/03/msg00012.html", + 
"https://usn.ubuntu.com/3598-1/", + "https://usn.ubuntu.com/3598-2/", + "https://www.debian.org/security/2018/dsa-4136", + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + ] + }, + { + "VulnerabilityID": "CVE-2016-0755", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.el6_9", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "curl: NTLM credentials not-checked for proxy connection re-use", + "Description": "The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.", + "Severity": "LOW", + "References": [ + "http://curl.haxx.se/docs/adv_20160127A.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176546.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177342.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177383.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176413.html", + "http://lists.opensuse.org/opensuse-updates/2016-02/msg00031.html", + "http://lists.opensuse.org/opensuse-updates/2016-02/msg00044.html", + "http://lists.opensuse.org/opensuse-updates/2016-02/msg00047.html", + "http://packetstormsecurity.com/files/135695/Slackware-Security-Advisory-curl-Updates.html", + "http://www.debian.org/security/2016/dsa-3455", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/82307", + "http://www.securitytracker.com/id/1034882", + "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2016\u0026m=slackware-security.519965", + "http://www.ubuntu.com/usn/USN-2882-1", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755", + "https://security.gentoo.org/glsa/201701-47", + "https://support.apple.com/HT207170" + ] + }, { "VulnerabilityID": "CVE-2016-5420", "PkgName": "curl", @@ -3882,10 +4039,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: Re-using connection with wrong client cert", "Description": "curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5420.html", + "http://linux.oracle.com/errata/ELSA-2016-2575.html", "http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html", "http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html", "http://rhn.redhat.com/errata/RHSA-2016-2575.html", @@ -3914,10 +4074,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: Incorrect reuse of client certificates", "Description": "curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-7141.html", + "http://linux.oracle.com/errata/ELSA-2016-2575.html", "http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html", "http://rhn.redhat.com/errata/RHSA-2016-2575.html", "http://rhn.redhat.com/errata/RHSA-2016-2957.html", 
@@ -3934,27 +4097,33 @@ ] }, { - "VulnerabilityID": "CVE-2016-8615", + "VulnerabilityID": "CVE-2016-7167", "PkgName": "curl", "InstalledVersion": "7.19.7-53.el6_9", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "curl: Cookie injection for other servers", - "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "curl: escape and unescape integer overflows", + "Description": "Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-7167.html", + "http://linux.oracle.com/errata/ELSA-2017-2016.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94096", - "http://www.securitytracker.com/id/1037192", + "http://www.securityfocus.com/bid/92975", + "http://www.securitytracker.com/id/1036813", + "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2016\u0026m=slackware-security.538632", + "https://access.redhat.com/errata/RHSA-2017:2016", "https://access.redhat.com/errata/RHSA-2018:2486", "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615", - "https://curl.haxx.se/CVE-2016-8615.patch", - "https://curl.haxx.se/docs/adv_20161102A.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" + 
"https://curl.haxx.se/docs/adv_20160914.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167", + "https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B3IU2FRXQNU6UJIQT4NGLWWTP2GJQXO7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTH54DFOS4TSYPG5XKJDGAG4XPAR4T7M/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMRWVISG7VUCYRMF23A2UHMYD72VQWAK/", + "https://security.gentoo.org/glsa/201701-47" ] }, { @@ -3964,10 +4133,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: Case insensitive password comparison", "Description": "A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8616.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94094", "http://www.securitytracker.com/id/1037192", 
@@ -3981,30 +4153,6 @@ "https://www.tenable.com/security/tns-2016-21" ] }, - { - "VulnerabilityID": "CVE-2016-8617", - "PkgName": "curl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: Out-of-bounds write via unchecked multiplication", - "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94097", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617", - "https://curl.haxx.se/CVE-2016-8617.patch", - "https://curl.haxx.se/docs/adv_20161102C.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-8621", "PkgName": "curl", @@ -4012,10 +4160,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: curl_getdate out-of-bounds read", "Description": "The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8621.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94101", "http://www.securitytracker.com/id/1037192", 
@@ -4036,10 +4187,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: Use-after-free via shared cookies", "Description": "A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8623.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94106", "http://www.securitytracker.com/id/1037192", 
@@ -4053,52 +4207,6 @@ "https://www.tenable.com/security/tns-2016-21" ] }, - { - "VulnerabilityID": "CVE-2016-8624", - "PkgName": "curl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: Invalid URL parsing with '#'", - "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94103", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624", - "https://curl.haxx.se/docs/adv_20161102J.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8625", - "PkgName": "curl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: IDNA 2003 makes curl use wrong host", - "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/94107", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - 
"https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625", - "https://curl.haxx.se/CVE-2016-8625.patch", - "https://curl.haxx.se/docs/adv_20161102K.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-9586", "PkgName": "curl", @@ -4106,9 +4214,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: printf floating point buffer overflow", "Description": "curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/95019", 
@@ -4129,9 +4238,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: TFTP sends more than buffer size", "Description": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.debian.org/security/2017/dsa-3992", "http://www.securityfocus.com/bid/100286", 
@@ -4144,26 +4254,50 @@ ] }, { - "VulnerabilityID": "CVE-2017-1000254", + "VulnerabilityID": "CVE-2017-7407", "PkgName": "curl", "InstalledVersion": "7.19.7-53.el6_9", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "curl: FTP PWD response parser out of bounds read", - "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "curl: --write-out out of bounds read", + "Description": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.", + "Severity": "LOW", "References": [ - "http://www.debian.org/security/2017/dsa-3992", - "http://www.securityfocus.com/bid/101115", - "http://www.securitytracker.com/id/1039509", - "https://access.redhat.com/errata/RHSA-2018:2486", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/673d0cd8.patch", - "https://curl.haxx.se/docs/adv_20171004.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254", - "https://security.gentoo.org/glsa/201712-04", - "https://support.apple.com/HT208331" + "https://curl.haxx.se/docs/adv_20170403.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407", + "https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13", + "https://security.gentoo.org/glsa/201709-14" + ] + }, + { + "VulnerabilityID": "CVE-2018-14618", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.el6_9", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "curl: NTLM password overflow via integer overflow", + "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. 
The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-14618.html", + "http://linux.oracle.com/errata/ELSA-2019-1880.html", + "http://www.securitytracker.com/id/1041605", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2018-14618.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014", + "https://security.gentoo.org/glsa/201903-03", + "https://usn.ubuntu.com/3765-1/", + "https://usn.ubuntu.com/3765-2/", + "https://www.debian.org/security/2018/dsa-4286" ] }, { 
@@ -4173,10 +4307,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting", "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16842.html", + "http://linux.oracle.com/errata/ELSA-2019-2181.html", "http://www.securitytracker.com/id/1042014", "https://access.redhat.com/errata/RHSA-2019:2181", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842", @@ -4197,9 +4334,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function", "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", 
@@ -4209,25 +4347,6 @@ "https://security.netapp.com/advisory/ntap-20190606-0004/" ] }, - { - "VulnerabilityID": "CVE-2017-7407", - "PkgName": "curl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: --write-out out of bounds read", - "Description": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.", - "Severity": "LOW", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/docs/adv_20170403.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407", - "https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13", - "https://security.gentoo.org/glsa/201709-14" - ] - }, { "VulnerabilityID": "CVE-2017-10140", "PkgName": "db4", @@ -4235,6 +4354,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libdb: Reads DB_CONFIG from the current working directory", "Description": "Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.", "Severity": "MEDIUM", 
@@ -4252,6 +4372,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libdb: Reads DB_CONFIG from the current working directory", "Description": "Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.", "Severity": "MEDIUM", 
@@ -4263,20 +4384,30 @@ ] }, { - "VulnerabilityID": "CVE-2011-2533", + "VulnerabilityID": "CVE-2019-12749", "PkgName": "dbus-libs", "InstalledVersion": "1:1.2.24-9.el6", + "FixedVersion": "1:1.2.24-11.el6_10", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "dbus: Possibility of symlink attack in /tmp during compilation", - "Description": "The configure script in D-Bus (aka DBus) 1.2.x before 1.2.28 allows local users to overwrite arbitrary files via a symlink attack on an unspecified file in /tmp/.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass", + "Description": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. 
In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.", + "Severity": "HIGH", "References": [ - "http://cgit.freedesktop.org/dbus/dbus/tree/NEWS?h=dbus-1.2", - "http://www.securitytracker.com/id?1025720", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2533", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/68173" + "http://linux.oracle.com/cve/CVE-2019-12749.html", + "http://linux.oracle.com/errata/ELSA-2019-3707.html", + "http://www.openwall.com/lists/oss-security/2019/06/11/2", + "http://www.securityfocus.com/bid/108751", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00005.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/", + "https://seclists.org/bugtraq/2019/Jun/16", + "https://usn.ubuntu.com/4015-1/", + "https://usn.ubuntu.com/4015-2/", + "https://www.debian.org/security/2019/dsa-4462", + "https://www.openwall.com/lists/oss-security/2019/06/11/2" ] }, { 
@@ -4286,9 +4417,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service flaw in dbus-daemon", "Description": "The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0266.html", "http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8\u0026id=24c590703ca47eb71ddef453de43126b90954567", @@ -4312,9 +4444,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in file descriptor passing feature", "Description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0294.html", "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", 
@@ -4336,9 +4469,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service when forwarding invalid file descriptors", "Description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0294.html", "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", @@ -4354,6 +4488,24 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533" ] }, + { + "VulnerabilityID": "CVE-2011-2533", + "PkgName": "dbus-libs", + "InstalledVersion": "1:1.2.24-9.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "dbus: Possibility of symlink attack in /tmp during compilation", + "Description": "The configure script in D-Bus (aka DBus) 1.2.x before 1.2.28 allows local users to overwrite arbitrary files via a symlink attack on an unspecified file in /tmp/.", + "Severity": "LOW", + "References": [ + "http://cgit.freedesktop.org/dbus/dbus/tree/NEWS?h=dbus-1.2", + "http://www.securitytracker.com/id?1025720", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2533", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/68173" + ] + }, { "VulnerabilityID": "CVE-2014-3636", "PkgName": "dbus-libs", 
@@ -4361,6 +4513,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service by queuing or splitting file descriptors", "Description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.", "Severity": "LOW", @@ -4384,6 +4537,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service by creating unkillable D-Bus connections", "Description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.", "Severity": "LOW", @@ -4409,6 +4563,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in method call handling", "Description": "The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.", "Severity": "LOW", 
@@ -4434,6 +4589,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service flaw in incomplete connection handling", "Description": "The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.", "Severity": "LOW", 
@@ -4452,30 +4608,6 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3639" ] }, - { - "VulnerabilityID": "CVE-2019-12749", - "PkgName": "dbus-libs", - "InstalledVersion": "1:1.2.24-9.el6", - "FixedVersion": "1:1.2.24-11.el6_10", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass", - "Description": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.", - "Severity": "LOW", - "References": [ - "http://www.openwall.com/lists/oss-security/2019/06/11/2", - "http://www.securityfocus.com/bid/108751", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00005.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/", - "https://seclists.org/bugtraq/2019/Jun/16", - "https://usn.ubuntu.com/4015-1/", - "https://usn.ubuntu.com/4015-2/", - "https://www.debian.org/security/2019/dsa-4462", - "https://www.openwall.com/lists/oss-security/2019/06/11/2" - ] - }, { "VulnerabilityID": "CVE-2016-10254", "PkgName": "elfutils-libelf", 
@@ -4483,9 +4615,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in allocate_elf", "Description": "The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/2", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h/", @@ -4502,9 +4635,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)", "Description": "The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/1", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c/", 
@@ -4522,9 +4656,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the handle_gnu_hash function", "Description": "The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98608", @@ -4541,9 +4676,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the ebl_object_note_type_name function", "Description": "The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98609", @@ -4561,9 +4697,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in elf_compress.c", "Description": "elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609", 
@@ -4578,9 +4715,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_group function", "Description": "The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c", @@ -4597,9 +4735,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_symtab_shndx function", "Description": "The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c", 
@@ -4616,9 +4755,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_sysv_hash function", "Description": "The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_sysv_hash-elflint-c", @@ -4635,9 +4775,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: elflint.c does not validate the number of sections and segments", "Description": "elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-xcalloc-xmalloc-c", 
@@ -4654,10 +4795,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file", "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16062.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062", @@ -4674,10 +4818,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash", "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16403.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403", 
@@ -4693,10 +4840,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl", "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18310.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23752", @@ -4711,10 +4861,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: eu-size cannot handle recursive ar files", "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18520.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23787", 
@@ -4729,10 +4882,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c", "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18521.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23786", @@ -4747,10 +4903,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c", "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7150.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24103", 
@@ -4765,10 +4924,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h", "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7664.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664", "https://sourceware.org/bugzilla/show_bug.cgi?id=24084" @@ -4781,10 +4943,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c", "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7665.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24089", 
@@ -4792,6 +4957,61 @@ "https://usn.ubuntu.com/4012-1/" ] }, + { + "VulnerabilityID": "CVE-2012-6702", + "PkgName": "expat", + "InstalledVersion": "2.0.1-13.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "expat: Using XML_Parse before rand() results into non-random output", + "Description": "Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2016/dsa-3597", + "http://www.openwall.com/lists/oss-security/2016/06/03/8", + "http://www.openwall.com/lists/oss-security/2016/06/04/1", + "http://www.securityfocus.com/bid/91483", + "http://www.ubuntu.com/usn/USN-3010-1", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702", + "https://security.gentoo.org/glsa/201701-21", + "https://source.android.com/security/bulletin/2016-11-01.html", + "https://www.tenable.com/security/tns-2016-20" + ] + }, + { + "VulnerabilityID": "CVE-2013-0340", + "PkgName": "expat", + "InstalledVersion": "2.0.1-13.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "expat: internal entity expansion", + "Description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. 
NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", + "Severity": "MEDIUM", + "References": [ + "http://openwall.com/lists/oss-security/2013/02/22/3", + "http://securitytracker.com/id?1028213", + "http://www.openwall.com/lists/oss-security/2013/04/12/6", + "http://www.osvdb.org/90634", + "http://www.securityfocus.com/bid/58233", + "https://security.gentoo.org/glsa/201701-21" + ] + }, + { + "VulnerabilityID": "CVE-2013-0341", + "PkgName": "expat", + "InstalledVersion": "2.0.1-13.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "expat: external entity expansion", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "MEDIUM" + }, { "VulnerabilityID": "CVE-2015-2716", "PkgName": "expat", 
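Review bot: The CVE-2013-0341 object introduced in this hunk pins a withdrawn CVE as an expected finding: its Description starts with `** REJECT ** DO NOT USE THIS CANDIDATE NUMBER`, yet it carries `"Severity": "MEDIUM"` and no `References` array at all. Once this is in the golden output, reporting rejected candidates (and assigning them a MEDIUM rating with no advisory to back it) becomes asserted behaviour rather than a known gap, so every consumer of this fixture will treat that false positive as correct. It would be worth filtering rejected entries when the vulnerability DB is built, or at minimum recording this entry as a known false positive next to the fixture instead of a pinned expectation. The three expat objects here appear to be moved from a later position in the file (matching removals sit in the hunk at -4870), so apart from the added `SeveritySource` field their content looks unchanged.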
@@ -4799,10 +5019,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "Mozilla: Buffer overflow when parsing compressed XML (MFSA 2015-54)", + "SeveritySource": "redhat", + "Title": "expat: Integer overflow leading to buffer overflow in XML_GetBuffer()", "Description": "Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-2716.html", + "http://linux.oracle.com/errata/ELSA-2015-1012.html", "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html", "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00054.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00000.html", @@ -4832,9 +5055,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "expat: Little entropy used for hash initialization", "Description": "The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.debian.org/security/2016/dsa-3597", "http://www.openwall.com/lists/oss-security/2016/06/04/4", 
@@ -4856,9 +5080,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "firefox: Possible integer overflow to fix inside XML_Parse in Expat", "Description": "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox \u003c 50.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/94337", "http://www.securitytracker.com/id/1037298", 
@@ -4870,58 +5095,6 @@ "https://www.mozilla.org/security/advisories/mfsa2016-89/" ] }, - { - "VulnerabilityID": "CVE-2012-6702", - "PkgName": "expat", - "InstalledVersion": "2.0.1-13.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "expat: Using XML_Parse before rand() results into non-random output", - "Description": "Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2016/dsa-3597", - "http://www.openwall.com/lists/oss-security/2016/06/03/8", - "http://www.openwall.com/lists/oss-security/2016/06/04/1", - "http://www.securityfocus.com/bid/91483", - "http://www.ubuntu.com/usn/USN-3010-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702", - "https://security.gentoo.org/glsa/201701-21", - "https://source.android.com/security/bulletin/2016-11-01.html", - "https://www.tenable.com/security/tns-2016-20" - ] - }, - { - "VulnerabilityID": "CVE-2013-0340", - "PkgName": "expat", - "InstalledVersion": "2.0.1-13.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "expat: internal entity expansion", - "Description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. 
NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", - "Severity": "MEDIUM", - "References": [ - "http://openwall.com/lists/oss-security/2013/02/22/3", - "http://securitytracker.com/id?1028213", - "http://www.openwall.com/lists/oss-security/2013/04/12/6", - "http://www.osvdb.org/90634", - "http://www.securityfocus.com/bid/58233", - "https://security.gentoo.org/glsa/201701-21" - ] - }, - { - "VulnerabilityID": "CVE-2013-0341", - "PkgName": "expat", - "InstalledVersion": "2.0.1-13.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "expat: external entity expansion", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "MEDIUM" - }, { "VulnerabilityID": "CVE-2015-8865", "PkgName": "file", @@ -4929,9 +5102,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "file: Buffer over-write in finfo_open with malformed magic file", "Description": "The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://bugs.gw.com/view.php?id=522", "http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e", 
@@ -4963,9 +5137,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "file: out-of-bounds read via a crafted ELF file", "Description": "The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00027.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00053.html", @@ -4983,9 +5158,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "file: Buffer over-write in finfo_open with malformed magic file", "Description": "The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://bugs.gw.com/view.php?id=522", "http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e", 
@@ -5017,9 +5193,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "file: out-of-bounds read via a crafted ELF file", "Description": "The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00027.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00053.html", @@ -5030,27 +5207,6 @@ "https://usn.ubuntu.com/3686-2/" ] }, - { - "VulnerabilityID": "CVE-2015-2327", - "PkgName": "glib2", - "InstalledVersion": "2.28.8-10.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pcre: infinite recursion compiling pattern with zero-repeated groups that include recursive back reference (8.36/19)", - "Description": "PCRE before 8.36 mishandles the /(((a\\2)|(a*)\\g\u003c-1\u003e))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.fortiguard.com/advisory/FG-VD-15-010/", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/74924", - "https://bugs.exim.org/show_bug.cgi?id=1503", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2327", - "https://jira.mongodb.org/browse/SERVER-17252" - ] - }, { "VulnerabilityID": "CVE-2015-8385", "PkgName": "glib2", 
@@ -5058,10 +5214,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: buffer overflow caused by named forward reference to duplicate group number (8.38/30)", "Description": "PCRE before 8.38 mishandles the /(?|(\\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2015-8385.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -5075,119 +5234,6 @@ "https://security.gentoo.org/glsa/201607-02" ] }, - { - "VulnerabilityID": "CVE-2015-8386", - "PkgName": "glib2", - "InstalledVersion": "2.28.8-10.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pcre: Buffer overflow caused by lookbehind assertion (8.38/6)", - "Description": "PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/82990", - "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8386", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8387", - "PkgName": "glib2", - "InstalledVersion": "2.28.8-10.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pcre: Integer overflow in subroutine calls (8.38/8)", - "Description": "PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause 
a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8387", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8388", - "PkgName": "glib2", - "InstalledVersion": "2.28.8-10.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)", - "Description": "PCRE before 8.38 mishandles the /(?=di(?\u003c=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/85576", - 
"https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8388", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8390", - "PkgName": "glib2", - "InstalledVersion": "2.28.8-10.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pcre: uninitialized memory read triggered by malformed posix character class (8.38/22)", - "Description": "PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8390", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8394", - "PkgName": "glib2", - "InstalledVersion": "2.28.8-10.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", - "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular 
expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, { "VulnerabilityID": "CVE-2016-3191", "PkgName": "glib2", @@ -5195,10 +5241,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)", "Description": "The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2016-3191.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://vcs.pcre.org/pcre2?view=revision\u0026revision=489", "http://vcs.pcre.org/pcre?view=revision\u0026revision=1631", 
@@ -5215,41 +5264,6 @@ "https://www.tenable.com/security/tns-2016-18" ] }, - { - "VulnerabilityID": "CVE-2017-11164", - "PkgName": "glib2", - "InstalledVersion": "2.28.8-10.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", - "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "Severity": "HIGH", - "References": [ - "http://openwall.com/lists/oss-security/2017/07/11/3", - "http://www.securityfocus.com/bid/99575" - ] - }, - { - "VulnerabilityID": "CVE-2018-16428", - "PkgName": "glib2", - "InstalledVersion": "2.28.8-10.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glib2: NULL pointer dereference in g_markup_parse_context_end_parse() function in gmarkup.c", - "Description": "In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/105210", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16428", - "https://gitlab.gnome.org/GNOME/glib/commit/fccef3cc822af74699cca84cd202719ae61ca3b9", - "https://gitlab.gnome.org/GNOME/glib/issues/1364", - "https://lists.debian.org/debian-lts-announce/2019/07/msg00029.html", - "https://usn.ubuntu.com/3767-1/", - "https://usn.ubuntu.com/3767-2/" - ] - }, { "VulnerabilityID": "CVE-2012-0039", "PkgName": "glib2", 
@@ -5257,6 +5271,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glib2: hash table collisions CPU usage DoS", "Description": "** DISPUTED ** GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.", "Severity": "MEDIUM", 
@@ -5267,6 +5282,28 @@ "https://bugzilla.redhat.com/show_bug.cgi?id=772720" ] }, + { + "VulnerabilityID": "CVE-2015-2327", + "PkgName": "glib2", + "InstalledVersion": "2.28.8-10.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "pcre: infinite recursion compiling pattern with zero-repeated groups that include recursive back reference (8.36/19)", + "Description": "PCRE before 8.36 mishandles the /(((a\\2)|(a*)\\g\u003c-1\u003e))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://rhn.redhat.com/errata/RHSA-2016-2750.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.fortiguard.com/advisory/FG-VD-15-010/", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/74924", + "https://bugs.exim.org/show_bug.cgi?id=1503", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2327", + "https://jira.mongodb.org/browse/SERVER-17252" + ] + }, { "VulnerabilityID": "CVE-2015-3217", "PkgName": "glib2", 
@@ -5274,10 +5311,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: stack overflow caused by mishandled group empty match (8.38/11)", "Description": "PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-3217.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre?view=revision\u0026revision=1566", @@ -5298,10 +5338,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)", "Description": "Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-5073.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?revision=1609\u0026view=markup", 
@@ -5318,6 +5361,160 @@ "https://security.gentoo.org/glsa/201607-02" ] }, + { + "VulnerabilityID": "CVE-2015-8387", + "PkgName": "glib2", + "InstalledVersion": "2.28.8-10.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "pcre: Integer overflow in subroutine calls (8.38/8)", + "Description": "PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8387", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8388", + "PkgName": "glib2", + "InstalledVersion": "2.28.8-10.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)", + "Description": "PCRE before 8.38 mishandles the /(?=di(?\u003c=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript 
RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2015-8388.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-2750.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/85576", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8388", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8390", + "PkgName": "glib2", + "InstalledVersion": "2.28.8-10.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "pcre: uninitialized memory read triggered by malformed posix character class (8.38/22)", + "Description": "PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8390", + 
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8394", + "PkgName": "glib2", + "InstalledVersion": "2.28.8-10.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", + "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2019-9633", + "PkgName": "glib2", + "InstalledVersion": "2.28.8-10.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glib: g_socket_client_connected_callback in gio/gsocketclient.c allows to cause denial of service", + "Description": "gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service 
(g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/107391", + "https://gitlab.gnome.org/GNOME/glib/issues/1649" + ] + }, + { + "VulnerabilityID": "CVE-2015-8386", + "PkgName": "glib2", + "InstalledVersion": "2.28.8-10.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "pcre: Buffer overflow caused by lookbehind assertion (8.38/6)", + "Description": "PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2015-8386.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-2750.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/82990", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8386", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2017-11164", + "PkgName": 
"glib2", + "InstalledVersion": "2.28.8-10.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", + "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2017/07/11/3", + "http://www.securityfocus.com/bid/99575" + ] + }, { "VulnerabilityID": "CVE-2017-7244", "PkgName": "glib2", @@ -5325,9 +5522,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)", "Description": "The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -5343,9 +5541,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -5360,9 +5559,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -5370,6 +5570,27 @@ "https://security.gentoo.org/glsa/201710-25" ] }, + { + "VulnerabilityID": "CVE-2018-16428", + "PkgName": "glib2", + "InstalledVersion": "2.28.8-10.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glib2: NULL pointer dereference in g_markup_parse_context_end_parse() function in gmarkup.c", + "Description": "In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/105210", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16428", + "https://gitlab.gnome.org/GNOME/glib/commit/fccef3cc822af74699cca84cd202719ae61ca3b9", + "https://gitlab.gnome.org/GNOME/glib/issues/1364", + "https://lists.debian.org/debian-lts-announce/2019/07/msg00029.html", + "https://usn.ubuntu.com/3767-1/", + "https://usn.ubuntu.com/3767-2/" + ] + }, { "VulnerabilityID": "CVE-2018-16429", "PkgName": "glib2", 
@@ -5377,9 +5598,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glib2: Out-of-bounds read in g_markup_parse_context_parse() in gmarkup.c", "Description": "GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16429", "https://gitlab.gnome.org/GNOME/glib/commit/cec71705406f0b2790422f0c1aa0ff3b4b464b1b", 
@@ -5390,85 +5612,54 @@ ] }, { - "VulnerabilityID": "CVE-2019-9633", - "PkgName": "glib2", - "InstalledVersion": "2.28.8-10.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glib: g_socket_client_connected_callback in gio/gsocketclient.c allows to cause denial of service", - "Description": "gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/107391", - "https://gitlab.gnome.org/GNOME/glib/issues/1649" - ] - }, - { - "VulnerabilityID": "CVE-2017-16231", - "PkgName": "glib2", - "InstalledVersion": "2.28.8-10.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", - "Description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. 
NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", - "Severity": "LOW", - "References": [ - "http://packetstormsecurity.com/files/150897/PCRE-8.41-Buffer-Overflow.html", - "http://seclists.org/fulldisclosure/2018/Dec/33", - "http://www.openwall.com/lists/oss-security/2017/11/01/11", - "http://www.openwall.com/lists/oss-security/2017/11/01/3", - "http://www.openwall.com/lists/oss-security/2017/11/01/7", - "http://www.openwall.com/lists/oss-security/2017/11/01/8", - "http://www.securityfocus.com/bid/101688", - "https://bugs.exim.org/show_bug.cgi?id=2047" - ] - }, - { - "VulnerabilityID": "CVE-2017-16997", + "VulnerabilityID": "CVE-2018-1000001", "PkgName": "glibc", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries", - "Description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. 
NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.", - "Severity": "CRITICAL", - "References": [ - "http://www.securityfocus.com/bid/102228", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3092", - "https://bugs.debian.org/884615", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16997", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22625", - "https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html" - ] - }, - { - "VulnerabilityID": "CVE-2010-0015", - "PkgName": "glibc", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glibc NIS password hash disclosure", - "Description": "nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.", + "SeveritySource": "redhat", + "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation", + "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", "Severity": "HIGH", "References": [ - "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560333", - "http://marc.info/?l=oss-security\u0026m=126320356003425\u0026w=2", - "http://marc.info/?l=oss-security\u0026m=126320570505651\u0026w=2", - "http://sourceware.org/bugzilla/show_bug.cgi?id=11134", - "http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062\u0026view=markup", - 
"http://www.mandriva.com/security/advisories?name=MDVSA-2010:111", - "http://www.mandriva.com/security/advisories?name=MDVSA-2010:112", - "http://www.openwall.com/lists/oss-security/2010/01/07/3", - "http://www.openwall.com/lists/oss-security/2010/01/08/1", - "http://www.openwall.com/lists/oss-security/2010/01/08/2", - "http://www.openwall.com/lists/oss-security/2010/01/11/6", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0015", - "https://lists.opensuse.org/opensuse-security-announce/2010-10/msg00007.html" + "http://linux.oracle.com/cve/CVE-2018-1000001.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", + "http://seclists.org/oss-sec/2018/q1/38", + "http://www.securityfocus.com/bid/102525", + "http://www.securitytracker.com/id/1040162", + "https://access.redhat.com/errata/RHSA-2018:0805", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000001", + "https://security.netapp.com/advisory/ntap-20190404-0003/", + "https://usn.ubuntu.com/3534-1/", + "https://usn.ubuntu.com/3536-1/", + "https://www.exploit-db.com/exploits/43775/", + "https://www.exploit-db.com/exploits/44889/", + "https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/" + ] + }, + { + "VulnerabilityID": "CVE-2009-5155", + "PkgName": "glibc", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", + "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", + "Severity": "MEDIUM", + "References": [ + 
"http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=11053", + "https://sourceware.org/bugzilla/show_bug.cgi?id=18986", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672", + "https://support.f5.com/csp/article/K64119434" ] }, { @@ -5478,9 +5669,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: strcoll() integer overflow leading to buffer overflow", "Description": "Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", "http://seclists.org/fulldisclosure/2019/Jun/18", 
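Review bot: The expected output in this hunk removes the CVE-2017-16231 entry for glib2 without a replacement, and the later hunks `@@ -5497,78 +5689,91 @@` and `@@ -5679,74 +5869,30 @@` likewise remove CVE-2014-4043, CVE-2014-9402, CVE-2016-4429, CVE-2010-4051 and CVE-2010-4052 for glibc; none of these IDs is re-added anywhere in this chunk, whereas the other removals here (CVE-2019-9633, CVE-2017-16997, CVE-2010-0015) are only moves. A golden file regenerated from the new trivy-db matches by construction, so the test alone cannot distinguish a deliberate upstream removal from a detection regression, and the commit record gives no reason for the disappearances. A one-line rationale in the commit description, for example that the vendor feed no longer lists these advisories for glibc 2.12-1.212.el6, would make the fixture change reviewable; the severity downgrades that accompany the new `SeveritySource` field are consistent across the diff and need no such note. The `@@ -5679` hunk continues past the end of this chunk.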
@@ -5497,78 +5689,91 @@ ] }, { - "VulnerabilityID": "CVE-2014-4043", + "VulnerabilityID": "CVE-2012-4424", "PkgName": "glibc", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: posix_spawn_file_actions_addopen fails to copy the path argument", - "Description": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "glibc: alloca() stack overflow in the strcoll() interface", + "Description": "Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.", + "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.html", - "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", - "http://seclists.org/fulldisclosure/2019/Jun/18", - "http://www.mandriva.com/security/advisories?name=MDVSA-2014:152", - "http://www.securityfocus.com/bid/68006", - "https://bugzilla.redhat.com/show_bug.cgi?id=1109263", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/93784", - "https://seclists.org/bugtraq/2019/Jun/14", - "https://security.gentoo.org/glsa/201503-04", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17048", - 
"https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=ChangeLog;h=3020b9ac232315df362521aeaf85f21cb9926db8;hp=d86e73963dd9fb5e21b1a28326630337226812aa;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=posix/spawn_faction_addopen.c;h=40800b8e6e81341501c0fb8a91009529e2048dec;hp=47f62425b696a4fdd511b2a057746322eb6518db;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89e435f3559c53084498e9baad22172b64429362" + "http://sourceware.org/bugzilla/show_bug.cgi?id=14547", + "http://www.mandriva.com/security/advisories?name=MDVSA-2013:283", + "http://www.mandriva.com/security/advisories?name=MDVSA-2013:284", + "http://www.openwall.com/lists/oss-security/2012/09/13/16", + "http://www.ubuntu.com/usn/USN-1991-1", + "https://bugzilla.redhat.com/show_bug.cgi?id=858238", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4424", + "https://security.gentoo.org/glsa/201503-04" ] }, { - "VulnerabilityID": "CVE-2014-9402", + "VulnerabilityID": "CVE-2015-8983", "PkgName": "glibc", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: denial of service in getnetbyname function", - "Description": "The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "glibc: _IO_wstr_overflow integer overflow", + "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to 
cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.", + "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html", - "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", - "http://seclists.org/fulldisclosure/2019/Jun/18", - "http://www.openwall.com/lists/oss-security/2014/12/18/1", - "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", - "http://www.securityfocus.com/bid/71670", - "http://www.ubuntu.com/usn/USN-2519-1", - "https://access.redhat.com/errata/RHSA-2018:0805", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402", - "https://seclists.org/bugtraq/2019/Jun/14", - "https://security.gentoo.org/glsa/201602-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17630" + "http://www.openwall.com/lists/oss-security/2017/02/14/9", + "http://www.securityfocus.com/bid/72740", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17269", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33", + "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" ] }, { - "VulnerabilityID": "CVE-2016-4429", + "VulnerabilityID": "CVE-2016-1234", "PkgName": "glibc", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()", - "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.", - "Severity": "HIGH", + 
"SeveritySource": "redhat", + "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory", + "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.", + "Severity": "MEDIUM", "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html", "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", - "http://www-01.ibm.com/support/docview.wss?uid=swg21995039", - "http://www.securityfocus.com/bid/102073", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429", - "https://source.android.com/security/bulletin/2017-12-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20112", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c", - "https://usn.ubuntu.com/3759-1/", - "https://usn.ubuntu.com/3759-2/" + "http://www.openwall.com/lists/oss-security/2016/03/07/16", + "http://www.securityfocus.com/bid/84204", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234", + "https://security.gentoo.org/glsa/201702-11", + "https://sourceware.org/bugzilla/show_bug.cgi?id=19779", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea" + ] + }, + { + "VulnerabilityID": "CVE-2017-16997", + "PkgName": "glibc", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries", + "Description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged 
(setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2017-16997.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", + "http://www.securityfocus.com/bid/102228", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3092", + "https://bugs.debian.org/884615", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16997", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22625", + "https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html" ] }, { @@ -5578,9 +5783,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: memory leak in sunrpc when decoding malformed XDR", "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2017/05/05/2", "http://www.securityfocus.com/bid/98339", 
@@ -5589,30 +5795,6 @@ "https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html" ] }, - { - "VulnerabilityID": "CVE-2018-1000001", - "PkgName": "glibc", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation", - "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", - "Severity": "HIGH", - "References": [ - "http://seclists.org/oss-sec/2018/q1/38", - "http://www.securityfocus.com/bid/102525", - "http://www.securitytracker.com/id/1040162", - "https://access.redhat.com/errata/RHSA-2018:0805", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000001", - "https://security.netapp.com/advisory/ntap-20190404-0003/", - "https://usn.ubuntu.com/3534-1/", - "https://usn.ubuntu.com/3536-1/", - "https://www.exploit-db.com/exploits/43775/", - "https://www.exploit-db.com/exploits/44889/", - "https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/" - ] - }, { "VulnerabilityID": "CVE-2018-11236", "PkgName": "glibc", 
@@ -5620,10 +5802,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow", "Description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-11236.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/104255", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", 
@@ -5642,17 +5827,21 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, @@ -5663,9 +5852,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.securityfocus.com/bid/107160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", 
@@ -5679,74 +5869,30 @@ ] }, { - "VulnerabilityID": "CVE-2009-5155", + "VulnerabilityID": "CVE-2010-0015", "PkgName": "glibc", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", - "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "glibc NIS password hash disclosure", + "Description": "nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.", + "Severity": "LOW", "References": [ - "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=11053", - "https://sourceware.org/bugzilla/show_bug.cgi?id=18986", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672", - "https://support.f5.com/csp/article/K64119434" - ] - }, - { - "VulnerabilityID": "CVE-2010-4051", - "PkgName": "glibc", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": 
"sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine", - "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", - "Severity": "MEDIUM", - "References": [ - "http://cxib.net/stuff/proftpd.gnu.c", - "http://seclists.org/fulldisclosure/2011/Jan/78", - "http://secunia.com/advisories/42547", - "http://securityreason.com/achievement_securityalert/93", - "http://securityreason.com/securityalert/8003", - "http://securitytracker.com/id?1024832", - "http://www.exploit-db.com/exploits/15935", - "http://www.kb.cert.org/vuls/id/912279", - "http://www.securityfocus.com/archive/1/515589/100/0/threaded", - "http://www.securityfocus.com/bid/45233", - "https://bugzilla.redhat.com/show_bug.cgi?id=645859" - ] - }, - { - "VulnerabilityID": "CVE-2010-4052", - "PkgName": "glibc", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine", - "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.", - "Severity": "MEDIUM", - "References": [ - 
"http://cxib.net/stuff/proftpd.gnu.c", - "http://seclists.org/fulldisclosure/2011/Jan/78", - "http://secunia.com/advisories/42547", - "http://securityreason.com/achievement_securityalert/93", - "http://securityreason.com/securityalert/8003", - "http://securitytracker.com/id?1024832", - "http://www.exploit-db.com/exploits/15935", - "http://www.kb.cert.org/vuls/id/912279", - "http://www.securityfocus.com/archive/1/515589/100/0/threaded", - "http://www.securityfocus.com/bid/45233", - "https://bugzilla.redhat.com/show_bug.cgi?id=645859" + "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560333", + "http://marc.info/?l=oss-security\u0026m=126320356003425\u0026w=2", + "http://marc.info/?l=oss-security\u0026m=126320570505651\u0026w=2", + "http://sourceware.org/bugzilla/show_bug.cgi?id=11134", + "http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062\u0026view=markup", + "http://www.mandriva.com/security/advisories?name=MDVSA-2010:111", + "http://www.mandriva.com/security/advisories?name=MDVSA-2010:112", + "http://www.openwall.com/lists/oss-security/2010/01/07/3", + "http://www.openwall.com/lists/oss-security/2010/01/08/1", + "http://www.openwall.com/lists/oss-security/2010/01/08/2", + "http://www.openwall.com/lists/oss-security/2010/01/11/6", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0015", + "https://lists.opensuse.org/opensuse-security-announce/2010-10/msg00007.html" ] }, { 
@@ -5756,9 +5902,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/glob-0day.c", "http://securityreason.com/achievement_securityalert/89", 
@@ -5766,24 +5913,24 @@ ] }, { - "VulnerabilityID": "CVE-2012-4424", + "VulnerabilityID": "CVE-2011-5320", "PkgName": "glibc", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: alloca() stack overflow in the strcoll() interface", - "Description": "Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "glibc: scanf implementation crashes on certain inputs", + "Description": "scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s.", + "Severity": "LOW", "References": [ - "http://sourceware.org/bugzilla/show_bug.cgi?id=14547", - "http://www.mandriva.com/security/advisories?name=MDVSA-2013:283", - "http://www.mandriva.com/security/advisories?name=MDVSA-2013:284", - "http://www.openwall.com/lists/oss-security/2012/09/13/16", - "http://www.ubuntu.com/usn/USN-1991-1", - "https://bugzilla.redhat.com/show_bug.cgi?id=858238", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4424", - "https://security.gentoo.org/glsa/201503-04" + "http://www.openwall.com/lists/oss-security/2015/03/12/14", + "https://bugzilla.redhat.com/show_bug.cgi?id=1196745", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5320", + "https://marc.info/?l=gimp-developer\u0026m=129567990905823\u0026w=2", + "https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c4", + "https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=20b38e0", + "https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0" ] }, { 
@@ -5793,9 +5940,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: PTR_MANGLE does not initialize to a random value for the pointer guard when compiling static executables", "Description": "The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://hmarco.org/bugs/CVE-2013-4788.html", "http://seclists.org/fulldisclosure/2015/Sep/23", 
@@ -5807,6 +5955,34 @@ "https://security.gentoo.org/glsa/201503-04" ] }, + { + "VulnerabilityID": "CVE-2014-4043", + "PkgName": "glibc", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: posix_spawn_file_actions_addopen fails to copy the path argument", + "Description": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.html", + "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", + "http://seclists.org/fulldisclosure/2019/Jun/18", + "http://www.mandriva.com/security/advisories?name=MDVSA-2014:152", + "http://www.securityfocus.com/bid/68006", + "https://bugzilla.redhat.com/show_bug.cgi?id=1109263", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/93784", + "https://seclists.org/bugtraq/2019/Jun/14", + "https://security.gentoo.org/glsa/201503-04", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17048", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=ChangeLog;h=3020b9ac232315df362521aeaf85f21cb9926db8;hp=d86e73963dd9fb5e21b1a28326630337226812aa;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=posix/spawn_faction_addopen.c;h=40800b8e6e81341501c0fb8a91009529e2048dec;hp=47f62425b696a4fdd511b2a057746322eb6518db;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", + 
"https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89e435f3559c53084498e9baad22172b64429362" + ] + }, { "VulnerabilityID": "CVE-2014-8121", "PkgName": "glibc", @@ -5814,10 +5990,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: Unexpected closing of nss_files databases after lookups causes denial of service", "Description": "DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2014-8121.html", + "http://linux.oracle.com/errata/ELSA-2015-0327.html", "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00019.html", "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html", "http://rhn.redhat.com/errata/RHSA-2015-0327.html", 
@@ -5830,6 +6009,34 @@ "https://sourceware.org/ml/libc-alpha/2015-02/msg00617.html" ] }, + { + "VulnerabilityID": "CVE-2014-9402", + "PkgName": "glibc", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: denial of service in getnetbyname function", + "Description": "The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2014-9402.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", + "http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html", + "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", + "http://seclists.org/fulldisclosure/2019/Jun/18", + "http://www.openwall.com/lists/oss-security/2014/12/18/1", + "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", + "http://www.securityfocus.com/bid/71670", + "http://www.ubuntu.com/usn/USN-2519-1", + "https://access.redhat.com/errata/RHSA-2018:0805", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402", + "https://seclists.org/bugtraq/2019/Jun/14", + "https://security.gentoo.org/glsa/201602-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17630" + ] + }, { "VulnerabilityID": "CVE-2015-5180", "PkgName": "glibc", 
@@ -5837,10 +6044,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: DNS resolver NULL pointer dereference with crafted record type", "Description": "res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2015-5180.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://www.securityfocus.com/bid/99324", "http://www.ubuntu.com/usn/USN-3239-1", "http://www.ubuntu.com/usn/USN-3239-2", 
@@ -5854,6 +6064,38 @@ "https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html" ] }, + { + "VulnerabilityID": "CVE-2015-8777", + "PkgName": "glibc", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: LD_POINTER_GUARD in the environment is not sanitized", + "Description": "The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.", + "Severity": "LOW", + "References": [ + "http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html", + "http://linux.oracle.com/cve/CVE-2015-8777.html", + "http://linux.oracle.com/errata/ELSA-2017-1916.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177404.html", + "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html", + "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00037.html", + "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00038.html", + "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00039.html", + "http://www.debian.org/security/2016/dsa-3480", + "http://www.openwall.com/lists/oss-security/2016/01/20/1", + "http://www.securityfocus.com/bid/81469", + "http://www.securitytracker.com/id/1034811", + "http://www.ubuntu.com/usn/USN-2985-1", + "http://www.ubuntu.com/usn/USN-2985-2", + "https://access.redhat.com/errata/RHSA-2017:1916", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777", + "https://security.gentoo.org/glsa/201702-11", + "https://sourceware.org/bugzilla/show_bug.cgi?id=18928" + ] + }, { "VulnerabilityID": "CVE-2015-8982", "PkgName": "glibc", 
@@ -5861,9 +6103,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: multiple overflows in strxfrm()", "Description": "Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2015/02/13/3", "http://www.openwall.com/lists/oss-security/2017/02/14/9", @@ -5873,25 +6116,6 @@ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed" ] }, - { - "VulnerabilityID": "CVE-2015-8983", - "PkgName": "glibc", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glibc: _IO_wstr_overflow integer overflow", - "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/02/14/9", - "http://www.securityfocus.com/bid/72740", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17269", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33", - "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" - ] - }, { "VulnerabilityID": "CVE-2015-8984", "PkgName": "glibc", 
@@ -5899,9 +6123,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: potential denial of service in internal_fnmatch()", "Description": "The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2015/02/26/5", "http://www.openwall.com/lists/oss-security/2017/02/14/9", @@ -5919,9 +6144,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", 
@@ -5937,37 +6163,16 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", "https://sourceware.org/bugzilla/show_bug.cgi?id=19519" ] }, - { - "VulnerabilityID": "CVE-2016-1234", - "PkgName": "glibc", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory", - "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.", - "Severity": "MEDIUM", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html", - "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", - "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", - "http://www.openwall.com/lists/oss-security/2016/03/07/16", - "http://www.securityfocus.com/bid/84204", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234", - "https://security.gentoo.org/glsa/201702-11", - "https://sourceware.org/bugzilla/show_bug.cgi?id=19779", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea" - ] - }, { "VulnerabilityID": "CVE-2016-3075", "PkgName": "glibc", 
@@ -5975,10 +6180,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: Stack overflow in nss_dns_getnetbyname_r", "Description": "Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-3075.html", + "http://linux.oracle.com/errata/ELSA-2016-2573.html", "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html", "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", @@ -5998,9 +6206,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: stack (frame) overflow in getaddrinfo() when called with AF_INET, AF_INET6 (incomplete fix for CVE-2013-4458)", "Description": "Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", 
@@ -6013,6 +6222,30 @@ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9" ] }, + { + "VulnerabilityID": "CVE-2016-4429", + "PkgName": "glibc", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()", + "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", + "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", + "http://www-01.ibm.com/support/docview.wss?uid=swg21995039", + "http://www.securityfocus.com/bid/102073", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429", + "https://source.android.com/security/bulletin/2017-12-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20112", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c", + "https://usn.ubuntu.com/3759-1/", + "https://usn.ubuntu.com/3759-2/" + ] + }, { "VulnerabilityID": "CVE-2017-12132", "PkgName": "glibc", 
@@ -6020,10 +6253,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2017-12132.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://www.securityfocus.com/bid/100598", "https://access.redhat.com/errata/RHSA-2018:0805", "https://arxiv.org/pdf/1205.4011.pdf", @@ -6038,9 +6274,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: Memory leak in glob with GLOB_TILDE", "Description": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101517", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671", 
@@ -6048,98 +6285,54 @@ ] }, { - "VulnerabilityID": "CVE-2011-5320", - "PkgName": "glibc", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glibc: scanf implementation crashes on certain inputs", - "Description": "scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s.", - "Severity": "LOW", - "References": [ - "http://www.openwall.com/lists/oss-security/2015/03/12/14", - "https://bugzilla.redhat.com/show_bug.cgi?id=1196745", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5320", - "https://marc.info/?l=gimp-developer\u0026m=129567990905823\u0026w=2", - "https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c4", - "https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=20b38e0", - "https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0" - ] - }, - { - "VulnerabilityID": "CVE-2015-8777", - "PkgName": "glibc", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glibc: LD_POINTER_GUARD in the environment is not sanitized", - "Description": "The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.", - "Severity": "LOW", - "References": [ - "http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177404.html", - "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html", - "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00037.html", - "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00038.html", - 
"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00039.html", - "http://www.debian.org/security/2016/dsa-3480", - "http://www.openwall.com/lists/oss-security/2016/01/20/1", - "http://www.securityfocus.com/bid/81469", - "http://www.securitytracker.com/id/1034811", - "http://www.ubuntu.com/usn/USN-2985-1", - "http://www.ubuntu.com/usn/USN-2985-2", - "https://access.redhat.com/errata/RHSA-2017:1916", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777", - "https://security.gentoo.org/glsa/201702-11", - "https://sourceware.org/bugzilla/show_bug.cgi?id=18928" - ] - }, - { - "VulnerabilityID": "CVE-2017-16997", + "VulnerabilityID": "CVE-2018-1000001", "PkgName": "glibc-common", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries", - "Description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. 
NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.", - "Severity": "CRITICAL", - "References": [ - "http://www.securityfocus.com/bid/102228", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3092", - "https://bugs.debian.org/884615", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16997", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22625", - "https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html" - ] - }, - { - "VulnerabilityID": "CVE-2010-0015", - "PkgName": "glibc-common", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glibc NIS password hash disclosure", - "Description": "nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.", + "SeveritySource": "redhat", + "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation", + "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", "Severity": "HIGH", "References": [ - "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560333", - "http://marc.info/?l=oss-security\u0026m=126320356003425\u0026w=2", - "http://marc.info/?l=oss-security\u0026m=126320570505651\u0026w=2", - "http://sourceware.org/bugzilla/show_bug.cgi?id=11134", - "http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062\u0026view=markup", - 
"http://www.mandriva.com/security/advisories?name=MDVSA-2010:111", - "http://www.mandriva.com/security/advisories?name=MDVSA-2010:112", - "http://www.openwall.com/lists/oss-security/2010/01/07/3", - "http://www.openwall.com/lists/oss-security/2010/01/08/1", - "http://www.openwall.com/lists/oss-security/2010/01/08/2", - "http://www.openwall.com/lists/oss-security/2010/01/11/6", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0015", - "https://lists.opensuse.org/opensuse-security-announce/2010-10/msg00007.html" + "http://linux.oracle.com/cve/CVE-2018-1000001.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", + "http://seclists.org/oss-sec/2018/q1/38", + "http://www.securityfocus.com/bid/102525", + "http://www.securitytracker.com/id/1040162", + "https://access.redhat.com/errata/RHSA-2018:0805", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000001", + "https://security.netapp.com/advisory/ntap-20190404-0003/", + "https://usn.ubuntu.com/3534-1/", + "https://usn.ubuntu.com/3536-1/", + "https://www.exploit-db.com/exploits/43775/", + "https://www.exploit-db.com/exploits/44889/", + "https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/" + ] + }, + { + "VulnerabilityID": "CVE-2009-5155", + "PkgName": "glibc-common", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", + "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", + "Severity": "MEDIUM", + "References": [ + 
"http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=11053", + "https://sourceware.org/bugzilla/show_bug.cgi?id=18986", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672", + "https://support.f5.com/csp/article/K64119434" ] }, { @@ -6149,9 +6342,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: strcoll() integer overflow leading to buffer overflow", "Description": "Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", "http://seclists.org/fulldisclosure/2019/Jun/18", 
@@ -6168,78 +6362,91 @@ ] }, { - "VulnerabilityID": "CVE-2014-4043", + "VulnerabilityID": "CVE-2012-4424", "PkgName": "glibc-common", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: posix_spawn_file_actions_addopen fails to copy the path argument", - "Description": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "glibc: alloca() stack overflow in the strcoll() interface", + "Description": "Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.", + "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.html", - "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", - "http://seclists.org/fulldisclosure/2019/Jun/18", - "http://www.mandriva.com/security/advisories?name=MDVSA-2014:152", - "http://www.securityfocus.com/bid/68006", - "https://bugzilla.redhat.com/show_bug.cgi?id=1109263", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/93784", - "https://seclists.org/bugtraq/2019/Jun/14", - "https://security.gentoo.org/glsa/201503-04", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17048", - 
"https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=ChangeLog;h=3020b9ac232315df362521aeaf85f21cb9926db8;hp=d86e73963dd9fb5e21b1a28326630337226812aa;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=posix/spawn_faction_addopen.c;h=40800b8e6e81341501c0fb8a91009529e2048dec;hp=47f62425b696a4fdd511b2a057746322eb6518db;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89e435f3559c53084498e9baad22172b64429362" + "http://sourceware.org/bugzilla/show_bug.cgi?id=14547", + "http://www.mandriva.com/security/advisories?name=MDVSA-2013:283", + "http://www.mandriva.com/security/advisories?name=MDVSA-2013:284", + "http://www.openwall.com/lists/oss-security/2012/09/13/16", + "http://www.ubuntu.com/usn/USN-1991-1", + "https://bugzilla.redhat.com/show_bug.cgi?id=858238", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4424", + "https://security.gentoo.org/glsa/201503-04" ] }, { - "VulnerabilityID": "CVE-2014-9402", + "VulnerabilityID": "CVE-2015-8983", "PkgName": "glibc-common", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: denial of service in getnetbyname function", - "Description": "The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "glibc: _IO_wstr_overflow integer overflow", + "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent 
attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.", + "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html", - "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", - "http://seclists.org/fulldisclosure/2019/Jun/18", - "http://www.openwall.com/lists/oss-security/2014/12/18/1", - "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", - "http://www.securityfocus.com/bid/71670", - "http://www.ubuntu.com/usn/USN-2519-1", - "https://access.redhat.com/errata/RHSA-2018:0805", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402", - "https://seclists.org/bugtraq/2019/Jun/14", - "https://security.gentoo.org/glsa/201602-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17630" + "http://www.openwall.com/lists/oss-security/2017/02/14/9", + "http://www.securityfocus.com/bid/72740", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17269", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33", + "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" ] }, { - "VulnerabilityID": "CVE-2016-4429", + "VulnerabilityID": "CVE-2016-1234", "PkgName": "glibc-common", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()", - "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.", - 
"Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory", + "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.", + "Severity": "MEDIUM", "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html", "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", - "http://www-01.ibm.com/support/docview.wss?uid=swg21995039", - "http://www.securityfocus.com/bid/102073", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429", - "https://source.android.com/security/bulletin/2017-12-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20112", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c", - "https://usn.ubuntu.com/3759-1/", - "https://usn.ubuntu.com/3759-2/" + "http://www.openwall.com/lists/oss-security/2016/03/07/16", + "http://www.securityfocus.com/bid/84204", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234", + "https://security.gentoo.org/glsa/201702-11", + "https://sourceware.org/bugzilla/show_bug.cgi?id=19779", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea" + ] + }, + { + "VulnerabilityID": "CVE-2017-16997", + "PkgName": "glibc-common", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries", + "Description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing 
$ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2017-16997.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", + "http://www.securityfocus.com/bid/102228", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3092", + "https://bugs.debian.org/884615", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16997", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22625", + "https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html" ] }, { @@ -6249,9 +6456,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: memory leak in sunrpc when decoding malformed XDR", "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2017/05/05/2", "http://www.securityfocus.com/bid/98339", 
@@ -6260,30 +6468,6 @@ "https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html" ] }, - { - "VulnerabilityID": "CVE-2018-1000001", - "PkgName": "glibc-common", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation", - "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", - "Severity": "HIGH", - "References": [ - "http://seclists.org/oss-sec/2018/q1/38", - "http://www.securityfocus.com/bid/102525", - "http://www.securitytracker.com/id/1040162", - "https://access.redhat.com/errata/RHSA-2018:0805", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000001", - "https://security.netapp.com/advisory/ntap-20190404-0003/", - "https://usn.ubuntu.com/3534-1/", - "https://usn.ubuntu.com/3536-1/", - "https://www.exploit-db.com/exploits/43775/", - "https://www.exploit-db.com/exploits/44889/", - "https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/" - ] - }, { "VulnerabilityID": "CVE-2018-11236", "PkgName": "glibc-common", 
@@ -6291,10 +6475,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow", "Description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-11236.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/104255", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", 
@@ -6313,17 +6500,21 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, @@ -6334,9 +6525,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.securityfocus.com/bid/107160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", 
@@ -6350,74 +6542,30 @@ ] }, { - "VulnerabilityID": "CVE-2009-5155", + "VulnerabilityID": "CVE-2010-0015", "PkgName": "glibc-common", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", - "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "glibc NIS password hash disclosure", + "Description": "nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.", + "Severity": "LOW", "References": [ - "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=11053", - "https://sourceware.org/bugzilla/show_bug.cgi?id=18986", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672", - "https://support.f5.com/csp/article/K64119434" - ] - }, - { - "VulnerabilityID": "CVE-2010-4051", - "PkgName": "glibc-common", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": 
"sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine", - "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", - "Severity": "MEDIUM", - "References": [ - "http://cxib.net/stuff/proftpd.gnu.c", - "http://seclists.org/fulldisclosure/2011/Jan/78", - "http://secunia.com/advisories/42547", - "http://securityreason.com/achievement_securityalert/93", - "http://securityreason.com/securityalert/8003", - "http://securitytracker.com/id?1024832", - "http://www.exploit-db.com/exploits/15935", - "http://www.kb.cert.org/vuls/id/912279", - "http://www.securityfocus.com/archive/1/515589/100/0/threaded", - "http://www.securityfocus.com/bid/45233", - "https://bugzilla.redhat.com/show_bug.cgi?id=645859" - ] - }, - { - "VulnerabilityID": "CVE-2010-4052", - "PkgName": "glibc-common", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine", - "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.", - "Severity": "MEDIUM", - "References": [ - 
"http://cxib.net/stuff/proftpd.gnu.c", - "http://seclists.org/fulldisclosure/2011/Jan/78", - "http://secunia.com/advisories/42547", - "http://securityreason.com/achievement_securityalert/93", - "http://securityreason.com/securityalert/8003", - "http://securitytracker.com/id?1024832", - "http://www.exploit-db.com/exploits/15935", - "http://www.kb.cert.org/vuls/id/912279", - "http://www.securityfocus.com/archive/1/515589/100/0/threaded", - "http://www.securityfocus.com/bid/45233", - "https://bugzilla.redhat.com/show_bug.cgi?id=645859" + "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560333", + "http://marc.info/?l=oss-security\u0026m=126320356003425\u0026w=2", + "http://marc.info/?l=oss-security\u0026m=126320570505651\u0026w=2", + "http://sourceware.org/bugzilla/show_bug.cgi?id=11134", + "http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062\u0026view=markup", + "http://www.mandriva.com/security/advisories?name=MDVSA-2010:111", + "http://www.mandriva.com/security/advisories?name=MDVSA-2010:112", + "http://www.openwall.com/lists/oss-security/2010/01/07/3", + "http://www.openwall.com/lists/oss-security/2010/01/08/1", + "http://www.openwall.com/lists/oss-security/2010/01/08/2", + "http://www.openwall.com/lists/oss-security/2010/01/11/6", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0015", + "https://lists.opensuse.org/opensuse-security-announce/2010-10/msg00007.html" ] }, { 
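Review bot: CVE-2010-4051 and CVE-2010-4052 are deleted from the glibc-common results in this hunk and, unlike CVE-2009-5155 (which reappears in the MEDIUM group earlier in the file), they do not surface again in any visible hunk, so the expected finding count for this image drops by two without the commit saying why. If the updated trivy-db dropped them because Red Hat's data treats RHEL 6 glibc as not affected or "will not fix", that deserves one sentence in the commit message, because a finding that silently vanishes from a golden file is indistinguishable from a detection regression to the next reviewer. If that is not the reason, the deletion needs a second look before the fixture is accepted. The same hunk also re-labels the NIS password-hash disclosure CVE-2010-0015 as LOW on Red Hat's scale, which is consistent with the rest of the change.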
@@ -6427,9 +6575,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/glob-0day.c", "http://securityreason.com/achievement_securityalert/89", 
@@ -6437,24 +6586,24 @@ ] }, { - "VulnerabilityID": "CVE-2012-4424", + "VulnerabilityID": "CVE-2011-5320", "PkgName": "glibc-common", "InstalledVersion": "2.12-1.212.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "glibc: alloca() stack overflow in the strcoll() interface", - "Description": "Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "glibc: scanf implementation crashes on certain inputs", + "Description": "scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s.", + "Severity": "LOW", "References": [ - "http://sourceware.org/bugzilla/show_bug.cgi?id=14547", - "http://www.mandriva.com/security/advisories?name=MDVSA-2013:283", - "http://www.mandriva.com/security/advisories?name=MDVSA-2013:284", - "http://www.openwall.com/lists/oss-security/2012/09/13/16", - "http://www.ubuntu.com/usn/USN-1991-1", - "https://bugzilla.redhat.com/show_bug.cgi?id=858238", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4424", - "https://security.gentoo.org/glsa/201503-04" + "http://www.openwall.com/lists/oss-security/2015/03/12/14", + "https://bugzilla.redhat.com/show_bug.cgi?id=1196745", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5320", + "https://marc.info/?l=gimp-developer\u0026m=129567990905823\u0026w=2", + "https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c4", + "https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=20b38e0", + "https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0" ] }, { 
@@ -6464,9 +6613,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: PTR_MANGLE does not initialize to a random value for the pointer guard when compiling static executables", "Description": "The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://hmarco.org/bugs/CVE-2013-4788.html", "http://seclists.org/fulldisclosure/2015/Sep/23", 
@@ -6478,6 +6628,34 @@ "https://security.gentoo.org/glsa/201503-04" ] }, + { + "VulnerabilityID": "CVE-2014-4043", + "PkgName": "glibc-common", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: posix_spawn_file_actions_addopen fails to copy the path argument", + "Description": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.html", + "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", + "http://seclists.org/fulldisclosure/2019/Jun/18", + "http://www.mandriva.com/security/advisories?name=MDVSA-2014:152", + "http://www.securityfocus.com/bid/68006", + "https://bugzilla.redhat.com/show_bug.cgi?id=1109263", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/93784", + "https://seclists.org/bugtraq/2019/Jun/14", + "https://security.gentoo.org/glsa/201503-04", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17048", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=ChangeLog;h=3020b9ac232315df362521aeaf85f21cb9926db8;hp=d86e73963dd9fb5e21b1a28326630337226812aa;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=posix/spawn_faction_addopen.c;h=40800b8e6e81341501c0fb8a91009529e2048dec;hp=47f62425b696a4fdd511b2a057746322eb6518db;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", + 
"https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89e435f3559c53084498e9baad22172b64429362" + ] + }, { "VulnerabilityID": "CVE-2014-8121", "PkgName": "glibc-common", @@ -6485,10 +6663,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: Unexpected closing of nss_files databases after lookups causes denial of service", "Description": "DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2014-8121.html", + "http://linux.oracle.com/errata/ELSA-2015-0327.html", "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00019.html", "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html", "http://rhn.redhat.com/errata/RHSA-2015-0327.html", 
@@ -6501,6 +6682,34 @@ "https://sourceware.org/ml/libc-alpha/2015-02/msg00617.html" ] }, + { + "VulnerabilityID": "CVE-2014-9402", + "PkgName": "glibc-common", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: denial of service in getnetbyname function", + "Description": "The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2014-9402.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", + "http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html", + "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", + "http://seclists.org/fulldisclosure/2019/Jun/18", + "http://www.openwall.com/lists/oss-security/2014/12/18/1", + "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", + "http://www.securityfocus.com/bid/71670", + "http://www.ubuntu.com/usn/USN-2519-1", + "https://access.redhat.com/errata/RHSA-2018:0805", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402", + "https://seclists.org/bugtraq/2019/Jun/14", + "https://security.gentoo.org/glsa/201602-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17630" + ] + }, { "VulnerabilityID": "CVE-2015-5180", "PkgName": "glibc-common", 
@@ -6508,10 +6717,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: DNS resolver NULL pointer dereference with crafted record type", "Description": "res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2015-5180.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://www.securityfocus.com/bid/99324", "http://www.ubuntu.com/usn/USN-3239-1", "http://www.ubuntu.com/usn/USN-3239-2", 
@@ -6525,6 +6737,38 @@ "https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html" ] }, + { + "VulnerabilityID": "CVE-2015-8777", + "PkgName": "glibc-common", + "InstalledVersion": "2.12-1.212.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "glibc: LD_POINTER_GUARD in the environment is not sanitized", + "Description": "The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.", + "Severity": "LOW", + "References": [ + "http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html", + "http://linux.oracle.com/cve/CVE-2015-8777.html", + "http://linux.oracle.com/errata/ELSA-2017-1916.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177404.html", + "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html", + "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00037.html", + "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00038.html", + "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00039.html", + "http://www.debian.org/security/2016/dsa-3480", + "http://www.openwall.com/lists/oss-security/2016/01/20/1", + "http://www.securityfocus.com/bid/81469", + "http://www.securitytracker.com/id/1034811", + "http://www.ubuntu.com/usn/USN-2985-1", + "http://www.ubuntu.com/usn/USN-2985-2", + "https://access.redhat.com/errata/RHSA-2017:1916", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777", + "https://security.gentoo.org/glsa/201702-11", + "https://sourceware.org/bugzilla/show_bug.cgi?id=18928" + ] + }, { "VulnerabilityID": "CVE-2015-8982", "PkgName": "glibc-common", 
@@ -6532,9 +6776,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: multiple overflows in strxfrm()", "Description": "Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2015/02/13/3", "http://www.openwall.com/lists/oss-security/2017/02/14/9", @@ -6544,25 +6789,6 @@ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed" ] }, - { - "VulnerabilityID": "CVE-2015-8983", - "PkgName": "glibc-common", - "InstalledVersion": "2.12-1.212.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "glibc: _IO_wstr_overflow integer overflow", - "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/02/14/9", - "http://www.securityfocus.com/bid/72740", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17269", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33", - "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" - ] - }, { "VulnerabilityID": "CVE-2015-8984", "PkgName": "glibc-common", 
@@ -6570,9 +6796,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: potential denial of service in internal_fnmatch()", "Description": "The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2015/02/26/5", "http://www.openwall.com/lists/oss-security/2017/02/14/9", @@ -6590,9 +6817,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", 
@@ -6608,37 +6836,16 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "glibc: iconv program can hang when invoked with the -c option",
 "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://openwall.com/lists/oss-security/2017/03/01/10",
 "http://www.securityfocus.com/bid/96525",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=19519"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-1234",
- "PkgName": "glibc-common",
- "InstalledVersion": "2.12-1.212.el6",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory",
- "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.",
- "Severity": "MEDIUM",
- "References": [
- "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html",
- "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html",
- "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html",
- "http://www.openwall.com/lists/oss-security/2016/03/07/16",
- "http://www.securityfocus.com/bid/84204",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234",
- "https://security.gentoo.org/glsa/201702-11",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=19779",
- "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea"
- ]
- },
 {
 "VulnerabilityID": "CVE-2016-3075",
 "PkgName": "glibc-common",
@@ -6646,10 +6853,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "glibc: Stack overflow in nss_dns_getnetbyname_r",
 "Description": "Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-3075.html",
+ "http://linux.oracle.com/errata/ELSA-2016-2573.html",
 "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html",
 "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html",
 "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html",
@@ -6669,9 +6879,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "glibc: stack (frame) overflow in getaddrinfo() when called with AF_INET, AF_INET6 (incomplete fix for CVE-2013-4458)",
 "Description": "Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html",
 "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html",
@@ -6684,6 +6895,30 @@
 "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2016-4429",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.12-1.212.el6",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()",
+ "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.",
+ "Severity": "LOW",
+ "References": [
+ "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html",
+ "http://www-01.ibm.com/support/docview.wss?uid=swg21995039",
+ "http://www.securityfocus.com/bid/102073",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429",
+ "https://source.android.com/security/bulletin/2017-12-01",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=20112",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c",
+ "https://usn.ubuntu.com/3759-1/",
+ "https://usn.ubuntu.com/3759-2/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2017-12132",
 "PkgName": "glibc-common",
@@ -6691,10 +6926,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled",
 "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2017-12132.html",
+ "http://linux.oracle.com/errata/ELSA-2018-0805.html",
 "http://www.securityfocus.com/bid/100598",
 "https://access.redhat.com/errata/RHSA-2018:0805",
 "https://arxiv.org/pdf/1205.4011.pdf",
@@ -6709,64 +6947,16 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "glibc: Memory leak in glob with GLOB_TILDE",
 "Description": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/101517",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=22325"
 ]
 },
- {
- "VulnerabilityID": "CVE-2011-5320",
- "PkgName": "glibc-common",
- "InstalledVersion": "2.12-1.212.el6",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "glibc: scanf implementation crashes on certain inputs",
- "Description": "scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s.",
- "Severity": "LOW",
- "References": [
- "http://www.openwall.com/lists/oss-security/2015/03/12/14",
- "https://bugzilla.redhat.com/show_bug.cgi?id=1196745",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5320",
- "https://marc.info/?l=gimp-developer\u0026m=129567990905823\u0026w=2",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=13138#c4",
- "https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=20b38e0",
- "https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0"
- ]
- },
- {
- "VulnerabilityID": "CVE-2015-8777",
- "PkgName": "glibc-common",
- "InstalledVersion": "2.12-1.212.el6",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "glibc: LD_POINTER_GUARD in the environment is not sanitized",
- "Description": "The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.",
- "Severity": "LOW",
- "References": [
- "http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html",
- "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177404.html",
- "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html",
- "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00037.html",
- "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00038.html",
- "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00039.html",
- "http://www.debian.org/security/2016/dsa-3480",
- "http://www.openwall.com/lists/oss-security/2016/01/20/1",
- "http://www.securityfocus.com/bid/81469",
- "http://www.securitytracker.com/id/1034811",
- "http://www.ubuntu.com/usn/USN-2985-1",
- "http://www.ubuntu.com/usn/USN-2985-2",
- "https://access.redhat.com/errata/RHSA-2017:1916",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777",
- "https://security.gentoo.org/glsa/201702-11",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=18928"
- ]
- },
 {
 "VulnerabilityID": "CVE-2014-4617",
 "PkgName": "gnupg2",
@@ -6774,6 +6964,7 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gnupg: infinite loop when decompressing data packets",
 "Description": "The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.",
 "Severity": "MEDIUM",
@@ -6793,22 +6984,6 @@
 "http://www.ubuntu.com/usn/USN-2258-1"
 ]
 },
- {
- "VulnerabilityID": "CVE-2018-9234",
- "PkgName": "gnupg2",
- "InstalledVersion": "2.0.14-9.el6_10",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys",
- "Description": "GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.",
- "Severity": "MEDIUM",
- "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234",
- "https://dev.gnupg.org/T3844",
- "https://usn.ubuntu.com/3675-1/"
- ]
- },
 {
 "VulnerabilityID": "CVE-2019-13050",
 "PkgName": "gnupg2",
@@ -6816,6 +6991,7 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "GnuPG: interaction between the sks-keyserver code and GnuPG allows for a Certificate Spamming Attack which leads to persistent DoS",
 "Description": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.",
 "Severity": "MEDIUM",
@@ -6833,9 +7009,17 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)",
- "Description": "No description is available for this CVE.",
- "Severity": "LOW"
+ "Description": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.",
+ "Severity": "LOW",
+ "References": [
+ "http://www.cs.tau.ac.il/~tromer/radioexp/",
+ "http://www.debian.org/security/2015/dsa-3184",
+ "http://www.debian.org/security/2015/dsa-3185",
+ "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html",
+ "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html"
+ ]
 },
 {
 "VulnerabilityID": "CVE-2015-0837",
@@ -6844,11 +7028,17 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "libgcrypt: last-level cache side-channel attack",
- "Description": "No description is available for this CVE.",
+ "Description": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"",
 "Severity": "LOW",
 "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837"
+ "http://www.debian.org/security/2015/dsa-3184",
+ "http://www.debian.org/security/2015/dsa-3185",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837",
+ "https://ieeexplore.ieee.org/document/7163050",
+ "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html",
+ "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html"
 ]
 },
 {
@@ -6858,10 +7048,17 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gnupg2: invalid memory read using a garbled keyring",
- "Description": "No description is available for this CVE.",
+ "Description": "The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.",
 "Severity": "LOW",
 "References": [
+ "http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648",
+ "http://www.debian.org/security/2015/dsa-3184",
+ "http://www.openwall.com/lists/oss-security/2015/02/13/14",
+ "http://www.openwall.com/lists/oss-security/2015/02/14/6",
+ "http://www.securitytracker.com/id/1031876",
+ "https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1606"
 ]
 },
@@ -6872,11 +7069,38 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gnupg2: memcpy with overlapping ranges (keybox_search.c)",
- "Description": "No description is available for this CVE.",
+ "Description": "kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and \"memcpy with overlapping ranges.\"",
 "Severity": "LOW",
 "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1607"
+ "http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392",
+ "http://www.openwall.com/lists/oss-security/2015/02/13/14",
+ "http://www.openwall.com/lists/oss-security/2015/02/14/6",
+ "http://www.securityfocus.com/bid/72610",
+ "http://www.ubuntu.com/usn/usn-2554-1/",
+ "https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1607",
+ "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000361.html",
+ "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000362.html",
+ "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2018-9234",
+ "PkgName": "gnupg2",
+ "InstalledVersion": "2.0.14-9.el6_10",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys",
+ "Description": "GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.",
+ "Severity": "LOW",
+ "References": [
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234",
+ "https://dev.gnupg.org/T3844",
+ "https://usn.ubuntu.com/3675-1/"
 ]
 },
 {
@@ -6886,9 +7110,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gpgme: heap-based buffer overflow in gpgsm status handler",
 "Description": "Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to \"different line lengths in a specific order.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77",
 "http://seclists.org/oss-sec/2014/q3/266",
@@ -6906,6 +7131,7 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "groff: improper handling of failed attempts to create temporary directories in eqn2graph/pic2graph/grap2graph",
 "Description": "The (1) contrib/eqn2graph/eqn2graph.sh, (2) contrib/grap2graph/grap2graph.sh, and (3) contrib/pic2graph/pic2graph.sh scripts in GNU troff (aka groff) 1.21 and earlier do not properly handle certain failed attempts to create temporary directories, which might allow local users to overwrite arbitrary files via a symlink attack on a file in a temporary directory, a different vulnerability than CVE-2004-1296.",
 "Severity": "LOW",
@@ -6919,6 +7145,27 @@
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5080"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2011-0283",
+ "PkgName": "krb5-libs",
+ "InstalledVersion": "1.10.3-65.el6",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "krb5: uninitialized pointer use in krb5kdc leads to KDC crash",
+ "Description": "The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request packet that does not trigger a response packet.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://secunia.com/advisories/43260",
+ "http://securityreason.com/securityalert/8073",
+ "http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt",
+ "http://www.securityfocus.com/archive/1/516299/100/0/threaded",
+ "http://www.securityfocus.com/bid/46272",
+ "http://www.securitytracker.com/id?1025037",
+ "http://www.vupen.com/english/advisories/2011/0330"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2011-4151",
 "PkgName": "krb5-libs",
@@ -6926,9 +7173,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "CVE-2011-1527 CVE-2011-1528 CVE-2011-1529 CVE-2011-4151 krb5: KDC denial of service vulnerabilities (MITKRB5-SA-2011-006)",
 "Description": "The krb5_db2_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4, when the db2 (aka Berkeley DB) back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, a different vulnerability than CVE-2011-1528.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt",
 "http://www.kb.cert.org/vuls/id/659251",
@@ -6936,6 +7184,36 @@
 "https://exchange.xforce.ibmcloud.com/vulnerabilities/70891"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2014-5351",
+ "PkgName": "krb5-libs",
+ "InstalledVersion": "1.10.3-65.el6",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "krb5: current keys returned when randomizing the keys for a service principal",
+ "Description": "The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://advisories.mageia.org/MGASA-2014-0477.html",
+ "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html",
+ "http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html",
+ "http://security.gentoo.org/glsa/glsa-201412-53.xml",
+ "http://www.mandriva.com/security/advisories?name=MDVSA-2014:224",
+ "http://www.securityfocus.com/bid/70380",
+ "http://www.securitytracker.com/id/1031003",
+ "http://www.ubuntu.com/usn/USN-2498-1",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=1145425",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351",
+ "https://exchange.xforce.ibmcloud.com/vulnerabilities/97028",
+ "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca",
+ "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2015-2695",
 "PkgName": "krb5-libs",
@@ -6943,9 +7221,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "krb5: SPNEGO context aliasing bugs",
 "Description": "lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244",
 "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00006.html",
@@ -6968,9 +7247,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "krb5: IAKERB context aliasing flaw",
 "Description": "lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted IAKERB packet that is mishandled during a gss_inquire_context call.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244",
 "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00006.html",
@@ -6985,44 +7265,6 @@
 "https://security.gentoo.org/glsa/201611-14"
 ]
 },
- {
- "VulnerabilityID": "CVE-2017-11462",
- "PkgName": "krb5-libs",
- "InstalledVersion": "1.10.3-65.el6",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "krb5: Automatic sec context deletion could lead to double-free",
- "Description": "Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.",
- "Severity": "HIGH",
- "References": [
- "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598",
- "https://bugzilla.redhat.com/show_bug.cgi?id=1488873",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11462",
- "https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2011-0283",
- "PkgName": "krb5-libs",
- "InstalledVersion": "1.10.3-65.el6",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "krb5: uninitialized pointer use in krb5kdc leads to KDC crash",
- "Description": "The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request packet that does not trigger a response packet.",
- "Severity": "MEDIUM",
- "References": [
- "http://secunia.com/advisories/43260",
- "http://securityreason.com/securityalert/8073",
- "http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt",
- "http://www.securityfocus.com/archive/1/516299/100/0/threaded",
- "http://www.securityfocus.com/bid/46272",
- "http://www.securitytracker.com/id?1025037",
- "http://www.vupen.com/english/advisories/2011/0330"
- ]
- },
 {
 "VulnerabilityID": "CVE-2015-2697",
 "PkgName": "krb5-libs",
@@ -7030,6 +7272,7 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "krb5: build_principal() memory flaw",
 "Description": "The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '\\0' character in a long realm field within a TGS request.",
 "Severity": "MEDIUM",
@@ -7048,6 +7291,72 @@
 "https://security.gentoo.org/glsa/201611-14"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2017-11368",
+ "PkgName": "krb5-libs",
+ "InstalledVersion": "1.10.3-65.el6",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure",
+ "Description": "In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2017-11368.html",
+ "http://linux.oracle.com/errata/ELSA-2018-0666.html",
+ "http://www.securityfocus.com/bid/100291",
+ "https://access.redhat.com/errata/RHSA-2018:0666",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11368",
+ "https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HNWXM6OQU7G23MG7XWIOBRGP43ECLDT/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBUTXMNZWMVJLQ4NDX5OQFPUVCJRLV3W/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2018-20217",
+ "PkgName": "krb5-libs",
+ "InstalledVersion": "1.10.3-65.el6",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "krb5: Reachable assertion in the KDC using S4U2Self requests",
+ "Description": "A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217",
+ "https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086",
+ "https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/",
+ "https://security.netapp.com/advisory/ntap-20190416-0006/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-3119",
+ "PkgName": "krb5-libs",
+ "InstalledVersion": "1.10.3-65.el6",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "krb5: null pointer dereference in kadmin",
+ "Description": "The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.",
+ "Severity": "LOW",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2016-3119.html",
+ "http://linux.oracle.com/errata/ELSA-2016-2591.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-04/msg00007.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-04/msg00055.html",
+ "http://rhn.redhat.com/errata/RHSA-2016-2591.html",
+ "http://www.securityfocus.com/bid/85392",
+ "http://www.securitytracker.com/id/1035399",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3119",
+ "https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99",
+ "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2016-3120",
 "PkgName": "krb5-libs",
@@ -7055,11 +7364,14 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "krb5: S4U2Self KDC crash when anon is restricted",
 "Description": "The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8458",
+ "http://linux.oracle.com/cve/CVE-2016-3120.html",
+ "http://linux.oracle.com/errata/ELSA-2016-2591.html",
 "http://lists.opensuse.org/opensuse-updates/2016-09/msg00035.html",
 "http://rhn.redhat.com/errata/RHSA-2016-2591.html",
 "http://web.mit.edu/kerberos/krb5-1.13/",
@@ -7073,51 +7385,22 @@ ] }, { - "VulnerabilityID": "CVE-2017-11368", + "VulnerabilityID": "CVE-2017-11462", "PkgName": "krb5-libs", "InstalledVersion": "1.10.3-65.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure", - "Description": "In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "krb5: Automatic sec context deletion could lead to double-free", + "Description": "Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.", + "Severity": "LOW", "References": [ - "http://www.securityfocus.com/bid/100291", - "https://access.redhat.com/errata/RHSA-2018:0666", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11368", - "https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HNWXM6OQU7G23MG7XWIOBRGP43ECLDT/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBUTXMNZWMVJLQ4NDX5OQFPUVCJRLV3W/" - ] - }, - { - "VulnerabilityID": "CVE-2018-5709", - "PkgName": "krb5-libs", - "InstalledVersion": "1.10.3-65.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "krb5: integer overflow in dbentry-\u003en_key_data in kadmin/dbutil/dump.c", - "Description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "Severity": "MEDIUM", - "References": [ - "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow" - ] - }, - { - "VulnerabilityID": "CVE-2018-5710", - "PkgName": "krb5-libs", - "InstalledVersion": "1.10.3-65.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "krb5: null pointer deference in strlen function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c", - "Description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function \"strlen\" is getting a \"NULL\" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5710", - "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service(DoS)" + "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598", + "https://bugzilla.redhat.com/show_bug.cgi?id=1488873", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11462", + "https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/" ] }, { 
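Review bot: The expected output for krb5-libs 1.10.3-65.el6 loses CVE-2017-11368, CVE-2018-5709 and CVE-2018-5710 (all previously MEDIUM) in this hunk, and the `@@ -7497,132 +7706,6 @@` and `@@ -7651,38 +7735,6 @@` hunks likewise drop CVE-2018-14618 (previously CRITICAL), CVE-2016-7167, CVE-2016-8618, CVE-2016-8619, CVE-2018-1000120 and CVE-2016-0755 for libcurl 7.19.7-53.el6_9, with nothing in the diff saying why. Most other deletions in this file are relocations rather than removals (CVE-2016-3119, CVE-2018-20217 and CVE-2016-5011 reappear with `"SeveritySource": "redhat"`, apparently re-sorted by severity then ID), but these IDs do not reappear in the visible hunks, and on that ordering CVE-2014-5351 and CVE-2011-1676 from the `@@ -7166,75 +7455,6 @@` and `@@ -7388,37 +7601,6 @@` hunks would also land in the visible region and do not. A golden file cannot distinguish "vendor marks this package not affected" from "lookup regression in the new data source", so I would state the reason for each dropped finding in the commit message and add an explicit assertion in the Go test that loads this fixture that at least the dropped CRITICAL/HIGH libcurl entries are expected to be absent. Since JSON has no comment syntax, that rationale has to live in the test driver or commit record rather than in this file.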
@@ -7127,10 +7410,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "krb5: null dereference in kadmind or DN container check bypass by supplying special crafted data", "Description": "MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-5729.html", + "http://linux.oracle.com/errata/ELSA-2018-3071.html", "http://www.securitytracker.com/id/1042071", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3071", @@ -7150,10 +7436,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "krb5: DN container check bypass by supplying special crafted data", "Description": "MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a \"linkdn\" and \"containerdn\" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-5730.html", + "http://linux.oracle.com/errata/ELSA-2018-3071.html", "http://www.securitytracker.com/id/1042071", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3071", 
@@ -7166,75 +7455,6 @@ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIFUL3CPM4S5TOXTTOCQ3CUZN6XCXUTR/" ] }, - { - "VulnerabilityID": "CVE-2014-5351", - "PkgName": "krb5-libs", - "InstalledVersion": "1.10.3-65.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "krb5: current keys returned when randomizing the keys for a service principal", - "Description": "The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.", - "Severity": "LOW", - "References": [ - "http://advisories.mageia.org/MGASA-2014-0477.html", - "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018", - "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html", - "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html", - "http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html", - "http://security.gentoo.org/glsa/glsa-201412-53.xml", - "http://www.mandriva.com/security/advisories?name=MDVSA-2014:224", - "http://www.securityfocus.com/bid/70380", - "http://www.securitytracker.com/id/1031003", - "http://www.ubuntu.com/usn/USN-2498-1", - "https://bugzilla.redhat.com/show_bug.cgi?id=1145425", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/97028", - "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca", - "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html" - ] - }, - { - "VulnerabilityID": "CVE-2016-3119", - "PkgName": "krb5-libs", - "InstalledVersion": "1.10.3-65.el6", - "Layer": { - "DiffID": 
"sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "krb5: null pointer dereference in kadmin", - "Description": "The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.", - "Severity": "LOW", - "References": [ - "http://lists.opensuse.org/opensuse-updates/2016-04/msg00007.html", - "http://lists.opensuse.org/opensuse-updates/2016-04/msg00055.html", - "http://rhn.redhat.com/errata/RHSA-2016-2591.html", - "http://www.securityfocus.com/bid/85392", - "http://www.securitytracker.com/id/1035399", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3119", - "https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99", - "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html" - ] - }, - { - "VulnerabilityID": "CVE-2018-20217", - "PkgName": "krb5-libs", - "InstalledVersion": "1.10.3-65.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "krb5: Reachable assertion in the KDC using S4U2Self requests", - "Description": "A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.", - "Severity": "LOW", - "References": [ - "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217", - "https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086", - "https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/", - "https://security.netapp.com/advisory/ntap-20190416-0006/" - ] - }, { "VulnerabilityID": "CVE-2014-9488", "PkgName": "less", @@ -7242,9 +7462,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "less: out of bounds read access in is_utf8_well_formed()", "Description": "The is_utf8_well_formed function in GNU less before 475 allows remote attackers to have unspecified impact via malformed UTF-8 characters, which triggers an out-of-bounds read.", - "Severity": "CRITICAL", + "Severity": "LOW", "References": [ "http://advisories.mageia.org/MGASA-2015-0139.html", "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159449.html", @@ -7261,9 +7482,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", 
@@ -7284,11 +7506,14 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 fuse: unprivileged user can unmount arbitrary locations via symlink attack", "Description": "FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333", + "http://linux.oracle.com/cve/CVE-2010-3879.html", + "http://linux.oracle.com/errata/ELSA-2011-1083.html", "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053792.html", "http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077247.html", "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html", 
@@ -7311,27 +7536,6 @@ "https://exchange.xforce.ibmcloud.com/vulnerabilities/62986" ] }, - { - "VulnerabilityID": "CVE-2016-5011", - "PkgName": "libblkid", - "InstalledVersion": "2.17.2-12.28.el6_9.2", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", - "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", - "Severity": "MEDIUM", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-2605.html", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", - "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", - "http://www.openwall.com/lists/oss-security/2016/07/11/2", - "http://www.securityfocus.com/bid/91683", - "http://www.securitytracker.com/id/1036272", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011", - "https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3" - ] - }, { "VulnerabilityID": "CVE-2011-0541", "PkgName": "libblkid", 
@@ -7339,11 +7543,14 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "CVE-2010-3879 CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 fuse: unprivileged user can unmount arbitrary locations via symlink attack", "Description": "fuse 2.8.5 and earlier does not properly handle when /etc/mtab cannot be updated, which allows local users to unmount arbitrary directories via a symlink attack.", "Severity": "LOW", "References": [ "http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f", + "http://linux.oracle.com/cve/CVE-2011-0541.html", + "http://linux.oracle.com/errata/ELSA-2011-1083.html", "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html", "http://www.openwall.com/lists/oss-security/2011/02/02/2", "http://www.openwall.com/lists/oss-security/2011/02/03/5", @@ -7358,11 +7565,14 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "CVE-2010-3879 CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 fuse: unprivileged user can unmount arbitrary locations via symlink attack", "Description": "fusermount in fuse 2.8.5 and earlier does not perform a chdir to / before performing a mount or umount, which allows local users to unmount arbitrary directories via unspecified vectors.", "Severity": "LOW", "References": [ "http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873", + "http://linux.oracle.com/cve/CVE-2011-0542.html", + "http://linux.oracle.com/errata/ELSA-2011-1083.html", "http://www.openwall.com/lists/oss-security/2011/02/02/2", "http://www.openwall.com/lists/oss-security/2011/02/03/5", "http://www.openwall.com/lists/oss-security/2011/02/08/4", 
@@ -7376,11 +7586,14 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "CVE-2010-3879 CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 fuse: unprivileged user can unmount arbitrary locations via symlink attack", "Description": "Certain legacy functionality in fusermount in fuse 2.8.5 and earlier, when util-linux does not support the --no-canonicalize option, allows local users to bypass intended access restrictions and unmount arbitrary directories via a symlink attack.", "Severity": "LOW", "References": [ "http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47", + "http://linux.oracle.com/cve/CVE-2011-0543.html", + "http://linux.oracle.com/errata/ELSA-2011-1083.html", "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html", "http://www.openwall.com/lists/oss-security/2011/02/02/2", "http://www.openwall.com/lists/oss-security/2011/02/03/5", 
@@ -7388,37 +7601,6 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0543" ] }, - { - "VulnerabilityID": "CVE-2011-1676", - "PkgName": "libblkid", - "InstalledVersion": "2.17.2-12.28.el6_9.2", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "util-linux: mount does not remove /etc/mtab.tmp after failed mount entry addition", - "Description": "mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations.", - "Severity": "LOW", - "References": [ - "http://openwall.com/lists/oss-security/2011/03/04/10", - "http://openwall.com/lists/oss-security/2011/03/04/11", - "http://openwall.com/lists/oss-security/2011/03/04/12", - "http://openwall.com/lists/oss-security/2011/03/04/9", - "http://openwall.com/lists/oss-security/2011/03/05/3", - "http://openwall.com/lists/oss-security/2011/03/05/7", - "http://openwall.com/lists/oss-security/2011/03/07/9", - "http://openwall.com/lists/oss-security/2011/03/14/16", - "http://openwall.com/lists/oss-security/2011/03/14/5", - "http://openwall.com/lists/oss-security/2011/03/14/7", - "http://openwall.com/lists/oss-security/2011/03/15/6", - "http://openwall.com/lists/oss-security/2011/03/22/4", - "http://openwall.com/lists/oss-security/2011/03/22/6", - "http://openwall.com/lists/oss-security/2011/03/31/3", - "http://openwall.com/lists/oss-security/2011/03/31/4", - "http://openwall.com/lists/oss-security/2011/04/01/2", - "https://bugzilla.redhat.com/show_bug.cgi?id=688980", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/66704" - ] - }, { "VulnerabilityID": "CVE-2015-5218", "PkgName": "libblkid", 
@@ -7426,6 +7608,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", @@ -7439,6 +7622,30 @@ "https://www.kernel.org/pub/linux/utils/util-linux/v2.27/v2.27-ReleaseNotes" ] }, + { + "VulnerabilityID": "CVE-2016-5011", + "PkgName": "libblkid", + "InstalledVersion": "2.17.2-12.28.el6_9.2", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", + "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-5011.html", + "http://linux.oracle.com/errata/ELSA-2016-2605.html", + "http://rhn.redhat.com/errata/RHSA-2016-2605.html", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", + "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", + "http://www.openwall.com/lists/oss-security/2016/07/11/2", + "http://www.securityfocus.com/bid/91683", + "http://www.securitytracker.com/id/1036272", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011", + "https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3" + ] + }, { "VulnerabilityID": "CVE-2015-0247", "PkgName": "libcom_err", 
@@ -7446,6 +7653,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check leading to heap buffer overflow (oCERT-015-002)", "Description": "Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image.", "Severity": "MEDIUM", @@ -7477,9 +7685,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "e2fsprogs: potential buffer overflow in closefs() (incomplete CVE-2015-0247 fix)", "Description": "Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://advisories.mageia.org/MGASA-2015-0088.html", "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/150606.html", 
@@ -7497,132 +7706,6 @@ "https://security.gentoo.org/glsa/201507-22" ] }, - { - "VulnerabilityID": "CVE-2018-14618", - "PkgName": "libcurl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: NTLM password overflow via integer overflow", - "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. 
(This bug is almost identical to CVE-2017-8816.)", - "Severity": "CRITICAL", - "References": [ - "http://www.securitytracker.com/id/1041605", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618", - "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", - "https://curl.haxx.se/docs/CVE-2018-14618.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014", - "https://security.gentoo.org/glsa/201903-03", - "https://usn.ubuntu.com/3765-1/", - "https://usn.ubuntu.com/3765-2/", - "https://www.debian.org/security/2018/dsa-4286" - ] - }, - { - "VulnerabilityID": "CVE-2016-7167", - "PkgName": "libcurl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: escape and unescape integer overflows", - "Description": "Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/92975", - "http://www.securitytracker.com/id/1036813", - "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2016\u0026m=slackware-security.538632", - "https://access.redhat.com/errata/RHSA-2017:2016", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/docs/adv_20160914.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167", - "https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B3IU2FRXQNU6UJIQT4NGLWWTP2GJQXO7/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTH54DFOS4TSYPG5XKJDGAG4XPAR4T7M/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMRWVISG7VUCYRMF23A2UHMYD72VQWAK/", - "https://security.gentoo.org/glsa/201701-47" - ] - }, - { - "VulnerabilityID": "CVE-2016-8618", - "PkgName": "libcurl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: Double-free in curl_maprintf", - "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94098", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", - "https://curl.haxx.se/docs/adv_20161102D.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8619", - "PkgName": "libcurl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: Double-free in krb5 code", - "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", - "Severity": "HIGH", - "References": [ - 
"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94100", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", - "https://curl.haxx.se/CVE-2016-8619.patch", - "https://curl.haxx.se/docs/adv_20161102E.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2018-1000120", - "PkgName": "libcurl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: FTP path trickery leads to NIL byte out of bounds write", - "Description": "A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/103414", - "http://www.securitytracker.com/id/1040531", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3157", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://access.redhat.com/errata/RHSA-2019:1543", - "https://curl.haxx.se/docs/adv_2018-9cd6.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120", - "https://lists.debian.org/debian-lts-announce/2018/03/msg00012.html", - "https://usn.ubuntu.com/3598-1/", - "https://usn.ubuntu.com/3598-2/", - "https://www.debian.org/security/2018/dsa-4136", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" - ] - }, { 
"VulnerabilityID": "CVE-2015-3153", "PkgName": "libcurl", @@ -7630,6 +7713,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: sensitive HTTP server headers also sent to proxies", "Description": "The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.", "Severity": "MEDIUM", 
@@ -7651,38 +7735,6 @@ "https://support.apple.com/kb/HT205031" ] }, - { - "VulnerabilityID": "CVE-2016-0755", - "PkgName": "libcurl", - "InstalledVersion": "7.19.7-53.el6_9", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "curl: NTLM credentials not-checked for proxy connection re-use", - "Description": "The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.", - "Severity": "MEDIUM", - "References": [ - "http://curl.haxx.se/docs/adv_20160127A.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176546.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177342.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177383.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176413.html", - "http://lists.opensuse.org/opensuse-updates/2016-02/msg00031.html", - "http://lists.opensuse.org/opensuse-updates/2016-02/msg00044.html", - "http://lists.opensuse.org/opensuse-updates/2016-02/msg00047.html", - "http://packetstormsecurity.com/files/135695/Slackware-Security-Advisory-curl-Updates.html", - "http://www.debian.org/security/2016/dsa-3455", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/82307", - "http://www.securitytracker.com/id/1034882", - "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2016\u0026m=slackware-security.519965", - "http://www.ubuntu.com/usn/USN-2882-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755", - "https://security.gentoo.org/glsa/201701-47", - "https://support.apple.com/HT207170" - ] - }, { 
"VulnerabilityID": "CVE-2016-5419", "PkgName": "libcurl", @@ -7690,10 +7742,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "curl: TLS session resumption client cert bypass", "Description": "curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5419.html", + "http://linux.oracle.com/errata/ELSA-2016-2575.html", "http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html", "http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html", "http://rhn.redhat.com/errata/RHSA-2016-2575.html", 
@@ -7716,6 +7771,253 @@
 "https://www.tenable.com/security/tns-2016-18"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2016-8615",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.19.7-53.el6_9",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: Cookie injection for other servers",
+ "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8615.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
+ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
+ "http://www.securityfocus.com/bid/94096",
+ "http://www.securitytracker.com/id/1037192",
+ "https://access.redhat.com/errata/RHSA-2018:2486",
+ "https://access.redhat.com/errata/RHSA-2018:3558",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615",
+ "https://curl.haxx.se/CVE-2016-8615.patch",
+ "https://curl.haxx.se/docs/adv_20161102A.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615",
+ "https://security.gentoo.org/glsa/201701-47",
+ "https://www.tenable.com/security/tns-2016-21"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-8617",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.19.7-53.el6_9",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: Out-of-bounds write via unchecked multiplication",
+ "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8617.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
+ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
+ "http://www.securityfocus.com/bid/94097",
+ "http://www.securitytracker.com/id/1037192",
+ "https://access.redhat.com/errata/RHSA-2018:2486",
+ "https://access.redhat.com/errata/RHSA-2018:3558",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617",
+ "https://curl.haxx.se/CVE-2016-8617.patch",
+ "https://curl.haxx.se/docs/adv_20161102C.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617",
+ "https://security.gentoo.org/glsa/201701-47",
+ "https://www.tenable.com/security/tns-2016-21"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-8618",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.19.7-53.el6_9",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: Double-free in curl_maprintf",
+ "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8618.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
+ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
+ "http://www.securityfocus.com/bid/94098",
+ "http://www.securitytracker.com/id/1037192",
+ "https://access.redhat.com/errata/RHSA-2018:2486",
+ "https://access.redhat.com/errata/RHSA-2018:3558",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618",
+ "https://curl.haxx.se/docs/adv_20161102D.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618",
+ "https://security.gentoo.org/glsa/201701-47",
+ "https://www.tenable.com/security/tns-2016-21"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-8619",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.19.7-53.el6_9",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: Double-free in krb5 code",
+ "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8619.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
+ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
+ "http://www.securityfocus.com/bid/94100",
+ "http://www.securitytracker.com/id/1037192",
+ "https://access.redhat.com/errata/RHSA-2018:2486",
+ "https://access.redhat.com/errata/RHSA-2018:3558",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619",
+ "https://curl.haxx.se/CVE-2016-8619.patch",
+ "https://curl.haxx.se/docs/adv_20161102E.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619",
+ "https://security.gentoo.org/glsa/201701-47",
+ "https://www.tenable.com/security/tns-2016-21"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-8624",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.19.7-53.el6_9",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: Invalid URL parsing with '#'",
+ "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8624.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
+ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
+ "http://www.securityfocus.com/bid/94103",
+ "http://www.securitytracker.com/id/1037192",
+ "https://access.redhat.com/errata/RHSA-2018:2486",
+ "https://access.redhat.com/errata/RHSA-2018:3558",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624",
+ "https://curl.haxx.se/docs/adv_20161102J.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624",
+ "https://security.gentoo.org/glsa/201701-47",
+ "https://www.tenable.com/security/tns-2016-21"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-8625",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.19.7-53.el6_9",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: IDNA 2003 makes curl use wrong host",
+ "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8625.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
+ "http://www.securityfocus.com/bid/94107",
+ "http://www.securitytracker.com/id/1037192",
+ "https://access.redhat.com/errata/RHSA-2018:2486",
+ "https://access.redhat.com/errata/RHSA-2018:3558",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625",
+ "https://curl.haxx.se/CVE-2016-8625.patch",
+ "https://curl.haxx.se/docs/adv_20161102K.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625",
+ "https://security.gentoo.org/glsa/201701-47",
+ "https://www.tenable.com/security/tns-2016-21"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-1000254",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.19.7-53.el6_9",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: FTP PWD response parser out of bounds read",
+ "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.debian.org/security/2017/dsa-3992",
+ "http://www.securityfocus.com/bid/101115",
+ "http://www.securitytracker.com/id/1039509",
+ "https://access.redhat.com/errata/RHSA-2018:2486",
+ "https://access.redhat.com/errata/RHSA-2018:3558",
+ "https://curl.haxx.se/673d0cd8.patch",
+ "https://curl.haxx.se/docs/adv_20171004.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254",
+ "https://security.gentoo.org/glsa/201712-04",
+ "https://support.apple.com/HT208331"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2018-1000120",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.19.7-53.el6_9",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: FTP path trickery leads to NIL byte out of bounds write",
+ "Description": "A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2018-1000120.html",
+ "http://linux.oracle.com/errata/ELSA-2018-3157.html",
+ "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
+ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
+ "http://www.securityfocus.com/bid/103414",
+ "http://www.securitytracker.com/id/1040531",
+ "https://access.redhat.com/errata/RHBA-2019:0327",
+ "https://access.redhat.com/errata/RHSA-2018:3157",
+ "https://access.redhat.com/errata/RHSA-2018:3558",
+ "https://access.redhat.com/errata/RHSA-2019:1543",
+ "https://curl.haxx.se/docs/adv_2018-9cd6.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120",
+ "https://lists.debian.org/debian-lts-announce/2018/03/msg00012.html",
+ "https://usn.ubuntu.com/3598-1/",
+ "https://usn.ubuntu.com/3598-2/",
+ "https://www.debian.org/security/2018/dsa-4136",
+ "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-0755",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.19.7-53.el6_9",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: NTLM credentials not-checked for proxy connection re-use",
+ "Description": "The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.",
+ "Severity": "LOW",
+ "References": [
+ "http://curl.haxx.se/docs/adv_20160127A.html",
+ "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176546.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177342.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177383.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176413.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-02/msg00031.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-02/msg00044.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-02/msg00047.html",
+ "http://packetstormsecurity.com/files/135695/Slackware-Security-Advisory-curl-Updates.html",
+ "http://www.debian.org/security/2016/dsa-3455",
+ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
+ "http://www.securityfocus.com/bid/82307",
+ "http://www.securitytracker.com/id/1034882",
+ "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2016\u0026m=slackware-security.519965",
+ "http://www.ubuntu.com/usn/USN-2882-1",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755",
+ "https://security.gentoo.org/glsa/201701-47",
+ "https://support.apple.com/HT207170"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2016-5420",
 "PkgName": "libcurl",
@@ -7723,10 +8025,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: Re-using connection with wrong client cert",
 "Description": "curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-5420.html",
+ "http://linux.oracle.com/errata/ELSA-2016-2575.html",
 "http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html",
 "http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html",
 "http://rhn.redhat.com/errata/RHSA-2016-2575.html",
@@ -7755,10 +8060,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: Incorrect reuse of client certificates",
 "Description": "curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-7141.html",
+ "http://linux.oracle.com/errata/ELSA-2016-2575.html",
 "http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html",
 "http://rhn.redhat.com/errata/RHSA-2016-2575.html",
 "http://rhn.redhat.com/errata/RHSA-2016-2957.html",
@@ -7775,27 +8083,33 @@
 ]
 },
 {
- "VulnerabilityID": "CVE-2016-8615",
+ "VulnerabilityID": "CVE-2016-7167",
 "PkgName": "libcurl",
 "InstalledVersion": "7.19.7-53.el6_9",
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
- "Title": "curl: Cookie injection for other servers",
- "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.",
- "Severity": "MEDIUM",
+ "SeveritySource": "redhat",
+ "Title": "curl: escape and unescape integer overflows",
+ "Description": "Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-7167.html",
+ "http://linux.oracle.com/errata/ELSA-2017-2016.html",
 "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
- "http://www.securityfocus.com/bid/94096",
- "http://www.securitytracker.com/id/1037192",
+ "http://www.securityfocus.com/bid/92975",
+ "http://www.securitytracker.com/id/1036813",
+ "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2016\u0026m=slackware-security.538632",
+ "https://access.redhat.com/errata/RHSA-2017:2016",
 "https://access.redhat.com/errata/RHSA-2018:2486",
 "https://access.redhat.com/errata/RHSA-2018:3558",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615",
- "https://curl.haxx.se/CVE-2016-8615.patch",
- "https://curl.haxx.se/docs/adv_20161102A.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615",
- "https://security.gentoo.org/glsa/201701-47",
- "https://www.tenable.com/security/tns-2016-21"
+ "https://curl.haxx.se/docs/adv_20160914.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167",
+ "https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B3IU2FRXQNU6UJIQT4NGLWWTP2GJQXO7/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTH54DFOS4TSYPG5XKJDGAG4XPAR4T7M/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMRWVISG7VUCYRMF23A2UHMYD72VQWAK/",
+ "https://security.gentoo.org/glsa/201701-47"
 ]
 },
 {
@@ -7805,10 +8119,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: Case insensitive password comparison",
 "Description": "A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8616.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
 "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
 "http://www.securityfocus.com/bid/94094",
 "http://www.securitytracker.com/id/1037192",
@@ -7822,30 +8139,6 @@
 "https://www.tenable.com/security/tns-2016-21"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-8617",
- "PkgName": "libcurl",
- "InstalledVersion": "7.19.7-53.el6_9",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "curl: Out-of-bounds write via unchecked multiplication",
- "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
- "http://www.securityfocus.com/bid/94097",
- "http://www.securitytracker.com/id/1037192",
- "https://access.redhat.com/errata/RHSA-2018:2486",
- "https://access.redhat.com/errata/RHSA-2018:3558",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617",
- "https://curl.haxx.se/CVE-2016-8617.patch",
- "https://curl.haxx.se/docs/adv_20161102C.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617",
- "https://security.gentoo.org/glsa/201701-47",
- "https://www.tenable.com/security/tns-2016-21"
- ]
- },
 {
 "VulnerabilityID": "CVE-2016-8621",
 "PkgName": "libcurl",
@@ -7853,10 +8146,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: curl_getdate out-of-bounds read",
 "Description": "The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8621.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
 "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
 "http://www.securityfocus.com/bid/94101",
 "http://www.securitytracker.com/id/1037192",
@@ -7877,10 +8173,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: Use-after-free via shared cookies",
 "Description": "A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8623.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
 "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
 "http://www.securityfocus.com/bid/94106",
 "http://www.securitytracker.com/id/1037192",
@@ -7894,52 +8193,6 @@
 "https://www.tenable.com/security/tns-2016-21"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-8624",
- "PkgName": "libcurl",
- "InstalledVersion": "7.19.7-53.el6_9",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "curl: Invalid URL parsing with '#'",
- "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
- "http://www.securityfocus.com/bid/94103",
- "http://www.securitytracker.com/id/1037192",
- "https://access.redhat.com/errata/RHSA-2018:2486",
- "https://access.redhat.com/errata/RHSA-2018:3558",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624",
- "https://curl.haxx.se/docs/adv_20161102J.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624",
- "https://security.gentoo.org/glsa/201701-47",
- "https://www.tenable.com/security/tns-2016-21"
- ]
- },
- {
- "VulnerabilityID": "CVE-2016-8625",
- "PkgName": "libcurl",
- "InstalledVersion": "7.19.7-53.el6_9",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "curl: IDNA 2003 makes curl use wrong host",
- "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.securityfocus.com/bid/94107",
- "http://www.securitytracker.com/id/1037192",
- "https://access.redhat.com/errata/RHSA-2018:2486",
- "https://access.redhat.com/errata/RHSA-2018:3558",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625",
- "https://curl.haxx.se/CVE-2016-8625.patch",
- "https://curl.haxx.se/docs/adv_20161102K.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625",
- "https://security.gentoo.org/glsa/201701-47",
- "https://www.tenable.com/security/tns-2016-21"
- ]
- },
 {
 "VulnerabilityID": "CVE-2016-9586",
 "PkgName": "libcurl",
@@ -7947,9 +8200,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: printf floating point buffer overflow",
 "Description": "curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
 "http://www.securityfocus.com/bid/95019",
@@ -7970,9 +8224,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: TFTP sends more than buffer size",
 "Description": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.debian.org/security/2017/dsa-3992",
 "http://www.securityfocus.com/bid/100286",
@@ -7985,26 +8240,50 @@
 ]
 },
 {
- "VulnerabilityID": "CVE-2017-1000254",
+ "VulnerabilityID": "CVE-2017-7407",
 "PkgName": "libcurl",
 "InstalledVersion": "7.19.7-53.el6_9",
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
- "Title": "curl: FTP PWD response parser out of bounds read",
- "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.",
- "Severity": "MEDIUM",
+ "SeveritySource": "redhat",
+ "Title": "curl: --write-out out of bounds read",
+ "Description": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.",
+ "Severity": "LOW",
 "References": [
- "http://www.debian.org/security/2017/dsa-3992",
- "http://www.securityfocus.com/bid/101115",
- "http://www.securitytracker.com/id/1039509",
- "https://access.redhat.com/errata/RHSA-2018:2486",
+ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
 "https://access.redhat.com/errata/RHSA-2018:3558",
- "https://curl.haxx.se/673d0cd8.patch",
- "https://curl.haxx.se/docs/adv_20171004.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254",
- "https://security.gentoo.org/glsa/201712-04",
- "https://support.apple.com/HT208331"
+ "https://curl.haxx.se/docs/adv_20170403.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407",
+ "https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13",
+ "https://security.gentoo.org/glsa/201709-14"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2018-14618",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.19.7-53.el6_9",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: NTLM password overflow via integer overflow",
+ "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
+ "Severity": "LOW",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2018-14618.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1880.html",
+ "http://www.securitytracker.com/id/1041605",
+ "https://access.redhat.com/errata/RHSA-2018:3558",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618",
+ "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf",
+ "https://curl.haxx.se/docs/CVE-2018-14618.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618",
+ "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014",
+ "https://security.gentoo.org/glsa/201903-03",
+ "https://usn.ubuntu.com/3765-1/",
+ "https://usn.ubuntu.com/3765-2/",
+ "https://www.debian.org/security/2018/dsa-4286"
 ]
 },
 {
@@ -8014,10 +8293,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting",
 "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16842.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2181.html",
 "http://www.securitytracker.com/id/1042014",
 "https://access.redhat.com/errata/RHSA-2019:2181",
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842",
@@ -8038,9 +8320,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function",
 "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html",
@@ -8051,22 +8334,22 @@ ] }, { - "VulnerabilityID": "CVE-2017-7407", - "PkgName": "libcurl", - "InstalledVersion": "7.19.7-53.el6_9", + "VulnerabilityID": "CVE-2002-2439", + "PkgName": "libgcc", + "InstalledVersion": "4.4.7-23.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "curl: --write-out out of bounds read", - "Description": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "gcc: Integer overflow can occur during the computation of the memory region size for new[] operator", + "Description": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.", + "Severity": "MEDIUM", "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/docs/adv_20170403.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407", - "https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13", - "https://security.gentoo.org/glsa/201709-14" + "https://access.redhat.com/security/cve/cve-2002-2439", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2002-2439", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2439", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351", + "https://security-tracker.debian.org/tracker/CVE-2002-2439" ] }, { 
@@ -8076,9 +8359,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: integer overflow flaws in libgfortran", "Description": "Multiple integer overflows in libgfortran might allow remote attackers to execute arbitrary code or cause a denial of service (Fortran application crash) via vectors related to array allocation.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2014/07/24/1", "http://www.openwall.com/lists/oss-security/2014/07/31/6", @@ -8095,9 +8379,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gc: Integer overflow in GC_MALLOC_ATOMIC", "Description": "Integer overflow vulnerability in bdwgc before 2016-09-27 allows attackers to cause client of bdwgc denial of service (heap buffer overflow crash) and possibly execute arbitrary code via huge allocation.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-updates/2016-12/msg00089.html", "http://lists.opensuse.org/opensuse-updates/2016-12/msg00115.html", 
@@ -8107,6 +8392,22 @@ "https://github.com/ivmai/bdwgc/issues/135" ] }, + { + "VulnerabilityID": "CVE-2018-20673", + "PkgName": "libgcc", + "InstalledVersion": "4.4.7-23.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libiberty: Integer overflow in demangle_template() function", + "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/106454", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" + ] + }, { "VulnerabilityID": "CVE-2015-5276", "PkgName": "libgcc", @@ -8114,9 +8415,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Predictable randomness from std::random_device", "Description": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2015-11/msg00054.html", "http://lists.opensuse.org/opensuse-updates/2016-04/msg00052.html", 
@@ -8132,9 +8434,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Exploitable buffer overflow", "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90103", @@ -8150,9 +8453,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array btypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", @@ -8167,9 +8471,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", 
@@ -8184,9 +8489,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to integer overflow", "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90017", @@ -8201,9 +8507,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Write access violation", "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90019", @@ -8218,9 +8525,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90016", 
@@ -8236,9 +8544,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", @@ -8254,9 +8563,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", 
@@ -8265,25 +8575,6 @@ "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" ] }, - { - "VulnerabilityID": "CVE-2016-6131", - "PkgName": "libgcc", - "InstalledVersion": "4.4.7-23.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler", - "Description": "The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/06/30/4", - "http://www.openwall.com/lists/oss-security/2016/06/30/7", - "http://www.securityfocus.com/bid/91519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696", - "https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html" - ] - }, { "VulnerabilityID": "CVE-2018-20657", "PkgName": "libgcc", 
@@ -8291,42 +8582,36 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20657.html", + "http://linux.oracle.com/errata/ELSA-2019-3352.html", "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", "https://support.f5.com/csp/article/K62602089" ] }, { - "VulnerabilityID": "CVE-2018-20673", - "PkgName": "libgcc", - "InstalledVersion": "4.4.7-23.el6", + "VulnerabilityID": "CVE-2014-5270", + "PkgName": "libgcrypt", + "InstalledVersion": "1.4.5-12.el6_8", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "libiberty: Integer overflow in demangle_template() function", - "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", + "SeveritySource": "redhat", + "Title": "libgcrypt: ELGAMAL side-channel attack", + "Description": "Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different 
vector than CVE-2013-4576.", "Severity": "MEDIUM", "References": [ - "http://www.securityfocus.com/bid/106454", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" - ] - }, - { - "VulnerabilityID": "CVE-2002-2439", - "PkgName": "libgcc", - "InstalledVersion": "4.4.7-23.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "gcc: Integer overflow can occur during the computation of the memory region size for new[] operator", - "Description": "No description is available for this CVE.", - "Severity": "LOW", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2439" + "http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html", + "http://openwall.com/lists/oss-security/2014/08/16/2", + "http://www.cs.tau.ac.il/~tromer/handsoff/", + "http://www.debian.org/security/2014/dsa-3024", + "http://www.debian.org/security/2014/dsa-3073" ] }, { @@ -8336,6 +8621,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libgcrypt: Use of left-to-right sliding window method allows full RSA key recovery", "Description": "libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.", "Severity": "MEDIUM", 
@@ -8362,6 +8648,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack", "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)", "Severity": "MEDIUM", 
@@ -8380,26 +8667,16 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)", - "Description": "No description is available for this CVE.", - "Severity": "LOW" - }, - { - "VulnerabilityID": "CVE-2014-5270", - "PkgName": "libgcrypt", - "InstalledVersion": "1.4.5-12.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libgcrypt: ELGAMAL side-channel attack", - "Description": "Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.", + "Description": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.", "Severity": "LOW", "References": [ - "http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html", - "http://openwall.com/lists/oss-security/2014/08/16/2", - "http://www.cs.tau.ac.il/~tromer/handsoff/", - "http://www.debian.org/security/2014/dsa-3024", - "http://www.debian.org/security/2014/dsa-3073" + "http://www.cs.tau.ac.il/~tromer/radioexp/", + "http://www.debian.org/security/2015/dsa-3184", + "http://www.debian.org/security/2015/dsa-3185", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html" ] }, { 
@@ -8409,11 +8686,17 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libgcrypt: last-level cache side-channel attack", - "Description": "No description is available for this CVE.", + "Description": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"", "Severity": "LOW", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837" + "http://www.debian.org/security/2015/dsa-3184", + "http://www.debian.org/security/2015/dsa-3185", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837", + "https://ieeexplore.ieee.org/document/7163050", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html" ] }, { @@ -8423,9 +8706,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libidn: out-of-bounds read with stringprep on invalid UTF-8", "Description": "The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c279", "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162537.html", 
@@ -8440,24 +8724,6 @@ "https://github.com/jabberd2/jabberd2/issues/85" ] }, - { - "VulnerabilityID": "CVE-2017-14062", - "PkgName": "libidn", - "InstalledVersion": "1.18-2.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libidn2: Integer overflow in puny_decode.c/decode_digit", - "Description": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.", - "Severity": "HIGH", - "References": [ - "http://www.debian.org/security/2017/dsa-3988", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062", - "https://gitlab.com/libidn/libidn2/blob/master/NEWS", - "https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd", - "https://lists.debian.org/debian-lts-announce/2018/07/msg00040.html" - ] - }, { "VulnerabilityID": "CVE-2015-8948", "PkgName": "libidn", @@ -8465,9 +8731,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libidn: Out-of-bounds read due to use of fgets with fixed-size buffer", "Description": "idn in GNU libidn before 1.33 might allow remote attackers to obtain sensitive memory information by reading a zero byte as input, which triggers an out-of-bounds read.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=570e68886c41c2e765e6218cb317d9a9a447a041", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00005.html", 
@@ -8488,9 +8755,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libidn: Out of bounds stack read in idna_to_ascii_4i", "Description": "The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via 64 bytes of input.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00098.html", @@ -8511,9 +8779,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libidn: Out-of-bounds read when reading zero byte as input", "Description": "idn in libidn before 1.33 might allow remote attackers to obtain sensitive memory information by reading a zero byte as input, which triggers an out-of-bounds read, a different vulnerability than CVE-2015-8948.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=5e3cb9c7b5bf0ce665b9d68f5ddf095af5c9ba60", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00005.html", @@ -8532,9 +8801,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libidn: Crash when given invalid UTF-8 data on input", "Description": "The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted UTF-8 data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1fbee57ef3c72db2206dd87e4162108b2f425555", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00005.html", 
@@ -8548,6 +8818,25 @@ "https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html" ] }, + { + "VulnerabilityID": "CVE-2017-14062", + "PkgName": "libidn", + "InstalledVersion": "1.18-2.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libidn2: Integer overflow in puny_decode.c/decode_digit", + "Description": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.", + "Severity": "LOW", + "References": [ + "http://www.debian.org/security/2017/dsa-3988", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062", + "https://gitlab.com/libidn/libidn2/blob/master/NEWS", + "https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd", + "https://lists.debian.org/debian-lts-announce/2018/07/msg00040.html" + ] + }, { "VulnerabilityID": "CVE-2019-3855", "PkgName": "libssh2", 
@@ -8556,10 +8845,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libssh2: Integer overflow in transport read resulting in out of bounds write", "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", - "Severity": "CRITICAL", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3855.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", 
@@ -8580,27 +8872,6 @@ "https://www.libssh2.org/CVE-2019-3855.html" ] }, - { - "VulnerabilityID": "CVE-2015-1782", - "PkgName": "libssh2", - "InstalledVersion": "1.4.2-2.el6_7.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libssh2: Using SSH_MSG_KEXINIT data unbounded", - "Description": "The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.", - "Severity": "MEDIUM", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151943.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152362.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153933.html", - "http://www.debian.org/security/2015/dsa-3182", - "http://www.libssh2.org/adv_20150311.html", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:148", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", - "http://www.securityfocus.com/bid/73061" - ] - }, { "VulnerabilityID": "CVE-2019-3856", "PkgName": "libssh2", 
@@ -8609,10 +8880,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write", "Description": "An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3856.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://access.redhat.com/errata/RHSA-2019:0679", @@ -8635,10 +8909,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write", "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3857.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://access.redhat.com/errata/RHSA-2019:0679", 
@@ -8653,6 +8930,35 @@ "https://www.libssh2.org/CVE-2019-3857.html" ] }, + { + "VulnerabilityID": "CVE-2019-3863", + "PkgName": "libssh2", + "InstalledVersion": "1.4.2-2.el6_7.1", + "FixedVersion": "1.4.2-3.el6_10.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes", + "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3863.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", + "https://access.redhat.com/errata/RHSA-2019:0679", + "https://access.redhat.com/errata/RHSA-2019:1175", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", + "https://seclists.org/bugtraq/2019/Apr/25", + "https://security.netapp.com/advisory/ntap-20190327-0005/", + "https://www.debian.org/security/2019/dsa-4431", + "https://www.libssh2.org/CVE-2019-3863.html" + ] + }, { "VulnerabilityID": "CVE-2019-3858", "PkgName": "libssh2", 
@@ -8660,10 +8966,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3858.html", + "http://linux.oracle.com/errata/ELSA-2019-2136.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", @@ -8689,6 +8998,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", 
@@ -8722,6 +9032,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libssh2: Out-of-bounds reads with specially crafted SFTP packets", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", @@ -8745,10 +9056,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libssh2: Out-of-bounds reads with specially crafted SSH packets", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3861.html", + "http://linux.oracle.com/errata/ELSA-2019-2136.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3861", 
@@ -8768,10 +9082,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3862.html", + "http://linux.oracle.com/errata/ELSA-2019-4693.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", 
@@ -8791,29 +9108,46 @@
 ]
 },
 {
- "VulnerabilityID": "CVE-2019-3863",
+ "VulnerabilityID": "CVE-2015-1782",
 "PkgName": "libssh2",
 "InstalledVersion": "1.4.2-2.el6_7.1",
- "FixedVersion": "1.4.2-3.el6_10.1",
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
- "Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes",
- "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.",
+ "SeveritySource": "redhat",
+ "Title": "libssh2: Using SSH_MSG_KEXINIT data unbounded",
+ "Description": "The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.",
+ "Severity": "LOW",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2015-1782.html",
+ "http://linux.oracle.com/errata/ELSA-2015-2140.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151943.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152362.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153933.html",
+ "http://www.debian.org/security/2015/dsa-3182",
+ "http://www.libssh2.org/adv_20150311.html",
+ "http://www.mandriva.com/security/advisories?name=MDVSA-2015:148",
+ "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
+ "http://www.securityfocus.com/bid/73061"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2002-2439",
+ "PkgName": "libstdc++",
+ "InstalledVersion": "4.4.7-23.el6",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "gcc: Integer overflow can occur during the computation of the memory region size for new[] operator",
+ "Description": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
 "Severity": "MEDIUM",
 "References": [
- "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
- "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
- "https://access.redhat.com/errata/RHSA-2019:0679",
- "https://access.redhat.com/errata/RHSA-2019:1175",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863",
- "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
- "https://seclists.org/bugtraq/2019/Apr/25",
- "https://security.netapp.com/advisory/ntap-20190327-0005/",
- "https://www.debian.org/security/2019/dsa-4431",
- "https://www.libssh2.org/CVE-2019-3863.html"
+ "https://access.redhat.com/security/cve/cve-2002-2439",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2002-2439",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2439",
+ "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351",
+ "https://security-tracker.debian.org/tracker/CVE-2002-2439"
 ]
 },
 {
@@ -8823,9 +9157,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gcc: integer overflow flaws in libgfortran",
 "Description": "Multiple integer overflows in libgfortran might allow remote attackers to execute arbitrary code or cause a denial of service (Fortran application crash) via vectors related to array allocation.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "http://www.openwall.com/lists/oss-security/2014/07/24/1",
 "http://www.openwall.com/lists/oss-security/2014/07/31/6",
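Review bot: The expected libssh2 findings lose CVE-2019-3863 here — the only entry in this stretch that carried a `"FixedVersion": "1.4.2-3.el6_10.1"`, i.e. a fixable finding — and nothing in the hunk records whether it was dropped on purpose (for example because the advisory feed now selected via `"SeveritySource": "redhat"` does not list it for this package) or merely moved elsewhere in the file. The same question applies to CVE-2016-6131 (hunk `@@ -9012,25 +9373,6 @@`) and CVE-2011-1676 (`@@ -9380,37 +9710,6 @@`), which are removed with no replacement in view, whereas CVE-2016-5011 is removed at `@@ -9303,27 +9645,6 @@` and re-added further down as `"LOW"`. Because this is a golden file, a finding that silently disappears from the expected output would also mask a detection regression, so the reason for each dropped entry belongs in the commit message or in a comment on the test that consumes this fixture. It is also worth stating there that severities in this fixture now reflect the vendor rating rather than NVD (for instance CVE-2015-2806 goes from `"CRITICAL"` to `"LOW"` at `@@ -9178,6 +9452,39 @@`), since anyone filtering results by severity will see fewer findings for this el6 image after the change.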
@@ -8842,9 +9177,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gc: Integer overflow in GC_MALLOC_ATOMIC",
 "Description": "Integer overflow vulnerability in bdwgc before 2016-09-27 allows attackers to cause client of bdwgc denial of service (heap buffer overflow crash) and possibly execute arbitrary code via huge allocation.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "http://lists.opensuse.org/opensuse-updates/2016-12/msg00089.html",
 "http://lists.opensuse.org/opensuse-updates/2016-12/msg00115.html",
@@ -8854,6 +9190,22 @@
 "https://github.com/ivmai/bdwgc/issues/135"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2018-20673",
+ "PkgName": "libstdc++",
+ "InstalledVersion": "4.4.7-23.el6",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libiberty: Integer overflow in demangle_template() function",
+ "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.securityfocus.com/bid/106454",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=24039"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2015-5276",
 "PkgName": "libstdc++",
@@ -8861,9 +9213,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gcc: Predictable randomness from std::random_device",
 "Description": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://lists.opensuse.org/opensuse-updates/2015-11/msg00054.html",
 "http://lists.opensuse.org/opensuse-updates/2016-04/msg00052.html",
@@ -8879,9 +9232,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gcc: Exploitable buffer overflow",
 "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.openwall.com/lists/oss-security/2016/05/05/5",
 "http://www.securityfocus.com/bid/90103",
@@ -8897,9 +9251,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gcc: Invalid write due to a use-after-free to array btypevec",
 "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.openwall.com/lists/oss-security/2016/05/05/5",
 "http://www.securityfocus.com/bid/90025",
@@ -8914,9 +9269,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gcc: Invalid write due to a use-after-free to array ktypevec",
 "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.openwall.com/lists/oss-security/2016/05/05/5",
 "http://www.securityfocus.com/bid/90025",
@@ -8931,9 +9287,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gcc: Invalid write due to integer overflow",
 "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.openwall.com/lists/oss-security/2016/05/05/5",
 "http://www.securityfocus.com/bid/90017",
@@ -8948,9 +9305,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gcc: Write access violation",
 "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.openwall.com/lists/oss-security/2016/05/05/5",
 "http://www.securityfocus.com/bid/90019",
@@ -8965,9 +9323,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp",
 "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.openwall.com/lists/oss-security/2016/05/05/5",
 "http://www.securityfocus.com/bid/90016",
@@ -8983,9 +9342,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gcc: Read access violations",
 "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.openwall.com/lists/oss-security/2016/05/05/5",
 "http://www.securityfocus.com/bid/90014",
@@ -9001,9 +9361,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "gcc: Read access violations",
 "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.openwall.com/lists/oss-security/2016/05/05/5",
 "http://www.securityfocus.com/bid/90014",
@@ -9012,25 +9373,6 @@
 "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-6131",
- "PkgName": "libstdc++",
- "InstalledVersion": "4.4.7-23.el6",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler",
- "Description": "The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.openwall.com/lists/oss-security/2016/06/30/4",
- "http://www.openwall.com/lists/oss-security/2016/06/30/7",
- "http://www.securityfocus.com/bid/91519",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131",
- "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696",
- "https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html"
- ]
- },
 {
 "VulnerabilityID": "CVE-2018-20657",
 "PkgName": "libstdc++",
@@ -9038,89 +9380,17 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service",
 "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.securityfocus.com/bid/106444",
- "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539",
- "https://support.f5.com/csp/article/K62602089"
- ]
- },
- {
- "VulnerabilityID": "CVE-2018-20673",
- "PkgName": "libstdc++",
- "InstalledVersion": "4.4.7-23.el6",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "libiberty: Integer overflow in demangle_template() function",
- "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.securityfocus.com/bid/106454",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=24039"
- ]
- },
- {
- "VulnerabilityID": "CVE-2002-2439",
- "PkgName": "libstdc++",
- "InstalledVersion": "4.4.7-23.el6",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "gcc: Integer overflow can occur during the computation of the memory region size for new[] operator",
- "Description": "No description is available for this CVE.",
 "Severity": "LOW",
 "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2439"
- ]
- },
- {
- "VulnerabilityID": "CVE-2015-2806",
- "PkgName": "libtasn1",
- "InstalledVersion": "2.3-6.el6_5",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "libtasn1: stack overflow in asn1_der_decoding",
- "Description": "Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.",
- "Severity": "CRITICAL",
- "References": [
- "http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=4d4f992826a4962790ecd0cce6fbba4a415ce149",
- "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154741.html",
- "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154805.html",
- "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155117.html",
- "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155270.html",
- "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155435.html",
- "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155483.html",
- "http://www.debian.org/security/2015/dsa-3220",
- "http://www.mandriva.com/security/advisories?name=MDVSA-2015:193",
- "http://www.openwall.com/lists/oss-security/2015/03/29/4",
- "http://www.openwall.com/lists/oss-security/2015/03/31/2",
- "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
- "http://www.securityfocus.com/bid/73436",
- "http://www.securitytracker.com/id/1032080",
- "http://www.ubuntu.com/usn/USN-2559-1",
- "https://access.redhat.com/errata/RHSA-2017:1860",
- "https://security.gentoo.org/glsa/201509-04"
- ]
- },
- {
- "VulnerabilityID": "CVE-2018-1000654",
- "PkgName": "libtasn1",
- "InstalledVersion": "2.3-6.el6_5",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion",
- "Description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.",
- "Severity": "HIGH",
- "References": [
- "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.html",
- "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html",
- "http://www.securityfocus.com/bid/105151",
- "https://gitlab.com/gnutls/libtasn1/issues/4"
+ "http://linux.oracle.com/cve/CVE-2018-20657.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3352.html",
+ "http://www.securityfocus.com/bid/106444",
+ "https://access.redhat.com/errata/RHSA-2019:3352",
+ "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539",
+ "https://support.f5.com/csp/article/K62602089"
 ]
 },
 {
@@ -9130,10 +9400,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "libtasn1: heap overflow flaw in _asn1_extract_der_octet()",
 "Description": "The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.5 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted certificate.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2015-3622.html",
+ "http://linux.oracle.com/errata/ELSA-2017-1860.html",
 "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158225.html",
 "http://lists.opensuse.org/opensuse-updates/2015-08/msg00014.html",
 "http://lists.opensuse.org/opensuse-updates/2016-06/msg00047.html",
@@ -9158,6 +9431,7 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "libtasn1: infinite loop while parsing DER certificates",
 "Description": "The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.",
 "Severity": "MEDIUM",
@@ -9178,6 +9452,39 @@
 "https://security.gentoo.org/glsa/201703-05"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2015-2806",
+ "PkgName": "libtasn1",
+ "InstalledVersion": "2.3-6.el6_5",
+ "Layer": {
+ "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libtasn1: stack overflow in asn1_der_decoding",
+ "Description": "Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.",
+ "Severity": "LOW",
+ "References": [
+ "http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=4d4f992826a4962790ecd0cce6fbba4a415ce149",
+ "http://linux.oracle.com/cve/CVE-2015-2806.html",
+ "http://linux.oracle.com/errata/ELSA-2017-1860.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154741.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154805.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155117.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155270.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155435.html",
+ "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155483.html",
+ "http://www.debian.org/security/2015/dsa-3220",
+ "http://www.mandriva.com/security/advisories?name=MDVSA-2015:193",
+ "http://www.openwall.com/lists/oss-security/2015/03/29/4",
+ "http://www.openwall.com/lists/oss-security/2015/03/31/2",
+ "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html",
+ "http://www.securityfocus.com/bid/73436",
+ "http://www.securitytracker.com/id/1032080",
+ "http://www.ubuntu.com/usn/USN-2559-1",
+ "https://access.redhat.com/errata/RHSA-2017:1860",
+ "https://security.gentoo.org/glsa/201509-04"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2017-10790",
 "PkgName": "libtasn1",
@@ -9185,9 +9492,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "libtasn1: NULL pointer dereference in the _asn1_check_identifier function",
 "Description": "The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "https://bugzilla.redhat.com/show_bug.cgi?id=1464141",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790",
@@ -9203,9 +9511,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "libtasn1: Stack-based buffer overflow in asn1_find_node()",
 "Description": "Two errors in the \"asn1_find_node()\" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=5520704d075802df25ce4ffccc010ba1641bd484",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html",
@@ -9219,17 +9528,21 @@
 ]
 },
 {
- "VulnerabilityID": "CVE-2012-5644",
- "PkgName": "libuser",
- "InstalledVersion": "0.56.13-8.el6_7",
+ "VulnerabilityID": "CVE-2018-1000654",
+ "PkgName": "libtasn1",
+ "InstalledVersion": "2.3-6.el6_5",
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
- "Title": "libuser: (Complete) Information disclosure when moving user's home directory",
- "Description": "No description is available for this CVE.",
- "Severity": "MEDIUM",
+ "SeveritySource": "redhat",
+ "Title": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion",
+ "Description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.",
+ "Severity": "LOW",
 "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5644"
+ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html",
+ "http://www.securityfocus.com/bid/105151",
+ "https://gitlab.com/gnutls/libtasn1/issues/4"
 ]
 },
 {
@@ -9239,11 +9552,36 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libuser: TOCTOU race conditions by copying and removing directory trees", - "Description": "No description is available for this CVE.", + "Description": "libuser 0.56 and 0.57 has a TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees.", "Severity": "LOW", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5630" + "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102068.html", + "https://access.redhat.com/security/cve/cve-2012-5630", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5630", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5630", + "https://security-tracker.debian.org/tracker/CVE-2012-5630", + "https://www.securityfocus.com/bid/59285" + ] + }, + { + "VulnerabilityID": "CVE-2012-5644", + "PkgName": "libuser", + "InstalledVersion": "0.56.13-8.el6_7", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libuser: (Complete) Information disclosure when moving user's home directory", + "Description": "libuser has information disclosure when moving user's home directory", + "Severity": "LOW", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102068.html", + "https://access.redhat.com/security/cve/cve-2012-5644", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5644", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5644", + "https://security-tracker.debian.org/tracker/CVE-2012-5644" ] }, { 
@@ -9253,9 +9591,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "util-linux: command injection flaw in blkid",
 "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html",
 "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html",
@@ -9276,11 +9615,14 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 fuse: unprivileged user can unmount arbitrary locations via symlink attack",
 "Description": "FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602333",
+ "http://linux.oracle.com/cve/CVE-2010-3879.html",
+ "http://linux.oracle.com/errata/ELSA-2011-1083.html",
 "http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053792.html",
 "http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077247.html",
 "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html",
@@ -9303,27 +9645,6 @@
 "https://exchange.xforce.ibmcloud.com/vulnerabilities/62986"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-5011",
- "PkgName": "libuuid",
- "InstalledVersion": "2.17.2-12.28.el6_9.2",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS",
- "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.",
- "Severity": "MEDIUM",
- "References": [
- "http://rhn.redhat.com/errata/RHSA-2016-2605.html",
- "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543",
- "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801",
- "http://www.openwall.com/lists/oss-security/2016/07/11/2",
- "http://www.securityfocus.com/bid/91683",
- "http://www.securitytracker.com/id/1036272",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011",
- "https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3"
- ]
- },
 {
 "VulnerabilityID": "CVE-2011-0541",
 "PkgName": "libuuid",
@@ -9331,11 +9652,14 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "CVE-2010-3879 CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 fuse: unprivileged user can unmount arbitrary locations via symlink attack",
 "Description": "fuse 2.8.5 and earlier does not properly handle when /etc/mtab cannot be updated, which allows local users to unmount arbitrary directories via a symlink attack.",
 "Severity": "LOW",
 "References": [
 "http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=bf5ffb5fd8558bd799791834def431c0cee5a11f",
+ "http://linux.oracle.com/cve/CVE-2011-0541.html",
+ "http://linux.oracle.com/errata/ELSA-2011-1083.html",
 "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html",
 "http://www.openwall.com/lists/oss-security/2011/02/02/2",
 "http://www.openwall.com/lists/oss-security/2011/02/03/5",
@@ -9350,11 +9674,14 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "CVE-2010-3879 CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 fuse: unprivileged user can unmount arbitrary locations via symlink attack",
 "Description": "fusermount in fuse 2.8.5 and earlier does not perform a chdir to / before performing a mount or umount, which allows local users to unmount arbitrary directories via unspecified vectors.",
 "Severity": "LOW",
 "References": [
 "http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=1e7607ff89c65b005f69e27aeb1649d624099873",
+ "http://linux.oracle.com/cve/CVE-2011-0542.html",
+ "http://linux.oracle.com/errata/ELSA-2011-1083.html",
 "http://www.openwall.com/lists/oss-security/2011/02/02/2",
 "http://www.openwall.com/lists/oss-security/2011/02/03/5",
 "http://www.openwall.com/lists/oss-security/2011/02/08/4",
@@ -9368,11 +9695,14 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "CVE-2010-3879 CVE-2011-0541 CVE-2011-0542 CVE-2011-0543 fuse: unprivileged user can unmount arbitrary locations via symlink attack",
 "Description": "Certain legacy functionality in fusermount in fuse 2.8.5 and earlier, when util-linux does not support the --no-canonicalize option, allows local users to bypass intended access restrictions and unmount arbitrary directories via a symlink attack.",
 "Severity": "LOW",
 "References": [
 "http://fuse.git.sourceforge.net/git/gitweb.cgi?p=fuse/fuse;a=commit;h=cbd3a2a84068aae6e3fe32939d88470d712dbf47",
+ "http://linux.oracle.com/cve/CVE-2011-0543.html",
+ "http://linux.oracle.com/errata/ELSA-2011-1083.html",
 "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html",
 "http://www.openwall.com/lists/oss-security/2011/02/02/2",
 "http://www.openwall.com/lists/oss-security/2011/02/03/5",
@@ -9380,37 +9710,6 @@
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0543"
 ]
 },
- {
- "VulnerabilityID": "CVE-2011-1676",
- "PkgName": "libuuid",
- "InstalledVersion": "2.17.2-12.28.el6_9.2",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "util-linux: mount does not remove /etc/mtab.tmp after failed mount entry addition",
- "Description": "mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations.",
- "Severity": "LOW",
- "References": [
- "http://openwall.com/lists/oss-security/2011/03/04/10",
- "http://openwall.com/lists/oss-security/2011/03/04/11",
- "http://openwall.com/lists/oss-security/2011/03/04/12",
- "http://openwall.com/lists/oss-security/2011/03/04/9",
- "http://openwall.com/lists/oss-security/2011/03/05/3",
- "http://openwall.com/lists/oss-security/2011/03/05/7",
- "http://openwall.com/lists/oss-security/2011/03/07/9",
- "http://openwall.com/lists/oss-security/2011/03/14/16",
- "http://openwall.com/lists/oss-security/2011/03/14/5",
- "http://openwall.com/lists/oss-security/2011/03/14/7",
- "http://openwall.com/lists/oss-security/2011/03/15/6",
- "http://openwall.com/lists/oss-security/2011/03/22/4",
- "http://openwall.com/lists/oss-security/2011/03/22/6",
- "http://openwall.com/lists/oss-security/2011/03/31/3",
- "http://openwall.com/lists/oss-security/2011/03/31/4",
- "http://openwall.com/lists/oss-security/2011/04/01/2",
- "https://bugzilla.redhat.com/show_bug.cgi?id=688980",
- "https://exchange.xforce.ibmcloud.com/vulnerabilities/66704"
- ]
- },
 {
 "VulnerabilityID": "CVE-2015-5218",
 "PkgName": "libuuid",
@@ -9418,6 +9717,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", 
@@ -9432,173 +9732,27 @@ ] }, { - "VulnerabilityID": "CVE-2016-4658", - "PkgName": "libxml2", - "InstalledVersion": "2.7.6-21.el6_8.1", + "VulnerabilityID": "CVE-2016-5011", + "PkgName": "libuuid", + "InstalledVersion": "2.17.2-12.28.el6_9.2", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "libxml2: Use after free via namespace node in XPointer ranges", - "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.", - "Severity": "CRITICAL", + "SeveritySource": "redhat", + "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", + "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", + "Severity": "LOW", "References": [ - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html", - "http://www.securityfocus.com/bid/93054", - "http://www.securitytracker.com/id/1036858", - "http://www.securitytracker.com/id/1038623", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658", - "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b", - "https://github.com/sparklemotion/nokogiri/issues/1615", - "https://security.gentoo.org/glsa/201701-37", - 
"https://support.apple.com/HT207141", - "https://support.apple.com/HT207142", - "https://support.apple.com/HT207143", - "https://support.apple.com/HT207170" - ] - }, - { - "VulnerabilityID": "CVE-2017-16931", - "PkgName": "libxml2", - "InstalledVersion": "2.7.6-21.el6_8.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libxml2: Mishandling parameter-entity references", - "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.", - "Severity": "HIGH", - "References": [ - "http://xmlsoft.org/news.html", - "https://bugzilla.gnome.org/show_bug.cgi?id=766956", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931", - "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html" - ] - }, - { - "VulnerabilityID": "CVE-2017-7375", - "PkgName": "libxml2", - "InstalledVersion": "2.7.6-21.el6_8.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libxml2: Missing validation for external entities in xmlParsePEReference", - "Description": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). 
Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/98877", - "http://www.securitytracker.com/id/1038623", - "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa", - "https://bugzilla.redhat.com/show_bug.cgi?id=1462203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375", - "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e", - "https://security.gentoo.org/glsa/201711-01", - "https://source.android.com/security/bulletin/2017-06-01", - "https://www.debian.org/security/2017/dsa-3952" - ] - }, - { - "VulnerabilityID": "CVE-2013-0339", - "PkgName": "libxml2", - "InstalledVersion": "2.7.6-21.el6_8.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libxml2: CPU consumption DoS and other effects when performing string substitutions during external entities expansion", - "Description": "libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. 
NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.html", - "http://openwall.com/lists/oss-security/2013/02/21/24", - "http://openwall.com/lists/oss-security/2013/02/22/3", - "http://seclists.org/oss-sec/2013/q4/182", - "http://seclists.org/oss-sec/2013/q4/184", - "http://seclists.org/oss-sec/2013/q4/188", - "http://secunia.com/advisories/52662", - "http://secunia.com/advisories/54172", - "http://secunia.com/advisories/55568", - "http://www.debian.org/security/2013/dsa-2652", - "http://www.openwall.com/lists/oss-security/2013/04/12/6", - "http://www.ubuntu.com/usn/USN-1904-1", - "http://www.ubuntu.com/usn/USN-1904-2", - "https://bugzilla.redhat.com/show_bug.cgi?id=915149", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0339", - "https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f" - ] - }, - { - "VulnerabilityID": "CVE-2015-8806", - "PkgName": "libxml2", - "InstalledVersion": "2.7.6-21.el6_8.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libxml2: heap-buffer overread in dict.c", - "Description": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"\u003c!DOCTYPE html\" substring in a crafted HTML document.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/02/03/5", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/82071", - 
"http://www.ubuntu.com/usn/USN-2994-1", - "http://www.ubuntu.com/usn/usn-2994-1/", - "https://bugzilla.gnome.org/show_bug.cgi?id=749115", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806", - "https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028", - "https://github.com/sparklemotion/nokogiri/issues/1473", - "https://mail.gnome.org/archives/xml/2016-May/msg00023.html", - "https://security.gentoo.org/glsa/201701-37", - "https://www.debian.org/security/2016/dsa-3593" - ] - }, - { - "VulnerabilityID": "CVE-2016-2073", - "PkgName": "libxml2", - "InstalledVersion": "2.7.6-21.el6_8.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libxml2: out-of-bounds read in htmlParseNameComplex()", - "Description": "The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/01/25/6", - "http://www.openwall.com/lists/oss-security/2016/01/26/7", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/85267", - "http://www.securitytracker.com/id/1035011", - "http://www.ubuntu.com/usn/USN-2994-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073", - "https://security.gentoo.org/glsa/201701-37", - "https://www.debian.org/security/2016/dsa-3593" - ] - }, - { - "VulnerabilityID": "CVE-2016-4483", - "PkgName": "libxml2", - "InstalledVersion": "2.7.6-21.el6_8.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libxml2: out-of-bounds read", - "Description": "The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a 
non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.", - "Severity": "MEDIUM", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-2957.html", - "http://www.debian.org/security/2016/dsa-3593", - "http://www.openwall.com/lists/oss-security/2016/05/03/8", - "http://www.openwall.com/lists/oss-security/2016/05/04/7", - "http://www.openwall.com/lists/oss-security/2016/06/07/4", - "http://www.openwall.com/lists/oss-security/2016/06/07/5", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/90013", - "http://www.securitytracker.com/id/1036348", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483", - "https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd", - "https://security.gentoo.org/glsa/201701-37", - "https://www.tenable.com/security/tns-2016-18" + "http://linux.oracle.com/cve/CVE-2016-5011.html", + "http://linux.oracle.com/errata/ELSA-2016-2605.html", + "http://rhn.redhat.com/errata/RHSA-2016-2605.html", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", + "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", + "http://www.openwall.com/lists/oss-security/2016/07/11/2", + "http://www.securityfocus.com/bid/91683", + "http://www.securitytracker.com/id/1036272", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5011", + "https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3" ] }, { 
@@ -9608,9 +9762,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "libxml2: use after free triggered by XPointer paths beginning with range-to", + "SeveritySource": "redhat", + "Title": "libxml2: Use after free triggered by XPointer paths beginning with range-to", "Description": "Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ "http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html", "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", 
@@ -9641,6 +9796,92 @@ "https://support.apple.com/HT207170" ] }, + { + "VulnerabilityID": "CVE-2013-0339", + "PkgName": "libxml2", + "InstalledVersion": "2.7.6-21.el6_8.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libxml2: CPU consumption DoS and other effects when performing string substitutions during external entities expansion", + "Description": "libxml2 through 2.9.1 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because libxml2 already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed and each affected application would need its own CVE.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00002.html", + "http://openwall.com/lists/oss-security/2013/02/21/24", + "http://openwall.com/lists/oss-security/2013/02/22/3", + "http://seclists.org/oss-sec/2013/q4/182", + "http://seclists.org/oss-sec/2013/q4/184", + "http://seclists.org/oss-sec/2013/q4/188", + "http://secunia.com/advisories/52662", + "http://secunia.com/advisories/54172", + "http://secunia.com/advisories/55568", + "http://www.debian.org/security/2013/dsa-2652", + "http://www.openwall.com/lists/oss-security/2013/04/12/6", + "http://www.ubuntu.com/usn/USN-1904-1", + "http://www.ubuntu.com/usn/USN-1904-2", + "https://bugzilla.redhat.com/show_bug.cgi?id=915149", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0339", + 
"https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f" + ] + }, + { + "VulnerabilityID": "CVE-2016-4483", + "PkgName": "libxml2", + "InstalledVersion": "2.7.6-21.el6_8.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libxml2: out-of-bounds read", + "Description": "The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.", + "Severity": "MEDIUM", + "References": [ + "http://rhn.redhat.com/errata/RHSA-2016-2957.html", + "http://www.debian.org/security/2016/dsa-3593", + "http://www.openwall.com/lists/oss-security/2016/05/03/8", + "http://www.openwall.com/lists/oss-security/2016/05/04/7", + "http://www.openwall.com/lists/oss-security/2016/06/07/4", + "http://www.openwall.com/lists/oss-security/2016/06/07/5", + "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", + "http://www.securityfocus.com/bid/90013", + "http://www.securitytracker.com/id/1036348", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483", + "https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd", + "https://security.gentoo.org/glsa/201701-37", + "https://www.tenable.com/security/tns-2016-18" + ] + }, + { + "VulnerabilityID": "CVE-2016-4658", + "PkgName": "libxml2", + "InstalledVersion": "2.7.6-21.el6_8.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Use after free via namespace node in XPointer ranges", + "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and 
other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.", + "Severity": "MEDIUM", + "References": [ + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html", + "http://www.securityfocus.com/bid/93054", + "http://www.securitytracker.com/id/1036858", + "http://www.securitytracker.com/id/1038623", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658", + "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b", + "https://github.com/sparklemotion/nokogiri/issues/1615", + "https://security.gentoo.org/glsa/201701-37", + "https://support.apple.com/HT207141", + "https://support.apple.com/HT207142", + "https://support.apple.com/HT207143", + "https://support.apple.com/HT207170" + ] + }, { "VulnerabilityID": "CVE-2016-9318", "PkgName": "libxml2", @@ -9648,6 +9889,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libxml2: XML External Entity vulnerability", "Description": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.", "Severity": "MEDIUM", 
@@ -9667,6 +9909,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libxml2: Heap buffer overflow in xmlAddID", "Description": "A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.", "Severity": "MEDIUM", @@ -9679,6 +9922,25 @@ "https://source.android.com/security/bulletin/2017-06-01" ] }, + { + "VulnerabilityID": "CVE-2017-16931", + "PkgName": "libxml2", + "InstalledVersion": "2.7.6-21.el6_8.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Mishandling parameter-entity references", + "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.", + "Severity": "MEDIUM", + "References": [ + "http://xmlsoft.org/news.html", + "https://bugzilla.gnome.org/show_bug.cgi?id=766956", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931", + "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html" + ] + }, { "VulnerabilityID": "CVE-2017-16932", "PkgName": "libxml2", 
@@ -9686,6 +9948,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libxml2: Infinite recursion in parameter entities", "Description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.", "Severity": "MEDIUM", 
@@ -9702,18 +9965,26 @@ ] }, { - "VulnerabilityID": "CVE-2017-8872", + "VulnerabilityID": "CVE-2017-7375", "PkgName": "libxml2", "InstalledVersion": "2.7.6-21.el6_8.1", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "libxml2: Out-of-bounds read in htmlParseTryOrFinish", - "Description": "The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.", + "SeveritySource": "redhat", + "Title": "libxml2: Missing validation for external entities in xmlParsePEReference", + "Description": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).", "Severity": "MEDIUM", "References": [ - "https://bugzilla.gnome.org/show_bug.cgi?id=775200", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872" + "http://www.securityfocus.com/bid/98877", + "http://www.securitytracker.com/id/1038623", + "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa", + "https://bugzilla.redhat.com/show_bug.cgi?id=1462203", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375", + "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e", + "https://security.gentoo.org/glsa/201711-01", + "https://source.android.com/security/bulletin/2017-06-01", + "https://www.debian.org/security/2017/dsa-3952" ] }, { 
@@ -9723,6 +9994,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libxml2: Buffer overflow in function xmlSnprintfElementContent", "Description": "A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content-\u003etype is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content-\u003eprefix is appended to buf (if it actually fits) whereupon (ii) content-\u003ename is written to the buffer. However, the check for whether the content-\u003ename actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.", "Severity": "MEDIUM", 
@@ -9734,24 +10006,6 @@ "https://security.gentoo.org/glsa/201711-01" ] }, - { - "VulnerabilityID": "CVE-2017-9048", - "PkgName": "libxml2", - "InstalledVersion": "2.7.6-21.el6_8.1", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "libxml2: Stack-based buffer overflow in function xmlSnprintfElementContent", - "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 \u003c size. This vulnerability causes programs that use libxml2, such as PHP, to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98556", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048", - "https://security.gentoo.org/glsa/201711-01" - ] - }, { "VulnerabilityID": "CVE-2017-9049", "PkgName": "libxml2", @@ -9759,6 +10013,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libxml2: Heap-based buffer over-read in function xmlDictComputeFastKey", "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.", "Severity": "MEDIUM", 
@@ -9777,6 +10032,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libxml2: Heap-based buffer over-read in function xmlDictAddString", "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.", "Severity": "MEDIUM", @@ -9804,7 +10060,8 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "libxml2: NULL pointer dereference in xpath.c:xmlXPathCompOpEval() can allow attackers to cause a denial of service", + "SeveritySource": "redhat", + "Title": "libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c", "Description": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.", "Severity": "MEDIUM", "References": [ @@ -9828,6 +10085,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "libxml2: Null pointer dereference in xmlSaveDoc implementation", "Description": "** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states \"I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser.\"", "Severity": "LOW", 
@@ -9840,6 +10098,41 @@ "https://security.gentoo.org/glsa/201711-01" ] }, + { + "VulnerabilityID": "CVE-2017-8872", + "PkgName": "libxml2", + "InstalledVersion": "2.7.6-21.el6_8.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Out-of-bounds read in htmlParseTryOrFinish", + "Description": "The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.", + "Severity": "LOW", + "References": [ + "https://bugzilla.gnome.org/show_bug.cgi?id=775200", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872" + ] + }, + { + "VulnerabilityID": "CVE-2017-9048", + "PkgName": "libxml2", + "InstalledVersion": "2.7.6-21.el6_8.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Stack-based buffer overflow in function xmlSnprintfElementContent", + "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 \u003c size. This vulnerability causes programs that use libxml2, such as PHP, to crash.", + "Severity": "LOW", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98556", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048", + "https://security.gentoo.org/glsa/201711-01" + ] + }, { "VulnerabilityID": "CVE-2014-5461", "PkgName": "lua", 
@@ -9847,6 +10140,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "lua: overflow flaw in vararg functions", "Description": "Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.", "Severity": "MEDIUM", @@ -9875,9 +10169,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", @@ -9891,9 +10186,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", 
@@ -9907,9 +10203,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", @@ -9923,9 +10220,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -9939,9 +10237,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", 
@@ -9955,9 +10254,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", @@ -9971,9 +10271,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -9987,9 +10288,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", 
@@ -10003,9 +10305,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", @@ -10019,9 +10322,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -10035,9 +10339,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -10046,6 +10351,21 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2018-10754", + "PkgName": "ncurses", + "InstalledVersion": "5.7-4.20090207.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "ncurses", @@ -10053,9 +10373,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -10068,28 +10389,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_name_match", "Description": "** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643753", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217" ] }, - { - "VulnerabilityID": "CVE-2018-10754", - "PkgName": "ncurses", - "InstalledVersion": "5.7-4.20090207.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "LOW", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" - ] - }, { "VulnerabilityID": "CVE-2017-10685", "PkgName": "ncurses-base", 
@@ -10097,9 +10405,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", @@ -10113,9 +10422,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -10129,9 +10439,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", 
@@ -10145,9 +10456,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -10161,9 +10473,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -10177,9 +10490,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", 
@@ -10193,9 +10507,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -10209,9 +10524,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -10225,9 +10541,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", 
@@ -10241,9 +10558,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -10257,9 +10575,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -10268,6 +10587,21 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2018-10754", + "PkgName": "ncurses-base", + "InstalledVersion": "5.7-4.20090207.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "ncurses-base", @@ -10275,9 +10609,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -10290,28 +10625,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_name_match", "Description": "** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643753", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217" ] }, - { - "VulnerabilityID": "CVE-2018-10754", - "PkgName": "ncurses-base", - "InstalledVersion": "5.7-4.20090207.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "LOW", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" - ] - }, { "VulnerabilityID": "CVE-2017-10685", "PkgName": "ncurses-libs", 
@@ -10319,9 +10641,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", @@ -10335,9 +10658,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -10351,9 +10675,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", 
@@ -10367,9 +10692,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -10383,9 +10709,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -10399,9 +10726,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", 
@@ -10415,9 +10743,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -10431,9 +10760,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -10447,9 +10777,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", 
@@ -10463,9 +10794,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -10479,9 +10811,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -10490,6 +10823,21 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2018-10754", + "PkgName": "ncurses-libs", + "InstalledVersion": "5.7-4.20090207.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "ncurses-libs", @@ -10497,9 +10845,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -10512,28 +10861,15 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_name_match", "Description": "** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643753", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217" ] }, - { - "VulnerabilityID": "CVE-2018-10754", - "PkgName": "ncurses-libs", - "InstalledVersion": "5.7-4.20090207.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "LOW", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" - ] - }, { "VulnerabilityID": "CVE-2016-1951", "PkgName": "nspr", 
@@ -10541,9 +10877,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "nspr: Memory allocation issue related to PR_*printf functions", "Description": "Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable Runtime (NSPR) before 4.12 allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long string to a PR_*printf function.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.securityfocus.com/bid/92385", "http://www.securitytracker.com/id/1036590", @@ -10562,9 +10899,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "nvd", "Title": "nss: /pkcs11.txt and /secmod.db files read on initialization", "Description": "** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was \"Strange behavior, but we're not treating this as a security bug.\"", - "Severity": "CRITICAL", + "Severity": "HIGH", "References": [ "http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html", "http://code.google.com/p/chromium/issues/detail?id=97426", 
@@ -10576,6 +10914,23 @@ "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13414" ] }, + { + "VulnerabilityID": "CVE-2013-0743", + "PkgName": "nss", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: Dis-trust TURKTRUST mis-issued *.google.com certificate", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA at the suggestion of the CVE project team. The candidate had been associated with a correct report of a security problem, but not a problem that is categorized as a vulnerability within CVE. Compromised or unauthorized SSL certificates are not within CVE's scope. Notes: none.", + "Severity": "HIGH", + "References": [ + "http://googleonlinesecurity.blogspot.in/2013/01/enhancing-digital-certificate-security.html", + "http://www.mozilla.org/security/announce/2013/mfsa2013-20.html", + "https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/" + ] + }, { "VulnerabilityID": "CVE-2011-3389", "PkgName": "nss", 
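Review bot: The regenerated expectation for the nss `CVE-2013-0743` entry pins a withdrawn candidate (its Description starts with `** REJECT **`) as a `"Severity": "HIGH"` finding with `"SeveritySource": "redhat"`, whereas the removed copy of the same entry carried `MEDIUM`; the three `CVE-2018-10754` entries for ncurses, ncurses-base and ncurses-libs are likewise `** REJECT **` records the fixture now expects to be reported. If surfacing rejected CVEs is intended, the golden file turns that into the tested contract, so a one-line remark in the test that loads this fixture (JSON itself has no comment syntax) saying that rejected candidates are deliberately retained and that severities now follow the `SeveritySource` vendor rating would keep a later maintainer from reading these rows as regressions. The nss `CVE-2011-5094` entry is dropped with no replacement visible in these hunks, which presumably reflects the trivy-db update rather than scanner logic, but is worth confirming before the expectation is accepted.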
@@ -10583,6 +10938,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)", "Description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "Severity": "MEDIUM", @@ -10597,6 +10953,8 @@ "http://eprint.iacr.org/2006/136", "http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html", "http://isc.sans.edu/diary/SSL+TLS+part+3+/11635", + "http://linux.oracle.com/cve/CVE-2011-3389.html", + "http://linux.oracle.com/errata/ELSA-2011-1380.html", "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html", "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html", "http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html", 
@@ -10677,45 +11035,6 @@ "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752" ] }, - { - "VulnerabilityID": "CVE-2011-5094", - "PkgName": "nss", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: DoS via repeated SSL session renegotiations", - "Description": "** DISPUTED ** Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.", - "Severity": "MEDIUM", - "References": [ - "http://orchilles.com/2011/03/ssl-renegotiation-dos.html", - "http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html", - "http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07553.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07564.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07567.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07576.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07577.html", - "http://www.openwall.com/lists/oss-security/2011/07/08/2", - "https://bugzilla.redhat.com/show_bug.cgi?id=707065" - ] - }, - { - "VulnerabilityID": "CVE-2013-0743", - "PkgName": "nss", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: Dis-trust TURKTRUST mis-issued 
*.google.com certificate", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA at the suggestion of the CVE project team. The candidate had been associated with a correct report of a security problem, but not a problem that is categorized as a vulnerability within CVE. Compromised or unauthorized SSL certificates are not within CVE's scope. Notes: none.", - "Severity": "MEDIUM", - "References": [ - "http://googleonlinesecurity.blogspot.in/2013/01/enhancing-digital-certificate-security.html", - "http://www.mozilla.org/security/announce/2013/mfsa2013-20.html", - "https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/" - ] - }, { "VulnerabilityID": "CVE-2013-2566", "PkgName": "nss", @@ -10723,6 +11042,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Attack against RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.", "Severity": "MEDIUM", 
@@ -10757,6 +11077,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", @@ -10764,6 +11085,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -10872,11 +11195,14 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)", "Description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", "Severity": "MEDIUM", "References": [ "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759", + "http://linux.oracle.com/cve/CVE-2016-2183.html", + "http://linux.oracle.com/errata/ELSA-2018-2123.html", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "http://rhn.redhat.com/errata/RHSA-2017-0337.html", @@ -10909,6 +11235,7 @@ "https://access.redhat.com/errata/RHSA-2017:3240", "https://access.redhat.com/errata/RHSA-2018:2123", "https://access.redhat.com/errata/RHSA-2019:1245", + "https://access.redhat.com/errata/RHSA-2019:2859", "https://access.redhat.com/security/cve/cve-2016-2183", "https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/", "https://bto.bluecoat.com/security-advisory/sa133", 
@@ -10941,6 +11268,7 @@ "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008", "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.sigsac.org/ccs/CCS2016/accepted-papers/", "https://www.tenable.com/security/tns-2016-16", "https://www.tenable.com/security/tns-2016-20", @@ -10956,6 +11284,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "nss: Insufficient timing side-channel resistance in divSpoiler", "Description": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50.", "Severity": "MEDIUM", @@ -10980,6 +11309,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "nss: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA", "Description": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.", "Severity": "MEDIUM", 
@@ -10989,57 +11319,6 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9574" ] }, - { - "VulnerabilityID": "CVE-2018-12384", - "PkgName": "nss", - "InstalledVersion": "3.36.0-8.el6", - "FixedVersion": "3.36.0-9.el6_10", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello", - "Description": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.", - "Severity": "MEDIUM", - "References": [ - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12384", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes", - "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" - ] - }, - { - "VulnerabilityID": "CVE-2018-12404", - "PkgName": "nss", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", - "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", - "http://www.securityfocus.com/bid/107260", - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" - ] - }, - { - "VulnerabilityID": "CVE-2018-18508", - "PkgName": "nss", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", - "Description": "No description is available for this CVE.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" - ] - }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss", 
@@ -11047,10 +11326,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -11073,6 +11355,118 @@ "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, + { + "VulnerabilityID": "CVE-2018-12384", + "PkgName": "nss", + "InstalledVersion": "3.36.0-8.el6", + "FixedVersion": "3.36.0-9.el6_10", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello", + "Description": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12384.html", + "http://linux.oracle.com/errata/ELSA-2018-2898.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12384", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2018-18508", + "PkgName": "nss", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18508.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2011-5094", + "PkgName": "nss", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: DoS via repeated SSL session renegotiations", + "Description": "** DISPUTED ** Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than 
CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.", + "Severity": "LOW", + "References": [ + "http://orchilles.com/2011/03/ssl-renegotiation-dos.html", + "http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html", + "http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07553.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07564.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07567.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07576.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07577.html", + "http://www.openwall.com/lists/oss-security/2011/07/08/2", + "https://bugzilla.redhat.com/show_bug.cgi?id=707065" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn", + "InstalledVersion": "3.14.3-23.3.el6_8", + "FixedVersion": "3.44.0-6.el6_10", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2015-2613", "PkgName": "nss-softokn", @@ -11080,6 +11474,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "NSS / JCE: missing EC parameter validation in ECDH_Derive() (OpenJDK JCE, 8075833)", "Description": "Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE.", "Severity": "MEDIUM", 
@@ -11107,6 +11502,25 @@ "https://security.gentoo.org/glsa/201603-14" ] }, + { + "VulnerabilityID": "CVE-2017-7781", + "PkgName": "nss-softokn", + "InstalledVersion": "3.14.3-23.3.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", + "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/100383", + "http://www.securitytracker.com/id/1039124", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", + "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", + "https://www.mozilla.org/security/advisories/mfsa2017-18/" + ] + }, { "VulnerabilityID": "CVE-2016-1938", "PkgName": "nss-softokn", 
@@ -11114,9 +11528,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "Mozilla NSS: Errors in mp_div and mp_exptmod cryptographic functions", "Description": "The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html", "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html", 
@@ -11145,21 +11560,31 @@ ] }, { - "VulnerabilityID": "CVE-2017-7781", - "PkgName": "nss-softokn", + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn-freebl", "InstalledVersion": "3.14.3-23.3.el6_8", + "FixedVersion": "3.44.0-6.el6_10", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", - "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securityfocus.com/bid/100383", - "http://www.securitytracker.com/id/1039124", - "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", - "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", - "https://www.mozilla.org/security/advisories/mfsa2017-18/" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { @@ -11169,6 +11594,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "NSS / JCE: missing EC parameter validation in ECDH_Derive() (OpenJDK JCE, 8075833)", "Description": "Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE.", "Severity": "MEDIUM", 
@@ -11196,6 +11622,25 @@ "https://security.gentoo.org/glsa/201603-14" ] }, + { + "VulnerabilityID": "CVE-2017-7781", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.14.3-23.3.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", + "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/100383", + "http://www.securitytracker.com/id/1039124", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", + "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", + "https://www.mozilla.org/security/advisories/mfsa2017-18/" + ] + }, { "VulnerabilityID": "CVE-2016-1938", "PkgName": "nss-softokn-freebl", 
@@ -11203,9 +11648,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "Mozilla NSS: Errors in mp_div and mp_exptmod cryptographic functions", "Description": "The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html", "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html", 
@@ -11233,24 +11679,6 @@ "https://security.gentoo.org/glsa/201701-46" ] }, - { - "VulnerabilityID": "CVE-2017-7781", - "PkgName": "nss-softokn-freebl", - "InstalledVersion": "3.14.3-23.3.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", - "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100383", - "http://www.securitytracker.com/id/1039124", - "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", - "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", - "https://www.mozilla.org/security/advisories/mfsa2017-18/" - ] - }, { "VulnerabilityID": "CVE-2011-3640", "PkgName": "nss-sysinit", 
@@ -11258,9 +11686,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "nvd", "Title": "nss: /pkcs11.txt and /secmod.db files read on initialization", "Description": "** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was \"Strange behavior, but we're not treating this as a security bug.\"", - "Severity": "CRITICAL", + "Severity": "HIGH", "References": [ "http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html", "http://code.google.com/p/chromium/issues/detail?id=97426", 
@@ -11272,6 +11701,23 @@ "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13414" ] }, + { + "VulnerabilityID": "CVE-2013-0743", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: Dis-trust TURKTRUST mis-issued *.google.com certificate", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA at the suggestion of the CVE project team. The candidate had been associated with a correct report of a security problem, but not a problem that is categorized as a vulnerability within CVE. Compromised or unauthorized SSL certificates are not within CVE's scope. Notes: none.", + "Severity": "HIGH", + "References": [ + "http://googleonlinesecurity.blogspot.in/2013/01/enhancing-digital-certificate-security.html", + "http://www.mozilla.org/security/announce/2013/mfsa2013-20.html", + "https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/" + ] + }, { "VulnerabilityID": "CVE-2011-3389", "PkgName": "nss-sysinit", 
@@ -11279,6 +11725,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)", "Description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "Severity": "MEDIUM", @@ -11293,6 +11740,8 @@ "http://eprint.iacr.org/2006/136", "http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html", "http://isc.sans.edu/diary/SSL+TLS+part+3+/11635", + "http://linux.oracle.com/cve/CVE-2011-3389.html", + "http://linux.oracle.com/errata/ELSA-2011-1380.html", "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html", "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html", "http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html", 
@@ -11373,45 +11822,6 @@ "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752" ] }, - { - "VulnerabilityID": "CVE-2011-5094", - "PkgName": "nss-sysinit", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: DoS via repeated SSL session renegotiations", - "Description": "** DISPUTED ** Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.", - "Severity": "MEDIUM", - "References": [ - "http://orchilles.com/2011/03/ssl-renegotiation-dos.html", - "http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html", - "http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07553.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07564.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07567.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07576.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07577.html", - "http://www.openwall.com/lists/oss-security/2011/07/08/2", - "https://bugzilla.redhat.com/show_bug.cgi?id=707065" - ] - }, - { - "VulnerabilityID": "CVE-2013-0743", - "PkgName": "nss-sysinit", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: Dis-trust TURKTRUST 
mis-issued *.google.com certificate", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA at the suggestion of the CVE project team. The candidate had been associated with a correct report of a security problem, but not a problem that is categorized as a vulnerability within CVE. Compromised or unauthorized SSL certificates are not within CVE's scope. Notes: none.", - "Severity": "MEDIUM", - "References": [ - "http://googleonlinesecurity.blogspot.in/2013/01/enhancing-digital-certificate-security.html", - "http://www.mozilla.org/security/announce/2013/mfsa2013-20.html", - "https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/" - ] - }, { "VulnerabilityID": "CVE-2013-2566", "PkgName": "nss-sysinit", @@ -11419,6 +11829,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Attack against RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.", "Severity": "MEDIUM", 
@@ -11453,6 +11864,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", @@ -11460,6 +11872,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -11568,11 +11982,14 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)", "Description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", "Severity": "MEDIUM", "References": [ "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759", + "http://linux.oracle.com/cve/CVE-2016-2183.html", + "http://linux.oracle.com/errata/ELSA-2018-2123.html", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "http://rhn.redhat.com/errata/RHSA-2017-0337.html", @@ -11605,6 +12022,7 @@ "https://access.redhat.com/errata/RHSA-2017:3240", "https://access.redhat.com/errata/RHSA-2018:2123", "https://access.redhat.com/errata/RHSA-2019:1245", + "https://access.redhat.com/errata/RHSA-2019:2859", "https://access.redhat.com/security/cve/cve-2016-2183", "https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/", "https://bto.bluecoat.com/security-advisory/sa133", 
@@ -11637,6 +12055,7 @@ "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008", "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.sigsac.org/ccs/CCS2016/accepted-papers/", "https://www.tenable.com/security/tns-2016-16", "https://www.tenable.com/security/tns-2016-20", @@ -11652,6 +12071,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "nss: Insufficient timing side-channel resistance in divSpoiler", "Description": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50.", "Severity": "MEDIUM", @@ -11676,6 +12096,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "nss: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA", "Description": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.", "Severity": "MEDIUM", 
@@ -11685,57 +12106,6 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9574" ] }, - { - "VulnerabilityID": "CVE-2018-12384", - "PkgName": "nss-sysinit", - "InstalledVersion": "3.36.0-8.el6", - "FixedVersion": "3.36.0-9.el6_10", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello", - "Description": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.", - "Severity": "MEDIUM", - "References": [ - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12384", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes", - "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" - ] - }, - { - "VulnerabilityID": "CVE-2018-12404", - "PkgName": "nss-sysinit", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", - "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", - "http://www.securityfocus.com/bid/107260", - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" - ] - }, - { - "VulnerabilityID": "CVE-2018-18508", - "PkgName": "nss-sysinit", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", - "Description": "No description is available for this CVE.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" - ] - }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss-sysinit", 
@@ -11743,10 +12113,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -11769,6 +12142,90 @@ "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, + { + "VulnerabilityID": "CVE-2018-12384", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-8.el6", + "FixedVersion": "3.36.0-9.el6_10", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello", + "Description": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12384.html", + "http://linux.oracle.com/errata/ELSA-2018-2898.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12384", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2018-18508", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18508.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2011-5094", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: DoS via repeated SSL session renegotiations", + "Description": "** DISPUTED ** Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability 
than CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.", + "Severity": "LOW", + "References": [ + "http://orchilles.com/2011/03/ssl-renegotiation-dos.html", + "http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html", + "http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07553.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07564.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07567.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07576.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07577.html", + "http://www.openwall.com/lists/oss-security/2011/07/08/2", + "https://bugzilla.redhat.com/show_bug.cgi?id=707065" + ] + }, { "VulnerabilityID": "CVE-2011-3640", "PkgName": "nss-tools", @@ -11776,9 +12233,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "nvd", "Title": "nss: /pkcs11.txt and /secmod.db files read on initialization", "Description": "** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was \"Strange behavior, but we're not treating this as a security bug.\"", - "Severity": "CRITICAL", + "Severity": "HIGH", "References": [ "http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html", "http://code.google.com/p/chromium/issues/detail?id=97426", 
@@ -11790,6 +12248,23 @@ "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13414" ] }, + { + "VulnerabilityID": "CVE-2013-0743", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: Dis-trust TURKTRUST mis-issued *.google.com certificate", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA at the suggestion of the CVE project team. The candidate had been associated with a correct report of a security problem, but not a problem that is categorized as a vulnerability within CVE. Compromised or unauthorized SSL certificates are not within CVE's scope. Notes: none.", + "Severity": "HIGH", + "References": [ + "http://googleonlinesecurity.blogspot.in/2013/01/enhancing-digital-certificate-security.html", + "http://www.mozilla.org/security/announce/2013/mfsa2013-20.html", + "https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/" + ] + }, { "VulnerabilityID": "CVE-2011-3389", "PkgName": "nss-tools", 
@@ -11797,6 +12272,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)", "Description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "Severity": "MEDIUM", @@ -11811,6 +12287,8 @@ "http://eprint.iacr.org/2006/136", "http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html", "http://isc.sans.edu/diary/SSL+TLS+part+3+/11635", + "http://linux.oracle.com/cve/CVE-2011-3389.html", + "http://linux.oracle.com/errata/ELSA-2011-1380.html", "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html", "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html", "http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html", 
@@ -11891,45 +12369,6 @@ "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752" ] }, - { - "VulnerabilityID": "CVE-2011-5094", - "PkgName": "nss-tools", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: DoS via repeated SSL session renegotiations", - "Description": "** DISPUTED ** Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.", - "Severity": "MEDIUM", - "References": [ - "http://orchilles.com/2011/03/ssl-renegotiation-dos.html", - "http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html", - "http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07553.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07564.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07567.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07576.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07577.html", - "http://www.openwall.com/lists/oss-security/2011/07/08/2", - "https://bugzilla.redhat.com/show_bug.cgi?id=707065" - ] - }, - { - "VulnerabilityID": "CVE-2013-0743", - "PkgName": "nss-tools", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: Dis-trust TURKTRUST 
mis-issued *.google.com certificate", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA at the suggestion of the CVE project team. The candidate had been associated with a correct report of a security problem, but not a problem that is categorized as a vulnerability within CVE. Compromised or unauthorized SSL certificates are not within CVE's scope. Notes: none.", - "Severity": "MEDIUM", - "References": [ - "http://googleonlinesecurity.blogspot.in/2013/01/enhancing-digital-certificate-security.html", - "http://www.mozilla.org/security/announce/2013/mfsa2013-20.html", - "https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/" - ] - }, { "VulnerabilityID": "CVE-2013-2566", "PkgName": "nss-tools", @@ -11937,6 +12376,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Attack against RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.", "Severity": "MEDIUM", 
@@ -11971,6 +12411,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", @@ -11978,6 +12419,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -12086,11 +12529,14 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)", "Description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", "Severity": "MEDIUM", "References": [ "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759", + "http://linux.oracle.com/cve/CVE-2016-2183.html", + "http://linux.oracle.com/errata/ELSA-2018-2123.html", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "http://rhn.redhat.com/errata/RHSA-2017-0337.html", @@ -12123,6 +12569,7 @@ "https://access.redhat.com/errata/RHSA-2017:3240", "https://access.redhat.com/errata/RHSA-2018:2123", "https://access.redhat.com/errata/RHSA-2019:1245", + "https://access.redhat.com/errata/RHSA-2019:2859", "https://access.redhat.com/security/cve/cve-2016-2183", "https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/", "https://bto.bluecoat.com/security-advisory/sa133", 
@@ -12155,6 +12602,7 @@ "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008", "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.sigsac.org/ccs/CCS2016/accepted-papers/", "https://www.tenable.com/security/tns-2016-16", "https://www.tenable.com/security/tns-2016-20", @@ -12170,6 +12618,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "nss: Insufficient timing side-channel resistance in divSpoiler", "Description": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50.", "Severity": "MEDIUM", @@ -12194,6 +12643,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "nss: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA", "Description": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.", "Severity": "MEDIUM", 
@@ -12203,57 +12653,6 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9574" ] }, - { - "VulnerabilityID": "CVE-2018-12384", - "PkgName": "nss-tools", - "InstalledVersion": "3.36.0-8.el6", - "FixedVersion": "3.36.0-9.el6_10", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello", - "Description": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.", - "Severity": "MEDIUM", - "References": [ - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12384", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes", - "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" - ] - }, - { - "VulnerabilityID": "CVE-2018-12404", - "PkgName": "nss-tools", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", - "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", - "http://www.securityfocus.com/bid/107260", - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" - ] - }, - { - "VulnerabilityID": "CVE-2018-18508", - "PkgName": "nss-tools", - "InstalledVersion": "3.36.0-8.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", - "Description": "No description is available for this CVE.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" - ] - }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss-tools", 
@@ -12261,10 +12660,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -12287,6 +12689,90 @@ "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, + { + "VulnerabilityID": "CVE-2018-12384", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-8.el6", + "FixedVersion": "3.36.0-9.el6_10", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello", + "Description": "When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12384.html", + "http://linux.oracle.com/errata/ELSA-2018-2898.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12384", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.5_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2018-18508", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18508.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2011-5094", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-8.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "nss: DoS via repeated SSL session renegotiations", + "Description": "** DISPUTED ** Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than 
CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.", + "Severity": "LOW", + "References": [ + "http://orchilles.com/2011/03/ssl-renegotiation-dos.html", + "http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html", + "http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07553.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07564.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07567.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07576.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07577.html", + "http://www.openwall.com/lists/oss-security/2011/07/08/2", + "https://bugzilla.redhat.com/show_bug.cgi?id=707065" + ] + }, { "VulnerabilityID": "CVE-2009-3767", "PkgName": "openldap", 
@@ -12294,10 +12780,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "OpenLDAP: Doesn't properly handle NULL character in subject Common Name", "Description": "libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2009-3767.html", + "http://linux.oracle.com/errata/ELSA-2010-0198.html", "http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html", "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036138.html", "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html", 
@@ -12317,54 +12806,6 @@ "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7274" ] }, - { - "VulnerabilityID": "CVE-2011-4079", - "PkgName": "openldap", - "InstalledVersion": "2.4.40-16.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "openldap: one-byte buffer overflow in slapd", - "Description": "Off-by-one error in the UTF8StringNormalize function in OpenLDAP 2.4.26 and earlier allows remote attackers to cause a denial of service (slapd crash) via a zero-length string that triggers a heap-based buffer overflow, as demonstrated using an empty postalAddressAttribute value in an LDIF entry.", - "Severity": "MEDIUM", - "References": [ - "http://secunia.com/advisories/46599", - "http://security.gentoo.org/glsa/glsa-201406-36.xml", - "http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=507238713b71208ec4f262f312cb495a302df9e9", - "http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7059;selectid=7059", - "http://www.openwall.com/lists/oss-security/2011/10/26/5", - "http://www.openwall.com/lists/oss-security/2011/10/26/9", - "http://www.securityfocus.com/bid/50384", - "http://www.ubuntu.com/usn/USN-1266-1", - "https://bugzilla.redhat.com/show_bug.cgi?id=749324", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4079", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/70991" - ] - }, - { - "VulnerabilityID": "CVE-2015-1546", - "PkgName": "openldap", - "InstalledVersion": "2.4.40-16.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "openldap: slapd crash in valueReturnFilter cleanup", - "Description": "Double free vulnerability in the get_vrFilter function in servers/slapd/filter.c in OpenLDAP 2.4.40 allows remote attackers to cause a denial of service (crash) via a crafted search query with a matched values control.", - "Severity": "MEDIUM", - 
"References": [ - "http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html", - "http://lists.opensuse.org/opensuse-updates/2015-07/msg00069.html", - "http://secunia.com/advisories/62787", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:073", - "http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a", - "http://www.openldap.org/its/?findid=8046", - "http://www.openwall.com/lists/oss-security/2015/02/07/3", - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/100938", - "https://support.apple.com/HT204659" - ] - }, { "VulnerabilityID": "CVE-2015-3276", "PkgName": "openldap", @@ -12372,10 +12813,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "openldap: incorrect multi-keyword mode cipherstring parsing", "Description": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-3276.html", + "http://linux.oracle.com/errata/ELSA-2015-2131.html", "http://rhn.redhat.com/errata/RHSA-2015-2131.html", "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "http://www.securitytracker.com/id/1034221", 
@@ -12389,10 +12833,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "openldap: Double free vulnerability in servers/slapd/back-mdb/search.c", "Description": "servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2017-9287.html", + "http://linux.oracle.com/errata/ELSA-2017-1852.html", "http://www.debian.org/security/2017/dsa-3868", "http://www.openldap.org/its/?findid=8655", "http://www.securityfocus.com/bid/98736", @@ -12409,6 +12856,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "openldap-servers: /usr/libexec/openldap/generate-server-cert.sh create world readable password file", "Description": "/usr/libexec/openldap/generate-server-cert.sh in openldap-servers sets weak permissions for the TLS certificate, which allows local users to obtain the TLS certificate by leveraging a race condition between the creation of the certificate, and the chmod to protect it.", "Severity": "LOW", 
@@ -12416,46 +12864,6 @@ "https://bugzilla.redhat.com/show_bug.cgi?id=1346120" ] }, - { - "VulnerabilityID": "CVE-2017-14159", - "PkgName": "openldap", - "InstalledVersion": "2.4.40-16.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "openldap: Privilege escalation via PID file manipulation", - "Description": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.", - "Severity": "LOW", - "References": [ - "http://www.openldap.org/its/index.cgi?findid=8703" - ] - }, - { - "VulnerabilityID": "CVE-2011-1473", - "PkgName": "openssl", - "InstalledVersion": "1.0.1e-57.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "openssl: DoS via repeated SSL session renegotiations", - "Description": "** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. 
NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.", - "Severity": "MEDIUM", - "References": [ - "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html", - "http://marc.info/?l=bugtraq\u0026m=133951357207000\u0026w=2", - "http://orchilles.com/2011/03/ssl-renegotiation-dos.html", - "http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html", - "http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07553.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07564.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07567.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07576.html", - "http://www.ietf.org/mail-archive/web/tls/current/msg07577.html", - "http://www.openwall.com/lists/oss-security/2011/07/08/2", - "https://bugzilla.redhat.com/show_bug.cgi?id=707065", - "https://lists.apache.org/thread.html/142b93d261e8ac7c5ceffdce848d622404abc1c286bbc999f43a9e10@%3Cdev.rocketmq.apache.org%3E" - ] - }, { "VulnerabilityID": "CVE-2011-3389", "PkgName": "openssl", 
@@ -12463,6 +12871,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)", "Description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "Severity": "MEDIUM", @@ -12477,6 +12886,8 @@ "http://eprint.iacr.org/2006/136", "http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html", "http://isc.sans.edu/diary/SSL+TLS+part+3+/11635", + "http://linux.oracle.com/cve/CVE-2011-3389.html", + "http://linux.oracle.com/errata/ELSA-2011-1380.html", "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html", "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html", "http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html", @@ -12564,6 +12975,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Attack against RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.", "Severity": "MEDIUM", 
@@ -12598,6 +13010,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", @@ -12605,6 +13018,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -12713,11 +13128,14 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)", "Description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", "Severity": "MEDIUM", "References": [ "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759", + "http://linux.oracle.com/cve/CVE-2016-2183.html", + "http://linux.oracle.com/errata/ELSA-2018-2123.html", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "http://rhn.redhat.com/errata/RHSA-2017-0337.html", @@ -12750,6 +13168,7 @@ "https://access.redhat.com/errata/RHSA-2017:3240", "https://access.redhat.com/errata/RHSA-2018:2123", "https://access.redhat.com/errata/RHSA-2019:1245", + "https://access.redhat.com/errata/RHSA-2019:2859", "https://access.redhat.com/security/cve/cve-2016-2183", "https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/", "https://bto.bluecoat.com/security-advisory/sa133", 
@@ -12782,6 +13201,7 @@ "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008", "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.sigsac.org/ccs/CCS2016/accepted-papers/", "https://www.tenable.com/security/tns-2016-16", "https://www.tenable.com/security/tns-2016-20", 
@@ -12791,41 +13211,39 @@ ] }, { - "VulnerabilityID": "CVE-2017-3735", + "VulnerabilityID": "CVE-2018-0495", "PkgName": "openssl", "InstalledVersion": "1.0.1e-57.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "openssl: Malformed X.509 IPAdressFamily could cause OOB read", - "Description": "While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.", + "SeveritySource": "redhat", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", "Severity": "MEDIUM", "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", - "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", - "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/100515", - "http://www.securitytracker.com/id/1039726", + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", "https://access.redhat.com/errata/RHSA-2018:3505", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3735", - "https://github.com/openssl/openssl/commit/068b963bb7afc57f5bdd723de0dd15e7795d5822", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00011.html", - "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:11.openssl.asc", - "https://security.gentoo.org/glsa/201712-03", - "https://security.netapp.com/advisory/ntap-20170927-0001/", - "https://security.netapp.com/advisory/ntap-20171107-0002/", - "https://support.apple.com/HT208331", - "https://usn.ubuntu.com/3611-2/", - "https://www.debian.org/security/2017/dsa-4017", - "https://www.debian.org/security/2017/dsa-4018", - "https://www.openssl.org/news/secadv/20170828.txt", - "https://www.openssl.org/news/secadv/20171102.txt", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "https://www.tenable.com/security/tns-2017-14", - "https://www.tenable.com/security/tns-2017-15" + "https://access.redhat.com/errata/RHSA-2019:1296", + 
"https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, { @@ -12835,10 +13253,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang", "Description": "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0732.html", + "http://linux.oracle.com/errata/ELSA-2018-4249.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/104442", "http://www.securitytracker.com/id/1041090", 
@@ -12870,6 +13291,196 @@ "https://www.tenable.com/security/tns-2018-17" ] }, + { + "VulnerabilityID": "CVE-2018-0739", + "PkgName": "openssl", + "InstalledVersion": "1.0.1e-57.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service", + "Description": "Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0739.html", + "http://linux.oracle.com/errata/ELSA-2018-4228.html", + "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", + "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/103518", + "http://www.securityfocus.com/bid/105609", + "http://www.securitytracker.com/id/1040576", + "https://access.redhat.com/errata/RHSA-2018:3090", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:0366", + "https://access.redhat.com/errata/RHSA-2019:0367", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9310d45087ae546e27e61ddf8f6367f29848220d", + 
"https://lists.debian.org/debian-lts-announce/2018/03/msg00033.html", + "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/", + "https://security.gentoo.org/glsa/201811-21", + "https://security.netapp.com/advisory/ntap-20180330-0002/", + "https://security.netapp.com/advisory/ntap-20180726-0002/", + "https://securityadvisories.paloaltonetworks.com/Home/Detail/133", + "https://usn.ubuntu.com/3611-1/", + "https://usn.ubuntu.com/3611-2/", + "https://www.debian.org/security/2018/dsa-4157", + "https://www.debian.org/security/2018/dsa-4158", + "https://www.openssl.org/news/secadv/20180327.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "https://www.tenable.com/security/tns-2018-04", + "https://www.tenable.com/security/tns-2018-06", + "https://www.tenable.com/security/tns-2018-07" + ] + }, + { + "VulnerabilityID": "CVE-2018-5407", + "PkgName": "openssl", + "InstalledVersion": "1.0.1e-57.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)", + "Description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-5407.html", + "http://linux.oracle.com/errata/ELSA-2019-2125.html", + "http://www.securityfocus.com/bid/105897", + "https://access.redhat.com/errata/RHSA-2019:0483", + "https://access.redhat.com/errata/RHSA-2019:0651", + "https://access.redhat.com/errata/RHSA-2019:0652", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407", + "https://eprint.iacr.org/2018/1060.pdf", + "https://github.com/bbbrumley/portsmash", + 
"https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html", + "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", + "https://security.gentoo.org/glsa/201903-10", + "https://security.netapp.com/advisory/ntap-20181126-0001/", + "https://usn.ubuntu.com/3840-1/", + "https://www.debian.org/security/2018/dsa-4348", + "https://www.debian.org/security/2018/dsa-4355", + "https://www.exploit-db.com/exploits/45785/", + "https://www.openssl.org/news/secadv/20181112.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "https://www.tenable.com/security/tns-2018-16", + "https://www.tenable.com/security/tns-2018-17" + ] + }, + { + "VulnerabilityID": "CVE-2019-1559", + "PkgName": "openssl", + "InstalledVersion": "1.0.1e-57.el6", + "FixedVersion": "1.0.1e-58.el6_10", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "openssl: 0-byte record padding oracle", + "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. 
Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-1559.html", + "http://linux.oracle.com/errata/ELSA-2019-2471.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html", + "http://www.securityfocus.com/bid/107174", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e", + "https://github.com/RUB-NDS/TLS-Padding-Oracles", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html", + "https://security.gentoo.org/glsa/201903-10", + "https://security.netapp.com/advisory/ntap-20190301-0001/", + "https://security.netapp.com/advisory/ntap-20190301-0002/", + "https://security.netapp.com/advisory/ntap-20190423-0002/", + "https://support.f5.com/csp/article/K18549143", + "https://usn.ubuntu.com/3899-1/", + "https://www.debian.org/security/2019/dsa-4400", + "https://www.openssl.org/news/secadv/20190226.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.tenable.com/security/tns-2019-02", + "https://www.tenable.com/security/tns-2019-03" + ] + }, + { + "VulnerabilityID": "CVE-2011-1473", + "PkgName": "openssl", + "InstalledVersion": "1.0.1e-57.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + 
"SeveritySource": "redhat", + "Title": "openssl: DoS via repeated SSL session renegotiations", + "Description": "** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.", + "Severity": "LOW", + "References": [ + "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html", + "http://marc.info/?l=bugtraq\u0026m=133951357207000\u0026w=2", + "http://orchilles.com/2011/03/ssl-renegotiation-dos.html", + "http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html", + "http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07553.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07564.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07567.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07576.html", + "http://www.ietf.org/mail-archive/web/tls/current/msg07577.html", + "http://www.openwall.com/lists/oss-security/2011/07/08/2", + "https://bugzilla.redhat.com/show_bug.cgi?id=707065", + "https://lists.apache.org/thread.html/142b93d261e8ac7c5ceffdce848d622404abc1c286bbc999f43a9e10@%3Cdev.rocketmq.apache.org%3E" + ] + }, + { + "VulnerabilityID": "CVE-2017-3735", + "PkgName": "openssl", + "InstalledVersion": "1.0.1e-57.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "openssl: Malformed X.509 IPAdressFamily could cause OOB read", + "Description": "While parsing an 
IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2017-3735.html", + "http://linux.oracle.com/errata/ELSA-2018-3221.html", + "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", + "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", + "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/100515", + "http://www.securitytracker.com/id/1039726", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3735", + "https://github.com/openssl/openssl/commit/068b963bb7afc57f5bdd723de0dd15e7795d5822", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00011.html", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:11.openssl.asc", + "https://security.gentoo.org/glsa/201712-03", + "https://security.netapp.com/advisory/ntap-20170927-0001/", + "https://security.netapp.com/advisory/ntap-20171107-0002/", + "https://support.apple.com/HT208331", + "https://usn.ubuntu.com/3611-2/", + "https://www.debian.org/security/2017/dsa-4017", + "https://www.debian.org/security/2017/dsa-4018", + "https://www.openssl.org/news/secadv/20170828.txt", + "https://www.openssl.org/news/secadv/20171102.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "https://www.tenable.com/security/tns-2017-14", + "https://www.tenable.com/security/tns-2017-15" + ] + }, { "VulnerabilityID": 
"CVE-2018-0734", "PkgName": "openssl", @@ -12877,10 +13488,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "openssl: timing side channel attack in the DSA signature algorithm", "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0734.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html", "http://www.securityfocus.com/bid/105758", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734", @@ -12908,10 +13522,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "openssl: timing side channel attack in the ECDSA signature generation", "Description": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0735.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", "http://www.securityfocus.com/bid/105750", "http://www.securitytracker.com/id/1041986", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0735", 
@@ -12935,10 +13552,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys", "Description": "The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0737.html", + "http://linux.oracle.com/errata/ELSA-2018-4249.html", "http://www.openwall.com/lists/oss-security/2018/04/16/3", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/103766", 
@@ -12972,175 +13592,6 @@ "https://www.tenable.com/security/tns-2018-17" ] }, - { - "VulnerabilityID": "CVE-2018-0739", - "PkgName": "openssl", - "InstalledVersion": "1.0.1e-57.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service", - "Description": "Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", - "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/103518", - "http://www.securityfocus.com/bid/105609", - "http://www.securitytracker.com/id/1040576", - "https://access.redhat.com/errata/RHSA-2018:3090", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:0366", - "https://access.redhat.com/errata/RHSA-2019:0367", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9310d45087ae546e27e61ddf8f6367f29848220d", - "https://lists.debian.org/debian-lts-announce/2018/03/msg00033.html", - "https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/", - 
"https://security.gentoo.org/glsa/201811-21", - "https://security.netapp.com/advisory/ntap-20180330-0002/", - "https://security.netapp.com/advisory/ntap-20180726-0002/", - "https://securityadvisories.paloaltonetworks.com/Home/Detail/133", - "https://usn.ubuntu.com/3611-1/", - "https://usn.ubuntu.com/3611-2/", - "https://www.debian.org/security/2018/dsa-4157", - "https://www.debian.org/security/2018/dsa-4158", - "https://www.openssl.org/news/secadv/20180327.txt", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "https://www.tenable.com/security/tns-2018-04", - "https://www.tenable.com/security/tns-2018-06", - "https://www.tenable.com/security/tns-2018-07" - ] - }, - { - "VulnerabilityID": "CVE-2019-1559", - "PkgName": "openssl", - "InstalledVersion": "1.0.1e-57.el6", - "FixedVersion": "1.0.1e-58.el6_10", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "openssl: 0-byte record padding oracle", - "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). 
Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html", - "http://www.securityfocus.com/bid/107174", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e", - "https://github.com/RUB-NDS/TLS-Padding-Oracles", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282", - "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html", - "https://security.gentoo.org/glsa/201903-10", - "https://security.netapp.com/advisory/ntap-20190301-0001/", - "https://security.netapp.com/advisory/ntap-20190301-0002/", - "https://security.netapp.com/advisory/ntap-20190423-0002/", - "https://support.f5.com/csp/article/K18549143", - "https://usn.ubuntu.com/3899-1/", - "https://www.debian.org/security/2019/dsa-4400", - "https://www.openssl.org/news/secadv/20190226.txt", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "https://www.tenable.com/security/tns-2019-02", - "https://www.tenable.com/security/tns-2019-03" - ] - }, - { - "VulnerabilityID": "CVE-2018-0495", - "PkgName": "openssl", - "InstalledVersion": "1.0.1e-57.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the 
signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", - "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" - ] - }, - { - "VulnerabilityID": "CVE-2018-5407", - "PkgName": "openssl", - "InstalledVersion": "1.0.1e-57.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)", - "Description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.", - "Severity": "LOW", - "References": [ - 
"http://www.securityfocus.com/bid/105897", - "https://access.redhat.com/errata/RHSA-2019:0483", - "https://access.redhat.com/errata/RHSA-2019:0651", - "https://access.redhat.com/errata/RHSA-2019:0652", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407", - "https://eprint.iacr.org/2018/1060.pdf", - "https://github.com/bbbrumley/portsmash", - "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html", - "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", - "https://security.gentoo.org/glsa/201903-10", - "https://security.netapp.com/advisory/ntap-20181126-0001/", - "https://usn.ubuntu.com/3840-1/", - "https://www.debian.org/security/2018/dsa-4348", - "https://www.debian.org/security/2018/dsa-4355", - "https://www.exploit-db.com/exploits/45785/", - "https://www.openssl.org/news/secadv/20181112.txt", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", - "https://www.tenable.com/security/tns-2018-16", - "https://www.tenable.com/security/tns-2018-17" - ] - }, - { - "VulnerabilityID": "CVE-2013-7041", - "PkgName": "pam", - "InstalledVersion": "1.1.1-24.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pam: pam_userdb case insensitive password hash comparison", - "Description": "The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2013/12/09/16", - "http://www.openwall.com/lists/oss-security/2013/12/09/5", - "http://www.securityfocus.com/bid/64180", - "http://www.ubuntu.com/usn/USN-2935-1", - "http://www.ubuntu.com/usn/USN-2935-2", - 
"http://www.ubuntu.com/usn/USN-2935-3", - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731368", - "https://bugzilla.redhat.com/show_bug.cgi?id=1038555", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7041", - "https://security.gentoo.org/glsa/201605-05" - ] - }, { "VulnerabilityID": "CVE-2014-2583", "PkgName": "pam", @@ -13148,6 +13599,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pam: path traversal issue in pam_timestamp's format_timestamp_name()", "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function.", "Severity": "MEDIUM", 
@@ -13166,29 +13618,54 @@ ] }, { - "VulnerabilityID": "CVE-2015-8386", + "VulnerabilityID": "CVE-2013-7041", + "PkgName": "pam", + "InstalledVersion": "1.1.1-24.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "pam: pam_userdb case insensitive password hash comparison", + "Description": "The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2013/12/09/16", + "http://www.openwall.com/lists/oss-security/2013/12/09/5", + "http://www.securityfocus.com/bid/64180", + "http://www.ubuntu.com/usn/USN-2935-1", + "http://www.ubuntu.com/usn/USN-2935-2", + "http://www.ubuntu.com/usn/USN-2935-3", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731368", + "https://bugzilla.redhat.com/show_bug.cgi?id=1038555", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7041", + "https://security.gentoo.org/glsa/201605-05" + ] + }, + { + "VulnerabilityID": "CVE-2015-3217", "PkgName": "pcre", "InstalledVersion": "7.8-7.el6", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "pcre: Buffer overflow caused by lookbehind assertion (8.38/6)", - "Description": "PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "pcre: stack overflow caused by mishandled group empty match (8.38/11)", + "Description": "PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which 
might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/.", + "Severity": "MEDIUM", "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://linux.oracle.com/cve/CVE-2015-3217.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://vcs.pcre.org/pcre?view=revision\u0026revision=1566", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.openwall.com/lists/oss-security/2015/06/03/7", "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/82990", + "http://www.securityfocus.com/bid/75018", "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8386", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" + "https://bugs.exim.org/show_bug.cgi?id=1638", + "https://bugzilla.redhat.com/show_bug.cgi?id=1228283", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3217" ] }, { 
@@ -13198,9 +13675,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: Integer overflow in subroutine calls (8.38/8)", "Description": "PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", @@ -13219,9 +13697,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: uninitialized memory read triggered by malformed posix character class (8.38/22)", "Description": "PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -13240,9 +13719,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -13254,45 +13734,6 @@ "https://security.gentoo.org/glsa/201607-02" ] }, - { - "VulnerabilityID": "CVE-2017-11164", - "PkgName": "pcre", - "InstalledVersion": "7.8-7.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", - "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "Severity": "HIGH", - "References": [ - "http://openwall.com/lists/oss-security/2017/07/11/3", - "http://www.securityfocus.com/bid/99575" - ] - }, - { - "VulnerabilityID": "CVE-2015-3217", - "PkgName": "pcre", - "InstalledVersion": "7.8-7.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pcre: stack overflow caused by mishandled group empty match (8.38/11)", - "Description": "PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/.", - "Severity": "MEDIUM", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre?view=revision\u0026revision=1566", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.openwall.com/lists/oss-security/2015/06/03/7", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/75018", - "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bugs.exim.org/show_bug.cgi?id=1638", - "https://bugzilla.redhat.com/show_bug.cgi?id=1228283", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3217" - ] - }, { "VulnerabilityID": 
"CVE-2015-8382", "PkgName": "pcre", @@ -13300,9 +13741,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "php: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)", "Description": "The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.php.net/?p=php-src.git;a=commit;h=c351b47ce85a3a147cfa801fa9f0149ab4160834", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -13316,6 +13758,51 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8382" ] }, + { + "VulnerabilityID": "CVE-2015-8386", + "PkgName": "pcre", + "InstalledVersion": "7.8-7.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "pcre: Buffer overflow caused by lookbehind assertion (8.38/6)", + "Description": "PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2015-8386.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-2750.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/82990", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8386", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2017-11164", + "PkgName": "pcre", + "InstalledVersion": "7.8-7.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "pcre: OP_KETRMAX 
feature in the match function in pcre_exec.c", + "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2017/07/11/3", + "http://www.securityfocus.com/bid/99575" + ] + }, { "VulnerabilityID": "CVE-2017-7244", "PkgName": "pcre", @@ -13323,9 +13810,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)", "Description": "The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -13341,9 +13829,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -13358,9 +13847,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -13368,46 +13858,6 @@ "https://security.gentoo.org/glsa/201710-25" ] }, - { - "VulnerabilityID": "CVE-2017-16231", - "PkgName": "pcre", - "InstalledVersion": "7.8-7.el6", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", - "Description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", - "Severity": "LOW", - "References": [ - "http://packetstormsecurity.com/files/150897/PCRE-8.41-Buffer-Overflow.html", - "http://seclists.org/fulldisclosure/2018/Dec/33", - "http://www.openwall.com/lists/oss-security/2017/11/01/11", - "http://www.openwall.com/lists/oss-security/2017/11/01/3", - "http://www.openwall.com/lists/oss-security/2017/11/01/7", - "http://www.openwall.com/lists/oss-security/2017/11/01/8", - "http://www.securityfocus.com/bid/101688", - "https://bugs.exim.org/show_bug.cgi?id=2047" - ] - }, - { - "VulnerabilityID": "CVE-2018-1121", - "PkgName": "procps", - "InstalledVersion": "3.2.8-45.el6_9.3", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "procps-ng, procps: process hiding through race condition enumerating /proc", - "Description": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. 
An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.", - "Severity": "MEDIUM", - "References": [ - "http://seclists.org/oss-sec/2018/q2/122", - "http://www.securityfocus.com/bid/104214", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121", - "https://security.gentoo.org/glsa/201805-14", - "https://www.exploit-db.com/exploits/44806/", - "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" - ] - }, { "VulnerabilityID": "CVE-2018-1122", "PkgName": "procps", @@ -13415,10 +13865,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "procps-ng, procps: Local privilege escalation in top", "Description": "procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1122.html", + "http://linux.oracle.com/errata/ELSA-2019-2189.html", "http://seclists.org/oss-sec/2018/q2/122", "http://www.securityfocus.com/bid/104214", "https://access.redhat.com/errata/RHSA-2019:2189", 
@@ -13433,6 +13886,26 @@ "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" ] }, + { + "VulnerabilityID": "CVE-2018-1121", + "PkgName": "procps", + "InstalledVersion": "3.2.8-45.el6_9.3", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "procps-ng, procps: process hiding through race condition enumerating /proc", + "Description": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.", + "Severity": "LOW", + "References": [ + "http://seclists.org/oss-sec/2018/q2/122", + "http://www.securityfocus.com/bid/104214", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121", + "https://security.gentoo.org/glsa/201805-14", + "https://www.exploit-db.com/exploits/44806/", + "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" + ] + }, { "VulnerabilityID": "CVE-2018-1123", "PkgName": "procps", 
@@ -13440,9 +13913,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "procps-ng, procps: denial of service in ps via mmap buffer overflow", "Description": "procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maps a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://seclists.org/oss-sec/2018/q2/122", "http://www.securityfocus.com/bid/104214", @@ -13464,9 +13938,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "procps-ng, procps: stack buffer overflow in pgrep", "Description": "procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://seclists.org/oss-sec/2018/q2/122", "http://www.securityfocus.com/bid/104214", 
@@ -13479,300 +13954,6 @@ "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" ] }, - { - "VulnerabilityID": "CVE-2016-5636", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: Heap overflow in zipimporter module", - "Description": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", - "Severity": "CRITICAL", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-2586.html", - "http://www.openwall.com/lists/oss-security/2016/06/15/15", - "http://www.openwall.com/lists/oss-security/2016/06/16/1", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/91247", - "http://www.securitytracker.com/id/1038138", - "http://www.splunk.com/view/SP-CAAAPSV", - "http://www.splunk.com/view/SP-CAAAPUE", - "https://bugs.python.org/issue26171", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636", - "https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5", - "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2", - "https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS", - "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html", - "https://security.gentoo.org/glsa/201701-18" - ] - }, - { - "VulnerabilityID": "CVE-2017-1000158", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", - "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the 
PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", - "Severity": "HIGH", - "References": [ - "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", - "http://www.securitytracker.com/id/1039890", - "https://bugs.python.org/issue30657", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", - "https://security.gentoo.org/glsa/201805-02", - "https://www.debian.org/security/2018/dsa-4307" - ] - }, - { - "VulnerabilityID": "CVE-2010-3492", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python accept() implementation in async core is broken", - "Description": "The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.", - "Severity": "MEDIUM", - "References": [ - "http://bugs.python.org/issue6706", - "http://www.mandriva.com/security/advisories?name=MDVSA-2010:215", - "http://www.mandriva.com/security/advisories?name=MDVSA-2010:216", - "http://www.openwall.com/lists/oss-security/2010/09/09/6", - "http://www.openwall.com/lists/oss-security/2010/09/11/2", - "http://www.openwall.com/lists/oss-security/2010/09/22/3", - "http://www.openwall.com/lists/oss-security/2010/09/24/3", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3492", - "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12111" - ] - }, - { - "VulnerabilityID": "CVE-2011-0705", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "Python: SimpleHTTPServer class directory traversal flaw", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "MEDIUM" - }, - { - "VulnerabilityID": "CVE-2013-1664", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "Python xml bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities", - "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", - "Severity": "MEDIUM", - "References": [ - "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", - "http://bugs.python.org/issue17239", - "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html", - "http://rhn.redhat.com/errata/RHSA-2013-0657.html", - "http://rhn.redhat.com/errata/RHSA-2013-0658.html", - "http://rhn.redhat.com/errata/RHSA-2013-0670.html", - "http://ubuntu.com/usn/usn-1757-1", - "http://www.openwall.com/lists/oss-security/2013/02/19/2", - "http://www.openwall.com/lists/oss-security/2013/02/19/4", - "https://bugs.launchpad.net/nova/+bug/1100282", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1664" - ] - }, - { - "VulnerabilityID": "CVE-2013-1665", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities", - "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", - "Severity": "MEDIUM", - "References": [ - "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", - "http://bugs.python.org/issue17239", - "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html", - "http://rhn.redhat.com/errata/RHSA-2013-0657.html", - "http://rhn.redhat.com/errata/RHSA-2013-0658.html", - "http://rhn.redhat.com/errata/RHSA-2013-0670.html", - "http://ubuntu.com/usn/usn-1757-1", - "http://www.debian.org/security/2013/dsa-2634", - "http://www.openwall.com/lists/oss-security/2013/02/19/2", - "http://www.openwall.com/lists/oss-security/2013/02/19/4", - "https://bugs.launchpad.net/keystone/+bug/1100279", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1665" - ] - }, - { - "VulnerabilityID": "CVE-2013-7040", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: hash secret can be recovered remotely", - "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and 
makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", - "Severity": "MEDIUM", - "References": [ - "http://bugs.python.org/issue14621", - "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", - "http://www.openwall.com/lists/oss-security/2013/12/09/13", - "http://www.openwall.com/lists/oss-security/2013/12/09/3", - "http://www.securityfocus.com/bid/64194", - "https://support.apple.com/kb/HT205031" - ] - }, - { - "VulnerabilityID": "CVE-2014-9365", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: failure to validate certificates in the HTTP client with TLS (PEP 476)", - "Description": "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", - "Severity": "MEDIUM", - "References": [ - "http://bugs.python.org/issue22417", - "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", - "http://www.openwall.com/lists/oss-security/2014/12/11/1", - "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html", - "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html", - "http://www.securityfocus.com/bid/71639", - "https://access.redhat.com/errata/RHSA-2016:1166", - "https://access.redhat.com/errata/RHSA-2017:1162", - 
"https://access.redhat.com/errata/RHSA-2017:1868", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365", - "https://security.gentoo.org/glsa/201503-10", - "https://support.apple.com/kb/HT205031", - "https://www.python.org/dev/peps/pep-0476/", - "https://www.python.org/downloads/release/python-279/" - ] - }, - { - "VulnerabilityID": "CVE-2018-1000030", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", - "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. 
The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.python.org/issue31530", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", - "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", - "https://security.gentoo.org/glsa/201811-02", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0" - ] - }, - { - "VulnerabilityID": "CVE-2018-1060", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib", - "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. 
An attacker could use this flaw to cause denial of service.", - "Severity": "MEDIUM", - "References": [ - "http://www.securitytracker.com/id/1042001", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3041", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://bugs.python.org/issue32981", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1060", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060", - "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1", - "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final", - "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03951en_us", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.debian.org/security/2018/dsa-4306", - "https://www.debian.org/security/2018/dsa-4307" - ] - }, - { - "VulnerabilityID": "CVE-2018-1061", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib", - "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 
3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.", - "Severity": "MEDIUM", - "References": [ - "http://www.securitytracker.com/id/1042001", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3041", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://bugs.python.org/issue32981", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061", - "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1", - "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final", - "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03951en_us", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.debian.org/security/2018/dsa-4306", - "https://www.debian.org/security/2018/dsa-4307" - ] - }, - { - "VulnerabilityID": "CVE-2018-14647", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: Missing salt initialization in _elementtree.c 
module", - "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105396", - "http://www.securitytracker.com/id/1041740", - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://access.redhat.com/errata/RHSA-2019:2030", - "https://bugs.python.org/issue34623", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.debian.org/security/2018/dsa-4306", - "https://www.debian.org/security/2018/dsa-4307" - ] - }, { "VulnerabilityID": "CVE-2019-9636", "PkgName": "python", 
@@ -13781,10 +13962,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization", "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9636.html", + "http://linux.oracle.com/errata/ELSA-2019-1467.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html", "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html", 
@@ -13816,156 +14000,14 @@ "https://security.netapp.com/advisory/ntap-20190517-0001/" ] }, - { - "VulnerabilityID": "CVE-2019-9740", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: CRLF injection via the query part of the url passed to urlopen()", - "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/107466", - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://bugs.python.org/issue36276", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9947", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: CRLF injection via the path part of the url passed to urlopen()", - "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. 
This is similar to the CVE-2019-9740 query string issue.", - "Severity": "MEDIUM", - "References": [ - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://bugs.python.org/issue35906", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/", - "https://security.netapp.com/advisory/ntap-20190404-0004/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9948", - "PkgName": "python", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", - "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", - "http://www.securityfocus.com/bid/107549", - "https://bugs.python.org/issue35907", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948", - "https://github.com/python/cpython/pull/11842", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", - "https://security.netapp.com/advisory/ntap-20190404-0004/" - ] - }, - { - "VulnerabilityID": "CVE-2016-5636", - "PkgName": "python-libs", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: Heap overflow in zipimporter 
module", - "Description": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", - "Severity": "CRITICAL", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-2586.html", - "http://www.openwall.com/lists/oss-security/2016/06/15/15", - "http://www.openwall.com/lists/oss-security/2016/06/16/1", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/91247", - "http://www.securitytracker.com/id/1038138", - "http://www.splunk.com/view/SP-CAAAPSV", - "http://www.splunk.com/view/SP-CAAAPUE", - "https://bugs.python.org/issue26171", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636", - "https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5", - "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2", - "https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS", - "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html", - "https://security.gentoo.org/glsa/201701-18" - ] - }, - { - "VulnerabilityID": "CVE-2017-1000158", - "PkgName": "python-libs", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", - "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", - "Severity": "HIGH", - "References": [ - "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", - "http://www.securitytracker.com/id/1039890", - "https://bugs.python.org/issue30657", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", - "https://security.gentoo.org/glsa/201805-02", - "https://www.debian.org/security/2018/dsa-4307" - ] - }, - { - "VulnerabilityID": "CVE-2010-3492", - "PkgName": "python-libs", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "python accept() implementation in async core is broken", - "Description": "The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.", - "Severity": "MEDIUM", - "References": [ - "http://bugs.python.org/issue6706", - "http://www.mandriva.com/security/advisories?name=MDVSA-2010:215", - "http://www.mandriva.com/security/advisories?name=MDVSA-2010:216", - "http://www.openwall.com/lists/oss-security/2010/09/09/6", - "http://www.openwall.com/lists/oss-security/2010/09/11/2", - "http://www.openwall.com/lists/oss-security/2010/09/22/3", - "http://www.openwall.com/lists/oss-security/2010/09/24/3", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3492", - "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12111" - ] - }, - { - "VulnerabilityID": "CVE-2011-0705", - "PkgName": "python-libs", - "InstalledVersion": "2.6.6-66.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - 
"Title": "Python: SimpleHTTPServer class directory traversal flaw", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "MEDIUM" - }, { "VulnerabilityID": "CVE-2013-1664", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.6.6-66.el6_8", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "Python xml bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities", "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", "Severity": "MEDIUM", @@ -13985,11 +14027,12 @@ }, { "VulnerabilityID": "CVE-2013-1665", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.6.6-66.el6_8", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities", "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", "Severity": "MEDIUM", 
@@ -14010,11 +14053,12 @@ }, { "VulnerabilityID": "CVE-2013-7040", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.6.6-66.el6_8", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "python: hash secret can be recovered remotely", "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", "Severity": "MEDIUM", 
@@ -14029,16 +14073,19 @@ }, { "VulnerabilityID": "CVE-2014-9365", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.6.6-66.el6_8", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "python: failure to validate certificates in the HTTP client with TLS (PEP 476)", "Description": "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "Severity": "MEDIUM", "References": [ "http://bugs.python.org/issue22417", + "http://linux.oracle.com/cve/CVE-2014-9365.html", + "http://linux.oracle.com/errata/ELSA-2017-1868.html", "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", "http://www.openwall.com/lists/oss-security/2014/12/11/1", "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html", 
@@ -14055,70 +14102,43 @@
 ]
 },
 {
- "VulnerabilityID": "CVE-2018-1000030",
- "PkgName": "python-libs",
+ "VulnerabilityID": "CVE-2017-1000158",
+ "PkgName": "python",
 "InstalledVersion": "2.6.6-66.el6_8",
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
- "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c",
- "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.",
+ "SeveritySource": "redhat",
+ "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow",
+ "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)",
 "Severity": "MEDIUM",
 "References": [
- "https://bugs.python.org/issue31530",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030",
- "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view",
- "https://security.gentoo.org/glsa/201811-02",
- "https://usn.ubuntu.com/3817-1/",
- "https://usn.ubuntu.com/3817-2/",
- "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0"
- ]
- },
- {
- "VulnerabilityID": "CVE-2018-1060",
- "PkgName": "python-libs",
- "InstalledVersion": "2.6.6-66.el6_8",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib",
- "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.securitytracker.com/id/1042001",
- "https://access.redhat.com/errata/RHBA-2019:0327",
- "https://access.redhat.com/errata/RHSA-2018:3041",
- "https://access.redhat.com/errata/RHSA-2018:3505",
- "https://access.redhat.com/errata/RHSA-2019:1260",
- "https://bugs.python.org/issue32981",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1060",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060",
- "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1",
- "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final",
- "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1",
+ "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html",
+ "http://www.securitytracker.com/id/1039890",
+ "https://bugs.python.org/issue30657",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158",
+ "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html",
+ "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html",
 "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html",
 "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
- "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03951en_us",
- "https://usn.ubuntu.com/3817-1/",
- "https://usn.ubuntu.com/3817-2/",
- "https://www.debian.org/security/2018/dsa-4306",
+ "https://security.gentoo.org/glsa/201805-02",
 "https://www.debian.org/security/2018/dsa-4307"
 ]
 },
 {
 "VulnerabilityID": "CVE-2018-1061",
- "PkgName": "python-libs",
+ "PkgName": "python",
 "InstalledVersion": "2.6.6-66.el6_8",
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib",
 "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-1061.html",
+ "http://linux.oracle.com/errata/ELSA-2018-3041.html",
 "http://www.securitytracker.com/id/1042001",
 "https://access.redhat.com/errata/RHBA-2019:0327",
 "https://access.redhat.com/errata/RHSA-2018:3041",
@@ -14144,15 +14164,18 @@
 },
 {
 "VulnerabilityID": "CVE-2018-14647",
- "PkgName": "python-libs",
+ "PkgName": "python",
 "InstalledVersion": "2.6.6-66.el6_8",
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "python: Missing salt initialization in _elementtree.c module",
 "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-14647.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2030.html",
 "http://www.securityfocus.com/bid/105396",
 "http://www.securitytracker.com/id/1041740",
 "https://access.redhat.com/errata/RHSA-2019:1260",
@@ -14169,6 +14192,211 @@ "https://www.debian.org/security/2018/dsa-4307" ] }, + { + "VulnerabilityID": "CVE-2019-9740", + "PkgName": "python", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: CRLF injection via the query part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-9740.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "http://www.securityfocus.com/bid/107466", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://bugs.python.org/issue36276", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/" + ] + }, + { + "VulnerabilityID": "CVE-2019-9947", + "PkgName": "python", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: CRLF injection via the path part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. 
CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-9947.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://bugs.python.org/issue35906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/", + "https://security.netapp.com/advisory/ntap-20190404-0004/" + ] + }, + { + "VulnerabilityID": "CVE-2019-9948", + "PkgName": "python", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", + "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-9948.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", + "http://www.securityfocus.com/bid/107549", + "https://bugs.python.org/issue35907", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948", + "https://github.com/python/cpython/pull/11842", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://security.netapp.com/advisory/ntap-20190404-0004/" + ] + }, + { + "VulnerabilityID": "CVE-2010-3492", + "PkgName": "python", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python accept() implementation in async core is broken", + "Description": "The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.", + "Severity": "LOW", + "References": [ + "http://bugs.python.org/issue6706", + "http://www.mandriva.com/security/advisories?name=MDVSA-2010:215", + "http://www.mandriva.com/security/advisories?name=MDVSA-2010:216", + "http://www.openwall.com/lists/oss-security/2010/09/09/6", + "http://www.openwall.com/lists/oss-security/2010/09/11/2", + "http://www.openwall.com/lists/oss-security/2010/09/22/3", + "http://www.openwall.com/lists/oss-security/2010/09/24/3", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3492", + "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12111" + ] + }, + { + "VulnerabilityID": "CVE-2016-5636", + "PkgName": "python", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: Heap overflow in zipimporter module", + "Description": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) 
before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-5636.html", + "http://linux.oracle.com/errata/ELSA-2016-2586.html", + "http://rhn.redhat.com/errata/RHSA-2016-2586.html", + "http://www.openwall.com/lists/oss-security/2016/06/15/15", + "http://www.openwall.com/lists/oss-security/2016/06/16/1", + "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", + "http://www.securityfocus.com/bid/91247", + "http://www.securitytracker.com/id/1038138", + "http://www.splunk.com/view/SP-CAAAPSV", + "http://www.splunk.com/view/SP-CAAAPUE", + "https://bugs.python.org/issue26171", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636", + "https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5", + "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2", + "https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html", + "https://security.gentoo.org/glsa/201701-18" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000030", + "PkgName": "python", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", + "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. 
For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "Severity": "LOW", + "References": [ + "https://bugs.python.org/issue31530", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", + "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", + "https://security.gentoo.org/glsa/201811-02", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-1060", + "PkgName": "python", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib", + "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. 
An attacker could use this flaw to cause denial of service.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-1060.html", + "http://linux.oracle.com/errata/ELSA-2018-3041.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html", + "http://www.securitytracker.com/id/1042001", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3041", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://bugs.python.org/issue32981", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1060", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060", + "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1", + "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final", + "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/", + "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03951en_us", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.debian.org/security/2018/dsa-4306", + "https://www.debian.org/security/2018/dsa-4307", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-9674", + "PkgName": "python", + 
"InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py", + "Description": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue36260", + "https://bugs.python.org/issue36462", + "https://github.com/python/cpython/blob/master/Lib/zipfile.py", + "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb", + "https://security.netapp.com/advisory/ntap-20200221-0003/", + "https://www.python.org/news/security/" + ] + }, { "VulnerabilityID": "CVE-2019-9636", "PkgName": "python-libs", 
@@ -14177,10 +14405,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
 "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
- "Severity": "MEDIUM",
+ "Severity": "HIGH",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-9636.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1467.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html",
@@ -14212,6 +14443,198 @@ "https://security.netapp.com/advisory/ntap-20190517-0001/" ] }, + { + "VulnerabilityID": "CVE-2013-1664", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "Python xml bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities", + "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", + "Severity": "MEDIUM", + "References": [ + "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", + "http://bugs.python.org/issue17239", + "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html", + "http://rhn.redhat.com/errata/RHSA-2013-0657.html", + "http://rhn.redhat.com/errata/RHSA-2013-0658.html", + "http://rhn.redhat.com/errata/RHSA-2013-0670.html", + "http://ubuntu.com/usn/usn-1757-1", + "http://www.openwall.com/lists/oss-security/2013/02/19/2", + "http://www.openwall.com/lists/oss-security/2013/02/19/4", + "https://bugs.launchpad.net/nova/+bug/1100282", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1664" + ] + }, + { + "VulnerabilityID": "CVE-2013-1665", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities", + "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and 
Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", + "Severity": "MEDIUM", + "References": [ + "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", + "http://bugs.python.org/issue17239", + "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html", + "http://rhn.redhat.com/errata/RHSA-2013-0657.html", + "http://rhn.redhat.com/errata/RHSA-2013-0658.html", + "http://rhn.redhat.com/errata/RHSA-2013-0670.html", + "http://ubuntu.com/usn/usn-1757-1", + "http://www.debian.org/security/2013/dsa-2634", + "http://www.openwall.com/lists/oss-security/2013/02/19/2", + "http://www.openwall.com/lists/oss-security/2013/02/19/4", + "https://bugs.launchpad.net/keystone/+bug/1100279", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1665" + ] + }, + { + "VulnerabilityID": "CVE-2013-7040", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: hash secret can be recovered remotely", + "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "Severity": "MEDIUM", + "References": [ + "http://bugs.python.org/issue14621", + "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", + "http://www.openwall.com/lists/oss-security/2013/12/09/13", + "http://www.openwall.com/lists/oss-security/2013/12/09/3", + "http://www.securityfocus.com/bid/64194", + "https://support.apple.com/kb/HT205031" + ] + }, + { + "VulnerabilityID": "CVE-2014-9365", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: failure to validate certificates in the HTTP client with TLS (PEP 476)", + "Description": "The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "Severity": "MEDIUM", + "References": [ + "http://bugs.python.org/issue22417", + "http://linux.oracle.com/cve/CVE-2014-9365.html", + "http://linux.oracle.com/errata/ELSA-2017-1868.html", + "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", + "http://www.openwall.com/lists/oss-security/2014/12/11/1", + "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html", + "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html", + "http://www.securityfocus.com/bid/71639", + "https://access.redhat.com/errata/RHSA-2016:1166", + "https://access.redhat.com/errata/RHSA-2017:1162", + "https://access.redhat.com/errata/RHSA-2017:1868", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365", + "https://security.gentoo.org/glsa/201503-10", + "https://support.apple.com/kb/HT205031", + "https://www.python.org/dev/peps/pep-0476/", + "https://www.python.org/downloads/release/python-279/" + ] + }, + { + "VulnerabilityID": "CVE-2017-1000158", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", + "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", + "Severity": "MEDIUM", + "References": [ + "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", + "http://www.securitytracker.com/id/1039890", + "https://bugs.python.org/issue30657", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", + "https://security.gentoo.org/glsa/201805-02", + "https://www.debian.org/security/2018/dsa-4307" + ] + }, + { + "VulnerabilityID": "CVE-2018-1061", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib", + "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to 
catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-1061.html", + "http://linux.oracle.com/errata/ELSA-2018-3041.html", + "http://www.securitytracker.com/id/1042001", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3041", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://bugs.python.org/issue32981", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061", + "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1", + "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final", + "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/", + "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03951en_us", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.debian.org/security/2018/dsa-4306", + "https://www.debian.org/security/2018/dsa-4307" + ] + }, + { + "VulnerabilityID": "CVE-2018-14647", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": 
"sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: Missing salt initialization in _elementtree.c module", + "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-14647.html", + "http://linux.oracle.com/errata/ELSA-2019-2030.html", + "http://www.securityfocus.com/bid/105396", + "http://www.securitytracker.com/id/1041740", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://access.redhat.com/errata/RHSA-2019:2030", + "https://bugs.python.org/issue34623", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.debian.org/security/2018/dsa-4306", + "https://www.debian.org/security/2018/dsa-4307" + ] + }, { "VulnerabilityID": "CVE-2019-9740", "PkgName": "python-libs", 
@@ -14219,10 +14642,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "python: CRLF injection via the query part of the url passed to urlopen()",
 "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-9740.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3520.html",
 "http://www.securityfocus.com/bid/107466",
 "https://access.redhat.com/errata/RHSA-2019:1260",
 "https://bugs.python.org/issue36276",
@@ -14238,10 +14664,13 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "python: CRLF injection via the path part of the url passed to urlopen()",
 "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-9947.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3520.html",
 "https://access.redhat.com/errata/RHSA-2019:1260",
 "https://bugs.python.org/issue35906",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947",
@@ -14257,10 +14686,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9948.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", "http://www.securityfocus.com/bid/107549", 
@@ -14272,19 +14704,140 @@ ] }, { - "VulnerabilityID": "CVE-2016-7091", - "PkgName": "readline", - "InstalledVersion": "6.0-4.el6", + "VulnerabilityID": "CVE-2010-3492", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, - "Title": "sudo: Possible info leak via INPUTRC", - "Description": "sudo: It was discovered that the default sudo configuration on Red Hat Enterprise Linux and possibly other Linux implementations preserves the value of INPUTRC which could lead to information disclosure. A local user with sudo access to a restricted program that uses readline could use this flaw to read content from specially formatted files with elevated privileges provided by sudo.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "python accept() implementation in async core is broken", + "Description": "The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via network connections.", + "Severity": "LOW", "References": [ - "http://www.securityfocus.com/bid/92615", - "https://lists.gnu.org/archive/html/bug-readline/2016-05/msg00009.html", - "https://rhn.redhat.com/errata/RHSA-2016-2593.html" + "http://bugs.python.org/issue6706", + "http://www.mandriva.com/security/advisories?name=MDVSA-2010:215", + "http://www.mandriva.com/security/advisories?name=MDVSA-2010:216", + "http://www.openwall.com/lists/oss-security/2010/09/09/6", + "http://www.openwall.com/lists/oss-security/2010/09/11/2", + "http://www.openwall.com/lists/oss-security/2010/09/22/3", + "http://www.openwall.com/lists/oss-security/2010/09/24/3", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3492", + "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12111" + ] + }, + { + "VulnerabilityID": "CVE-2016-5636", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: Heap overflow in zipimporter module", + "Description": "Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-5636.html", + "http://linux.oracle.com/errata/ELSA-2016-2586.html", + "http://rhn.redhat.com/errata/RHSA-2016-2586.html", + "http://www.openwall.com/lists/oss-security/2016/06/15/15", + "http://www.openwall.com/lists/oss-security/2016/06/16/1", + "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", + "http://www.securityfocus.com/bid/91247", + "http://www.securitytracker.com/id/1038138", + "http://www.splunk.com/view/SP-CAAAPSV", + "http://www.splunk.com/view/SP-CAAAPUE", + "https://bugs.python.org/issue26171", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636", + "https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5", + "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2", + "https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html", + "https://security.gentoo.org/glsa/201701-18" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000030", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + 
"SeveritySource": "redhat", + "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", + "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "Severity": "LOW", + "References": [ + "https://bugs.python.org/issue31530", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", + "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", + "https://security.gentoo.org/glsa/201811-02", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-1060", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: DOS 
via regular expression catastrophic backtracking in apop() method in pop3lib", + "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-1060.html", + "http://linux.oracle.com/errata/ELSA-2018-3041.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html", + "http://www.securitytracker.com/id/1042001", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3041", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://bugs.python.org/issue32981", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1060", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060", + "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1", + "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final", + "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/", + "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03951en_us", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + 
"https://www.debian.org/security/2018/dsa-4306", + "https://www.debian.org/security/2018/dsa-4307", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-9674", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-66.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py", + "Description": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue36260", + "https://bugs.python.org/issue36462", + "https://github.com/python/cpython/blob/master/Lib/zipfile.py", + "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb", + "https://security.netapp.com/advisory/ntap-20200221-0003/", + "https://www.python.org/news/security/" ] }, { @@ -14294,6 +14847,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "readline: insecure temporary file use in _rl_tropen()", "Description": "The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file.", "Severity": "LOW", 
@@ -14310,6 +14864,25 @@ "https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135686.html" ] }, + { + "VulnerabilityID": "CVE-2016-7091", + "PkgName": "readline", + "InstalledVersion": "6.0-4.el6", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "sudo: Possible info leak via INPUTRC", + "Description": "sudo: It was discovered that the default sudo configuration on Red Hat Enterprise Linux and possibly other Linux implementations preserves the value of INPUTRC which could lead to information disclosure. A local user with sudo access to a restricted program that uses readline could use this flaw to read content from specially formatted files with elevated privileges provided by sudo.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-7091.html", + "http://linux.oracle.com/errata/ELSA-2016-2593.html", + "http://www.securityfocus.com/bid/92615", + "https://lists.gnu.org/archive/html/bug-readline/2016-05/msg00009.html", + "https://rhn.redhat.com/errata/RHSA-2016-2593.html" + ] + }, { "VulnerabilityID": "CVE-2017-7500", "PkgName": "rpm", 
@@ -14317,9 +14890,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation", "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500", "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9", @@ -14333,6 +14907,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation", "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.", "Severity": "MEDIUM", 
@@ -14348,9 +14923,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation", "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500", "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9", @@ -14364,6 +14940,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation", "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.", "Severity": "MEDIUM", 
@@ -14379,9 +14956,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation", "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500", "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9", @@ -14395,6 +14973,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation", "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.", "Severity": "MEDIUM", 
@@ -14410,10 +14989,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "setup: nologin listed in /etc/shells violates security expectations", "Description": "setup before version 2.11.4-1.fc28 in Fedora and Red Hat Enterprise Linux added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemons which allow access based on a user's shell being listed in /etc/shells. Under some circumstances, users which had their shell changed to /sbin/nologin could still access the system.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1113.html", + "http://linux.oracle.com/errata/ELSA-2018-3249.html", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3249", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1113" 
@@ -14426,9 +15008,62 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", - "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.", - "Severity": "LOW" + "Description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2013-4235", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", + "https://security-tracker.debian.org/tracker/CVE-2013-4235" + ] + }, + { + "VulnerabilityID": "CVE-2017-7000", + "PkgName": "sqlite", + "InstalledVersion": "3.6.20-1.el6_7.2", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "chromium-browser: pointer disclosure in sqlite", + "Description": "An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the \"SQLite\" component. 
It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/98767", + "http://www.securityfocus.com/bid/99950", + "https://access.redhat.com/errata/RHSA-2017:1833", + "https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7000", + "https://security.gentoo.org/glsa/201709-15", + "https://support.apple.com/HT207797", + "https://support.apple.com/HT207798", + "https://www.debian.org/security/2017/dsa-3926" + ] + }, + { + "VulnerabilityID": "CVE-2016-6153", + "PkgName": "sqlite", + "InstalledVersion": "3.6.20-1.el6_7.2", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "sqlite: Tempdir selection vulnerability", + "Description": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-updates/2016-08/msg00053.html", + "http://www.openwall.com/lists/oss-security/2016/07/01/1", + "http://www.openwall.com/lists/oss-security/2016/07/01/2", + "http://www.securityfocus.com/bid/91546", + "http://www.sqlite.org/cgi/src/info/67985761aa93fb61", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGQTH7V45QVHFDXJAEECHEO3HHD644WZ/", + "https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt", + "https://www.sqlite.org/releaselog/3_13_0.html", + 
"https://www.tenable.com/security/tns-2016-20" + ] }, { "VulnerabilityID": "CVE-2017-10989", @@ -14437,9 +15072,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "sqlite: Heap-buffer overflow in the getNodeSize function", "Description": "The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00050.html", "http://marc.info/?l=sqlite-users\u0026m=149933696214713\u0026w=2", 
@@ -14460,29 +15096,6 @@ "https://usn.ubuntu.com/4019-2/" ] }, - { - "VulnerabilityID": "CVE-2016-6153", - "PkgName": "sqlite", - "InstalledVersion": "3.6.20-1.el6_7.2", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "sqlite: Tempdir selection vulnerability", - "Description": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-updates/2016-08/msg00053.html", - "http://www.openwall.com/lists/oss-security/2016/07/01/1", - "http://www.openwall.com/lists/oss-security/2016/07/01/2", - "http://www.securityfocus.com/bid/91546", - "http://www.sqlite.org/cgi/src/info/67985761aa93fb61", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGQTH7V45QVHFDXJAEECHEO3HHD644WZ/", - "https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt", - "https://www.sqlite.org/releaselog/3_13_0.html", - "https://www.tenable.com/security/tns-2016-20" - ] - }, { "VulnerabilityID": "CVE-2017-13685", "PkgName": "sqlite", 
@@ -14490,9 +15103,10 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "sqlite: Local DoS via dump_callback function", "Description": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg105314.html", "http://www.securityfocus.com/bid/100521", 
@@ -14506,37 +15120,16 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "sqlite: NULL pointer dereference in tableColumnList", "Description": "SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15286", "https://github.com/Ha0Team/crash-of-sqlite3/blob/master/poc.md" ] }, - { - "VulnerabilityID": "CVE-2017-7000", - "PkgName": "sqlite", - "InstalledVersion": "3.6.20-1.el6_7.2", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "chromium-browser: pointer disclosure in sqlite", - "Description": "An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the \"SQLite\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98767", - "http://www.securityfocus.com/bid/99950", - "https://access.redhat.com/errata/RHSA-2017:1833", - "https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7000", - "https://security.gentoo.org/glsa/201709-15", - "https://support.apple.com/HT207797", - "https://support.apple.com/HT207798", - "https://www.debian.org/security/2017/dsa-3926" - ] - }, { "VulnerabilityID": "CVE-2016-6321", "PkgName": "tar", 
@@ -14544,6 +15137,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "tar: Bypassing the extract path name", "Description": "Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.", "Severity": "MEDIUM", @@ -14562,23 +15156,6 @@ "https://sintonen.fi/advisories/tar-extract-pathname-bypass.txt" ] }, - { - "VulnerabilityID": "CVE-2019-9923", - "PkgName": "tar", - "InstalledVersion": "2:1.23-15.el6_8", - "Layer": { - "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" - }, - "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", - "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", - "Severity": "MEDIUM", - "References": [ - "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", - "http://savannah.gnu.org/bugs/?55369", - "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" - ] - }, { "VulnerabilityID": "CVE-2018-20482", "PkgName": "tar", 
@@ -14586,6 +15163,7 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "tar: Infinite read loop in sparse_dump_region function in sparse.c", "Description": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).", "Severity": "LOW", @@ -14602,6 +15180,24 @@ "https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug" ] }, + { + "VulnerabilityID": "CVE-2019-9923", + "PkgName": "tar", + "InstalledVersion": "2:1.23-15.el6_8", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", + "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", + "Severity": "LOW", + "References": [ + "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", + "http://savannah.gnu.org/bugs/?55369", + "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" + ] + }, { "VulnerabilityID": "CVE-2019-12735", "PkgName": "vim-minimal", 
@@ -14610,10 +15206,13 @@ "Layer": { "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" }, + "SeveritySource": "redhat", "Title": "vim/neovim: ':source!' command allows arbitrary command execution via modelines", "Description": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.", - "Severity": "CRITICAL", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-12735.html", + "http://linux.oracle.com/errata/ELSA-2019-1774.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html", 
@@ -14631,6 +15230,60 @@ "https://www.debian.org/security/2019/dsa-4467" ] }, + { + "VulnerabilityID": "CVE-2017-1000382", + "PkgName": "vim-minimal", + "InstalledVersion": "2:7.4.629-5.el6_8.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "vim: Ignores umask when creating a swap file", + "Description": "VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.", + "Severity": "LOW", + "References": [ + "http://security.cucumberlinux.com/security/details.php?id=120", + "http://www.openwall.com/lists/oss-security/2017/10/31/1" + ] + }, + { + "VulnerabilityID": "CVE-2017-11109", + "PkgName": "vim-minimal", + "InstalledVersion": "2:7.4.629-5.el6_8.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "vim: Use-after-free via crafted file", + "Description": "Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. 
NOTE: there might be a limited number of scenarios in which this has security relevance.", + "Severity": "LOW", + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1468492", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11109", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11109.html" + ] + }, + { + "VulnerabilityID": "CVE-2017-17087", + "PkgName": "vim-minimal", + "InstalledVersion": "2:7.4.629-5.el6_8.1", + "Layer": { + "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9" + }, + "SeveritySource": "redhat", + "Title": "vim: Sets the group ownership of a .swp file to the editor's primary group", + "Description": "fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2017/11/27/2", + "http://security.cucumberlinux.com/security/details.php?id=166", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17087", + "https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8", + "https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html" + ] + }, { "VulnerabilityID": "CVE-2017-5953", "PkgName": "vim-minimal", 
@@ -14638,9 +15291,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "vim: Tree length values not validated properly when handling a spell file",
 "Description": "vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.",
- "Severity": "HIGH",
+ "Severity": "LOW",
 "References": [
 "http://www.debian.org/security/2017/dsa-3786",
 "http://www.securityfocus.com/bid/96217",
@@ -14658,9 +15312,10 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "vim: Integer overflow at an unserialize_uep memory allocation site",
 "Description": "An integer overflow at an unserialize_uep memory allocation site would occur for vim before patch 8.0.0378, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.",
- "Severity": "HIGH",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/96448",
 "http://www.securitytracker.com/id/1037949",
@@ -14671,57 +15326,6 @@
 "https://security.gentoo.org/glsa/201706-26"
 ]
 },
- {
- "VulnerabilityID": "CVE-2017-11109",
- "PkgName": "vim-minimal",
- "InstalledVersion": "2:7.4.629-5.el6_8.1",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "vim: Use-after-free via crafted file",
- "Description": "Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. NOTE: there might be a limited number of scenarios in which this has security relevance.",
- "Severity": "MEDIUM",
- "References": [
- "https://bugzilla.redhat.com/show_bug.cgi?id=1468492",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11109",
- "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html",
- "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11109.html"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-1000382",
- "PkgName": "vim-minimal",
- "InstalledVersion": "2:7.4.629-5.el6_8.1",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "vim: Ignores umask when creating a swap file",
- "Description": "VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.",
- "Severity": "LOW",
- "References": [
- "http://security.cucumberlinux.com/security/details.php?id=120",
- "http://www.openwall.com/lists/oss-security/2017/10/31/1"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-17087",
- "PkgName": "vim-minimal",
- "InstalledVersion": "2:7.4.629-5.el6_8.1",
- "Layer": {
- "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
- },
- "Title": "vim: Sets the group ownership of a .swp file to the editor's primary group",
- "Description": "fileio.c in Vim 
prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.",
- "Severity": "LOW",
- "References": [
- "http://openwall.com/lists/oss-security/2017/11/27/2",
- "http://security.cucumberlinux.com/security/details.php?id=166",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17087",
- "https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8",
- "https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ",
- "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"
- ]
- },
 {
 "VulnerabilityID": "CVE-2015-4035",
 "PkgName": "xz-libs",
@@ -14729,6 +15333,7 @@
 "Layer": {
 "DiffID": "sha256:af6bf1987c2eb07d73f33836b0d8fd825d7c785273526b077e46780e8b4b2ae9"
 },
+ "SeveritySource": "redhat",
 "Title": "xzgrep: incorrect parsing of filenames containing a semicolon",
 "Description": "scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.",
 "Severity": "MEDIUM",
diff --git a/integration/testdata/centos-7-critical.json.golden b/integration/testdata/centos-7-critical.json.golden
deleted file mode 100644
index f83ddfb694..0000000000
--- a/integration/testdata/centos-7-critical.json.golden
+++ /dev/null
@@ -1,162 +0,0 @@
-[
- {
- "Target": "testdata/fixtures/centos-7.tar.gz (centos 7.6.1810)",
- "Vulnerabilities": [
- {
- "VulnerabilityID": "CVE-2018-14618",
- "PkgName": "curl",
- "InstalledVersion": "7.29.0-51.el7",
- "FixedVersion": "7.29.0-51.el7_6.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "curl: NTLM password overflow via integer overflow",
- "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. 
(This bug is almost identical to CVE-2017-8816.)",
- "Severity": "CRITICAL",
- "References": [
- "http://www.securitytracker.com/id/1041605",
- "https://access.redhat.com/errata/RHSA-2018:3558",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618",
- "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf",
- "https://curl.haxx.se/docs/CVE-2018-14618.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618",
- "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014",
- "https://security.gentoo.org/glsa/201903-03",
- "https://usn.ubuntu.com/3765-1/",
- "https://usn.ubuntu.com/3765-2/",
- "https://www.debian.org/security/2018/dsa-4286"
- ]
- },
- {
- "VulnerabilityID": "CVE-2018-14618",
- "PkgName": "libcurl",
- "InstalledVersion": "7.29.0-51.el7",
- "FixedVersion": "7.29.0-51.el7_6.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "curl: NTLM password overflow via integer overflow",
- "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. 
(This bug is almost identical to CVE-2017-8816.)",
- "Severity": "CRITICAL",
- "References": [
- "http://www.securitytracker.com/id/1041605",
- "https://access.redhat.com/errata/RHSA-2018:3558",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618",
- "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf",
- "https://curl.haxx.se/docs/CVE-2018-14618.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618",
- "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014",
- "https://security.gentoo.org/glsa/201903-03",
- "https://usn.ubuntu.com/3765-1/",
- "https://usn.ubuntu.com/3765-2/",
- "https://www.debian.org/security/2018/dsa-4286"
- ]
- },
- {
- "VulnerabilityID": "CVE-2019-3855",
- "PkgName": "libssh2",
- "InstalledVersion": "1.4.3-12.el7",
- "FixedVersion": "1.4.3-12.el7_6.2",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libssh2: Integer overflow in transport read resulting in out of bounds write",
- "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. 
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
- "Severity": "CRITICAL",
- "References": [
- "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
- "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
- "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
- "http://www.openwall.com/lists/oss-security/2019/03/18/3",
- "http://www.securityfocus.com/bid/107485",
- "https://access.redhat.com/errata/RHSA-2019:0679",
- "https://access.redhat.com/errata/RHSA-2019:1175",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3855",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855",
- "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/",
- "https://seclists.org/bugtraq/2019/Apr/25",
- "https://seclists.org/bugtraq/2019/Mar/25",
- "https://security.netapp.com/advisory/ntap-20190327-0005/",
- "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767",
- "https://www.debian.org/security/2019/dsa-4431",
- "https://www.libssh2.org/CVE-2019-3855.html"
- ]
- },
- {
- "VulnerabilityID": "CVE-2018-15686",
- "PkgName": "systemd",
- "InstalledVersion": "219-62.el7_6.5",
- "FixedVersion": "219-67.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec",
- "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. 
This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.",
- "Severity": "CRITICAL",
- "References": [
- "http://www.securityfocus.com/bid/105747",
- "https://access.redhat.com/errata/RHSA-2019:2091",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686",
- "https://github.com/systemd/systemd/pull/10519",
- "https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html",
- "https://security.gentoo.org/glsa/201810-10",
- "https://usn.ubuntu.com/3816-1/",
- "https://www.exploit-db.com/exploits/45714/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2018-15686",
- "PkgName": "systemd-libs",
- "InstalledVersion": "219-62.el7_6.5",
- "FixedVersion": "219-67.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec",
- "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
Affected releases are systemd versions up to and including 239.",
- "Severity": "CRITICAL",
- "References": [
- "http://www.securityfocus.com/bid/105747",
- "https://access.redhat.com/errata/RHSA-2019:2091",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686",
- "https://github.com/systemd/systemd/pull/10519",
- "https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html",
- "https://security.gentoo.org/glsa/201810-10",
- "https://usn.ubuntu.com/3816-1/",
- "https://www.exploit-db.com/exploits/45714/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2019-12735",
- "PkgName": "vim-minimal",
- "InstalledVersion": "2:7.4.160-5.el7",
- "FixedVersion": "2:7.4.160-6.el7_6",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "vim/neovim: ':source!' command allows arbitrary command execution via modelines",
- "Description": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! 
command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.",
- "Severity": "CRITICAL",
- "References": [
- "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html",
- "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html",
- "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html",
- "http://www.securityfocus.com/bid/108724",
- "https://bugs.debian.org/930020",
- "https://bugs.debian.org/930024",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735",
- "https://github.com/neovim/neovim/pull/10082",
- "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md",
- "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/",
- "https://usn.ubuntu.com/4016-1/",
- "https://usn.ubuntu.com/4016-2/",
- "https://www.debian.org/security/2019/dsa-4467"
- ]
- }
- ]
- }
-]
\ No newline at end of file
diff --git a/integration/testdata/centos-7-ignore-unfixed.json.golden b/integration/testdata/centos-7-ignore-unfixed.json.golden
index 4c53ef69af..24a5f49e5a 100644
--- a/integration/testdata/centos-7-ignore-unfixed.json.golden
+++ b/integration/testdata/centos-7-ignore-unfixed.json.golden
@@ -1,6 +1,7 @@
 [
 {
 "Target": "testdata/fixtures/centos-7.tar.gz (centos 7.6.1810)",
+ "Type": "centos",
 "Vulnerabilities": [
 {
 "VulnerabilityID": "CVE-2018-5743",
@@ -10,12 +11,17 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "bind: Limiting simultaneous TCP clients is ineffective",
 "Description": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.6, 9.12.0 -\u003e 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -\u003e 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -\u003e 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.",
 "Severity": "HIGH",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-5743.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1492.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743",
- "https://kb.isc.org/docs/cve-2018-5743"
+ "https://kb.isc.org/docs/cve-2018-5743",
+ "https://support.f5.com/csp/article/K74009656?utm_source=f5support\u0026amp;utm_medium=RSS",
+ "https://www.synology.com/security/advisory/Synology_SA_19_20"
 ]
 },
 {
@@ -26,10 +32,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies",
 "Description": "To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-5741.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2057.html",
 "http://www.securityfocus.com/bid/105379",
 "http://www.securitytracker.com/id/1041674",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741",
@@ -46,10 +55,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "binutils: integer overflow leads to heap-based buffer overflow in objdump",
 "Description": "binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-1000876.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2075.html",
 "http://www.securityfocus.com/bid/106304",
 "https://access.redhat.com/errata/RHSA-2019:2075",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23994",
@@ -64,10 +76,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "binutils: Stack Exhaustion in the demangling functions provided by libiberty",
 "Description": "An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-12641.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2075.html",
 "https://access.redhat.com/errata/RHSA-2019:2075",
 "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763099",
 "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452",
@@ -83,10 +98,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "binutils: NULL pointer dereference in work_stuff_copy_to_from in cplus-dem.c.",
 "Description": "A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-12697.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2075.html",
 "http://www.securityfocus.com/bid/104538",
 "https://access.redhat.com/errata/RHSA-2019:2075",
 "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102",
@@ -103,10 +121,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: NTLM password overflow via integer overflow",
 "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
- "Severity": "CRITICAL",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-14618.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1880.html",
 "http://www.securitytracker.com/id/1041605",
 "https://access.redhat.com/errata/RHSA-2018:3558",
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618",
@@ -128,10 +149,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting",
 "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16842.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2181.html",
 "http://www.securitytracker.com/id/1042014",
 "https://access.redhat.com/errata/RHSA-2019:2181",
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842",
@@ -145,23 +169,6 @@
 "https://www.debian.org/security/2018/dsa-4331"
 ]
 },
- {
- "VulnerabilityID": "CVE-2018-16402",
- "PkgName": "elfutils-default-yama-scope",
- "InstalledVersion": "0.172-2.el7",
- "FixedVersion": "0.176-2.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
- "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
- "Severity": "HIGH",
- "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=23528",
- "https://usn.ubuntu.com/4012-1/"
- ]
- },
 {
 "VulnerabilityID": "CVE-2018-16062",
 "PkgName": "elfutils-default-yama-scope",
@@ -170,10 +177,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file",
 "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16062.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062",
@@ -183,6 +193,26 @@
 "https://usn.ubuntu.com/4012-1/"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2018-16402",
+ "PkgName": "elfutils-default-yama-scope",
+ "InstalledVersion": "0.172-2.el7",
+ "FixedVersion": "0.176-2.el7",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
+ "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
+ "Severity": "LOW",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16402.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=23528",
+ "https://usn.ubuntu.com/4012-1/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2018-16403",
 "PkgName": "elfutils-default-yama-scope",
@@ -191,10 +221,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash",
 "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16403.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403",
@@ -211,10 +244,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl",
 "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18310.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23752",
@@ -230,10 +266,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: eu-size cannot handle recursive ar files",
 "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18520.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23787",
@@ -249,10 +288,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c",
 "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18521.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23786",
@@ -268,10 +310,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw",
 "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7149.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24102",
@@ -287,10 +332,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c",
 "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7150.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24103",
@@ -306,10 +354,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h",
 "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7664.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24084"
@@ -323,10 +374,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c",
 "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7665.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24089",
@@ -334,23 +388,6 @@
 "https://usn.ubuntu.com/4012-1/"
 ]
 },
- {
- "VulnerabilityID": "CVE-2018-16402",
- "PkgName": "elfutils-libelf",
- "InstalledVersion": "0.172-2.el7",
- "FixedVersion": "0.176-2.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
- "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
- "Severity": "HIGH",
- "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=23528",
- "https://usn.ubuntu.com/4012-1/"
- ]
- },
 {
 "VulnerabilityID": "CVE-2018-16062",
 "PkgName": "elfutils-libelf",
@@ -359,10 +396,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file",
 "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16062.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062",
@@ -372,6 +412,26 @@
 "https://usn.ubuntu.com/4012-1/"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2018-16402",
+ "PkgName": "elfutils-libelf",
+ "InstalledVersion": "0.172-2.el7",
+ "FixedVersion": "0.176-2.el7",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
+ "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
+ "Severity": "LOW",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16402.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=23528",
+ "https://usn.ubuntu.com/4012-1/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2018-16403",
 "PkgName": "elfutils-libelf",
@@ -380,10 +440,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash",
 "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16403.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403",
@@ -400,10 +463,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl",
 "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18310.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23752",
@@ -419,10 +485,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: eu-size cannot handle recursive ar files",
 "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18520.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23787",
@@ -438,10 +507,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c",
 "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18521.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23786",
@@ -457,10 +529,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw",
 "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7149.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24102",
@@ -476,10 +551,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c",
 "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7150.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24103",
@@ -495,10 +573,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h",
 "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7664.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24084"
@@ -512,10 +593,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c",
 "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7665.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24089",
@@ -523,23 +607,6 @@
 "https://usn.ubuntu.com/4012-1/"
 ]
 },
- {
- "VulnerabilityID": "CVE-2018-16402",
- "PkgName": "elfutils-libs",
- "InstalledVersion": "0.172-2.el7",
- "FixedVersion": "0.176-2.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
- "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
- "Severity": "HIGH",
- "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=23528",
- "https://usn.ubuntu.com/4012-1/"
- ]
- },
 {
 "VulnerabilityID": "CVE-2018-16062",
 "PkgName": "elfutils-libs",
@@ -548,10 +615,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file",
 "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16062.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062",
@@ -561,6 +631,26 @@
 "https://usn.ubuntu.com/4012-1/"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2018-16402",
+ "PkgName": "elfutils-libs",
+ "InstalledVersion": "0.172-2.el7",
+ "FixedVersion": "0.176-2.el7",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
+ "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
+ "Severity": "LOW",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16402.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=23528",
+ "https://usn.ubuntu.com/4012-1/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2018-16403",
 "PkgName": "elfutils-libs",
@@ -569,10 +659,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash",
 "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16403.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403",
@@ -589,10 +682,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl",
 "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18310.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23752",
@@ -608,10 +704,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: eu-size cannot handle recursive ar files",
 "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18520.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23787",
@@ -627,10 +726,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c",
 "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18521.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23786",
@@ -646,10 +748,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw",
 "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7149.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24102",
@@ -665,10 +770,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c",
 "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7150.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24103",
@@ -684,10 +792,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h",
 "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7664.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24084"
@@ -701,10 +812,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c",
 "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7665.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24089",
@@ -720,10 +834,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
 "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-10739.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3513.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
 "http://www.securityfocus.com/bid/106672",
 "https://access.redhat.com/errata/RHSA-2019:2118",
@@ -740,10 +857,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
 "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-10739.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3513.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
 "http://www.securityfocus.com/bid/106672",
 "https://access.redhat.com/errata/RHSA-2019:2118",
@@ -760,10 +880,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: NTLM password overflow via integer overflow",
 "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
- "Severity": "CRITICAL",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-14618.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1880.html",
 "http://www.securitytracker.com/id/1041605",
 "https://access.redhat.com/errata/RHSA-2018:3558",
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618",
@@ -785,10 +908,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting",
 "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16842.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2181.html",
 "http://www.securitytracker.com/id/1042014",
 "https://access.redhat.com/errata/RHSA-2019:2181",
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842",
@@ -810,10 +936,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "libssh2: Integer overflow in transport read resulting in out of bounds write",
 "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
- "Severity": "CRITICAL",
+ "Severity": "HIGH",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-3855.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1652.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
 "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
@@ -842,10 +971,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write",
 "Description": "An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
- "Severity": "MEDIUM",
+ "Severity": "HIGH",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-3856.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1652.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
 "https://access.redhat.com/errata/RHSA-2019:0679",
@@ -868,10 +1000,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write",
 "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
- "Severity": "MEDIUM",
+ "Severity": "HIGH",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-3857.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1652.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
 "https://access.redhat.com/errata/RHSA-2019:0679",
@@ -886,6 +1021,35 @@
 "https://www.libssh2.org/CVE-2019-3857.html"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-3863",
+ "PkgName": "libssh2",
+ "InstalledVersion": "1.4.3-12.el7",
+ "FixedVersion": "1.4.3-12.el7_6.2",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes",
+ "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.",
+ "Severity": "HIGH",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2019-3863.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1652.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
+ "https://access.redhat.com/errata/RHSA-2019:0679",
+ "https://access.redhat.com/errata/RHSA-2019:1175",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863",
+ "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
+ "https://seclists.org/bugtraq/2019/Apr/25",
+ "https://security.netapp.com/advisory/ntap-20190327-0005/",
+ "https://www.debian.org/security/2019/dsa-4431",
+ "https://www.libssh2.org/CVE-2019-3863.html"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2019-3858",
 "PkgName": "libssh2",
@@ -894,10 +1058,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read",
 "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-3858.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2136.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
 "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
@@ -924,10 +1091,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "libssh2: Out-of-bounds reads with specially crafted SSH packets",
 "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-3861.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2136.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3861",
@@ -948,10 +1118,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request",
 "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-3862.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4693.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
 "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
@@ -971,29 +1144,40 @@ ] }, { - "VulnerabilityID": "CVE-2019-3863", - "PkgName": "libssh2", - "InstalledVersion": "1.4.3-12.el7", - "FixedVersion": "1.4.3-12.el7_6.2", + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nspr", + "InstalledVersion": "4.19.0-1.el7_5", + "FixedVersion": "4.21.0-1.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes", - "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.", + "SeveritySource": "redhat", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", - "https://access.redhat.com/errata/RHSA-2019:0679", - "https://access.redhat.com/errata/RHSA-2019:1175", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863", - "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", - "https://seclists.org/bugtraq/2019/Apr/25", - "https://security.netapp.com/advisory/ntap-20190327-0005/", - "https://www.debian.org/security/2019/dsa-4431", - "https://www.libssh2.org/CVE-2019-3863.html" + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + 
"https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, { @@ -1004,10 +1188,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -1015,17 +1202,48 @@ ] }, { - "VulnerabilityID": "CVE-2018-0495", - "PkgName": "nspr", - "InstalledVersion": "4.19.0-1.el7_5", - "FixedVersion": "4.21.0-1.el7", + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", @@ -1056,10 +1274,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -1067,17 +1288,74 @@ ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11729", "PkgName": "nss", "InstalledVersion": "3.36.0-7.1.el7_6", - "FixedVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-8.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with 
data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-5.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", @@ -1108,10 +1386,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -1119,17 +1400,74 @@ ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11729", "PkgName": "nss-softokn", "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-8.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-8.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than 
the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.el7_5", "FixedVersion": "3.44.0-5.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", @@ -1160,10 +1498,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -1171,17 +1512,74 @@ ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11729", "PkgName": "nss-softokn-freebl", "InstalledVersion": "3.36.0-5.el7_5", - "FixedVersion": "3.44.0-5.el7", + "FixedVersion": "3.44.0-8.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate 
was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", @@ -1212,10 +1610,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -1223,17 +1624,74 @@ ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11729", "PkgName": "nss-sysinit", "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the 
block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", "FixedVersion": "3.44.0-4.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", @@ -1264,10 +1722,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -1275,17 +1736,74 @@ ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11729", "PkgName": "nss-tools", "InstalledVersion": "3.36.0-7.1.el7_6", - "FixedVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-util", + "InstalledVersion": "3.36.0-1.1.el7_6", + "FixedVersion": "3.44.0-4.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made 
with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-util", + "InstalledVersion": "3.36.0-1.1.el7_6", + "FixedVersion": "3.44.0-3.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", @@ -1316,10 +1834,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -1327,67 +1848,65 @@ ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11729", "PkgName": "nss-util", "InstalledVersion": "3.36.0-1.1.el7_6", - "FixedVersion": "3.44.0-3.el7", + "FixedVersion": "3.44.0-4.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" ] }, { - 
"VulnerabilityID": "CVE-2018-0734", + "VulnerabilityID": "CVE-2018-5407", "PkgName": "openssl-libs", "InstalledVersion": "1:1.0.2k-16.el7", - "FixedVersion": "1:1.0.2k-19.el7", + "FixedVersion": "1:1.0.2k-16.el7_6.1", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "openssl: timing side channel attack in the DSA signature algorithm", - "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", + "SeveritySource": "redhat", + "Title": "openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)", + "Description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.", "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html", - "http://www.securityfocus.com/bid/105758", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7", + "http://linux.oracle.com/cve/CVE-2018-5407.html", + "http://linux.oracle.com/errata/ELSA-2019-2125.html", + "http://www.securityfocus.com/bid/105897", + "https://access.redhat.com/errata/RHSA-2019:0483", + "https://access.redhat.com/errata/RHSA-2019:0651", + "https://access.redhat.com/errata/RHSA-2019:0652", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407", + 
"https://eprint.iacr.org/2018/1060.pdf", + "https://github.com/bbbrumley/portsmash", + "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html", "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", - "https://security.netapp.com/advisory/ntap-20181105-0002/", - "https://security.netapp.com/advisory/ntap-20190118-0002/", - "https://security.netapp.com/advisory/ntap-20190423-0002/", + "https://security.gentoo.org/glsa/201903-10", + "https://security.netapp.com/advisory/ntap-20181126-0001/", "https://usn.ubuntu.com/3840-1/", "https://www.debian.org/security/2018/dsa-4348", "https://www.debian.org/security/2018/dsa-4355", - "https://www.openssl.org/news/secadv/20181030.txt", + "https://www.exploit-db.com/exploits/45785/", + "https://www.openssl.org/news/secadv/20181112.txt", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.tenable.com/security/tns-2018-16", "https://www.tenable.com/security/tns-2018-17" ] 
@@ -1400,10 +1919,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "openssl: 0-byte record padding oracle", "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-1559.html", + "http://linux.oracle.com/errata/ELSA-2019-2471.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html", 
@@ -1429,36 +1951,36 @@ ] }, { - "VulnerabilityID": "CVE-2018-5407", + "VulnerabilityID": "CVE-2018-0734", "PkgName": "openssl-libs", "InstalledVersion": "1:1.0.2k-16.el7", - "FixedVersion": "1:1.0.2k-16.el7_6.1", + "FixedVersion": "1:1.0.2k-19.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)", - "Description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.", + "SeveritySource": "redhat", + "Title": "openssl: timing side channel attack in the DSA signature algorithm", + "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). 
Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", "Severity": "LOW", "References": [ - "http://www.securityfocus.com/bid/105897", - "https://access.redhat.com/errata/RHSA-2019:0483", - "https://access.redhat.com/errata/RHSA-2019:0651", - "https://access.redhat.com/errata/RHSA-2019:0652", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407", - "https://eprint.iacr.org/2018/1060.pdf", - "https://github.com/bbbrumley/portsmash", - "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html", + "http://linux.oracle.com/cve/CVE-2018-0734.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html", + "http://www.securityfocus.com/bid/105758", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7", "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", - "https://security.gentoo.org/glsa/201903-10", - "https://security.netapp.com/advisory/ntap-20181126-0001/", + "https://security.netapp.com/advisory/ntap-20181105-0002/", + "https://security.netapp.com/advisory/ntap-20190118-0002/", + "https://security.netapp.com/advisory/ntap-20190423-0002/", "https://usn.ubuntu.com/3840-1/", "https://www.debian.org/security/2018/dsa-4348", "https://www.debian.org/security/2018/dsa-4355", - "https://www.exploit-db.com/exploits/45785/", - "https://www.openssl.org/news/secadv/20181112.txt", + "https://www.openssl.org/news/secadv/20181030.txt", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - 
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.tenable.com/security/tns-2018-16", "https://www.tenable.com/security/tns-2018-17" ] @@ -1471,10 +1993,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "procps-ng, procps: Local privilege escalation in top", "Description": "procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1122.html", + "http://linux.oracle.com/errata/ELSA-2019-2189.html", "http://seclists.org/oss-sec/2018/q2/122", "http://www.securityfocus.com/bid/104214", "https://access.redhat.com/errata/RHSA-2019:2189", 
@@ -1489,50 +2014,6 @@ "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" ] }, - { - "VulnerabilityID": "CVE-2019-5010", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" - ] - }, - { - "VulnerabilityID": "CVE-2018-14647", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: Missing salt initialization in _elementtree.c module", - "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. 
Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105396", - "http://www.securitytracker.com/id/1041740", - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://access.redhat.com/errata/RHSA-2019:2030", - "https://bugs.python.org/issue34623", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.debian.org/security/2018/dsa-4306", - "https://www.debian.org/security/2018/dsa-4307" - ] - }, { "VulnerabilityID": "CVE-2019-10160", "PkgName": "python", 
@@ -1541,19 +2022,35 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc", "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-10160.html", + "http://linux.oracle.com/errata/ELSA-2019-1587.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html", "https://access.redhat.com/errata/RHSA-2019:1587", + "https://access.redhat.com/errata/RHSA-2019:1700", + "https://access.redhat.com/errata/RHSA-2019:2437", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160", "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09", "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e", "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de", "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468", "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/", "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html", - "https://security.netapp.com/advisory/ntap-20190617-0003/" + "https://security.netapp.com/advisory/ntap-20190617-0003/", + "https://usn.ubuntu.com/4127-1/", + "https://usn.ubuntu.com/4127-2/" ] }, { 
@@ -1564,10 +2061,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization", "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9636.html", + "http://linux.oracle.com/errata/ELSA-2019-1467.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html", "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html", 
@@ -1599,96 +2099,21 @@ "https://security.netapp.com/advisory/ntap-20190517-0001/" ] }, - { - "VulnerabilityID": "CVE-2019-9740", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: CRLF injection via the query part of the url passed to urlopen()", - "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/107466", - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://bugs.python.org/issue36276", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9947", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: CRLF injection via the path part of the url passed to urlopen()", - "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? 
character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.", - "Severity": "MEDIUM", - "References": [ - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://bugs.python.org/issue35906", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/", - "https://security.netapp.com/advisory/ntap-20190404-0004/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9948", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", - "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", - "http://www.securityfocus.com/bid/107549", - "https://bugs.python.org/issue35907", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948", - "https://github.com/python/cpython/pull/11842", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", - "https://security.netapp.com/advisory/ntap-20190404-0004/" - ] - }, - { - "VulnerabilityID": "CVE-2019-5010", - "PkgName": "python-libs", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" - ] - }, { "VulnerabilityID": "CVE-2018-14647", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.7.5-76.el7", "FixedVersion": "2.7.5-86.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: Missing salt initialization in _elementtree.c module", "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-14647.html", + "http://linux.oracle.com/errata/ELSA-2019-2030.html", "http://www.securityfocus.com/bid/105396", "http://www.securitytracker.com/id/1041740", "https://access.redhat.com/errata/RHSA-2019:1260", 
@@ -1705,6 +2130,99 @@ "https://www.debian.org/security/2018/dsa-4307" ] }, + { + "VulnerabilityID": "CVE-2019-5010", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", + "Description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5010.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", + "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758" + ] + }, + { + "VulnerabilityID": "CVE-2019-9740", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: CRLF injection via the query part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? 
character) followed by an HTTP header or a Redis command.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-9740.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "http://www.securityfocus.com/bid/107466", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://bugs.python.org/issue36276", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/" + ] + }, + { + "VulnerabilityID": "CVE-2019-9947", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: CRLF injection via the path part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. 
This is similar to the CVE-2019-9740 query string issue.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-9947.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://bugs.python.org/issue35906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/", + "https://security.netapp.com/advisory/ntap-20190404-0004/" + ] + }, + { + "VulnerabilityID": "CVE-2019-9948", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", + "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-9948.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", + "http://www.securityfocus.com/bid/107549", + "https://bugs.python.org/issue35907", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948", + "https://github.com/python/cpython/pull/11842", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + 
"https://security.netapp.com/advisory/ntap-20190404-0004/" + ] + }, { "VulnerabilityID": "CVE-2019-10160", "PkgName": "python-libs", 
@@ -1713,19 +2231,35 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc", "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-10160.html", + "http://linux.oracle.com/errata/ELSA-2019-1587.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html", "https://access.redhat.com/errata/RHSA-2019:1587", + "https://access.redhat.com/errata/RHSA-2019:1700", + "https://access.redhat.com/errata/RHSA-2019:2437", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160", "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09", "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e", "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de", "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468", "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/", "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html", - "https://security.netapp.com/advisory/ntap-20190617-0003/" + "https://security.netapp.com/advisory/ntap-20190617-0003/", + "https://usn.ubuntu.com/4127-1/", + "https://usn.ubuntu.com/4127-2/" ] }, { 
@@ -1736,10 +2270,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization", "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9636.html", + "http://linux.oracle.com/errata/ELSA-2019-1467.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html", "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html", 
@@ -1771,6 +2308,59 @@ "https://security.netapp.com/advisory/ntap-20190517-0001/" ] }, + { + "VulnerabilityID": "CVE-2018-14647", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: Missing salt initialization in _elementtree.c module", + "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-14647.html", + "http://linux.oracle.com/errata/ELSA-2019-2030.html", + "http://www.securityfocus.com/bid/105396", + "http://www.securitytracker.com/id/1041740", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://access.redhat.com/errata/RHSA-2019:2030", + "https://bugs.python.org/issue34623", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.debian.org/security/2018/dsa-4306", + "https://www.debian.org/security/2018/dsa-4307" + ] + }, + { + "VulnerabilityID": "CVE-2019-5010", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", + "Description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5010.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", + "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758" + ] + }, { "VulnerabilityID": "CVE-2019-9740", "PkgName": "python-libs", @@ -1779,10 +2369,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: CRLF injection via the query part of the url passed to urlopen()", "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9740.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://www.securityfocus.com/bid/107466", "https://access.redhat.com/errata/RHSA-2019:1260", "https://bugs.python.org/issue36276", 
@@ -1799,10 +2392,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: CRLF injection via the path part of the url passed to urlopen()", "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9947.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "https://access.redhat.com/errata/RHSA-2019:1260", "https://bugs.python.org/issue35906", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", @@ -1819,10 +2415,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9948.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", "http://www.securityfocus.com/bid/107549", 
@@ -1833,6 +2432,30 @@ "https://security.netapp.com/advisory/ntap-20190404-0004/" ] }, + { + "VulnerabilityID": "CVE-2019-13734", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "FixedVersion": "3.7.17-8.el7_7.1", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: fts3: improve shadow table corruption detection", + "Description": "Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-13734.html", + "http://linux.oracle.com/errata/ELSA-2020-0273.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025466", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] + }, { "VulnerabilityID": "CVE-2018-15686", "PkgName": "systemd", 
@@ -1841,10 +2464,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec", "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.", - "Severity": "CRITICAL", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-15686.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "http://www.securityfocus.com/bid/105747", "https://access.redhat.com/errata/RHSA-2019:2091", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686", @@ -1863,10 +2489,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: out-of-bounds read when parsing a crafted syslog message", "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16866.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html", "http://seclists.org/fulldisclosure/2019/May/21", "http://www.openwall.com/lists/oss-security/2019/05/10/4", 
@@ -1889,10 +2518,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16888.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "https://access.redhat.com/errata/RHSA-2019:2091", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", @@ -1908,10 +2540,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec", "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.", - "Severity": "CRITICAL", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-15686.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "http://www.securityfocus.com/bid/105747", "https://access.redhat.com/errata/RHSA-2019:2091", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686", 
@@ -1930,10 +2565,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: out-of-bounds read when parsing a crafted syslog message", "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16866.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html", "http://seclists.org/fulldisclosure/2019/May/21", "http://www.openwall.com/lists/oss-security/2019/05/10/4", @@ -1956,10 +2594,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16888.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "https://access.redhat.com/errata/RHSA-2019:2091", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", 
@@ -1975,10 +2616,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "vim/neovim: ':source!' command allows arbitrary command execution via modelines", "Description": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.", - "Severity": "CRITICAL", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-12735.html", + "http://linux.oracle.com/errata/ELSA-2019-1774.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html", diff --git a/integration/testdata/centos-7-low-high.json.golden b/integration/testdata/centos-7-low-high.json.golden index 5ef6786339..912d1bac90 100644 --- a/integration/testdata/centos-7-low-high.json.golden +++ b/integration/testdata/centos-7-low-high.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/centos-7.tar.gz (centos 7.6.1810)", + "Type": "centos", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2018-5743", 
@@ -10,12 +11,142 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "bind: Limiting simultaneous TCP clients is ineffective", "Description": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.6, 9.12.0 -\u003e 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -\u003e 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -\u003e 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-5743.html", + "http://linux.oracle.com/errata/ELSA-2019-1492.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743", - "https://kb.isc.org/docs/cve-2018-5743" + "https://kb.isc.org/docs/cve-2018-5743", + "https://support.f5.com/csp/article/K74009656?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.synology.com/security/advisory/Synology_SA_19_20" + ] + }, + { + "VulnerabilityID": "CVE-2018-12641", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "FixedVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack Exhaustion in the demangling functions provided by libiberty", + "Description": "An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12641.html", + "http://linux.oracle.com/errata/ELSA-2019-2075.html", + "https://access.redhat.com/errata/RHSA-2019:2075", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763099", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452", + "https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23058" + ] + }, + { + "VulnerabilityID": "CVE-2018-12697", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "FixedVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in work_stuff_copy_to_from in cplus-dem.c.", + "Description": "A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
This can occur during execution of objdump.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12697.html", + "http://linux.oracle.com/errata/ELSA-2019-2075.html", + "http://www.securityfocus.com/bid/104538", + "https://access.redhat.com/errata/RHSA-2019:2075", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", + "https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" + ] + }, + { + "VulnerabilityID": "CVE-2018-14618", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "FixedVersion": "7.29.0-51.el7_6.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: NTLM password overflow via integer overflow", + "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. 
(This bug is almost identical to CVE-2017-8816.)", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-14618.html", + "http://linux.oracle.com/errata/ELSA-2019-1880.html", + "http://www.securitytracker.com/id/1041605", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2018-14618.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014", + "https://security.gentoo.org/glsa/201903-03", + "https://usn.ubuntu.com/3765-1/", + "https://usn.ubuntu.com/3765-2/", + "https://www.debian.org/security/2018/dsa-4286" + ] + }, + { + "VulnerabilityID": "CVE-2018-16842", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "FixedVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting", + "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16842.html", + "http://linux.oracle.com/errata/ELSA-2019-2181.html", + "http://www.securitytracker.com/id/1042014", + "https://access.redhat.com/errata/RHSA-2019:2181", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842", + "https://curl.haxx.se/docs/CVE-2018-16842.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16842", + "https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211", + "https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html", + "https://security.gentoo.org/glsa/201903-03", + 
"https://usn.ubuntu.com/3805-1/", + "https://usn.ubuntu.com/3805-2/", + "https://www.debian.org/security/2018/dsa-4331" + ] + }, + { + "VulnerabilityID": "CVE-2018-16062", + "PkgName": "elfutils-default-yama-scope", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file", + "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16062.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23541", + "https://sourceware.org/git/?p=elfutils.git;a=commit;h=29e31978ba51c1051743a503ee325b5ebc03d7e9", + "https://usn.ubuntu.com/4012-1/" ] }, { 
@@ -26,15 +157,217 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16402.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", "https://usn.ubuntu.com/4012-1/" ] }, + { + "VulnerabilityID": "CVE-2018-16403", + "PkgName": "elfutils-default-yama-scope", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash", + "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16403.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23529", + "https://sourceware.org/git/?p=elfutils.git;a=commit;h=6983e59b727458a6c64d9659c85f08218bc4fcda", + "https://usn.ubuntu.com/4012-1/" + ] + 
}, + { + "VulnerabilityID": "CVE-2018-18310", + "PkgName": "elfutils-default-yama-scope", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl", + "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18310.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23752", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-18520", + "PkgName": "elfutils-default-yama-scope", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: eu-size cannot handle recursive ar files", + "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. 
The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18520.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23787", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-18521", + "PkgName": "elfutils-default-yama-scope", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c", + "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18521.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23786", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7149", + "PkgName": "elfutils-default-yama-scope", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: 
heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw", + "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7149.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24102", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7150", + "PkgName": "elfutils-default-yama-scope", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c", + "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. 
A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7150.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24103", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7664", + "PkgName": "elfutils-default-yama-scope", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h", + "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. 
Crafted elf input causes a segmentation fault, leading to denial of service (program crash).", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7664.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24084" + ] + }, + { + "VulnerabilityID": "CVE-2019-7665", + "PkgName": "elfutils-default-yama-scope", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c", + "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7665.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24089", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-16062", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file", + "Description": 
"dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16062.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23541", + "https://sourceware.org/git/?p=elfutils.git;a=commit;h=29e31978ba51c1051743a503ee325b5ebc03d7e9", + "https://usn.ubuntu.com/4012-1/" + ] + }, { "VulnerabilityID": "CVE-2018-16402", "PkgName": "elfutils-libelf", 
@@ -43,15 +376,217 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16402.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", "https://usn.ubuntu.com/4012-1/" ] }, + { + "VulnerabilityID": "CVE-2018-16403", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash", + "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16403.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23529", + "https://sourceware.org/git/?p=elfutils.git;a=commit;h=6983e59b727458a6c64d9659c85f08218bc4fcda", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + 
"VulnerabilityID": "CVE-2018-18310", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl", + "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18310.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23752", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-18520", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: eu-size cannot handle recursive ar files", + "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. 
The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18520.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23787", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-18521", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c", + "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18521.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23786", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7149", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: heap-based buffer over-read 
in read_srclines in dwarf_getsrclines.c in libdw", + "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7149.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24102", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7150", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c", + "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. 
A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7150.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24103", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7664", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h", + "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. 
Crafted elf input causes a segmentation fault, leading to denial of service (program crash).", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7664.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24084" + ] + }, + { + "VulnerabilityID": "CVE-2019-7665", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c", + "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7665.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24089", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-16062", + "PkgName": "elfutils-libs", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file", + "Description": "dwarf_getaranges in 
dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16062.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23541", + "https://sourceware.org/git/?p=elfutils.git;a=commit;h=29e31978ba51c1051743a503ee325b5ebc03d7e9", + "https://usn.ubuntu.com/4012-1/" + ] + }, { "VulnerabilityID": "CVE-2018-16402", "PkgName": "elfutils-libs", 
@@ -60,344 +595,766 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16402.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", "https://usn.ubuntu.com/4012-1/" ] }, { - "VulnerabilityID": "CVE-2018-0495", - "PkgName": "nspr", - "InstalledVersion": "4.19.0-1.el7_5", - "FixedVersion": "4.21.0-1.el7", + "VulnerabilityID": "CVE-2018-16403", + "PkgName": "elfutils-libs", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "SeveritySource": "redhat", + "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash", + "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.", "Severity": "LOW", "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2018-16403.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403", + 
"https://sourceware.org/bugzilla/show_bug.cgi?id=23529", + "https://sourceware.org/git/?p=elfutils.git;a=commit;h=6983e59b727458a6c64d9659c85f08218bc4fcda", + "https://usn.ubuntu.com/4012-1/" ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2018-18310", + "PkgName": "elfutils-libs", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl", + "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18310.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23752", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-18520", + "PkgName": "elfutils-libs", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: eu-size cannot handle recursive ar files", + "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. 
The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18520.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23787", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-18521", + "PkgName": "elfutils-libs", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c", + "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18521.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23786", + "https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7149", + "PkgName": "elfutils-libs", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: heap-based buffer over-read in 
read_srclines in dwarf_getsrclines.c in libdw", + "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7149.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24102", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7150", + "PkgName": "elfutils-libs", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c", + "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. 
A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7150.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24103", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7664", + "PkgName": "elfutils-libs", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h", + "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. 
Crafted elf input causes a segmentation fault, leading to denial of service (program crash).", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7664.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24084" + ] + }, + { + "VulnerabilityID": "CVE-2019-7665", + "PkgName": "elfutils-libs", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c", + "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7665.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24089", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-14618", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "FixedVersion": "7.29.0-51.el7_6.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: NTLM password overflow via integer overflow", + "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM 
authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-14618.html", + "http://linux.oracle.com/errata/ELSA-2019-1880.html", + "http://www.securitytracker.com/id/1041605", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2018-14618.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014", + "https://security.gentoo.org/glsa/201903-03", + "https://usn.ubuntu.com/3765-1/", + "https://usn.ubuntu.com/3765-2/", + "https://www.debian.org/security/2018/dsa-4286" + ] + }, + { + "VulnerabilityID": "CVE-2018-16842", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "FixedVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting", + "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of 
service.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16842.html", + "http://linux.oracle.com/errata/ELSA-2019-2181.html", + "http://www.securitytracker.com/id/1042014", + "https://access.redhat.com/errata/RHSA-2019:2181", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842", + "https://curl.haxx.se/docs/CVE-2018-16842.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16842", + "https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211", + "https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html", + "https://security.gentoo.org/glsa/201903-03", + "https://usn.ubuntu.com/3805-1/", + "https://usn.ubuntu.com/3805-2/", + "https://www.debian.org/security/2018/dsa-4331" + ] + }, + { + "VulnerabilityID": "CVE-2019-3855", + "PkgName": "libssh2", + "InstalledVersion": "1.4.3-12.el7", + "FixedVersion": "1.4.3-12.el7_6.2", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libssh2: Integer overflow in transport read resulting in out of bounds write", + "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. 
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3855.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", + "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", + "http://www.openwall.com/lists/oss-security/2019/03/18/3", + "http://www.securityfocus.com/bid/107485", + "https://access.redhat.com/errata/RHSA-2019:0679", + "https://access.redhat.com/errata/RHSA-2019:1175", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3855", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/", + "https://seclists.org/bugtraq/2019/Apr/25", + "https://seclists.org/bugtraq/2019/Mar/25", + "https://security.netapp.com/advisory/ntap-20190327-0005/", + "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767", + "https://www.debian.org/security/2019/dsa-4431", + "https://www.libssh2.org/CVE-2019-3855.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-3856", + "PkgName": "libssh2", + "InstalledVersion": "1.4.3-12.el7", + "FixedVersion": "1.4.3-12.el7_6.2", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write", + "Description": 
"An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3856.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", + "https://access.redhat.com/errata/RHSA-2019:0679", + "https://access.redhat.com/errata/RHSA-2019:1175", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3856", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", + "https://seclists.org/bugtraq/2019/Apr/25", + "https://security.netapp.com/advisory/ntap-20190327-0005/", + "https://www.debian.org/security/2019/dsa-4431", + "https://www.libssh2.org/CVE-2019-3856.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-3857", + "PkgName": "libssh2", + "InstalledVersion": "1.4.3-12.el7", + "FixedVersion": "1.4.3-12.el7_6.2", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write", + "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. 
A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3857.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", + "https://access.redhat.com/errata/RHSA-2019:0679", + "https://access.redhat.com/errata/RHSA-2019:1175", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3857", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", + "https://seclists.org/bugtraq/2019/Apr/25", + "https://security.netapp.com/advisory/ntap-20190327-0005/", + "https://www.debian.org/security/2019/dsa-4431", + "https://www.libssh2.org/CVE-2019-3857.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-3863", + "PkgName": "libssh2", + "InstalledVersion": "1.4.3-12.el7", + "FixedVersion": "1.4.3-12.el7_6.2", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes", + "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. 
This value is used as an index to copy memory causing in an out of bounds memory write error.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3863.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", + "https://access.redhat.com/errata/RHSA-2019:0679", + "https://access.redhat.com/errata/RHSA-2019:1175", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", + "https://seclists.org/bugtraq/2019/Apr/25", + "https://security.netapp.com/advisory/ntap-20190327-0005/", + "https://www.debian.org/security/2019/dsa-4431", + "https://www.libssh2.org/CVE-2019-3863.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", "PkgName": "nss", "InstalledVersion": "3.36.0-7.1.el7_6", - "FixedVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + 
"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11745", "PkgName": "nss-softokn", "InstalledVersion": "3.36.0-5.el7_5", - "FixedVersion": "3.44.0-5.el7", + "FixedVersion": "3.44.0-8.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. 
This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + 
"https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11745", "PkgName": "nss-softokn-freebl", "InstalledVersion": "3.36.0-5.el7_5", - "FixedVersion": "3.44.0-5.el7", + "FixedVersion": "3.44.0-8.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11745", "PkgName": "nss-sysinit", "InstalledVersion": "3.36.0-7.1.el7_6", - "FixedVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11745", "PkgName": "nss-tools", "InstalledVersion": "3.36.0-7.1.el7_6", - "FixedVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11745", "PkgName": "nss-util", "InstalledVersion": "3.36.0-1.1.el7_6", - "FixedVersion": "3.44.0-3.el7", + "FixedVersion": "3.44.0-4.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { - "VulnerabilityID": "CVE-2018-5407", + "VulnerabilityID": "CVE-2018-0734", "PkgName": "openssl-libs", "InstalledVersion": "1:1.0.2k-16.el7", - "FixedVersion": "1:1.0.2k-16.el7_6.1", + "FixedVersion": "1:1.0.2k-19.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)", - "Description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.", + "SeveritySource": "redhat", + "Title": "openssl: timing side channel attack in the DSA signature algorithm", + "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). 
Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", "Severity": "LOW", "References": [ - "http://www.securityfocus.com/bid/105897", - "https://access.redhat.com/errata/RHSA-2019:0483", - "https://access.redhat.com/errata/RHSA-2019:0651", - "https://access.redhat.com/errata/RHSA-2019:0652", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407", - "https://eprint.iacr.org/2018/1060.pdf", - "https://github.com/bbbrumley/portsmash", - "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html", + "http://linux.oracle.com/cve/CVE-2018-0734.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html", + "http://www.securityfocus.com/bid/105758", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7", "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", - "https://security.gentoo.org/glsa/201903-10", - "https://security.netapp.com/advisory/ntap-20181126-0001/", + "https://security.netapp.com/advisory/ntap-20181105-0002/", + "https://security.netapp.com/advisory/ntap-20190118-0002/", + "https://security.netapp.com/advisory/ntap-20190423-0002/", "https://usn.ubuntu.com/3840-1/", "https://www.debian.org/security/2018/dsa-4348", "https://www.debian.org/security/2018/dsa-4355", - "https://www.exploit-db.com/exploits/45785/", - "https://www.openssl.org/news/secadv/20181112.txt", + "https://www.openssl.org/news/secadv/20181030.txt", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - 
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.tenable.com/security/tns-2018-16", "https://www.tenable.com/security/tns-2018-17" ] }, { - "VulnerabilityID": "CVE-2019-5010", + "VulnerabilityID": "CVE-2019-10160", "PkgName": "python", "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", + "FixedVersion": "2.7.5-80.el7_6", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", + "SeveritySource": "redhat", + "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc", + "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. 
The result of an attack may vary based on the application.", "Severity": "HIGH", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" + "http://linux.oracle.com/cve/CVE-2019-10160.html", + "http://linux.oracle.com/errata/ELSA-2019-1587.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html", + "https://access.redhat.com/errata/RHSA-2019:1587", + "https://access.redhat.com/errata/RHSA-2019:1700", + "https://access.redhat.com/errata/RHSA-2019:2437", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160", + "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09", + "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e", + "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de", + "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/", + "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html", + "https://security.netapp.com/advisory/ntap-20190617-0003/", + "https://usn.ubuntu.com/4127-1/", + "https://usn.ubuntu.com/4127-2/" ] }, { - "VulnerabilityID": "CVE-2019-5010", + "VulnerabilityID": "CVE-2019-9636", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-77.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization", + "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. 
The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-9636.html", + "http://linux.oracle.com/errata/ELSA-2019-1467.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", + "http://www.securityfocus.com/bid/107400", + "https://access.redhat.com/errata/RHBA-2019:0959", + "https://access.redhat.com/errata/RHSA-2019:0710", + "https://access.redhat.com/errata/RHSA-2019:0765", + "https://access.redhat.com/errata/RHSA-2019:0806", + "https://access.redhat.com/errata/RHSA-2019:0902", + "https://access.redhat.com/errata/RHSA-2019:0981", + "https://access.redhat.com/errata/RHSA-2019:0997", + "https://access.redhat.com/errata/RHSA-2019:1467", + "https://bugs.python.org/issue36216", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636", + "https://github.com/python/cpython/pull/12201", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/",
+ "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html",
+ "https://security.netapp.com/advisory/ntap-20190517-0001/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-10160",
  "PkgName": "python-libs",
  "InstalledVersion": "2.7.5-76.el7",
- "FixedVersion": "2.7.5-86.el7",
+ "FixedVersion": "2.7.5-80.el7_6",
  "Layer": {
  "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
  },
- "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
- "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
+ "SeveritySource": "redhat",
+ "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc",
+ "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
  "Severity": "HIGH",
  "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
- "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
+ "http://linux.oracle.com/cve/CVE-2019-10160.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1587.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html",
+ "https://access.redhat.com/errata/RHSA-2019:1587",
+ "https://access.redhat.com/errata/RHSA-2019:1700",
+ "https://access.redhat.com/errata/RHSA-2019:2437",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160",
+ "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09",
+ "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e",
+ "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de",
+ "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468",
+ "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/",
+ "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html",
+ "https://security.netapp.com/advisory/ntap-20190617-0003/",
+ "https://usn.ubuntu.com/4127-1/",
+ "https://usn.ubuntu.com/4127-2/"
  ]
  },
  {
- "VulnerabilityID": "CVE-2018-16866",
- "PkgName": "systemd",
- "InstalledVersion": "219-62.el7_6.5",
- "FixedVersion": "219-67.el7",
+ "VulnerabilityID": "CVE-2019-9636",
+ "PkgName": "python-libs",
+ "InstalledVersion": "2.7.5-76.el7",
+ "FixedVersion": "2.7.5-77.el7_6",
  "Layer": {
  "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
  },
- "Title": "systemd: out-of-bounds read when parsing a crafted syslog message",
- "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
- "Severity": "LOW",
+ "SeveritySource": "redhat",
+ "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
+ "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
+ "Severity": "HIGH",
  "References": [
- "http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html",
- "http://seclists.org/fulldisclosure/2019/May/21",
- "http://www.openwall.com/lists/oss-security/2019/05/10/4",
- "http://www.securityfocus.com/bid/106527",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16866",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16866",
- "https://seclists.org/bugtraq/2019/May/25",
- "https://security.gentoo.org/glsa/201903-07",
- "https://security.netapp.com/advisory/ntap-20190117-0001/",
- "https://usn.ubuntu.com/3855-1/",
- "https://www.debian.org/security/2019/dsa-4367",
- "https://www.qualys.com/2019/01/09/system-down/system-down.txt"
+ "http://linux.oracle.com/cve/CVE-2019-9636.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1467.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html",
+ "http://www.securityfocus.com/bid/107400",
+ "https://access.redhat.com/errata/RHBA-2019:0959",
+ "https://access.redhat.com/errata/RHSA-2019:0710",
+ "https://access.redhat.com/errata/RHSA-2019:0765",
+ "https://access.redhat.com/errata/RHSA-2019:0806",
+ "https://access.redhat.com/errata/RHSA-2019:0902",
+ "https://access.redhat.com/errata/RHSA-2019:0981",
+ "https://access.redhat.com/errata/RHSA-2019:0997",
+ "https://access.redhat.com/errata/RHSA-2019:1467",
+ "https://bugs.python.org/issue36216",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636",
+ "https://github.com/python/cpython/pull/12201",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/",
+ "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html",
+ "https://security.netapp.com/advisory/ntap-20190517-0001/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-13734",
+ "PkgName": "sqlite",
+ "InstalledVersion": "3.7.17-8.el7",
+ "FixedVersion": "3.7.17-8.el7_7.1",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "sqlite: fts3: improve shadow table corruption detection",
+ "Description": "Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
+ "Severity": "HIGH",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2019-13734.html",
+ "http://linux.oracle.com/errata/ELSA-2020-0273.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html",
+ "https://access.redhat.com/errata/RHSA-2019:4238",
+ "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html",
+ "https://crbug.com/1025466",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/"
  ]
  },
  {
@@ -408,10 +1365,13 @@
  "Layer": {
  "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
  },
+ "SeveritySource": "redhat",
  "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered",
  "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.",
  "Severity": "LOW",
  "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16888.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2091.html",
  "https://access.redhat.com/errata/RHSA-2019:2091",
  "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888",
  "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888",
@@ -419,32 +1379,6 @@
  "https://security.netapp.com/advisory/ntap-20190307-0007/"
  ]
  },
- {
- "VulnerabilityID": "CVE-2018-16866",
- "PkgName": "systemd-libs",
- "InstalledVersion": "219-62.el7_6.5",
- "FixedVersion": "219-67.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "systemd: out-of-bounds read when parsing a crafted syslog message",
- "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
- "Severity": "LOW",
- "References": [
- "http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html",
- "http://seclists.org/fulldisclosure/2019/May/21",
- "http://www.openwall.com/lists/oss-security/2019/05/10/4",
- "http://www.securityfocus.com/bid/106527",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16866",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16866",
- "https://seclists.org/bugtraq/2019/May/25",
- "https://security.gentoo.org/glsa/201903-07",
- "https://security.netapp.com/advisory/ntap-20190117-0001/",
- "https://usn.ubuntu.com/3855-1/",
- "https://www.debian.org/security/2019/dsa-4367",
- "https://www.qualys.com/2019/01/09/system-down/system-down.txt"
- ]
- },
  {
  "VulnerabilityID": "CVE-2018-16888",
  "PkgName": "systemd-libs",
@@ -453,16 +1387,51 @@
  "Layer": {
  "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
  },
+ "SeveritySource": "redhat",
  "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered",
  "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.",
  "Severity": "LOW",
  "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16888.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2091.html",
  "https://access.redhat.com/errata/RHSA-2019:2091",
  "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888",
  "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888",
  "https://lists.apache.org/thread.html/5960a34a524848cd722fd7ab7e2227eac10107b0f90d9d1e9c3caa74@%3Cuser.cassandra.apache.org%3E",
  "https://security.netapp.com/advisory/ntap-20190307-0007/"
  ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-12735",
+ "PkgName": "vim-minimal",
+ "InstalledVersion": "2:7.4.160-5.el7",
+ "FixedVersion": "2:7.4.160-6.el7_6",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "vim/neovim: ':source!' command allows arbitrary command execution via modelines",
+ "Description": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.",
+ "Severity": "HIGH",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2019-12735.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1774.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html",
+ "http://www.securityfocus.com/bid/108724",
+ "https://bugs.debian.org/930020",
+ "https://bugs.debian.org/930024",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735",
+ "https://github.com/neovim/neovim/pull/10082",
+ "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md",
+ "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/",
+ "https://usn.ubuntu.com/4016-1/",
+ "https://usn.ubuntu.com/4016-2/",
+ "https://www.debian.org/security/2019/dsa-4467"
+ ]
  }
  ]
  }
diff --git a/integration/testdata/centos-7.json.golden b/integration/testdata/centos-7.json.golden
index ef60e0e41a..5aafca5883 100644
--- a/integration/testdata/centos-7.json.golden
+++ b/integration/testdata/centos-7.json.golden
@@ -1,6 +1,7 @@
  [
  {
  "Target": "testdata/fixtures/centos-7.tar.gz (centos 7.6.1810)",
+ "Type": "centos",
  "Vulnerabilities": [
  {
  "VulnerabilityID": "CVE-2015-5186",
@@ -9,6 +10,7 @@
  "Layer": {
  "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
  },
+ "SeveritySource": "redhat",
  "Title": "Audit: log terminal emulator escape sequences handling",
  "Description": "Audit before 2.4.4 in Linux does not sanitize escape characters in filenames.",
  "Severity": "MEDIUM",
@@ -20,271 +22,6 @@
  "https://people.redhat.com/sgrubb/audit/ChangeLog"
  ]
  },
- {
- "VulnerabilityID": "CVE-2014-6277",
- "PkgName": "bash",
- "InstalledVersion": "4.2.46-31.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "bash: uninitialized here document closing delimiter pointer use",
- "Description": "GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.",
- "Severity": "CRITICAL",
- "References": [
- "http://jvn.jp/en/jp/JVN55667175/index.html",
- "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126",
- "http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html",
- "http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html",
- "http://linux.oracle.com/errata/ELSA-2014-3093",
- "http://linux.oracle.com/errata/ELSA-2014-3094",
- "http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html",
- "http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html",
- "http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html",
- "http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html",
- "http://marc.info/?l=bugtraq\u0026m=141330468527613\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141345648114150\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383026420882\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383081521087\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383196021590\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383244821813\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383304022067\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383353622268\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383465822787\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141450491804793\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141576728022234\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141577137423233\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141577241923505\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141577297623641\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141585637922673\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141879528318582\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=142118135300698\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=142289270617409\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=142358026505815\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=142358078406056\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=142721162228379\u0026w=2",
- "http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html",
- "http://secunia.com/advisories/58200",
- "http://secunia.com/advisories/59907",
- "http://secunia.com/advisories/59961",
- "http://secunia.com/advisories/60024",
- "http://secunia.com/advisories/60034",
- "http://secunia.com/advisories/60044",
- "http://secunia.com/advisories/60055",
- "http://secunia.com/advisories/60063",
- "http://secunia.com/advisories/60193",
- "http://secunia.com/advisories/60325",
- "http://secunia.com/advisories/60433",
- "http://secunia.com/advisories/61065",
- "http://secunia.com/advisories/61128",
- "http://secunia.com/advisories/61129",
- "http://secunia.com/advisories/61283",
- "http://secunia.com/advisories/61287",
- "http://secunia.com/advisories/61291",
- "http://secunia.com/advisories/61312",
- "http://secunia.com/advisories/61313",
- "http://secunia.com/advisories/61328",
- "http://secunia.com/advisories/61442",
- "http://secunia.com/advisories/61471",
- "http://secunia.com/advisories/61485",
- "http://secunia.com/advisories/61503",
- "http://secunia.com/advisories/61550",
- "http://secunia.com/advisories/61552",
- "http://secunia.com/advisories/61565",
- "http://secunia.com/advisories/61603",
- "http://secunia.com/advisories/61633",
- "http://secunia.com/advisories/61641",
- "http://secunia.com/advisories/61643",
- "http://secunia.com/advisories/61654",
- "http://secunia.com/advisories/61703",
- "http://secunia.com/advisories/61780",
- "http://secunia.com/advisories/61816",
- "http://secunia.com/advisories/61857",
- "http://secunia.com/advisories/62312",
- "http://secunia.com/advisories/62343",
- "http://support.apple.com/HT204244",
- "http://support.novell.com/security/cve/CVE-2014-6277.html",
- "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash",
- "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272",
- "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279",
- "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361",
- "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879",
- "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897",
- "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898",
- "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21685541",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21685604",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21685733",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21685749",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21685914",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21686131",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21686246",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21686445",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21686479",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21686494",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21687079",
- "http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315",
- "http://www.mandriva.com/security/advisories?name=MDVSA-2015:164",
- "http://www.novell.com/support/kb/doc.php?id=7015721",
- "http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html",
- "http://www.qnap.com/i/en/support/con_show.php?cid=61",
- "http://www.ubuntu.com/usn/USN-2380-1",
- "http://www.vmware.com/security/advisories/VMSA-2014-0010.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277",
- "https://kb.bluecoat.com/index?page=content\u0026id=SA82",
- "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10648",
- "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10085",
- "https://support.apple.com/HT205267",
- "https://support.citrix.com/article/CTX200217",
- "https://support.citrix.com/article/CTX200223",
- "https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html",
- "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04497075",
- "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04518183",
- "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk102673\u0026src=securityAlerts",
- "https://www.suse.com/support/shellshock/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2014-6278",
- "PkgName": "bash",
- "InstalledVersion": "4.2.46-31.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "bash: incorrect parsing of function definitions with nested command substitutions",
- "Description": "GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.",
- "Severity": "CRITICAL",
- "References": [
- "http://jvn.jp/en/jp/JVN55667175/index.html",
- "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126",
- "http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html",
- "http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html",
- "http://linux.oracle.com/errata/ELSA-2014-3093",
- "http://linux.oracle.com/errata/ELSA-2014-3094",
- "http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html",
- "http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html",
- "http://marc.info/?l=bugtraq\u0026m=141330468527613\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141345648114150\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383026420882\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383081521087\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383196021590\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383244821813\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383304022067\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383353622268\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141383465822787\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141450491804793\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141576728022234\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141577137423233\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141577241923505\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141577297623641\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141585637922673\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=141879528318582\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=142118135300698\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=142358026505815\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=142358078406056\u0026w=2",
- "http://marc.info/?l=bugtraq\u0026m=142721162228379\u0026w=2",
- "http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html",
- "http://packetstormsecurity.com/files/137344/Sun-Secure-Global-Desktop-Oracle-Global-Desktop-Shellshock.html",
- "http://secunia.com/advisories/58200",
- "http://secunia.com/advisories/59907",
- "http://secunia.com/advisories/59961",
- "http://secunia.com/advisories/60024",
- "http://secunia.com/advisories/60034",
- "http://secunia.com/advisories/60044",
- "http://secunia.com/advisories/60055",
- "http://secunia.com/advisories/60063",
- "http://secunia.com/advisories/60193",
- "http://secunia.com/advisories/60325",
- "http://secunia.com/advisories/60433",
- "http://secunia.com/advisories/61065",
- "http://secunia.com/advisories/61128",
- "http://secunia.com/advisories/61129",
- "http://secunia.com/advisories/61283",
- "http://secunia.com/advisories/61287",
- "http://secunia.com/advisories/61291",
- "http://secunia.com/advisories/61312",
- "http://secunia.com/advisories/61313",
- "http://secunia.com/advisories/61328",
- "http://secunia.com/advisories/61442",
- "http://secunia.com/advisories/61471",
- "http://secunia.com/advisories/61485",
- "http://secunia.com/advisories/61503",
- "http://secunia.com/advisories/61550",
- "http://secunia.com/advisories/61552",
- "http://secunia.com/advisories/61565",
- "http://secunia.com/advisories/61603",
- "http://secunia.com/advisories/61633",
- "http://secunia.com/advisories/61641",
- "http://secunia.com/advisories/61643",
- "http://secunia.com/advisories/61654",
- "http://secunia.com/advisories/61703",
- "http://secunia.com/advisories/61780",
- "http://secunia.com/advisories/61816",
- "http://secunia.com/advisories/61857",
- "http://secunia.com/advisories/62312",
- "http://secunia.com/advisories/62343",
- "http://support.novell.com/security/cve/CVE-2014-6278.html",
- "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash",
- "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272",
- "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279",
- "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361",
- "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879",
- "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897",
- "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898",
- "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21685541",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21685604",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21685733",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21685749",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21685914",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21686131",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21686246",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21686445",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21686479",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21686494",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21687079",
- "http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315",
- "http://www.mandriva.com/security/advisories?name=MDVSA-2015:164",
- "http://www.novell.com/support/kb/doc.php?id=7015721",
- "http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html",
- "http://www.qnap.com/i/en/support/con_show.php?cid=61",
- "http://www.ubuntu.com/usn/USN-2380-1",
- "http://www.vmware.com/security/advisories/VMSA-2014-0010.html",
- "https://bugzilla.redhat.com/show_bug.cgi?id=1147414",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278",
- "https://kb.bluecoat.com/index?page=content\u0026id=SA82",
- "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10648",
- "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10085",
- "https://security-tracker.debian.org/tracker/CVE-2014-6278",
- "https://support.citrix.com/article/CTX200217",
- "https://support.citrix.com/article/CTX200223",
- "https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html",
- "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04497075",
- "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04518183",
- "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk102673\u0026src=securityAlerts",
- "https://www.exploit-db.com/exploits/39568/",
- "https://www.exploit-db.com/exploits/39887/",
- "https://www.suse.com/support/shellshock/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2019-9924",
- "PkgName": "bash",
- "InstalledVersion": "4.2.46-31.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "bash: BASH_CMD is writable in restricted bash shells",
- "Description": "rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.",
- "Severity": "HIGH",
- "References": [
- "http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65",
- "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00049.html",
- "https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924",
- "https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html",
- "https://security.netapp.com/advisory/ntap-20190411-0001/"
- ]
- },
  {
  "VulnerabilityID": "CVE-2012-6711",
  "PkgName": "bash",
@@ -292,6 +29,7 @@
  "Layer": {
  "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
  },
+ "SeveritySource": "redhat",
  "Title": "bash: heap-based buffer overflow during echo of unsupported characters",
  "Description": "A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().",
  "Severity": "MEDIUM",
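Review bot: The CVE-2014-6277 and CVE-2014-6278 entries for bash 4.2.46-31.el7 (both CRITICAL, neither carrying a FixedVersion) drop out of the expected centos-7 output in the `@@ -20,271 +22,6 @@` hunk, and nothing in the fixture or test records why. If the trivy-db snapshot pinned in go.mod now carries a Red Hat not-affected or won't-fix state for these IDs, their absence is presumably the intended result of reading severity from the redhat source, but a matching regression that silently loses unfixed advisories would produce the same golden diff, so I would confirm the reason against the database before accepting the fixture. A one-line note in the integration test that consumes this file would make the expectation durable, e.g. `// centos-7: unfixed bash advisories (CVE-2014-6277/6278) are intentionally absent with the redhat source`. CVE-2019-9924, removed in the same hunk, is re-added by the following `@@ -302,6 +40,43 @@` hunk with its Severity changed from HIGH to MEDIUM, which is consistent with the SeveritySource field added alongside it.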
@@ -302,6 +40,43 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6711" ] }, + { + "VulnerabilityID": "CVE-2019-9924", + "PkgName": "bash", + "InstalledVersion": "4.2.46-31.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "bash: BASH_CMD is writable in restricted bash shells", + "Description": "rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.", + "Severity": "MEDIUM", + "References": [ + "http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00049.html", + "https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html", + "https://security.netapp.com/advisory/ntap-20190411-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18276", + "PkgName": "bash", + "InstalledVersion": "4.2.46-31.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped", + "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html", + "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff", + "https://www.youtube.com/watch?v=-wGtxJ8opa8" + ] + }, { "VulnerabilityID": "CVE-2018-5743", "PkgName": "bind-license", 
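Review bot: The re-added CVE-2019-9924 entry is expected at `"Severity": "MEDIUM"` with `"SeveritySource": "redhat"`, whereas the entry removed earlier in this diff carried `"Severity": "HIGH"`; the same vendor-driven downgrade from MEDIUM to LOW appears in the hunks at `@@ -325,9 +164,10 @@` and `@@ -370,25 +190,18 @@`. Severity-based filtering in consumers keys off this field, so the golden now pins the distribution's own rating over the NVD rating as the expected behaviour. If the commit description does not already say this is deliberate, it should, so that a later regeneration that flips these values back is recognised as a regression rather than noise. The added `SeveritySource` field makes the origin explicit, which is the right thing to record; a reader of the fixture alone cannot otherwise tell why the ratings moved.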
@@ -310,12 +85,76 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "bind: Limiting simultaneous TCP clients is ineffective", "Description": "By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.6, 9.12.0 -\u003e 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -\u003e 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -\u003e 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-5743.html", + "http://linux.oracle.com/errata/ELSA-2019-1492.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743", - "https://kb.isc.org/docs/cve-2018-5743" + "https://kb.isc.org/docs/cve-2018-5743", + "https://support.f5.com/csp/article/K74009656?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.synology.com/security/advisory/Synology_SA_19_20" + ] + }, + { + "VulnerabilityID": "CVE-2018-5741", + "PkgName": "bind-license", + "InstalledVersion": "32:9.9.4-73.el7_6", + "FixedVersion": "32:9.11.4-9.P2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies", + "Description": "To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 
provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-5741.html", + "http://linux.oracle.com/errata/ELSA-2019-2057.html", + "http://www.securityfocus.com/bid/105379", + "http://www.securitytracker.com/id/1041674", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741", + "https://kb.isc.org/docs/cve-2018-5741", + "https://security.gentoo.org/glsa/201903-13", + "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03927en_us" + ] + }, + { + "VulnerabilityID": "CVE-2019-6477", + "PkgName": "bind-license", + "InstalledVersion": "32:9.9.4-73.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "bind: TCP Pipelining doesn't limit TCP clients on a single connection", + "Description": "With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. 
When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).", + "Severity": "MEDIUM", + "References": [ + "https://kb.isc.org/docs/cve-2019-6477", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN/", + "https://support.f5.com/csp/article/K15840535?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.synology.com/security/advisory/Synology_SA_19_39" + ] + }, + { + "VulnerabilityID": "CVE-2013-5661", + "PkgName": "bind-license", + "InstalledVersion": "32:9.9.4-73.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "DNS response rate limiting can simplify cache poisoning attacks", + "Description": "Cache Poisoning issue exists in DNS Response Rate Limiting.", + "Severity": "LOW", + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5661", + "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5661", + "https://security-tracker.debian.org/tracker/CVE-2013-5661" ] }, { 
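Review bot: Two of the added reference URLs carry an HTML entity instead of a bare ampersand: `"https://support.f5.com/csp/article/K74009656?utm_source=f5support\u0026amp;utm_medium=RSS"` and the K15840535 link later in the same hunk both contain `\u0026amp;`, i.e. `&amp;`, so after JSON decoding the query string is `...f5support&amp;utm_medium=RSS` and does not round-trip as a clean URL. The golden faithfully records what the database emits, so the fix belongs in the upstream feed import rather than in this fixture, but it is worth noting in the commit or filing separately so the expectation is not read as endorsing the escaped form. Fixture JSON has no comment syntax, so that explanation has to live in the commit description.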
@@ -325,9 +164,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "bind: Improper restriction of zone size limit", "Description": "ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/07/06/3", "http://www.securityfocus.com/bid/91611", 
@@ -343,26 +183,6 @@ "https://security.gentoo.org/glsa/201610-07" ] }, - { - "VulnerabilityID": "CVE-2018-5741", - "PkgName": "bind-license", - "InstalledVersion": "32:9.9.4-73.el7_6", - "FixedVersion": "32:9.11.4-9.P2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies", - "Description": "To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105379", - "http://www.securitytracker.com/id/1041674", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741", - "https://kb.isc.org/docs/cve-2018-5741", - "https://security.gentoo.org/glsa/201903-13", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03927en_us" - ] - }, { "VulnerabilityID": "CVE-2018-5745", "PkgName": "bind-license", 
@@ -370,25 +190,18 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "bind: An assertion failure if a trust anchor rolls over to an unsupported key algorithm when using managed-keys", "Description": "\"managed-keys\" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.5-P1, 9.12.0 -\u003e 9.12.3-P1, and versions 9.9.3-S1 -\u003e 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -\u003e 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-5745.html", + "http://linux.oracle.com/errata/ELSA-2019-3552.html", + "https://access.redhat.com/errata/RHSA-2019:3552", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5745", "https://kb.isc.org/docs/cve-2018-5745" ] }, - { - "VulnerabilityID": "CVE-2013-5661", - "PkgName": "bind-license", - "InstalledVersion": "32:9.9.4-73.el7_6", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "DNS response rate limiting can simplify cache poisoning attacks", - "Description": "No description is available for this CVE.", - "Severity": "LOW" - }, { "VulnerabilityID": "CVE-2019-6465", "PkgName": "bind-license", 
@@ -396,1127 +209,18 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "bind: Controls for zone transfers may not be properly applied to DLZs if the zones are writable", "Description": "Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -\u003e 9.10.8-P1, 9.11.0 -\u003e 9.11.5-P2, 9.12.0 -\u003e 9.12.3-P2, and versions 9.9.3-S1 -\u003e 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -\u003e 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-6465.html", + "http://linux.oracle.com/errata/ELSA-2019-3552.html", + "https://access.redhat.com/errata/RHSA-2019:3552", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6465", "https://kb.isc.org/docs/cve-2019-6465" ] }, - { - "VulnerabilityID": "CVE-2014-9939", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: buffer overflow in ihex.c", - "Description": "ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.", - "Severity": "HIGH", - "References": [ - "http://www.openwall.com/lists/oss-security/2015/07/31/6", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9939", - "https://sourceware.org/bugzilla/show_bug.cgi?id=18750", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e27a9d5f22f9f7ead11738b1546d0b5c737266b" - ] - }, - { - "VulnerabilityID": "CVE-2017-13716", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, 
- "Title": "binutils: Memory leak with the C++ symbol demangler routine in libiberty", - "Description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" - ] - }, - { - "VulnerabilityID": "CVE-2017-14930", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Memory leak in decode_line_info", - "Description": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14930", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22191" - ] - }, - { - "VulnerabilityID": "CVE-2017-7614", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in bfd_elf_final_link function", - "Description": "elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.", - "Severity": "HIGH", - "References": [ - 
"https://blogs.gentoo.org/ago/2017/04/05/binutils-two-null-pointer-dereference-in-elflink-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7614", - "https://security.gentoo.org/glsa/201709-02" - ] - }, - { - "VulnerabilityID": "CVE-2017-8421", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Memory exhaustion in objdump via a crafted PE file", - "Description": "The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8421", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21440" - ] - }, - { - "VulnerabilityID": "CVE-2018-12699", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: heap-based buffer overflow in finish_stab in stabs.c", - "Description": "finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. 
This can occur during execution of objdump.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/104540", - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", - "https://security.gentoo.org/glsa/201908-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" - ] - }, - { - "VulnerabilityID": "CVE-2015-8538", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libdwarf: Out-of-bounds read in dwarf_leb.c", - "Description": "dwarf_leb.c in libdwarf allows attackers to cause a denial of service (SIGSEGV).", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2015/12/10/3", - "https://bugzilla.redhat.com/show_bug.cgi?id=1291299", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8538" - ] - }, - { - "VulnerabilityID": "CVE-2016-2226", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc: Exploitable buffer overflow", - "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90103", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2226", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687", - "https://www.exploit-db.com/exploits/42386/" - ] - }, - { - "VulnerabilityID": "CVE-2016-4487", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc: 
Invalid write due to a use-after-free to array btypevec", - "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90025", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4487", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481" - ] - }, - { - "VulnerabilityID": "CVE-2016-4488", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", - "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90025", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4488", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481" - ] - }, - { - "VulnerabilityID": "CVE-2016-4489", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc: Invalid write due to integer overflow", - "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90017", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4489", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492" - ] - }, - { - "VulnerabilityID": "CVE-2016-4490", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc: Write access violation", - "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90019", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4490", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498" - ] - }, - { - "VulnerabilityID": "CVE-2016-4491", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", - "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90016", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4491", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909", - "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00105.html" - ] - }, - { - "VulnerabilityID": "CVE-2016-4492", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc: Read access violations", - "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90014", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4492", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926", - "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" - ] - }, - { - "VulnerabilityID": "CVE-2016-4493", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc: Read access violations", - "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90014", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4493", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926", - "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" - ] - }, - { - "VulnerabilityID": "CVE-2016-6131", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler", - "Description": "The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.", - "Severity": 
"MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/06/30/4", - "http://www.openwall.com/lists/oss-security/2016/06/30/7", - "http://www.securityfocus.com/bid/91519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696", - "https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html" - ] - }, - { - "VulnerabilityID": "CVE-2017-12449", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: out of bounds heap read in _bfd_vms_save_sized_string function", - "Description": "The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12449", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" - ] - }, - { - "VulnerabilityID": "CVE-2017-12451", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: out of bounds stack read in _bfd_xcoff_read_ar_hdr function", - "Description": "The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12451", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21786" - ] - }, - { - "VulnerabilityID": "CVE-2017-12452", - "PkgName": "binutils", - "InstalledVersion": 
"2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: out of bounds heap read in bfd_mach_o_i386_canonicalize_one_reloc function", - "Description": "The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12452", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" - ] - }, - { - "VulnerabilityID": "CVE-2017-12453", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: out of bounds heap read in __bfd_vms_slurp_eeom function", - "Description": "The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12453", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" - ] - }, - { - "VulnerabilityID": "CVE-2017-12454", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Arbitrary memory read in _bfd_vms_slurp_egs function", - "Description": "The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.", - "Severity": 
"MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12454", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" - ] - }, - { - "VulnerabilityID": "CVE-2017-12455", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: out of bounds heap read in evax_bfd_print_emh function", - "Description": "The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12455", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" - ] - }, - { - "VulnerabilityID": "CVE-2017-12456", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: out of bounds heap read in read_symbol_stabs_debugging_inf function", - "Description": "The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12456", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" - ] - }, - { - "VulnerabilityID": "CVE-2017-12457", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in bfd_make_section_with_flags function", - "Description": "The bfd_make_section_with_flags function in section.c in 
the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12457", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" - ] - }, - { - "VulnerabilityID": "CVE-2017-12458", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: out of bounds heap read in nlm_swap_auxiliary_headers_in function", - "Description": "The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12458", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" - ] - }, - { - "VulnerabilityID": "CVE-2017-12799", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based 1 byte buffer over-write in elf_read_notes function in bfd/elf.c", - "Description": "The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100292", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12799", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21933" - ] - }, - { - "VulnerabilityID": "CVE-2017-12967", - "PkgName": "binutils", 
- "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack-based buffer over-read in getsym function in tekhex.c", - "Description": "The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100462", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12967", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21962" - ] - }, - { - "VulnerabilityID": "CVE-2017-13710", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in the setup_group function", - "Description": "The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100499", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13710", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0c54f69295208331faab9bc5e995111a35672f9b" - ] - }, - { - "VulnerabilityID": "CVE-2017-13757", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: heap-based buffer over-read in elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c", 
- "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100532", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13757", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22018", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=90efb6422939ca031804266fba669f77c22a274a" - ] - }, - { - "VulnerabilityID": "CVE-2017-14128", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer over-read in the decode_line_info function", - "Description": "The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100623", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14128", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22059", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e8b60085eb3e6f2c41bc0c00c0d759fa7f72780" - ] - }, - { - "VulnerabilityID": "CVE-2017-14129", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer over-read in the read_section function", - 
"Description": "The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100624", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14129", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22047", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e4f2723003859dc6b33ca0dadbc4a7659ebf1643" - ] - }, - { - "VulnerabilityID": "CVE-2017-14130", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer over-read in the _bfd_elf_parse_attributes function", - "Description": "The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100625", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14130", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22058", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2a143b99fc4a5094a9cf128f3184d8e6818c8229" - ] - }, - { - "VulnerabilityID": "CVE-2017-14529", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: heap-based buffer over-read in bfd_getl16 function in peXXigen.c", - "Description": "The 
pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14529", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22113", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4d465c689a8fb27212ef358d0aee89d60dee69a6", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dcaaca89e8618eba35193c27afcb1cfa54f74582" - ] - }, - { - "VulnerabilityID": "CVE-2017-14729", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap buffer overflow in the *_get_synthetic_symtab functions", - "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/09/25/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14729", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22170", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=56933f9e3e90eebf1018ed7417d6c1184b91db6b", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=61e3bf5f83f7e505b6bc51ef65426e5b31e6e360" - ] - }, - { - "VulnerabilityID": 
"CVE-2017-14745", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Integer overflow in the *_get_synthetic_symtab functions", - "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14745", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22148" - ] - }, - { - "VulnerabilityID": "CVE-2017-14932", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Infinite loop in the decode_line_info", - "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14932", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22204", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e338894dc2e603683bed2172e8e9f25b29051005" - ] - }, - { - "VulnerabilityID": "CVE-2017-14933", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Infinite loop in read_formatted_entries", - "Description": "read_formatted_entries in dwarf2.c 
in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14933", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22210", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=33e0a9a056bd23e923b929a4f2ab049ade0b1c32" - ] - }, - { - "VulnerabilityID": "CVE-2017-14934", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Infinite loop in process_debug_info", - "Description": "process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101204", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14934", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22219", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=19485196044b2521af979f1e5c4a89bfb90fba0b" - ] - }, - { - "VulnerabilityID": "CVE-2017-14938", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Excessive memory allocation in _bfd_elf_slurp_version_tables", - "Description": "_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU 
Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101212", - "https://blogs.gentoo.org/ago/2017/09/26/binutils-memory-allocation-failure-in-_bfd_elf_slurp_version_tables-elf-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14938", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22166", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bd61e135492ecf624880e6b78e5fcde3c9716df6" - ] - }, - { - "VulnerabilityID": "CVE-2017-14939", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer over-read in the decode_line_info", - "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101216", - "https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14939", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22169", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=515f23e63c0074ab531bc954f84ca40c6281a724", - "https://www.exploit-db.com/exploits/42970/" - ] - }, - { - "VulnerabilityID": "CVE-2017-14940", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in the scan_unit_for_symbols", - 
"Description": "scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/09/26/binutils-null-pointer-dereference-in-scan_unit_for_symbols-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14940", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22166", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0d76029f92182c3682d8be2c833d45bc9a2068fe" - ] - }, - { - "VulnerabilityID": "CVE-2017-14974", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in the *_get_synthetic_symtab functions", - "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14974", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22163", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e70c19e3a4c26e9c1ebf0c9170d105039b56d7cf" - ] - }, - { - "VulnerabilityID": "CVE-2017-15020", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer overflow in parse_die", - "Description": "dwarf1.c in the Binary File Descriptor (BFD) library (aka 
libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-parse_die-dwarf1-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15020", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22202", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5" - ] - }, - { - "VulnerabilityID": "CVE-2017-15021", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer over-read in bfd_get_debug_link_info_1", - "Description": "bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-bfd_getl32-opncls-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15021", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22197", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52b36c51e5bf6d7600fdc6ba115b170b0e78e31d" - ] - }, - { - "VulnerabilityID": "CVE-2017-15022", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in dwarf2.c", - "Description": "dwarf2.c in the 
Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15022", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22201", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11855d8a1f11b102a702ab76e95b22082cccf2f8" - ] - }, - { - "VulnerabilityID": "CVE-2017-15023", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in read_formatted_entries", - "Description": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101611", - "https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15023", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22200", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c361faae8d964db951b7100cada4dcdc983df1bf" - ] - }, - { - "VulnerabilityID": "CVE-2017-15024", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - 
"DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Infinite recursion in find_abstract_instance_name", - "Description": "find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/10/03/binutils-infinite-loop-in-find_abstract_instance_name-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15024", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22187", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52a93b95ec0771c97e26f0bb28630a271a667bd2" - ] - }, - { - "VulnerabilityID": "CVE-2017-15025", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Divide-by-zero in decode_line_info", - "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/10/03/binutils-divide-by-zero-in-decode_line_info-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15025", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22186", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d8010d3e75ec7194a4703774090b27486b742d48" - ] - }, - { - "VulnerabilityID": "CVE-2017-15225", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Memory leak in 
_bfd_dwarf2_cleanup_debug_info", - "Description": "_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15225", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22212", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b55ec8b676ed05d93ee49d6c79ae0403616c4fb0" - ] - }, - { - "VulnerabilityID": "CVE-2017-15938", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Invalid memory read in find_abstract_instance_name", - "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101610", - "https://blogs.gentoo.org/ago/2017/10/24/binutils-invalid-memory-read-in-find_abstract_instance_name-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15938", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22209", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1b86808a86077722ee4f42ff97f836b12420bb2a" - ] - }, - { - "VulnerabilityID": "CVE-2017-15939", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in the concat_filename", - 
"Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101613", - "https://blogs.gentoo.org/ago/2017/10/24/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023/", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22205", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a54018b72d75abf2e74bf36016702da06399c1d9" - ] - }, - { - "VulnerabilityID": "CVE-2017-15996", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Excessive memory allocation in elfcomm.c", - "Description": "elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a \"buffer overflow on fuzzed archive header,\" related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101608", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15996", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22361", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d91f0b20e561e326ee91a09a76206257bde8438b" - ] - }, - { - "VulnerabilityID": "CVE-2017-16826", - "PkgName": 
"binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Invalid memory access in the coff_slurp_line_table function", - "Description": "The coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16826", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22376", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a67d66eb97e7613a38ffe6622d837303b3ecd31d" - ] - }, - { - "VulnerabilityID": "CVE-2017-16827", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Invalid free in the aout_get_external_symbols function", - "Description": "The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16827", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22306", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419" - ] - }, - { - "VulnerabilityID": "CVE-2017-16828", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Integer overflow in the display_debug_frames function", - "Description": "The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16828", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22386", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d" - ] - }, - { - "VulnerabilityID": "CVE-2017-16829", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds read in the _bfd_elf_parse_gnu_properties function", - "Description": "The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16829", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22307", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf54ebff3b7361989712fd9c0128a9b255578163" - ] - }, - { - "VulnerabilityID": "CVE-2017-16830", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Segmentation fault in the print_gnu_property_note function", - "Description": "The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101941", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16830", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22384", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6ab2c4ed51f9c4243691755e1b1d2149c6a426f4" - ] - }, - { - "VulnerabilityID": "CVE-2017-16831", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Integer overflow in coffgen.c", - "Description": "coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16831", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22385", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca" - ] - }, - { - "VulnerabilityID": "CVE-2017-16832", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Segmentation fault in the pe_bfd_read_buildid function", - "Description": "The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16832", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22373", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bb6961f18b8e832d88b490d421ca56cea16c45b" - ] - }, - { - "VulnerabilityID": "CVE-2017-17080", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer over-read in bfd_getl32", - "Description": "elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17080", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22421" - ] - }, - { - "VulnerabilityID": "CVE-2017-17121", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Memory access violation via a crafted COFF binary", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17121", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22506", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b23dc97fe237a1d9e850d7cbeee066183a00630b" - ] - }, - { - "VulnerabilityID": "CVE-2017-17122", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Excessive memory allocation in the dump_relocs_in_section function", - "Description": "The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17122", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22508", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d785b7d4b877ed465d04072e17ca19d0f47d840f" - ] - }, - { - "VulnerabilityID": "CVE-2017-17123", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in the coff_slurp_reloc_table function", - "Description": "The coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17123", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22509", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4581a1c7d304ce14e714b27522ebf3d0188d6543" - ] - }, - { - "VulnerabilityID": "CVE-2017-17124", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap buffer overflow in the _bfd_coff_read_string_table function", - "Description": "The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17124", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22507", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b0029dce6867de1a2828293177b0e030d2f0f03c" - ] - }, - { - "VulnerabilityID": "CVE-2017-17125", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { 
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Buffer over-read in the _bfd_elf_get_symbol_version_string function", - "Description": "nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17125", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22443", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=160b1a618ad94988410dc81fce9189fcda5b7ff4" - ] - }, - { - "VulnerabilityID": "CVE-2017-17126", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Invalid memory access in the load_debug_section function", - "Description": "The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17126", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22510", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f425ec6600b69e39eb605f3128806ff688137ea8" - ] - }, { "VulnerabilityID": "CVE-2017-6965", "PkgName": "binutils", 
@@ -1524,6 +228,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "binutils: Heap-based buffer overflow in target_specific_reloc_handling in readelf", "Description": "readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.", "Severity": "MEDIUM", @@ -1540,6 +245,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "binutils: Use-after-free in target_specific_reloc_handling in readelf", "Description": "readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.", "Severity": "MEDIUM", 
@@ -1549,757 +255,6 @@ "https://sourceware.org/bugzilla/show_bug.cgi?id=21139" ] }, - { - "VulnerabilityID": "CVE-2017-6969", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer over-read in readelf when processing corrupt RL78 binaries", - "Description": "readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97065", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21156" - ] - }, - { - "VulnerabilityID": "CVE-2017-7209", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Null pointer dereference in dump_section_as_bytes function in readelf", - "Description": "The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/96994", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21135" - ] - }, - { - "VulnerabilityID": "CVE-2017-7210", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer over-reads in objdump", - "Description": "objdump in GNU Binutils 2.28 is vulnerable to 
multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/96992", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21157" - ] - }, - { - "VulnerabilityID": "CVE-2017-7223", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Global buffer overflow when attempting to unget EOF character", - "Description": "GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7223", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20898" - ] - }, - { - "VulnerabilityID": "CVE-2017-7224", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Invalid write in find_nearest_line function", - "Description": "The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97277", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7224", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20892" - ] - }, - { - "VulnerabilityID": "CVE-2017-7225", - 
"PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Null pointer dereference and invalid write in find_nearest_line function in addr2line", - "Description": "The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97275", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7225", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20891" - ] - }, - { - "VulnerabilityID": "CVE-2017-7226", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer over-read in pe_ILF_object_p function in libbfd", - "Description": "The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. 
It could lead to information disclosure as well.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7226", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20905" - ] - }, - { - "VulnerabilityID": "CVE-2017-7227", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-based buffer overflow in ld due to missing null termination", - "Description": "GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\\0' termination of a name field in ldlex.l.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97209", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7227", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20906" - ] - }, - { - "VulnerabilityID": "CVE-2017-7299", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds read in bfd_elf_final_link function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. 
The vulnerability leads to a GNU linker (ld) program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97217", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7299", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20908" - ] - }, - { - "VulnerabilityID": "CVE-2017-7300", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-buffer overflow in aout_link_add_symbols function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97219", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7300", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20909" - ] - }, - { - "VulnerabilityID": "CVE-2017-7301", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Off-by-one error in aout_link_add_symbols function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. 
The vulnerability could lead to a GNU linker (ld) program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97218", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7301", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20924" - ] - }, - { - "VulnerabilityID": "CVE-2017-7302", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds read in wap_std_reloc_out function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97216", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7302", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20921" - ] - }, - { - "VulnerabilityID": "CVE-2017-7303", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds read in find_link function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. 
This vulnerability causes Binutils utilities like strip to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97213", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7303", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20922" - ] - }, - { - "VulnerabilityID": "CVE-2017-7304", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds read in copy_special_section_fields function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97215", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20931" - ] - }, - { - "VulnerabilityID": "CVE-2017-8392", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in the _bfd_dwarf2_find_nearest_line function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21409" - ] - }, - { - "VulnerabilityID": "CVE-2017-8393", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds read due to wrong assumption for objcopy and strip", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8393", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21412" - ] - }, - { - "VulnerabilityID": "CVE-2017-8394", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in the _bfd_elf_large_com_section", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8394", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21414" - ] - }, - { - "VulnerabilityID": "CVE-2017-8395", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds write in the _bfd_generic_get_section_contents function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8395", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21431" - ] - }, - { - "VulnerabilityID": "CVE-2017-8396", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds read in the existing reloc offset range tests", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8396", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21432" - ] - }, - { - "VulnerabilityID": "CVE-2017-8397", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds read and write while processing binary containing reloc(s) with negative addresses", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8397", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21434" - ] - }, - { - "VulnerabilityID": "CVE-2017-8398", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds read while dumping the debug information from a corrupt binary", - "Description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. 
This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8398", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21438" - ] - }, - { - "VulnerabilityID": "CVE-2017-9038", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap-buffer overflow in the byte_get_little_endian", - "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98589", - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9038", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d" - ] - }, - { - "VulnerabilityID": "CVE-2017-9039", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Memory consumption via many program headers", - "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98580", - 
"https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9039", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5" - ] - }, - { - "VulnerabilityID": "CVE-2017-9040", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in the process_mips_specific_function", - "Description": "GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98579", - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9040", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf" - ] - }, - { - "VulnerabilityID": "CVE-2017-9041", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap buffer overflow in the process_mips_specific function", - "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98598", - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9041", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3" - ] - }, - { - "VulnerabilityID": "CVE-2017-9042", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Invalid variable type in readelf.c", - "Description": "readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9042", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf" - ] - }, - { - "VulnerabilityID": "CVE-2017-9043", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Shift exponent too large for type unsigned long in readelf.c", - "Description": "readelf.c in GNU Binutils 2017-04-12 has a \"shift exponent too large for type unsigned long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98591", - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9043", - 
"https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ddef72cdc10d82ba011a7ff81cafbbd3466acf54" - ] - }, - { - "VulnerabilityID": "CVE-2017-9044", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Out-of-bounds read in the print_symbol_for_build_attribute function", - "Description": "The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98587", - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9044" - ] - }, - { - "VulnerabilityID": "CVE-2017-9742", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Global buffer over-read in print_insn_score16 function while disassembling corrupt score binary", - "Description": "The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99105", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9742", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21576", - "https://www.exploit-db.com/exploits/42203/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9743", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Global buffer over-read in print_insn_score32 function while disassembling corrupt score binary", - "Description": "The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99106", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9743", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21577" - ] - }, - { - "VulnerabilityID": "CVE-2017-9744", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Address violation in sh_elf_set_mach_from_flags function when disassembling a corrupt SH binary", - "Description": "The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99108", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9744", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21578" - ] - }, - { - "VulnerabilityID": "CVE-2017-9745", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": 
"binutils: Heap buffer over-read in _bfd_vms_slurp_etir function when handling VMS alpha binaries", - "Description": "The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99109", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9745", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21579" - ] - }, - { - "VulnerabilityID": "CVE-2017-9746", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap buffer over-read in disassemble_bytes function when disassembling a corrupt binary", - "Description": "The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99117", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9746", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21580", - "https://www.exploit-db.com/exploits/42199/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9747", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack-based buffer over-read in ieee_archive_p 
function while disassembling corrupt IEEE binary", - "Description": "The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99114", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9747", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21581", - "https://www.exploit-db.com/exploits/42200/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9748", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack-based buffer over-read in ieee_object_p function", - "Description": "The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. 
NOTE: this may be related to a compiler bug.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99110", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9748", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21582", - "https://www.exploit-db.com/exploits/42202/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9749", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Global buffer over-read in *regs* macros when disassembling corrupt bfin binary", - "Description": "The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99113", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9749", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21586", - "https://www.exploit-db.com/exploits/42201/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9750", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Global buffer over-read in opcodes/rx-decode.opc when disassembling a corrupt RX binary", - "Description": "opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - 
"http://www.securityfocus.com/bid/99118", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9750", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21587", - "https://www.exploit-db.com/exploits/42198/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9751", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack-based buffer over-read in opcodes/rl78-decode.opc when disassembling a corrupt RL78 binary", - "Description": "opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99111", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9751", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21588" - ] - }, - { - "VulnerabilityID": "CVE-2017-9752", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Heap buffer over-read in f_bfd_vms_get_value function when processing a corrupt Alpha VMA binary", - "Description": "bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.", - "Severity": 
"MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99122", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9752", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21589" - ] - }, - { - "VulnerabilityID": "CVE-2017-9753", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Address violation in versados_mkobject function when disassembling a corrupt versados binary", - "Description": "The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99116", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9753", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21591" - ] - }, - { - "VulnerabilityID": "CVE-2017-9754", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack-based buffer over-read in process_otr function", - "Description": "The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - 
"http://www.securityfocus.com/bid/99125", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9754", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21591" - ] - }, - { - "VulnerabilityID": "CVE-2017-9755", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Global buffer over-read in opcodes/i386-dis.c while checking invalid registers", - "Description": "opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99124", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9755", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21594" - ] - }, - { - "VulnerabilityID": "CVE-2017-9756", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Address violation in aarch64_ext_ldst_reglist function when disassembling corrupt aarch64 binary", - "Description": "The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99103", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9756", - "https://security.gentoo.org/glsa/201801-01", - 
"https://sourceware.org/bugzilla/show_bug.cgi?id=21595", - "https://www.exploit-db.com/exploits/42204/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9954", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: stack-based buffer over-read in getvalue function", - "Description": "The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99307", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9954", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21670" - ] - }, - { - "VulnerabilityID": "CVE-2017-9955", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: heap buffer over-read in get_build_id function", - "Description": "The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99573", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9955", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21665" - ] - }, { "VulnerabilityID": "CVE-2018-1000876", "PkgName": "binutils", 
@@ -2308,312 +263,19 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "binutils: integer overflow leads to heap-based buffer overflow in objdump", "Description": "binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000876.html", + "http://linux.oracle.com/errata/ELSA-2019-2075.html", "http://www.securityfocus.com/bid/106304", "https://access.redhat.com/errata/RHSA-2019:2075", "https://sourceware.org/bugzilla/show_bug.cgi?id=23994", "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f" ] }, - { - "VulnerabilityID": "CVE-2018-12641", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "FixedVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack Exhaustion in the demangling functions provided by libiberty", - "Description": "An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. 
This can occur during execution of nm-new.", - "Severity": "MEDIUM", - "References": [ - "https://access.redhat.com/errata/RHSA-2019:2075", - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763099", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452", - "https://security.gentoo.org/glsa/201908-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23058" - ] - }, - { - "VulnerabilityID": "CVE-2018-12697", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "FixedVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in work_stuff_copy_to_from in cplus-dem.c.", - "Description": "A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/104538", - "https://access.redhat.com/errata/RHSA-2019:2075", - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", - "https://security.gentoo.org/glsa/201908-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" - ] - }, - { - "VulnerabilityID": "CVE-2018-12698", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: excessive memory consumption in demangle_template in cplus-dem.c", - "Description": "demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the \"Create an array for saving the template argument values\" XNEWVEC call. 
This can occur during execution of objdump.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/104539", - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", - "https://security.gentoo.org/glsa/201908-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" - ] - }, - { - "VulnerabilityID": "CVE-2018-12700", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack Exhaustion in debug_write_type in debug.c", - "Description": "A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/104541", - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", - "https://security.gentoo.org/glsa/201908-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" - ] - }, - { - "VulnerabilityID": "CVE-2018-12934", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Uncontrolled Resource Consumption in remember_Ktype in cplus-dem.c", - "Description": "remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). 
This can occur during execution of cxxfilt.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763101", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23059" - ] - }, - { - "VulnerabilityID": "CVE-2018-14038", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libbfd: remote dos via crafted file in function aout_32_swap_std_reloc_out in aoutx.h", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-7642. Reason: This candidate is a reservation duplicate of CVE-2018-7642. Notes: All CVE users should reference CVE-2018-7642 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.", - "Severity": "MEDIUM" - }, - { - "VulnerabilityID": "CVE-2018-17794", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in libiberty/cplus-dem.c:work_stuff_copy_to_from() via crafted input", - "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. 
There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.", - "Severity": "MEDIUM", - "References": [ - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350" - ] - }, - { - "VulnerabilityID": "CVE-2018-17985", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack consumption problem caused by the cplus_demangle_type", - "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.", - "Severity": "MEDIUM", - "References": [ - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335" - ] - }, - { - "VulnerabilityID": "CVE-2018-18483", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Integer overflow in cplus-dem.c:get_count() allows for denial of service", - "Description": "The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105689", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23767" - ] - }, - { - "VulnerabilityID": "CVE-2018-18484", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack 
exhaustion in cp-demangle.c allows for denial of service", - "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105693", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636" - ] - }, - { - "VulnerabilityID": "CVE-2018-18605", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: heap-based buffer over-read in sec_merge_hash_lookup in merge.c", - "Description": "A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105754", - "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18605", - "https://security.netapp.com/advisory/ntap-20190307-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23804", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ab419ddbb2cdd17ca83618990f2cacf904ce1d61" - ] - }, - { - "VulnerabilityID": "CVE-2018-18606", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in _bfd_add_merge_section in merge_strings function in merge.c", - "Description": "An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105754", - "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18606", - "https://security.netapp.com/advisory/ntap-20190307-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23806", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45a0eaf77022963d639d6d19871dbab7b79703fc" - ] - }, - { - "VulnerabilityID": "CVE-2018-18607", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: NULL pointer dereference in elf_link_input_bfd in elflink.c", - "Description": "An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105754", - "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18607", - "https://security.netapp.com/advisory/ntap-20190307-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23805", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=102def4da826b3d9e169741421e5e67e8731909a" - ] - }, - { - "VulnerabilityID": "CVE-2018-18700", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Recursive Stack Overflow within function d_name, d_encoding, and d_local_name in cp-demangle.c", - "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681" - ] - }, - { - "VulnerabilityID": "CVE-2018-18701", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: infinite recursion in next_is_type_qual and cplus_demangle_type functions in cp-demangle.c", - "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. 
Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675" - ] - }, - { - "VulnerabilityID": "CVE-2018-19932", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Integer overflow due to the IS_CONTAINED_BY_LMA macro resulting in a denial of service", - "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106144", - "https://security.gentoo.org/glsa/201908-01", - "https://security.netapp.com/advisory/ntap-20190221-0004/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23932", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7" - ] - }, - { - "VulnerabilityID": "CVE-2018-20002", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: memory leak in _bfd_generic_read_minisymbols function in syms.c", - "Description": "The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106142", - "https://security.gentoo.org/glsa/201908-01", - "https://security.netapp.com/advisory/ntap-20190221-0004/", - 
"https://sourceware.org/bugzilla/show_bug.cgi?id=23952", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c2f5dc30afa34696f2da0081c4ac50b958ecb0e9", - "https://support.f5.com/csp/article/K62602089" - ] - }, - { - "VulnerabilityID": "CVE-2018-20657", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", - "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106444", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", - "https://support.f5.com/csp/article/K62602089" - ] - }, { "VulnerabilityID": "CVE-2018-20673", "PkgName": "binutils", @@ -2621,6 +283,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libiberty: Integer overflow in demangle_template() function", "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", "Severity": "MEDIUM", 
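Review bot: The removed entries in this hunk include CVE-2018-12641 and CVE-2018-12697, both of which carried `"FixedVersion": "2.27-41.base.el7"` against the installed `2.27-34.base.el7`, so the new expected output no longer lists two findings the previous database reported as fixable. If the trivy-db bump deliberately changed the RHEL data source (the added `"SeveritySource": "redhat"` lines suggest so), a sentence in the commit description explaining why fixed-version findings disappear would let future readers tell this apart from a detection regression that the golden file would otherwise silently bless. The hunk shrinks from 312 to 19 lines, so the remaining CVE-2018-1000876 entry being the only binutils finding kept here is worth confirming against the new database before the fixture is accepted. This hunk is a test fixture, so no code change is proposed, only the review of the expectation.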
@@ -2629,119 +292,6 @@ "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" ] }, - { - "VulnerabilityID": "CVE-2018-6323", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Integer overflow in elf_object_p function in elfcode.h", - "Description": "The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/102821", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6323", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22746", - "https://www.exploit-db.com/exploits/44035/" - ] - }, - { - "VulnerabilityID": "CVE-2018-6759", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Unchecked strnlen in opncls.c:bfd_get_debug_link_info_1() can allow lead to denial of service", - "Description": "The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. 
Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/103030", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6759", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22794" - ] - }, - { - "VulnerabilityID": "CVE-2018-6872", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: out of bounds read in elf_parse_notes function in elf.c file in libbfd library", - "Description": "The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/103103", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6872", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22788", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6" - ] - }, - { - "VulnerabilityID": "CVE-2018-9138", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack Exhaustion in the the C++ demangling functions provided by libiberty", - "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=23008" - ] - }, - { - "VulnerabilityID": "CVE-2018-9996", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Stack-overflow in libiberty/cplus-dem.c causes crash", - "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/103733", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304" - ] - }, - { - "VulnerabilityID": "CVE-2019-1010204", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read in gold/fileread.cc and elfcpp/elfcpp_file.h leads to denial of service", - "Description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", - "Severity": "MEDIUM", - "References": [ - "https://security.netapp.com/advisory/ntap-20190822-0001/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23765" - ] - }, - { - "VulnerabilityID": "CVE-2019-14250", - "PkgName": "binutils", - "InstalledVersion": "2.27-34.base.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "binutils: integer overflow in simple-object-elf.c leads to a heap-based buffer overflow", - "Description": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/109354", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924", - "https://gcc.gnu.org/ml/gcc-patches/2019-07/msg01003.html", - "https://security.netapp.com/advisory/ntap-20190822-0002/" - ] - }, { "VulnerabilityID": "CVE-2019-9074", "PkgName": "binutils", @@ -2749,6 +299,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "binutils: out-of-bound read in function bfd_getl32 in libbfd.c", "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.", "Severity": "MEDIUM", 
@@ -2765,6 +316,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "binutils: heap-based buffer overflow in function _bfd_archive_64_bit_slurp_armap in archive64.c", "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.", "Severity": "MEDIUM", @@ -2781,6 +333,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "binutils: heap-based buffer overflow in function process_mips_specific in readelf.c", "Description": "An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.", "Severity": "MEDIUM", 
@@ -2792,21 +345,2458 @@ ] }, { - "VulnerabilityID": "CVE-2019-12900", - "PkgName": "bzip2-libs", - "InstalledVersion": "1.0.6-13.el7", + "VulnerabilityID": "CVE-2014-9939", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "bzip2: out-of-bounds write in function BZ2_decompress", - "Description": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "binutils: buffer overflow in ihex.c", + "Description": "ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.", + "Severity": "LOW", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900", - "https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html", - "https://usn.ubuntu.com/4038-1/", - "https://usn.ubuntu.com/4038-2/" + "http://www.openwall.com/lists/oss-security/2015/07/31/6", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9939", + "https://sourceware.org/bugzilla/show_bug.cgi?id=18750", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e27a9d5f22f9f7ead11738b1546d0b5c737266b" + ] + }, + { + "VulnerabilityID": "CVE-2015-8538", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libdwarf: Out-of-bounds read in dwarf_leb.c", + "Description": "dwarf_leb.c in libdwarf allows attackers to cause a denial of service (SIGSEGV).", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2015/12/10/3", + "https://bugzilla.redhat.com/show_bug.cgi?id=1291299", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8538" + ] + }, + { + "VulnerabilityID": "CVE-2016-2226", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "gcc: Exploitable buffer overflow", + "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90103", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2226", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687", + "https://www.exploit-db.com/exploits/42386/" + ] + }, + { + "VulnerabilityID": "CVE-2016-4487", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "gcc: Invalid write due to a use-after-free to array btypevec", + "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90025", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4487", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481" + ] + }, + { + "VulnerabilityID": "CVE-2016-4488", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", + 
"Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90025", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4488", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481" + ] + }, + { + "VulnerabilityID": "CVE-2016-4489", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "gcc: Invalid write due to integer overflow", + "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90017", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4489", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492" + ] + }, + { + "VulnerabilityID": "CVE-2016-4490", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "gcc: Write access violation", + "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90019", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4490", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498" + ] + }, + { + "VulnerabilityID": "CVE-2016-4491", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", + "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90016", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4491", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909", + "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00105.html" + ] + }, + { + "VulnerabilityID": "CVE-2016-4492", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "gcc: Read access violations", + "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90014", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4492", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926", + "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" + ] + }, + { + "VulnerabilityID": "CVE-2016-4493", + "PkgName": "binutils", + "InstalledVersion": 
"2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "gcc: Read access violations", + "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90014", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4493", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926", + "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" + ] + }, + { + "VulnerabilityID": "CVE-2017-12449", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in _bfd_vms_save_sized_string function", + "Description": "The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12449", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" + ] + }, + { + "VulnerabilityID": "CVE-2017-12451", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds stack read in _bfd_xcoff_read_ar_hdr function", + "Description": "The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library 
(aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12451", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21786" + ] + }, + { + "VulnerabilityID": "CVE-2017-12452", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in bfd_mach_o_i386_canonicalize_one_reloc function", + "Description": "The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12452", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" + ] + }, + { + "VulnerabilityID": "CVE-2017-12453", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in __bfd_vms_slurp_eeom function", + "Description": "The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12453", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" + ] + }, + { + "VulnerabilityID": "CVE-2017-12454", + "PkgName": "binutils", + "InstalledVersion": 
"2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Arbitrary memory read in _bfd_vms_slurp_egs function", + "Description": "The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12454", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" + ] + }, + { + "VulnerabilityID": "CVE-2017-12455", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in evax_bfd_print_emh function", + "Description": "The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12455", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" + ] + }, + { + "VulnerabilityID": "CVE-2017-12456", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in read_symbol_stabs_debugging_inf function", + "Description": "The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.", + "Severity": "LOW", + 
"References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12456", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" + ] + }, + { + "VulnerabilityID": "CVE-2017-12457", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in bfd_make_section_with_flags function", + "Description": "The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12457", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" + ] + }, + { + "VulnerabilityID": "CVE-2017-12458", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in nlm_swap_auxiliary_headers_in function", + "Description": "The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12458", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" + ] + }, + { + "VulnerabilityID": "CVE-2017-12799", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": 
"binutils: Heap-based 1 byte buffer over-write in elf_read_notes function in bfd/elf.c", + "Description": "The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100292", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12799", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21933" + ] + }, + { + "VulnerabilityID": "CVE-2017-12967", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack-based buffer over-read in getsym function in tekhex.c", + "Description": "The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100462", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12967", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21962" + ] + }, + { + "VulnerabilityID": "CVE-2017-13710", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the setup_group function", + "Description": "The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service 
(NULL pointer dereference and application crash) via a group section that is too small.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100499", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13710", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0c54f69295208331faab9bc5e995111a35672f9b" + ] + }, + { + "VulnerabilityID": "CVE-2017-13716", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory leak with the C++ symbol demangler routine in libiberty", + "Description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ] + }, + { + "VulnerabilityID": "CVE-2017-13757", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer over-read in elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.", + "Severity": "LOW", + "References": [ + 
"http://www.securityfocus.com/bid/100532", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13757", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22018", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=90efb6422939ca031804266fba669f77c22a274a" + ] + }, + { + "VulnerabilityID": "CVE-2017-14128", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in the decode_line_info function", + "Description": "The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100623", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14128", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22059", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e8b60085eb3e6f2c41bc0c00c0d759fa7f72780" + ] + }, + { + "VulnerabilityID": "CVE-2017-14129", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in the read_section function", + "Description": "The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100624", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14129", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22047", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e4f2723003859dc6b33ca0dadbc4a7659ebf1643" + ] + }, + { + "VulnerabilityID": "CVE-2017-14130", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in the _bfd_elf_parse_attributes function", + "Description": "The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100625", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14130", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22058", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2a143b99fc4a5094a9cf128f3184d8e6818c8229" + ] + }, + { + "VulnerabilityID": "CVE-2017-14529", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer over-read in bfd_getl16 function in peXXigen.c", + "Description": "The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 
function.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14529", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22113", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4d465c689a8fb27212ef358d0aee89d60dee69a6", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dcaaca89e8618eba35193c27afcb1cfa54f74582" + ] + }, + { + "VulnerabilityID": "CVE-2017-14729", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer overflow in the *_get_synthetic_symtab functions", + "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/09/25/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14729", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22170", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=56933f9e3e90eebf1018ed7417d6c1184b91db6b", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=61e3bf5f83f7e505b6bc51ef65426e5b31e6e360" + ] + }, + { + "VulnerabilityID": "CVE-2017-14745", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow in the *_get_synthetic_symtab functions", + "Description": 
"The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14745", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22148" + ] + }, + { + "VulnerabilityID": "CVE-2017-14930", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory leak in decode_line_info", + "Description": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14930", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22191" + ] + }, + { + "VulnerabilityID": "CVE-2017-14932", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Infinite loop in the decode_line_info", + "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14932", + 
"https://sourceware.org/bugzilla/show_bug.cgi?id=22204", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e338894dc2e603683bed2172e8e9f25b29051005" + ] + }, + { + "VulnerabilityID": "CVE-2017-14933", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Infinite loop in read_formatted_entries", + "Description": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101203", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14933", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22210", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=33e0a9a056bd23e923b929a4f2ab049ade0b1c32" + ] + }, + { + "VulnerabilityID": "CVE-2017-14934", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Infinite loop in process_debug_info", + "Description": "process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101204", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14934", + 
"https://sourceware.org/bugzilla/show_bug.cgi?id=22219", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=19485196044b2521af979f1e5c4a89bfb90fba0b" + ] + }, + { + "VulnerabilityID": "CVE-2017-14938", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Excessive memory allocation in _bfd_elf_slurp_version_tables", + "Description": "_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101212", + "https://blogs.gentoo.org/ago/2017/09/26/binutils-memory-allocation-failure-in-_bfd_elf_slurp_version_tables-elf-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14938", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22166", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bd61e135492ecf624880e6b78e5fcde3c9716df6" + ] + }, + { + "VulnerabilityID": "CVE-2017-14939", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in the decode_line_info", + "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101216", + 
"https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14939", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22169", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=515f23e63c0074ab531bc954f84ca40c6281a724", + "https://www.exploit-db.com/exploits/42970/" + ] + }, + { + "VulnerabilityID": "CVE-2017-14940", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the scan_unit_for_symbols", + "Description": "scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/09/26/binutils-null-pointer-dereference-in-scan_unit_for_symbols-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14940", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22166", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0d76029f92182c3682d8be2c833d45bc9a2068fe" + ] + }, + { + "VulnerabilityID": "CVE-2017-14974", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the *_get_synthetic_symtab functions", + "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer 
dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14974", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22163", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e70c19e3a4c26e9c1ebf0c9170d105039b56d7cf" + ] + }, + { + "VulnerabilityID": "CVE-2017-15020", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer overflow in parse_die", + "Description": "dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-parse_die-dwarf1-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15020", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22202", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5" + ] + }, + { + "VulnerabilityID": "CVE-2017-15021", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in bfd_get_debug_link_info_1", + "Description": "bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service 
(heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-bfd_getl32-opncls-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15021", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22197", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52b36c51e5bf6d7600fdc6ba115b170b0e78e31d" + ] + }, + { + "VulnerabilityID": "CVE-2017-15022", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in dwarf2.c", + "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15022", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22201", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11855d8a1f11b102a702ab76e95b22082cccf2f8" + ] + }, + { + "VulnerabilityID": "CVE-2017-15023", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in read_formatted_entries", + "Description": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as 
distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101611", + "https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15023", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22200", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c361faae8d964db951b7100cada4dcdc983df1bf" + ] + }, + { + "VulnerabilityID": "CVE-2017-15024", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Infinite recursion in find_abstract_instance_name", + "Description": "find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/10/03/binutils-infinite-loop-in-find_abstract_instance_name-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15024", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22187", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52a93b95ec0771c97e26f0bb28630a271a667bd2" + ] + }, + { + "VulnerabilityID": "CVE-2017-15025", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Divide-by-zero in 
decode_line_info", + "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/10/03/binutils-divide-by-zero-in-decode_line_info-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15025", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22186", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d8010d3e75ec7194a4703774090b27486b742d48" + ] + }, + { + "VulnerabilityID": "CVE-2017-15225", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory leak in _bfd_dwarf2_cleanup_debug_info", + "Description": "_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15225", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22212", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b55ec8b676ed05d93ee49d6c79ae0403616c4fb0" + ] + }, + { + "VulnerabilityID": "CVE-2017-15938", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid memory read in find_abstract_instance_name", + "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of 
a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101610", + "https://blogs.gentoo.org/ago/2017/10/24/binutils-invalid-memory-read-in-find_abstract_instance_name-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15938", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22209", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1b86808a86077722ee4f42ff97f836b12420bb2a" + ] + }, + { + "VulnerabilityID": "CVE-2017-15939", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the concat_filename", + "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. 
NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101613", + "https://blogs.gentoo.org/ago/2017/10/24/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023/", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22205", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a54018b72d75abf2e74bf36016702da06399c1d9" + ] + }, + { + "VulnerabilityID": "CVE-2017-15996", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Excessive memory allocation in elfcomm.c", + "Description": "elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a \"buffer overflow on fuzzed archive header,\" related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101608", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15996", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22361", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d91f0b20e561e326ee91a09a76206257bde8438b" + ] + }, + { + "VulnerabilityID": "CVE-2017-16826", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid memory access in the coff_slurp_line_table function", + "Description": "The 
coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16826", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22376", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a67d66eb97e7613a38ffe6622d837303b3ecd31d" + ] + }, + { + "VulnerabilityID": "CVE-2017-16827", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid free in the aout_get_external_symbols function", + "Description": "The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16827", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22306", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419" + ] + }, + { + "VulnerabilityID": "CVE-2017-16828", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow in the display_debug_frames function", + "Description": "The display_debug_frames function in 
dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16828", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22386", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d" + ] + }, + { + "VulnerabilityID": "CVE-2017-16829", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in the _bfd_elf_parse_gnu_properties function", + "Description": "The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16829", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22307", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf54ebff3b7361989712fd9c0128a9b255578163" + ] + }, + { + "VulnerabilityID": "CVE-2017-16830", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Segmentation fault in the print_gnu_property_note function", + "Description": "The print_gnu_property_note 
function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101941", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16830", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22384", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6ab2c4ed51f9c4243691755e1b1d2149c6a426f4" + ] + }, + { + "VulnerabilityID": "CVE-2017-16831", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow in coffgen.c", + "Description": "coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16831", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22385", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca" + ] + }, + { + "VulnerabilityID": "CVE-2017-16832", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Segmentation fault in the pe_bfd_read_buildid function", + "Description": "The 
pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16832", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22373", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bb6961f18b8e832d88b490d421ca56cea16c45b" + ] + }, + { + "VulnerabilityID": "CVE-2017-17080", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in bfd_getl32", + "Description": "elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17080", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22421" + ] + }, + { + "VulnerabilityID": "CVE-2017-17121", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory access violation via a crafted COFF binary", + "Description": "The Binary File 
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17121", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22506", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b23dc97fe237a1d9e850d7cbeee066183a00630b" + ] + }, + { + "VulnerabilityID": "CVE-2017-17122", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Excessive memory allocation in the dump_relocs_in_section function", + "Description": "The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17122", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22508", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d785b7d4b877ed465d04072e17ca19d0f47d840f" + ] + }, + { + "VulnerabilityID": "CVE-2017-17123", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the coff_slurp_reloc_table function", + "Description": "The 
coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17123", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22509", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4581a1c7d304ce14e714b27522ebf3d0188d6543" + ] + }, + { + "VulnerabilityID": "CVE-2017-17124", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer overflow in the _bfd_coff_read_string_table function", + "Description": "The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17124", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22507", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b0029dce6867de1a2828293177b0e030d2f0f03c" + ] + }, + { + "VulnerabilityID": "CVE-2017-17125", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Buffer over-read in 
the _bfd_elf_get_symbol_version_string function", + "Description": "nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17125", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22443", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=160b1a618ad94988410dc81fce9189fcda5b7ff4" + ] + }, + { + "VulnerabilityID": "CVE-2017-17126", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid memory access in the load_debug_section function", + "Description": "The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17126", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22510", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f425ec6600b69e39eb605f3128806ff688137ea8" + ] + }, + { + "VulnerabilityID": "CVE-2017-6969", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in readelf when processing corrupt RL78 binaries", + "Description": "readelf in GNU Binutils 2.28 is 
vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97065", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21156" + ] + }, + { + "VulnerabilityID": "CVE-2017-7209", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Null pointer dereference in dump_section_as_bytes function in readelf", + "Description": "The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/96994", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21135" + ] + }, + { + "VulnerabilityID": "CVE-2017-7210", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-reads in objdump", + "Description": "objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/96992", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210", + "https://security.gentoo.org/glsa/201801-01", + 
"https://sourceware.org/bugzilla/show_bug.cgi?id=21157" + ] + }, + { + "VulnerabilityID": "CVE-2017-7223", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer overflow when attempting to unget EOF character", + "Description": "GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7223", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20898" + ] + }, + { + "VulnerabilityID": "CVE-2017-7224", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid write in find_nearest_line function", + "Description": "The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97277", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7224", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20892" + ] + }, + { + "VulnerabilityID": "CVE-2017-7225", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Null pointer dereference and invalid write in find_nearest_line function in addr2line", + 
"Description": "The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97275", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7225", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20891" + ] + }, + { + "VulnerabilityID": "CVE-2017-7226", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in pe_ILF_object_p function in libbfd", + "Description": "The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7226", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20905" + ] + }, + { + "VulnerabilityID": "CVE-2017-7227", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer overflow in ld due to missing null termination", + "Description": "GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. 
This relates to lack of '\\0' termination of a name field in ldlex.l.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97209", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7227", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20906" + ] + }, + { + "VulnerabilityID": "CVE-2017-7299", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in bfd_elf_final_link function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97217", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7299", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20908" + ] + }, + { + "VulnerabilityID": "CVE-2017-7300", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-buffer overflow in aout_link_add_symbols function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.", + "Severity": "LOW", + "References": [ + 
"http://www.securityfocus.com/bid/97219", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7300", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20909" + ] + }, + { + "VulnerabilityID": "CVE-2017-7301", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Off-by-one error in aout_link_add_symbols function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97218", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7301", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20924" + ] + }, + { + "VulnerabilityID": "CVE-2017-7302", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in wap_std_reloc_out function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. 
This vulnerability causes Binutils utilities like strip to crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97216", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7302", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20921" + ] + }, + { + "VulnerabilityID": "CVE-2017-7303", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in find_link function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97213", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7303", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20922" + ] + }, + { + "VulnerabilityID": "CVE-2017-7304", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in copy_special_section_fields function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. 
This vulnerability causes Binutils utilities like strip to crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97215", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20931" + ] + }, + { + "VulnerabilityID": "CVE-2017-7614", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in bfd_elf_final_link function", + "Description": "elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/04/05/binutils-two-null-pointer-dereference-in-elflink-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7614", + "https://security.gentoo.org/glsa/201709-02" + ] + }, + { + "VulnerabilityID": "CVE-2017-8392", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the _bfd_dwarf2_find_nearest_line function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", + "Severity": "LOW", + "References": [ + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21409" + ] + }, + { + "VulnerabilityID": "CVE-2017-8393", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read due to wrong assumption for objcopy and strip", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8393", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21412" + ] + }, + { + "VulnerabilityID": "CVE-2017-8394", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the _bfd_elf_large_com_section", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8394", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21414" + ] + }, + { + "VulnerabilityID": "CVE-2017-8395", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds write in the _bfd_generic_get_section_contents function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8395", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21431" + ] + }, + { + "VulnerabilityID": "CVE-2017-8396", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in the existing reloc offset range tests", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8396", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21432" + ] + }, + { + "VulnerabilityID": "CVE-2017-8397", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read and write while processing binary containing reloc(s) with negative addresses", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8397", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21434" + ] + }, + { + "VulnerabilityID": "CVE-2017-8398", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read while dumping the debug information from a corrupt binary", + "Description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. 
This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8398", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21438" + ] + }, + { + "VulnerabilityID": "CVE-2017-8421", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory exhaustion in objdump via a crafted PE file", + "Description": "The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8421", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21440" + ] + }, + { + "VulnerabilityID": "CVE-2017-9038", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-buffer overflow in the byte_get_little_endian", + "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98589", + 
"https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9038", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d" + ] + }, + { + "VulnerabilityID": "CVE-2017-9039", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory consumption via many program headers", + "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98580", + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9039", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5" + ] + }, + { + "VulnerabilityID": "CVE-2017-9040", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the process_mips_specific_function", + "Description": "GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98579", + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9040", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf" + ] + }, + { + "VulnerabilityID": "CVE-2017-9041", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer overflow in the process_mips_specific function", + "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98598", + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9041", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3" + ] + }, + { + "VulnerabilityID": "CVE-2017-9042", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid variable type in readelf.c", + "Description": "readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9042", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf" + ] + }, + { + "VulnerabilityID": "CVE-2017-9043", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Shift exponent too large for type unsigned long in readelf.c", + "Description": "readelf.c in GNU Binutils 2017-04-12 has a \"shift exponent too large for type unsigned long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98591", + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9043", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ddef72cdc10d82ba011a7ff81cafbbd3466acf54" + ] + }, + { + "VulnerabilityID": "CVE-2017-9044", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in the print_symbol_for_build_attribute function", + "Description": "The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98587", + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9044" + ] + }, + { + "VulnerabilityID": "CVE-2017-9742", + "PkgName": "binutils", + 
"InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer over-read in print_insn_score16 function while disassembling corrupt score binary", + "Description": "The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99105", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9742", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21576", + "https://www.exploit-db.com/exploits/42203/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9743", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer over-read in print_insn_score32 function while disassembling corrupt score binary", + "Description": "The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99106", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9743", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21577" + ] + }, + { + "VulnerabilityID": "CVE-2017-9744", + "PkgName": "binutils", + "InstalledVersion": 
"2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Address violation in sh_elf_set_mach_from_flags function when disassembling a corrupt SH binary", + "Description": "The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99108", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9744", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21578" + ] + }, + { + "VulnerabilityID": "CVE-2017-9745", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer over-read in _bfd_vms_slurp_etir function when handling VMS alpha binaries", + "Description": "The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99109", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9745", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21579" + ] + }, + { + "VulnerabilityID": "CVE-2017-9746", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { 
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer over-read in disassemble_bytes function when disassembling a corrupt binary", + "Description": "The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99117", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9746", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21580", + "https://www.exploit-db.com/exploits/42199/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9747", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack-based buffer over-read in ieee_archive_p function while disassembling corrupt IEEE binary", + "Description": "The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. 
NOTE: this may be related to a compiler bug.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99114", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9747", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21581", + "https://www.exploit-db.com/exploits/42200/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9748", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack-based buffer over-read in ieee_object_p function", + "Description": "The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. 
NOTE: this may be related to a compiler bug.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99110", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9748", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21582", + "https://www.exploit-db.com/exploits/42202/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9749", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer over-read in *regs* macros when disassembling corrupt bfin binary", + "Description": "The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99113", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9749", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21586", + "https://www.exploit-db.com/exploits/42201/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9750", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer over-read in opcodes/rx-decode.opc when disassembling a corrupt RX binary", + "Description": "opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + 
"Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99118", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9750", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21587", + "https://www.exploit-db.com/exploits/42198/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9751", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack-based buffer over-read in opcodes/rl78-decode.opc when disassembling a corrupt RL78 binary", + "Description": "opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99111", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9751", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21588" + ] + }, + { + "VulnerabilityID": "CVE-2017-9752", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer over-read in f_bfd_vms_get_value function when processing a corrupt Alpha VMA binary", + "Description": "bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the 
_bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99122", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9752", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21589" + ] + }, + { + "VulnerabilityID": "CVE-2017-9753", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Address violation in versados_mkobject function when disassembling a corrupt versados binary", + "Description": "The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99116", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9753", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21591" + ] + }, + { + "VulnerabilityID": "CVE-2017-9754", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack-based buffer over-read in process_otr function", + "Description": "The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a 
crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99125", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9754", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21591" + ] + }, + { + "VulnerabilityID": "CVE-2017-9755", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer over-read in opcodes/i386-dis.c while checking invalid registers", + "Description": "opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99124", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9755", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21594" + ] + }, + { + "VulnerabilityID": "CVE-2017-9756", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Address violation in aarch64_ext_ldst_reglist function when disassembling corrupt aarch64 binary", + "Description": "The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + 
"Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99103", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9756", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21595", + "https://www.exploit-db.com/exploits/42204/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9954", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: stack-based buffer over-read in getvalue function", + "Description": "The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99307", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9954", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21670" + ] + }, + { + "VulnerabilityID": "CVE-2017-9955", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap buffer over-read in get_build_id function", + "Description": "The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.", + "Severity": "LOW", + "References": [ + 
"http://www.securityfocus.com/bid/99573", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9955", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21665" + ] + }, + { + "VulnerabilityID": "CVE-2018-12641", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "FixedVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack Exhaustion in the demangling functions provided by libiberty", + "Description": "An issue was discovered in arm_pt in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_arm_hp_template, demangle_class_name, demangle_fund_type, do_type, do_arg, demangle_args, and demangle_nested_args. This can occur during execution of nm-new.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12641.html", + "http://linux.oracle.com/errata/ELSA-2019-2075.html", + "https://access.redhat.com/errata/RHSA-2019:2075", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763099", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85452", + "https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23058" + ] + }, + { + "VulnerabilityID": "CVE-2018-12697", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "FixedVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in work_stuff_copy_to_from in cplus-dem.c.", + "Description": "A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. 
This can occur during execution of objdump.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12697.html", + "http://linux.oracle.com/errata/ELSA-2019-2075.html", + "http://www.securityfocus.com/bid/104538", + "https://access.redhat.com/errata/RHSA-2019:2075", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", + "https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" + ] + }, + { + "VulnerabilityID": "CVE-2018-12698", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: excessive memory consumption in demangle_template in cplus-dem.c", + "Description": "demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the \"Create an array for saving the template argument values\" XNEWVEC call. 
This can occur during execution of objdump.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/104539", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", + "https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" + ] + }, + { + "VulnerabilityID": "CVE-2018-12699", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer overflow in finish_stab in stabs.c", + "Description": "finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/104540", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", + "https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" + ] + }, + { + "VulnerabilityID": "CVE-2018-12700", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack Exhaustion in debug_write_type in debug.c", + "Description": "A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/104541", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", + 
"https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" + ] + }, + { + "VulnerabilityID": "CVE-2018-12934", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Uncontrolled Resource Consumption in remember_Ktype in cplus-dem.c", + "Description": "remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.", + "Severity": "LOW", + "References": [ + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763101", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23059" + ] + }, + { + "VulnerabilityID": "CVE-2018-17358", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: invalid memory access in _bfd_stab_section_find_nearest_line in syms.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. 
Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23686" + ] + }, + { + "VulnerabilityID": "CVE-2018-17359", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: invalid memory access in bfd_zalloc in opncls.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23686" + ] + }, + { + "VulnerabilityID": "CVE-2018-17360", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer over-read in bfd_getl32 in libbfd.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. 
This vulnerability can be triggered by the executable objdump.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23685" + ] + }, + { + "VulnerabilityID": "CVE-2018-17794", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in libiberty/cplus-dem.c:work_stuff_copy_to_from() via crafted input", + "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.", + "Severity": "LOW", + "References": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350" + ] + }, + { + "VulnerabilityID": "CVE-2018-17985", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack consumption problem caused by the cplus_demangle_type", + "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. 
There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335" + ] + }, + { + "VulnerabilityID": "CVE-2018-18483", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow in cplus-dem.c:get_count() allows for denial of service", + "Description": "The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/105689", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23767" + ] + }, + { + "VulnerabilityID": "CVE-2018-18484", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack exhaustion in cp-demangle.c allows for denial of service", + "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/105693", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636" + ] + }, + { + "VulnerabilityID": "CVE-2018-18605", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer over-read in sec_merge_hash_lookup in merge.c", + "Description": "A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/105754", + "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18605", + "https://security.netapp.com/advisory/ntap-20190307-0003/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23804", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ab419ddbb2cdd17ca83618990f2cacf904ce1d61" + ] + }, + { + "VulnerabilityID": "CVE-2018-18606", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in _bfd_add_merge_section in merge_strings function in merge.c", + "Description": "An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/105754", + "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18606", + "https://security.netapp.com/advisory/ntap-20190307-0003/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23806", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45a0eaf77022963d639d6d19871dbab7b79703fc" + ] + }, + { + "VulnerabilityID": "CVE-2018-18607", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in elf_link_input_bfd in elflink.c", + "Description": "An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/105754", + "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18607", + "https://security.netapp.com/advisory/ntap-20190307-0003/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23805", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=102def4da826b3d9e169741421e5e67e8731909a" + ] + }, + { + "VulnerabilityID": "CVE-2018-18700", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Recursive Stack Overflow within function d_name, d_encoding, and d_local_name in cp-demangle.c", + "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.", + "Severity": "LOW", + "References": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681" + ] + }, + { + "VulnerabilityID": "CVE-2018-18701", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: infinite recursion in next_is_type_qual and cplus_demangle_type functions in cp-demangle.c", + "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. 
There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.", + "Severity": "LOW", + "References": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675" + ] + }, + { + "VulnerabilityID": "CVE-2018-19932", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow due to the IS_CONTAINED_BY_LMA macro resulting in a denial of service", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/106144", + "https://security.gentoo.org/glsa/201908-01", + "https://security.netapp.com/advisory/ntap-20190221-0004/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23932", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7" + ] + }, + { + "VulnerabilityID": "CVE-2018-20002", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: memory leak in _bfd_generic_read_minisymbols function in syms.c", + "Description": "The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.", + "Severity": "LOW", + 
"References": [ + "http://www.securityfocus.com/bid/106142", + "https://security.gentoo.org/glsa/201908-01", + "https://security.netapp.com/advisory/ntap-20190221-0004/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23952", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c2f5dc30afa34696f2da0081c4ac50b958ecb0e9", + "https://support.f5.com/csp/article/K62602089" + ] + }, + { + "VulnerabilityID": "CVE-2018-20657", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", + "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20657.html", + "http://linux.oracle.com/errata/ELSA-2019-3352.html", + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ] + }, + { + "VulnerabilityID": "CVE-2018-6323", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow in elf_object_p function in elfcode.h", + "Description": "The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. 
A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/102821", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6323", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22746", + "https://www.exploit-db.com/exploits/44035/" + ] + }, + { + "VulnerabilityID": "CVE-2018-6759", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: Unchecked strnlen in opncls.c:bfd_get_debug_link_info_1() can allow lead to denial of service", + "Description": "The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. 
Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/103030", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6759", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22794" + ] + }, + { + "VulnerabilityID": "CVE-2018-6872", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds read in elf_parse_notes function in elf.c file in libbfd library", + "Description": "The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/103103", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6872", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22788", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6" + ] + }, + { + "VulnerabilityID": "CVE-2019-1010204", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: 
Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read in gold/fileread.cc and elfcpp/elfcpp_file.h leads to denial of service", + "Description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "Severity": "LOW", + "References": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765" + ] + }, + { + "VulnerabilityID": "CVE-2019-14250", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: integer overflow in simple-object-elf.c leads to a heap-based buffer overflow", + "Description": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. 
simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/109354", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924", + "https://gcc.gnu.org/ml/gcc-patches/2019-07/msg01003.html", + "https://security.netapp.com/advisory/ntap-20190822-0002/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17450", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: denial of service via crafted ELF file", + "Description": "find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://security.netapp.com/advisory/ntap-20191024-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25078" + ] + }, + { + "VulnerabilityID": "CVE-2019-17451", + "PkgName": "binutils", + "InstalledVersion": "2.27-34.base.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "binutils: integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. 
It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm.", + "Severity": "LOW", + "References": [ + "https://security.netapp.com/advisory/ntap-20191024-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25070", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848f4b9558456fdcf283ee8a32d7fd1" ] }, { @@ -2816,9 +2806,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "bzip2: heap use after free in bzip2recover", "Description": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/06/20/1", "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", 
@@ -2829,6 +2820,56 @@ "https://security.gentoo.org/glsa/201708-08" ] }, + { + "VulnerabilityID": "CVE-2019-12900", + "PkgName": "bzip2-libs", + "InstalledVersion": "1.0.6-13.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "bzip2: out-of-bounds write in function BZ2_decompress", + "Description": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900", + "https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html", + "https://usn.ubuntu.com/4038-1/", + "https://usn.ubuntu.com/4038-2/" + ] + }, + { + "VulnerabilityID": "CVE-2016-2781", + "PkgName": "coreutils", + "InstalledVersion": "8.22-23.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", + "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "Severity": "MEDIUM", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/02/28/2", + "http://www.openwall.com/lists/oss-security/2016/02/28/3" + ] + }, + { + "VulnerabilityID": "CVE-2017-18018", + "PkgName": "coreutils", + "InstalledVersion": "8.22-23.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "coreutils: race condition vulnerability in chown and chgrp", + "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent 
replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", + "Severity": "MEDIUM", + "References": [ + "http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2014-9471", "PkgName": "coreutils", @@ -2836,9 +2877,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "coreutils: memory corruption flaw in parse_datetime()", "Description": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://advisories.mageia.org/MGASA-2015-0029.html", "http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872", 
@@ -2860,9 +2902,15 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "coreutils: heap buffer overflow in sort(1) keycompare_mb()", - "Description": "No description is available for this CVE.", - "Severity": "LOW" + "Description": "The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2015/05/15/1", + "https://bugzilla.suse.com/show_bug.cgi?id=928749", + "https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940" + ] }, { "VulnerabilityID": "CVE-2015-4042", 
@@ -2871,56 +2919,31 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "coreutils: possible buffer overflow in keycompare_mb()", - "Description": "No description is available for this CVE.", - "Severity": "LOW" - }, - { - "VulnerabilityID": "CVE-2016-2781", - "PkgName": "coreutils", - "InstalledVersion": "8.22-23.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", - "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "Description": "Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings.", "Severity": "LOW", "References": [ - "http://www.openwall.com/lists/oss-security/2016/02/28/2", - "http://www.openwall.com/lists/oss-security/2016/02/28/3" + "http://openwall.com/lists/oss-security/2015/05/15/1", + "https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940" ] }, { - "VulnerabilityID": "CVE-2017-18018", - "PkgName": "coreutils", - "InstalledVersion": "8.22-23.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "coreutils: race condition vulnerability in chown and chgrp", - "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "Severity": "LOW", - "References": [ - 
"http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html" - ] - }, - { - "VulnerabilityID": "CVE-2016-2037", + "VulnerabilityID": "CVE-2019-14866", "PkgName": "cpio", "InstalledVersion": "2.11-27.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "cpio: out of bounds write", - "Description": "The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.", + "SeveritySource": "redhat", + "Title": "cpio: improper input validation when writing tar header fields leads to unexpect tar generation", + "Description": "In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.", "Severity": "MEDIUM", "References": [ - "http://www.debian.org/security/2016/dsa-3483", - "http://www.openwall.com/lists/oss-security/2016/01/19/4", - "http://www.openwall.com/lists/oss-security/2016/01/22/4", - "http://www.securityfocus.com/bid/82293", - "http://www.securitytracker.com/id/1035067", - "http://www.ubuntu.com/usn/USN-2906-1" + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14866", + "https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html", + "https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html" ] }, { 
@@ -2930,6 +2953,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "cpio: directory traversal through symlinks", "Description": "cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.", "Severity": "LOW", @@ -2945,6 +2969,26 @@ "https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html" ] }, + { + "VulnerabilityID": "CVE-2016-2037", + "PkgName": "cpio", + "InstalledVersion": "2.11-27.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "cpio: out of bounds write", + "Description": "The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.", + "Severity": "LOW", + "References": [ + "http://www.debian.org/security/2016/dsa-3483", + "http://www.openwall.com/lists/oss-security/2016/01/19/4", + "http://www.openwall.com/lists/oss-security/2016/01/22/4", + "http://www.securityfocus.com/bid/82293", + "http://www.securitytracker.com/id/1035067", + "http://www.ubuntu.com/usn/USN-2906-1" + ] + }, { "VulnerabilityID": "CVE-2016-6318", "PkgName": "cracklib", 
@@ -2952,9 +2996,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "cracklib: Stack-based buffer overflow when parsing large GECOS field", "Description": "Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2016-08/msg00122.html", "http://www.openwall.com/lists/oss-security/2016/08/16/2", @@ -2970,9 +3015,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "cracklib: Stack-based buffer overflow when parsing large GECOS field", "Description": "Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2016-08/msg00122.html", "http://www.openwall.com/lists/oss-security/2016/08/16/2", 
@@ -2981,142 +3027,6 @@ "https://security.gentoo.org/glsa/201612-25" ] }, - { - "VulnerabilityID": "CVE-2018-14618", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "FixedVersion": "7.29.0-51.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: NTLM password overflow via integer overflow", - "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. 
(This bug is almost identical to CVE-2017-8816.)", - "Severity": "CRITICAL", - "References": [ - "http://www.securitytracker.com/id/1041605", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618", - "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", - "https://curl.haxx.se/docs/CVE-2018-14618.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014", - "https://security.gentoo.org/glsa/201903-03", - "https://usn.ubuntu.com/3765-1/", - "https://usn.ubuntu.com/3765-2/", - "https://www.debian.org/security/2018/dsa-4286" - ] - }, - { - "VulnerabilityID": "CVE-2016-8618", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: Double-free in curl_maprintf", - "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94098", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", - "https://curl.haxx.se/docs/adv_20161102D.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8619", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: 
Double-free in krb5 code", - "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94100", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", - "https://curl.haxx.se/CVE-2016-8619.patch", - "https://curl.haxx.se/docs/adv_20161102E.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8622", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: URL unescape heap overflow via integer truncation", - "Description": "The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. 
That could then lead to libcurl writing outside of its heap based buffer.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94105", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622", - "https://curl.haxx.se/docs/adv_20161102H.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2017-8817", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: FTP wildcard out of bounds read", - "Description": "The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.", - "Severity": "HIGH", - "References": [ - "http://security.cucumberlinux.com/security/details.php?id=162", - "http://www.securityfocus.com/bid/102057", - "http://www.securitytracker.com/id/1039897", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/docs/adv_2017-ae72.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00040.html", - "https://security.gentoo.org/glsa/201712-04", - "https://www.debian.org/security/2017/dsa-4051" - ] - }, - { - "VulnerabilityID": "CVE-2019-5482", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: heap buffer overflow in 
function tftp_receive_packet()", - "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", - "https://curl.haxx.se/docs/CVE-2019-5482.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" - ] - }, { "VulnerabilityID": "CVE-2015-3153", "PkgName": "curl", @@ -3124,6 +3034,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: sensitive HTTP server headers also sent to proxies", "Description": "The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.", "Severity": "MEDIUM", 
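Review bot: CVE-2018-14618, the only curl entry in this file that carries a `FixedVersion` (`7.29.0-51.el7_6.3`), is deleted in this hunk and none of the visible hunks re-add it, whereas the other deleted curl entries (CVE-2016-8618, CVE-2016-8619, CVE-2017-8817) reappear further down with `"SeveritySource": "redhat"` and a lower severity. The same applies to CVE-2016-8622 and CVE-2019-5482, which are removed here without a visible replacement; CVE-2016-8622 would sort between CVE-2016-8619 and CVE-2016-8624 in the re-added block and is not there. The part of the new file preceding CVE-2015-3153 is outside this chunk, so this may simply be a re-sort into another severity group, but it is worth confirming that the regenerated expectation still reports the fixable curl vulnerability, since a golden file that silently drops a fixed CVE would mask a detection regression rather than catch one.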
@@ -3145,6 +3056,257 @@ "https://support.apple.com/kb/HT205031" ] }, + { + "VulnerabilityID": "CVE-2016-8615", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Cookie injection for other servers", + "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8615.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94096", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615", + "https://curl.haxx.se/CVE-2016-8615.patch", + "https://curl.haxx.se/docs/adv_20161102A.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8617", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Out-of-bounds write via unchecked multiplication", + "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8617.html", + 
"http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94097", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617", + "https://curl.haxx.se/CVE-2016-8617.patch", + "https://curl.haxx.se/docs/adv_20161102C.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8618", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Double-free in curl_maprintf", + "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8618.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94098", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", + "https://curl.haxx.se/docs/adv_20161102D.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8619", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + 
"DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Double-free in krb5 code", + "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8619.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94100", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", + "https://curl.haxx.se/CVE-2016-8619.patch", + "https://curl.haxx.se/docs/adv_20161102E.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8624", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Invalid URL parsing with '#'", + "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. 
This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8624.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94103", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624", + "https://curl.haxx.se/docs/adv_20161102J.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8625", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: IDNA 2003 makes curl use wrong host", + "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8625.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.securityfocus.com/bid/94107", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625", + "https://curl.haxx.se/CVE-2016-8625.patch", + "https://curl.haxx.se/docs/adv_20161102K.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625", + 
"https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2017-1000254", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: FTP PWD response parser out of bounds read", + "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3992", + "http://www.securityfocus.com/bid/101115", + "http://www.securitytracker.com/id/1039509", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://curl.haxx.se/673d0cd8.patch", + "https://curl.haxx.se/docs/adv_20171004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254", + "https://security.gentoo.org/glsa/201712-04", + "https://support.apple.com/HT208331" + ] + }, + { + "VulnerabilityID": "CVE-2017-8817", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: FTP wildcard out of bounds read", + "Description": "The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.", + "Severity": "MEDIUM", + "References": [ + "http://security.cucumberlinux.com/security/details.php?id=162", + "http://www.securityfocus.com/bid/102057", + "http://www.securitytracker.com/id/1039897", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://curl.haxx.se/docs/adv_2017-ae72.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00040.html", + "https://security.gentoo.org/glsa/201712-04", + "https://www.debian.org/security/2017/dsa-4051" + ] + }, + { + "VulnerabilityID": "CVE-2018-20483", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + 
}, + "SeveritySource": "redhat", + "Title": "wget: Information exposure in set_file_metadata function in xattr.c", + "Description": "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.", + "Severity": "MEDIUM", + "References": [ + "http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS", + "http://linux.oracle.com/cve/CVE-2018-20483.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106358", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483", + "https://security.gentoo.org/glsa/201903-08", + "https://security.netapp.com/advisory/ntap-20190321-0002/", + "https://twitter.com/marcan42/status/1077676739877232640", + "https://usn.ubuntu.com/3943-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + 
"https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, { "VulnerabilityID": "CVE-2016-0755", "PkgName": "curl", @@ -3152,9 +3314,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: NTLM credentials not-checked for proxy connection re-use", "Description": "The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://curl.haxx.se/docs/adv_20160127A.html", "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", 
@@ -3177,30 +3340,6 @@ "https://support.apple.com/HT207170" ] }, - { - "VulnerabilityID": "CVE-2016-8615", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: Cookie injection for other servers", - "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94096", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615", - "https://curl.haxx.se/CVE-2016-8615.patch", - "https://curl.haxx.se/docs/adv_20161102A.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-8616", "PkgName": "curl", 
@@ -3208,10 +3347,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: Case insensitive password comparison", "Description": "A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8616.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94094", "http://www.securitytracker.com/id/1037192", 
@@ -3225,30 +3367,6 @@ "https://www.tenable.com/security/tns-2016-21" ] }, - { - "VulnerabilityID": "CVE-2016-8617", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: Out-of-bounds write via unchecked multiplication", - "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94097", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617", - "https://curl.haxx.se/CVE-2016-8617.patch", - "https://curl.haxx.se/docs/adv_20161102C.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-8621", "PkgName": "curl", @@ -3256,10 +3374,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: curl_getdate out-of-bounds read", "Description": "The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8621.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94101", "http://www.securitytracker.com/id/1037192", 
@@ -3273,6 +3394,32 @@ "https://www.tenable.com/security/tns-2016-21" ] }, + { + "VulnerabilityID": "CVE-2016-8622", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: URL unescape heap overflow via integer truncation", + "Description": "The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8622.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94105", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622", + "https://curl.haxx.se/docs/adv_20161102H.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, { "VulnerabilityID": "CVE-2016-8623", "PkgName": "curl", 
@@ -3280,10 +3427,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: Use-after-free via shared cookies", "Description": "A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8623.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94106", "http://www.securitytracker.com/id/1037192", 
@@ -3297,52 +3447,6 @@ "https://www.tenable.com/security/tns-2016-21" ] }, - { - "VulnerabilityID": "CVE-2016-8624", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: Invalid URL parsing with '#'", - "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94103", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624", - "https://curl.haxx.se/docs/adv_20161102J.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8625", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: IDNA 2003 makes curl use wrong host", - "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/94107", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - 
"https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625", - "https://curl.haxx.se/CVE-2016-8625.patch", - "https://curl.haxx.se/docs/adv_20161102K.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-9586", "PkgName": "curl", @@ -3350,9 +3454,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: printf floating point buffer overflow", "Description": "curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/95019", 
@@ -3373,9 +3478,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: TFTP sends more than buffer size", "Description": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.debian.org/security/2017/dsa-3992", "http://www.securityfocus.com/bid/100286", 
@@ -3388,26 +3494,51 @@ ] }, { - "VulnerabilityID": "CVE-2017-1000254", + "VulnerabilityID": "CVE-2017-7407", "PkgName": "curl", "InstalledVersion": "7.29.0-51.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "curl: FTP PWD response parser out of bounds read", - "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "curl: --write-out out of bounds read", + "Description": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.", + "Severity": "LOW", "References": [ - "http://www.debian.org/security/2017/dsa-3992", - "http://www.securityfocus.com/bid/101115", - "http://www.securitytracker.com/id/1039509", - "https://access.redhat.com/errata/RHSA-2018:2486", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/673d0cd8.patch", - "https://curl.haxx.se/docs/adv_20171004.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254", - "https://security.gentoo.org/glsa/201712-04", - "https://support.apple.com/HT208331" + "https://curl.haxx.se/docs/adv_20170403.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407", + "https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13", + "https://security.gentoo.org/glsa/201709-14" + ] + }, + { + "VulnerabilityID": "CVE-2018-14618", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.el7", + "FixedVersion": "7.29.0-51.el7_6.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: NTLM password overflow via integer overflow", + "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. 
The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-14618.html", + "http://linux.oracle.com/errata/ELSA-2019-1880.html", + "http://www.securitytracker.com/id/1041605", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2018-14618.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014", + "https://security.gentoo.org/glsa/201903-03", + "https://usn.ubuntu.com/3765-1/", + "https://usn.ubuntu.com/3765-2/", + "https://www.debian.org/security/2018/dsa-4286" ] }, { 
@@ -3418,10 +3549,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting", "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16842.html", + "http://linux.oracle.com/errata/ELSA-2019-2181.html", "http://www.securitytracker.com/id/1042014", "https://access.redhat.com/errata/RHSA-2019:2181", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842", @@ -3442,9 +3576,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function", "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", 
@@ -3455,65 +3590,50 @@ ] }, { - "VulnerabilityID": "CVE-2017-7407", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", + "VulnerabilityID": "CVE-2019-19906", + "PkgName": "cyrus-sasl-lib", + "InstalledVersion": "2.1.26-23.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "curl: --write-out out of bounds read", - "Description": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "cyrus-sasl: denial of service in _sasl_add_string function", + "Description": "cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. 
The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.", + "Severity": "MEDIUM", "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/docs/adv_20170403.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407", - "https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13", - "https://security.gentoo.org/glsa/201709-14" + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906", + "https://github.com/cyrusimap/cyrus-sasl/issues/587", + "https://lists.debian.org/debian-lts-announce/2019/12/msg00027.html", + "https://seclists.org/bugtraq/2019/Dec/42", + "https://usn.ubuntu.com/4256-1/", + "https://www.debian.org/security/2019/dsa-4591", + "https://www.openldap.org/its/index.cgi/Incoming?id=9123" ] }, { - "VulnerabilityID": "CVE-2018-20483", - "PkgName": "curl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "wget: Information exposure in set_file_metadata function in xattr.c", - "Description": "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.", - "Severity": "LOW", - "References": [ - "http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS", - "http://www.securityfocus.com/bid/106358", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483", - "https://security.gentoo.org/glsa/201903-08", - "https://security.netapp.com/advisory/ntap-20190321-0002/", - "https://twitter.com/marcan42/status/1077676739877232640", - "https://usn.ubuntu.com/3943-1/" - ] - }, - { - "VulnerabilityID": "CVE-2014-3635", + "VulnerabilityID": "CVE-2019-12749", "PkgName": "dbus", "InstalledVersion": "1:1.10.24-12.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "dbus: heap-based buffer overflow flaw in file descriptor passing", - "Description": "Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass", + "Description": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) 
A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.", + "Severity": "HIGH", "References": [ - "http://advisories.mageia.org/MGASA-2014-0395.html", - "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", - "http://secunia.com/advisories/61378", - "http://www.debian.org/security/2014/dsa-3026", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:176", - "http://www.openwall.com/lists/oss-security/2014/09/16/9", - "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", - "http://www.securitytracker.com/id/1030864", - "http://www.ubuntu.com/usn/USN-2352-1", - "https://bugs.freedesktop.org/show_bug.cgi?id=83622" + "http://linux.oracle.com/cve/CVE-2019-12749.html", + "http://linux.oracle.com/errata/ELSA-2019-3707.html", + "http://www.openwall.com/lists/oss-security/2019/06/11/2", + "http://www.securityfocus.com/bid/108751", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00005.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/", + "https://seclists.org/bugtraq/2019/Jun/16", + "https://usn.ubuntu.com/4015-1/", + "https://usn.ubuntu.com/4015-2/", + "https://www.debian.org/security/2019/dsa-4462", + "https://www.openwall.com/lists/oss-security/2019/06/11/2" ] }, { 
@@ -3523,9 +3643,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service flaw in dbus-daemon", "Description": "The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0266.html", "http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8\u0026id=24c590703ca47eb71ddef453de43126b90954567", @@ -3549,9 +3670,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in file descriptor passing feature", "Description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0294.html", "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", 
@@ -3573,9 +3695,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service when forwarding invalid file descriptors", "Description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0294.html", "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", 
@@ -3591,6 +3714,30 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533" ] }, + { + "VulnerabilityID": "CVE-2014-3635", + "PkgName": "dbus", + "InstalledVersion": "1:1.10.24-12.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "dbus: heap-based buffer overflow flaw in file descriptor passing", + "Description": "Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.", + "Severity": "MEDIUM", + "References": [ + "http://advisories.mageia.org/MGASA-2014-0395.html", + "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", + "http://secunia.com/advisories/61378", + "http://www.debian.org/security/2014/dsa-3026", + "http://www.mandriva.com/security/advisories?name=MDVSA-2015:176", + "http://www.openwall.com/lists/oss-security/2014/09/16/9", + "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", + "http://www.securitytracker.com/id/1030864", + "http://www.ubuntu.com/usn/USN-2352-1", + "https://bugs.freedesktop.org/show_bug.cgi?id=83622" + ] + }, { "VulnerabilityID": "CVE-2014-3636", "PkgName": "dbus", 
@@ -3598,6 +3745,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service by queuing or splitting file descriptors", "Description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.", "Severity": "LOW", @@ -3621,6 +3769,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service by creating unkillable D-Bus connections", "Description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.", "Severity": "LOW", @@ -3646,6 +3795,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in method call handling", "Description": "The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.", "Severity": "LOW", 
@@ -3671,6 +3821,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service flaw in incomplete connection handling", "Description": "The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.", "Severity": "LOW", @@ -3696,6 +3847,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in dbus systemd activation", "Description": "D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.", "Severity": "LOW", 
@@ -3710,15 +3862,18 @@ }, { "VulnerabilityID": "CVE-2019-12749", - "PkgName": "dbus", + "PkgName": "dbus-libs", "InstalledVersion": "1:1.10.24-12.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass", "Description": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.", - "Severity": "LOW", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-12749.html", + "http://linux.oracle.com/errata/ELSA-2019-3707.html", "http://www.openwall.com/lists/oss-security/2019/06/11/2", "http://www.securityfocus.com/bid/108751", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749", 
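Review bot: In this hunk the CVE-2019-12749 entry changes `"PkgName": "dbus"` to `"PkgName": "dbus-libs"` alongside the LOW→HIGH severity, and the hunk at @@ -3947,26 +4111,35 @@ removes the old dbus-libs copy of the same CVE, so within this chunk the new output shows one dbus-libs finding where the old output had a dbus one and a dbus-libs one. If the dbus package's own entry has merely moved to the head of its section under the new severity-sorted order (that section starts outside this chunk), this is fine; if it has been dropped, a finding with `"Severity": "HIGH"` would silently disappear from the expected output, which a golden-file diff will not flag. Worth confirming by counting CVE-2019-12749 occurrences per package in the new fixture, or by adding an explicit per-package assertion in the integration test alongside the golden comparison.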
@@ -3731,29 +3886,6 @@ "https://www.openwall.com/lists/oss-security/2019/06/11/2" ] }, - { - "VulnerabilityID": "CVE-2014-3635", - "PkgName": "dbus-libs", - "InstalledVersion": "1:1.10.24-12.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "dbus: heap-based buffer overflow flaw in file descriptor passing", - "Description": "Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.", - "Severity": "MEDIUM", - "References": [ - "http://advisories.mageia.org/MGASA-2014-0395.html", - "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", - "http://secunia.com/advisories/61378", - "http://www.debian.org/security/2014/dsa-3026", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:176", - "http://www.openwall.com/lists/oss-security/2014/09/16/9", - "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", - "http://www.securitytracker.com/id/1030864", - "http://www.ubuntu.com/usn/USN-2352-1", - "https://bugs.freedesktop.org/show_bug.cgi?id=83622" - ] - }, { "VulnerabilityID": "CVE-2014-3477", "PkgName": "dbus-libs", 
@@ -3761,9 +3893,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service flaw in dbus-daemon", "Description": "The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0266.html", "http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8\u0026id=24c590703ca47eb71ddef453de43126b90954567", @@ -3787,9 +3920,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in file descriptor passing feature", "Description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0294.html", "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", 
@@ -3811,9 +3945,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service when forwarding invalid file descriptors", "Description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0294.html", "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", 
@@ -3829,6 +3964,30 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533" ] }, + { + "VulnerabilityID": "CVE-2014-3635", + "PkgName": "dbus-libs", + "InstalledVersion": "1:1.10.24-12.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "dbus: heap-based buffer overflow flaw in file descriptor passing", + "Description": "Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.", + "Severity": "MEDIUM", + "References": [ + "http://advisories.mageia.org/MGASA-2014-0395.html", + "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", + "http://secunia.com/advisories/61378", + "http://www.debian.org/security/2014/dsa-3026", + "http://www.mandriva.com/security/advisories?name=MDVSA-2015:176", + "http://www.openwall.com/lists/oss-security/2014/09/16/9", + "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", + "http://www.securitytracker.com/id/1030864", + "http://www.ubuntu.com/usn/USN-2352-1", + "https://bugs.freedesktop.org/show_bug.cgi?id=83622" + ] + }, { "VulnerabilityID": "CVE-2014-3636", "PkgName": "dbus-libs", 
@@ -3836,6 +3995,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service by queuing or splitting file descriptors", "Description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.", "Severity": "LOW", @@ -3859,6 +4019,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service by creating unkillable D-Bus connections", "Description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.", "Severity": "LOW", @@ -3884,6 +4045,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in method call handling", "Description": "The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.", "Severity": "LOW", 
@@ -3909,6 +4071,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service flaw in incomplete connection handling", "Description": "The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.", "Severity": "LOW", @@ -3934,6 +4097,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in dbus systemd activation", "Description": "D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.", "Severity": "LOW", 
@@ -3947,26 +4111,35 @@ ] }, { - "VulnerabilityID": "CVE-2019-12749", - "PkgName": "dbus-libs", - "InstalledVersion": "1:1.10.24-12.el7", + "VulnerabilityID": "CVE-2020-8991", + "PkgName": "device-mapper", + "InstalledVersion": "7:1.02.149-10.el7_6.3", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass", - "Description": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.", + "SeveritySource": "redhat", + "Title": "lvm2: memory leak in vg_lookup in daemons/lvmetad/lvmetad-core.c", + "Description": "** DISPUTED ** vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages memory, leading to an lvmetad memory leak, as demonstrated by running pvs. 
NOTE: RedHat disputes CVE-2020-8991 as not being a vulnerability since there’s no apparent route to either privilege escalation or to denial of service through the bug.", "Severity": "LOW", "References": [ - "http://www.openwall.com/lists/oss-security/2019/06/11/2", - "http://www.securityfocus.com/bid/108751", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00005.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/", - "https://seclists.org/bugtraq/2019/Jun/16", - "https://usn.ubuntu.com/4015-1/", - "https://usn.ubuntu.com/4015-2/", - "https://www.debian.org/security/2019/dsa-4462", - "https://www.openwall.com/lists/oss-security/2019/06/11/2" + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8991", + "https://sourceware.org/git/?p=lvm2.git;a=commit;h=bcf9556b8fcd16ad8997f80cc92785f295c66701" + ] + }, + { + "VulnerabilityID": "CVE-2020-8991", + "PkgName": "device-mapper-libs", + "InstalledVersion": "7:1.02.149-10.el7_6.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "lvm2: memory leak in vg_lookup in daemons/lvmetad/lvmetad-core.c", + "Description": "** DISPUTED ** vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages memory, leading to an lvmetad memory leak, as demonstrated by running pvs. NOTE: RedHat disputes CVE-2020-8991 as not being a vulnerability since there’s no apparent route to either privilege escalation or to denial of service through the bug.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8991", + "https://sourceware.org/git/?p=lvm2.git;a=commit;h=bcf9556b8fcd16ad8997f80cc92785f295c66701" ] }, { 
@@ -3976,9 +4149,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "dracut: Brute force attack on LUKS password decryption via initramfs", "Description": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html", "http://www.openwall.com/lists/oss-security/2016/11/14/13", @@ -3991,23 +4165,6 @@ "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb" ] }, - { - "VulnerabilityID": "CVE-2018-16402", - "PkgName": "elfutils-default-yama-scope", - "InstalledVersion": "0.172-2.el7", - "FixedVersion": "0.176-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", - "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", - "https://usn.ubuntu.com/4012-1/" - ] - }, { "VulnerabilityID": "CVE-2016-10254", "PkgName": "elfutils-default-yama-scope", 
@@ -4015,9 +4172,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in allocate_elf", "Description": "The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/2", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h/", @@ -4034,9 +4192,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)", "Description": "The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/1", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c/", 
@@ -4054,9 +4213,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the handle_gnu_hash function", "Description": "The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98608", @@ -4073,9 +4233,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the ebl_object_note_type_name function", "Description": "The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98609", @@ -4093,9 +4254,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in elf_compress.c", "Description": "elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609", 
@@ -4110,9 +4272,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_group function", "Description": "The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c", @@ -4129,9 +4292,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_symtab_shndx function", "Description": "The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c", 
@@ -4148,9 +4312,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_sysv_hash function", "Description": "The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_sysv_hash-elflint-c", @@ -4167,9 +4332,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: elflint.c does not validate the number of sections and segments", "Description": "elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-xcalloc-xmalloc-c", 
@@ -4187,10 +4353,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file", "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16062.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062", @@ -4200,6 +4369,26 @@ "https://usn.ubuntu.com/4012-1/" ] }, + { + "VulnerabilityID": "CVE-2018-16402", + "PkgName": "elfutils-default-yama-scope", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", + "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16402.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", + "https://usn.ubuntu.com/4012-1/" + ] + }, { "VulnerabilityID": "CVE-2018-16403", "PkgName": "elfutils-default-yama-scope", 
@@ -4208,10 +4397,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash", "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16403.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403", @@ -4228,10 +4420,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl", "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18310.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23752", 
@@ -4247,10 +4442,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: eu-size cannot handle recursive ar files", "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18520.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23787", @@ -4266,10 +4464,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c", "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18521.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23786", 
@@ -4285,10 +4486,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw", "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7149.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24102", @@ -4304,10 +4508,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c", "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7150.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24103", 
@@ -4323,10 +4530,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h", "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7664.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664", "https://sourceware.org/bugzilla/show_bug.cgi?id=24084" @@ -4340,10 +4550,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c", "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7665.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24089", 
@@ -4351,23 +4564,6 @@ "https://usn.ubuntu.com/4012-1/" ] }, - { - "VulnerabilityID": "CVE-2018-16402", - "PkgName": "elfutils-libelf", - "InstalledVersion": "0.172-2.el7", - "FixedVersion": "0.176-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", - "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", - "https://usn.ubuntu.com/4012-1/" - ] - }, { "VulnerabilityID": "CVE-2016-10254", "PkgName": "elfutils-libelf", @@ -4375,9 +4571,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in allocate_elf", "Description": "The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/2", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h/", 
@@ -4394,9 +4591,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)", "Description": "The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/1", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c/", @@ -4414,9 +4612,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the handle_gnu_hash function", "Description": "The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98608", 
@@ -4433,9 +4632,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the ebl_object_note_type_name function", "Description": "The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98609", @@ -4453,9 +4653,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in elf_compress.c", "Description": "elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609", @@ -4470,9 +4671,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_group function", "Description": "The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c", 
@@ -4489,9 +4691,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_symtab_shndx function", "Description": "The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c", @@ -4508,9 +4711,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_sysv_hash function", "Description": "The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_sysv_hash-elflint-c", 
@@ -4527,9 +4731,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: elflint.c does not validate the number of sections and segments", "Description": "elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-xcalloc-xmalloc-c", @@ -4547,10 +4752,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file", "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16062.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062", 
@@ -4560,6 +4768,26 @@ "https://usn.ubuntu.com/4012-1/" ] }, + { + "VulnerabilityID": "CVE-2018-16402", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", + "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16402.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", + "https://usn.ubuntu.com/4012-1/" + ] + }, { "VulnerabilityID": "CVE-2018-16403", "PkgName": "elfutils-libelf", @@ -4568,10 +4796,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash", "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16403.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403", 
@@ -4588,10 +4819,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl", "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18310.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23752", @@ -4607,10 +4841,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: eu-size cannot handle recursive ar files", "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18520.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23787", 
@@ -4626,10 +4863,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c", "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18521.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23786", @@ -4645,10 +4885,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw", "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7149.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24102", 
@@ -4664,10 +4907,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c", "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7150.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24103", @@ -4683,10 +4929,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h", "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7664.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664", "https://sourceware.org/bugzilla/show_bug.cgi?id=24084" 
@@ -4700,10 +4949,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c", "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7665.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24089", @@ -4711,23 +4963,6 @@ "https://usn.ubuntu.com/4012-1/" ] }, - { - "VulnerabilityID": "CVE-2018-16402", - "PkgName": "elfutils-libs", - "InstalledVersion": "0.172-2.el7", - "FixedVersion": "0.176-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", - "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", - "https://usn.ubuntu.com/4012-1/" - ] - }, { "VulnerabilityID": "CVE-2016-10254", "PkgName": "elfutils-libs", 
@@ -4735,9 +4970,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in allocate_elf", "Description": "The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/2", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h/", @@ -4754,9 +4990,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)", "Description": "The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/1", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c/", 
@@ -4774,9 +5011,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the handle_gnu_hash function", "Description": "The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98608", @@ -4793,9 +5031,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the ebl_object_note_type_name function", "Description": "The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98609", @@ -4813,9 +5052,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in elf_compress.c", "Description": "elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609", 
@@ -4830,9 +5070,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_group function", "Description": "The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c", @@ -4849,9 +5090,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_symtab_shndx function", "Description": "The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c", 
@@ -4868,9 +5110,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_sysv_hash function", "Description": "The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_sysv_hash-elflint-c", @@ -4887,9 +5130,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: elflint.c does not validate the number of sections and segments", "Description": "elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-xcalloc-xmalloc-c", 
@@ -4907,10 +5151,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file", "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16062.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062", @@ -4920,6 +5167,26 @@ "https://usn.ubuntu.com/4012-1/" ] }, + { + "VulnerabilityID": "CVE-2018-16402", + "PkgName": "elfutils-libs", + "InstalledVersion": "0.172-2.el7", + "FixedVersion": "0.176-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", + "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16402.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", + "https://usn.ubuntu.com/4012-1/" + ] + }, { "VulnerabilityID": "CVE-2018-16403", "PkgName": "elfutils-libs", 
@@ -4928,10 +5195,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash", "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16403.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403", @@ -4948,10 +5218,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl", "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18310.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23752", 
@@ -4967,10 +5240,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: eu-size cannot handle recursive ar files", "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18520.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23787", @@ -4986,10 +5262,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c", "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18521.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23786", 
@@ -5005,10 +5284,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw", "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7149.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24102", @@ -5024,10 +5306,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c", "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7150.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24103", 
@@ -5043,10 +5328,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h", "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7664.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664", "https://sourceware.org/bugzilla/show_bug.cgi?id=24084" @@ -5060,10 +5348,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c", "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7665.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24089", 
@@ -5071,6 +5362,61 @@ "https://usn.ubuntu.com/4012-1/" ] }, + { + "VulnerabilityID": "CVE-2012-6702", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "expat: Using XML_Parse before rand() results into non-random output", + "Description": "Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2016/dsa-3597", + "http://www.openwall.com/lists/oss-security/2016/06/03/8", + "http://www.openwall.com/lists/oss-security/2016/06/04/1", + "http://www.securityfocus.com/bid/91483", + "http://www.ubuntu.com/usn/USN-3010-1", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702", + "https://security.gentoo.org/glsa/201701-21", + "https://source.android.com/security/bulletin/2016-11-01.html", + "https://www.tenable.com/security/tns-2016-20" + ] + }, + { + "VulnerabilityID": "CVE-2013-0340", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "expat: internal entity expansion", + "Description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. 
NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", + "Severity": "MEDIUM", + "References": [ + "http://openwall.com/lists/oss-security/2013/02/22/3", + "http://securitytracker.com/id?1028213", + "http://www.openwall.com/lists/oss-security/2013/04/12/6", + "http://www.osvdb.org/90634", + "http://www.securityfocus.com/bid/58233", + "https://security.gentoo.org/glsa/201701-21" + ] + }, + { + "VulnerabilityID": "CVE-2013-0341", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "expat: external entity expansion", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "MEDIUM" + }, { "VulnerabilityID": "CVE-2015-2716", "PkgName": "expat", 
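Review bot: The added CVE-2013-0341 entry is a rejected candidate — its Description reads "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER" and says the CNA withdrew it as not a security issue — yet this expected output now asserts it is reported as a `"Severity": "MEDIUM"` finding with no `References` array. Codifying that in a golden file means the scanner's behaviour of surfacing withdrawn CVEs becomes the tested contract, which is probably not intended and will produce noise for anyone triaging results. If reporting rejected candidates is deliberate, the fixture (or the test that consumes it) should say so; otherwise the entry should be filtered at the data-source level before it reaches this expectation. The enclosing JSON array begins and ends outside the hunk.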
@@ -5078,10 +5424,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "Mozilla: Buffer overflow when parsing compressed XML (MFSA 2015-54)", + "SeveritySource": "redhat", + "Title": "expat: Integer overflow leading to buffer overflow in XML_GetBuffer()", "Description": "Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-2716.html", + "http://linux.oracle.com/errata/ELSA-2015-1012.html", "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html", "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00054.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00000.html", 
@@ -5104,6 +5453,27 @@ "https://www.tenable.com/security/tns-2016-20" ] }, + { + "VulnerabilityID": "CVE-2016-4472", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "expat: Undefined behavior and pointer overflows", + "Description": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/91528", + "http://www.ubuntu.com/usn/USN-3013-1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1344251", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472", + "https://security.gentoo.org/glsa/201701-21", + "https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde", + "https://www.tenable.com/security/tns-2016-20" + ] + }, { "VulnerabilityID": "CVE-2016-5300", "PkgName": "expat", @@ -5111,9 +5481,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "expat: Little entropy used for hash initialization", "Description": "The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.debian.org/security/2016/dsa-3597", "http://www.openwall.com/lists/oss-security/2016/06/04/4", 
@@ -5128,99 +5499,6 @@ "https://www.tenable.com/security/tns-2016-20" ] }, - { - "VulnerabilityID": "CVE-2016-9063", - "PkgName": "expat", - "InstalledVersion": "2.1.0-10.el7_3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "firefox: Possible integer overflow to fix inside XML_Parse in Expat", - "Description": "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox \u003c 50.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/94337", - "http://www.securitytracker.com/id/1037298", - "http://www.securitytracker.com/id/1039427", - "https://bugzilla.mozilla.org/show_bug.cgi?id=1274777", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063", - "https://www.debian.org/security/2017/dsa-3898", - "https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/#CVE-2016-9063", - "https://www.mozilla.org/security/advisories/mfsa2016-89/" - ] - }, - { - "VulnerabilityID": "CVE-2012-6702", - "PkgName": "expat", - "InstalledVersion": "2.1.0-10.el7_3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "expat: Using XML_Parse before rand() results into non-random output", - "Description": "Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2016/dsa-3597", - "http://www.openwall.com/lists/oss-security/2016/06/03/8", - "http://www.openwall.com/lists/oss-security/2016/06/04/1", - "http://www.securityfocus.com/bid/91483", - "http://www.ubuntu.com/usn/USN-3010-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702", - "https://security.gentoo.org/glsa/201701-21", - 
"https://source.android.com/security/bulletin/2016-11-01.html", - "https://www.tenable.com/security/tns-2016-20" - ] - }, - { - "VulnerabilityID": "CVE-2013-0340", - "PkgName": "expat", - "InstalledVersion": "2.1.0-10.el7_3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "expat: internal entity expansion", - "Description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", - "Severity": "MEDIUM", - "References": [ - "http://openwall.com/lists/oss-security/2013/02/22/3", - "http://securitytracker.com/id?1028213", - "http://www.openwall.com/lists/oss-security/2013/04/12/6", - "http://www.osvdb.org/90634", - "http://www.securityfocus.com/bid/58233", - "https://security.gentoo.org/glsa/201701-21" - ] - }, - { - "VulnerabilityID": "CVE-2013-0341", - "PkgName": "expat", - "InstalledVersion": "2.1.0-10.el7_3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "expat: external entity expansion", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. 
Notes: none.", - "Severity": "MEDIUM" - }, - { - "VulnerabilityID": "CVE-2016-4472", - "PkgName": "expat", - "InstalledVersion": "2.1.0-10.el7_3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "expat: Undefined behavior and pointer overflows", - "Description": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/91528", - "http://www.ubuntu.com/usn/USN-3013-1", - "https://bugzilla.redhat.com/show_bug.cgi?id=1344251", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472", - "https://security.gentoo.org/glsa/201701-21", - "https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde", - "https://www.tenable.com/security/tns-2016-20" - ] - }, { "VulnerabilityID": "CVE-2017-9233", "PkgName": "expat", @@ -5228,6 +5506,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "expat: Inifinite loop due to invalid XML in external entity", "Description": "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.", "Severity": "MEDIUM", 
@@ -5246,6 +5525,55 @@ "https://support.f5.com/csp/article/K03244804" ] }, + { + "VulnerabilityID": "CVE-2018-20843", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS", + "Description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).", + "Severity": "MEDIUM", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843", + "https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes", + "https://github.com/libexpat/libexpat/issues/186", + "https://github.com/libexpat/libexpat/pull/262", + "https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html", + "https://seclists.org/bugtraq/2019/Jun/39", + "https://security.netapp.com/advisory/ntap-20190703-0001/", + "https://usn.ubuntu.com/4040-1/", + "https://usn.ubuntu.com/4040-2/", + "https://www.debian.org/security/2019/dsa-4472" + ] + }, + { + "VulnerabilityID": "CVE-2016-9063", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "firefox: Possible integer overflow to fix inside XML_Parse in Expat", + "Description": "An integer overflow during the parsing of XML using the Expat library. 
This vulnerability affects Firefox \u003c 50.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/94337", + "http://www.securitytracker.com/id/1037298", + "http://www.securitytracker.com/id/1039427", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1274777", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063", + "https://www.debian.org/security/2017/dsa-3898", + "https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/#CVE-2016-9063", + "https://www.mozilla.org/security/advisories/mfsa2016-89/" + ] + }, { "VulnerabilityID": "CVE-2019-15903", "PkgName": "expat", @@ -5253,10 +5581,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "expat: heap-based buffer over-read via crafted XML input", "Description": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-15903.html", + "http://linux.oracle.com/errata/ELSA-2019-3237.html", "http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903", "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43", 
@@ -5268,6 +5599,34 @@ "https://usn.ubuntu.com/4132-2/" ] }, + { + "VulnerabilityID": "CVE-2014-9620", + "PkgName": "file-libs", + "InstalledVersion": "5.11-35.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "file: limit the number of ELF notes processed", + "Description": "The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.", + "Severity": "LOW", + "References": [ + "http://advisories.mageia.org/MGASA-2015-0040.html", + "http://linux.oracle.com/cve/CVE-2014-9620.html", + "http://linux.oracle.com/errata/ELSA-2016-0760.html", + "http://mx.gw.com/pipermail/file/2014/001653.html", + "http://mx.gw.com/pipermail/file/2015/001660.html", + "http://rhn.redhat.com/errata/RHSA-2016-0760.html", + "http://www.debian.org/security/2015/dsa-3121", + "http://www.openwall.com/lists/oss-security/2015/01/17/9", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/71715", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620", + "https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4", + "https://security.gentoo.org/glsa/201503-08", + "https://usn.ubuntu.com/3686-1/" + ] + }, { "VulnerabilityID": "CVE-2015-8865", "PkgName": "file-libs", 
@@ -5275,9 +5634,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "file: Buffer over-write in finfo_open with malformed magic file", "Description": "The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://bugs.gw.com/view.php?id=522", "http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e", 
@@ -5302,31 +5662,6 @@ "https://usn.ubuntu.com/3686-2/" ] }, - { - "VulnerabilityID": "CVE-2014-9620", - "PkgName": "file-libs", - "InstalledVersion": "5.11-35.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "file: limit the number of ELF notes processed", - "Description": "The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.", - "Severity": "MEDIUM", - "References": [ - "http://advisories.mageia.org/MGASA-2015-0040.html", - "http://mx.gw.com/pipermail/file/2014/001653.html", - "http://mx.gw.com/pipermail/file/2015/001660.html", - "http://rhn.redhat.com/errata/RHSA-2016-0760.html", - "http://www.debian.org/security/2015/dsa-3121", - "http://www.openwall.com/lists/oss-security/2015/01/17/9", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/71715", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620", - "https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4", - "https://security.gentoo.org/glsa/201503-08", - "https://usn.ubuntu.com/3686-1/" - ] - }, { "VulnerabilityID": "CVE-2018-10360", "PkgName": "file-libs", @@ -5334,9 +5669,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "file: out-of-bounds read via a crafted ELF file", "Description": "The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00027.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00053.html", 
@@ -5348,31 +5684,62 @@ ] }, { - "VulnerabilityID": "CVE-2015-8391", + "VulnerabilityID": "CVE-2015-8385", "PkgName": "glib2", "InstalledVersion": "2.56.1-2.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "pcre: inefficient posix character class syntax check (8.38/16)", - "Description": "The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "CRITICAL", + "SeveritySource": "redhat", + "Title": "pcre: buffer overflow caused by named forward reference to duplicate group number (8.38/30)", + "Description": "PCRE before 8.38 mishandles the /(?|(\\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "HIGH", "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://linux.oracle.com/cve/CVE-2015-8385.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", "http://www.openwall.com/lists/oss-security/2015/11/29/1", "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/82990", + "http://www.securityfocus.com/bid/85572", "https://access.redhat.com/errata/RHSA-2016:1132", 
"https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8391", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8385", "https://security.gentoo.org/glsa/201607-02" ] }, + { + "VulnerabilityID": "CVE-2016-3191", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)", + "Description": "The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-3191.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://vcs.pcre.org/pcre2?view=revision\u0026revision=489", + "http://vcs.pcre.org/pcre?view=revision\u0026revision=1631", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/84810", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://bugs.debian.org/815920", + "https://bugs.debian.org/815921", + "https://bugs.exim.org/show_bug.cgi?id=1791", + "https://bugzilla.redhat.com/show_bug.cgi?id=1311503", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191", + "https://www.tenable.com/security/tns-2016-18" + ] + }, { "VulnerabilityID": "CVE-2015-2327", "PkgName": "glib2", @@ -5380,9 +5747,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: infinite recursion compiling pattern with zero-repeated groups that include recursive back reference (8.36/19)", "Description": "PCRE before 8.36 mishandles the /(((a\\2)|(a*)\\g\u003c-1\u003e))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", @@ -5401,10 +5769,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20)", "Description": "PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-2328.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -5418,225 +5789,6 @@ "https://jira.mongodb.org/browse/SERVER-17252" ] }, - { - "VulnerabilityID": "CVE-2015-8385", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "pcre: buffer overflow caused by named forward reference to duplicate group number (8.38/30)", - "Description": "PCRE before 8.38 mishandles the /(?|(\\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/85572", - "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8385", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8386", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "pcre: Buffer overflow caused by lookbehind assertion (8.38/6)", - "Description": "PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular 
expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/82990", - "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8386", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8387", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "pcre: Integer overflow in subroutine calls (8.38/8)", - "Description": "PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8387", - 
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8388", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)", - "Description": "PCRE before 8.38 mishandles the /(?=di(?\u003c=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/85576", - "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8388", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8390", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "pcre: uninitialized memory read triggered by malformed posix character class (8.38/22)", - "Description": "PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows 
remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8390", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8394", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", - "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - 
{ - "VulnerabilityID": "CVE-2016-3191", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)", - "Description": "The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.", - "Severity": "HIGH", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://vcs.pcre.org/pcre2?view=revision\u0026revision=489", - "http://vcs.pcre.org/pcre?view=revision\u0026revision=1631", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/84810", - "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://bugs.debian.org/815920", - "https://bugs.debian.org/815921", - "https://bugs.exim.org/show_bug.cgi?id=1791", - "https://bugzilla.redhat.com/show_bug.cgi?id=1311503", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191", - "https://www.tenable.com/security/tns-2016-18" - ] - }, - { - "VulnerabilityID": "CVE-2017-11164", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", - "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion 
(uncontrolled recursion) when processing a crafted regular expression.", - "Severity": "HIGH", - "References": [ - "http://openwall.com/lists/oss-security/2017/07/11/3", - "http://www.securityfocus.com/bid/99575" - ] - }, - { - "VulnerabilityID": "CVE-2018-16428", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glib2: NULL pointer dereference in g_markup_parse_context_end_parse() function in gmarkup.c", - "Description": "In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/105210", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16428", - "https://gitlab.gnome.org/GNOME/glib/commit/fccef3cc822af74699cca84cd202719ae61ca3b9", - "https://gitlab.gnome.org/GNOME/glib/issues/1364", - "https://lists.debian.org/debian-lts-announce/2019/07/msg00029.html", - "https://usn.ubuntu.com/3767-1/", - "https://usn.ubuntu.com/3767-2/" - ] - }, - { - "VulnerabilityID": "CVE-2019-12450", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-2.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress", - "Description": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. 
Instead, default permissions are used.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450", - "https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/", - "https://security.netapp.com/advisory/ntap-20190606-0003/", - "https://usn.ubuntu.com/4014-1/", - "https://usn.ubuntu.com/4014-2/" - ] - }, { "VulnerabilityID": "CVE-2015-3217", "PkgName": "glib2", @@ -5644,10 +5796,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: stack overflow caused by mishandled group empty match (8.38/11)", "Description": "PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-3217.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre?view=revision\u0026revision=1566", 
@@ -5668,10 +5823,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)", "Description": "Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-5073.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?revision=1609\u0026view=markup", 
@@ -5688,6 +5846,212 @@ "https://security.gentoo.org/glsa/201607-02" ] }, + { + "VulnerabilityID": "CVE-2015-8387", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "pcre: Integer overflow in subroutine calls (8.38/8)", + "Description": "PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8387", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8388", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)", + "Description": "PCRE before 8.38 mishandles the /(?=di(?\u003c=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript 
RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2015-8388.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-2750.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/85576", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8388", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8390", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "pcre: uninitialized memory read triggered by malformed posix character class (8.38/22)", + "Description": "PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8390", + 
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8391", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "pcre: inefficient posix character class syntax check (8.38/16)", + "Description": "The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2015-8391.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-2750.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/82990", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8391", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8394", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + 
"SeveritySource": "redhat", + "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", + "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2019-12450", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress", + "Description": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. 
Instead, default permissions are used.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-12450.html", + "http://linux.oracle.com/errata/ELSA-2019-3530.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450", + "https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/", + "https://security.netapp.com/advisory/ntap-20190606-0003/", + "https://usn.ubuntu.com/4014-1/", + "https://usn.ubuntu.com/4014-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-9633", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "glib: g_socket_client_connected_callback in gio/gsocketclient.c allows to cause denial of service", + "Description": "gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/107391", + "https://gitlab.gnome.org/GNOME/glib/issues/1649" + ] + }, + { + "VulnerabilityID": "CVE-2015-8386", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "pcre: Buffer overflow caused by lookbehind assertion (8.38/6)", + "Description": "PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, 
which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2015-8386.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-2750.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/82990", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8386", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2017-11164", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", + "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2017/07/11/3", + "http://www.securityfocus.com/bid/99575" + ] + }, { "VulnerabilityID": "CVE-2017-7244", "PkgName": "glib2", 
@@ -5695,9 +6059,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)", "Description": "The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -5713,9 +6078,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -5730,9 +6096,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -5740,6 +6107,27 @@ "https://security.gentoo.org/glsa/201710-25" ] }, + { + "VulnerabilityID": "CVE-2018-16428", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "glib2: NULL pointer dereference in g_markup_parse_context_end_parse() function in gmarkup.c", + "Description": "In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/105210", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16428", + "https://gitlab.gnome.org/GNOME/glib/commit/fccef3cc822af74699cca84cd202719ae61ca3b9", + "https://gitlab.gnome.org/GNOME/glib/issues/1364", + "https://lists.debian.org/debian-lts-announce/2019/07/msg00029.html", + "https://usn.ubuntu.com/3767-1/", + "https://usn.ubuntu.com/3767-2/" + ] + }, { "VulnerabilityID": "CVE-2018-16429", "PkgName": "glib2", @@ -5747,9 +6135,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "glib2: Out-of-bounds read in g_markup_parse_context_parse() in gmarkup.c", "Description": "GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16429", "https://gitlab.gnome.org/GNOME/glib/commit/cec71705406f0b2790422f0c1aa0ff3b4b464b1b", 
@@ -5766,9 +6155,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "glib2: insecure permissions for files and directories", "Description": "The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb-\u003edir, NULL, NULL) and files using g_file_replace_contents (kfsb-\u003efile, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00022.html", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931234#12", 
@@ -5784,51 +6174,547 @@
 ]
 },
 {
- "VulnerabilityID": "CVE-2019-9633",
- "PkgName": "glib2",
- "InstalledVersion": "2.56.1-2.el7",
+ "VulnerabilityID": "CVE-2009-5155",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
- "Title": "glib: g_socket_client_connected_callback in gio/gsocketclient.c allows to cause denial of service",
- "Description": "gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).",
+ "SeveritySource": "redhat",
+ "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result",
+ "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
 "Severity": "MEDIUM",
 "References": [
- "http://www.securityfocus.com/bid/107391",
- "https://gitlab.gnome.org/GNOME/glib/issues/1649"
+ "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155",
+ "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793",
+ "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806",
+ "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238",
+ "https://security.netapp.com/advisory/ntap-20190315-0002/",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=11053",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=18986",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672",
+ "https://support.f5.com/csp/article/K64119434"
 ]
 },
 {
- "VulnerabilityID": "CVE-2017-16231",
- "PkgName": "glib2",
- "InstalledVersion": "2.56.1-2.el7",
+ "VulnerabilityID": "CVE-2015-8983",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
- "Title": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service",
- "Description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.",
+ "SeveritySource": "redhat",
+ "Title": "glibc: _IO_wstr_overflow integer overflow",
+ "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.openwall.com/lists/oss-security/2017/02/14/9",
+ "http://www.securityfocus.com/bid/72740",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=17269",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33",
+ "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-10739",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "FixedVersion": "2.17-292.el7",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
+ "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2016-10739.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3513.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
+ "http://www.securityfocus.com/bid/106672",
+ "https://access.redhat.com/errata/RHSA-2019:2118",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-1234",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory",
+ "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html",
+ "http://www.openwall.com/lists/oss-security/2016/03/07/16",
+ "http://www.securityfocus.com/bid/84204",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234",
+ "https://security.gentoo.org/glsa/201702-11",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=19779",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-8804",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: memory leak in sunrpc when decoding malformed XDR",
+ "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.openwall.com/lists/oss-security/2017/05/05/2",
+ "http://www.securityfocus.com/bid/98339",
+ "https://bugzilla.suse.com/show_bug.cgi?id=1037559#c7",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=21461",
+ "https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-1010022",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: stack guard protection bypass",
+ "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
+ "Severity": "MEDIUM",
+ "References": [
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-9169",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read",
+ "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.securityfocus.com/bid/107160",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169",
+ "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140",
+ "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142",
+ "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278",
+ "https://security.netapp.com/advisory/ntap-20190315-0002/",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=24114",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9",
+ "https://support.f5.com/csp/article/K54823184"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2020-10029",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions",
+ "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=25487",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2020-1752",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: use-after-free in glob() function when expanding ~user",
+ "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.",
+ "Severity": "MEDIUM"
+ },
+ {
+ "VulnerabilityID": "CVE-2014-4043",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: posix_spawn_file_actions_addopen fails to copy the path argument",
+ "Description": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.",
 "Severity": "LOW",
 "References": [
- "http://packetstormsecurity.com/files/150897/PCRE-8.41-Buffer-Overflow.html",
- "http://seclists.org/fulldisclosure/2018/Dec/33",
- "http://www.openwall.com/lists/oss-security/2017/11/01/11",
- "http://www.openwall.com/lists/oss-security/2017/11/01/3",
- "http://www.openwall.com/lists/oss-security/2017/11/01/7",
- "http://www.openwall.com/lists/oss-security/2017/11/01/8",
- "http://www.securityfocus.com/bid/101688",
- "https://bugs.exim.org/show_bug.cgi?id=2047"
+ "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.html",
+ "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html",
+ "http://seclists.org/fulldisclosure/2019/Jun/18",
+ "http://www.mandriva.com/security/advisories?name=MDVSA-2014:152",
+ "http://www.securityfocus.com/bid/68006",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=1109263",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043",
+ "https://exchange.xforce.ibmcloud.com/vulnerabilities/93784",
+ "https://seclists.org/bugtraq/2019/Jun/14",
+ "https://security.gentoo.org/glsa/201503-04",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=17048",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=ChangeLog;h=3020b9ac232315df362521aeaf85f21cb9926db8;hp=d86e73963dd9fb5e21b1a28326630337226812aa;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=posix/spawn_faction_addopen.c;h=40800b8e6e81341501c0fb8a91009529e2048dec;hp=47f62425b696a4fdd511b2a057746322eb6518db;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89e435f3559c53084498e9baad22172b64429362"
 ]
 },
 {
- "VulnerabilityID": "CVE-2014-4043",
+ "VulnerabilityID": "CVE-2015-8982",
 "PkgName": "glibc",
 "InstalledVersion": "2.17-260.el7_6.3",
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
+ "Title": "glibc: multiple overflows in strxfrm()",
+ "Description": "Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.",
+ "Severity": "LOW",
+ "References": [
+ "http://www.openwall.com/lists/oss-security/2015/02/13/3",
+ "http://www.openwall.com/lists/oss-security/2017/02/14/9",
+ "http://www.securityfocus.com/bid/72602",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8982",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=16009",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2015-8984",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: potential denial of service in internal_fnmatch()",
+ "Description": "The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.",
+ "Severity": "LOW",
+ "References": [
+ "http://www.openwall.com/lists/oss-security/2015/02/26/5",
+ "http://www.openwall.com/lists/oss-security/2017/02/14/9",
+ "http://www.securityfocus.com/bid/72789",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8984",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=18032",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185",
+ "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2015-8985",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: potential denial of service in pop_fail_stack()",
+ "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.",
+ "Severity": "LOW",
+ "References": [
+ "http://www.openwall.com/lists/oss-security/2017/02/14/9",
+ "http://www.securityfocus.com/bid/76916",
+ "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8985",
+ "https://security.gentoo.org/glsa/201908-06"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-10228",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: iconv program can hang when invoked with the -c option",
+ "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
+ "Severity": "LOW",
+ "References": [
+ "http://openwall.com/lists/oss-security/2017/03/01/10",
+ "http://www.securityfocus.com/bid/96525",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=19519"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-4429",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()",
+ "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.",
+ "Severity": "LOW",
+ "References": [
+ "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html",
+ "http://www-01.ibm.com/support/docview.wss?uid=swg21995039",
+ "http://www.securityfocus.com/bid/102073",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429",
+ "https://source.android.com/security/bulletin/2017-12-01",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=20112",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c",
+ "https://usn.ubuntu.com/3759-1/",
+ "https://usn.ubuntu.com/3759-2/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-15671",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: Memory leak in glob with GLOB_TILDE",
+ "Description": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).",
+ "Severity": "LOW",
+ "References": [
+ "http://www.securityfocus.com/bid/101517",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=22325"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-1010023",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation",
+ "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.",
+ "Severity": "LOW",
+ "References": [
+ "http://www.securityfocus.com/bid/109167",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=22851",
+ "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp;utm_medium=RSS"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-19126",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries",
+ "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.",
+ "Severity": "LOW",
+ "References": [
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=25204"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2009-5155",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result",
+ "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155",
+ "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793",
+ "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806",
+ "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238",
+ "https://security.netapp.com/advisory/ntap-20190315-0002/",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=11053",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=18986",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672",
+ "https://support.f5.com/csp/article/K64119434"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2015-8983",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: _IO_wstr_overflow integer overflow",
+ "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.openwall.com/lists/oss-security/2017/02/14/9",
+ "http://www.securityfocus.com/bid/72740",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=17269",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33",
+ "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-10739",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "FixedVersion": "2.17-292.el7",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
+ "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2016-10739.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3513.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
+ "http://www.securityfocus.com/bid/106672",
+ "https://access.redhat.com/errata/RHSA-2019:2118",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-1234",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory",
+ "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html",
+ "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html",
+ "http://www.openwall.com/lists/oss-security/2016/03/07/16",
+ "http://www.securityfocus.com/bid/84204",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234",
+ "https://security.gentoo.org/glsa/201702-11",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=19779",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-8804",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: memory leak in sunrpc when decoding malformed XDR",
+ "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.openwall.com/lists/oss-security/2017/05/05/2",
+ "http://www.securityfocus.com/bid/98339",
+ "https://bugzilla.suse.com/show_bug.cgi?id=1037559#c7",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=21461",
+ "https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-1010022",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: stack guard protection bypass",
+ "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
+ "Severity": "MEDIUM",
+ "References": [
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-9169",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read",
+ "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.securityfocus.com/bid/107160",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169",
+ "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140",
+ "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142",
+ "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278",
+ "https://security.netapp.com/advisory/ntap-20190315-0002/",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=24114",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9",
+ "https://support.f5.com/csp/article/K54823184"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2020-10029",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions",
+ "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=25487",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2020-1752",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "glibc: use-after-free in glob() function when expanding ~user",
+ "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.",
+ "Severity": "MEDIUM"
+ },
+ {
+ "VulnerabilityID": "CVE-2014-4043",
+ "PkgName": "glibc-common",
+ "InstalledVersion": "2.17-260.el7_6.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
 "Title": "glibc: posix_spawn_file_actions_addopen fails to copy the path argument",
 "Description": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.",
- "Severity": "HIGH",
+ "Severity": "LOW",
 "References": [
 "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.html",
 "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html",
@@ -5846,116 +6732,17 @@ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89e435f3559c53084498e9baad22172b64429362" ] }, - { - "VulnerabilityID": "CVE-2016-4429", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()", - "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", - "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", - "http://www-01.ibm.com/support/docview.wss?uid=swg21995039", - "http://www.securityfocus.com/bid/102073", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429", - "https://source.android.com/security/bulletin/2017-12-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20112", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c", - "https://usn.ubuntu.com/3759-1/", - "https://usn.ubuntu.com/3759-2/" - ] - }, - { - "VulnerabilityID": "CVE-2017-8804", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: memory leak in sunrpc when decoding malformed XDR", - "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.", 
- "Severity": "HIGH", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/05/05/2", - "http://www.securityfocus.com/bid/98339", - "https://bugzilla.suse.com/show_bug.cgi?id=1037559#c7", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21461", - "https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html" - ] - }, - { - "VulnerabilityID": "CVE-2019-1010022", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: stack guard protection bypass", - "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ] - }, - { - "VulnerabilityID": "CVE-2019-9169", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/107160", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", - 
"https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", - "https://support.f5.com/csp/article/K54823184" - ] - }, - { - "VulnerabilityID": "CVE-2009-5155", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", - "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", - "References": [ - "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=11053", - "https://sourceware.org/bugzilla/show_bug.cgi?id=18986", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672", - "https://support.f5.com/csp/article/K64119434" - ] - }, { "VulnerabilityID": "CVE-2015-8982", - "PkgName": "glibc", + "PkgName": "glibc-common", "InstalledVersion": "2.17-260.el7_6.3", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "glibc: multiple overflows in strxfrm()", "Description": "Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of 
service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2015/02/13/3", "http://www.openwall.com/lists/oss-security/2017/02/14/9", 
@@ -5965,302 +6752,6 @@ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed" ] }, - { - "VulnerabilityID": "CVE-2015-8983", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: _IO_wstr_overflow integer overflow", - "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/02/14/9", - "http://www.securityfocus.com/bid/72740", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17269", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33", - "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" - ] - }, - { - "VulnerabilityID": "CVE-2015-8984", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: potential denial of service in internal_fnmatch()", - "Description": "The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2015/02/26/5", - "http://www.openwall.com/lists/oss-security/2017/02/14/9", - "http://www.securityfocus.com/bid/72789", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8984", - 
"https://sourceware.org/bugzilla/show_bug.cgi?id=18032", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185", - "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" - ] - }, - { - "VulnerabilityID": "CVE-2015-8985", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: potential denial of service in pop_fail_stack()", - "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/02/14/9", - "http://www.securityfocus.com/bid/76916", - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8985", - "https://security.gentoo.org/glsa/201908-06" - ] - }, - { - "VulnerabilityID": "CVE-2016-10228", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: iconv program can hang when invoked with the -c option", - "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", - "References": [ - "http://openwall.com/lists/oss-security/2017/03/01/10", - "http://www.securityfocus.com/bid/96525", - "https://sourceware.org/bugzilla/show_bug.cgi?id=19519" - ] - }, - { - "VulnerabilityID": "CVE-2016-10739", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "FixedVersion": "2.17-292.el7", - "Layer": { - 
"DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", - "http://www.securityfocus.com/bid/106672", - "https://access.redhat.com/errata/RHSA-2019:2118", - "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" - ] - }, - { - "VulnerabilityID": "CVE-2016-1234", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory", - "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.", - "Severity": "MEDIUM", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html", - "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", - "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", - "http://www.openwall.com/lists/oss-security/2016/03/07/16", - "http://www.securityfocus.com/bid/84204", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234", - 
"https://security.gentoo.org/glsa/201702-11", - "https://sourceware.org/bugzilla/show_bug.cgi?id=19779", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea" - ] - }, - { - "VulnerabilityID": "CVE-2017-15671", - "PkgName": "glibc", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: Memory leak in glob with GLOB_TILDE", - "Description": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101517", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22325" - ] - }, - { - "VulnerabilityID": "CVE-2014-4043", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: posix_spawn_file_actions_addopen fails to copy the path argument", - "Description": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.html", - "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", - "http://seclists.org/fulldisclosure/2019/Jun/18", - "http://www.mandriva.com/security/advisories?name=MDVSA-2014:152", - "http://www.securityfocus.com/bid/68006", - 
"https://bugzilla.redhat.com/show_bug.cgi?id=1109263", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/93784", - "https://seclists.org/bugtraq/2019/Jun/14", - "https://security.gentoo.org/glsa/201503-04", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17048", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=ChangeLog;h=3020b9ac232315df362521aeaf85f21cb9926db8;hp=d86e73963dd9fb5e21b1a28326630337226812aa;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=posix/spawn_faction_addopen.c;h=40800b8e6e81341501c0fb8a91009529e2048dec;hp=47f62425b696a4fdd511b2a057746322eb6518db;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89e435f3559c53084498e9baad22172b64429362" - ] - }, - { - "VulnerabilityID": "CVE-2016-4429", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()", - "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", - "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", - "http://www-01.ibm.com/support/docview.wss?uid=swg21995039", - "http://www.securityfocus.com/bid/102073", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429", - "https://source.android.com/security/bulletin/2017-12-01", - 
"https://sourceware.org/bugzilla/show_bug.cgi?id=20112", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c", - "https://usn.ubuntu.com/3759-1/", - "https://usn.ubuntu.com/3759-2/" - ] - }, - { - "VulnerabilityID": "CVE-2017-8804", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: memory leak in sunrpc when decoding malformed XDR", - "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.", - "Severity": "HIGH", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/05/05/2", - "http://www.securityfocus.com/bid/98339", - "https://bugzilla.suse.com/show_bug.cgi?id=1037559#c7", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21461", - "https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html" - ] - }, - { - "VulnerabilityID": "CVE-2019-1010022", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: stack guard protection bypass", - "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. 
The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ] - }, - { - "VulnerabilityID": "CVE-2019-9169", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/107160", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", - "https://support.f5.com/csp/article/K54823184" - ] - }, - { - "VulnerabilityID": "CVE-2009-5155", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", - "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an 
incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", - "References": [ - "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=11053", - "https://sourceware.org/bugzilla/show_bug.cgi?id=18986", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672", - "https://support.f5.com/csp/article/K64119434" - ] - }, - { - "VulnerabilityID": "CVE-2015-8982", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: multiple overflows in strxfrm()", - "Description": "Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2015/02/13/3", - "http://www.openwall.com/lists/oss-security/2017/02/14/9", - "http://www.securityfocus.com/bid/72602", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8982", - "https://sourceware.org/bugzilla/show_bug.cgi?id=16009", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed" - ] - }, - { - "VulnerabilityID": "CVE-2015-8983", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-260.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: _IO_wstr_overflow 
integer overflow", - "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/02/14/9", - "http://www.securityfocus.com/bid/72740", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17269", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33", - "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" - ] - }, { "VulnerabilityID": "CVE-2015-8984", "PkgName": "glibc-common", @@ -6268,9 +6759,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "glibc: potential denial of service in internal_fnmatch()", "Description": "The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2015/02/26/5", "http://www.openwall.com/lists/oss-security/2017/02/14/9", 
@@ -6288,9 +6780,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", @@ -6306,9 +6799,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", 
@@ -6316,45 +6810,27 @@ ] }, { - "VulnerabilityID": "CVE-2016-10739", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-260.el7_6.3", - "FixedVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", - "http://www.securityfocus.com/bid/106672", - "https://access.redhat.com/errata/RHSA-2019:2118", - "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" - ] - }, - { - "VulnerabilityID": "CVE-2016-1234", + "VulnerabilityID": "CVE-2016-4429", "PkgName": "glibc-common", "InstalledVersion": "2.17-260.el7_6.3", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory", - "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()", + "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C 
Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.", + "Severity": "LOW", "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html", "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", - "http://www.openwall.com/lists/oss-security/2016/03/07/16", - "http://www.securityfocus.com/bid/84204", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234", - "https://security.gentoo.org/glsa/201702-11", - "https://sourceware.org/bugzilla/show_bug.cgi?id=19779", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea" + "http://www-01.ibm.com/support/docview.wss?uid=swg21995039", + "http://www.securityfocus.com/bid/102073", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429", + "https://source.android.com/security/bulletin/2017-12-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20112", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c", + "https://usn.ubuntu.com/3759-1/", + "https://usn.ubuntu.com/3759-2/" ] }, { 
@@ -6364,15 +6840,49 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "glibc: Memory leak in glob with GLOB_TILDE", "Description": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101517", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671", "https://sourceware.org/bugzilla/show_bug.cgi?id=22325" ] }, + { + "VulnerabilityID": "CVE-2019-1010023", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-260.el7_6.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", + "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. 
ldd execute code.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/109167", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", + "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2019-19126", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-260.el7_6.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", + "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", + "Severity": "LOW", + "References": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25204" + ] + }, { "VulnerabilityID": "CVE-2014-4617", "PkgName": "gnupg2", @@ -6380,6 +6890,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gnupg: infinite loop when decompressing data packets", "Description": "The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.", "Severity": "MEDIUM", 
@@ -6399,22 +6910,6 @@ "http://www.ubuntu.com/usn/USN-2258-1" ] }, - { - "VulnerabilityID": "CVE-2018-9234", - "PkgName": "gnupg2", - "InstalledVersion": "2.0.22-5.el7_5", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys", - "Description": "GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234", - "https://dev.gnupg.org/T3844", - "https://usn.ubuntu.com/3675-1/" - ] - }, { "VulnerabilityID": "CVE-2019-13050", "PkgName": "gnupg2", @@ -6422,6 +6917,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "GnuPG: interaction between the sks-keyserver code and GnuPG allows for a Certificate Spamming Attack which leads to persistent DoS", "Description": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.", "Severity": "MEDIUM", 
@@ -6439,9 +6935,17 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)", - "Description": "No description is available for this CVE.", - "Severity": "LOW" + "Description": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.", + "Severity": "LOW", + "References": [ + "http://www.cs.tau.ac.il/~tromer/radioexp/", + "http://www.debian.org/security/2015/dsa-3184", + "http://www.debian.org/security/2015/dsa-3185", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html" + ] }, { "VulnerabilityID": "CVE-2015-0837", 
@@ -6450,11 +6954,17 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libgcrypt: last-level cache side-channel attack", - "Description": "No description is available for this CVE.", + "Description": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"", "Severity": "LOW", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837" + "http://www.debian.org/security/2015/dsa-3184", + "http://www.debian.org/security/2015/dsa-3185", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837", + "https://ieeexplore.ieee.org/document/7163050", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html" ] }, { 
@@ -6464,10 +6974,17 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gnupg2: invalid memory read using a garbled keyring", - "Description": "No description is available for this CVE.", + "Description": "The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.", "Severity": "LOW", "References": [ + "http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648", + "http://www.debian.org/security/2015/dsa-3184", + "http://www.openwall.com/lists/oss-security/2015/02/13/14", + "http://www.openwall.com/lists/oss-security/2015/02/14/6", + "http://www.securitytracker.com/id/1031876", + "https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1606" ] }, 
@@ -6478,11 +6995,38 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gnupg2: memcpy with overlapping ranges (keybox_search.c)", - "Description": "No description is available for this CVE.", + "Description": "kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and \"memcpy with overlapping ranges.\"", "Severity": "LOW", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1607" + "http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392", + "http://www.openwall.com/lists/oss-security/2015/02/13/14", + "http://www.openwall.com/lists/oss-security/2015/02/14/6", + "http://www.securityfocus.com/bid/72610", + "http://www.ubuntu.com/usn/usn-2554-1/", + "https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1607", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000361.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000362.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-9234", + "PkgName": "gnupg2", + "InstalledVersion": "2.0.22-5.el7_5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys", + "Description": "GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that 
occurred only with access to a signing subkey.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234", + "https://dev.gnupg.org/T3844", + "https://usn.ubuntu.com/3675-1/" ] }, { @@ -6492,9 +7036,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gpgme: heap-based buffer overflow in gpgsm status handler", "Description": "Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to \"different line lengths in a specific order.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77", "http://seclists.org/oss-sec/2014/q3/266", 
@@ -6505,6 +7050,36 @@ "https://bugzilla.redhat.com/show_bug.cgi?id=1113267" ] }, + { + "VulnerabilityID": "CVE-2014-5351", + "PkgName": "krb5-libs", + "InstalledVersion": "1.15.1-37.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "krb5: current keys returned when randomizing the keys for a service principal", + "Description": "The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.", + "Severity": "MEDIUM", + "References": [ + "http://advisories.mageia.org/MGASA-2014-0477.html", + "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018", + "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html", + "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html", + "http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html", + "http://security.gentoo.org/glsa/glsa-201412-53.xml", + "http://www.mandriva.com/security/advisories?name=MDVSA-2014:224", + "http://www.securityfocus.com/bid/70380", + "http://www.securitytracker.com/id/1031003", + "http://www.ubuntu.com/usn/USN-2498-1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1145425", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/97028", + "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca", + "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html" + ] + }, { "VulnerabilityID": "CVE-2015-2695", "PkgName": "krb5-libs", 
@@ -6512,9 +7087,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "krb5: SPNEGO context aliasing bugs", "Description": "lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244", "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00006.html", @@ -6537,9 +7113,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "krb5: IAKERB context aliasing flaw", "Description": "lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted IAKERB packet that is mishandled during a gss_inquire_context call.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244", "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00006.html", 
@@ -6554,43 +7131,6 @@ "https://security.gentoo.org/glsa/201611-14" ] }, - { - "VulnerabilityID": "CVE-2017-11462", - "PkgName": "krb5-libs", - "InstalledVersion": "1.15.1-37.el7_6", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "krb5: Automatic sec context deletion could lead to double-free", - "Description": "Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.", - "Severity": "HIGH", - "References": [ - "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598", - "https://bugzilla.redhat.com/show_bug.cgi?id=1488873", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11462", - "https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/" - ] - }, - { - "VulnerabilityID": "CVE-2017-15088", - "PkgName": "krb5-libs", - "InstalledVersion": "1.15.1-37.el7_6", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "krb5: Buffer overflow in get_matching_data()", - "Description": "plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. 
NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/101594", - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698", - "https://bugzilla.redhat.com/show_bug.cgi?id=1504045", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088", - "https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4", - "https://github.com/krb5/krb5/pull/707" - ] - }, { "VulnerabilityID": "CVE-2015-2697", "PkgName": "krb5-libs", @@ -6598,6 +7138,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "krb5: build_principal() memory flaw", "Description": "The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '\\0' character in a long realm field within a TGS request.", "Severity": "MEDIUM", 
@@ -6617,61 +7158,23 @@ ] }, { - "VulnerabilityID": "CVE-2018-5709", + "VulnerabilityID": "CVE-2017-15088", "PkgName": "krb5-libs", "InstalledVersion": "1.15.1-37.el7_6", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "krb5: integer overflow in dbentry-\u003en_key_data in kadmin/dbutil/dump.c", - "Description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", + "SeveritySource": "redhat", + "Title": "krb5: Buffer overflow in get_matching_data()", + "Description": "plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. 
NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.", "Severity": "MEDIUM", "References": [ - "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow" - ] - }, - { - "VulnerabilityID": "CVE-2018-5710", - "PkgName": "krb5-libs", - "InstalledVersion": "1.15.1-37.el7_6", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "krb5: null pointer deference in strlen function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c", - "Description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function \"strlen\" is getting a \"NULL\" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5710", - "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service(DoS)" - ] - }, - { - "VulnerabilityID": "CVE-2014-5351", - "PkgName": "krb5-libs", - "InstalledVersion": "1.15.1-37.el7_6", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "krb5: current keys returned when randomizing the keys for a service principal", - "Description": "The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.", - "Severity": "LOW", - "References": [ - "http://advisories.mageia.org/MGASA-2014-0477.html", - 
"http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018", - "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html", - "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html", - "http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html", - "http://security.gentoo.org/glsa/glsa-201412-53.xml", - "http://www.mandriva.com/security/advisories?name=MDVSA-2014:224", - "http://www.securityfocus.com/bid/70380", - "http://www.securitytracker.com/id/1031003", - "http://www.ubuntu.com/usn/USN-2498-1", - "https://bugzilla.redhat.com/show_bug.cgi?id=1145425", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/97028", - "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca", - "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html" + "http://www.securityfocus.com/bid/101594", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698", + "https://bugzilla.redhat.com/show_bug.cgi?id=1504045", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088", + "https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4", + "https://github.com/krb5/krb5/pull/707" ] }, { 
@@ -6681,9 +7184,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "krb5: Reachable assertion in the KDC using S4U2Self requests", "Description": "A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217", @@ -6693,6 +7197,25 @@ "https://security.netapp.com/advisory/ntap-20190416-0006/" ] }, + { + "VulnerabilityID": "CVE-2017-11462", + "PkgName": "krb5-libs", + "InstalledVersion": "1.15.1-37.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "krb5: Automatic sec context deletion could lead to double-free", + "Description": "Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.", + "Severity": "LOW", + "References": [ + "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598", + "https://bugzilla.redhat.com/show_bug.cgi?id=1488873", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11462", + "https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/" + ] + }, { "VulnerabilityID": "CVE-2014-9114", "PkgName": "libblkid", 
@@ -6700,9 +7223,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", @@ -6723,9 +7247,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -6740,6 +7265,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", 
@@ -6760,6 +7286,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check leading to heap buffer overflow (oCERT-015-002)", "Description": "Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image.", "Severity": "MEDIUM", 
@@ -6784,6 +7311,46 @@ "https://security.gentoo.org/glsa/201701-06" ] }, + { + "VulnerabilityID": "CVE-2019-5094", + "PkgName": "libcom_err", + "InstalledVersion": "1.42.9-13.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", + "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html", + "https://seclists.org/bugtraq/2019/Sep/58", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887", + "https://usn.ubuntu.com/4142-2/", + "https://www.debian.org/security/2019/dsa-4535" + ] + }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libcom_err", + "InstalledVersion": "1.42.9-13.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. 
An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2015-1572", "PkgName": "libcom_err", @@ -6791,9 +7358,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "e2fsprogs: potential buffer overflow in closefs() (incomplete CVE-2015-0247 fix)", "Description": "Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://advisories.mageia.org/MGASA-2015-0088.html", "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/150606.html", 
@@ -6811,142 +7379,6 @@ "https://security.gentoo.org/glsa/201507-22" ] }, - { - "VulnerabilityID": "CVE-2018-14618", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "FixedVersion": "7.29.0-51.el7_6.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: NTLM password overflow via integer overflow", - "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. 
(This bug is almost identical to CVE-2017-8816.)", - "Severity": "CRITICAL", - "References": [ - "http://www.securitytracker.com/id/1041605", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618", - "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", - "https://curl.haxx.se/docs/CVE-2018-14618.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014", - "https://security.gentoo.org/glsa/201903-03", - "https://usn.ubuntu.com/3765-1/", - "https://usn.ubuntu.com/3765-2/", - "https://www.debian.org/security/2018/dsa-4286" - ] - }, - { - "VulnerabilityID": "CVE-2016-8618", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: Double-free in curl_maprintf", - "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94098", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", - "https://curl.haxx.se/docs/adv_20161102D.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8619", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: 
Double-free in krb5 code", - "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94100", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", - "https://curl.haxx.se/CVE-2016-8619.patch", - "https://curl.haxx.se/docs/adv_20161102E.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8622", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: URL unescape heap overflow via integer truncation", - "Description": "The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. 
That could then lead to libcurl writing outside of its heap based buffer.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94105", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622", - "https://curl.haxx.se/docs/adv_20161102H.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2017-8817", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: FTP wildcard out of bounds read", - "Description": "The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.", - "Severity": "HIGH", - "References": [ - "http://security.cucumberlinux.com/security/details.php?id=162", - "http://www.securityfocus.com/bid/102057", - "http://www.securitytracker.com/id/1039897", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/docs/adv_2017-ae72.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00040.html", - "https://security.gentoo.org/glsa/201712-04", - "https://www.debian.org/security/2017/dsa-4051" - ] - }, - { - "VulnerabilityID": "CVE-2019-5482", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: heap buffer overflow 
in function tftp_receive_packet()", - "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", - "https://curl.haxx.se/docs/CVE-2019-5482.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" - ] - }, { "VulnerabilityID": "CVE-2015-3153", "PkgName": "libcurl", @@ -6954,6 +7386,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: sensitive HTTP server headers also sent to proxies", "Description": "The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.", "Severity": "MEDIUM", 
@@ -6975,6 +7408,257 @@ "https://support.apple.com/kb/HT205031" ] }, + { + "VulnerabilityID": "CVE-2016-8615", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Cookie injection for other servers", + "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8615.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94096", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615", + "https://curl.haxx.se/CVE-2016-8615.patch", + "https://curl.haxx.se/docs/adv_20161102A.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8617", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Out-of-bounds write via unchecked multiplication", + "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8617.html", + 
"http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94097", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617", + "https://curl.haxx.se/CVE-2016-8617.patch", + "https://curl.haxx.se/docs/adv_20161102C.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8618", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Double-free in curl_maprintf", + "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8618.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94098", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", + "https://curl.haxx.se/docs/adv_20161102D.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8619", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { 
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Double-free in krb5 code", + "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8619.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94100", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", + "https://curl.haxx.se/CVE-2016-8619.patch", + "https://curl.haxx.se/docs/adv_20161102E.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8624", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: Invalid URL parsing with '#'", + "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. 
This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8624.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94103", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624", + "https://curl.haxx.se/docs/adv_20161102J.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8625", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: IDNA 2003 makes curl use wrong host", + "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8625.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.securityfocus.com/bid/94107", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625", + "https://curl.haxx.se/CVE-2016-8625.patch", + "https://curl.haxx.se/docs/adv_20161102K.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625", + 
"https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2017-1000254", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: FTP PWD response parser out of bounds read", + "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3992", + "http://www.securityfocus.com/bid/101115", + "http://www.securitytracker.com/id/1039509", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://curl.haxx.se/673d0cd8.patch", + "https://curl.haxx.se/docs/adv_20171004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254", + "https://security.gentoo.org/glsa/201712-04", + "https://support.apple.com/HT208331" + ] + }, + { + "VulnerabilityID": "CVE-2017-8817", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: FTP wildcard out of bounds read", + "Description": "The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.", + "Severity": "MEDIUM", + "References": [ + "http://security.cucumberlinux.com/security/details.php?id=162", + "http://www.securityfocus.com/bid/102057", + "http://www.securitytracker.com/id/1039897", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://curl.haxx.se/docs/adv_2017-ae72.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00040.html", + "https://security.gentoo.org/glsa/201712-04", + "https://www.debian.org/security/2017/dsa-4051" + ] + }, + { + "VulnerabilityID": "CVE-2018-20483", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "wget: Information exposure in set_file_metadata function in xattr.c", + "Description": "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.", + "Severity": "MEDIUM", + "References": [ + "http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS", + "http://linux.oracle.com/cve/CVE-2018-20483.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106358", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483", + "https://security.gentoo.org/glsa/201903-08", + "https://security.netapp.com/advisory/ntap-20190321-0002/", + "https://twitter.com/marcan42/status/1077676739877232640", + "https://usn.ubuntu.com/3943-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + 
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, { "VulnerabilityID": "CVE-2016-0755", "PkgName": "libcurl", @@ -6982,9 +7666,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: NTLM credentials not-checked for proxy connection re-use", "Description": "The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://curl.haxx.se/docs/adv_20160127A.html", "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", 
@@ -7007,30 +7692,6 @@ "https://support.apple.com/HT207170" ] }, - { - "VulnerabilityID": "CVE-2016-8615", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: Cookie injection for other servers", - "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94096", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615", - "https://curl.haxx.se/CVE-2016-8615.patch", - "https://curl.haxx.se/docs/adv_20161102A.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-8616", "PkgName": "libcurl", 
@@ -7038,10 +7699,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: Case insensitive password comparison", "Description": "A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8616.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94094", "http://www.securitytracker.com/id/1037192", 
@@ -7055,30 +7719,6 @@ "https://www.tenable.com/security/tns-2016-21" ] }, - { - "VulnerabilityID": "CVE-2016-8617", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: Out-of-bounds write via unchecked multiplication", - "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94097", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617", - "https://curl.haxx.se/CVE-2016-8617.patch", - "https://curl.haxx.se/docs/adv_20161102C.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-8621", "PkgName": "libcurl", @@ -7086,10 +7726,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: curl_getdate out-of-bounds read", "Description": "The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8621.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94101", "http://www.securitytracker.com/id/1037192", 
@@ -7103,6 +7746,32 @@ "https://www.tenable.com/security/tns-2016-21" ] }, + { + "VulnerabilityID": "CVE-2016-8622", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: URL unescape heap overflow via integer truncation", + "Description": "The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8622.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94105", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622", + "https://curl.haxx.se/docs/adv_20161102H.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, { "VulnerabilityID": "CVE-2016-8623", "PkgName": "libcurl", 
@@ -7110,10 +7779,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: Use-after-free via shared cookies", "Description": "A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8623.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94106", "http://www.securitytracker.com/id/1037192", 
@@ -7127,52 +7799,6 @@ "https://www.tenable.com/security/tns-2016-21" ] }, - { - "VulnerabilityID": "CVE-2016-8624", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: Invalid URL parsing with '#'", - "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94103", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624", - "https://curl.haxx.se/docs/adv_20161102J.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8625", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: IDNA 2003 makes curl use wrong host", - "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/94107", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - 
"https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625", - "https://curl.haxx.se/CVE-2016-8625.patch", - "https://curl.haxx.se/docs/adv_20161102K.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-9586", "PkgName": "libcurl", @@ -7180,9 +7806,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: printf floating point buffer overflow", "Description": "curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/95019", 
@@ -7203,9 +7830,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: TFTP sends more than buffer size", "Description": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.debian.org/security/2017/dsa-3992", "http://www.securityfocus.com/bid/100286", 
@@ -7218,26 +7846,51 @@ ] }, { - "VulnerabilityID": "CVE-2017-1000254", + "VulnerabilityID": "CVE-2017-7407", "PkgName": "libcurl", "InstalledVersion": "7.29.0-51.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "curl: FTP PWD response parser out of bounds read", - "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "curl: --write-out out of bounds read", + "Description": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.", + "Severity": "LOW", "References": [ - "http://www.debian.org/security/2017/dsa-3992", - "http://www.securityfocus.com/bid/101115", - "http://www.securitytracker.com/id/1039509", - "https://access.redhat.com/errata/RHSA-2018:2486", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/673d0cd8.patch", - "https://curl.haxx.se/docs/adv_20171004.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254", - "https://security.gentoo.org/glsa/201712-04", - "https://support.apple.com/HT208331" + "https://curl.haxx.se/docs/adv_20170403.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407", + "https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13", + "https://security.gentoo.org/glsa/201709-14" + ] + }, + { + "VulnerabilityID": "CVE-2018-14618", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.el7", + "FixedVersion": "7.29.0-51.el7_6.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "curl: NTLM password overflow via integer overflow", + "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. 
The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-14618.html", + "http://linux.oracle.com/errata/ELSA-2019-1880.html", + "http://www.securitytracker.com/id/1041605", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2018-14618.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014", + "https://security.gentoo.org/glsa/201903-03", + "https://usn.ubuntu.com/3765-1/", + "https://usn.ubuntu.com/3765-2/", + "https://www.debian.org/security/2018/dsa-4286" ] }, { 
@@ -7248,10 +7901,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting", "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16842.html", + "http://linux.oracle.com/errata/ELSA-2019-2181.html", "http://www.securitytracker.com/id/1042014", "https://access.redhat.com/errata/RHSA-2019:2181", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842", @@ -7272,9 +7928,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function", "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", 
@@ -7284,45 +7941,6 @@ "https://security.netapp.com/advisory/ntap-20190606-0004/" ] }, - { - "VulnerabilityID": "CVE-2017-7407", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "curl: --write-out out of bounds read", - "Description": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.", - "Severity": "LOW", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/docs/adv_20170403.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407", - "https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13", - "https://security.gentoo.org/glsa/201709-14" - ] - }, - { - "VulnerabilityID": "CVE-2018-20483", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-51.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "wget: Information exposure in set_file_metadata function in xattr.c", - "Description": "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.", - "Severity": "LOW", - "References": [ - "http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS", - "http://www.securityfocus.com/bid/106358", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483", - "https://security.gentoo.org/glsa/201903-08", - "https://security.netapp.com/advisory/ntap-20190321-0002/", - "https://twitter.com/marcan42/status/1077676739877232640", - "https://usn.ubuntu.com/3943-1/" - ] - }, { "VulnerabilityID": "CVE-2017-10140", "PkgName": "libdb", @@ -7330,6 +7948,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libdb: Reads DB_CONFIG from the current working directory", "Description": "Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.", "Severity": "MEDIUM", @@ -7347,6 +7966,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libdb: Reads DB_CONFIG from the current working directory", "Description": "Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.", "Severity": "MEDIUM", 
@@ -7364,9 +7984,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: integer overflow flaws in libgfortran", "Description": "Multiple integer overflows in libgfortran might allow remote attackers to execute arbitrary code or cause a denial of service (Fortran application crash) via vectors related to array allocation.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2014/07/24/1", "http://www.openwall.com/lists/oss-security/2014/07/31/6", @@ -7376,6 +7997,22 @@ "https://gcc.gnu.org/viewcvs/gcc/trunk/libgfortran/ChangeLog?limit_changes=0\u0026view=markup\u0026pathrev=211721" ] }, + { + "VulnerabilityID": "CVE-2018-20673", + "PkgName": "libgcc", + "InstalledVersion": "4.8.5-36.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libiberty: Integer overflow in demangle_template() function", + "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/106454", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" + ] + }, { "VulnerabilityID": "CVE-2015-5276", "PkgName": "libgcc", 
@@ -7383,9 +8020,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Predictable randomness from std::random_device", "Description": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2015-11/msg00054.html", "http://lists.opensuse.org/opensuse-updates/2016-04/msg00052.html", @@ -7401,9 +8039,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Exploitable buffer overflow", "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90103", @@ -7419,9 +8058,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array btypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", 
@@ -7436,9 +8076,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", @@ -7453,9 +8094,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to integer overflow", "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90017", @@ -7470,9 +8112,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Write access violation", "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90019", 
@@ -7487,9 +8130,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90016", @@ -7505,9 +8149,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", @@ -7523,9 +8168,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", 
@@ -7534,25 +8180,6 @@ "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" ] }, - { - "VulnerabilityID": "CVE-2016-6131", - "PkgName": "libgcc", - "InstalledVersion": "4.8.5-36.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler", - "Description": "The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/06/30/4", - "http://www.openwall.com/lists/oss-security/2016/06/30/7", - "http://www.securityfocus.com/bid/91519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696", - "https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html" - ] - }, { "VulnerabilityID": "CVE-2018-20657", "PkgName": "libgcc", 
@@ -7560,30 +8187,19 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20657.html", + "http://linux.oracle.com/errata/ELSA-2019-3352.html", "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", "https://support.f5.com/csp/article/K62602089" ] }, - { - "VulnerabilityID": "CVE-2018-20673", - "PkgName": "libgcc", - "InstalledVersion": "4.8.5-36.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libiberty: Integer overflow in demangle_template() function", - "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106454", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" - ] - }, { "VulnerabilityID": "CVE-2019-14250", "PkgName": "libgcc", 
@@ -7591,9 +8207,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "binutils: integer overflow in simple-object-elf.c leads to a heap-based buffer overflow", "Description": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109354", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924", @@ -7601,6 +8218,25 @@ "https://security.netapp.com/advisory/ntap-20190822-0002/" ] }, + { + "VulnerabilityID": "CVE-2014-5270", + "PkgName": "libgcrypt", + "InstalledVersion": "1.5.3-14.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libgcrypt: ELGAMAL side-channel attack", + "Description": "Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.", + "Severity": "MEDIUM", + "References": [ + "http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html", + "http://openwall.com/lists/oss-security/2014/08/16/2", + "http://www.cs.tau.ac.il/~tromer/handsoff/", + "http://www.debian.org/security/2014/dsa-3024", + "http://www.debian.org/security/2014/dsa-3073" + ] + }, { "VulnerabilityID": "CVE-2017-7526", "PkgName": "libgcrypt", 
@@ -7608,6 +8244,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libgcrypt: Use of left-to-right sliding window method allows full RSA key recovery", "Description": "libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.", "Severity": "MEDIUM", @@ -7634,6 +8271,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack", "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)", "Severity": "MEDIUM", 
@@ -7652,26 +8290,16 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)", - "Description": "No description is available for this CVE.", - "Severity": "LOW" - }, - { - "VulnerabilityID": "CVE-2014-5270", - "PkgName": "libgcrypt", - "InstalledVersion": "1.5.3-14.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libgcrypt: ELGAMAL side-channel attack", - "Description": "Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.", + "Description": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.", "Severity": "LOW", "References": [ - "http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html", - "http://openwall.com/lists/oss-security/2014/08/16/2", - "http://www.cs.tau.ac.il/~tromer/handsoff/", - "http://www.debian.org/security/2014/dsa-3024", - "http://www.debian.org/security/2014/dsa-3073" + "http://www.cs.tau.ac.il/~tromer/radioexp/", + "http://www.debian.org/security/2015/dsa-3184", + "http://www.debian.org/security/2015/dsa-3185", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html" ] }, { 
@@ -7681,11 +8309,17 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libgcrypt: last-level cache side-channel attack", - "Description": "No description is available for this CVE.", + "Description": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"", "Severity": "LOW", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837" + "http://www.debian.org/security/2015/dsa-3184", + "http://www.debian.org/security/2015/dsa-3185", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837", + "https://ieeexplore.ieee.org/document/7163050", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html" ] }, { @@ -7695,9 +8329,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libidn: out-of-bounds read with stringprep on invalid UTF-8", "Description": "The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c279", "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162537.html", 
@@ -7712,24 +8347,6 @@ "https://github.com/jabberd2/jabberd2/issues/85" ] }, - { - "VulnerabilityID": "CVE-2017-14062", - "PkgName": "libidn", - "InstalledVersion": "1.28-4.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libidn2: Integer overflow in puny_decode.c/decode_digit", - "Description": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.", - "Severity": "HIGH", - "References": [ - "http://www.debian.org/security/2017/dsa-3988", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062", - "https://gitlab.com/libidn/libidn2/blob/master/NEWS", - "https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd", - "https://lists.debian.org/debian-lts-announce/2018/07/msg00040.html" - ] - }, { "VulnerabilityID": "CVE-2015-8948", "PkgName": "libidn", @@ -7737,9 +8354,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libidn: Out-of-bounds read due to use of fgets with fixed-size buffer", "Description": "idn in GNU libidn before 1.33 might allow remote attackers to obtain sensitive memory information by reading a zero byte as input, which triggers an out-of-bounds read.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=570e68886c41c2e765e6218cb317d9a9a447a041", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00005.html", 
@@ -7760,9 +8378,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libidn: Out of bounds stack read in idna_to_ascii_4i", "Description": "The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via 64 bytes of input.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00098.html", @@ -7783,9 +8402,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libidn: Out-of-bounds read when reading zero byte as input", "Description": "idn in libidn before 1.33 might allow remote attackers to obtain sensitive memory information by reading a zero byte as input, which triggers an out-of-bounds read, a different vulnerability than CVE-2015-8948.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=5e3cb9c7b5bf0ce665b9d68f5ddf095af5c9ba60", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00005.html", @@ -7804,9 +8424,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libidn: Crash when given invalid UTF-8 data on input", "Description": "The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted UTF-8 data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1fbee57ef3c72db2206dd87e4162108b2f425555", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00005.html", 
@@ -7820,6 +8441,25 @@ "https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html" ] }, + { + "VulnerabilityID": "CVE-2017-14062", + "PkgName": "libidn", + "InstalledVersion": "1.28-4.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libidn2: Integer overflow in puny_decode.c/decode_digit", + "Description": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.", + "Severity": "LOW", + "References": [ + "http://www.debian.org/security/2017/dsa-3988", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062", + "https://gitlab.com/libidn/libidn2/blob/master/NEWS", + "https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd", + "https://lists.debian.org/debian-lts-announce/2018/07/msg00040.html" + ] + }, { "VulnerabilityID": "CVE-2014-9114", "PkgName": "libmount", @@ -7827,9 +8467,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", 
@@ -7850,9 +8491,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -7867,6 +8509,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", @@ -7887,9 +8530,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", 
@@ -7910,9 +8554,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -7927,6 +8572,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", @@ -7948,10 +8594,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libssh2: Integer overflow in transport read resulting in out of bounds write", "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", - "Severity": "CRITICAL", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3855.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", 
@@ -7972,25 +8621,6 @@ "https://www.libssh2.org/CVE-2019-3855.html" ] }, - { - "VulnerabilityID": "CVE-2019-13115", - "PkgName": "libssh2", - "InstalledVersion": "1.4.3-12.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write", - "Description": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.", - "Severity": "MEDIUM", - "References": [ - "https://blog.semmle.com/libssh2-integer-overflow/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115", - "https://github.com/libssh2/libssh2/compare/02ecf17...42d37aa", - "https://github.com/libssh2/libssh2/pull/350", - "https://libssh2.org/changes.html", - "https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html" - ] - }, { "VulnerabilityID": "CVE-2019-3856", "PkgName": "libssh2", 
@@ -7999,10 +8629,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write", "Description": "An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3856.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://access.redhat.com/errata/RHSA-2019:0679", @@ -8025,10 +8658,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write", "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3857.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://access.redhat.com/errata/RHSA-2019:0679", 
@@ -8043,6 +8679,77 @@ "https://www.libssh2.org/CVE-2019-3857.html" ] }, + { + "VulnerabilityID": "CVE-2019-3863", + "PkgName": "libssh2", + "InstalledVersion": "1.4.3-12.el7", + "FixedVersion": "1.4.3-12.el7_6.2", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes", + "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3863.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", + "https://access.redhat.com/errata/RHSA-2019:0679", + "https://access.redhat.com/errata/RHSA-2019:1175", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", + "https://seclists.org/bugtraq/2019/Apr/25", + "https://security.netapp.com/advisory/ntap-20190327-0005/", + "https://www.debian.org/security/2019/dsa-4431", + "https://www.libssh2.org/CVE-2019-3863.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-13115", + "PkgName": "libssh2", + "InstalledVersion": "1.4.3-12.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libssh2: integer overflow in 
kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write", + "Description": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.", + "Severity": "MEDIUM", + "References": [ + "https://blog.semmle.com/libssh2-integer-overflow/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115", + "https://github.com/libssh2/libssh2/compare/02ecf17...42d37aa", + "https://github.com/libssh2/libssh2/pull/350", + "https://libssh2.org/changes.html", + "https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17498", + "PkgName": "libssh2", + "InstalledVersion": "1.4.3-12.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c", + "Description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. 
A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00026.html", + "https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498", + "https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498", + "https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c#L480", + "https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94", + "https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/" + ] + }, { "VulnerabilityID": "CVE-2019-3858", "PkgName": "libssh2", @@ -8051,10 +8758,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3858.html", + "http://linux.oracle.com/errata/ELSA-2019-2136.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", 
@@ -8080,6 +8790,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", @@ -8113,6 +8824,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libssh2: Out-of-bounds reads with specially crafted SFTP packets", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", @@ -8137,10 +8849,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libssh2: Out-of-bounds reads with specially crafted SSH packets", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3861.html", + "http://linux.oracle.com/errata/ELSA-2019-2136.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3861", 
@@ -8161,10 +8876,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3862.html", + "http://linux.oracle.com/errata/ELSA-2019-4693.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", 
@@ -8183,32 +8901,6 @@ "https://www.libssh2.org/CVE-2019-3862.html" ] }, - { - "VulnerabilityID": "CVE-2019-3863", - "PkgName": "libssh2", - "InstalledVersion": "1.4.3-12.el7", - "FixedVersion": "1.4.3-12.el7_6.2", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes", - "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", - "https://access.redhat.com/errata/RHSA-2019:0679", - "https://access.redhat.com/errata/RHSA-2019:1175", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863", - "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/", - "https://seclists.org/bugtraq/2019/Apr/25", - "https://security.netapp.com/advisory/ntap-20190327-0005/", - "https://www.debian.org/security/2019/dsa-4431", - "https://www.libssh2.org/CVE-2019-3863.html" - ] - }, { "VulnerabilityID": "CVE-2014-5044", "PkgName": "libstdc++", 
@@ -8216,9 +8908,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: integer overflow flaws in libgfortran", "Description": "Multiple integer overflows in libgfortran might allow remote attackers to execute arbitrary code or cause a denial of service (Fortran application crash) via vectors related to array allocation.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2014/07/24/1", "http://www.openwall.com/lists/oss-security/2014/07/31/6", @@ -8228,6 +8921,22 @@ "https://gcc.gnu.org/viewcvs/gcc/trunk/libgfortran/ChangeLog?limit_changes=0\u0026view=markup\u0026pathrev=211721" ] }, + { + "VulnerabilityID": "CVE-2018-20673", + "PkgName": "libstdc++", + "InstalledVersion": "4.8.5-36.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libiberty: Integer overflow in demangle_template() function", + "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/106454", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" + ] + }, { "VulnerabilityID": "CVE-2015-5276", "PkgName": "libstdc++", 
@@ -8235,9 +8944,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Predictable randomness from std::random_device", "Description": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2015-11/msg00054.html", "http://lists.opensuse.org/opensuse-updates/2016-04/msg00052.html", @@ -8253,9 +8963,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Exploitable buffer overflow", "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90103", @@ -8271,9 +8982,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array btypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", 
@@ -8288,9 +9000,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", @@ -8305,9 +9018,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to integer overflow", "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90017", @@ -8322,9 +9036,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Write access violation", "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90019", 
@@ -8339,9 +9054,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90016", @@ -8357,9 +9073,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", @@ -8375,9 +9092,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", 
@@ -8386,25 +9104,6 @@ "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" ] }, - { - "VulnerabilityID": "CVE-2016-6131", - "PkgName": "libstdc++", - "InstalledVersion": "4.8.5-36.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler", - "Description": "The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/06/30/4", - "http://www.openwall.com/lists/oss-security/2016/06/30/7", - "http://www.securityfocus.com/bid/91519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696", - "https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html" - ] - }, { "VulnerabilityID": "CVE-2018-20657", "PkgName": "libstdc++", 
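Review bot: The new expected output in this hunk drops CVE-2016-6131 for libstdc++ 4.8.5-36.el7 outright, and the later libxml2 hunk (`@@ -8616,147 +9313,6 @@`) likewise removes seven findings for libxml2 2.9.1-6.el7_2.3 (among them CVE-2016-4658 rated CRITICAL and CVE-2017-16931 / CVE-2017-7375 rated HIGH) with no replacement anywhere in the visible diff, unlike CVE-2018-20673, CVE-2019-3863 or CVE-2018-1000654, which only move position. Nothing in the fixture records why these detections vanish; presumably the updated trivy-db with the `redhat` severity source no longer lists them as affecting those RHEL builds, but a golden-file change that silently lowers the finding count is exactly where a detection regression would hide. Before accepting the new expectation it is worth confirming against the advisory source that these packages are genuinely not affected, and a sentence in the commit description naming the cause would spare the next reader the same check.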
@@ -8412,30 +9111,19 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20657.html", + "http://linux.oracle.com/errata/ELSA-2019-3352.html", "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", "https://support.f5.com/csp/article/K62602089" ] }, - { - "VulnerabilityID": "CVE-2018-20673", - "PkgName": "libstdc++", - "InstalledVersion": "4.8.5-36.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libiberty: Integer overflow in demangle_template() function", - "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106454", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" - ] - }, { "VulnerabilityID": "CVE-2019-14250", "PkgName": "libstdc++", 
@@ -8443,9 +9131,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "binutils: integer overflow in simple-object-elf.c leads to a heap-based buffer overflow", "Description": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109354", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924", @@ -8453,23 +9142,6 @@ "https://security.netapp.com/advisory/ntap-20190822-0002/" ] }, - { - "VulnerabilityID": "CVE-2018-1000654", - "PkgName": "libtasn1", - "InstalledVersion": "4.10-1.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion", - "Description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html", - "http://www.securityfocus.com/bid/105151", - "https://gitlab.com/gnutls/libtasn1/issues/4" - ] - }, { "VulnerabilityID": "CVE-2016-4008", "PkgName": "libtasn1", 
@@ -8477,6 +9149,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libtasn1: infinite loop while parsing DER certificates", "Description": "The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.", "Severity": "MEDIUM", @@ -8497,6 +9170,26 @@ "https://security.gentoo.org/glsa/201703-05" ] }, + { + "VulnerabilityID": "CVE-2018-6003", + "PkgName": "libtasn1", + "InstalledVersion": "4.10-1.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libtasn1: Stack exhaustion due to indefinite recursion during BER decoding", + "Description": "An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.", + "Severity": "MEDIUM", + "References": [ + "http://git.savannah.nongnu.org/cgit/libtasn1.git/commit/?id=c593ae84cfcde8fea45787e53950e0ac71e9ca97", + "https://bugzilla.redhat.com/show_bug.cgi?id=1535926", + "https://bugzilla.suse.com/show_bug.cgi?id=1076832", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003", + "https://gitlab.com/gnutls/libtasn1/commit/946565d8eb05fbf7970ea366e817581bb5a90910", + "https://www.debian.org/security/2018/dsa-4106" + ] + }, { "VulnerabilityID": "CVE-2017-10790", "PkgName": "libtasn1", 
@@ -8504,9 +9197,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libtasn1: NULL pointer dereference in the _asn1_check_identifier function", "Description": "The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464141", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790", @@ -8522,9 +9216,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libtasn1: Stack-based buffer overflow in asn1_find_node()", "Description": "Two errors in the \"asn1_find_node()\" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=5520704d075802df25ce4ffccc010ba1641bd484", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html", 
@@ -8538,22 +9233,21 @@ ] }, { - "VulnerabilityID": "CVE-2018-6003", + "VulnerabilityID": "CVE-2018-1000654", "PkgName": "libtasn1", "InstalledVersion": "4.10-1.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "libtasn1: Stack exhaustion due to indefinite recursion during BER decoding", - "Description": "An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion", + "Description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.", + "Severity": "LOW", "References": [ - "http://git.savannah.nongnu.org/cgit/libtasn1.git/commit/?id=c593ae84cfcde8fea45787e53950e0ac71e9ca97", - "https://bugzilla.redhat.com/show_bug.cgi?id=1535926", - "https://bugzilla.suse.com/show_bug.cgi?id=1076832", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003", - "https://gitlab.com/gnutls/libtasn1/commit/946565d8eb05fbf7970ea366e817581bb5a90910", - "https://www.debian.org/security/2018/dsa-4106" + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html", + "http://www.securityfocus.com/bid/105151", + "https://gitlab.com/gnutls/libtasn1/issues/4" ] }, { 
@@ -8563,9 +9257,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", @@ -8586,9 +9281,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -8603,6 +9299,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", 
@@ -8616,147 +9313,6 @@ "https://www.kernel.org/pub/linux/utils/util-linux/v2.27/v2.27-ReleaseNotes" ] }, - { - "VulnerabilityID": "CVE-2016-4658", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Use after free via namespace node in XPointer ranges", - "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.", - "Severity": "CRITICAL", - "References": [ - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html", - "http://www.securityfocus.com/bid/93054", - "http://www.securitytracker.com/id/1036858", - "http://www.securitytracker.com/id/1038623", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658", - "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b", - "https://github.com/sparklemotion/nokogiri/issues/1615", - "https://security.gentoo.org/glsa/201701-37", - "https://support.apple.com/HT207141", - "https://support.apple.com/HT207142", - "https://support.apple.com/HT207143", - "https://support.apple.com/HT207170" - ] - }, - { - "VulnerabilityID": "CVE-2017-16931", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Mishandling parameter-entity references", - "Description": "parser.c in 
libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.", - "Severity": "HIGH", - "References": [ - "http://xmlsoft.org/news.html", - "https://bugzilla.gnome.org/show_bug.cgi?id=766956", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931", - "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html" - ] - }, - { - "VulnerabilityID": "CVE-2017-7375", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Missing validation for external entities in xmlParsePEReference", - "Description": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). 
Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/98877", - "http://www.securitytracker.com/id/1038623", - "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa", - "https://bugzilla.redhat.com/show_bug.cgi?id=1462203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375", - "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e", - "https://security.gentoo.org/glsa/201711-01", - "https://source.android.com/security/bulletin/2017-06-01", - "https://www.debian.org/security/2017/dsa-3952" - ] - }, - { - "VulnerabilityID": "CVE-2015-8806", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: heap-buffer overread in dict.c", - "Description": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"\u003c!DOCTYPE html\" substring in a crafted HTML document.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/02/03/5", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/82071", - "http://www.ubuntu.com/usn/USN-2994-1", - "http://www.ubuntu.com/usn/usn-2994-1/", - "https://bugzilla.gnome.org/show_bug.cgi?id=749115", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806", - "https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028", - "https://github.com/sparklemotion/nokogiri/issues/1473", - 
"https://mail.gnome.org/archives/xml/2016-May/msg00023.html", - "https://security.gentoo.org/glsa/201701-37", - "https://www.debian.org/security/2016/dsa-3593" - ] - }, - { - "VulnerabilityID": "CVE-2016-2073", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: out-of-bounds read in htmlParseNameComplex()", - "Description": "The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/01/25/6", - "http://www.openwall.com/lists/oss-security/2016/01/26/7", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/85267", - "http://www.securitytracker.com/id/1035011", - "http://www.ubuntu.com/usn/USN-2994-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073", - "https://security.gentoo.org/glsa/201701-37", - "https://www.debian.org/security/2016/dsa-3593" - ] - }, - { - "VulnerabilityID": "CVE-2016-4483", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: out-of-bounds read", - "Description": "The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. 
NOTE: this vulnerability may be a duplicate of CVE-2016-3627.", - "Severity": "MEDIUM", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-2957.html", - "http://www.debian.org/security/2016/dsa-3593", - "http://www.openwall.com/lists/oss-security/2016/05/03/8", - "http://www.openwall.com/lists/oss-security/2016/05/04/7", - "http://www.openwall.com/lists/oss-security/2016/06/07/4", - "http://www.openwall.com/lists/oss-security/2016/06/07/5", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/90013", - "http://www.securitytracker.com/id/1036348", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483", - "https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd", - "https://security.gentoo.org/glsa/201701-37", - "https://www.tenable.com/security/tns-2016-18" - ] - }, { "VulnerabilityID": "CVE-2016-5131", "PkgName": "libxml2", @@ -8764,9 +9320,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "libxml2: use after free triggered by XPointer paths beginning with range-to", + "SeveritySource": "redhat", + "Title": "libxml2: Use after free triggered by XPointer paths beginning with range-to", "Description": "Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ "http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html", "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", 
@@ -8797,44 +9354,6 @@ "https://support.apple.com/HT207170" ] }, - { - "VulnerabilityID": "CVE-2016-9318", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: XML External Entity vulnerability", - "Description": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/94347", - "https://bugzilla.gnome.org/show_bug.cgi?id=772726", - "https://github.com/lsh123/xmlsec/issues/43", - "https://security.gentoo.org/glsa/201711-01", - "https://usn.ubuntu.com/3739-1/", - "https://usn.ubuntu.com/3739-2/" - ] - }, - { - "VulnerabilityID": "CVE-2017-0663", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Heap buffer overflow in xmlAddID", - "Description": "A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. 
Android ID: A-37104170.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.securityfocus.com/bid/98877", - "http://www.securitytracker.com/id/1038623", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663", - "https://security.gentoo.org/glsa/201711-01", - "https://source.android.com/security/bulletin/2017-06-01" - ] - }, { "VulnerabilityID": "CVE-2017-15412", "PkgName": "libxml2", @@ -8842,9 +9361,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "chromium-browser: use after free in libxml", + "SeveritySource": "redhat", + "Title": "libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c", "Description": "Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ "http://www.securitytracker.com/id/1040348", "https://access.redhat.com/errata/RHSA-2017:3401", 
@@ -8861,185 +9381,6 @@ "https://www.debian.org/security/2018/dsa-4086" ] }, - { - "VulnerabilityID": "CVE-2017-16932", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Infinite recursion in parameter entities", - "Description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.", - "Severity": "MEDIUM", - "References": [ - "http://xmlsoft.org/news.html", - "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html", - "https://bugzilla.gnome.org/show_bug.cgi?id=759579", - "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961", - "https://github.com/sparklemotion/nokogiri/issues/1714", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html", - "https://usn.ubuntu.com/3739-1/", - "https://usn.ubuntu.com/usn/usn-3504-1/" - ] - }, - { - "VulnerabilityID": "CVE-2017-18258", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: denial of service in xz_head function in xzlib.c", - "Description": "The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18258", - "https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", - 
"https://security.netapp.com/advisory/ntap-20190719-0001/", - "https://usn.ubuntu.com/3739-1/" - ] - }, - { - "VulnerabilityID": "CVE-2017-8872", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Out-of-bounds read in htmlParseTryOrFinish", - "Description": "The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.", - "Severity": "MEDIUM", - "References": [ - "https://bugzilla.gnome.org/show_bug.cgi?id=775200", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872" - ] - }, - { - "VulnerabilityID": "CVE-2017-9047", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Buffer overflow in function xmlSnprintfElementContent", - "Description": "A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content-\u003etype is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content-\u003eprefix is appended to buf (if it actually fits) whereupon (ii) content-\u003ename is written to the buffer. However, the check for whether the content-\u003ename actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. 
This vulnerability causes programs that use libxml2, such as PHP, to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2017-9048", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Stack-based buffer overflow in function xmlSnprintfElementContent", - "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 \u003c size. This vulnerability causes programs that use libxml2, such as PHP, to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98556", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2017-9049", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Heap-based buffer over-read in function xmlDictComputeFastKey", - "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. 
This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2017-9050", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Heap-based buffer over-read in function xmlDictAddString", - "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98568", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050", - "https://github.com/sparklemotion/nokogiri/issues/1673", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html", - "https://security.gentoo.org/glsa/201711-01", - 
"https://usn.ubuntu.com/usn/usn-3424-1/" - ] - }, - { - "VulnerabilityID": "CVE-2018-14404", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: NULL pointer dereference in xpath.c:xmlXPathCompOpEval() can allow attackers to cause a denial of service", - "Description": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817", - "https://bugzilla.redhat.com/show_bug.cgi?id=1595985", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404", - "https://github.com/sparklemotion/nokogiri/issues/1785", - "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", - "https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594", - "https://gitlab.gnome.org/GNOME/libxml2/issues/10", - "https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", - "https://usn.ubuntu.com/3739-1/", - "https://usn.ubuntu.com/3739-2/" - ] - }, - { - "VulnerabilityID": "CVE-2018-14567", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Infinite loop when --with-lzma is used allows for denial of service via crafted XML file", - "Description": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via 
a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105198", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567", - "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", - "https://usn.ubuntu.com/3739-1/" - ] - }, { "VulnerabilityID": "CVE-2015-8035", "PkgName": "libxml2", @@ -9047,9 +9388,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "libxml2: DoS when parsing specially crafted XML document if XZ support is enabled", + "SeveritySource": "redhat", + "Title": "libxml2: DoS caused by incorrect error detection during XZ decompression", "Description": "The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html", "http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html", 
@@ -9080,146 +9422,13 @@ ] }, { - "VulnerabilityID": "CVE-2017-5969", + "VulnerabilityID": "CVE-2016-4483", "PkgName": "libxml2", "InstalledVersion": "2.9.1-6.el7_2.3", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "libxml2: Null pointer dereference in xmlSaveDoc implementation", - "Description": "** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states \"I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser.\"", - "Severity": "LOW", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/11/05/3", - "http://www.openwall.com/lists/oss-security/2017/02/13/1", - "http://www.securityfocus.com/bid/96188", - "https://bugzilla.gnome.org/show_bug.cgi?id=778519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2016-4658", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Use after free via namespace node in XPointer ranges", - "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.", - "Severity": "CRITICAL", - "References": [ - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html", - 
"http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html", - "http://www.securityfocus.com/bid/93054", - "http://www.securitytracker.com/id/1036858", - "http://www.securitytracker.com/id/1038623", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658", - "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b", - "https://github.com/sparklemotion/nokogiri/issues/1615", - "https://security.gentoo.org/glsa/201701-37", - "https://support.apple.com/HT207141", - "https://support.apple.com/HT207142", - "https://support.apple.com/HT207143", - "https://support.apple.com/HT207170" - ] - }, - { - "VulnerabilityID": "CVE-2017-16931", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Mishandling parameter-entity references", - "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.", - "Severity": "HIGH", - "References": [ - "http://xmlsoft.org/news.html", - "https://bugzilla.gnome.org/show_bug.cgi?id=766956", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931", - "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html" - ] - }, - { - "VulnerabilityID": "CVE-2017-7375", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: Missing validation for external entities in xmlParsePEReference", - "Description": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the 
caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/98877", - "http://www.securitytracker.com/id/1038623", - "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa", - "https://bugzilla.redhat.com/show_bug.cgi?id=1462203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375", - "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e", - "https://security.gentoo.org/glsa/201711-01", - "https://source.android.com/security/bulletin/2017-06-01", - "https://www.debian.org/security/2017/dsa-3952" - ] - }, - { - "VulnerabilityID": "CVE-2015-8806", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: heap-buffer overread in dict.c", - "Description": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"\u003c!DOCTYPE html\" substring in a crafted HTML document.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/02/03/5", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/82071", - "http://www.ubuntu.com/usn/USN-2994-1", - "http://www.ubuntu.com/usn/usn-2994-1/", - "https://bugzilla.gnome.org/show_bug.cgi?id=749115", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806", - 
"https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028", - "https://github.com/sparklemotion/nokogiri/issues/1473", - "https://mail.gnome.org/archives/xml/2016-May/msg00023.html", - "https://security.gentoo.org/glsa/201701-37", - "https://www.debian.org/security/2016/dsa-3593" - ] - }, - { - "VulnerabilityID": "CVE-2016-2073", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "libxml2: out-of-bounds read in htmlParseNameComplex()", - "Description": "The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/01/25/6", - "http://www.openwall.com/lists/oss-security/2016/01/26/7", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/85267", - "http://www.securitytracker.com/id/1035011", - "http://www.ubuntu.com/usn/USN-2994-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073", - "https://security.gentoo.org/glsa/201701-37", - "https://www.debian.org/security/2016/dsa-3593" - ] - }, - { - "VulnerabilityID": "CVE-2016-4483", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, + "SeveritySource": "redhat", "Title": "libxml2: out-of-bounds read", "Description": "The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.", "Severity": "MEDIUM", 
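Review bot: The libxml2-python entry for CVE-2016-4658 deleted in this hunk carried `"Severity": "CRITICAL"` with no SeveritySource, while the libxml2 entry for the same CVE re-added in the next hunk carries `"SeveritySource": "redhat"` and `"Severity": "MEDIUM"`, so the golden file now pins a two-level downgrade of a use-after-free finding without anything in the fixture or the visible commit text saying the distro rating is meant to take precedence over NVD. The earlier hunks move CVE-2016-5131, CVE-2017-15412 and CVE-2015-8035 up one level under the same `"SeveritySource": "redhat"`, so the precedence change is not a uniform downgrade and is worth one sentence in the PR description stating that distro severity wins when present. Every libxml2-python finding is removed here and none is re-added within this chunk; if that package is still expected in the report its entries presumably sit past the end of the final hunk, which is cut off here, so the count of entries per PkgName should be checked against the old side before the fixture is accepted.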
@@ -9239,6 +9448,377 @@ "https://www.tenable.com/security/tns-2016-18" ] }, + { + "VulnerabilityID": "CVE-2016-4658", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Use after free via namespace node in XPointer ranges", + "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.", + "Severity": "MEDIUM", + "References": [ + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html", + "http://www.securityfocus.com/bid/93054", + "http://www.securitytracker.com/id/1036858", + "http://www.securitytracker.com/id/1038623", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658", + "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b", + "https://github.com/sparklemotion/nokogiri/issues/1615", + "https://security.gentoo.org/glsa/201701-37", + "https://support.apple.com/HT207141", + "https://support.apple.com/HT207142", + "https://support.apple.com/HT207143", + "https://support.apple.com/HT207170" + ] + }, + { + "VulnerabilityID": "CVE-2016-9318", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: XML External Entity vulnerability", + 
"Description": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/94347", + "https://bugzilla.gnome.org/show_bug.cgi?id=772726", + "https://github.com/lsh123/xmlsec/issues/43", + "https://security.gentoo.org/glsa/201711-01", + "https://usn.ubuntu.com/3739-1/", + "https://usn.ubuntu.com/3739-2/" + ] + }, + { + "VulnerabilityID": "CVE-2017-0663", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Heap buffer overflow in xmlAddID", + "Description": "A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. 
Android ID: A-37104170.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.debian.org/security/2017/dsa-3952",
+ "http://www.securityfocus.com/bid/98877",
+ "http://www.securitytracker.com/id/1038623",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663",
+ "https://security.gentoo.org/glsa/201711-01",
+ "https://source.android.com/security/bulletin/2017-06-01"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-16931",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Mishandling parameter-entity references",
+ "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://xmlsoft.org/news.html",
+ "https://bugzilla.gnome.org/show_bug.cgi?id=766956",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931",
+ "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3",
+ "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-16932",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Infinite recursion in parameter entities",
+ "Description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://xmlsoft.org/news.html",
+ "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html",
+ "https://bugzilla.gnome.org/show_bug.cgi?id=759579",
+ "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961",
+ "https://github.com/sparklemotion/nokogiri/issues/1714",
+ "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html",
+ "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html",
+ "https://usn.ubuntu.com/3739-1/",
+ "https://usn.ubuntu.com/usn/usn-3504-1/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-7375",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Missing validation for external entities in xmlParsePEReference",
+ "Description": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.securityfocus.com/bid/98877",
+ "http://www.securitytracker.com/id/1038623",
+ "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=1462203",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375",
+ "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e",
+ "https://security.gentoo.org/glsa/201711-01",
+ "https://source.android.com/security/bulletin/2017-06-01",
+ "https://www.debian.org/security/2017/dsa-3952"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-9047",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Buffer overflow in function xmlSnprintfElementContent",
+ "Description": "A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content-\u003etype is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content-\u003eprefix is appended to buf (if it actually fits) whereupon (ii) content-\u003ename is written to the buffer. However, the check for whether the content-\u003ename actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.debian.org/security/2017/dsa-3952",
+ "http://www.openwall.com/lists/oss-security/2017/05/15/1",
+ "http://www.securityfocus.com/bid/98599",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047",
+ "https://security.gentoo.org/glsa/201711-01"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-9049",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Heap-based buffer over-read in function xmlDictComputeFastKey",
+ "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.debian.org/security/2017/dsa-3952",
+ "http://www.openwall.com/lists/oss-security/2017/05/15/1",
+ "http://www.securityfocus.com/bid/98601",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049",
+ "https://security.gentoo.org/glsa/201711-01"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-9050",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Heap-based buffer over-read in function xmlDictAddString",
+ "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.debian.org/security/2017/dsa-3952",
+ "http://www.openwall.com/lists/oss-security/2017/05/15/1",
+ "http://www.securityfocus.com/bid/98568",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050",
+ "https://github.com/sparklemotion/nokogiri/issues/1673",
+ "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html",
+ "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html",
+ "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html",
+ "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html",
+ "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html",
+ "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html",
+ "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html",
+ "https://security.gentoo.org/glsa/201711-01",
+ "https://usn.ubuntu.com/usn/usn-3424-1/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2018-14404",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c",
+ "Description": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.",
+ "Severity": "MEDIUM",
+ "References": [
+ "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=1595985",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404",
+ "https://github.com/sparklemotion/nokogiri/issues/1785",
+ "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74",
+ "https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594",
+ "https://gitlab.gnome.org/GNOME/libxml2/issues/10",
+ "https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ",
+ "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html",
+ "https://usn.ubuntu.com/3739-1/",
+ "https://usn.ubuntu.com/3739-2/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-19956",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: There's a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c that could result in a crash",
+ "Description": "xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc-\u003eoldNs.",
+ "Severity": "MEDIUM",
+ "References": [
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19956",
+ "https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549",
+ "https://lists.debian.org/debian-lts-announce/2019/12/msg00032.html",
+ "https://security.netapp.com/advisory/ntap-20200114-0002/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-20388",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c",
+ "Description": "xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.",
+ "Severity": "MEDIUM",
+ "References": [
+ "https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2020-7595",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations",
+ "Description": "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.",
+ "Severity": "MEDIUM",
+ "References": [
+ "https://github.com/sparklemotion/nokogiri/issues/1992",
+ "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/",
+ "https://usn.ubuntu.com/4274-1/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-18258",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Unrestricted memory usage in xz_head() function in xzlib.c",
+ "Description": "The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.",
+ "Severity": "LOW",
+ "References": [
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18258",
+ "https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb",
+ "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284",
+ "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html",
+ "https://security.netapp.com/advisory/ntap-20190719-0001/",
+ "https://usn.ubuntu.com/3739-1/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-5969",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Null pointer dereference in xmlSaveDoc implementation",
+ "Description": "** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states \"I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser.\"",
+ "Severity": "LOW",
+ "References": [
+ "http://www.openwall.com/lists/oss-security/2016/11/05/3",
+ "http://www.openwall.com/lists/oss-security/2017/02/13/1",
+ "http://www.securityfocus.com/bid/96188",
+ "https://bugzilla.gnome.org/show_bug.cgi?id=778519",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969",
+ "https://security.gentoo.org/glsa/201711-01"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-8872",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Out-of-bounds read in htmlParseTryOrFinish",
+ "Description": "The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.",
+ "Severity": "LOW",
+ "References": [
+ "https://bugzilla.gnome.org/show_bug.cgi?id=775200",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-9048",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Stack-based buffer overflow in function xmlSnprintfElementContent",
+ "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 \u003c size. This vulnerability causes programs that use libxml2, such as PHP, to crash.",
+ "Severity": "LOW",
+ "References": [
+ "http://www.debian.org/security/2017/dsa-3952",
+ "http://www.openwall.com/lists/oss-security/2017/05/15/1",
+ "http://www.securityfocus.com/bid/98556",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048",
+ "https://security.gentoo.org/glsa/201711-01"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2018-14567",
+ "PkgName": "libxml2",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Infinite loop caused by incorrect error detection during LZMA decompression",
+ "Description": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.",
+ "Severity": "LOW",
+ "References": [
+ "http://www.securityfocus.com/bid/105198",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567",
+ "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74",
+ "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html",
+ "https://usn.ubuntu.com/3739-1/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2016-5131",
 "PkgName": "libxml2-python",
@@ -9246,9 +9826,10 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
- "Title": "libxml2: use after free triggered by XPointer paths beginning with range-to",
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Use after free triggered by XPointer paths beginning with range-to",
 "Description": "Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.",
- "Severity": "MEDIUM",
+ "Severity": "HIGH",
 "References": [
 "http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html",
 "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html",
@@ -9279,44 +9860,6 @@
 "https://support.apple.com/HT207170"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-9318",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: XML External Entity vulnerability",
- "Description": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.securityfocus.com/bid/94347",
- "https://bugzilla.gnome.org/show_bug.cgi?id=772726",
- "https://github.com/lsh123/xmlsec/issues/43",
- "https://security.gentoo.org/glsa/201711-01",
- "https://usn.ubuntu.com/3739-1/",
- "https://usn.ubuntu.com/3739-2/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-0663",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: Heap buffer overflow in xmlAddID",
- "Description": "A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.debian.org/security/2017/dsa-3952",
- "http://www.securityfocus.com/bid/98877",
- "http://www.securitytracker.com/id/1038623",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663",
- "https://security.gentoo.org/glsa/201711-01",
- "https://source.android.com/security/bulletin/2017-06-01"
- ]
- },
 {
 "VulnerabilityID": "CVE-2017-15412",
 "PkgName": "libxml2-python",
@@ -9324,9 +9867,10 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
- "Title": "chromium-browser: use after free in libxml",
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c",
 "Description": "Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
- "Severity": "MEDIUM",
+ "Severity": "HIGH",
 "References": [
 "http://www.securitytracker.com/id/1040348",
 "https://access.redhat.com/errata/RHSA-2017:3401",
@@ -9343,185 +9887,6 @@
 "https://www.debian.org/security/2018/dsa-4086"
 ]
 },
- {
- "VulnerabilityID": "CVE-2017-16932",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: Infinite recursion in parameter entities",
- "Description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.",
- "Severity": "MEDIUM",
- "References": [
- "http://xmlsoft.org/news.html",
- "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html",
- "https://bugzilla.gnome.org/show_bug.cgi?id=759579",
- "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961",
- "https://github.com/sparklemotion/nokogiri/issues/1714",
- "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html",
- "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html",
- "https://usn.ubuntu.com/3739-1/",
- "https://usn.ubuntu.com/usn/usn-3504-1/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-18258",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: denial of service in xz_head function in xzlib.c",
- "Description": "The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.",
- "Severity": "MEDIUM",
- "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18258",
- "https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb",
- "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284",
- "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html",
- "https://security.netapp.com/advisory/ntap-20190719-0001/",
- "https://usn.ubuntu.com/3739-1/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-8872",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: Out-of-bounds read in htmlParseTryOrFinish",
- "Description": "The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.",
- "Severity": "MEDIUM",
- "References": [
- "https://bugzilla.gnome.org/show_bug.cgi?id=775200",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-9047",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: Buffer overflow in function xmlSnprintfElementContent",
- "Description": "A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content-\u003etype is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content-\u003eprefix is appended to buf (if it actually fits) whereupon (ii) content-\u003ename is written to the buffer. However, the check for whether the content-\u003ename actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.debian.org/security/2017/dsa-3952",
- "http://www.openwall.com/lists/oss-security/2017/05/15/1",
- "http://www.securityfocus.com/bid/98599",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047",
- "https://security.gentoo.org/glsa/201711-01"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-9048",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: Stack-based buffer overflow in function xmlSnprintfElementContent",
- "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 \u003c size. This vulnerability causes programs that use libxml2, such as PHP, to crash.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.debian.org/security/2017/dsa-3952",
- "http://www.openwall.com/lists/oss-security/2017/05/15/1",
- "http://www.securityfocus.com/bid/98556",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048",
- "https://security.gentoo.org/glsa/201711-01"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-9049",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: Heap-based buffer over-read in function xmlDictComputeFastKey",
- "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.debian.org/security/2017/dsa-3952",
- "http://www.openwall.com/lists/oss-security/2017/05/15/1",
- "http://www.securityfocus.com/bid/98601",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049",
- "https://security.gentoo.org/glsa/201711-01"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-9050",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: Heap-based buffer over-read in function xmlDictAddString",
- "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.debian.org/security/2017/dsa-3952",
- "http://www.openwall.com/lists/oss-security/2017/05/15/1",
- "http://www.securityfocus.com/bid/98568",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050",
- "https://github.com/sparklemotion/nokogiri/issues/1673",
- "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html",
- "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html",
- "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html",
- "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html",
- "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html",
- "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html",
- "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html",
- "https://security.gentoo.org/glsa/201711-01",
- "https://usn.ubuntu.com/usn/usn-3424-1/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2018-14404",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: NULL pointer dereference in xpath.c:xmlXPathCompOpEval() can allow attackers to cause a denial of service",
- "Description": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.",
- "Severity": "MEDIUM",
- "References": [
- "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817",
- "https://bugzilla.redhat.com/show_bug.cgi?id=1595985",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404",
- "https://github.com/sparklemotion/nokogiri/issues/1785",
- "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74",
- "https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594",
- "https://gitlab.gnome.org/GNOME/libxml2/issues/10",
- "https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ",
- "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html",
- "https://usn.ubuntu.com/3739-1/",
- "https://usn.ubuntu.com/3739-2/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2018-14567",
- "PkgName": "libxml2-python",
- "InstalledVersion": "2.9.1-6.el7_2.3",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "libxml2: Infinite loop when --with-lzma is used allows for denial of service via crafted XML file",
- "Description": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.securityfocus.com/bid/105198",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567",
- "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74",
- "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html",
- "https://usn.ubuntu.com/3739-1/"
- ]
- },
 {
 "VulnerabilityID": "CVE-2015-8035",
 "PkgName": "libxml2-python",
@@ -9529,9 +9894,10 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
- "Title": "libxml2: DoS when parsing specially crafted XML document if XZ support is enabled",
+ "SeveritySource": "redhat",
+ "Title": "libxml2: DoS caused by incorrect error detection during XZ decompression",
 "Description": "The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.",
- "Severity": "LOW",
+ "Severity": "MEDIUM",
 "References": [
 "http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html",
 "http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html",
@@ -9561,6 +9927,330 @@
 "https://support.apple.com/HT206169"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2016-4483",
+ "PkgName": "libxml2-python",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: out-of-bounds read",
+ "Description": "The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://rhn.redhat.com/errata/RHSA-2016-2957.html",
+ "http://www.debian.org/security/2016/dsa-3593",
+ "http://www.openwall.com/lists/oss-security/2016/05/03/8",
+ "http://www.openwall.com/lists/oss-security/2016/05/04/7",
+ "http://www.openwall.com/lists/oss-security/2016/06/07/4",
+ "http://www.openwall.com/lists/oss-security/2016/06/07/5",
+ "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html",
+ "http://www.securityfocus.com/bid/90013",
+ "http://www.securitytracker.com/id/1036348",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483",
+ "https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd",
+ "https://security.gentoo.org/glsa/201701-37",
+ "https://www.tenable.com/security/tns-2016-18"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-4658",
+ "PkgName": "libxml2-python",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: Use after free via namespace node in XPointer ranges",
+ "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html",
+ "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html",
+ "http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html",
+ "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html",
+ "http://www.securityfocus.com/bid/93054",
+ "http://www.securitytracker.com/id/1036858",
+ "http://www.securitytracker.com/id/1038623",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658",
+ "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b",
+ "https://github.com/sparklemotion/nokogiri/issues/1615",
+ "https://security.gentoo.org/glsa/201701-37",
+ "https://support.apple.com/HT207141",
+ "https://support.apple.com/HT207142",
+ "https://support.apple.com/HT207143",
+ "https://support.apple.com/HT207170"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2016-9318",
+ "PkgName": "libxml2-python",
+ "InstalledVersion": "2.9.1-6.el7_2.3",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "libxml2: XML External Entity vulnerability",
+ "Description": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://www.securityfocus.com/bid/94347",
+ "https://bugzilla.gnome.org/show_bug.cgi?id=772726",
+ "https://github.com/lsh123/xmlsec/issues/43",
+ "https://security.gentoo.org/glsa/201711-01",
+ 
"https://usn.ubuntu.com/3739-1/", + "https://usn.ubuntu.com/3739-2/" + ] + }, + { + "VulnerabilityID": "CVE-2017-0663", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Heap buffer overflow in xmlAddID", + "Description": "A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.securityfocus.com/bid/98877", + "http://www.securitytracker.com/id/1038623", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663", + "https://security.gentoo.org/glsa/201711-01", + "https://source.android.com/security/bulletin/2017-06-01" + ] + }, + { + "VulnerabilityID": "CVE-2017-16931", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Mishandling parameter-entity references", + "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.", + "Severity": "MEDIUM", + "References": [ + "http://xmlsoft.org/news.html", + "https://bugzilla.gnome.org/show_bug.cgi?id=766956", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931", + "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3", + 
"https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html" + ] + }, + { + "VulnerabilityID": "CVE-2017-16932", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Infinite recursion in parameter entities", + "Description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.", + "Severity": "MEDIUM", + "References": [ + "http://xmlsoft.org/news.html", + "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html", + "https://bugzilla.gnome.org/show_bug.cgi?id=759579", + "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961", + "https://github.com/sparklemotion/nokogiri/issues/1714", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html", + "https://usn.ubuntu.com/3739-1/", + "https://usn.ubuntu.com/usn/usn-3504-1/" + ] + }, + { + "VulnerabilityID": "CVE-2017-7375", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Missing validation for external entities in xmlParsePEReference", + "Description": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). 
Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/98877", + "http://www.securitytracker.com/id/1038623", + "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa", + "https://bugzilla.redhat.com/show_bug.cgi?id=1462203", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375", + "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e", + "https://security.gentoo.org/glsa/201711-01", + "https://source.android.com/security/bulletin/2017-06-01", + "https://www.debian.org/security/2017/dsa-3952" + ] + }, + { + "VulnerabilityID": "CVE-2017-9047", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Buffer overflow in function xmlSnprintfElementContent", + "Description": "A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content-\u003etype is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content-\u003eprefix is appended to buf (if it actually fits) whereupon (ii) content-\u003ename is written to the buffer. However, the check for whether the content-\u003ename actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. 
This vulnerability causes programs that use libxml2, such as PHP, to crash.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98599", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047", + "https://security.gentoo.org/glsa/201711-01" + ] + }, + { + "VulnerabilityID": "CVE-2017-9049", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Heap-based buffer over-read in function xmlDictComputeFastKey", + "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98601", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049", + "https://security.gentoo.org/glsa/201711-01" + ] + }, + { + "VulnerabilityID": "CVE-2017-9050", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Heap-based buffer over-read in function xmlDictAddString", + "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. 
This vulnerability exists because of an incomplete fix for CVE-2016-1839.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98568", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050", + "https://github.com/sparklemotion/nokogiri/issues/1673", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html", + "https://security.gentoo.org/glsa/201711-01", + "https://usn.ubuntu.com/usn/usn-3424-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-14404", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c", + "Description": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. 
Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817", + "https://bugzilla.redhat.com/show_bug.cgi?id=1595985", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404", + "https://github.com/sparklemotion/nokogiri/issues/1785", + "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", + "https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594", + "https://gitlab.gnome.org/GNOME/libxml2/issues/10", + "https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", + "https://usn.ubuntu.com/3739-1/", + "https://usn.ubuntu.com/3739-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19956", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: There's a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c that could result in a crash", + "Description": "xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc-\u003eoldNs.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19956", + "https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549", + "https://lists.debian.org/debian-lts-announce/2019/12/msg00032.html", + "https://security.netapp.com/advisory/ntap-20200114-0002/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20388", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c", + "Description": "xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.", + "Severity": "MEDIUM", + "References": [ + "https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/" + ] + }, + { + "VulnerabilityID": "CVE-2020-7595", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations", + "Description": "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sparklemotion/nokogiri/issues/1992", + "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/", + "https://usn.ubuntu.com/4274-1/" + ] + }, + { + "VulnerabilityID": "CVE-2017-18258", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Unrestricted memory usage in xz_head() function in xzlib.c", + "Description": "The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.", + "Severity": "LOW", 
+ "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18258", + "https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", + "https://security.netapp.com/advisory/ntap-20190719-0001/", + "https://usn.ubuntu.com/3739-1/" + ] + }, { "VulnerabilityID": "CVE-2017-5969", "PkgName": "libxml2-python", @@ -9568,6 +10258,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "libxml2: Null pointer dereference in xmlSaveDoc implementation", "Description": "** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states \"I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser.\"", "Severity": "LOW", 
@@ -9580,6 +10271,60 @@ "https://security.gentoo.org/glsa/201711-01" ] }, + { + "VulnerabilityID": "CVE-2017-8872", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Out-of-bounds read in htmlParseTryOrFinish", + "Description": "The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.", + "Severity": "LOW", + "References": [ + "https://bugzilla.gnome.org/show_bug.cgi?id=775200", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872" + ] + }, + { + "VulnerabilityID": "CVE-2017-9048", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Stack-based buffer overflow in function xmlSnprintfElementContent", + "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 \u003c size. 
This vulnerability causes programs that use libxml2, such as PHP, to crash.", + "Severity": "LOW", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98556", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048", + "https://security.gentoo.org/glsa/201711-01" + ] + }, + { + "VulnerabilityID": "CVE-2018-14567", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Infinite loop caused by incorrect error detection during LZMA decompression", + "Description": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/105198", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567", + "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", + "https://usn.ubuntu.com/3739-1/" + ] + }, { "VulnerabilityID": "CVE-2014-5461", "PkgName": "lua", @@ -9587,6 +10332,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "lua: overflow flaw in vararg functions", "Description": "Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.", "Severity": "MEDIUM", 
@@ -9608,6 +10354,32 @@ "https://security.gentoo.org/glsa/201701-53" ] }, + { + "VulnerabilityID": "CVE-2019-17543", + "PkgName": "lz4", + "InstalledVersion": "1.7.5-2.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "lz4: heap-based buffer overflow in LZ4_write32", + "Description": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html", + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941", + "https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2", + "https://github.com/lz4/lz4/issues/801", + "https://github.com/lz4/lz4/pull/756", + "https://github.com/lz4/lz4/pull/760", + "https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E" + ] + }, { "VulnerabilityID": "CVE-2017-10684", "PkgName": "ncurses", 
@@ -9615,9 +10387,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", 
@@ -9631,15 +10404,54 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", "https://security.gentoo.org/glsa/201804-13" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer 
over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2017-11112", "PkgName": "ncurses", @@ -9647,9 +10459,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -9663,9 +10476,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", 
@@ -9679,9 +10493,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -9695,9 +10510,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -9711,9 +10527,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", 
@@ -9727,9 +10544,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -9743,9 +10561,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -9759,9 +10578,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", 
@@ -9775,9 +10595,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -9791,9 +10612,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -9802,6 +10624,21 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2018-10754", + "PkgName": "ncurses", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "ncurses", @@ -9809,9 +10646,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -9824,28 +10662,15 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_name_match", "Description": "** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643753", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217" ] }, - { - "VulnerabilityID": "CVE-2018-10754", - "PkgName": "ncurses", - "InstalledVersion": "5.9-14.20130511.el7_4", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "LOW", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" - ] - }, { "VulnerabilityID": "CVE-2017-10684", "PkgName": "ncurses-base", 
@@ -9853,9 +10678,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", 
@@ -9869,15 +10695,54 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", "https://security.gentoo.org/glsa/201804-13" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-base", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses-base", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a 
heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2017-11112", "PkgName": "ncurses-base", @@ -9885,9 +10750,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -9901,9 +10767,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", 
@@ -9917,9 +10784,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -9933,9 +10801,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -9949,9 +10818,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", 
@@ -9965,9 +10835,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -9981,9 +10852,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -9997,9 +10869,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", 
@@ -10013,9 +10886,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -10029,9 +10903,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -10040,6 +10915,21 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2018-10754", + "PkgName": "ncurses-base", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "ncurses-base", @@ -10047,9 +10937,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -10062,28 +10953,15 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_name_match", "Description": "** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643753", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217" ] }, - { - "VulnerabilityID": "CVE-2018-10754", - "PkgName": "ncurses-base", - "InstalledVersion": "5.9-14.20130511.el7_4", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "LOW", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" - ] - }, { "VulnerabilityID": "CVE-2017-10684", "PkgName": "ncurses-libs", 
@@ -10091,9 +10969,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", 
@@ -10107,15 +10986,54 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", "https://security.gentoo.org/glsa/201804-13" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-libs", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses-libs", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a 
heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2017-11112", "PkgName": "ncurses-libs", @@ -10123,9 +11041,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -10139,9 +11058,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", 
@@ -10155,9 +11075,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -10171,9 +11092,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -10187,9 +11109,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", 
@@ -10203,9 +11126,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -10219,9 +11143,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -10235,9 +11160,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", 
@@ -10251,9 +11177,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -10267,9 +11194,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -10278,6 +11206,21 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2018-10754", + "PkgName": "ncurses-libs", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "ncurses-libs", @@ -10285,9 +11228,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -10300,28 +11244,15 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_name_match", "Description": "** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643753", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217" ] }, - { - "VulnerabilityID": "CVE-2018-10754", - "PkgName": "ncurses-libs", - "InstalledVersion": "5.9-14.20130511.el7_4", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "LOW", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" - ] - }, { "VulnerabilityID": "CVE-2016-1951", "PkgName": "nspr", 
@@ -10329,9 +11260,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nspr: Memory allocation issue related to PR_*printf functions", "Description": "Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable Runtime (NSPR) before 4.12 allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long string to a PR_*printf function.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.securityfocus.com/bid/92385", "http://www.securitytracker.com/id/1036590", @@ -10343,24 +11275,6 @@ "https://hg.mozilla.org/projects/nspr/rev/96381e3aaae2" ] }, - { - "VulnerabilityID": "CVE-2018-12404", - "PkgName": "nspr", - "InstalledVersion": "4.19.0-1.el7_5", - "FixedVersion": "4.21.0-1.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", - "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", - "http://www.securityfocus.com/bid/107260", - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" - ] - }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nspr", 
@@ -10369,10 +11283,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -10395,6 +11312,55 @@ "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nspr", + "InstalledVersion": "4.19.0-1.el7_5", + "FixedVersion": "4.21.0-1.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2015-2808", "PkgName": "nss", @@ -10402,6 +11368,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", 
@@ -10409,6 +11376,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", @@ -10517,11 +11486,14 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)", "Description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", "Severity": "MEDIUM", "References": [ "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759", + "http://linux.oracle.com/cve/CVE-2016-2183.html", + "http://linux.oracle.com/errata/ELSA-2018-2123.html", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "http://rhn.redhat.com/errata/RHSA-2017-0337.html", 
@@ -10554,6 +11526,7 @@ "https://access.redhat.com/errata/RHSA-2017:3240", "https://access.redhat.com/errata/RHSA-2018:2123", "https://access.redhat.com/errata/RHSA-2019:1245", + "https://access.redhat.com/errata/RHSA-2019:2859", "https://access.redhat.com/security/cve/cve-2016-2183", "https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/", "https://bto.bluecoat.com/security-advisory/sa133", @@ -10586,6 +11559,7 @@ "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008", "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.sigsac.org/ccs/CCS2016/accepted-papers/", "https://www.tenable.com/security/tns-2016-16", "https://www.tenable.com/security/tns-2016-20", @@ -10601,6 +11575,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Insufficient timing side-channel resistance in divSpoiler", "Description": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50.", "Severity": "MEDIUM", @@ -10625,6 +11600,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA", "Description": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.", "Severity": "MEDIUM", 
@@ -10634,39 +11610,6 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9574" ] }, - { - "VulnerabilityID": "CVE-2018-12404", - "PkgName": "nss", - "InstalledVersion": "3.36.0-7.1.el7_6", - "FixedVersion": "3.44.0-4.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", - "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", - "http://www.securityfocus.com/bid/107260", - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" - ] - }, - { - "VulnerabilityID": "CVE-2018-18508", - "PkgName": "nss", - "InstalledVersion": "3.36.0-7.1.el7_6", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", - "Description": "No description is available for this CVE.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" - ] - }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss", 
@@ -10675,10 +11618,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -10701,6 +11647,196 @@ "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2018-18508", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18508.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2019-11719", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + 
"DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds read when importing curve25519 private key", + "Description": "When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11719.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1540541", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11756", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: UAF in sftk_FreeSession due to improper refcounting", + "Description": "Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). 
This vulnerability affects Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes", + "https://www.mozilla.org/security/advisories/mfsa2019-36/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17006", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Check length of inputs for cryptographic primitives", + "Description": "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17006", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2019-11727", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: PKCS#1 v1.5 signatures can be used for TLS 1.3", + "Description": "A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox \u003c 68.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11727.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1552208", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727", + "https://www.mozilla.org/security/advisories/mfsa2019-21/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17023", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state", + "Description": "After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. 
This vulnerability affects Firefox \u003c 72.", + "Severity": "LOW", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1590001", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes", + "https://usn.ubuntu.com/4234-1/", + "https://www.mozilla.org/security/advisories/mfsa2020-01/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-8.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2015-2613", "PkgName": "nss-softokn", @@ -10708,6 +11844,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "NSS / JCE: missing EC parameter validation in ECDH_Derive() (OpenJDK JCE, 8075833)", "Description": "Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE.", "Severity": "MEDIUM", 
@@ -10735,6 +11872,109 @@ "https://security.gentoo.org/glsa/201603-14" ] }, + { + "VulnerabilityID": "CVE-2017-7781", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.el7_5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", + "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/100383", + "http://www.securitytracker.com/id/1039124", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", + "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", + "https://www.mozilla.org/security/advisories/mfsa2017-18/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-5.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-5.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-8.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, { "VulnerabilityID": "CVE-2016-1938", "PkgName": "nss-softokn", @@ -10742,9 +11982,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "Mozilla NSS: Errors in mp_div and mp_exptmod cryptographic functions", "Description": "The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html", "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html", 
@@ -10773,73 +12014,31 @@ ] }, { - "VulnerabilityID": "CVE-2017-7781", - "PkgName": "nss-softokn", + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn-freebl", "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-8.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", - "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securityfocus.com/bid/100383", - "http://www.securitytracker.com/id/1039124", - "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", - "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", - "https://www.mozilla.org/security/advisories/mfsa2017-18/" - ] - }, - { - "VulnerabilityID": "CVE-2018-12404", - "PkgName": "nss-softokn", - "InstalledVersion": "3.36.0-5.el7_5", - "FixedVersion": "3.44.0-5.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", - "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", - "http://www.securityfocus.com/bid/107260", - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" - ] - }, - { - "VulnerabilityID": "CVE-2018-0495", - "PkgName": "nss-softokn", - "InstalledVersion": "3.36.0-5.el7_5", - "FixedVersion": "3.44.0-5.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", - "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { @@ -10849,6 +12048,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "NSS / JCE: missing EC parameter validation in ECDH_Derive() (OpenJDK JCE, 8075833)", "Description": "Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE.", "Severity": "MEDIUM", 
@@ -10876,6 +12076,109 @@ "https://security.gentoo.org/glsa/201603-14" ] }, + { + "VulnerabilityID": "CVE-2017-7781", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.el7_5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", + "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/100383", + "http://www.securitytracker.com/id/1039124", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", + "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", + "https://www.mozilla.org/security/advisories/mfsa2017-18/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-5.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. 
To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-5.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. 
This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.el7_5", + "FixedVersion": "3.44.0-8.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, { "VulnerabilityID": "CVE-2016-1938", "PkgName": "nss-softokn-freebl", @@ -10883,9 +12186,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "Mozilla NSS: Errors in mp_div and mp_exptmod cryptographic functions", "Description": "The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html", "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html", 
@@ -10914,73 +12218,31 @@ ] }, { - "VulnerabilityID": "CVE-2017-7781", - "PkgName": "nss-softokn-freebl", - "InstalledVersion": "3.36.0-5.el7_5", + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", - "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securityfocus.com/bid/100383", - "http://www.securitytracker.com/id/1039124", - "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", - "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", - "https://www.mozilla.org/security/advisories/mfsa2017-18/" - ] - }, - { - "VulnerabilityID": "CVE-2018-12404", - "PkgName": "nss-softokn-freebl", - "InstalledVersion": "3.36.0-5.el7_5", - "FixedVersion": "3.44.0-5.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", - "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", - "http://www.securityfocus.com/bid/107260", - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" - ] - }, - { - "VulnerabilityID": "CVE-2018-0495", - "PkgName": "nss-softokn-freebl", - "InstalledVersion": "3.36.0-5.el7_5", - "FixedVersion": "3.44.0-5.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or 
ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", - "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { @@ -10990,6 +12252,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", @@ -10997,6 +12260,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -11105,11 +12370,14 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)", "Description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", "Severity": "MEDIUM", "References": [ "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759", + "http://linux.oracle.com/cve/CVE-2016-2183.html", + "http://linux.oracle.com/errata/ELSA-2018-2123.html", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "http://rhn.redhat.com/errata/RHSA-2017-0337.html", @@ -11142,6 +12410,7 @@ "https://access.redhat.com/errata/RHSA-2017:3240", "https://access.redhat.com/errata/RHSA-2018:2123", "https://access.redhat.com/errata/RHSA-2019:1245", + "https://access.redhat.com/errata/RHSA-2019:2859", "https://access.redhat.com/security/cve/cve-2016-2183", "https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/", "https://bto.bluecoat.com/security-advisory/sa133", 
@@ -11174,6 +12443,7 @@ "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008", "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.sigsac.org/ccs/CCS2016/accepted-papers/", "https://www.tenable.com/security/tns-2016-16", "https://www.tenable.com/security/tns-2016-20", @@ -11189,6 +12459,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Insufficient timing side-channel resistance in divSpoiler", "Description": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50.", "Severity": "MEDIUM", @@ -11213,6 +12484,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA", "Description": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.", "Severity": "MEDIUM", 
@@ -11222,39 +12494,6 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9574" ] }, - { - "VulnerabilityID": "CVE-2018-12404", - "PkgName": "nss-sysinit", - "InstalledVersion": "3.36.0-7.1.el7_6", - "FixedVersion": "3.44.0-4.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", - "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", - "http://www.securityfocus.com/bid/107260", - "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" - ] - }, - { - "VulnerabilityID": "CVE-2018-18508", - "PkgName": "nss-sysinit", - "InstalledVersion": "3.36.0-7.1.el7_6", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", - "Description": "No description is available for this CVE.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", - "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" - ] - }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss-sysinit", 
@@ -11263,10 +12502,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -11289,6 +12531,196 @@ "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, + { + "VulnerabilityID": "CVE-2018-12404", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", + "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", + "http://www.securityfocus.com/bid/107260", + "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" + ] + }, + { + "VulnerabilityID": "CVE-2018-18508", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-18508.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2019-11719", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", 
+ "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds read when importing curve25519 private key", + "Description": "When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11719.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1540541", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11756", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: UAF in sftk_FreeSession due to improper refcounting", + "Description": "Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). 
This vulnerability affects Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes", + "https://www.mozilla.org/security/advisories/mfsa2019-36/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17006", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Check length of inputs for cryptographic primitives", + "Description": "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17006", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2019-11727", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: PKCS#1 v1.5 signatures can be used for TLS 1.3", + "Description": "A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox \u003c 68.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11727.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1552208", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727", + "https://www.mozilla.org/security/advisories/mfsa2019-21/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17023", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state", + "Description": "After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. 
This vulnerability affects Firefox \u003c 72.", + "Severity": "LOW", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1590001", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes", + "https://usn.ubuntu.com/4234-1/", + "https://www.mozilla.org/security/advisories/mfsa2020-01/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2015-2808", "PkgName": "nss-tools", @@ -11296,6 +12728,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", @@ -11303,6 +12736,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -11411,11 +12846,14 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)", "Description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", "Severity": "MEDIUM", "References": [ "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759", + "http://linux.oracle.com/cve/CVE-2016-2183.html", + "http://linux.oracle.com/errata/ELSA-2018-2123.html", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "http://rhn.redhat.com/errata/RHSA-2017-0337.html", @@ -11448,6 +12886,7 @@ "https://access.redhat.com/errata/RHSA-2017:3240", "https://access.redhat.com/errata/RHSA-2018:2123", "https://access.redhat.com/errata/RHSA-2019:1245", + "https://access.redhat.com/errata/RHSA-2019:2859", "https://access.redhat.com/security/cve/cve-2016-2183", "https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/", "https://bto.bluecoat.com/security-advisory/sa133", 
@@ -11480,6 +12919,7 @@ "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008", "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.sigsac.org/ccs/CCS2016/accepted-papers/", "https://www.tenable.com/security/tns-2016-16", "https://www.tenable.com/security/tns-2016-20", @@ -11495,6 +12935,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Insufficient timing side-channel resistance in divSpoiler", "Description": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50.", "Severity": "MEDIUM", @@ -11519,6 +12960,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA", "Description": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.", "Severity": "MEDIUM", 
@@ -11528,6 +12970,43 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9574" ] }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", + "http://www.securitytracker.com/id/1041144", + "http://www.securitytracker.com/id/1041147", + "https://access.redhat.com/errata/RHSA-2018:3221", + "https://access.redhat.com/errata/RHSA-2018:3505", + "https://access.redhat.com/errata/RHSA-2019:1296", + "https://access.redhat.com/errata/RHSA-2019:1297", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", + "https://dev.gnupg.org/T4011", + "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", + "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", + "https://usn.ubuntu.com/3689-1/", + "https://usn.ubuntu.com/3689-2/", + "https://usn.ubuntu.com/3692-1/", + "https://usn.ubuntu.com/3692-2/", + "https://usn.ubuntu.com/3850-1/", + "https://usn.ubuntu.com/3850-2/", + "https://www.debian.org/security/2018/dsa-4231", + 
"https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, { "VulnerabilityID": "CVE-2018-12404", "PkgName": "nss-tools", @@ -11536,10 +13015,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -11553,26 +13035,183 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", "Description": "No description is available for this CVE.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18508.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11719", "PkgName": "nss-tools", "InstalledVersion": "3.36.0-7.1.el7_6", - "FixedVersion": "3.44.0-4.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds read when importing curve25519 private key", + "Description": "When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11719.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1540541", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11756", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: UAF in sftk_FreeSession due to improper refcounting", + "Description": "Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). 
This vulnerability affects Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes", + "https://www.mozilla.org/security/advisories/mfsa2019-36/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17006", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Check length of inputs for cryptographic primitives", + "Description": "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17006", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2019-11727", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: PKCS#1 v1.5 signatures can be used for TLS 1.3", + "Description": "A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox \u003c 68.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-11727.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1552208", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727", + "https://www.mozilla.org/security/advisories/mfsa2019-21/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17023", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state", + "Description": "After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. 
This vulnerability affects Firefox \u003c 72.", + "Severity": "LOW", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1590001", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes", + "https://usn.ubuntu.com/4234-1/", + "https://www.mozilla.org/security/advisories/mfsa2020-01/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-util", + "InstalledVersion": "3.36.0-1.1.el7_6", + "FixedVersion": "3.44.0-4.el7_7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2018-0495", + "PkgName": "nss-util", + "InstalledVersion": "3.36.0-1.1.el7_6", + "FixedVersion": "3.44.0-3.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", + "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -11603,10 +13242,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -11614,61 +13256,52 @@ ] }, { - "VulnerabilityID": "CVE-2018-0495", + "VulnerabilityID": "CVE-2019-11729", "PkgName": "nss-util", "InstalledVersion": "3.36.0-1.1.el7_6", - "FixedVersion": "3.44.0-3.el7", + "FixedVersion": "3.44.0-4.el7_7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", - "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", - "Severity": "LOW", + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", "References": [ - "http://www.securitytracker.com/id/1041144", - "http://www.securitytracker.com/id/1041147", - "https://access.redhat.com/errata/RHSA-2018:3221", - "https://access.redhat.com/errata/RHSA-2018:3505", - "https://access.redhat.com/errata/RHSA-2019:1296", - "https://access.redhat.com/errata/RHSA-2019:1297", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495", - "https://dev.gnupg.org/T4011", - "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965", - "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html", - "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html", - "https://usn.ubuntu.com/3689-1/", - "https://usn.ubuntu.com/3689-2/", - "https://usn.ubuntu.com/3692-1/", - "https://usn.ubuntu.com/3692-2/", - "https://usn.ubuntu.com/3850-1/", - "https://usn.ubuntu.com/3850-2/", - "https://www.debian.org/security/2018/dsa-4231", - "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" ] }, { - 
"VulnerabilityID": "CVE-2015-1546", + "VulnerabilityID": "CVE-2019-13057", "PkgName": "openldap", "InstalledVersion": "2.4.44-21.el7_6", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "openldap: slapd crash in valueReturnFilter cleanup", - "Description": "Double free vulnerability in the get_vrFilter function in servers/slapd/filter.c in OpenLDAP 2.4.40 allows remote attackers to cause a denial of service (crash) via a crafted search query with a matched values control.", + "SeveritySource": "redhat", + "Title": "openldap: Information disclosure issue in slapd component", + "Description": "An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. 
(It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)", "Severity": "MEDIUM", "References": [ - "http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html", - "http://lists.opensuse.org/opensuse-updates/2015-07/msg00069.html", - "http://secunia.com/advisories/62787", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:073", - "http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a", - "http://www.openldap.org/its/?findid=8046", - "http://www.openwall.com/lists/oss-security/2015/02/07/3", - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/100938", - "https://support.apple.com/HT204659" + "http://www.openldap.org/lists/openldap-announce/201907/msg00001.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13057", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html", + "https://openldap.org/its/?findid=9038", + "https://security.netapp.com/advisory/ntap-20190822-0004/", + "https://usn.ubuntu.com/4078-1/", + "https://usn.ubuntu.com/4078-2/", + "https://www.openldap.org/its/?findid=9038", + "https://www.openldap.org/lists/openldap-announce/201907/msg00001.html" ] }, { 
@@ -11678,6 +13311,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "openldap: ACL restrictions bypass due to sasl_ssf value being set permanently", "Description": "An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.", "Severity": "MEDIUM", @@ -11701,6 +13335,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "openldap-servers: /usr/libexec/openldap/generate-server-cert.sh create world readable password file", "Description": "/usr/libexec/openldap/generate-server-cert.sh in openldap-servers sets weak permissions for the TLS certificate, which allows local users to obtain the TLS certificate by leveraging a race condition between the creation of the certificate, and the chmod to protect it.", "Severity": "LOW", 
@@ -11708,42 +13343,6 @@ "https://bugzilla.redhat.com/show_bug.cgi?id=1346120" ] }, - { - "VulnerabilityID": "CVE-2017-14159", - "PkgName": "openldap", - "InstalledVersion": "2.4.44-21.el7_6", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "openldap: Privilege escalation via PID file manipulation", - "Description": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.", - "Severity": "LOW", - "References": [ - "http://www.openldap.org/its/index.cgi?findid=8703" - ] - }, - { - "VulnerabilityID": "CVE-2019-13057", - "PkgName": "openldap", - "InstalledVersion": "2.4.44-21.el7_6", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "openldap: Information disclosure issue in slapd component", - "Description": "An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. 
(It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)", - "Severity": "LOW", - "References": [ - "http://www.openldap.org/lists/openldap-announce/201907/msg00001.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13057", - "https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html", - "https://openldap.org/its/?findid=9038", - "https://security.netapp.com/advisory/ntap-20190822-0004/", - "https://usn.ubuntu.com/4078-1/", - "https://usn.ubuntu.com/4078-2/", - "https://www.openldap.org/its/?findid=9038", - "https://www.openldap.org/lists/openldap-announce/201907/msg00001.html" - ] - }, { "VulnerabilityID": "CVE-2015-2808", "PkgName": "openssl-libs", @@ -11751,6 +13350,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", 
@@ -11758,6 +13358,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -11859,122 +13461,6 @@ "https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf" ] }, - { - "VulnerabilityID": "CVE-2018-0734", - "PkgName": "openssl-libs", - "InstalledVersion": "1:1.0.2k-16.el7", - "FixedVersion": "1:1.0.2k-19.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "openssl: timing side channel attack in the DSA signature algorithm", - "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html", - "http://www.securityfocus.com/bid/105758", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7", - "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", - "https://security.netapp.com/advisory/ntap-20181105-0002/", - "https://security.netapp.com/advisory/ntap-20190118-0002/", - "https://security.netapp.com/advisory/ntap-20190423-0002/", - "https://usn.ubuntu.com/3840-1/", - "https://www.debian.org/security/2018/dsa-4348", - "https://www.debian.org/security/2018/dsa-4355", - "https://www.openssl.org/news/secadv/20181030.txt", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - 
"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "https://www.tenable.com/security/tns-2018-16", - "https://www.tenable.com/security/tns-2018-17" - ] - }, - { - "VulnerabilityID": "CVE-2018-0735", - "PkgName": "openssl-libs", - "InstalledVersion": "1:1.0.2k-16.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "openssl: timing side channel attack in the ECDSA signature generation", - "Description": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105750", - "http://www.securitytracker.com/id/1041986", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0735", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4", - "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html", - "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", - "https://security.netapp.com/advisory/ntap-20181105-0002/", - "https://usn.ubuntu.com/3840-1/", - "https://www.debian.org/security/2018/dsa-4348", - "https://www.openssl.org/news/secadv/20181029.txt", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" - ] - }, - { - "VulnerabilityID": "CVE-2019-1559", - "PkgName": "openssl-libs", - "InstalledVersion": "1:1.0.2k-16.el7", - "FixedVersion": "1:1.0.2k-19.el7", - "Layer": { - "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "openssl: 0-byte record padding oracle", - "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html", - "http://www.securityfocus.com/bid/107174", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e", - "https://github.com/RUB-NDS/TLS-Padding-Oracles", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282", - "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html", - "https://security.gentoo.org/glsa/201903-10", - "https://security.netapp.com/advisory/ntap-20190301-0001/", - 
"https://security.netapp.com/advisory/ntap-20190301-0002/", - "https://security.netapp.com/advisory/ntap-20190423-0002/", - "https://support.f5.com/csp/article/K18549143", - "https://usn.ubuntu.com/3899-1/", - "https://www.debian.org/security/2019/dsa-4400", - "https://www.openssl.org/news/secadv/20190226.txt", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "https://www.tenable.com/security/tns-2019-02", - "https://www.tenable.com/security/tns-2019-03" - ] - }, - { - "VulnerabilityID": "CVE-2019-1563", - "PkgName": "openssl-libs", - "InstalledVersion": "1:1.0.2k-16.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", - "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - "Severity": "MEDIUM", - "References": [ - "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", - "https://seclists.org/bugtraq/2019/Sep/25", - "https://security.netapp.com/advisory/ntap-20190919-0002/", - "https://www.openssl.org/news/secadv/20190910.txt" - ] - }, { "VulnerabilityID": "CVE-2018-5407", "PkgName": "openssl-libs", @@ -11983,10 +13469,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)", "Description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-5407.html", + "http://linux.oracle.com/errata/ELSA-2019-2125.html", "http://www.securityfocus.com/bid/105897", "https://access.redhat.com/errata/RHSA-2019:0483", "https://access.redhat.com/errata/RHSA-2019:0651", 
@@ -12017,9 +13506,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "openssl: side-channel weak encryption vulnerability", "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", "https://arxiv.org/abs/1909.01785", 
@@ -12032,6 +13522,158 @@ "https://www.openssl.org/news/secadv/20190910.txt" ] }, + { + "VulnerabilityID": "CVE-2019-1559", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-16.el7", + "FixedVersion": "1:1.0.2k-19.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "openssl: 0-byte record padding oracle", + "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). 
Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-1559.html", + "http://linux.oracle.com/errata/ELSA-2019-2471.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html", + "http://www.securityfocus.com/bid/107174", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e", + "https://github.com/RUB-NDS/TLS-Padding-Oracles", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html", + "https://security.gentoo.org/glsa/201903-10", + "https://security.netapp.com/advisory/ntap-20190301-0001/", + "https://security.netapp.com/advisory/ntap-20190301-0002/", + "https://security.netapp.com/advisory/ntap-20190423-0002/", + "https://support.f5.com/csp/article/K18549143", + "https://usn.ubuntu.com/3899-1/", + "https://www.debian.org/security/2019/dsa-4400", + "https://www.openssl.org/news/secadv/20190226.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.tenable.com/security/tns-2019-02", + "https://www.tenable.com/security/tns-2019-03" + ] + }, + { + "VulnerabilityID": "CVE-2018-0734", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-16.el7", + "FixedVersion": "1:1.0.2k-19.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "openssl: timing side channel attack in the DSA signature algorithm", + 
"Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0734.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html", + "http://www.securityfocus.com/bid/105758", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7", + "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", + "https://security.netapp.com/advisory/ntap-20181105-0002/", + "https://security.netapp.com/advisory/ntap-20190118-0002/", + "https://security.netapp.com/advisory/ntap-20190423-0002/", + "https://usn.ubuntu.com/3840-1/", + "https://www.debian.org/security/2018/dsa-4348", + "https://www.debian.org/security/2018/dsa-4355", + "https://www.openssl.org/news/secadv/20181030.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "https://www.tenable.com/security/tns-2018-16", + "https://www.tenable.com/security/tns-2018-17" + ] + }, + { + "VulnerabilityID": "CVE-2018-0735", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-16.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "openssl: 
timing side channel attack in the ECDSA signature generation", + "Description": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0735.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", + "http://www.securityfocus.com/bid/105750", + "http://www.securitytracker.com/id/1041986", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0735", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4", + "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html", + "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", + "https://security.netapp.com/advisory/ntap-20181105-0002/", + "https://usn.ubuntu.com/3840-1/", + "https://www.debian.org/security/2018/dsa-4348", + "https://www.openssl.org/news/secadv/20181029.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-1551", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-16.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. 
Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" + ] + }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-16.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported 
encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, { "VulnerabilityID": "CVE-2015-8380", "PkgName": "pcre", 
@@ -12039,9 +13681,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: OOB write when pcre_exec() is called with ovecsize of 1 (8.38/10)", "Description": "The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \\01 string, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173700.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", @@ -12061,9 +13704,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: Integer overflow in subroutine calls (8.38/8)", "Description": "PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -12082,9 +13726,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: uninitialized memory read triggered by malformed posix character class (8.38/22)", "Description": "PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -12096,65 +13741,6 @@ "https://security.gentoo.org/glsa/201607-02" ] }, - { - "VulnerabilityID": "CVE-2015-8394", - "PkgName": "pcre", - "InstalledVersion": "8.32-17.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", - "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2017-11164", - "PkgName": "pcre", - "InstalledVersion": "8.32-17.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", - "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "Severity": "HIGH", - "References": [ - "http://openwall.com/lists/oss-security/2017/07/11/3", - "http://www.securityfocus.com/bid/99575" - ] - }, - { - "VulnerabilityID": "CVE-2015-8382", - "PkgName": "pcre", - "InstalledVersion": "8.32-17.el7", 
- "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "php: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)", - "Description": "The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.", - "Severity": "MEDIUM", - "References": [ - "http://git.php.net/?p=php-src.git;a=commit;h=c351b47ce85a3a147cfa801fa9f0149ab4160834", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502\u0026r2=1510", - "http://www.openwall.com/lists/oss-security/2015/08/04/3", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/76157", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://bugs.exim.org/show_bug.cgi?id=1537", - "https://bugzilla.redhat.com/show_bug.cgi?id=1187225", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8382" - ] - }, { "VulnerabilityID": "CVE-2015-8393", "PkgName": "pcre", @@ -12162,6 +13748,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: pcregrep -q is not always quiet (8.38/28)", "Description": "pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.", "Severity": "MEDIUM", 
@@ -12176,6 +13763,28 @@ "https://security.gentoo.org/glsa/201607-02" ] }, + { + "VulnerabilityID": "CVE-2015-8394", + "PkgName": "pcre", + "InstalledVersion": "8.32-17.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", + "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, { "VulnerabilityID": "CVE-2017-6004", "PkgName": "pcre", @@ -12183,6 +13792,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3)", "Description": "The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.", "Severity": "MEDIUM", 
@@ -12203,6 +13813,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: Invalid Unicode property lookup (8.41/7, 10.24/2)", "Description": "libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.", "Severity": "MEDIUM", 
@@ -12220,6 +13831,46 @@ "https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_ucd.c?r1=316\u0026r2=670\u0026sortby=date" ] }, + { + "VulnerabilityID": "CVE-2015-8382", + "PkgName": "pcre", + "InstalledVersion": "8.32-17.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "php: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)", + "Description": "The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.", + "Severity": "LOW", + "References": [ + "http://git.php.net/?p=php-src.git;a=commit;h=c351b47ce85a3a147cfa801fa9f0149ab4160834", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502\u0026r2=1510", + "http://www.openwall.com/lists/oss-security/2015/08/04/3", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/76157", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://bugs.exim.org/show_bug.cgi?id=1537", + "https://bugzilla.redhat.com/show_bug.cgi?id=1187225", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8382" + ] + }, + { + "VulnerabilityID": "CVE-2017-11164", + "PkgName": "pcre", + "InstalledVersion": "8.32-17.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", + "Description": "In PCRE 8.41, the OP_KETRMAX 
feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2017/07/11/3", + "http://www.securityfocus.com/bid/99575" + ] + }, { "VulnerabilityID": "CVE-2017-7244", "PkgName": "pcre", @@ -12227,9 +13878,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)", "Description": "The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -12245,9 +13897,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -12262,9 +13915,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -12272,46 +13926,6 @@ "https://security.gentoo.org/glsa/201710-25" ] }, - { - "VulnerabilityID": "CVE-2017-16231", - "PkgName": "pcre", - "InstalledVersion": "8.32-17.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", - "Description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", - "Severity": "LOW", - "References": [ - "http://packetstormsecurity.com/files/150897/PCRE-8.41-Buffer-Overflow.html", - "http://seclists.org/fulldisclosure/2018/Dec/33", - "http://www.openwall.com/lists/oss-security/2017/11/01/11", - "http://www.openwall.com/lists/oss-security/2017/11/01/3", - "http://www.openwall.com/lists/oss-security/2017/11/01/7", - "http://www.openwall.com/lists/oss-security/2017/11/01/8", - "http://www.securityfocus.com/bid/101688", - "https://bugs.exim.org/show_bug.cgi?id=2047" - ] - }, - { - "VulnerabilityID": "CVE-2018-1121", - "PkgName": "procps-ng", - "InstalledVersion": "3.3.10-23.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "procps-ng, procps: process hiding through race condition enumerating /proc", - "Description": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. 
An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.", - "Severity": "MEDIUM", - "References": [ - "http://seclists.org/oss-sec/2018/q2/122", - "http://www.securityfocus.com/bid/104214", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121", - "https://security.gentoo.org/glsa/201805-14", - "https://www.exploit-db.com/exploits/44806/", - "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" - ] - }, { "VulnerabilityID": "CVE-2018-1122", "PkgName": "procps-ng", @@ -12320,10 +13934,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "procps-ng, procps: Local privilege escalation in top", "Description": "procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1122.html", + "http://linux.oracle.com/errata/ELSA-2019-2189.html", "http://seclists.org/oss-sec/2018/q2/122", "http://www.securityfocus.com/bid/104214", "https://access.redhat.com/errata/RHSA-2019:2189", 
@@ -12338,6 +13955,26 @@ "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" ] }, + { + "VulnerabilityID": "CVE-2018-1121", + "PkgName": "procps-ng", + "InstalledVersion": "3.3.10-23.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "procps-ng, procps: process hiding through race condition enumerating /proc", + "Description": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.", + "Severity": "LOW", + "References": [ + "http://seclists.org/oss-sec/2018/q2/122", + "http://www.securityfocus.com/bid/104214", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121", + "https://security.gentoo.org/glsa/201805-14", + "https://www.exploit-db.com/exploits/44806/", + "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" + ] + }, { "VulnerabilityID": "CVE-2018-1123", "PkgName": "procps-ng", 
@@ -12345,9 +13982,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "procps-ng, procps: denial of service in ps via mmap buffer overflow", "Description": "procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maps a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://seclists.org/oss-sec/2018/q2/122", "http://www.securityfocus.com/bid/104214", @@ -12369,9 +14007,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "procps-ng, procps: stack buffer overflow in pgrep", "Description": "procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://seclists.org/oss-sec/2018/q2/122", "http://www.securityfocus.com/bid/104214", 
@@ -12384,180 +14023,6 @@ "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" ] }, - { - "VulnerabilityID": "CVE-2017-1000158", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", - "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", - "Severity": "HIGH", - "References": [ - "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", - "http://www.securitytracker.com/id/1039890", - "https://bugs.python.org/issue30657", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", - "https://security.gentoo.org/glsa/201805-02", - "https://www.debian.org/security/2018/dsa-4307" - ] - }, - { - "VulnerabilityID": "CVE-2019-5010", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. 
This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" - ] - }, - { - "VulnerabilityID": "CVE-2013-1664", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "Python xml bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities", - "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", - "Severity": "MEDIUM", - "References": [ - "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", - "http://bugs.python.org/issue17239", - "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html", - "http://rhn.redhat.com/errata/RHSA-2013-0657.html", - "http://rhn.redhat.com/errata/RHSA-2013-0658.html", - "http://rhn.redhat.com/errata/RHSA-2013-0670.html", - "http://ubuntu.com/usn/usn-1757-1", - "http://www.openwall.com/lists/oss-security/2013/02/19/2", - "http://www.openwall.com/lists/oss-security/2013/02/19/4", - "https://bugs.launchpad.net/nova/+bug/1100282", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1664" - ] - }, - { - "VulnerabilityID": "CVE-2013-1665", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "Python xml bindings: External entity expansion in Python 
XML libraries inflicts potential security flaws and DoS vulnerabilities", - "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", - "Severity": "MEDIUM", - "References": [ - "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", - "http://bugs.python.org/issue17239", - "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html", - "http://rhn.redhat.com/errata/RHSA-2013-0657.html", - "http://rhn.redhat.com/errata/RHSA-2013-0658.html", - "http://rhn.redhat.com/errata/RHSA-2013-0670.html", - "http://ubuntu.com/usn/usn-1757-1", - "http://www.debian.org/security/2013/dsa-2634", - "http://www.openwall.com/lists/oss-security/2013/02/19/2", - "http://www.openwall.com/lists/oss-security/2013/02/19/4", - "https://bugs.launchpad.net/keystone/+bug/1100279", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1665" - ] - }, - { - "VulnerabilityID": "CVE-2013-7040", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: hash secret can be recovered remotely", - "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", - "Severity": "MEDIUM", - "References": [ - "http://bugs.python.org/issue14621", - "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", - "http://www.openwall.com/lists/oss-security/2013/12/09/13", - "http://www.openwall.com/lists/oss-security/2013/12/09/3", - "http://www.securityfocus.com/bid/64194", - "https://support.apple.com/kb/HT205031" - ] - }, - { - "VulnerabilityID": "CVE-2018-1000030", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", - "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. 
The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.python.org/issue31530", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", - "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", - "https://security.gentoo.org/glsa/201811-02", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0" - ] - }, - { - "VulnerabilityID": "CVE-2018-14647", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: Missing salt initialization in _elementtree.c module", - "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. 
Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105396", - "http://www.securitytracker.com/id/1041740", - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://access.redhat.com/errata/RHSA-2019:2030", - "https://bugs.python.org/issue34623", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.debian.org/security/2018/dsa-4306", - "https://www.debian.org/security/2018/dsa-4307" - ] - }, - { - "VulnerabilityID": "CVE-2018-20852", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: Cookie domain check returns incorrect results", - "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. 
This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html", - "https://bugs.python.org/issue35121", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852", - "https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html", - "https://python-security.readthedocs.io/vuln/cookie-domain-check.html" - ] - }, { "VulnerabilityID": "CVE-2019-10160", "PkgName": "python", 
@@ -12566,41 +14031,35 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc", "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-10160.html", + "http://linux.oracle.com/errata/ELSA-2019-1587.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html", "https://access.redhat.com/errata/RHSA-2019:1587", + "https://access.redhat.com/errata/RHSA-2019:1700", + "https://access.redhat.com/errata/RHSA-2019:2437", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160", "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09", "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e", "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de", "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468", "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", - 
"https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html", - "https://security.netapp.com/advisory/ntap-20190617-0003/" - ] - }, - { - "VulnerabilityID": "CVE-2019-16056", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: email.utils.parseaddr wrongly parses email addresses", - "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.python.org/issue34155", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056", - "https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9", - "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html", - "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/", + "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html", + "https://security.netapp.com/advisory/ntap-20190617-0003/", + "https://usn.ubuntu.com/4127-1/", + "https://usn.ubuntu.com/4127-2/" ] }, { @@ -12611,10 +14070,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization", "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9636.html", + "http://linux.oracle.com/errata/ELSA-2019-1467.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html", "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html", 
@@ -12646,114 +14108,14 @@ "https://security.netapp.com/advisory/ntap-20190517-0001/" ] }, - { - "VulnerabilityID": "CVE-2019-9740", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: CRLF injection via the query part of the url passed to urlopen()", - "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/107466", - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://bugs.python.org/issue36276", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9947", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: CRLF injection via the path part of the url passed to urlopen()", - "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? 
character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.", - "Severity": "MEDIUM", - "References": [ - "https://access.redhat.com/errata/RHSA-2019:1260", - "https://bugs.python.org/issue35906", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/", - "https://security.netapp.com/advisory/ntap-20190404-0004/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9948", - "PkgName": "python", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", - "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", - "http://www.securityfocus.com/bid/107549", - "https://bugs.python.org/issue35907", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948", - "https://github.com/python/cpython/pull/11842", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", - "https://security.netapp.com/advisory/ntap-20190404-0004/" - ] - }, - { - "VulnerabilityID": "CVE-2017-1000158", - "PkgName": "python-libs", - "InstalledVersion": "2.7.5-76.el7", - "Layer": { - "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", - "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", - "Severity": "HIGH", - "References": [ - "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", - "http://www.securitytracker.com/id/1039890", - "https://bugs.python.org/issue30657", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", - "https://security.gentoo.org/glsa/201805-02", - "https://www.debian.org/security/2018/dsa-4307" - ] - }, - { - "VulnerabilityID": "CVE-2019-5010", - "PkgName": "python-libs", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. 
This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" - ] - }, { "VulnerabilityID": "CVE-2013-1664", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.7.5-76.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "Python xml bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities", "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", "Severity": "MEDIUM", @@ -12773,11 +14135,12 @@ }, { "VulnerabilityID": "CVE-2013-1665", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.7.5-76.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities", "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", "Severity": "MEDIUM", 
@@ -12798,11 +14161,12 @@ }, { "VulnerabilityID": "CVE-2013-7040", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.7.5-76.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: hash secret can be recovered remotely", "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", "Severity": "MEDIUM", 
@@ -12816,37 +14180,44 @@ ] }, { - "VulnerabilityID": "CVE-2018-1000030", - "PkgName": "python-libs", + "VulnerabilityID": "CVE-2017-1000158", + "PkgName": "python", "InstalledVersion": "2.7.5-76.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", - "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. 
The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "SeveritySource": "redhat", + "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", + "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", "Severity": "MEDIUM", "References": [ - "https://bugs.python.org/issue31530", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", - "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", - "https://security.gentoo.org/glsa/201811-02", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0" + "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", + "http://www.securitytracker.com/id/1039890", + "https://bugs.python.org/issue30657", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", + "https://security.gentoo.org/glsa/201805-02", + "https://www.debian.org/security/2018/dsa-4307" ] }, { "VulnerabilityID": "CVE-2018-14647", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.7.5-76.el7", "FixedVersion": "2.7.5-86.el7", "Layer": { "DiffID": 
"sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: Missing salt initialization in _elementtree.c module", "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-14647.html", + "http://linux.oracle.com/errata/ELSA-2019-2030.html", "http://www.securityfocus.com/bid/105396", "http://www.securitytracker.com/id/1041740", "https://access.redhat.com/errata/RHSA-2019:1260", 
@@ -12865,15 +14236,18 @@ }, { "VulnerabilityID": "CVE-2018-20852", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.7.5-76.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: Cookie domain check returns incorrect results", "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20852.html", + "http://linux.oracle.com/errata/ELSA-2019-4884.html", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html", "https://bugs.python.org/issue35121", 
@@ -12882,36 +14256,14 @@ "https://python-security.readthedocs.io/vuln/cookie-domain-check.html" ] }, - { - "VulnerabilityID": "CVE-2019-10160", - "PkgName": "python-libs", - "InstalledVersion": "2.7.5-76.el7", - "FixedVersion": "2.7.5-80.el7_6", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc", - "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. 
The result of an attack may vary based on the application.", - "Severity": "MEDIUM", - "References": [ - "https://access.redhat.com/errata/RHSA-2019:1587", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", - "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09", - "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e", - "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de", - "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", - "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html", - "https://security.netapp.com/advisory/ntap-20190617-0003/" - ] - }, { "VulnerabilityID": "CVE-2019-16056", - "PkgName": "python-libs", + "PkgName": "python", "InstalledVersion": "2.7.5-76.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: email.utils.parseaddr wrongly parses email addresses", "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", "Severity": "MEDIUM", 
@@ -12927,6 +14279,241 @@ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" ] }, + { + "VulnerabilityID": "CVE-2019-16935", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field", + "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue38243", + "https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897", + "https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213", + "https://github.com/python/cpython/pull/16373", + "https://security.netapp.com/advisory/ntap-20191017-0004/", + "https://usn.ubuntu.com/4151-1/", + "https://usn.ubuntu.com/4151-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18348", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: CRLF injection via the host part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. 
CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue30458#msg347282", + "https://bugzilla.redhat.com/show_bug.cgi?id=1727276", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://security.netapp.com/advisory/ntap-20191107-0004/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5010", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", + "Description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. 
An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5010.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", + "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758" + ] + }, + { + "VulnerabilityID": "CVE-2019-9740", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: CRLF injection via the query part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? 
character) followed by an HTTP header or a Redis command.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-9740.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "http://www.securityfocus.com/bid/107466", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://bugs.python.org/issue36276", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/" + ] + }, + { + "VulnerabilityID": "CVE-2019-9947", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: CRLF injection via the path part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. 
This is similar to the CVE-2019-9740 query string issue.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-9947.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://bugs.python.org/issue35906", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/", + "https://security.netapp.com/advisory/ntap-20190404-0004/" + ] + }, + { + "VulnerabilityID": "CVE-2019-9948", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", + "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-9948.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", + "http://www.securityfocus.com/bid/107549", + "https://bugs.python.org/issue35907", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948", + "https://github.com/python/cpython/pull/11842", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + 
"https://security.netapp.com/advisory/ntap-20190404-0004/" + ] + }, + { + "VulnerabilityID": "CVE-2020-8492", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS", + "Description": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue39503", + "https://github.com/python/cpython/pull/18284", + "https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html", + "https://security.netapp.com/advisory/ntap-20200221-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000030", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", + "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. 
So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "Severity": "LOW", + "References": [ + "https://bugs.python.org/issue31530", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", + "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", + "https://security.gentoo.org/glsa/201811-02", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-9674", + "PkgName": "python", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py", + "Description": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue36260", + "https://bugs.python.org/issue36462", + "https://github.com/python/cpython/blob/master/Lib/zipfile.py", + "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb", + "https://security.netapp.com/advisory/ntap-20200221-0003/", + "https://www.python.org/news/security/" + ] + }, + { + "VulnerabilityID": 
"CVE-2019-10160", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-80.el7_6", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc", + "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. 
The result of an attack may vary based on the application.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-10160.html", + "http://linux.oracle.com/errata/ELSA-2019-1587.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html", + "https://access.redhat.com/errata/RHSA-2019:1587", + "https://access.redhat.com/errata/RHSA-2019:1700", + "https://access.redhat.com/errata/RHSA-2019:2437", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160", + "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09", + "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e", + "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de", + "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/", + 
"https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html", + "https://security.netapp.com/advisory/ntap-20190617-0003/", + "https://usn.ubuntu.com/4127-1/", + "https://usn.ubuntu.com/4127-2/" + ] + }, { "VulnerabilityID": "CVE-2019-9636", "PkgName": "python-libs", @@ -12935,10 +14522,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization", "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9636.html", + "http://linux.oracle.com/errata/ELSA-2019-1467.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html", "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html", 
@@ -12970,6 +14560,240 @@ "https://security.netapp.com/advisory/ntap-20190517-0001/" ] }, + { + "VulnerabilityID": "CVE-2013-1664", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "Python xml bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities", + "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", + "Severity": "MEDIUM", + "References": [ + "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", + "http://bugs.python.org/issue17239", + "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html", + "http://rhn.redhat.com/errata/RHSA-2013-0657.html", + "http://rhn.redhat.com/errata/RHSA-2013-0658.html", + "http://rhn.redhat.com/errata/RHSA-2013-0670.html", + "http://ubuntu.com/usn/usn-1757-1", + "http://www.openwall.com/lists/oss-security/2013/02/19/2", + "http://www.openwall.com/lists/oss-security/2013/02/19/4", + "https://bugs.launchpad.net/nova/+bug/1100282", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1664" + ] + }, + { + "VulnerabilityID": "CVE-2013-1665", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities", + "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and 
Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", + "Severity": "MEDIUM", + "References": [ + "http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html", + "http://bugs.python.org/issue17239", + "http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html", + "http://rhn.redhat.com/errata/RHSA-2013-0657.html", + "http://rhn.redhat.com/errata/RHSA-2013-0658.html", + "http://rhn.redhat.com/errata/RHSA-2013-0670.html", + "http://ubuntu.com/usn/usn-1757-1", + "http://www.debian.org/security/2013/dsa-2634", + "http://www.openwall.com/lists/oss-security/2013/02/19/2", + "http://www.openwall.com/lists/oss-security/2013/02/19/4", + "https://bugs.launchpad.net/keystone/+bug/1100279", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1665" + ] + }, + { + "VulnerabilityID": "CVE-2013-7040", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: hash secret can be recovered remotely", + "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "Severity": "MEDIUM", + "References": [ + "http://bugs.python.org/issue14621", + "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", + "http://www.openwall.com/lists/oss-security/2013/12/09/13", + "http://www.openwall.com/lists/oss-security/2013/12/09/3", + "http://www.securityfocus.com/bid/64194", + "https://support.apple.com/kb/HT205031" + ] + }, + { + "VulnerabilityID": "CVE-2017-1000158", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", + "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", + "Severity": "MEDIUM", + "References": [ + "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", + "http://www.securitytracker.com/id/1039890", + "https://bugs.python.org/issue30657", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", + "https://security.gentoo.org/glsa/201805-02", + "https://www.debian.org/security/2018/dsa-4307" + ] + }, + { + "VulnerabilityID": "CVE-2018-14647", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + 
"SeveritySource": "redhat", + "Title": "python: Missing salt initialization in _elementtree.c module", + "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-14647.html", + "http://linux.oracle.com/errata/ELSA-2019-2030.html", + "http://www.securityfocus.com/bid/105396", + "http://www.securitytracker.com/id/1041740", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://access.redhat.com/errata/RHSA-2019:2030", + "https://bugs.python.org/issue34623", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.debian.org/security/2018/dsa-4306", + "https://www.debian.org/security/2018/dsa-4307" + ] + }, + { + "VulnerabilityID": "CVE-2018-20852", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: Cookie domain check returns incorrect results", + "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing 
cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20852.html", + "http://linux.oracle.com/errata/ELSA-2019-4884.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html", + "https://bugs.python.org/issue35121", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html", + "https://python-security.readthedocs.io/vuln/cookie-domain-check.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-16056", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: email.utils.parseaddr wrongly parses email addresses", + "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. 
An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue34155", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056", + "https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" + ] + }, + { + "VulnerabilityID": "CVE-2019-16935", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field", + "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. 
If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue38243", + "https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897", + "https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213", + "https://github.com/python/cpython/pull/16373", + "https://security.netapp.com/advisory/ntap-20191017-0004/", + "https://usn.ubuntu.com/4151-1/", + "https://usn.ubuntu.com/4151-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18348", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: CRLF injection via the host part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. 
(This is not exploitable when glibc has CVE-2016-10739 fixed.)", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue30458#msg347282", + "https://bugzilla.redhat.com/show_bug.cgi?id=1727276", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://security.netapp.com/advisory/ntap-20191107-0004/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5010", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "FixedVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", + "Description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5010.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", + "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758" + ] + }, { "VulnerabilityID": "CVE-2019-9740", "PkgName": "python-libs", 
@@ -12978,10 +14802,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: CRLF injection via the query part of the url passed to urlopen()", "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9740.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://www.securityfocus.com/bid/107466", "https://access.redhat.com/errata/RHSA-2019:1260", "https://bugs.python.org/issue36276", @@ -12998,10 +14825,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "python: CRLF injection via the path part of the url passed to urlopen()", "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9947.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "https://access.redhat.com/errata/RHSA-2019:1260", "https://bugs.python.org/issue35906", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", 
@@ -13018,10 +14848,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
 "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-9948.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3520.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html",
 "http://www.securityfocus.com/bid/107549",
@@ -13032,6 +14865,68 @@ "https://security.netapp.com/advisory/ntap-20190404-0004/" ] }, + { + "VulnerabilityID": "CVE-2020-8492", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS", + "Description": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue39503", + "https://github.com/python/cpython/pull/18284", + "https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html", + "https://security.netapp.com/advisory/ntap-20200221-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000030", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", + "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. 
For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "Severity": "LOW", + "References": [ + "https://bugs.python.org/issue31530", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", + "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", + "https://security.gentoo.org/glsa/201811-02", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-9674", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-76.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py", + "Description": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue36260", + "https://bugs.python.org/issue36462", + "https://github.com/python/cpython/blob/master/Lib/zipfile.py", + 
"https://python-security.readthedocs.io/security.html#archives-and-zip-bomb",
+ "https://security.netapp.com/advisory/ntap-20200221-0003/",
+ "https://www.python.org/news/security/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2016-7091",
 "PkgName": "readline",
@@ -13039,10 +14934,13 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "sudo: Possible info leak via INPUTRC",
 "Description": "sudo: It was discovered that the default sudo configuration on Red Hat Enterprise Linux and possibly other Linux implementations preserves the value of INPUTRC which could lead to information disclosure. A local user with sudo access to a restricted program that uses readline could use this flaw to read content from specially formatted files with elevated privileges provided by sudo.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-7091.html",
+ "http://linux.oracle.com/errata/ELSA-2016-2593.html",
 "http://www.securityfocus.com/bid/92615",
 "https://lists.gnu.org/archive/html/bug-readline/2016-05/msg00009.html",
 "https://rhn.redhat.com/errata/RHSA-2016-2593.html"
@@ -13055,9 +14953,10 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation",
 "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500",
 "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9",
@@ -13071,6 +14970,7 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation",
 "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.",
 "Severity": "MEDIUM",
@@ -13086,9 +14986,10 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation",
 "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500",
 "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9",
@@ -13102,6 +15003,7 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation",
 "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.",
 "Severity": "MEDIUM",
@@ -13117,9 +15019,10 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation",
 "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500",
 "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9",
@@ -13133,6 +15036,7 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation",
 "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.",
 "Severity": "MEDIUM",
@@ -13148,9 +15052,10 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation",
 "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500",
 "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9",
@@ -13164,6 +15069,7 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation",
 "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.",
 "Severity": "MEDIUM",
@@ -13173,26 +15079,47 @@
 ]
 },
 {
- "VulnerabilityID": "CVE-2016-6252",
- "PkgName": "shadow-utils",
- "InstalledVersion": "2:4.1.5.1-25.el7",
+ "VulnerabilityID": "CVE-2019-13734",
+ "PkgName": "sqlite",
+ "InstalledVersion": "3.7.17-8.el7",
+ "FixedVersion": "3.7.17-8.el7_7.1",
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
- "Title": "shadow-utils: Incorrect integer handling results in LPE",
- "Description": "Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.",
- "Severity": "MEDIUM",
+ "SeveritySource": "redhat",
+ "Title": "sqlite: fts3: improve shadow table corruption detection",
+ "Description": "Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
+ "Severity": "HIGH",
 "References": [
- "http://www.debian.org/security/2017/dsa-3793",
- "http://www.openwall.com/lists/oss-security/2016/07/19/6",
- "http://www.openwall.com/lists/oss-security/2016/07/19/7",
- "http://www.openwall.com/lists/oss-security/2016/07/20/2",
- "http://www.openwall.com/lists/oss-security/2016/07/25/7",
- "http://www.securityfocus.com/bid/92055",
- "https://bugzilla.suse.com/show_bug.cgi?id=979282",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252",
- "https://github.com/shadow-maint/shadow/issues/27",
- "https://security.gentoo.org/glsa/201706-02"
+ "http://linux.oracle.com/cve/CVE-2019-13734.html",
+ "http://linux.oracle.com/errata/ELSA-2020-0273.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html",
+ "https://access.redhat.com/errata/RHSA-2019:4238",
+ "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html",
+ "https://crbug.com/1025466",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-5827",
+ "PkgName": "sqlite",
+ "InstalledVersion": "3.7.17-8.el7",
+ "Layer": {
+ "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+ },
+ "SeveritySource": "redhat",
+ "Title": "chromium-browser: out-of-bounds access in SQLite",
+ "Description": "Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
+ "Severity": "HIGH",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00085.html",
+ "https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_30.html",
+ "https://crbug.com/952406",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5827",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CPM7VPE27DUNJLXM4F5PAAEFFWOEND6X/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKN4GPMBQ3SDXWB4HL45II5CZ7P2E4AI/"
 ]
 },
 {
@@ -13202,9 +15129,10 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "sqlite: arbitrary code execution on databases with malformed schema",
 "Description": "The fts3_tokenizer function in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a SQL command that triggers an API call with a crafted pointer value in the second argument.",
- "Severity": "HIGH",
+ "Severity": "MEDIUM",
 "References": [
 "http://support.apple.com/kb/HT204941",
 "http://support.apple.com/kb/HT204942",
@@ -13212,6 +15140,225 @@ "https://security.gentoo.org/glsa/201612-21" ] }, + { + "VulnerabilityID": "CVE-2017-7000", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "chromium-browser: pointer disclosure in sqlite", + "Description": "An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the \"SQLite\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/98767", + "http://www.securityfocus.com/bid/99950", + "https://access.redhat.com/errata/RHSA-2017:1833", + "https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7000", + "https://security.gentoo.org/glsa/201709-15", + "https://support.apple.com/HT207797", + "https://support.apple.com/HT207798", + "https://www.debian.org/security/2017/dsa-3926" + ] + }, + { + "VulnerabilityID": "CVE-2019-13751", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: fts3: improve detection of corrupted records", + "Description": "Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + 
"https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025465", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] + }, + { + "VulnerabilityID": "CVE-2019-13752", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: fts3: improve shadow table corruption detection", + "Description": "Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025470", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] + }, + { + "VulnerabilityID": "CVE-2019-13753", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: fts3: incorrectly removed corruption check", + "Description": "Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "Severity": "MEDIUM", + "References": [ + 
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025471", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19603", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to DoS", + "Description": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13", + "https://security.netapp.com/advisory/ntap-20191223-0001/", + "https://www.sqlite.org/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19645", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements", + "Description": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06", + "https://security.netapp.com/advisory/ntap-20191223-0001/" + ] + }, + { + 
"VulnerabilityID": "CVE-2019-19880", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: invalid pointer dereference in exprListAppendList in window.c", + "Description": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880", + "https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54", + "https://security.netapp.com/advisory/ntap-20200114-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19924", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: incorrect sqlite3WindowRewrite() error handling leads to mishandling certain parser-tree rewriting", + "Description": "SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. 
This is caused by incorrect sqlite3WindowRewrite() error handling.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/8654186b0236d556aa85528c2573ee0b6ab71be3", + "https://security.netapp.com/advisory/ntap-20200114-0003/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20218", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error", + "Description": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387", + "https://usn.ubuntu.com/4298-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-8457", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: heap out-of-bound read in function rtreenode()", + "Description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/", + "https://security.netapp.com/advisory/ntap-20190606-0002/", + "https://usn.ubuntu.com/4004-1/", + "https://usn.ubuntu.com/4004-2/", + 
"https://usn.ubuntu.com/4019-1/", + "https://usn.ubuntu.com/4019-2/", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "https://www.sqlite.org/releaselog/3_28_0.html", + "https://www.sqlite.org/src/info/90acdbfce9c08858" + ] + }, + { + "VulnerabilityID": "CVE-2016-6153", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "sqlite: Tempdir selection vulnerability", + "Description": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-updates/2016-08/msg00053.html", + "http://www.openwall.com/lists/oss-security/2016/07/01/1", + "http://www.openwall.com/lists/oss-security/2016/07/01/2", + "http://www.securityfocus.com/bid/91546", + "http://www.sqlite.org/cgi/src/info/67985761aa93fb61", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGQTH7V45QVHFDXJAEECHEO3HHD644WZ/", + "https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt", + "https://www.sqlite.org/releaselog/3_13_0.html", + "https://www.tenable.com/security/tns-2016-20" + ] + }, { "VulnerabilityID": "CVE-2017-10989", "PkgName": "sqlite", 
@@ -13219,9 +15366,10 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "sqlite: Heap-buffer overflow in the getNodeSize function",
 "Description": "The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.",
- "Severity": "HIGH",
+ "Severity": "LOW",
 "References": [
 "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00050.html",
 "http://marc.info/?l=sqlite-users\u0026m=149933696214713\u0026w=2",
@@ -13242,48 +15390,6 @@
 "https://usn.ubuntu.com/4019-2/"
 ]
 },
- {
- "VulnerabilityID": "CVE-2019-8457",
- "PkgName": "sqlite",
- "InstalledVersion": "3.7.17-8.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "sqlite3: heap out-of-bound read in function rtreenode()",
- "Description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
- "Severity": "HIGH",
- "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457",
- "https://security.netapp.com/advisory/ntap-20190606-0002/",
- "https://usn.ubuntu.com/4004-1/",
- "https://usn.ubuntu.com/4004-2/",
- "https://www.sqlite.org/releaselog/3_28_0.html",
- "https://www.sqlite.org/src/info/90acdbfce9c08858"
- ]
- },
- {
- "VulnerabilityID": "CVE-2016-6153",
- "PkgName": "sqlite",
- "InstalledVersion": "3.7.17-8.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "sqlite: Tempdir selection vulnerability",
- "Description": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.",
- "Severity": "MEDIUM",
- "References": [
- "http://lists.opensuse.org/opensuse-updates/2016-08/msg00053.html",
- "http://www.openwall.com/lists/oss-security/2016/07/01/1",
- "http://www.openwall.com/lists/oss-security/2016/07/01/2",
- "http://www.securityfocus.com/bid/91546",
- "http://www.sqlite.org/cgi/src/info/67985761aa93fb61",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153",
- "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGQTH7V45QVHFDXJAEECHEO3HHD644WZ/",
- "https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt",
- "https://www.sqlite.org/releaselog/3_13_0.html",
- "https://www.tenable.com/security/tns-2016-20"
- ]
- },
 {
 "VulnerabilityID": "CVE-2017-13685",
 "PkgName": "sqlite",
@@ -13291,9 +15397,10 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "sqlite: Local DoS via dump_callback function",
 "Description": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg105314.html",
 "http://www.securityfocus.com/bid/100521",
@@ -13307,37 +15414,16 @@
 "Layer": {
 "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
 },
+ "SeveritySource": "redhat",
 "Title": "sqlite: NULL pointer dereference in tableColumnList",
 "Description": "SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/101285",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15286",
 "https://github.com/Ha0Team/crash-of-sqlite3/blob/master/poc.md"
 ]
 },
- {
- "VulnerabilityID": "CVE-2017-7000",
- "PkgName": "sqlite",
- "InstalledVersion": "3.7.17-8.el7",
- "Layer": {
- "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
- },
- "Title": "chromium-browser: pointer disclosure in sqlite",
- "Description": "An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the \"SQLite\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.securityfocus.com/bid/98767",
- "http://www.securityfocus.com/bid/99950",
- "https://access.redhat.com/errata/RHSA-2017:1833",
- "https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7000",
- "https://security.gentoo.org/glsa/201709-15",
- "https://support.apple.com/HT207797",
- "https://support.apple.com/HT207798",
- "https://www.debian.org/security/2017/dsa-3926"
- ]
- },
 {
 "VulnerabilityID": "CVE-2018-8740",
 "PkgName": "sqlite",
@@ -13345,9 +15431,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "sqlite: NULL pointer dereference with databases with schema corrupted with CREATE TABLE AS allows for denial of service", "Description": "In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00050.html", "http://www.securityfocus.com/bid/103466", 
@@ -13360,62 +15447,36 @@ ] }, { - "VulnerabilityID": "CVE-2019-5827", + "VulnerabilityID": "CVE-2019-19244", "PkgName": "sqlite", "InstalledVersion": "3.7.17-8.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "chromium-browser: out-of-bounds access in SQLite", - "Description": "Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", + "SeveritySource": "redhat", + "Title": "sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage", + "Description": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.", + "Severity": "LOW", + "References": [ + "https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348", + "https://usn.ubuntu.com/4205-1/" + ] + }, + { + "VulnerabilityID": "CVE-2013-4392", + "PkgName": "systemd", + "InstalledVersion": "219-62.el7_6.5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", + "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00085.html", - "https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_30.html", - "https://crbug.com/952406", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5827", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CPM7VPE27DUNJLXM4F5PAAEFFWOEND6X/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKN4GPMBQ3SDXWB4HL45II5CZ7P2E4AI/" - ] - }, - { - "VulnerabilityID": "CVE-2018-15686", - "PkgName": "systemd", - "InstalledVersion": "219-62.el7_6.5", - "FixedVersion": "219-67.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec", - "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.", - "Severity": "CRITICAL", - "References": [ - "http://www.securityfocus.com/bid/105747", - "https://access.redhat.com/errata/RHSA-2019:2091", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686", - "https://github.com/systemd/systemd/pull/10519", - "https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html", - "https://security.gentoo.org/glsa/201810-10", - "https://usn.ubuntu.com/3816-1/", - "https://www.exploit-db.com/exploits/45714/" - ] - }, - { - "VulnerabilityID": "CVE-2018-6954", - "PkgName": "systemd", - "InstalledVersion": "219-62.el7_6.5", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", - "Description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that 
directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", - "https://github.com/systemd/systemd/issues/7986", - "https://usn.ubuntu.com/3816-1/", - "https://usn.ubuntu.com/3816-2/" + "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", + "http://www.openwall.com/lists/oss-security/2013/10/01/9", + "https://bugzilla.redhat.com/show_bug.cgi?id=859060" ] }, { @@ -13425,6 +15486,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: Unsafe handling of hard links allowing privilege escalation", "Description": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.", "Severity": "MEDIUM", 
@@ -13440,57 +15502,28 @@ ] }, { - "VulnerabilityID": "CVE-2019-3842", + "VulnerabilityID": "CVE-2018-15686", "PkgName": "systemd", "InstalledVersion": "219-62.el7_6.5", + "FixedVersion": "219-67.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "systemd: Spoofing of XDG_SEAT allows for actions to be checked against \"allow_active\" instead of \"allow_any\"", - "Description": "In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the \"allow_active\" element rather than \"allow_any\".", + "SeveritySource": "redhat", + "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec", + "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
Affected releases are systemd versions up to and including 239.", "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", - "http://packetstormsecurity.com/files/152610/systemd-Seat-Verification-Active-Session-Spoofing.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3842", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3842", - "https://lists.debian.org/debian-lts-announce/2019/04/msg00022.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STR36RJE4ZZIORMDXRERVBHMPRNRTHAC/", - "https://www.exploit-db.com/exploits/46743/" - ] - }, - { - "VulnerabilityID": "CVE-2013-4392", - "PkgName": "systemd", - "InstalledVersion": "219-62.el7_6.5", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", - "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "Severity": "LOW", - "References": [ - "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", - "http://www.openwall.com/lists/oss-security/2013/10/01/9", - "https://bugzilla.redhat.com/show_bug.cgi?id=859060" - ] - }, - { - "VulnerabilityID": "CVE-2016-6349", - "PkgName": "systemd", - "InstalledVersion": "219-62.el7_6.5", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "oci-register-machine: information exposure for docker containers", - "Description": "The machinectl command in oci-register-machine allows local users to list running containers and possibly obtain sensitive information by running that command.", - "Severity": "LOW", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/07/26/9", - 
"http://www.openwall.com/lists/oss-security/2016/10/13/7", - "http://www.securityfocus.com/bid/92143", - "https://bugzilla.redhat.com/show_bug.cgi?id=1360634", - "https://github.com/projectatomic/oci-register-machine/pull/22" + "http://linux.oracle.com/cve/CVE-2018-15686.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", + "http://www.securityfocus.com/bid/105747", + "https://access.redhat.com/errata/RHSA-2019:2091", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686", + "https://github.com/systemd/systemd/pull/10519", + "https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html", + "https://security.gentoo.org/glsa/201810-10", + "https://usn.ubuntu.com/3816-1/", + "https://www.exploit-db.com/exploits/45714/" ] }, { @@ -13501,10 +15534,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: out-of-bounds read when parsing a crafted syslog message", "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16866.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html", "http://seclists.org/fulldisclosure/2019/May/21", "http://www.openwall.com/lists/oss-security/2019/05/10/4", 
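Review bot: The systemd CVE-2018-15686 entry in this hunk is now expected at `"Severity": "MEDIUM"` with `"SeveritySource": "redhat"`, whereas the removed copy of the same entry earlier in this diff carried `"Severity": "CRITICAL"`, so the fixture now pins a two-level downgrade for a flaw whose own description says it may lead to root privilege escalation and whose references still include an exploit-db entry. That presumably mirrors the vendor rating in the linked RHSA, but nothing in the fixture records that the vendor rating is meant to win over the previous rating, so a later golden-file regeneration that flips it back would look like noise rather than a behaviour change. It would help to state in the integration test that asserts this file (or in a README beside the golden files) that `Severity` is taken from the `SeveritySource` vendor when that field is present, and that consumers filtering on CRITICAL/HIGH will therefore not see this CVE for this image. The enclosing JSON array continues outside the hunk.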
@@ -13520,56 +15556,16 @@ ] }, { - "VulnerabilityID": "CVE-2018-16888", + "VulnerabilityID": "CVE-2018-6954", "PkgName": "systemd", "InstalledVersion": "219-62.el7_6.5", - "FixedVersion": "219-67.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", - "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.", - "Severity": "LOW", - "References": [ - "https://access.redhat.com/errata/RHSA-2019:2091", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", - "https://lists.apache.org/thread.html/5960a34a524848cd722fd7ab7e2227eac10107b0f90d9d1e9c3caa74@%3Cuser.cassandra.apache.org%3E", - "https://security.netapp.com/advisory/ntap-20190307-0007/" - ] - }, - { - "VulnerabilityID": "CVE-2018-15686", - "PkgName": "systemd-libs", - "InstalledVersion": "219-62.el7_6.5", - "FixedVersion": "219-67.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec", - "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
Affected releases are systemd versions up to and including 239.", - "Severity": "CRITICAL", - "References": [ - "http://www.securityfocus.com/bid/105747", - "https://access.redhat.com/errata/RHSA-2019:2091", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686", - "https://github.com/systemd/systemd/pull/10519", - "https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html", - "https://security.gentoo.org/glsa/201810-10", - "https://usn.ubuntu.com/3816-1/", - "https://www.exploit-db.com/exploits/45714/" - ] - }, - { - "VulnerabilityID": "CVE-2018-6954", - "PkgName": "systemd-libs", - "InstalledVersion": "219-62.el7_6.5", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", "Description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", 
@@ -13578,6 +15574,103 @@ "https://usn.ubuntu.com/3816-2/" ] }, + { + "VulnerabilityID": "CVE-2019-3842", + "PkgName": "systemd", + "InstalledVersion": "219-62.el7_6.5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "systemd: Spoofing of XDG_SEAT allows for actions to be checked against \"allow_active\" instead of \"allow_any\"", + "Description": "In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the \"allow_active\" element rather than \"allow_any\".", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", + "http://packetstormsecurity.com/files/152610/systemd-Seat-Verification-Active-Session-Spoofing.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3842", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3842", + "https://lists.debian.org/debian-lts-announce/2019/04/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STR36RJE4ZZIORMDXRERVBHMPRNRTHAC/", + "https://www.exploit-db.com/exploits/46743/" + ] + }, + { + "VulnerabilityID": "CVE-2016-6349", + "PkgName": "systemd", + "InstalledVersion": "219-62.el7_6.5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "oci-register-machine: information exposure for docker containers", + "Description": "The machinectl command in oci-register-machine allows local users to list running containers and possibly obtain sensitive information by running that command.", + "Severity": "LOW", + "References": [ + 
"http://www.openwall.com/lists/oss-security/2016/07/26/9", + "http://www.openwall.com/lists/oss-security/2016/10/13/7", + "http://www.securityfocus.com/bid/92143", + "https://bugzilla.redhat.com/show_bug.cgi?id=1360634", + "https://github.com/projectatomic/oci-register-machine/pull/22" + ] + }, + { + "VulnerabilityID": "CVE-2018-16888", + "PkgName": "systemd", + "InstalledVersion": "219-62.el7_6.5", + "FixedVersion": "219-67.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", + "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. 
Versions before v237 are vulnerable.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16888.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", + "https://access.redhat.com/errata/RHSA-2019:2091", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", + "https://lists.apache.org/thread.html/5960a34a524848cd722fd7ab7e2227eac10107b0f90d9d1e9c3caa74@%3Cuser.cassandra.apache.org%3E", + "https://security.netapp.com/advisory/ntap-20190307-0007/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "systemd", + "InstalledVersion": "219-62.el7_6.5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. 
When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, + { + "VulnerabilityID": "CVE-2013-4392", + "PkgName": "systemd-libs", + "InstalledVersion": "219-62.el7_6.5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", + "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", + "Severity": "MEDIUM", + "References": [ + "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", + "http://www.openwall.com/lists/oss-security/2013/10/01/9", + "https://bugzilla.redhat.com/show_bug.cgi?id=859060" + ] + }, { "VulnerabilityID": "CVE-2017-18078", "PkgName": "systemd-libs", @@ -13585,6 +15678,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: Unsafe handling of hard links allowing privilege escalation", "Description": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.", "Severity": "MEDIUM", 
@@ -13600,57 +15694,28 @@ ] }, { - "VulnerabilityID": "CVE-2019-3842", + "VulnerabilityID": "CVE-2018-15686", "PkgName": "systemd-libs", "InstalledVersion": "219-62.el7_6.5", + "FixedVersion": "219-67.el7", "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, - "Title": "systemd: Spoofing of XDG_SEAT allows for actions to be checked against \"allow_active\" instead of \"allow_any\"", - "Description": "In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the \"allow_active\" element rather than \"allow_any\".", + "SeveritySource": "redhat", + "Title": "systemd: line splitting via fgets() allows for state injection during daemon-reexec", + "Description": "A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
Affected releases are systemd versions up to and including 239.", "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", - "http://packetstormsecurity.com/files/152610/systemd-Seat-Verification-Active-Session-Spoofing.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3842", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3842", - "https://lists.debian.org/debian-lts-announce/2019/04/msg00022.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STR36RJE4ZZIORMDXRERVBHMPRNRTHAC/", - "https://www.exploit-db.com/exploits/46743/" - ] - }, - { - "VulnerabilityID": "CVE-2013-4392", - "PkgName": "systemd-libs", - "InstalledVersion": "219-62.el7_6.5", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", - "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "Severity": "LOW", - "References": [ - "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", - "http://www.openwall.com/lists/oss-security/2013/10/01/9", - "https://bugzilla.redhat.com/show_bug.cgi?id=859060" - ] - }, - { - "VulnerabilityID": "CVE-2016-6349", - "PkgName": "systemd-libs", - "InstalledVersion": "219-62.el7_6.5", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "oci-register-machine: information exposure for docker containers", - "Description": "The machinectl command in oci-register-machine allows local users to list running containers and possibly obtain sensitive information by running that command.", - "Severity": "LOW", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/07/26/9", - 
"http://www.openwall.com/lists/oss-security/2016/10/13/7", - "http://www.securityfocus.com/bid/92143", - "https://bugzilla.redhat.com/show_bug.cgi?id=1360634", - "https://github.com/projectatomic/oci-register-machine/pull/22" + "http://linux.oracle.com/cve/CVE-2018-15686.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", + "http://www.securityfocus.com/bid/105747", + "https://access.redhat.com/errata/RHSA-2019:2091", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686", + "https://github.com/systemd/systemd/pull/10519", + "https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html", + "https://security.gentoo.org/glsa/201810-10", + "https://usn.ubuntu.com/3816-1/", + "https://www.exploit-db.com/exploits/45714/" ] }, { @@ -13661,10 +15726,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: out-of-bounds read when parsing a crafted syslog message", "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16866.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html", "http://seclists.org/fulldisclosure/2019/May/21", "http://www.openwall.com/lists/oss-security/2019/05/10/4", 
@@ -13679,6 +15747,65 @@ "https://www.qualys.com/2019/01/09/system-down/system-down.txt" ] }, + { + "VulnerabilityID": "CVE-2018-6954", + "PkgName": "systemd-libs", + "InstalledVersion": "219-62.el7_6.5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", + "Description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", + "https://github.com/systemd/systemd/issues/7986", + "https://usn.ubuntu.com/3816-1/", + "https://usn.ubuntu.com/3816-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3842", + "PkgName": "systemd-libs", + "InstalledVersion": "219-62.el7_6.5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "systemd: Spoofing of XDG_SEAT allows for actions to be checked against \"allow_active\" instead of \"allow_any\"", + "Description": "In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. 
It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the \"allow_active\" element rather than \"allow_any\".", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", + "http://packetstormsecurity.com/files/152610/systemd-Seat-Verification-Active-Session-Spoofing.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3842", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3842", + "https://lists.debian.org/debian-lts-announce/2019/04/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STR36RJE4ZZIORMDXRERVBHMPRNRTHAC/", + "https://www.exploit-db.com/exploits/46743/" + ] + }, + { + "VulnerabilityID": "CVE-2016-6349", + "PkgName": "systemd-libs", + "InstalledVersion": "219-62.el7_6.5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "oci-register-machine: information exposure for docker containers", + "Description": "The machinectl command in oci-register-machine allows local users to list running containers and possibly obtain sensitive information by running that command.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/07/26/9", + "http://www.openwall.com/lists/oss-security/2016/10/13/7", + "http://www.securityfocus.com/bid/92143", + "https://bugzilla.redhat.com/show_bug.cgi?id=1360634", + "https://github.com/projectatomic/oci-register-machine/pull/22" + ] + }, { "VulnerabilityID": "CVE-2018-16888", "PkgName": "systemd-libs", 
@@ -13687,10 +15814,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16888.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "https://access.redhat.com/errata/RHSA-2019:2091", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", @@ -13698,6 +15828,24 @@ "https://security.netapp.com/advisory/ntap-20190307-0007/" ] }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "systemd-libs", + "InstalledVersion": "219-62.el7_6.5", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, { "VulnerabilityID": "CVE-2016-6321", "PkgName": "tar", 
@@ -13705,6 +15853,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "tar: Bypassing the extract path name", "Description": "Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.", "Severity": "MEDIUM", @@ -13723,23 +15872,6 @@ "https://sintonen.fi/advisories/tar-extract-pathname-bypass.txt" ] }, - { - "VulnerabilityID": "CVE-2019-9923", - "PkgName": "tar", - "InstalledVersion": "2:1.26-35.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", - "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", - "Severity": "MEDIUM", - "References": [ - "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", - "http://savannah.gnu.org/bugs/?55369", - "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" - ] - }, { "VulnerabilityID": "CVE-2018-20482", "PkgName": "tar", 
@@ -13747,6 +15879,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "tar: Infinite read loop in sparse_dump_region function in sparse.c", "Description": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).", "Severity": "LOW", @@ -13763,6 +15896,24 @@ "https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug" ] }, + { + "VulnerabilityID": "CVE-2019-9923", + "PkgName": "tar", + "InstalledVersion": "2:1.26-35.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", + "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", + "Severity": "LOW", + "References": [ + "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", + "http://savannah.gnu.org/bugs/?55369", + "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" + ] + }, { "VulnerabilityID": "CVE-2014-9114", "PkgName": "util-linux", 
@@ -13770,9 +15921,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", @@ -13793,9 +15945,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -13810,6 +15963,7 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", 
@@ -13831,10 +15985,13 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "vim/neovim: ':source!' command allows arbitrary command execution via modelines", "Description": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.", - "Severity": "CRITICAL", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-12735.html", + "http://linux.oracle.com/errata/ELSA-2019-1774.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html", 
@@ -13852,6 +16009,60 @@ "https://www.debian.org/security/2019/dsa-4467" ] }, + { + "VulnerabilityID": "CVE-2017-1000382", + "PkgName": "vim-minimal", + "InstalledVersion": "2:7.4.160-5.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "vim: Ignores umask when creating a swap file", + "Description": "VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.", + "Severity": "LOW", + "References": [ + "http://security.cucumberlinux.com/security/details.php?id=120", + "http://www.openwall.com/lists/oss-security/2017/10/31/1" + ] + }, + { + "VulnerabilityID": "CVE-2017-11109", + "PkgName": "vim-minimal", + "InstalledVersion": "2:7.4.160-5.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "vim: Use-after-free via crafted file", + "Description": "Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. 
NOTE: there might be a limited number of scenarios in which this has security relevance.", + "Severity": "LOW", + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1468492", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11109", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11109.html" + ] + }, + { + "VulnerabilityID": "CVE-2017-17087", + "PkgName": "vim-minimal", + "InstalledVersion": "2:7.4.160-5.el7", + "Layer": { + "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" + }, + "SeveritySource": "redhat", + "Title": "vim: Sets the group ownership of a .swp file to the editor's primary group", + "Description": "fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2017/11/27/2", + "http://security.cucumberlinux.com/security/details.php?id=166", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17087", + "https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8", + "https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html" + ] + }, { "VulnerabilityID": "CVE-2017-5953", "PkgName": "vim-minimal", 
@@ -13859,9 +16070,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "vim: Tree length values not validated properly when handling a spell file", "Description": "vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.debian.org/security/2017/dsa-3786", "http://www.securityfocus.com/bid/96217", @@ -13879,9 +16091,10 @@ "Layer": { "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" }, + "SeveritySource": "redhat", "Title": "vim: Integer overflow at an unserialize_uep memory allocation site", "Description": "An integer overflow at an unserialize_uep memory allocation site would occur for vim before patch 8.0.0378, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/96448", "http://www.securitytracker.com/id/1037949", 
@@ -13891,57 +16104,6 @@ "https://groups.google.com/forum/#!topic/vim_dev/QPZc0CY9j3Y", "https://security.gentoo.org/glsa/201706-26" ] - }, - { - "VulnerabilityID": "CVE-2017-11109", - "PkgName": "vim-minimal", - "InstalledVersion": "2:7.4.160-5.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "vim: Use-after-free via crafted file", - "Description": "Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. NOTE: there might be a limited number of scenarios in which this has security relevance.", - "Severity": "MEDIUM", - "References": [ - "https://bugzilla.redhat.com/show_bug.cgi?id=1468492", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11109", - "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11109.html" - ] - }, - { - "VulnerabilityID": "CVE-2017-1000382", - "PkgName": "vim-minimal", - "InstalledVersion": "2:7.4.160-5.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "vim: Ignores umask when creating a swap file", - "Description": "VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.", - "Severity": "LOW", - "References": [ - "http://security.cucumberlinux.com/security/details.php?id=120", - "http://www.openwall.com/lists/oss-security/2017/10/31/1" - ] - }, - { - "VulnerabilityID": "CVE-2017-17087", - "PkgName": "vim-minimal", - "InstalledVersion": "2:7.4.160-5.el7", - "Layer": { - "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854" - }, - "Title": "vim: Sets the group ownership of a .swp file to the editor's 
primary group", - "Description": "fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.", - "Severity": "LOW", - "References": [ - "http://openwall.com/lists/oss-security/2017/11/27/2", - "http://security.cucumberlinux.com/security/details.php?id=166", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17087", - "https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8", - "https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ", - "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html" - ] } ] } diff --git a/integration/testdata/debian-buster-ignore-unfixed.json.golden b/integration/testdata/debian-buster-ignore-unfixed.json.golden index 21a0da0a74..4024b5302f 100644 --- a/integration/testdata/debian-buster-ignore-unfixed.json.golden +++ b/integration/testdata/debian-buster-ignore-unfixed.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/debian-buster.tar.gz (debian 10.1)", + "Type": "debian", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2019-5094", @@ -10,6 +11,8 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -21,6 +24,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "e2fsprogs", + "InstalledVersion": "1.44.5-1+deb10u1", + "FixedVersion": "1.44.5-1+deb10u3", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "libcom-err2", @@ -29,6 +53,8 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -40,6 +66,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libcom-err2", + "InstalledVersion": "1.44.5-1+deb10u1", + "FixedVersion": "1.44.5-1+deb10u3", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "libext2fs2", @@ -48,6 +95,8 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -59,6 +108,89 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libext2fs2", + "InstalledVersion": "1.44.5-1+deb10u1", + "FixedVersion": "1.44.5-1+deb10u3", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18224", + "PkgName": "libidn2-0", + "InstalledVersion": "2.0.5-1", + "FixedVersion": "2.0.5-1+deb10u1", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c", + "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.", + "Severity": "HIGH", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224", + 
"https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c", + "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/", + "https://usn.ubuntu.com/4168-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "libncursesw6", + "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "libncursesw6", + "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses 
before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "libss2", @@ -67,6 +199,8 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -77,6 +211,193 @@ "https://usn.ubuntu.com/4142-2/", "https://www.debian.org/security/2019/dsa-4535" ] + }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libss2", + "InstalledVersion": "1.44.5-1+deb10u1", + "FixedVersion": "1.44.5-1+deb10u3", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-15718", + "PkgName": "libsystemd0", + "InstalledVersion": "241-7~deb10u1", + "FixedVersion": "241-7~deb10u2", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", + "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. 
An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-15718.html", + "http://linux.oracle.com/errata/ELSA-2019-3592.html", + "http://www.openwall.com/lists/oss-security/2019/09/03/1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "libtinfo6", + "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "libtinfo6", + "InstalledVersion": 
"6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-15718", + "PkgName": "libudev1", + "InstalledVersion": "241-7~deb10u1", + "FixedVersion": "241-7~deb10u2", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", + "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. 
An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-15718.html", + "http://linux.oracle.com/errata/ELSA-2019-3592.html", + "http://www.openwall.com/lists/oss-security/2019/09/03/1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-base", + "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses-base", + "InstalledVersion": 
"6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-bin", + "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses-bin", + "InstalledVersion": "6.1+20181013-2+deb10u1", + 
"FixedVersion": "6.1+20181013-2+deb10u2", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] } ] } diff --git a/integration/testdata/debian-buster.json.golden b/integration/testdata/debian-buster.json.golden index d46b80bdbd..eda7a70eda 100644 --- a/integration/testdata/debian-buster.json.golden +++ b/integration/testdata/debian-buster.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/debian-buster.tar.gz (debian 10.1)", + "Type": "debian", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2011-3374", 
@@ -9,7 +10,33 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, - "Severity": "LOW" + "SeveritySource": "debian", + "Description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2011-3374", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", + "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", + "https://security-tracker.debian.org/tracker/CVE-2011-3374", + "https://snyk.io/vuln/SNYK-LINUX-APT-116518" + ] + }, + { + "VulnerabilityID": "CVE-2019-18276", + "PkgName": "bash", + "InstalledVersion": "5.0-4", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped", + "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html", + "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff", + "https://www.youtube.com/watch?v=-wGtxJ8opa8" + ] }, { "VulnerabilityID": "TEMP-0841856-B18BAF", 
@@ -18,6 +45,7 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Severity": "LOW"
 },
 {
@@ -27,6 +55,7 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "coreutils: Non-privileged session can escape to the parent session in chroot",
 "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
 "Severity": "LOW",
@@ -42,6 +71,7 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "coreutils: race condition vulnerability in chown and chgrp",
 "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.",
 "Severity": "LOW",
@@ -57,6 +87,8 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "nvd",
+ "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
 "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
 "Severity": "MEDIUM",
 "References": [
@@ -68,6 +100,27 @@
 "https://www.debian.org/security/2019/dsa-4535"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-5188",
+ "PkgName": "e2fsprogs",
+ "InstalledVersion": "1.44.5-1+deb10u1",
+ "FixedVersion": "1.44.5-1+deb10u3",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "SeveritySource": "nvd",
+ "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
+ "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+ "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+ "https://usn.ubuntu.com/4249-1/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2018-12886",
 "PkgName": "gcc-8-base",
@@ -75,6 +128,7 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "nvd",
 "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass",
 "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
 "Severity": "MEDIUM",
@@ -90,13 +144,34 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "nvd",
 "Title": "gcc: POWER9 \"DARN\" RNG intrinsic produces repeated output",
 "Description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
 "Severity": "MEDIUM",
 "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html",
 "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-14855",
+ "PkgName": "gpgv",
+ "InstalledVersion": "2.2.12-1+deb10u1",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "SeveritySource": "debian",
+ "Title": "gnupg2: OpenPGP Key Certification Forgeries with SHA-1",
+ "Description": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.",
+ "Severity": "LOW",
+ "References": [
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855",
+ "https://dev.gnupg.org/T4755",
+ "https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html",
+ "https://rwc.iacr.org/2020/slides/Leurent.pdf"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2011-3374",
 "PkgName": "libapt-pkg5.0",
@@ -104,21 +179,38 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
- "Severity": "LOW"
+ "SeveritySource": "debian",
+ "Description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.",
+ "Severity": "LOW",
+ "References": [
+ "https://access.redhat.com/security/cve/cve-2011-3374",
+ "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480",
+ "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html",
+ "https://security-tracker.debian.org/tracker/CVE-2011-3374",
+ "https://snyk.io/vuln/SNYK-LINUX-APT-116518"
+ ]
 },
 {
- "VulnerabilityID": "CVE-2019-1010022",
+ "VulnerabilityID": "CVE-2020-1752",
 "PkgName": "libc-bin",
 "InstalledVersion": "2.28-10",
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
- "Title": "glibc: stack guard protection bypass",
- "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
- "Severity": "HIGH",
- "References": [
- "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
- ]
+ "Title": "glibc: use-after-free in glob() function when expanding ~user",
+ "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. 
A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.",
+ "Severity": "HIGH"
+ },
+ {
+ "VulnerabilityID": "CVE-2020-1751",
+ "PkgName": "libc-bin",
+ "InstalledVersion": "2.28-10",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "Title": "glibc: array overflow in backtrace on powerpc",
+ "Description": "No description is available for this CVE.",
+ "Severity": "MEDIUM"
 },
 {
 "VulnerabilityID": "CVE-2010-4051",
@@ -127,9 +219,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine",
 "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://cxib.net/stuff/proftpd.gnu.c",
 "http://seclists.org/fulldisclosure/2011/Jan/78",
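Review bot: The two new libc-bin entries CVE-2020-1752 and CVE-2020-1751 carry neither a `SeveritySource` nor a `References` array, while every other entry touched in this file gains `"SeveritySource": "debian"` or `"nvd"`, and CVE-2020-1751 ships the placeholder text `"Description": "No description is available for this CVE."`. If the scanner is meant to omit `SeveritySource` only when no rating source knew the CVE, that should be confirmed against the trivy-db snapshot pinned in go.mod before the golden is accepted as-is, because a missing source silently changes how severity filtering and reporting treat these HIGH/MEDIUM findings, and the integration test will lock that in. The same two entries appear again for libc6 further down in this file.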
@@ -151,9 +244,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine",
 "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://cxib.net/stuff/proftpd.gnu.c",
 "http://seclists.org/fulldisclosure/2011/Jan/78",
@@ -175,9 +269,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions",
 "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://cxib.net/stuff/glob-0day.c",
 "http://securityreason.com/achievement_securityalert/89",
@@ -191,9 +286,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: iconv program can hang when invoked with the -c option",
 "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://openwall.com/lists/oss-security/2017/03/01/10",
 "http://www.securityfocus.com/bid/96525",
@@ -207,14 +303,31 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
 "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/107160",
 "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141",
 "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html",
- "https://security.netapp.com/advisory/ntap-20190315-0002/"
+ "https://security.netapp.com/advisory/ntap-20190315-0002/",
+ "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-1010022",
+ "PkgName": "libc-bin",
+ "InstalledVersion": "2.28-10",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "SeveritySource": "debian",
+ "Title": "glibc: stack guard protection bypass",
+ "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
+ "Severity": "LOW",
+ "References": [
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
 ]
 },
 {
@@ -224,8 +337,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
+ "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation",
 "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/109167",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=22851",
@@ -239,8 +354,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
+ "Title": "glibc: ASLR bypass using cache of thread stack and heap",
 "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/109162",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=22852",
@@ -254,13 +371,30 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: information disclosure of heap addresses of pthread_created thread",
 "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-19126",
+ "PkgName": "libc-bin",
+ "InstalledVersion": "2.28-10",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "SeveritySource": "nvd",
+ "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries",
+ "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.",
+ "Severity": "LOW",
+ "References": [
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=25204"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2019-9192",
 "PkgName": "libc-bin",
@@ -268,26 +402,53 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
 "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
- "https://sourceware.org/bugzilla/show_bug.cgi?id=24269"
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=24269",
+ "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS"
 ]
 },
 {
- "VulnerabilityID": "CVE-2019-1010022",
+ "VulnerabilityID": "CVE-2020-10029",
+ "PkgName": "libc-bin",
+ "InstalledVersion": "2.28-10",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "SeveritySource": "nvd",
+ "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions",
+ "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. 
This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
+ "Severity": "LOW",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=25487",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2020-1752",
 "PkgName": "libc6",
 "InstalledVersion": "2.28-10",
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
- "Title": "glibc: stack guard protection bypass",
- "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
- "Severity": "HIGH",
- "References": [
- "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
- ]
+ "Title": "glibc: use-after-free in glob() function when expanding ~user",
+ "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.",
+ "Severity": "HIGH"
+ },
+ {
+ "VulnerabilityID": "CVE-2020-1751",
+ "PkgName": "libc6",
+ "InstalledVersion": "2.28-10",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "Title": "glibc: array overflow in backtrace on powerpc",
+ "Description": "No description is available for this CVE.",
+ "Severity": "MEDIUM"
 },
 {
 "VulnerabilityID": "CVE-2010-4051",
@@ -296,9 +457,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine",
 "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://cxib.net/stuff/proftpd.gnu.c",
 "http://seclists.org/fulldisclosure/2011/Jan/78",
@@ -320,9 +482,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine",
 "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://cxib.net/stuff/proftpd.gnu.c",
 "http://seclists.org/fulldisclosure/2011/Jan/78",
@@ -344,9 +507,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions",
 "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://cxib.net/stuff/glob-0day.c",
 "http://securityreason.com/achievement_securityalert/89",
@@ -360,9 +524,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: iconv program can hang when invoked with the -c option",
 "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://openwall.com/lists/oss-security/2017/03/01/10",
 "http://www.securityfocus.com/bid/96525",
@@ -376,14 +541,31 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
 "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/107160",
 "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141",
 "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html",
- "https://security.netapp.com/advisory/ntap-20190315-0002/"
+ "https://security.netapp.com/advisory/ntap-20190315-0002/",
+ "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-1010022",
+ "PkgName": "libc6",
+ "InstalledVersion": "2.28-10",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "SeveritySource": "debian",
+ "Title": "glibc: stack guard protection bypass",
+ "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
+ "Severity": "LOW",
+ "References": [
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
 ]
 },
 {
@@ -393,8 +575,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
+ "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation",
 "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/109167",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=22851",
@@ -408,8 +592,10 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
+ "Title": "glibc: ASLR bypass using cache of thread stack and heap",
 "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/109162",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=22852",
@@ -423,13 +609,30 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: information disclosure of heap addresses of pthread_created thread",
 "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-19126",
+ "PkgName": "libc6",
+ "InstalledVersion": "2.28-10",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "SeveritySource": "nvd",
+ "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries",
+ "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.",
+ "Severity": "LOW",
+ "References": [
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=25204"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2019-9192",
 "PkgName": "libc6",
@@ -437,11 +640,30 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
 "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
- "https://sourceware.org/bugzilla/show_bug.cgi?id=24269"
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=24269",
+ "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2020-10029",
+ "PkgName": "libc6",
+ "InstalledVersion": "2.28-10",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "SeveritySource": "nvd",
+ "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions",
+ "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
+ "Severity": "LOW",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=25487",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f"
 ]
 },
 {
@@ -452,6 +674,8 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "nvd",
+ "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
 "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
 "Severity": "MEDIUM",
 "References": [
@@ -463,6 +687,27 @@
 "https://www.debian.org/security/2019/dsa-4535"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-5188",
+ "PkgName": "libcom-err2",
+ "InstalledVersion": "1.44.5-1+deb10u1",
+ "FixedVersion": "1.44.5-1+deb10u3",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "SeveritySource": "nvd",
+ "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
+ "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+ "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+ "https://usn.ubuntu.com/4249-1/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2019-5094",
 "PkgName": "libext2fs2",
@@ -471,6 +716,8 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "nvd",
+ "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
 "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
 "Severity": "MEDIUM",
 "References": [
@@ -482,6 +729,27 @@
 "https://www.debian.org/security/2019/dsa-4535"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-5188",
+ "PkgName": "libext2fs2",
+ "InstalledVersion": "1.44.5-1+deb10u1",
+ "FixedVersion": "1.44.5-1+deb10u3",
+ "Layer": {
+ "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
+ },
+ "SeveritySource": "nvd",
+ "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
+ "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+ "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+ "https://usn.ubuntu.com/4249-1/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2018-12886",
 "PkgName": "libgcc1",
@@ -489,6 +757,7 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "nvd",
 "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass",
 "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
 "Severity": "MEDIUM",
@@ -504,29 +773,16 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "nvd",
 "Title": "gcc: POWER9 \"DARN\" RNG intrinsic produces repeated output",
 "Description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.",
 "Severity": "MEDIUM",
 "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html",
 "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"
 ]
 },
- {
- "VulnerabilityID": "CVE-2018-6829",
- "PkgName": "libgcrypt20",
- "InstalledVersion": "1.8.4-5",
- "Layer": {
- "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
- },
- "Title": "libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information",
- "Description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.",
- "Severity": "MEDIUM",
- "References": [
- "https://github.com/weikengchen/attack-on-libgcrypt-elgamal",
- "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki",
- "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html"
- ]
- },
 {
 "VulnerabilityID": "CVE-2019-12904",
 "PkgName": "libgcrypt20",
@@ -534,6 +790,7 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "nvd",
 "Title": "Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack",
 "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)",
 "Severity": "MEDIUM",
@@ -552,18 +809,39 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", + "Title": "libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library", "Description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html", "http://www.openwall.com/lists/oss-security/2019/10/02/2", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13627", + "https://dev.gnupg.org/T4683", "https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5", "https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html", "https://minerva.crocs.fi.muni.cz/", "https://security-tracker.debian.org/tracker/CVE-2019-13627" ] }, + { + "VulnerabilityID": "CVE-2018-6829", + "PkgName": "libgcrypt20", + "InstalledVersion": "1.8.4-5", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information", + "Description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "Severity": "LOW", + "References": [ + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ] + }, { "VulnerabilityID": "CVE-2011-3389", "PkgName": "libgnutls30", @@ -571,9 +849,10 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)", "Description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/", "http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx", 
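Review bot: CVE-2011-3389 (BEAST) drops from MEDIUM to LOW in this hunk because `SeveritySource` is now `debian`, and CVE-2018-6829 in the hunk just above does the same, so the fixture now encodes that the distribution's severity takes precedence over NVD whenever both exist. That precedence is a user-visible behavior change for anyone filtering with `--severity` or gating CI on the exit code, so it should be stated in the changelog/README if the commit description (outside this chunk) does not already say so, and pinned by a unit test on the severity-selection code rather than only by this golden file. Worth adding a short comment in the test that loads this fixture, e.g. `// Severity follows SeveritySource: distro advisory wins over NVD when both are present`, so the next db bump does not get "fixed" by reverting the expected values.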
@@ -585,6 +864,8 @@
 "http://eprint.iacr.org/2006/136",
 "http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html",
 "http://isc.sans.edu/diary/SSL+TLS+part+3+/11635",
+ "http://linux.oracle.com/cve/CVE-2011-3389.html",
+ "http://linux.oracle.com/errata/ELSA-2011-1380.html",
 "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html",
 "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html",
 "http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html",
@@ -665,6 +946,45 @@ "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752" ] }, + { + "VulnerabilityID": "CVE-2019-18224", + "PkgName": "libidn2-0", + "InstalledVersion": "2.0.5-1", + "FixedVersion": "2.0.5-1+deb10u1", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c", + "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.", + "Severity": "HIGH", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224", + "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c", + "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/", + "https://usn.ubuntu.com/4168-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-12290", + "PkgName": "libidn2-0", + "InstalledVersion": "2.0.5-1", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. 
By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.", + "Severity": "MEDIUM", + "References": [ + "https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5", + "https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de", + "https://gitlab.com/libidn/libidn2/merge_requests/71", + "https://usn.ubuntu.com/4168-1/" + ] + }, { "VulnerabilityID": "CVE-2019-17543", "PkgName": "liblz4-1", 
@@ -672,26 +992,41 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", + "Title": "lz4: heap-based buffer overflow in LZ4_write32", "Description": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941", "https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2", "https://github.com/lz4/lz4/issues/801", "https://github.com/lz4/lz4/pull/756", - "https://github.com/lz4/lz4/pull/760" + "https://github.com/lz4/lz4/pull/760", + "https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E" ] }, { "VulnerabilityID": "CVE-2019-17594", "PkgName": "libncursesw6", "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based 
buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] @@ -700,12 +1035,18 @@ "VulnerabilityID": "CVE-2019-17595", "PkgName": "libncursesw6", "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -717,48 +1058,15 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/07/11/3", "http://www.securityfocus.com/bid/99575" ] }, - { - "VulnerabilityID": "CVE-2017-7245", - "PkgName": "libpcre3", - "InstalledVersion": "2:8.39-12", - "Layer": { - "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" - }, - "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", - "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97067", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/", - "https://security.gentoo.org/glsa/201710-25" - ] - }, - { - "VulnerabilityID": "CVE-2017-7246", - "PkgName": "libpcre3", - "InstalledVersion": "2:8.39-12", - "Layer": { - "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" - }, - "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", - "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "Severity": 
"MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97067", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/", - "https://security.gentoo.org/glsa/201710-25" - ] - }, { "VulnerabilityID": "CVE-2017-16231", "PkgName": "libpcre3", @@ -766,6 +1074,7 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", "Description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", "Severity": "LOW", 
@@ -780,6 +1089,42 @@ "https://bugs.exim.org/show_bug.cgi?id=2047" ] }, + { + "VulnerabilityID": "CVE-2017-7245", + "PkgName": "libpcre3", + "InstalledVersion": "2:8.39-12", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", + "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97067", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/", + "https://security.gentoo.org/glsa/201710-25" + ] + }, + { + "VulnerabilityID": "CVE-2017-7246", + "PkgName": "libpcre3", + "InstalledVersion": "2:8.39-12", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", + "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97067", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/", + "https://security.gentoo.org/glsa/201710-25" + ] + }, { "VulnerabilityID": "CVE-2019-9893", "PkgName": "libseccomp2", 
@@ -787,10 +1132,13 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "libseccomp: incorrect generation of syscall filters in libseccomp", "Description": "libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9893.html", + "http://linux.oracle.com/errata/ELSA-2019-3624.html", "https://github.com/seccomp/libseccomp/issues/139", "https://seclists.org/oss-sec/2019/q1/179", "https://security.gentoo.org/glsa/201904-18", @@ -806,6 +1154,8 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -817,6 +1167,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libss2", + "InstalledVersion": "1.44.5-1+deb10u1", + "FixedVersion": "1.44.5-1+deb10u3", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2018-12886", "PkgName": "libstdc++6", 
@@ -824,6 +1195,7 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "nvd",
 "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass",
 "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
 "Severity": "MEDIUM",
@@ -839,29 +1211,29 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", "Title": "gcc: POWER9 \"DARN\" RNG intrinsic produces repeated output", "Description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", "Severity": "MEDIUM", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481" ] }, { - "VulnerabilityID": "CVE-2018-20839", + "VulnerabilityID": "CVE-2020-1712", "PkgName": "libsystemd0", "InstalledVersion": "241-7~deb10u1", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, - "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker", - "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.", - "Severity": "MEDIUM", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. 
A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "HIGH", "References": [ - "http://www.securityfocus.com/bid/108389", - "https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993", - "https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f", - "https://github.com/systemd/systemd/pull/12378", - "https://security.netapp.com/advisory/ntap-20190530-0002/" + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" ] }, { @@ -871,6 +1243,7 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", "Title": "systemd: services with DynamicUser can create SUID/SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", "Severity": "MEDIUM", @@ -888,6 +1261,7 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", "Severity": "MEDIUM", 
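Review bot: The replacement libsystemd0 entry (CVE-2020-1712, Severity HIGH) carries no `FixedVersion` and only two linux.oracle.com references, while most other entries in this commit gained a `FixedVersion` and Debian/upstream references from the new trivy-db; worth confirming against the db snapshot that buster really has no fix for 241-7~deb10u1 rather than that the Debian advisory data was not merged, because a HIGH finding without a fix hint is exactly what users will act on. The old CVE-2018-20839 entry disappears from the expected output with no visible reason; if it was dropped because the advisory no longer applies to this package version that is fine, but a golden file silently losing a finding should be called out in the commit description, which is outside this chunk. The same replacement appears for libudev1 in the hunk `@@ -966,32 +1371,35 @@` below.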
@@ -904,6 +1278,7 @@
 "Layer": {
 "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d"
 },
+ "SeveritySource": "debian",
 "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts",
 "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.",
 "Severity": "LOW",
@@ -917,20 +1292,43 @@ "VulnerabilityID": "CVE-2019-15718", "PkgName": "libsystemd0", "InstalledVersion": "241-7~deb10u1", + "FixedVersion": "241-7~deb10u2", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-15718.html", + "http://linux.oracle.com/errata/ELSA-2019-3592.html", "http://www.openwall.com/lists/oss-security/2019/09/03/1", "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" ] }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "libsystemd0", + "InstalledVersion": "241-7~deb10u1", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. 
When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, { "VulnerabilityID": "CVE-2018-1000654", "PkgName": "libtasn1-6", @@ -938,9 +1336,10 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion", "Description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html", 
@@ -952,12 +1351,18 @@ "VulnerabilityID": "CVE-2019-17594", "PkgName": "libtinfo6", "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -966,32 +1371,35 @@ "VulnerabilityID": "CVE-2019-17595", "PkgName": "libtinfo6", "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] }, { - "VulnerabilityID": "CVE-2018-20839", + "VulnerabilityID": "CVE-2020-1712", "PkgName": "libudev1", "InstalledVersion": "241-7~deb10u1", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, - "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker", - "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.", - "Severity": "MEDIUM", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. 
A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "HIGH", "References": [ - "http://www.securityfocus.com/bid/108389", - "https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993", - "https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f", - "https://github.com/systemd/systemd/pull/12378", - "https://security.netapp.com/advisory/ntap-20190530-0002/" + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" ] }, { @@ -1001,6 +1409,7 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", "Title": "systemd: services with DynamicUser can create SUID/SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", "Severity": "MEDIUM", @@ -1018,6 +1427,7 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", "Severity": "MEDIUM", 
@@ -1034,6 +1444,7 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", "Severity": "LOW", 
@@ -1047,20 +1458,43 @@ "VulnerabilityID": "CVE-2019-15718", "PkgName": "libudev1", "InstalledVersion": "241-7~deb10u1", + "FixedVersion": "241-7~deb10u2", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "nvd", "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-15718.html", + "http://linux.oracle.com/errata/ELSA-2019-3592.html", "http://www.openwall.com/lists/oss-security/2019/09/03/1", "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" ] }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "libudev1", + "InstalledVersion": "241-7~deb10u1", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "nvd", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. 
When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, { "VulnerabilityID": "CVE-2012-2663", "PkgName": "libxtables12", @@ -1068,9 +1502,10 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "iptables: --syn flag bypass", "Description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.spinics.net/lists/netfilter-devel/msg21248.html", "https://bugzilla.redhat.com/show_bug.cgi?id=826702" @@ -1083,8 +1518,9 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Description": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://0day.work/cve-2019-11360-bufferoverflow-in-iptables-restore-v1-8-2/", "https://git.netfilter.org/iptables/commit/iptables/xshared.c?id=2ae1099a42e6a0f06de305ca13a842ac83d4683e" 
@@ -1097,8 +1533,9 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://secunia.com/advisories/27215", "http://www.securityfocus.com/archive/1/482129/100/100/threaded", @@ -1108,21 +1545,6 @@ "https://issues.rpath.com/browse/RPL-1825" ] }, - { - "VulnerabilityID": "CVE-2018-7169", - "PkgName": "login", - "InstalledVersion": "1:4.5-1.1", - "Layer": { - "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" - }, - "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", - "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", - "https://security.gentoo.org/glsa/201805-09" - ] - }, { "VulnerabilityID": "CVE-2013-4235", "PkgName": "login", 
@@ -1130,9 +1552,50 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", - "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.", - "Severity": "LOW" + "Description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2013-4235", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", + "https://security-tracker.debian.org/tracker/CVE-2013-4235" + ] + }, + { + "VulnerabilityID": "CVE-2018-7169", + "PkgName": "login", + "InstalledVersion": "1:4.5-1.1", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", + "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. 
This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", + "Severity": "LOW", + "References": [ + "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", + "https://security.gentoo.org/glsa/201805-09" + ] + }, + { + "VulnerabilityID": "CVE-2019-19882", + "PkgName": "login", + "InstalledVersion": "1:4.5-1.1", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", + "Description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", + "Severity": "LOW", + "References": [ + "https://bugs.archlinux.org/task/64836", + "https://bugs.gentoo.org/702252", + "https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75", + "https://github.com/shadow-maint/shadow/pull/199", + "https://github.com/void-linux/void-packages/pull/17580" + ] }, { "VulnerabilityID": "TEMP-0628843-DBAD28", 
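Review bot: The rewritten `Description` for CVE-2013-4235 on `login` is now a title-style one-liner (`shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees`) that drops the precondition the old text carried — a local attacker needs write access to a directory that usermod/userdel copies or removes — so the report is less useful for triage exactly where Debian rates the issue LOW. That text reads like a tracker summary substituted for a missing NVD description; if so the regression is in the trivy-db snapshot rather than this repo, but the golden should not be accepted as "expected" without checking. The same hunk adds CVE-2019-19882 against shadow 1:4.5-1.1 with no `FixedVersion`, while its own description says the problem is shadow 4.8 built with `--with-libpam` and setuid account tools; whether Debian's 4.5 package is affected is not something the fixture can show, so confirm it against the Debian tracker rather than baking in a possible false positive. The identical pair of entries repeats for the `passwd` package further down in this file.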
@@ -1141,18 +1604,25 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Severity": "LOW" }, { "VulnerabilityID": "CVE-2019-17594", "PkgName": "ncurses-base", "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -1161,12 +1631,18 @@ "VulnerabilityID": "CVE-2019-17595", "PkgName": "ncurses-base", "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -1175,12 +1651,18 @@ "VulnerabilityID": "CVE-2019-17594", "PkgName": "ncurses-bin", "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] @@ -1189,12 +1671,18 @@ "VulnerabilityID": "CVE-2019-17595", "PkgName": "ncurses-bin", "InstalledVersion": "6.1+20181013-2+deb10u1", + "FixedVersion": "6.1+20181013-2+deb10u2", "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -1206,8 +1694,9 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://secunia.com/advisories/27215", "http://www.securityfocus.com/archive/1/482129/100/100/threaded", @@ -1217,21 +1706,6 @@ "https://issues.rpath.com/browse/RPL-1825" ] }, - { - "VulnerabilityID": "CVE-2018-7169", - "PkgName": "passwd", - "InstalledVersion": "1:4.5-1.1", - "Layer": { - "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" - }, - "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", - "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", - "https://security.gentoo.org/glsa/201805-09" - ] - }, { "VulnerabilityID": "CVE-2013-4235", "PkgName": "passwd", 
@@ -1239,9 +1713,50 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", - "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.", - "Severity": "LOW" + "Description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2013-4235", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", + "https://security-tracker.debian.org/tracker/CVE-2013-4235" + ] + }, + { + "VulnerabilityID": "CVE-2018-7169", + "PkgName": "passwd", + "InstalledVersion": "1:4.5-1.1", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", + "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. 
This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", + "Severity": "LOW", + "References": [ + "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", + "https://security.gentoo.org/glsa/201805-09" + ] + }, + { + "VulnerabilityID": "CVE-2019-19882", + "PkgName": "passwd", + "InstalledVersion": "1:4.5-1.1", + "Layer": { + "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" + }, + "SeveritySource": "debian", + "Title": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", + "Description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", + "Severity": "LOW", + "References": [ + "https://bugs.archlinux.org/task/64836", + "https://bugs.gentoo.org/702252", + "https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75", + "https://github.com/shadow-maint/shadow/pull/199", + "https://github.com/void-linux/void-packages/pull/17580" + ] }, { "VulnerabilityID": "TEMP-0628843-DBAD28", 
@@ -1250,6 +1765,7 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Severity": "LOW" }, { @@ -1259,9 +1775,17 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "perl: File::Temp insecure temporary file handling", - "Description": "No description is available for this CVE.", - "Severity": "LOW" + "Description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2011/11/04/2", + "http://www.openwall.com/lists/oss-security/2011/11/04/4", + "https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14", + "https://rt.cpan.org/Public/Bug/Display.html?id=69106", + "https://seclists.org/oss-sec/2011/q4/238" + ] }, { "VulnerabilityID": "TEMP-0517018-A83CE6", @@ -1270,6 +1794,7 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Severity": "LOW" }, { @@ -1279,8 +1804,9 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", - "Severity": "CRITICAL", + "Severity": "LOW", "References": [ "http://marc.info/?l=bugtraq\u0026m=112327628230258\u0026w=2" ] 
@@ -1292,9 +1818,10 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", @@ -1309,6 +1836,7 @@ "Layer": { "DiffID": "sha256:78c1b9419976227e05be9d243b7fa583bea44a5258e52018b2af4cdfe23d148d" }, + "SeveritySource": "debian", "Severity": "LOW" } ] diff --git a/integration/testdata/debian-stretch.json.golden b/integration/testdata/debian-stretch.json.golden index b5ac18e8fd..964f741b27 100644 --- a/integration/testdata/debian-stretch.json.golden +++ b/integration/testdata/debian-stretch.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/debian-stretch.tar.gz (debian 9.9)", + "Type": "debian", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2011-3374", 
@@ -9,7 +10,33 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, - "Severity": "LOW" + "SeveritySource": "debian", + "Description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2011-3374", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", + "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", + "https://security-tracker.debian.org/tracker/CVE-2011-3374", + "https://snyk.io/vuln/SNYK-LINUX-APT-116518" + ] + }, + { + "VulnerabilityID": "CVE-2019-18276", + "PkgName": "bash", + "InstalledVersion": "4.4-5", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped", + "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html", + "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff", + "https://www.youtube.com/watch?v=-wGtxJ8opa8" + ] }, { "VulnerabilityID": "TEMP-0841856-B18BAF", 
@@ -18,6 +45,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Severity": "LOW" }, { @@ -27,6 +55,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "Severity": "HIGH", @@ -44,6 +73,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "Severity": "LOW", @@ -59,6 +89,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "coreutils: race condition vulnerability in chown and chgrp", "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", "Severity": "LOW", 
@@ -74,6 +105,8 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ @@ -85,6 +118,26 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "e2fslibs", + "InstalledVersion": "1.43.4-2", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "e2fsprogs", 
@@ -93,6 +146,8 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ @@ -104,6 +159,26 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "e2fsprogs", + "InstalledVersion": "1.43.4-2", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2018-12886", "PkgName": "gcc-6-base", 
@@ -111,6 +186,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", "Severity": "MEDIUM", @@ -126,6 +202,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure or denial of service", "Description": "GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060.", "Severity": "MEDIUM", 
@@ -143,15 +220,34 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys", "Description": "GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234", "https://dev.gnupg.org/T3844", "https://usn.ubuntu.com/3675-1/" ] }, + { + "VulnerabilityID": "CVE-2019-14855", + "PkgName": "gpgv", + "InstalledVersion": "2.1.18-8~deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "gnupg2: OpenPGP Key Certification Forgeries with SHA-1", + "Description": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.", + "Severity": "LOW", + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855", + "https://dev.gnupg.org/T4755", + "https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html", + "https://rwc.iacr.org/2020/slides/Leurent.pdf" + ] + }, { "VulnerabilityID": "CVE-2011-3374", "PkgName": "libapt-pkg5.0", 
@@ -159,7 +255,16 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, - "Severity": "LOW" + "SeveritySource": "debian", + "Description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2011-3374", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", + "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", + "https://security-tracker.debian.org/tracker/CVE-2011-3374", + "https://snyk.io/vuln/SNYK-LINUX-APT-116518" + ] }, { "VulnerabilityID": "CVE-2016-2779", @@ -168,6 +273,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "Severity": "HIGH", @@ -185,6 +291,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "bzip2: out-of-bounds write in function BZ2_decompress", "Description": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "Severity": "HIGH", 
@@ -203,10 +310,13 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation", "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000001.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://seclists.org/oss-sec/2018/q1/38", "http://www.securityfocus.com/bid/102525", "http://www.securitytracker.com/id/1040162", @@ -227,17 +337,21 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", "Severity": "HIGH", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, 
@@ -248,6 +362,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: integer overflow in malloc functions", "Description": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.", "Severity": "HIGH", @@ -258,20 +373,6 @@ "https://sourceware.org/git/?p=glibc.git;a=commit;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22" ] }, - { - "VulnerabilityID": "CVE-2019-1010022", - "PkgName": "libc-bin", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "glibc: stack guard protection bypass", - "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ] - }, { "VulnerabilityID": "CVE-2019-9169", "PkgName": "libc-bin", @@ -279,6 +380,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", "Severity": "HIGH", 
@@ -294,6 +396,17 @@ "https://support.f5.com/csp/article/K54823184" ] }, + { + "VulnerabilityID": "CVE-2020-1752", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "Title": "glibc: use-after-free in glob() function when expanding ~user", + "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.", + "Severity": "HIGH" + }, { "VulnerabilityID": "CVE-2009-5155", "PkgName": "libc-bin", @@ -301,6 +414,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", "Severity": "MEDIUM", 
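Review bot: The new CVE-2020-1752 entry carries `"Severity": "HIGH"` but no `SeveritySource` and no `References`, while every other entry touched in this diff gained `"SeveritySource": "nvd"` or `"SeveritySource": "debian"`, so the golden file now freezes output in which a HIGH rating has no recorded provenance. The same shape recurs for CVE-2020-1751 further down, whose description is also the placeholder `No description is available for this CVE.` with no references. If the key is deliberately omitted when the severity comes from a source that is not tracked, that fallback should be stated in the documentation of the `Severity`/`SeveritySource` fields; if not, this looks like a gap in how `SeveritySource` is populated rather than behaviour a fixture should pin. Worth confirming against the trivy-db revision this fixture tracks before freezing it.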
@@ -317,6 +431,60 @@ "https://support.f5.com/csp/article/K64119434" ] }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, + { + "VulnerabilityID": "CVE-2017-12132", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", + "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2017-12132.html", + 
"http://linux.oracle.com/errata/ELSA-2018-0805.html", + "http://www.securityfocus.com/bid/100598", + "https://access.redhat.com/errata/RHSA-2018:0805", + "https://arxiv.org/pdf/1205.4011.pdf", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" + ] + }, + { + "VulnerabilityID": "CVE-2020-1751", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "Title": "glibc: array overflow in backtrace on powerpc", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM" + }, { "VulnerabilityID": "CVE-2010-4051", "PkgName": "libc-bin", @@ -324,9 +492,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", 
@@ -348,9 +517,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", @@ -372,9 +542,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/glob-0day.c", "http://securityreason.com/achievement_securityalert/89", 
@@ -388,9 +559,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", 
@@ -406,52 +578,16 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", "https://sourceware.org/bugzilla/show_bug.cgi?id=19519" ] }, - { - "VulnerabilityID": "CVE-2016-10739", - "PkgName": "libc-bin", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", - "http://www.securityfocus.com/bid/106672", - "https://access.redhat.com/errata/RHSA-2019:2118", - "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" - ] - }, - { - "VulnerabilityID": "CVE-2017-12132", - "PkgName": "libc-bin", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - 
"Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", - "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100598", - "https://access.redhat.com/errata/RHSA-2018:0805", - "https://arxiv.org/pdf/1205.4011.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" - ] - }, { "VulnerabilityID": "CVE-2018-20796", "PkgName": "libc-bin", 
@@ -459,14 +595,31 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107160", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "https://security.netapp.com/advisory/ntap-20190315-0002/" + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" ] }, { 
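Review bot: CVE-2019-1010022 (glibc stack guard protection bypass) is re-added here as `"SeveritySource": "debian"` with `"Severity": "LOW"`, whereas the entry removed earlier in this diff rated it HIGH from NVD; the fixture therefore appears to encode a precedence of the distribution's rating over NVD's, and the same MEDIUM-to-LOW shift applies to the other `"debian"`-sourced glibc entries in this hunk. That is a defensible choice, but it changes what any consumer filtering on severity sees for Debian images, so the precedence rule (distro advisory first, NVD only as fallback) should be documented on the `Severity`/`SeveritySource` fields rather than being discoverable only from this golden file. If a user-visible note already exists it should be cross-referenced from the test that consumes this fixture.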
@@ -476,8 +629,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109167", "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", @@ -491,8 +646,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "glibc: ASLR bypass using cache of thread stack and heap", "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109162", "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", 
@@ -506,13 +663,30 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: information disclosure of heap addresses of pthread_created thread", "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://sourceware.org/bugzilla/show_bug.cgi?id=22853" ] }, + { + "VulnerabilityID": "CVE-2019-19126", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", + "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", + "Severity": "LOW", + "References": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25204" + ] + }, { "VulnerabilityID": "CVE-2019-6488", "PkgName": "libc-bin", 
@@ -520,29 +694,16 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault", "Description": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/106671", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6488", "https://sourceware.org/bugzilla/show_bug.cgi?id=24097" ] }, - { - "VulnerabilityID": "CVE-2019-9192", - "PkgName": "libc-bin", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", - "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" - ] - }, { "VulnerabilityID": "CVE-2019-7309", "PkgName": "libc-bin", 
@@ -550,6 +711,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: memcmp function incorrectly returns zero", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.", "Severity": "LOW", 
@@ -560,6 +722,39 @@ "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html" ] }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2020-10029", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", + "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. 
This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25487", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f" + ] + }, { "VulnerabilityID": "CVE-2018-1000001", "PkgName": "libc6", @@ -567,10 +762,13 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation", "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000001.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://seclists.org/oss-sec/2018/q1/38", "http://www.securityfocus.com/bid/102525", "http://www.securitytracker.com/id/1040162", 
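Review bot: The F5 reference added to CVE-2019-9192, `https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS`, contains an HTML-escaped ampersand (`\u0026amp;` is `&amp;`), so the link as emitted is malformed; the same string appears on the CVE-2018-20796 entry earlier in this diff. This is most likely HTML-entity residue from the upstream advisory feed that was not unescaped when the database was built, and freezing it in the golden file makes the defect part of the expected output. The URL should be `...utm_source=f5support\u0026utm_medium=RSS` (or the tracking query dropped), and the fix belongs in the data ingestion path rather than in this fixture.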
@@ -591,17 +789,21 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", "Severity": "HIGH", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, @@ -612,6 +814,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: integer overflow in malloc functions", "Description": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.", "Severity": "HIGH", 
@@ -622,20 +825,6 @@ "https://sourceware.org/git/?p=glibc.git;a=commit;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22" ] }, - { - "VulnerabilityID": "CVE-2019-1010022", - "PkgName": "libc6", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "glibc: stack guard protection bypass", - "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ] - }, { "VulnerabilityID": "CVE-2019-9169", "PkgName": "libc6", @@ -643,6 +832,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", "Severity": "HIGH", 
@@ -658,6 +848,17 @@ "https://support.f5.com/csp/article/K54823184" ] }, + { + "VulnerabilityID": "CVE-2020-1752", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "Title": "glibc: use-after-free in glob() function when expanding ~user", + "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.", + "Severity": "HIGH" + }, { "VulnerabilityID": "CVE-2009-5155", "PkgName": "libc6", @@ -665,6 +866,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", "Severity": "MEDIUM", 
@@ -681,6 +883,60 @@ "https://support.f5.com/csp/article/K64119434" ] }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, + { + "VulnerabilityID": "CVE-2017-12132", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", + "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2017-12132.html", + 
"http://linux.oracle.com/errata/ELSA-2018-0805.html", + "http://www.securityfocus.com/bid/100598", + "https://access.redhat.com/errata/RHSA-2018:0805", + "https://arxiv.org/pdf/1205.4011.pdf", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" + ] + }, + { + "VulnerabilityID": "CVE-2020-1751", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "Title": "glibc: array overflow in backtrace on powerpc", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM" + }, { "VulnerabilityID": "CVE-2010-4051", "PkgName": "libc6", @@ -688,9 +944,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", 
@@ -712,9 +969,10 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine",
 "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://cxib.net/stuff/proftpd.gnu.c",
 "http://seclists.org/fulldisclosure/2011/Jan/78",
@@ -736,9 +994,10 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions",
 "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://cxib.net/stuff/glob-0day.c",
 "http://securityreason.com/achievement_securityalert/89",
@@ -752,9 +1011,10 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: potential denial of service in pop_fail_stack()",
 "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.openwall.com/lists/oss-security/2017/02/14/9",
 "http://www.securityfocus.com/bid/76916",
@@ -770,52 +1030,16 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: iconv program can hang when invoked with the -c option",
 "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://openwall.com/lists/oss-security/2017/03/01/10",
 "http://www.securityfocus.com/bid/96525",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=19519"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-10739",
- "PkgName": "libc6",
- "InstalledVersion": "2.24-11+deb9u4",
- "Layer": {
- "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
- },
- "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
- "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
- "Severity": "MEDIUM",
- "References": [
- "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
- "http://www.securityfocus.com/bid/106672",
- "https://access.redhat.com/errata/RHSA-2019:2118",
- "https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-12132",
- "PkgName": "libc6",
- "InstalledVersion": "2.24-11+deb9u4",
- "Layer": {
- "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
- },
- "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled",
- "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.securityfocus.com/bid/100598",
- "https://access.redhat.com/errata/RHSA-2018:0805",
- "https://arxiv.org/pdf/1205.4011.pdf",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=21361"
- ]
- },
 {
 "VulnerabilityID": "CVE-2018-20796",
 "PkgName": "libc6",
@@ -823,14 +1047,31 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
 "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/107160",
 "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141",
 "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html",
- "https://security.netapp.com/advisory/ntap-20190315-0002/"
+ "https://security.netapp.com/advisory/ntap-20190315-0002/",
+ "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-1010022",
+ "PkgName": "libc6",
+ "InstalledVersion": "2.24-11+deb9u4",
+ "Layer": {
+ "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
+ },
+ "SeveritySource": "debian",
+ "Title": "glibc: stack guard protection bypass",
+ "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.",
+ "Severity": "LOW",
+ "References": [
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
 ]
 },
 {
@@ -840,8 +1081,10 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
+ "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation",
 "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/109167",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=22851",
@@ -855,8 +1098,10 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
+ "Title": "glibc: ASLR bypass using cache of thread stack and heap",
 "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/109162",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=22852",
@@ -870,13 +1115,30 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: information disclosure of heap addresses of pthread_created thread",
 "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-19126",
+ "PkgName": "libc6",
+ "InstalledVersion": "2.24-11+deb9u4",
+ "Layer": {
+ "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
+ },
+ "SeveritySource": "nvd",
+ "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries",
+ "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.",
+ "Severity": "LOW",
+ "References": [
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=25204"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2019-6488",
 "PkgName": "libc6",
@@ -884,29 +1146,16 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault",
 "Description": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.securityfocus.com/bid/106671",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6488",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24097"
 ]
 },
- {
- "VulnerabilityID": "CVE-2019-9192",
- "PkgName": "libc6",
- "InstalledVersion": "2.24-11+deb9u4",
- "Layer": {
- "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
- },
- "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
- "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
- "Severity": "MEDIUM",
- "References": [
- "https://sourceware.org/bugzilla/show_bug.cgi?id=24269"
- ]
- },
 {
 "VulnerabilityID": "CVE-2019-7309",
 "PkgName": "libc6",
@@ -914,6 +1163,7 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "glibc: memcmp function incorrectly returns zero",
 "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.",
 "Severity": "LOW",
@@ -924,6 +1174,39 @@
 "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-9192",
+ "PkgName": "libc6",
+ "InstalledVersion": "2.24-11+deb9u4",
+ "Layer": {
+ "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
+ },
+ "SeveritySource": "debian",
+ "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c",
+ "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
+ "Severity": "LOW",
+ "References": [
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=24269",
+ "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2020-10029",
+ "PkgName": "libc6",
+ "InstalledVersion": "2.24-11+deb9u4",
+ "Layer": {
+ "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
+ },
+ "SeveritySource": "nvd",
+ "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions",
+ "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
+ "Severity": "LOW",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=25487",
+ "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2019-5094",
 "PkgName": "libcomerr2",
@@ -932,6 +1215,8 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "nvd",
+ "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
 "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
 "Severity": "MEDIUM",
 "References": [
@@ -944,19 +1229,23 @@
 ]
 },
 {
- "VulnerabilityID": "CVE-2018-16402",
- "PkgName": "libelf1",
- "InstalledVersion": "0.168-1",
+ "VulnerabilityID": "CVE-2019-5188",
+ "PkgName": "libcomerr2",
+ "InstalledVersion": "1.43.4-2",
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
- "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
- "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
- "Severity": "HIGH",
+ "SeveritySource": "nvd",
+ "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
+ "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+ "Severity": "MEDIUM",
 "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=23528",
- "https://usn.ubuntu.com/4012-1/"
+ "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+ "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+ "https://usn.ubuntu.com/4249-1/"
 ]
 },
 {
@@ -966,10 +1255,13 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "nvd",
 "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file",
 "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16062.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062",
@@ -979,25 +1271,6 @@
 "https://usn.ubuntu.com/4012-1/"
 ]
 },
- {
- "VulnerabilityID": "CVE-2018-16403",
- "PkgName": "libelf1",
- "InstalledVersion": "0.168-1",
- "Layer": {
- "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
- },
- "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash",
- "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
- "Severity": "MEDIUM",
- "References": [
- "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
- "https://access.redhat.com/errata/RHSA-2019:2197",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=23529",
- "https://sourceware.org/git/?p=elfutils.git;a=commit;h=6983e59b727458a6c64d9659c85f08218bc4fcda",
- "https://usn.ubuntu.com/4012-1/"
- ]
- },
 {
 "VulnerabilityID": "CVE-2018-18310",
 "PkgName": "libelf1",
@@ -1005,10 +1278,13 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "nvd",
 "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl",
 "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18310.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23752",
@@ -1016,6 +1292,47 @@
 "https://usn.ubuntu.com/4012-1/"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2018-16402",
+ "PkgName": "libelf1",
+ "InstalledVersion": "0.168-1",
+ "Layer": {
+ "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
+ },
+ "SeveritySource": "debian",
+ "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
+ "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
+ "Severity": "LOW",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16402.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=23528",
+ "https://usn.ubuntu.com/4012-1/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2018-16403",
+ "PkgName": "libelf1",
+ "InstalledVersion": "0.168-1",
+ "Layer": {
+ "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
+ },
+ "SeveritySource": "debian",
+ "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash",
+ "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
+ "Severity": "LOW",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16403.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
+ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
+ "https://access.redhat.com/errata/RHSA-2019:2197",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403",
+ "https://sourceware.org/bugzilla/show_bug.cgi?id=23529",
+ "https://sourceware.org/git/?p=elfutils.git;a=commit;h=6983e59b727458a6c64d9659c85f08218bc4fcda",
+ "https://usn.ubuntu.com/4012-1/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2018-18520",
 "PkgName": "libelf1",
@@ -1023,10 +1340,13 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "elfutils: eu-size cannot handle recursive ar files",
 "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18520.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23787",
@@ -1041,10 +1361,13 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c",
 "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-18521.html",
+ "http://linux.oracle.com/errata/ELSA-2019-2197.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=23786",
@@ -1059,9 +1382,10 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "elfutils: excessive memory allocation in read_long_names in elf_begin.c in libelf",
 "Description": "**DISPUTED** An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a \"warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens.\"",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7148",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24085"
@@ -1074,10 +1398,13 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw",
 "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7149.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24102",
@@ -1092,10 +1419,13 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c",
 "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7150.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24103",
@@ -1110,10 +1440,13 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h",
 "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7664.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://access.redhat.com/errata/RHSA-2019:2197",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24084"
@@ -1126,10 +1459,13 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "debian",
 "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c",
 "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-7665.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3575.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665",
 "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
 "https://sourceware.org/bugzilla/show_bug.cgi?id=24089",
@@ -1144,6 +1480,7 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "nvd",
 "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl",
 "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.",
 "Severity": "HIGH",
@@ -1161,6 +1498,7 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "nvd",
 "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass",
 "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.",
 "Severity": "MEDIUM",
@@ -1169,22 +1507,6 @@
 "https://www.gnu.org/software/gcc/gcc-8/changes.html"
 ]
 },
- {
- "VulnerabilityID": "CVE-2018-6829",
- "PkgName": "libgcrypt20",
- "InstalledVersion": "1.7.6-2+deb9u3",
- "Layer": {
- "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
- },
- "Title": "libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information",
- "Description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.",
- "Severity": "MEDIUM",
- "References": [
- "https://github.com/weikengchen/attack-on-libgcrypt-elgamal",
- "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki",
- "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html"
- ]
- },
 {
 "VulnerabilityID": "CVE-2019-12904",
 "PkgName": "libgcrypt20",
@@ -1192,6 +1514,7 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "nvd",
 "Title": "Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack",
 "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)",
 "Severity": "MEDIUM",
@@ -1210,12 +1533,15 @@
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
+ "SeveritySource": "nvd",
+ "Title": "libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library",
 "Description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.",
 "Severity": "MEDIUM",
 "References": [
 "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html",
 "http://www.openwall.com/lists/oss-security/2019/10/02/2",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13627",
+ "https://dev.gnupg.org/T4683",
 "https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5",
 "https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html",
 "https://minerva.crocs.fi.muni.cz/",
@@ -1223,21 +1549,21 @@
 ]
 },
 {
- "VulnerabilityID": "CVE-2017-14062",
- "PkgName": "libidn11",
- "InstalledVersion": "1.33-1",
+ "VulnerabilityID": "CVE-2018-6829",
+ "PkgName": "libgcrypt20",
+ "InstalledVersion": "1.7.6-2+deb9u3",
 "Layer": {
 "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307"
 },
- "Title": "libidn2: Integer overflow in puny_decode.c/decode_digit",
- "Description": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.",
- "Severity": "HIGH",
+ "SeveritySource": "debian",
+ "Title": "libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information",
+ "Description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.",
+ "Severity": "LOW",
 "References": [
- "http://www.debian.org/security/2017/dsa-3988",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062",
- "https://gitlab.com/libidn/libidn2/blob/master/NEWS",
- "https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd",
- "https://lists.debian.org/debian-lts-announce/2018/07/msg00040.html"
+ "https://github.com/weikengchen/attack-on-libgcrypt-elgamal",
+ "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki",
+ "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html",
+ "https://www.oracle.com/security-alerts/cpujan2020.html"
 ]
 },
 {
@@ -1247,14 +1573,23 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "lz4: heap-based buffer overflow in LZ4_write32", "Description": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941", "https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2", "https://github.com/lz4/lz4/issues/801", "https://github.com/lz4/lz4/pull/756", - "https://github.com/lz4/lz4/pull/760" + "https://github.com/lz4/lz4/pull/760", + "https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E" ] }, { 
@@ -1264,6 +1599,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "Severity": "HIGH", @@ -1281,9 +1617,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" @@ -1296,9 +1633,14 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -1310,9 +1652,14 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] @@ -1324,6 +1671,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "nettle: Leaky data conversion exposing a manager oracle", "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.", "Severity": "LOW", 
@@ -1341,48 +1689,15 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/07/11/3", "http://www.securityfocus.com/bid/99575" ] }, - { - "VulnerabilityID": "CVE-2017-7245", - "PkgName": "libpcre3", - "InstalledVersion": "2:8.39-3", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", - "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97067", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/", - "https://security.gentoo.org/glsa/201710-25" - ] - }, - { - "VulnerabilityID": "CVE-2017-7246", - "PkgName": "libpcre3", - "InstalledVersion": "2:8.39-3", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", - "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "Severity": 
"MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97067", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/", - "https://security.gentoo.org/glsa/201710-25" - ] - }, { "VulnerabilityID": "CVE-2017-16231", "PkgName": "libpcre3", @@ -1390,6 +1705,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", "Description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", "Severity": "LOW", 
@@ -1404,6 +1720,42 @@ "https://bugs.exim.org/show_bug.cgi?id=2047" ] }, + { + "VulnerabilityID": "CVE-2017-7245", + "PkgName": "libpcre3", + "InstalledVersion": "2:8.39-3", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", + "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97067", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/", + "https://security.gentoo.org/glsa/201710-25" + ] + }, + { + "VulnerabilityID": "CVE-2017-7246", + "PkgName": "libpcre3", + "InstalledVersion": "2:8.39-3", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", + "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97067", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/", + "https://security.gentoo.org/glsa/201710-25" + ] + }, { "VulnerabilityID": "CVE-2016-2779", "PkgName": "libsmartcols1", 
@@ -1411,6 +1763,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "Severity": "HIGH", @@ -1429,6 +1782,8 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -1440,6 +1795,26 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libss2", + "InstalledVersion": "1.43.4-2", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2018-12886", "PkgName": "libstdc++6", 
@@ -1447,6 +1822,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", "Severity": "MEDIUM", 
@@ -1456,78 +1832,18 @@ ] }, { - "VulnerabilityID": "CVE-2017-1000082", + "VulnerabilityID": "CVE-2020-1712", "PkgName": "libsystemd0", "InstalledVersion": "232-25+deb9u11", "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, - "Title": "systemd: fails to parse usernames that start with digits", - "Description": "systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. \"0day\"), running the service in question with root privileges rather than the user intended.", - "Severity": "CRITICAL", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/07/02/1", - "http://www.securityfocus.com/bid/99507", - "http://www.securitytracker.com/id/1038839", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082", - "https://github.com/systemd/systemd/issues/6237" - ] - }, - { - "VulnerabilityID": "CVE-2018-6954", - "PkgName": "libsystemd0", - "InstalledVersion": "232-25+deb9u11", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", - "Description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. 
A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", "Severity": "HIGH", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", - "https://github.com/systemd/systemd/issues/7986", - "https://usn.ubuntu.com/3816-1/", - "https://usn.ubuntu.com/3816-2/" - ] - }, - { - "VulnerabilityID": "CVE-2017-18078", - "PkgName": "libsystemd0", - "InstalledVersion": "232-25+deb9u11", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "systemd: Unsafe handling of hard links allowing privilege escalation", - "Description": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-updates/2018-02/msg00109.html", - "http://packetstormsecurity.com/files/146184/systemd-Local-Privilege-Escalation.html", - "http://www.openwall.com/lists/oss-security/2018/01/29/3", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18078", - "https://github.com/systemd/systemd/issues/7736", - "https://lists.debian.org/debian-lts-announce/2019/04/msg00022.html", - "https://www.exploit-db.com/exploits/43935/", - "https://www.openwall.com/lists/oss-security/2018/01/29/4" - ] - }, - { - "VulnerabilityID": "CVE-2018-20839", - "PkgName": "libsystemd0", - "InstalledVersion": "232-25+deb9u11", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "systemd: 
mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker", - "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/108389", - "https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993", - "https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f", - "https://github.com/systemd/systemd/pull/12378", - "https://security.netapp.com/advisory/ntap-20190530-0002/" + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" ] }, { @@ -1537,6 +1853,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "systemd: services with DynamicUser can create SUID/SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", "Severity": "MEDIUM", 
@@ -1554,6 +1871,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", "Severity": "MEDIUM", @@ -1570,6 +1888,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", "Severity": "LOW", 
@@ -1579,6 +1898,47 @@ "https://bugzilla.redhat.com/show_bug.cgi?id=859060" ] }, + { + "VulnerabilityID": "CVE-2017-1000082", + "PkgName": "libsystemd0", + "InstalledVersion": "232-25+deb9u11", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "systemd: fails to parse usernames that start with digits", + "Description": "systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. \"0day\"), running the service in question with root privileges rather than the user intended.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2017/07/02/1", + "http://www.securityfocus.com/bid/99507", + "http://www.securitytracker.com/id/1038839", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082", + "https://github.com/systemd/systemd/issues/6237" + ] + }, + { + "VulnerabilityID": "CVE-2017-18078", + "PkgName": "libsystemd0", + "InstalledVersion": "232-25+deb9u11", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "systemd: Unsafe handling of hard links allowing privilege escalation", + "Description": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-updates/2018-02/msg00109.html", + "http://packetstormsecurity.com/files/146184/systemd-Local-Privilege-Escalation.html", + "http://www.openwall.com/lists/oss-security/2018/01/29/3", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18078", + 
"https://github.com/systemd/systemd/issues/7736", + "https://lists.debian.org/debian-lts-announce/2019/04/msg00022.html", + "https://www.exploit-db.com/exploits/43935/", + "https://www.openwall.com/lists/oss-security/2018/01/29/4" + ] + }, { "VulnerabilityID": "CVE-2018-16888", "PkgName": "libsystemd0", @@ -1586,10 +1946,13 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16888.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "https://access.redhat.com/errata/RHSA-2019:2091", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", 
@@ -1597,6 +1960,43 @@ "https://security.netapp.com/advisory/ntap-20190307-0007/" ] }, + { + "VulnerabilityID": "CVE-2018-6954", + "PkgName": "libsystemd0", + "InstalledVersion": "232-25+deb9u11", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", + "Description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", + "https://github.com/systemd/systemd/issues/7986", + "https://usn.ubuntu.com/3816-1/", + "https://usn.ubuntu.com/3816-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "libsystemd0", + "InstalledVersion": "232-25+deb9u11", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. 
When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "libtinfo5", @@ -1604,9 +2004,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -1619,9 +2020,14 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -1633,86 +2039,31 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] }, { - "VulnerabilityID": "CVE-2017-1000082", + "VulnerabilityID": "CVE-2020-1712", "PkgName": "libudev1", "InstalledVersion": "232-25+deb9u11", "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, - "Title": "systemd: fails to parse usernames that start with digits", - "Description": "systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. 
\"0day\"), running the service in question with root privileges rather than the user intended.", - "Severity": "CRITICAL", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/07/02/1", - "http://www.securityfocus.com/bid/99507", - "http://www.securitytracker.com/id/1038839", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082", - "https://github.com/systemd/systemd/issues/6237" - ] - }, - { - "VulnerabilityID": "CVE-2018-6954", - "PkgName": "libudev1", - "InstalledVersion": "232-25+deb9u11", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", - "Description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. 
A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", "Severity": "HIGH", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", - "https://github.com/systemd/systemd/issues/7986", - "https://usn.ubuntu.com/3816-1/", - "https://usn.ubuntu.com/3816-2/" - ] - }, - { - "VulnerabilityID": "CVE-2017-18078", - "PkgName": "libudev1", - "InstalledVersion": "232-25+deb9u11", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "systemd: Unsafe handling of hard links allowing privilege escalation", - "Description": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-updates/2018-02/msg00109.html", - "http://packetstormsecurity.com/files/146184/systemd-Local-Privilege-Escalation.html", - "http://www.openwall.com/lists/oss-security/2018/01/29/3", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18078", - "https://github.com/systemd/systemd/issues/7736", - "https://lists.debian.org/debian-lts-announce/2019/04/msg00022.html", - "https://www.exploit-db.com/exploits/43935/", - "https://www.openwall.com/lists/oss-security/2018/01/29/4" - ] - }, - { - "VulnerabilityID": "CVE-2018-20839", - "PkgName": "libudev1", - "InstalledVersion": "232-25+deb9u11", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "systemd: 
mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker", - "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/108389", - "https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993", - "https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f", - "https://github.com/systemd/systemd/pull/12378", - "https://security.netapp.com/advisory/ntap-20190530-0002/" + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" ] }, { @@ -1722,6 +2073,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "systemd: services with DynamicUser can create SUID/SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", "Severity": "MEDIUM", 
@@ -1739,6 +2091,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", "Severity": "MEDIUM", @@ -1755,6 +2108,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", "Severity": "LOW", 
@@ -1764,6 +2118,47 @@ "https://bugzilla.redhat.com/show_bug.cgi?id=859060" ] }, + { + "VulnerabilityID": "CVE-2017-1000082", + "PkgName": "libudev1", + "InstalledVersion": "232-25+deb9u11", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "systemd: fails to parse usernames that start with digits", + "Description": "systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. \"0day\"), running the service in question with root privileges rather than the user intended.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2017/07/02/1", + "http://www.securityfocus.com/bid/99507", + "http://www.securitytracker.com/id/1038839", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082", + "https://github.com/systemd/systemd/issues/6237" + ] + }, + { + "VulnerabilityID": "CVE-2017-18078", + "PkgName": "libudev1", + "InstalledVersion": "232-25+deb9u11", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "systemd: Unsafe handling of hard links allowing privilege escalation", + "Description": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-updates/2018-02/msg00109.html", + "http://packetstormsecurity.com/files/146184/systemd-Local-Privilege-Escalation.html", + "http://www.openwall.com/lists/oss-security/2018/01/29/3", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18078", + 
"https://github.com/systemd/systemd/issues/7736", + "https://lists.debian.org/debian-lts-announce/2019/04/msg00022.html", + "https://www.exploit-db.com/exploits/43935/", + "https://www.openwall.com/lists/oss-security/2018/01/29/4" + ] + }, { "VulnerabilityID": "CVE-2018-16888", "PkgName": "libudev1", @@ -1771,10 +2166,13 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16888.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "https://access.redhat.com/errata/RHSA-2019:2091", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", 
@@ -1782,6 +2180,43 @@ "https://security.netapp.com/advisory/ntap-20190307-0007/" ] }, + { + "VulnerabilityID": "CVE-2018-6954", + "PkgName": "libudev1", + "InstalledVersion": "232-25+deb9u11", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", + "Description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", + "https://github.com/systemd/systemd/issues/7986", + "https://usn.ubuntu.com/3816-1/", + "https://usn.ubuntu.com/3816-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "libudev1", + "InstalledVersion": "232-25+deb9u11", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. 
When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, { "VulnerabilityID": "CVE-2016-2779", "PkgName": "libuuid1", @@ -1789,6 +2224,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "Severity": "HIGH", @@ -1806,6 +2242,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "shadow-utils: Buffer overflow via newusers tool", "Description": "In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.", "Severity": "HIGH", 
@@ -1824,8 +2261,9 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://secunia.com/advisories/27215", "http://www.securityfocus.com/archive/1/482129/100/100/threaded", @@ -1835,21 +2273,6 @@ "https://issues.rpath.com/browse/RPL-1825" ] }, - { - "VulnerabilityID": "CVE-2018-7169", - "PkgName": "login", - "InstalledVersion": "1:4.4-4.1", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", - "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", - "https://security.gentoo.org/glsa/201805-09" - ] - }, { "VulnerabilityID": "CVE-2013-4235", "PkgName": "login", 
@@ -1857,9 +2280,50 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", - "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.", - "Severity": "LOW" + "Description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2013-4235", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", + "https://security-tracker.debian.org/tracker/CVE-2013-4235" + ] + }, + { + "VulnerabilityID": "CVE-2018-7169", + "PkgName": "login", + "InstalledVersion": "1:4.4-4.1", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", + "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. 
This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", + "Severity": "LOW", + "References": [ + "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", + "https://security.gentoo.org/glsa/201805-09" + ] + }, + { + "VulnerabilityID": "CVE-2019-19882", + "PkgName": "login", + "InstalledVersion": "1:4.4-4.1", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", + "Description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", + "Severity": "LOW", + "References": [ + "https://bugs.archlinux.org/task/64836", + "https://bugs.gentoo.org/702252", + "https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75", + "https://github.com/shadow-maint/shadow/pull/199", + "https://github.com/void-linux/void-packages/pull/17580" + ] }, { "VulnerabilityID": "TEMP-0628843-DBAD28", 
@@ -1868,6 +2332,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Severity": "LOW" }, { @@ -1877,6 +2342,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "Severity": "HIGH", @@ -1894,10 +2360,13 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation", "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000001.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://seclists.org/oss-sec/2018/q1/38", "http://www.securityfocus.com/bid/102525", "http://www.securitytracker.com/id/1040162", 
@@ -1918,17 +2387,21 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", "Severity": "HIGH", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, @@ -1939,6 +2412,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: integer overflow in malloc functions", "Description": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.", "Severity": "HIGH", 
@@ -1949,20 +2423,6 @@ "https://sourceware.org/git/?p=glibc.git;a=commit;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22" ] }, - { - "VulnerabilityID": "CVE-2019-1010022", - "PkgName": "multiarch-support", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "glibc: stack guard protection bypass", - "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ] - }, { "VulnerabilityID": "CVE-2019-9169", "PkgName": "multiarch-support", @@ -1970,6 +2430,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", "Severity": "HIGH", 
@@ -1985,6 +2446,17 @@ "https://support.f5.com/csp/article/K54823184" ] }, + { + "VulnerabilityID": "CVE-2020-1752", + "PkgName": "multiarch-support", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "Title": "glibc: use-after-free in glob() function when expanding ~user", + "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.", + "Severity": "HIGH" + }, { "VulnerabilityID": "CVE-2009-5155", "PkgName": "multiarch-support", @@ -1992,6 +2464,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", "Severity": "MEDIUM", 
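Review bot: The CVE-2020-1752 entry added in this hunk carries `"Severity": "HIGH"` but neither a `SeveritySource` nor a `References` array, while every other entry this commit touches gains a `SeveritySource`; the same gap appears in the CVE-2020-1751 entry added in the `@@ -2008,6 +2481,60 @@` hunk, whose description is the placeholder `"No description is available for this CVE."`. Since this is the expected output, the fixture now pins a severity whose provenance is not recorded, which looks more like a gap in the trivy-db snapshot than intended behaviour. If that is the case, a short note in the test that consumes this fixture (or an upstream issue) would keep the next regeneration from silently preserving it; the ratings themselves cannot be checked from here.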
@@ -2008,6 +2481,60 @@ "https://support.f5.com/csp/article/K64119434" ] }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "multiarch-support", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, + { + "VulnerabilityID": "CVE-2017-12132", + "PkgName": "multiarch-support", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", + "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", + "Severity": "MEDIUM", + "References": [ + 
"http://linux.oracle.com/cve/CVE-2017-12132.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", + "http://www.securityfocus.com/bid/100598", + "https://access.redhat.com/errata/RHSA-2018:0805", + "https://arxiv.org/pdf/1205.4011.pdf", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" + ] + }, + { + "VulnerabilityID": "CVE-2020-1751", + "PkgName": "multiarch-support", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "Title": "glibc: array overflow in backtrace on powerpc", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM" + }, { "VulnerabilityID": "CVE-2010-4051", "PkgName": "multiarch-support", @@ -2015,9 +2542,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", 
@@ -2039,9 +2567,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", @@ -2063,9 +2592,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/glob-0day.c", "http://securityreason.com/achievement_securityalert/89", 
@@ -2079,9 +2609,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", 
@@ -2097,52 +2628,16 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", "https://sourceware.org/bugzilla/show_bug.cgi?id=19519" ] }, - { - "VulnerabilityID": "CVE-2016-10739", - "PkgName": "multiarch-support", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", - "http://www.securityfocus.com/bid/106672", - "https://access.redhat.com/errata/RHSA-2019:2118", - "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" - ] - }, - { - "VulnerabilityID": "CVE-2017-12132", - "PkgName": "multiarch-support", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": 
"sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", - "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100598", - "https://access.redhat.com/errata/RHSA-2018:0805", - "https://arxiv.org/pdf/1205.4011.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" - ] - }, { "VulnerabilityID": "CVE-2018-20796", "PkgName": "multiarch-support", 
@@ -2150,14 +2645,31 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107160", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "https://security.netapp.com/advisory/ntap-20190315-0002/" + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgName": "multiarch-support", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" ] }, { 
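Review bot: The new reference URL in this hunk ends in `?utm_source=f5support\u0026amp;utm_medium=RSS`, i.e. the ampersand is stored HTML-escaped (`&amp;`) inside the JSON string, so the link this fixture pins is not the URL the advisory actually points at. The identical string is added again in the CVE-2019-9192 entry near the end of the diff. This appears to be an upstream feed carrying an entity-encoded URL that is passed through unchanged; if the expected output is meant to be canonical, the fix belongs in the ingest path (unescape reference URLs once) with the fixture regenerated afterwards, otherwise a tracking issue is worth opening so the escaped form is not treated as correct.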
@@ -2167,8 +2679,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109167", "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", @@ -2182,8 +2696,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "glibc: ASLR bypass using cache of thread stack and heap", "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109162", "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", 
@@ -2197,13 +2713,30 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: information disclosure of heap addresses of pthread_created thread", "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://sourceware.org/bugzilla/show_bug.cgi?id=22853" ] }, + { + "VulnerabilityID": "CVE-2019-19126", + "PkgName": "multiarch-support", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", + "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", + "Severity": "LOW", + "References": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25204" + ] + }, { "VulnerabilityID": "CVE-2019-6488", "PkgName": "multiarch-support", 
@@ -2211,29 +2744,16 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault", "Description": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/106671", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6488", "https://sourceware.org/bugzilla/show_bug.cgi?id=24097" ] }, - { - "VulnerabilityID": "CVE-2019-9192", - "PkgName": "multiarch-support", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", - "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" - ] - }, { "VulnerabilityID": "CVE-2019-7309", "PkgName": "multiarch-support", 
@@ -2241,6 +2761,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "glibc: memcmp function incorrectly returns zero", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.", "Severity": "LOW", 
@@ -2251,6 +2772,39 @@ "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html" ] }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgName": "multiarch-support", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2020-10029", + "PkgName": "multiarch-support", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "nvd", + "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", + "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. 
This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25487", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "ncurses-base", @@ -2258,9 +2812,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" @@ -2273,9 +2828,14 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -2287,9 +2847,14 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] @@ -2301,9 +2866,10 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -2316,9 +2882,14 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] @@ -2330,9 +2901,14 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -2344,6 +2920,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "shadow-utils: Buffer overflow via newusers tool", "Description": "In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.", "Severity": "HIGH", @@ -2362,8 +2939,9 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://secunia.com/advisories/27215", "http://www.securityfocus.com/archive/1/482129/100/100/threaded", 
@@ -2373,21 +2951,6 @@ "https://issues.rpath.com/browse/RPL-1825" ] }, - { - "VulnerabilityID": "CVE-2018-7169", - "PkgName": "passwd", - "InstalledVersion": "1:4.4-4.1", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", - "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", - "https://security.gentoo.org/glsa/201805-09" - ] - }, { "VulnerabilityID": "CVE-2013-4235", "PkgName": "passwd", 
@@ -2395,9 +2958,50 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", - "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.", - "Severity": "LOW" + "Description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2013-4235", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", + "https://security-tracker.debian.org/tracker/CVE-2013-4235" + ] + }, + { + "VulnerabilityID": "CVE-2018-7169", + "PkgName": "passwd", + "InstalledVersion": "1:4.4-4.1", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", + "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. 
This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", + "Severity": "LOW", + "References": [ + "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", + "https://security.gentoo.org/glsa/201805-09" + ] + }, + { + "VulnerabilityID": "CVE-2019-19882", + "PkgName": "passwd", + "InstalledVersion": "1:4.4-4.1", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", + "Description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", + "Severity": "LOW", + "References": [ + "https://bugs.archlinux.org/task/64836", + "https://bugs.gentoo.org/702252", + "https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75", + "https://github.com/shadow-maint/shadow/pull/199", + "https://github.com/void-linux/void-packages/pull/17580" + ] }, { "VulnerabilityID": "TEMP-0628843-DBAD28", 
@@ -2406,6 +3010,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Severity": "LOW" }, { @@ -2415,9 +3020,17 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Title": "perl: File::Temp insecure temporary file handling", - "Description": "No description is available for this CVE.", - "Severity": "LOW" + "Description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2011/11/04/2", + "http://www.openwall.com/lists/oss-security/2011/11/04/4", + "https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14", + "https://rt.cpan.org/Public/Bug/Display.html?id=69106", + "https://seclists.org/oss-sec/2011/q4/238" + ] }, { "VulnerabilityID": "TEMP-0517018-A83CE6", @@ -2426,6 +3039,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Severity": "LOW" }, { 
@@ -2435,29 +3049,13 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", - "Severity": "CRITICAL", + "Severity": "LOW", "References": [ "http://marc.info/?l=bugtraq\u0026m=112327628230258\u0026w=2" ] }, - { - "VulnerabilityID": "CVE-2019-9923", - "PkgName": "tar", - "InstalledVersion": "1.29b-1.1", - "Layer": { - "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" - }, - "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", - "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", - "Severity": "MEDIUM", - "References": [ - "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", - "http://savannah.gnu.org/bugs/?55369", - "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" - ] - }, { "VulnerabilityID": "CVE-2018-20482", "PkgName": "tar", @@ -2465,6 +3063,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "tar: Infinite read loop in sparse_dump_region function in sparse.c", "Description": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).", "Severity": "LOW", 
@@ -2481,6 +3080,24 @@ "https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug" ] }, + { + "VulnerabilityID": "CVE-2019-9923", + "PkgName": "tar", + "InstalledVersion": "1.29b-1.1", + "Layer": { + "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" + }, + "SeveritySource": "debian", + "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", + "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", + "Severity": "LOW", + "References": [ + "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", + "http://savannah.gnu.org/bugs/?55369", + "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" + ] + }, { "VulnerabilityID": "TEMP-0290435-0B57B5", "PkgName": "tar", @@ -2488,6 +3105,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "debian", "Severity": "LOW" }, { @@ -2497,6 +3115,7 @@ "Layer": { "DiffID": "sha256:f73e7e79899a33b4b9b78da62efb71520844f8dd518f3c390e27bc3063bce307" }, + "SeveritySource": "nvd", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "Severity": "HIGH", diff --git a/integration/testdata/distroless-base-ignore-unfixed.json.golden b/integration/testdata/distroless-base-ignore-unfixed.json.golden index 24ef52df5c..ba026c32b6 100644 --- a/integration/testdata/distroless-base-ignore-unfixed.json.golden +++ b/integration/testdata/distroless-base-ignore-unfixed.json.golden 
@@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/distroless-base.tar.gz (debian 9.9)", + "Type": "debian", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2019-1563", @@ -10,6 +11,7 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "MEDIUM", 
@@ -32,6 +34,7 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "MEDIUM", diff --git a/integration/testdata/distroless-base.json.golden b/integration/testdata/distroless-base.json.golden index 15e77a4f42..068cad5f35 100644 --- a/integration/testdata/distroless-base.json.golden +++ b/integration/testdata/distroless-base.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/distroless-base.tar.gz (debian 9.9)", + "Type": "debian", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2018-1000001", 
@@ -9,10 +10,13 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation", "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000001.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://seclists.org/oss-sec/2018/q1/38", "http://www.securityfocus.com/bid/102525", "http://www.securitytracker.com/id/1040162", @@ -33,17 +37,21 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", "Severity": "HIGH", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, 
@@ -54,6 +62,7 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "glibc: integer overflow in malloc functions", "Description": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.", "Severity": "HIGH", @@ -64,20 +73,6 @@ "https://sourceware.org/git/?p=glibc.git;a=commit;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22" ] }, - { - "VulnerabilityID": "CVE-2019-1010022", - "PkgName": "libc6", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" - }, - "Title": "glibc: stack guard protection bypass", - "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ] - }, { "VulnerabilityID": "CVE-2019-9169", "PkgName": "libc6", @@ -85,6 +80,7 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", "Severity": "HIGH", 
@@ -100,6 +96,17 @@ "https://support.f5.com/csp/article/K54823184" ] }, + { + "VulnerabilityID": "CVE-2020-1752", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "Title": "glibc: use-after-free in glob() function when expanding ~user", + "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.", + "Severity": "HIGH" + }, { "VulnerabilityID": "CVE-2009-5155", "PkgName": "libc6", @@ -107,6 +114,7 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", "Severity": "MEDIUM", 
@@ -123,6 +131,60 @@ "https://support.f5.com/csp/article/K64119434" ] }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, + { + "VulnerabilityID": "CVE-2017-12132", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", + "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2017-12132.html", + 
"http://linux.oracle.com/errata/ELSA-2018-0805.html", + "http://www.securityfocus.com/bid/100598", + "https://access.redhat.com/errata/RHSA-2018:0805", + "https://arxiv.org/pdf/1205.4011.pdf", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" + ] + }, + { + "VulnerabilityID": "CVE-2020-1751", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "Title": "glibc: array overflow in backtrace on powerpc", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM" + }, { "VulnerabilityID": "CVE-2010-4051", "PkgName": "libc6", @@ -130,9 +192,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", 
@@ -154,9 +217,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", @@ -178,9 +242,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/glob-0day.c", "http://securityreason.com/achievement_securityalert/89", 
@@ -194,9 +259,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", 
@@ -212,52 +278,16 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", "https://sourceware.org/bugzilla/show_bug.cgi?id=19519" ] }, - { - "VulnerabilityID": "CVE-2016-10739", - "PkgName": "libc6", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" - }, - "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", - "http://www.securityfocus.com/bid/106672", - "https://access.redhat.com/errata/RHSA-2019:2118", - "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" - ] - }, - { - "VulnerabilityID": "CVE-2017-12132", - "PkgName": "libc6", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" - }, - "Title": 
"glibc: Fragmentation attacks possible when EDNS0 is enabled", - "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100598", - "https://access.redhat.com/errata/RHSA-2018:0805", - "https://arxiv.org/pdf/1205.4011.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" - ] - }, { "VulnerabilityID": "CVE-2018-20796", "PkgName": "libc6", 
@@ -265,14 +295,31 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107160", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "https://security.netapp.com/advisory/ntap-20190315-0002/" + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "debian", + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" ] }, { 
@@ -282,8 +329,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109167", "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", @@ -297,8 +346,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", + "Title": "glibc: ASLR bypass using cache of thread stack and heap", "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109162", "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", 
@@ -312,13 +363,30 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: information disclosure of heap addresses of pthread_created thread", "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://sourceware.org/bugzilla/show_bug.cgi?id=22853" ] }, + { + "VulnerabilityID": "CVE-2019-19126", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", + "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", + "Severity": "LOW", + "References": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25204" + ] + }, { "VulnerabilityID": "CVE-2019-6488", "PkgName": "libc6", 
@@ -326,29 +394,16 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault", "Description": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/106671", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6488", "https://sourceware.org/bugzilla/show_bug.cgi?id=24097" ] }, - { - "VulnerabilityID": "CVE-2019-9192", - "PkgName": "libc6", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" - }, - "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", - "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" - ] - }, { "VulnerabilityID": "CVE-2019-7309", "PkgName": "libc6", 
@@ -356,6 +411,7 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: memcmp function incorrectly returns zero", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.", "Severity": "LOW", 
@@ -366,6 +422,62 @@ "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html" ] }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "debian", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2020-10029", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", + "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. 
This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25487", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f" + ] + }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "libssl1.1", + "InstalledVersion": "1.1.0k-1~deb9u1", + "FixedVersion": "1.1.0l-1~deb9u1", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "MEDIUM", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, { "VulnerabilityID": "CVE-2007-6755", "PkgName": "libssl1.1", @@ -373,9 +485,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "Dual_EC_DRBG: weak pseudo random number generator", "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", 
@@ -394,9 +507,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "openssl: RSA authentication weakness", "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf", 
@@ -407,13 +521,40 @@ ] }, { - "VulnerabilityID": "CVE-2019-1563", + "VulnerabilityID": "CVE-2019-1551", "PkgName": "libssl1.1", "InstalledVersion": "1.1.0k-1~deb9u1", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "debian", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" + ] + }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "openssl", + "InstalledVersion": "1.1.0k-1~deb9u1", "FixedVersion": "1.1.0l-1~deb9u1", "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Severity": "MEDIUM", @@ -435,9 +576,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "Dual_EC_DRBG: weak pseudo random number generator", "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", @@ -456,9 +598,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "openssl: RSA authentication weakness", "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf", 
@@ -469,25 +612,29 @@ ] }, { - "VulnerabilityID": "CVE-2019-1563", + "VulnerabilityID": "CVE-2019-1551", "PkgName": "openssl", "InstalledVersion": "1.1.0k-1~deb9u1", - "FixedVersion": "1.1.0l-1~deb9u1", "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, - "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", - "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - "Severity": "MEDIUM", + "SeveritySource": "debian", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "LOW", "References": [ - "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", - "https://seclists.org/bugtraq/2019/Sep/25", - "https://security.netapp.com/advisory/ntap-20190919-0002/", - "https://www.openssl.org/news/secadv/20190910.txt" + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" ] } ] diff --git a/integration/testdata/distroless-python27.json.golden b/integration/testdata/distroless-python27.json.golden index 54594d9507..1cd582bbb3 100644 --- a/integration/testdata/distroless-python27.json.golden +++ b/integration/testdata/distroless-python27.json.golden 
@@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/distroless-python27.tar.gz (debian 9.9)", + "Type": "debian", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2019-12900", @@ -9,6 +10,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "bzip2: out-of-bounds write in function BZ2_decompress", "Description": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", "Severity": "HIGH", @@ -27,10 +29,13 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation", "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000001.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://seclists.org/oss-sec/2018/q1/38", "http://www.securityfocus.com/bid/102525", "http://www.securitytracker.com/id/1040162", 
@@ -51,17 +56,21 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", "Severity": "HIGH", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, @@ -72,6 +81,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "glibc: integer overflow in malloc functions", "Description": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.", "Severity": "HIGH", 
@@ -82,20 +92,6 @@ "https://sourceware.org/git/?p=glibc.git;a=commit;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22" ] }, - { - "VulnerabilityID": "CVE-2019-1010022", - "PkgName": "libc-bin", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "glibc: stack guard protection bypass", - "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ] - }, { "VulnerabilityID": "CVE-2019-9169", "PkgName": "libc-bin", @@ -103,6 +99,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", "Severity": "HIGH", 
@@ -118,6 +115,17 @@ "https://support.f5.com/csp/article/K54823184" ] }, + { + "VulnerabilityID": "CVE-2020-1752", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "Title": "glibc: use-after-free in glob() function when expanding ~user", + "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.", + "Severity": "HIGH" + }, { "VulnerabilityID": "CVE-2009-5155", "PkgName": "libc-bin", @@ -125,6 +133,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", "Severity": "MEDIUM", 
@@ -141,6 +150,60 @@ "https://support.f5.com/csp/article/K64119434" ] }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "nvd", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, + { + "VulnerabilityID": "CVE-2017-12132", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "nvd", + "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", + "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2017-12132.html", + 
"http://linux.oracle.com/errata/ELSA-2018-0805.html", + "http://www.securityfocus.com/bid/100598", + "https://access.redhat.com/errata/RHSA-2018:0805", + "https://arxiv.org/pdf/1205.4011.pdf", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" + ] + }, + { + "VulnerabilityID": "CVE-2020-1751", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "Title": "glibc: array overflow in backtrace on powerpc", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM" + }, { "VulnerabilityID": "CVE-2010-4051", "PkgName": "libc-bin", @@ -148,9 +211,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", 
@@ -172,9 +236,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", @@ -196,9 +261,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/glob-0day.c", "http://securityreason.com/achievement_securityalert/89", 
@@ -212,9 +278,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", 
@@ -230,52 +297,16 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", "https://sourceware.org/bugzilla/show_bug.cgi?id=19519" ] }, - { - "VulnerabilityID": "CVE-2016-10739", - "PkgName": "libc-bin", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", - "http://www.securityfocus.com/bid/106672", - "https://access.redhat.com/errata/RHSA-2019:2118", - "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" - ] - }, - { - "VulnerabilityID": "CVE-2017-12132", - "PkgName": "libc-bin", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - 
"Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", - "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100598", - "https://access.redhat.com/errata/RHSA-2018:0805", - "https://arxiv.org/pdf/1205.4011.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" - ] - }, { "VulnerabilityID": "CVE-2018-20796", "PkgName": "libc-bin", 
@@ -283,14 +314,31 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107160", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "https://security.netapp.com/advisory/ntap-20190315-0002/" + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "debian", + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" ] }, { 
@@ -300,8 +348,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109167", "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", @@ -315,8 +365,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", + "Title": "glibc: ASLR bypass using cache of thread stack and heap", "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109162", "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", 
@@ -330,13 +382,30 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "glibc: information disclosure of heap addresses of pthread_created thread", "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://sourceware.org/bugzilla/show_bug.cgi?id=22853" ] }, + { + "VulnerabilityID": "CVE-2019-19126", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "nvd", + "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", + "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", + "Severity": "LOW", + "References": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25204" + ] + }, { "VulnerabilityID": "CVE-2019-6488", "PkgName": "libc-bin", 
@@ -344,29 +413,16 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault", "Description": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/106671", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6488", "https://sourceware.org/bugzilla/show_bug.cgi?id=24097" ] }, - { - "VulnerabilityID": "CVE-2019-9192", - "PkgName": "libc-bin", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", - "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" - ] - }, { "VulnerabilityID": "CVE-2019-7309", "PkgName": "libc-bin", 
@@ -374,6 +430,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "glibc: memcmp function incorrectly returns zero", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.", "Severity": "LOW", 
@@ -384,6 +441,39 @@ "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html" ] }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "debian", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2020-10029", + "PkgName": "libc-bin", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "nvd", + "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", + "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. 
This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25487", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f" + ] + }, { "VulnerabilityID": "CVE-2018-1000001", "PkgName": "libc6", @@ -391,10 +481,13 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation", "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000001.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://seclists.org/oss-sec/2018/q1/38", "http://www.securityfocus.com/bid/102525", "http://www.securitytracker.com/id/1040162", 
@@ -415,17 +508,21 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", "Severity": "HIGH", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, @@ -436,6 +533,7 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "glibc: integer overflow in malloc functions", "Description": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.", "Severity": "HIGH", 
@@ -446,20 +544,6 @@ "https://sourceware.org/git/?p=glibc.git;a=commit;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22" ] }, - { - "VulnerabilityID": "CVE-2019-1010022", - "PkgName": "libc6", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" - }, - "Title": "glibc: stack guard protection bypass", - "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ] - }, { "VulnerabilityID": "CVE-2019-9169", "PkgName": "libc6", @@ -467,6 +551,7 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", "Severity": "HIGH", 
@@ -482,6 +567,17 @@ "https://support.f5.com/csp/article/K54823184" ] }, + { + "VulnerabilityID": "CVE-2020-1752", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "Title": "glibc: use-after-free in glob() function when expanding ~user", + "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.", + "Severity": "HIGH" + }, { "VulnerabilityID": "CVE-2009-5155", "PkgName": "libc6", @@ -489,6 +585,7 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "nvd", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", "Severity": "MEDIUM", 
@@ -505,6 +602,60 @@ "https://support.f5.com/csp/article/K64119434" ] }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, + { + "VulnerabilityID": "CVE-2017-12132", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", + "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2017-12132.html", + 
"http://linux.oracle.com/errata/ELSA-2018-0805.html", + "http://www.securityfocus.com/bid/100598", + "https://access.redhat.com/errata/RHSA-2018:0805", + "https://arxiv.org/pdf/1205.4011.pdf", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" + ] + }, + { + "VulnerabilityID": "CVE-2020-1751", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "Title": "glibc: array overflow in backtrace on powerpc", + "Description": "No description is available for this CVE.", + "Severity": "MEDIUM" + }, { "VulnerabilityID": "CVE-2010-4051", "PkgName": "libc6", @@ -512,9 +663,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", 
@@ -536,9 +688,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine", "Description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/proftpd.gnu.c", "http://seclists.org/fulldisclosure/2011/Jan/78", @@ -560,9 +713,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "Description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://cxib.net/stuff/glob-0day.c", "http://securityreason.com/achievement_securityalert/89", 
@@ -576,9 +730,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", 
@@ -594,52 +749,16 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", "https://sourceware.org/bugzilla/show_bug.cgi?id=19519" ] }, - { - "VulnerabilityID": "CVE-2016-10739", - "PkgName": "libc6", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" - }, - "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", - "http://www.securityfocus.com/bid/106672", - "https://access.redhat.com/errata/RHSA-2019:2118", - "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" - ] - }, - { - "VulnerabilityID": "CVE-2017-12132", - "PkgName": "libc6", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" - }, - "Title": 
"glibc: Fragmentation attacks possible when EDNS0 is enabled", - "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100598", - "https://access.redhat.com/errata/RHSA-2018:0805", - "https://arxiv.org/pdf/1205.4011.pdf", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21361" - ] - }, { "VulnerabilityID": "CVE-2018-20796", "PkgName": "libc6", 
@@ -647,14 +766,31 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107160", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "https://security.netapp.com/advisory/ntap-20190315-0002/" + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "debian", + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" ] }, { 
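Review bot: CVE-2019-1010022 on libc6 goes from HIGH to LOW in this hunk solely because `"SeveritySource": "debian"` now takes precedence over the NVD rating (the HIGH entry with no source is deleted in the earlier `@@ -446,20 +544,6 @@` hunk), and the regex/glob DoS entries for the same package are downgraded MEDIUM→LOW the same way, so a scan of a Debian image with `--severity HIGH,CRITICAL` will silently stop reporting this stack-guard bypass; nothing in the visible diff or commit text calls out that distro severity now wins. That is a user-facing policy change and deserves one sentence in the commit description or changelog, e.g. `Severity now follows the distribution security tracker (SeveritySource: debian) when it rates the CVE; entries without a SeveritySource use the previous NVD-based rating` — the second half is only my inference from CVE-2020-1751/CVE-2020-1752 carrying no SeveritySource at all, so confirm it against the selection logic before writing it down. Separately, the new F5 reference URL in this hunk contains a double-encoded ampersand, `\u0026amp;utm_medium=RSS`, i.e. an HTML `&amp;` where a bare `&` belongs; that is upstream feed data rather than code in this change, but it is worth an issue against the vuln-list ingestion so the golden file does not freeze a broken link as expected output.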
@@ -664,8 +800,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109167", "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", @@ -679,8 +817,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", + "Title": "glibc: ASLR bypass using cache of thread stack and heap", "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109162", "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", 
@@ -694,13 +834,30 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: information disclosure of heap addresses of pthread_created thread", "Description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://sourceware.org/bugzilla/show_bug.cgi?id=22853" ] }, + { + "VulnerabilityID": "CVE-2019-19126", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", + "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", + "Severity": "LOW", + "References": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25204" + ] + }, { "VulnerabilityID": "CVE-2019-6488", "PkgName": "libc6", 
@@ -708,29 +865,16 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault", "Description": "The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/106671", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6488", "https://sourceware.org/bugzilla/show_bug.cgi?id=24097" ] }, - { - "VulnerabilityID": "CVE-2019-9192", - "PkgName": "libc6", - "InstalledVersion": "2.24-11+deb9u4", - "Layer": { - "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" - }, - "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", - "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" - ] - }, { "VulnerabilityID": "CVE-2019-7309", "PkgName": "libc6", 
@@ -738,6 +882,7 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "glibc: memcmp function incorrectly returns zero", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.", "Severity": "LOW", 
@@ -748,6 +893,39 @@ "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html" ] }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "debian", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2020-10029", + "PkgName": "libc6", + "InstalledVersion": "2.24-11+deb9u4", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", + "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. 
This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25487", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f" + ] + }, { "VulnerabilityID": "CVE-2013-0340", "PkgName": "libexpat1", @@ -755,9 +933,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "expat: internal entity expansion", "Description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2013/02/22/3", "http://securitytracker.com/id?1028213", 
@@ -767,29 +946,6 @@ "https://security.gentoo.org/glsa/201701-21" ] }, - { - "VulnerabilityID": "CVE-2019-15903", - "PkgName": "libexpat1", - "InstalledVersion": "2.2.0-2+deb9u2", - "FixedVersion": "2.2.0-2+deb9u3", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "expat: heap-based buffer over-read via crafted XML input", - "Description": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.", - "Severity": "MEDIUM", - "References": [ - "http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903", - "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43", - "https://github.com/libexpat/libexpat/issues/317", - "https://github.com/libexpat/libexpat/issues/342", - "https://github.com/libexpat/libexpat/pull/318", - "https://seclists.org/bugtraq/2019/Sep/30", - "https://usn.ubuntu.com/4132-1/", - "https://usn.ubuntu.com/4132-2/" - ] - }, { "VulnerabilityID": "CVE-2018-12886", "PkgName": "libgcc1", 
@@ -797,6 +953,7 @@ "Layer": { "DiffID": "sha256:6189abe095d53c1c9f2bfc8f50128ee876b9a5d10f9eda1564e5f5357d6ffe61" }, + "SeveritySource": "nvd", "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", "Severity": "MEDIUM", @@ -812,6 +969,7 @@ "Layer": { "DiffID": "sha256:6189abe095d53c1c9f2bfc8f50128ee876b9a5d10f9eda1564e5f5357d6ffe61" }, + "SeveritySource": "nvd", "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", "Severity": "MEDIUM", 
@@ -827,9 +985,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" @@ -842,9 +1001,14 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -856,81 +1020,35 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] }, { - "VulnerabilityID": "CVE-2019-5010", + "VulnerabilityID": "CVE-2020-8492", "PkgName": "libpython2.7-minimal", "InstalledVersion": "2.7.13-2+deb9u3", "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. 
This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", + "SeveritySource": "nvd", + "Title": "python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS", + "Description": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", "Severity": "HIGH", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" - ] - }, - { - "VulnerabilityID": "CVE-2013-7040", - "PkgName": "libpython2.7-minimal", - "InstalledVersion": "2.7.13-2+deb9u3", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "python: hash secret can be recovered remotely", - "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", - "Severity": "MEDIUM", - "References": [ - "http://bugs.python.org/issue14621", - "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", - "http://www.openwall.com/lists/oss-security/2013/12/09/13", - "http://www.openwall.com/lists/oss-security/2013/12/09/3", - "http://www.securityfocus.com/bid/64194", - "https://support.apple.com/kb/HT205031" - ] - }, - { - "VulnerabilityID": "CVE-2017-17522", - "PkgName": "libpython2.7-minimal", - "InstalledVersion": "2.7.13-2+deb9u3", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "python: Command injection in Lib/webbrowser.py", - "Description": "** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/102207", - "https://bugs.python.org/issue32367", - "https://security-tracker.debian.org/tracker/CVE-2017-17522" - ] - }, - { - "VulnerabilityID": "CVE-2018-1000030", - "PkgName": "libpython2.7-minimal", - "InstalledVersion": "2.7.13-2+deb9u3", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", - "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. 
The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.python.org/issue31530", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", - "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", - "https://security.gentoo.org/glsa/201811-02", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0" + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue39503", + "https://github.com/python/cpython/pull/18284", + "https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html", + "https://security.netapp.com/advisory/ntap-20200221-0001/" ] }, { 
@@ -940,10 +1058,13 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "python: Cookie domain check returns incorrect results", "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20852.html", + "http://linux.oracle.com/errata/ELSA-2019-4884.html", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html", "https://bugs.python.org/issue35121", @@ -959,6 +1080,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "python: email.utils.parseaddr wrongly parses email addresses", "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", "Severity": "MEDIUM", 
@@ -981,6 +1103,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field", "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", "Severity": "MEDIUM", @@ -994,6 +1117,27 @@ "https://usn.ubuntu.com/4151-2/" ] }, + { + "VulnerabilityID": "CVE-2019-5010", + "PkgName": "libpython2.7-minimal", + "InstalledVersion": "2.7.13-2+deb9u3", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "nvd", + "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", + "Description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5010.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", + "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758" + ] + }, { "VulnerabilityID": "CVE-2019-9636", "PkgName": "libpython2.7-minimal", 
@@ -1001,10 +1145,13 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization", "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9636.html", + "http://linux.oracle.com/errata/ELSA-2019-1467.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html", "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html", 
@@ -1043,10 +1190,13 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "python: CRLF injection via the query part of the url passed to urlopen()", "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9740.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://www.securityfocus.com/bid/107466", "https://access.redhat.com/errata/RHSA-2019:1260", "https://bugs.python.org/issue36276", @@ -1062,10 +1212,13 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "python: CRLF injection via the path part of the url passed to urlopen()", "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9947.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "https://access.redhat.com/errata/RHSA-2019:1260", "https://bugs.python.org/issue35906", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", 
@@ -1081,10 +1234,13 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9948.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", "http://www.securityfocus.com/bid/107549", 
@@ -1095,6 +1251,106 @@ "https://security.netapp.com/advisory/ntap-20190404-0004/" ] }, + { + "VulnerabilityID": "CVE-2013-7040", + "PkgName": "libpython2.7-minimal", + "InstalledVersion": "2.7.13-2+deb9u3", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "debian", + "Title": "python: hash secret can be recovered remotely", + "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", + "Severity": "LOW", + "References": [ + "http://bugs.python.org/issue14621", + "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", + "http://www.openwall.com/lists/oss-security/2013/12/09/13", + "http://www.openwall.com/lists/oss-security/2013/12/09/3", + "http://www.securityfocus.com/bid/64194", + "https://support.apple.com/kb/HT205031" + ] + }, + { + "VulnerabilityID": "CVE-2017-17522", + "PkgName": "libpython2.7-minimal", + "InstalledVersion": "2.7.13-2+deb9u3", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "debian", + "Title": "python: Command injection in Lib/webbrowser.py", + "Description": "** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. 
NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/102207", + "https://bugs.python.org/issue32367", + "https://security-tracker.debian.org/tracker/CVE-2017-17522" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000030", + "PkgName": "libpython2.7-minimal", + "InstalledVersion": "2.7.13-2+deb9u3", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "debian", + "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", + "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. 
The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "Severity": "LOW", + "References": [ + "https://bugs.python.org/issue31530", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", + "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", + "https://security.gentoo.org/glsa/201811-02", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-18348", + "PkgName": "libpython2.7-minimal", + "InstalledVersion": "2.7.13-2+deb9u3", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "debian", + "Title": "python: CRLF injection via the host part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. 
(This is not exploitable when glibc has CVE-2016-10739 fixed.)", + "Severity": "LOW", + "References": [ + "https://bugs.python.org/issue30458#msg347282", + "https://bugzilla.redhat.com/show_bug.cgi?id=1727276", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://security.netapp.com/advisory/ntap-20191107-0004/" + ] + }, + { + "VulnerabilityID": "CVE-2019-9674", + "PkgName": "libpython2.7-minimal", + "InstalledVersion": "2.7.13-2+deb9u3", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "debian", + "Title": "python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py", + "Description": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue36260", + "https://bugs.python.org/issue36462", + "https://github.com/python/cpython/blob/master/Lib/zipfile.py", + "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb", + "https://security.netapp.com/advisory/ntap-20200221-0003/", + "https://www.python.org/news/security/" + ] + }, { "VulnerabilityID": "CVE-2019-8457", "PkgName": "libsqlite3-0", 
@@ -1102,34 +1358,26 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, - "Title": "sqlite3: heap out-of-bound read in function rtreenode()", + "SeveritySource": "nvd", + "Title": "sqlite: heap out-of-bound read in function rtreenode()", "Description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", "Severity": "HIGH", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/", "https://security.netapp.com/advisory/ntap-20190606-0002/", "https://usn.ubuntu.com/4004-1/", "https://usn.ubuntu.com/4004-2/", + "https://usn.ubuntu.com/4019-1/", + "https://usn.ubuntu.com/4019-2/", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "https://www.sqlite.org/releaselog/3_28_0.html", "https://www.sqlite.org/src/info/90acdbfce9c08858" ] }, - { - "VulnerabilityID": "CVE-2017-13685", - "PkgName": "libsqlite3-0", - "InstalledVersion": "3.27.2-3~bpo9+1", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "sqlite: Local DoS via dump_callback function", - "Description": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.", - "Severity": "MEDIUM", - "References": [ - "http://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg105314.html", - "http://www.securityfocus.com/bid/100521", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13685" - ] - }, { "VulnerabilityID": "CVE-2018-20346", "PkgName": "libsqlite3-0", @@ -1137,6 +1385,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan)", "Description": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.", "Severity": "MEDIUM", @@ -1154,10 +1403,17 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20346", "https://github.com/zhuowei/worthdoingbadly.com/blob/master/_posts/2018-12-14-sqlitebug.html", "https://lists.debian.org/debian-lts-announce/2018/12/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU4NZ6DDU4BEM3ACM3FM6GLEPX56ZQXK/", "https://news.ycombinator.com/item?id=18685296", "https://security.gentoo.org/glsa/201904-21", "https://sqlite.org/src/info/940f2adc8541a838", "https://sqlite.org/src/info/d44318f59044162e", + "https://support.apple.com/HT209443", + "https://support.apple.com/HT209446", + "https://support.apple.com/HT209447", + "https://support.apple.com/HT209448", + "https://support.apple.com/HT209450", + "https://support.apple.com/HT209451", "https://usn.ubuntu.com/4019-1/", "https://usn.ubuntu.com/4019-2/", "https://worthdoingbadly.com/sqlitebug/", 
@@ -1174,6 +1430,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "CVE-2018-20346 CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan)", "Description": "SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).", "Severity": "MEDIUM", @@ -1213,6 +1470,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "CVE-2018-20346 CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite which can be triggered via corrupted internal databases (Magellan)", "Description": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a \"merge\" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.", "Severity": "MEDIUM", @@ -1254,6 +1512,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "sqlite: NULL pointer dereference with databases with schema corrupted with CREATE TABLE AS allows for denial of service", "Description": "In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.", "Severity": "MEDIUM", 
@@ -1275,15 +1534,56 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", + "Title": "sqlite: division by zero in whereLoopAddBtreeIndex in sqlite3.c", "Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"", "Severity": "MEDIUM", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/", "https://security.netapp.com/advisory/ntap-20190926-0003/", + "https://security.netapp.com/advisory/ntap-20200122-0003/", + "https://usn.ubuntu.com/4205-1/", "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html", + "https://www.oracle.com/security-alerts/cpujan2020.html", "https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62", "https://www.sqlite.org/src/timeline?c=98357d8c1263920b" ] }, + { + "VulnerabilityID": "CVE-2019-19603", + "PkgName": "libsqlite3-0", + "InstalledVersion": "3.27.2-3~bpo9+1", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "nvd", + "Title": "sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to DoS", + "Description": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13", + "https://security.netapp.com/advisory/ntap-20191223-0001/", + "https://www.sqlite.org/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20218", + "PkgName": 
"libsqlite3-0", + "InstalledVersion": "3.27.2-3~bpo9+1", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "nvd", + "Title": "sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error", + "Description": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387", + "https://usn.ubuntu.com/4298-1/" + ] + }, { "VulnerabilityID": "CVE-2019-5827", "PkgName": "libsqlite3-0", @@ -1291,6 +1591,7 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "nvd", "Title": "chromium-browser: out-of-bounds access in SQLite", "Description": "Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "Severity": "MEDIUM", 
@@ -1303,6 +1604,59 @@ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKN4GPMBQ3SDXWB4HL45II5CZ7P2E4AI/" ] }, + { + "VulnerabilityID": "CVE-2020-9327", + "PkgName": "libsqlite3-0", + "InstalledVersion": "3.27.2-3~bpo9+1", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "nvd", + "Title": "sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations", + "Description": "In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.", + "Severity": "MEDIUM", + "References": [ + "https://security.gentoo.org/glsa/202003-16", + "https://security.netapp.com/advisory/ntap-20200313-0002/", + "https://usn.ubuntu.com/4298-1/", + "https://www.sqlite.org/cgi/src/info/4374860b29383380", + "https://www.sqlite.org/cgi/src/info/9d0d4ab95dc0c56e", + "https://www.sqlite.org/cgi/src/info/abc473fb8fb99900" + ] + }, + { + "VulnerabilityID": "CVE-2017-13685", + "PkgName": "libsqlite3-0", + "InstalledVersion": "3.27.2-3~bpo9+1", + "Layer": { + "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "debian", + "Title": "sqlite: Local DoS via dump_callback function", + "Description": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.", + "Severity": "LOW", + "References": [ + "http://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg105314.html", + "http://www.securityfocus.com/bid/100521", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13685" + ] + }, + { + "VulnerabilityID": "CVE-2019-19645", + "PkgName": "libsqlite3-0", + "InstalledVersion": "3.27.2-3~bpo9+1", + "Layer": { + "DiffID": 
"sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" + }, + "SeveritySource": "nvd", + "Title": "sqlite: infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements", + "Description": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "Severity": "LOW", + "References": [ + "https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06", + "https://security.netapp.com/advisory/ntap-20191223-0001/" + ] + }, { "VulnerabilityID": "CVE-2019-9936", "PkgName": "libsqlite3-0", @@ -1310,9 +1664,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "sqlite: heap-based buffer over-read in function fts5HashEntrySort in sqlite3.c", "Description": "In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00026.html", "http://www.securityfocus.com/bid/107562", 
@@ -1332,9 +1687,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "sqlite: null-pointer dereference in function fts5ChunkIterate in sqlite3.c", "Description": "In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00026.html", "http://www.securityfocus.com/bid/107562", 
@@ -1347,6 +1703,29 @@ "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg114393.html" ] }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "libssl1.1", + "InstalledVersion": "1.1.0k-1~deb9u1", + "FixedVersion": "1.1.0l-1~deb9u1", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "MEDIUM", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, { "VulnerabilityID": "CVE-2007-6755", "PkgName": "libssl1.1", 
@@ -1354,9 +1733,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "Dual_EC_DRBG: weak pseudo random number generator", "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", @@ -1375,9 +1755,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "openssl: RSA authentication weakness", "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf", 
@@ -1388,25 +1769,29 @@ ] }, { - "VulnerabilityID": "CVE-2019-1563", + "VulnerabilityID": "CVE-2019-1551", "PkgName": "libssl1.1", "InstalledVersion": "1.1.0k-1~deb9u1", - "FixedVersion": "1.1.0l-1~deb9u1", "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, - "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", - "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - "Severity": "MEDIUM", + "SeveritySource": "debian", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "LOW", "References": [ - "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", - "https://seclists.org/bugtraq/2019/Sep/25", - "https://security.netapp.com/advisory/ntap-20190919-0002/", - "https://www.openssl.org/news/secadv/20190910.txt" + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" ] }, { 
@@ -1416,6 +1801,7 @@ "Layer": { "DiffID": "sha256:6189abe095d53c1c9f2bfc8f50128ee876b9a5d10f9eda1564e5f5357d6ffe61" }, + "SeveritySource": "nvd", "Title": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "Description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", "Severity": "MEDIUM", @@ -1431,9 +1817,10 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -1446,9 +1833,14 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] 
@@ -1460,13 +1852,41 @@ "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, + "SeveritySource": "debian", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "openssl", + "InstalledVersion": "1.1.0k-1~deb9u1", + "FixedVersion": "1.1.0l-1~deb9u1", + "Layer": { + "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" + }, + "SeveritySource": "nvd", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "MEDIUM", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, { "VulnerabilityID": "CVE-2007-6755", "PkgName": "openssl", @@ -1474,9 +1894,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "Dual_EC_DRBG: weak pseudo random number generator", "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", "http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", 
@@ -1495,9 +1916,10 @@ "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, + "SeveritySource": "debian", "Title": "openssl: RSA authentication weakness", "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf", 
@@ -1508,95 +1930,48 @@ ] }, { - "VulnerabilityID": "CVE-2019-1563", + "VulnerabilityID": "CVE-2019-1551", "PkgName": "openssl", "InstalledVersion": "1.1.0k-1~deb9u1", - "FixedVersion": "1.1.0l-1~deb9u1", "Layer": { "DiffID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5" }, - "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", - "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - "Severity": "MEDIUM", + "SeveritySource": "debian", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "LOW", "References": [ - "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", - "https://seclists.org/bugtraq/2019/Sep/25", - "https://security.netapp.com/advisory/ntap-20190919-0002/", - "https://www.openssl.org/news/secadv/20190910.txt" + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" ] }, { - "VulnerabilityID": "CVE-2019-5010", + "VulnerabilityID": "CVE-2020-8492", "PkgName": "python2.7-minimal", "InstalledVersion": "2.7.13-2+deb9u3", "Layer": { "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in 
Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", + "SeveritySource": "nvd", + "Title": "python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS", + "Description": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", "Severity": "HIGH", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" - ] - }, - { - "VulnerabilityID": "CVE-2013-7040", - "PkgName": "python2.7-minimal", - "InstalledVersion": "2.7.13-2+deb9u3", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "python: hash secret can be recovered remotely", - "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", - "Severity": "MEDIUM", - "References": [ - "http://bugs.python.org/issue14621", - "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html", - "http://www.openwall.com/lists/oss-security/2013/12/09/13", - "http://www.openwall.com/lists/oss-security/2013/12/09/3", - "http://www.securityfocus.com/bid/64194", - "https://support.apple.com/kb/HT205031" - ] - }, - { - "VulnerabilityID": "CVE-2017-17522", - "PkgName": "python2.7-minimal", - "InstalledVersion": "2.7.13-2+deb9u3", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "python: Command injection in Lib/webbrowser.py", - "Description": "** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/102207", - "https://bugs.python.org/issue32367", - "https://security-tracker.debian.org/tracker/CVE-2017-17522" - ] - }, - { - "VulnerabilityID": "CVE-2018-1000030", - "PkgName": "python2.7-minimal", - "InstalledVersion": "2.7.13-2+deb9u3", - "Layer": { - "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e" - }, - "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", - "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. 
The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.python.org/issue31530", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", - "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", - "https://security.gentoo.org/glsa/201811-02", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0" + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue39503", + "https://github.com/python/cpython/pull/18284", + "https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html", + "https://security.netapp.com/advisory/ntap-20200221-0001/" ] }, { 
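Review bot: The three python2.7-minimal findings deleted in this hunk (CVE-2013-7040, CVE-2017-17522, CVE-2018-1000030, all previously "Severity": "MEDIUM") have no counterpart added back anywhere in the visible diff, whereas the other deletions in this file (CVE-2019-5010 here, CVE-2017-13685 and CVE-2019-1563 earlier) are each re-inserted later with a `"SeveritySource"`. If the new trivy-db snapshot intentionally stops reporting them for 2.7.13-2+deb9u3, a sentence in the commit description naming the reason would let reviewers tell a database policy change from a regression in the scanner's expected output; otherwise the golden report has simply lost three findings. The remainder of this file after the chunk is outside my view, so that part should be checked for the re-added entries before accepting the change.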
@@ -1606,10 +1981,13 @@
 "Layer": {
 "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
 },
+ "SeveritySource": "nvd",
 "Title": "python: Cookie domain check returns incorrect results",
 "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-20852.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4884.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html",
 "https://bugs.python.org/issue35121",
@@ -1625,6 +2003,7 @@
 "Layer": {
 "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
 },
+ "SeveritySource": "nvd",
 "Title": "python: email.utils.parseaddr wrongly parses email addresses",
 "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
 "Severity": "MEDIUM",
@@ -1647,6 +2026,7 @@
 "Layer": {
 "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
 },
+ "SeveritySource": "nvd",
 "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field",
 "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
 "Severity": "MEDIUM",
@@ -1660,6 +2040,27 @@
 "https://usn.ubuntu.com/4151-2/"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-5010",
+ "PkgName": "python2.7-minimal",
+ "InstalledVersion": "2.7.13-2+deb9u3",
+ "Layer": {
+ "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
+ },
+ "SeveritySource": "nvd",
+ "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
+ "Description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2019-5010.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3520.html",
+ "https://access.redhat.com/errata/RHSA-2019:3520",
+ "https://access.redhat.com/errata/RHSA-2019:3725",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
+ "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html",
+ "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2019-9636",
 "PkgName": "python2.7-minimal",
@@ -1667,10 +2068,13 @@
 "Layer": {
 "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
 },
+ "SeveritySource": "nvd",
 "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
 "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-9636.html",
+ "http://linux.oracle.com/errata/ELSA-2019-1467.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html",
@@ -1709,10 +2113,13 @@
 "Layer": {
 "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
 },
+ "SeveritySource": "nvd",
 "Title": "python: CRLF injection via the query part of the url passed to urlopen()",
 "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-9740.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3520.html",
 "http://www.securityfocus.com/bid/107466",
 "https://access.redhat.com/errata/RHSA-2019:1260",
 "https://bugs.python.org/issue36276",
@@ -1728,10 +2135,13 @@
 "Layer": {
 "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
 },
+ "SeveritySource": "nvd",
 "Title": "python: CRLF injection via the path part of the url passed to urlopen()",
 "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-9947.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3520.html",
 "https://access.redhat.com/errata/RHSA-2019:1260",
 "https://bugs.python.org/issue35906",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947",
@@ -1747,10 +2157,13 @@
 "Layer": {
 "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
 },
+ "SeveritySource": "nvd",
 "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
 "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-9948.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3520.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html",
 "http://www.securityfocus.com/bid/107549",
@@ -1760,6 +2173,106 @@
 "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html",
 "https://security.netapp.com/advisory/ntap-20190404-0004/"
 ]
+ },
+ {
+ "VulnerabilityID": "CVE-2013-7040",
+ "PkgName": "python2.7-minimal",
+ "InstalledVersion": "2.7.13-2+deb9u3",
+ "Layer": {
+ "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
+ },
+ "SeveritySource": "debian",
+ "Title": "python: hash secret can be recovered remotely",
+ "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.",
+ "Severity": "LOW",
+ "References": [
+ "http://bugs.python.org/issue14621",
+ "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html",
+ "http://www.openwall.com/lists/oss-security/2013/12/09/13",
+ "http://www.openwall.com/lists/oss-security/2013/12/09/3",
+ "http://www.securityfocus.com/bid/64194",
+ "https://support.apple.com/kb/HT205031"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2017-17522",
+ "PkgName": "python2.7-minimal",
+ "InstalledVersion": "2.7.13-2+deb9u3",
+ "Layer": {
+ "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
+ },
+ "SeveritySource": "debian",
+ "Title": "python: Command injection in Lib/webbrowser.py",
+ "Description": "** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. 
NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.",
+ "Severity": "LOW",
+ "References": [
+ "http://www.securityfocus.com/bid/102207",
+ "https://bugs.python.org/issue32367",
+ "https://security-tracker.debian.org/tracker/CVE-2017-17522"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2018-1000030",
+ "PkgName": "python2.7-minimal",
+ "InstalledVersion": "2.7.13-2+deb9u3",
+ "Layer": {
+ "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
+ },
+ "SeveritySource": "debian",
+ "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c",
+ "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. 
The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.",
+ "Severity": "LOW",
+ "References": [
+ "https://bugs.python.org/issue31530",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030",
+ "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view",
+ "https://security.gentoo.org/glsa/201811-02",
+ "https://usn.ubuntu.com/3817-1/",
+ "https://usn.ubuntu.com/3817-2/",
+ "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0",
+ "https://www.oracle.com/security-alerts/cpujan2020.html"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-18348",
+ "PkgName": "python2.7-minimal",
+ "InstalledVersion": "2.7.13-2+deb9u3",
+ "Layer": {
+ "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
+ },
+ "SeveritySource": "debian",
+ "Title": "python: CRLF injection via the host part of the url passed to urlopen()",
+ "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. 
(This is not exploitable when glibc has CVE-2016-10739 fixed.)",
+ "Severity": "LOW",
+ "References": [
+ "https://bugs.python.org/issue30458#msg347282",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=1727276",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/",
+ "https://security.netapp.com/advisory/ntap-20191107-0004/"
+ ]
+ },
+ {
+ "VulnerabilityID": "CVE-2019-9674",
+ "PkgName": "python2.7-minimal",
+ "InstalledVersion": "2.7.13-2+deb9u3",
+ "Layer": {
+ "DiffID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e"
+ },
+ "SeveritySource": "debian",
+ "Title": "python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py",
+ "Description": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.",
+ "Severity": "LOW",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html",
+ "https://bugs.python.org/issue36260",
+ "https://bugs.python.org/issue36462",
+ "https://github.com/python/cpython/blob/master/Lib/zipfile.py",
+ "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb",
+ "https://security.netapp.com/advisory/ntap-20200221-0003/",
+ "https://www.python.org/news/security/"
+ ]
 }
 ]
 }
diff --git a/integration/testdata/opensuse-leap-151.json.golden b/integration/testdata/opensuse-leap-151.json.golden
index d60b640bc5..a4a4c5312f 100644
--- a/integration/testdata/opensuse-leap-151.json.golden
+++ b/integration/testdata/opensuse-leap-151.json.golden
@@ -1,6 +1,7 @@
 [
 {
 "Target": "testdata/fixtures/opensuse-leap-151.tar.gz (opensuse.leap 15.1)",
+ "Type": "opensuse.leap",
 "Vulnerabilities": [
 {
 "VulnerabilityID": "openSUSE-SU-2019:2596-1",
@@ -11,12 +12,61 @@
 "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
 },
 "Title": "Security update for cpio",
+ "Description": "This update for cpio fixes the following issues:\n\n- CVE-2019-14866: Fixed an improper validation of the values written \n in the header of a TAR file through the to_oct() function which could \n have led to unexpected TAR generation (bsc#1155199).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
 "Severity": "MEDIUM",
 "References": [
 "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00076.html",
 "https://www.suse.com/support/security/rating/"
 ]
 },
+ {
+ "VulnerabilityID": "openSUSE-SU-2020:0381-1",
+ "PkgName": "glibc",
+ "InstalledVersion": "2.26-lp151.18.7",
+ "FixedVersion": "2.26-lp151.19.3.1",
+ "Layer": {
+ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+ },
+ "Title": "Security update for glibc",
+ "Description": "This update for glibc fixes the following issues:\n\n- CVE-2020-10029: Fixed a potential overflow in on-stack buffer \n during range reduction (bsc#1165784).\t \n- Fixed an issue where pthread were not always locked correctly (bsc#1164505).\n- Document mprotect and introduce section on memory protection (bsc#1163184).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
+ "Severity": "LOW",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html",
+ "https://www.suse.com/support/security/rating/"
+ ]
+ },
+ {
+ "VulnerabilityID": "openSUSE-SU-2020:0166-1",
+ "PkgName": "libcom_err2",
+ "InstalledVersion": "1.43.8-lp151.5.6.1",
+ "FixedVersion": "1.43.8-lp151.5.12.1",
+ "Layer": {
+ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+ },
+ "Title": "Security update for e2fsprogs",
+ "Description": "This update for e2fsprogs fixes the following issues:\n\n- CVE-2019-5188: Fixed a code execution vulnerability in the 
directory rehashing functionality (bsc#1160571).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+ "https://www.suse.com/support/security/rating/"
+ ]
+ },
+ {
+ "VulnerabilityID": "openSUSE-SU-2020:0022-1",
+ "PkgName": "libgcrypt20",
+ "InstalledVersion": "1.8.2-lp151.9.4.1",
+ "FixedVersion": "1.8.2-lp151.9.7.1",
+ "Layer": {
+ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+ },
+ "Title": "Security update for libgcrypt",
+ "Description": "This update for libgcrypt fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).\n\nBug fixes:\n\n- Added CMAC AES self test (bsc#1155339).\n- Added CMAC TDES self test missing (bsc#1155338).\n- Fix test dsa-rfc6979 in FIPS mode.\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00018.html",
+ "https://www.suse.com/support/security/rating/"
+ ]
+ },
 {
 "VulnerabilityID": "openSUSE-SU-2019:2611-1",
 "PkgName": "libidn2-0",
@@ -26,6 +76,7 @@
 "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
 },
 "Title": "Security update for libidn2",
+ "Description": "This update for libidn2 to version 2.2.0 fixes the following issues:\n\n- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).\n- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
 "Severity": "MEDIUM",
 "References": [
 "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
@@ -41,12 +92,61 @@
 "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
 },
 "Title": "Security update for ncurses",
+ "Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
 "Severity": "MEDIUM",
 "References": [
 "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html",
 "https://www.suse.com/support/security/rating/"
 ]
 },
+ {
+ "VulnerabilityID": "openSUSE-SU-2020:0379-1",
+ "PkgName": "libnghttp2-14",
+ "InstalledVersion": "1.39.2-lp151.3.3.1",
+ "FixedVersion": "1.40.0-lp151.3.6.1",
+ "Layer": {
+ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+ },
+ "Title": "Security update for nghttp2",
+ "Description": "This update for nghttp2 fixes the following issues:\n\nnghttp2 was update to version 1.40.0 (bsc#1166481)\n\n- lib: Add nghttp2_check_authority as public API\n- lib: Fix the bug that stream is closed with wrong error code\n- lib: Faster huffman encoding and decoding\n- build: Avoid filename collision of static and dynamic lib\n- build: Add new flag ENABLE_STATIC_CRT for Windows\n- build: cmake: Support building nghttpx with systemd\n- third-party: Update neverbleed to fix memory leak\n- nghttpx: Fix bug that mruby is incorrectly shared between backends\n- nghttpx: Reconnect h1 backend if it lost connection before sending headers\n- nghttpx: Returns 408 if backend timed out before sending headers\n- nghttpx: Fix request stal\n\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
+ "Severity": "HIGH",
+ "References": [
+ 
"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00034.html",
+ "https://www.suse.com/support/security/rating/"
+ ]
+ },
+ {
+ "VulnerabilityID": "openSUSE-SU-2020:0062-1",
+ "PkgName": "libopenssl1_1",
+ "InstalledVersion": "1.1.0i-lp151.8.3.1",
+ "FixedVersion": "1.1.0i-lp151.8.6.1",
+ "Layer": {
+ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+ },
+ "Title": "Security update for openssl-1_1",
+ "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+ "https://www.suse.com/support/security/rating/"
+ ]
+ },
+ {
+ "VulnerabilityID": "openSUSE-SU-2020:0255-1",
+ "PkgName": "libsolv-tools",
+ "InstalledVersion": "0.7.6-lp151.2.3.2",
+ "FixedVersion": "0.7.10-lp151.2.10.1",
+ "Layer": {
+ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+ },
+ "Title": "Security update for libsolv, libzypp, zypper",
+ "Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user 
decides to have a system without explicit language support he may do so (bsc#1155678). \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html",
+ "https://www.suse.com/support/security/rating/"
+ ]
+ },
 {
 "VulnerabilityID": "openSUSE-SU-2019:2689-1",
 "PkgName": "libssh4",
@@ -56,12 +156,61 @@
 "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
 },
 "Title": "Security update for libssh",
- "Severity": "MEDIUM",
+ "Description": "This update for libssh fixes the following issues:\n\n- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+ "Severity": "HIGH",
 "References": [
 "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00033.html",
 "https://www.suse.com/support/security/rating/"
 ]
 },
+ {
+ "VulnerabilityID": "openSUSE-SU-2020:0102-1",
+ "PkgName": "libssh4",
+ "InstalledVersion": "0.8.7-lp151.2.3.1",
+ "FixedVersion": "0.8.7-lp151.2.9.1",
+ "Layer": {
+ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+ },
+ "Title": "Security update for libssh",
+ "Description": "This update for libssh fixes the following issues:\n\n- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
+ "Severity": "HIGH",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00047.html",
+ "https://www.suse.com/support/security/rating/"
+ ]
+ },
+ {
+ "VulnerabilityID": "openSUSE-SU-2020:0208-1",
+ "PkgName": "libsystemd0",
+ "InstalledVersion": "234-lp151.26.4.1",
+ "FixedVersion": "234-lp151.26.7.1",
+ "Layer": {
+ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+ },
+ "Title": "Security update for systemd",
+ "Description": "This update for systemd fixes the following issues:\n\n- CVE-2020-1712 (bsc#bsc#1162108)\n Fix a heap use-after-free vulnerability, when asynchronous\n Polkit queries were performed while handling Dbus messages. 
A local\n unprivileged attacker could have abused this flaw to crash systemd services or\n potentially execute code and elevate their privileges, by sending specially\n crafted Dbus messages.\n\n- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)\n\n- libblkid: open device in nonblock mode. (bsc#1084671)\n- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)\n- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)\n- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)\n- fileio: initialize errno to zero before we do fread()\n- fileio: try to read one byte too much in read_full_stream()\n- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)\n- logind: never elect a session that is stopping as display\n\n- journal: include kmsg lines from the systemd process which exec()d us (#8078)\n- udevd: don't use monitor after manager_exit()\n- udevd: capitalize log messages in on_sigchld()\n- udevd: merge conditions to decrease indentation\n- Revert 'udevd: fix crash when workers time out after exit is signal caught'\n- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)\n- udevd: fix crash when workers time out after exit is signal caught\n- udevd: wait for workers to finish when exiting (bsc#1106383)\n\n- Improve bash completion support (bsc#1155207)\n * shell-completion: systemctl: do not list template units in {re,}start\n * shell-completion: systemctl: pass current word to all list_unit*\n * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)\n * bash-completion: systemctl: use systemctl --no-pager\n * bash-completion: also suggest template unit files\n * bash-completion: systemctl: add missing options and verbs\n * bash-completion: use the first argument instead of the global variable (#6457)\n\n- networkd: VXLan Make group and remote variable 
separate (bsc#1156213)\n- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)\n- fs-util: let's avoid unnecessary strerror()\n- fs-util: introduce inotify_add_watch_and_warn() helper\n- ask-password: improve log message when inotify limit is reached (bsc#1155574)\n- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)\n- man: alias names can't be used with enable command (bsc#1151377)\n\n- Add boot option to not use swap at system start (jsc#SLE-7689)\n\n- Allow YaST to select Iranian (Persian, Farsi) keyboard layout\n (bsc#1092920)\n \nThis update was imported from the SUSE:SLE-15:Update update project.",
+ "Severity": "HIGH",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
+ "https://www.suse.com/support/security/rating/"
+ ]
+ },
+ {
+ "VulnerabilityID": "openSUSE-SU-2020:0208-1",
+ "PkgName": "libudev1",
+ "InstalledVersion": "234-lp151.26.4.1",
+ "FixedVersion": "234-lp151.26.7.1",
+ "Layer": {
+ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
+ },
+ "Title": "Security update for systemd",
+ "Description": "This update for systemd fixes the following issues:\n\n- CVE-2020-1712 (bsc#bsc#1162108)\n Fix a heap use-after-free vulnerability, when asynchronous\n Polkit queries were performed while handling Dbus messages. A local\n unprivileged attacker could have abused this flaw to crash systemd services or\n potentially execute code and elevate their privileges, by sending specially\n crafted Dbus messages.\n\n- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)\n\n- libblkid: open device in nonblock mode. (bsc#1084671)\n- udev/cdrom_id: Do not open CD-rom in exclusive mode. 
(bsc#1154256)\n- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)\n- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)\n- fileio: initialize errno to zero before we do fread()\n- fileio: try to read one byte too much in read_full_stream()\n- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)\n- logind: never elect a session that is stopping as display\n\n- journal: include kmsg lines from the systemd process which exec()d us (#8078)\n- udevd: don't use monitor after manager_exit()\n- udevd: capitalize log messages in on_sigchld()\n- udevd: merge conditions to decrease indentation\n- Revert 'udevd: fix crash when workers time out after exit is signal caught'\n- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)\n- udevd: fix crash when workers time out after exit is signal caught\n- udevd: wait for workers to finish when exiting (bsc#1106383)\n\n- Improve bash completion support (bsc#1155207)\n * shell-completion: systemctl: do not list template units in {re,}start\n * shell-completion: systemctl: pass current word to all list_unit*\n * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)\n * bash-completion: systemctl: use systemctl --no-pager\n * bash-completion: also suggest template unit files\n * bash-completion: systemctl: add missing options and verbs\n * bash-completion: use the first argument instead of the global variable (#6457)\n\n- networkd: VXLan Make group and remote variable separate (bsc#1156213)\n- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)\n- fs-util: let's avoid unnecessary strerror()\n- fs-util: introduce inotify_add_watch_and_warn() helper\n- ask-password: improve log message when inotify limit is reached (bsc#1155574)\n- shared/install: failing with -ELOOP can be due to the use of an alias in 
install_error() (bsc#1151377)\n- man: alias names can't be used with enable command (bsc#1151377)\n\n- Add boot option to not use swap at system start (jsc#SLE-7689)\n\n- Allow YaST to select Iranian (Persian, Farsi) keyboard layout\n (bsc#1092920)\n \nThis update was imported from the SUSE:SLE-15:Update update project.",
+ "Severity": "HIGH",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html",
+ "https://www.suse.com/support/security/rating/"
+ ]
+ },
 {
 "VulnerabilityID": "openSUSE-SU-2019:2612-1",
 "PkgName": "libxml2-2",
@@ -71,12 +220,29 @@ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff" }, "Title": "Security update for libxml2", + "Description": "This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect\nall CVEs that have been fixed over the past.\nThis update was imported from the SUSE:SLE-15:Update update project.", "Severity": "UNKNOWN", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00010.html", "https://www.suse.com/support/security/rating/" ] }, + { + "VulnerabilityID": "openSUSE-SU-2020:0255-1", + "PkgName": "libzypp", + "InstalledVersion": "17.15.0-lp151.2.3.2", + "FixedVersion": "17.19.0-lp151.2.10.1", + "Layer": { + "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff" + }, + "Title": "Security update for libsolv, libzypp, zypper", + "Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). 
\n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html", + "https://www.suse.com/support/security/rating/" + ] + }, { "VulnerabilityID": "openSUSE-SU-2019:2551-1", "PkgName": "ncurses-utils", 
@@ -86,12 +252,29 @@ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff" }, "Title": "Security update for ncurses", + "Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", "https://www.suse.com/support/security/rating/" ] }, + { + "VulnerabilityID": "openSUSE-SU-2020:0062-1", + "PkgName": "openssl-1_1", + "InstalledVersion": "1.1.0i-lp151.8.3.1", + "FixedVersion": "1.1.0i-lp151.8.6.1", + "Layer": { + "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff" + }, + "Title": "Security update for openssl-1_1", + "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "https://www.suse.com/support/security/rating/" + ] + }, { "VulnerabilityID": "openSUSE-SU-2019:2672-1", "PkgName": "permissions", 
@@ -101,12 +284,29 @@ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff" }, "Title": "Security update for permissions", + "Description": "This update for permissions fixes the following issues:\n\n- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid\n which could have allowed a squid user to gain persistence by changing the \n binary (bsc#1093414).\n- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic \n links (bsc#1150734).\n- Fixed a regression which caused sagmentation fault (bsc#1157198).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00024.html", "https://www.suse.com/support/security/rating/" ] }, + { + "VulnerabilityID": "openSUSE-SU-2020:0302-1", + "PkgName": "permissions", + "InstalledVersion": "20181116-lp151.4.6.1", + "FixedVersion": "20181116-lp151.4.12.1", + "Layer": { + "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff" + }, + "Title": "Security update for permissions", + "Description": "This update for permissions fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)\n- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).\n\nNon-security issues fixed:\n\n- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).\n- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00010.html", + "https://www.suse.com/support/security/rating/" + ] + }, { "VulnerabilityID": 
"openSUSE-SU-2019:2551-1", "PkgName": "terminfo-base", 
@@ -116,11 +316,28 @@ "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff" }, "Title": "Security update for ncurses", + "Description": "This update for ncurses fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).\n- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).\n\nNon-security issue fixed:\n\n- Removed screen.xterm from terminfo database (bsc#1103320).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", "https://www.suse.com/support/security/rating/" ] + }, + { + "VulnerabilityID": "openSUSE-SU-2020:0255-1", + "PkgName": "zypper", + "InstalledVersion": "1.14.30-lp151.2.3.1", + "FixedVersion": "1.14.33-lp151.2.10.1", + "Layer": { + "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff" + }, + "Title": "Security update for libsolv, libzypp, zypper", + "Description": "This update for libsolv, libzypp, zypper fixes the following issues:\n\n\nSecurity issue fixed:\n\n- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).\n\nBug fixes\n\n- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).\n- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).\n- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). \n- Load only target resolvables for zypper rm (bsc#1157377).\n- Fix broken search by filelist (bsc#1135114).\n- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).\n- Do not sort out requested locales which are not available (bsc#1155678).\n- Prevent listing duplicate matches in tables. 
XML result is provided within the new list-patches-byissue element (bsc#1154805). \n- XML add patch issue-date and issue-list (bsc#1154805).\n- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).\n- Always execute commit when adding/removing locales (fixes bsc#1155205).\n- Fix description of --table-style,-s in man page (bsc#1154804).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html", + "https://www.suse.com/support/security/rating/" + ] } ] } diff --git a/integration/testdata/opensuse-leap-423.json.golden b/integration/testdata/opensuse-leap-423.json.golden index 2848be9b57..4dc2d6c78a 100644 --- a/integration/testdata/opensuse-leap-423.json.golden +++ b/integration/testdata/opensuse-leap-423.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/opensuse-leap-423.tar.gz (opensuse.leap 42.3)", + "Type": "opensuse.leap", "Vulnerabilities": null } ] \ No newline at end of file diff --git a/integration/testdata/oraclelinux-6-slim.json.golden b/integration/testdata/oraclelinux-6-slim.json.golden index 8a916af9bb..41fd2492b3 100644 --- a/integration/testdata/oraclelinux-6-slim.json.golden +++ b/integration/testdata/oraclelinux-6-slim.json.golden 
@@ -1,7 +1,54 @@ [ { "Target": "testdata/fixtures/oraclelinux-6-slim.tar.gz (oracle 6.10)", + "Type": "oracle", "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "curl", + "InstalledVersion": "7.19.7-53.0.2.el6_9", + "FixedVersion": "7.19.7-54.0.2.el6_10", + "Layer": { + "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" + }, + "SeveritySource": "nvd", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "libcurl", + "InstalledVersion": "7.19.7-53.0.2.el6_9", + "FixedVersion": "7.19.7-54.0.2.el6_10", + "Layer": { + "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" + }, + "SeveritySource": "nvd", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + 
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, { "VulnerabilityID": "CVE-2019-3855", "PkgName": "libssh2", @@ -10,10 +57,13 @@ "Layer": { "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" }, + "SeveritySource": "nvd", "Title": "libssh2: Integer overflow in transport read resulting in out of bounds write", "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", - "Severity": "CRITICAL", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3855.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", 
@@ -42,10 +92,13 @@ "Layer": { "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" }, + "SeveritySource": "nvd", "Title": "libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write", "Description": "An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3856.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://access.redhat.com/errata/RHSA-2019:0679", @@ -68,10 +121,13 @@ "Layer": { "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" }, + "SeveritySource": "nvd", "Title": "libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write", "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3857.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://access.redhat.com/errata/RHSA-2019:0679", 
@@ -94,10 +150,13 @@ "Layer": { "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" }, + "SeveritySource": "nvd", "Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3862.html", + "http://linux.oracle.com/errata/ELSA-2019-4693.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", @@ -124,10 +183,13 @@ "Layer": { "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" }, + "SeveritySource": "nvd", "Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes", "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3863.html", + "http://linux.oracle.com/errata/ELSA-2019-1652.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://access.redhat.com/errata/RHSA-2019:0679", 
@@ -142,6 +204,62 @@ "https://www.libssh2.org/CVE-2019-3863.html" ] }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn", + "InstalledVersion": "3.14.3-23.3.0.1.el6_8", + "FixedVersion": "3.44.0-6.0.1.el6_10", + "Layer": { + "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" + }, + "SeveritySource": "nvd", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.14.3-23.3.0.1.el6_8", + "FixedVersion": "3.44.0-6.0.1.el6_10", + "Layer": { + "DiffID": 
"sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" + }, + "SeveritySource": "nvd", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2019-1559", "PkgName": "openssl", 
@@ -150,10 +268,13 @@ "Layer": { "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" }, + "SeveritySource": "nvd", "Title": "openssl: 0-byte record padding oracle", "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-1559.html", + "http://linux.oracle.com/errata/ELSA-2019-2471.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html", 
@@ -177,6 +298,52 @@ "https://www.tenable.com/security/tns-2019-02", "https://www.tenable.com/security/tns-2019-03" ] + }, + { + "VulnerabilityID": "CVE-2018-20852", + "PkgName": "python", + "InstalledVersion": "2.6.6-68.0.1.el6_10", + "FixedVersion": "2.6.6-68.0.2.el6_10", + "Layer": { + "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" + }, + "SeveritySource": "nvd", + "Title": "python: Cookie domain check returns incorrect results", + "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. 
This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20852.html", + "http://linux.oracle.com/errata/ELSA-2019-4884.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html", + "https://bugs.python.org/issue35121", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html", + "https://python-security.readthedocs.io/vuln/cookie-domain-check.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-20852", + "PkgName": "python-libs", + "InstalledVersion": "2.6.6-68.0.1.el6_10", + "FixedVersion": "2.6.6-68.0.2.el6_10", + "Layer": { + "DiffID": "sha256:a6f189f69066d36aff8efe2602482d28c02de433aef44ee9087b291df7e8fd08" + }, + "SeveritySource": "nvd", + "Title": "python: Cookie domain check returns incorrect results", + "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. 
This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20852.html", + "http://linux.oracle.com/errata/ELSA-2019-4884.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html", + "https://bugs.python.org/issue35121", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html", + "https://python-security.readthedocs.io/vuln/cookie-domain-check.html" + ] } ] } diff --git a/integration/testdata/oraclelinux-7-slim.json.golden b/integration/testdata/oraclelinux-7-slim.json.golden index 278fd6d195..2f2455b22d 100644 --- a/integration/testdata/oraclelinux-7-slim.json.golden +++ b/integration/testdata/oraclelinux-7-slim.json.golden 
@@ -1,7 +1,31 @@ [ { "Target": "testdata/fixtures/oraclelinux-7-slim.tar.gz (oracle 7.6)", + "Type": "oracle", "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "curl", + "InstalledVersion": "7.29.0-51.0.1.el7_6.3", + "FixedVersion": "7.29.0-54.0.5.el7_7.2", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, { "VulnerabilityID": "CVE-2018-16842", "PkgName": "curl", 
@@ -10,10 +34,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting", "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16842.html", + "http://linux.oracle.com/errata/ELSA-2019-2181.html", "http://www.securitytracker.com/id/1042014", "https://access.redhat.com/errata/RHSA-2019:2181", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842", @@ -35,10 +62,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash", "Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.", "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16402.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402", "https://sourceware.org/bugzilla/show_bug.cgi?id=23528", "https://usn.ubuntu.com/4012-1/" 
@@ -52,10 +82,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file", "Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16062.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062", @@ -73,10 +106,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash", "Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16403.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403", 
@@ -93,10 +129,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl", "Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18310.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23752", @@ -112,10 +151,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "elfutils: eu-size cannot handle recursive ar files", "Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18520.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23787", 
@@ -131,10 +173,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c", "Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18521.html", + "http://linux.oracle.com/errata/ELSA-2019-2197.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=23786", @@ -150,10 +195,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw", "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7149.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24102", 
@@ -169,10 +217,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c", "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7150.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24103", @@ -188,10 +239,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h", "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7664.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://access.redhat.com/errata/RHSA-2019:2197", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664", "https://sourceware.org/bugzilla/show_bug.cgi?id=24084" 
@@ -205,10 +259,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c", "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-7665.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665", "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", "https://sourceware.org/bugzilla/show_bug.cgi?id=24089", @@ -224,10 +281,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", "http://www.securityfocus.com/bid/106672", "https://access.redhat.com/errata/RHSA-2019:2118", 
@@ -244,10 +304,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", "http://www.securityfocus.com/bid/106672", "https://access.redhat.com/errata/RHSA-2019:2118", 
@@ -256,6 +319,29 @@ "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" ] }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-51.0.1.el7_6.3", + "FixedVersion": "7.29.0-54.0.5.el7_7.2", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, { "VulnerabilityID": "CVE-2018-16842", "PkgName": "libcurl", 
@@ -264,10 +350,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "curl: Heap-based buffer over-read in the curl tool warning formatting", "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16842.html", + "http://linux.oracle.com/errata/ELSA-2019-2181.html", "http://www.securitytracker.com/id/1042014", "https://access.redhat.com/errata/RHSA-2019:2181", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842", @@ -289,10 +378,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3858.html", + "http://linux.oracle.com/errata/ELSA-2019-2136.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html", 
@@ -319,10 +411,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "libssh2: Out-of-bounds reads with specially crafted SSH packets", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-3861.html", + "http://linux.oracle.com/errata/ELSA-2019-2136.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3861", @@ -343,10 +438,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", 
@@ -361,10 +459,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -395,16 +496,73 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" ] }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss", 
@@ -413,10 +571,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -447,16 +608,73 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" ] }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.0.1.el7_5", + "FixedVersion": "3.44.0-8.0.1.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn", + "InstalledVersion": "3.36.0-5.0.1.el7_5", + "FixedVersion": "3.44.0-8.0.1.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss-softokn", 
@@ -465,10 +683,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -499,16 +720,73 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" ] }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.0.1.el7_5", + "FixedVersion": "3.44.0-8.0.1.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.36.0-5.0.1.el7_5", + "FixedVersion": "3.44.0-8.0.1.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss-softokn-freebl", 
@@ -517,10 +795,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -551,16 +832,73 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" ] }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss-sysinit", 
@@ -569,10 +907,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -603,16 +944,73 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" ] }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-tools", + "InstalledVersion": "3.36.0-7.1.el7_6", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss-tools", 
@@ -621,10 +1019,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", 
@@ -655,16 +1056,73 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "nss: Cache side-channel variant of the Bleichenbacher attack", "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-12404.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html", "http://www.securityfocus.com/bid/107260", "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" ] }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-util", + "InstalledVersion": "3.36.0-1.1.el7_6", + "FixedVersion": "3.44.0-4.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-util", + "InstalledVersion": "3.36.0-1.1.el7_6", + "FixedVersion": "3.44.0-4.el7_7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2018-0495", "PkgName": "nss-util", 
@@ -673,10 +1131,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries", "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0495.html", + "http://linux.oracle.com/errata/ELSA-2019-2237.html", "http://www.securitytracker.com/id/1041144", "http://www.securitytracker.com/id/1041147", "https://access.redhat.com/errata/RHSA-2018:3221", @@ -707,10 +1168,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "openssl: timing side channel attack in the DSA signature algorithm", "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0734.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html", "http://www.securityfocus.com/bid/105758", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734", 
@@ -739,10 +1203,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "openssl: 0-byte record padding oracle", "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-1559.html", + "http://linux.oracle.com/errata/ELSA-2019-2471.html", "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html", 
@@ -767,22 +1234,6 @@ "https://www.tenable.com/security/tns-2019-03" ] }, - { - "VulnerabilityID": "CVE-2019-5010", - "PkgName": "python", - "InstalledVersion": "2.7.5-80.0.1.el7_6", - "FixedVersion": "2.7.5-86.0.1.el7", - "Layer": { - "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" - }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" - ] - }, { "VulnerabilityID": "CVE-2018-14647", "PkgName": "python", @@ -791,10 +1242,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "python: Missing salt initialization in _elementtree.c module", "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-14647.html", + "http://linux.oracle.com/errata/ELSA-2019-2030.html", "http://www.securityfocus.com/bid/105396", "http://www.securitytracker.com/id/1041740", "https://access.redhat.com/errata/RHSA-2019:1260", 
@@ -811,6 +1265,51 @@ "https://www.debian.org/security/2018/dsa-4307" ] }, + { + "VulnerabilityID": "CVE-2018-20852", + "PkgName": "python", + "InstalledVersion": "2.7.5-80.0.1.el7_6", + "FixedVersion": "2.7.5-86.0.3.el7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "python: Cookie domain check returns incorrect results", + "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20852.html", + "http://linux.oracle.com/errata/ELSA-2019-4884.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html", + "https://bugs.python.org/issue35121", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html", + "https://python-security.readthedocs.io/vuln/cookie-domain-check.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-5010", + "PkgName": "python", + "InstalledVersion": "2.7.5-80.0.1.el7_6", + "FixedVersion": "2.7.5-86.0.1.el7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "python: NULL pointer dereference using 
a specially crafted X509 certificate", + "Description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5010.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", + "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758" + ] + }, { "VulnerabilityID": "CVE-2019-9740", "PkgName": "python", @@ -819,10 +1318,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "python: CRLF injection via the query part of the url passed to urlopen()", "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9740.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://www.securityfocus.com/bid/107466", "https://access.redhat.com/errata/RHSA-2019:1260", "https://bugs.python.org/issue36276", 
@@ -839,10 +1341,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "python: CRLF injection via the path part of the url passed to urlopen()", "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9947.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "https://access.redhat.com/errata/RHSA-2019:1260", "https://bugs.python.org/issue35906", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", @@ -859,10 +1364,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9948.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", "http://www.securityfocus.com/bid/107549", 
@@ -873,22 +1381,6 @@ "https://security.netapp.com/advisory/ntap-20190404-0004/" ] }, - { - "VulnerabilityID": "CVE-2019-5010", - "PkgName": "python-libs", - "InstalledVersion": "2.7.5-80.0.1.el7_6", - "FixedVersion": "2.7.5-86.0.1.el7", - "Layer": { - "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" - }, - "Title": "python: NULL pointer dereference using a specially crafted X509 certificate", - "Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", - "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html" - ] - }, { "VulnerabilityID": "CVE-2018-14647", "PkgName": "python-libs", @@ -897,10 +1389,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "python: Missing salt initialization in _elementtree.c module", "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-14647.html", + "http://linux.oracle.com/errata/ELSA-2019-2030.html", "http://www.securityfocus.com/bid/105396", "http://www.securitytracker.com/id/1041740", "https://access.redhat.com/errata/RHSA-2019:1260", 
@@ -917,6 +1412,51 @@ "https://www.debian.org/security/2018/dsa-4307" ] }, + { + "VulnerabilityID": "CVE-2018-20852", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-80.0.1.el7_6", + "FixedVersion": "2.7.5-86.0.3.el7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "python: Cookie domain check returns incorrect results", + "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20852.html", + "http://linux.oracle.com/errata/ELSA-2019-4884.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html", + "https://bugs.python.org/issue35121", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html", + "https://python-security.readthedocs.io/vuln/cookie-domain-check.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-5010", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-80.0.1.el7_6", + "FixedVersion": "2.7.5-86.0.1.el7", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "python: NULL pointer 
dereference using a specially crafted X509 certificate", + "Description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5010.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010", + "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758" + ] + }, { "VulnerabilityID": "CVE-2019-9740", "PkgName": "python-libs", @@ -925,10 +1465,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "python: CRLF injection via the query part of the url passed to urlopen()", "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9740.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://www.securityfocus.com/bid/107466", "https://access.redhat.com/errata/RHSA-2019:1260", "https://bugs.python.org/issue36276", 
@@ -945,10 +1488,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "python: CRLF injection via the path part of the url passed to urlopen()", "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9947.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "https://access.redhat.com/errata/RHSA-2019:1260", "https://bugs.python.org/issue35906", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947", @@ -965,10 +1511,13 @@ "Layer": { "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" }, + "SeveritySource": "nvd", "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms", "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-9948.html", + "http://linux.oracle.com/errata/ELSA-2019-3520.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html", "http://www.securityfocus.com/bid/107549", 
@@ -978,6 +1527,30 @@ "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", "https://security.netapp.com/advisory/ntap-20190404-0004/" ] + }, + { + "VulnerabilityID": "CVE-2019-13734", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "FixedVersion": "3.7.17-8.el7_7.1", + "Layer": { + "DiffID": "sha256:4fee40bcfecff11f540de853f7f0dc71efbab8c14ea599452b617e215562e3e2" + }, + "SeveritySource": "nvd", + "Title": "sqlite: fts3: improve shadow table corruption detection", + "Description": "Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-13734.html", + "http://linux.oracle.com/errata/ELSA-2020-0273.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025466", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] } ] } diff --git a/integration/testdata/oraclelinux-8-slim.json.golden b/integration/testdata/oraclelinux-8-slim.json.golden index 1ea4cc3b14..83117a158d 100644 --- a/integration/testdata/oraclelinux-8-slim.json.golden +++ b/integration/testdata/oraclelinux-8-slim.json.golden 
@@ -1,6 +1,988 @@ [ { "Target": "testdata/fixtures/oraclelinux-8-slim.tar.gz (oracle 8.0)", - "Vulnerabilities": null + "Type": "oracle", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-3822", + "PkgName": "curl", + "InstalledVersion": "7.61.1-8.el8", + "FixedVersion": "7.61.1-11.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "curl: NTLMv2 type-3 header stack buffer overflow", + "Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. 
The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3822.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106950", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2019-3822.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822", + "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E", + "https://security.gentoo.org/glsa/201903-03", + "https://security.netapp.com/advisory/ntap-20190315-0001/", + "https://security.netapp.com/advisory/ntap-20190719-0004/", + "https://usn.ubuntu.com/3882-1/", + "https://www.debian.org/security/2019/dsa-4386", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-16890", + "PkgName": "curl", + "InstalledVersion": "7.61.1-8.el8", + "FixedVersion": "7.61.1-11.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "curl: NTLM type-2 heap out-of-bounds buffer read", + "Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. 
Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16890.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106947", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2018-16890.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890", + "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E", + "https://security.netapp.com/advisory/ntap-20190315-0001/", + "https://usn.ubuntu.com/3882-1/", + "https://www.debian.org/security/2019/dsa-4386", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-3823", + "PkgName": "curl", + "InstalledVersion": "7.61.1-8.el8", + "FixedVersion": "7.61.1-11.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "curl: SMTP end-of-response out-of-bounds read", + "Description": "libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. 
The read contents will not be returned to the caller.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3823.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106950", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3823", + "https://curl.haxx.se/docs/CVE-2019-3823.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823", + "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E", + "https://security.gentoo.org/glsa/201903-03", + "https://security.netapp.com/advisory/ntap-20190315-0001/", + "https://usn.ubuntu.com/3882-1/", + "https://www.debian.org/security/2019/dsa-4386", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-20483", + "PkgName": "curl", + "InstalledVersion": "7.61.1-8.el8", + "FixedVersion": "7.61.1-11.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "wget: Information exposure in set_file_metadata function in xattr.c", + "Description": "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.", + "Severity": "LOW", + "References": [ + "http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS", + "http://linux.oracle.com/cve/CVE-2018-20483.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106358", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483", + "https://security.gentoo.org/glsa/201903-08", + "https://security.netapp.com/advisory/ntap-20190321-0002/", + "https://twitter.com/marcan42/status/1077676739877232640", + "https://usn.ubuntu.com/3943-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7146", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.174-6.el8", + "FixedVersion": "0.176-5.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "elfutils: buffer over-read in the ebl_object_note function in eblobjnote.c in libebl", + "Description": "In elfutils 0.175, there is a buffer over-read in the ebl_object_note function in eblobjnote.c in libebl. 
Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted elf file, as demonstrated by eu-readelf.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7146.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://access.redhat.com/errata/RHSA-2019:3575", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7146", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24075", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24081" + ] + }, + { + "VulnerabilityID": "CVE-2019-7149", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.174-6.el8", + "FixedVersion": "0.176-5.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw", + "Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. 
A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7149.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24102", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7150", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.174-6.el8", + "FixedVersion": "0.176-5.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c", + "Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. 
A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7150.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24103", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-7664", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.174-6.el8", + "FixedVersion": "0.176-5.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h", + "Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. 
Crafted elf input causes a segmentation fault, leading to denial of service (program crash).", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7664.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://access.redhat.com/errata/RHSA-2019:2197", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24084" + ] + }, + { + "VulnerabilityID": "CVE-2019-7665", + "PkgName": "elfutils-libelf", + "InstalledVersion": "0.174-6.el8", + "FixedVersion": "0.176-5.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c", + "Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-7665.html", + "http://linux.oracle.com/errata/ELSA-2019-3575.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24089", + "https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html", + "https://usn.ubuntu.com/4012-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-12450", + "PkgName": "glib2", + "InstalledVersion": "2.56.4-1.el8", + "FixedVersion": "2.56.4-7.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress", + 
"Description": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-12450.html", + "http://linux.oracle.com/errata/ELSA-2019-3530.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450", + "https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/", + "https://security.netapp.com/advisory/ntap-20190606-0003/", + "https://usn.ubuntu.com/4014-1/", + "https://usn.ubuntu.com/4014-2/" + ] + }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "glibc", + "InstalledVersion": "2.28-42.0.1.el8_0.1", + "FixedVersion": "2.28-72.0.1.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + 
"https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "glibc-common", + "InstalledVersion": "2.28-42.0.1.el8_0.1", + "FixedVersion": "2.28-72.0.1.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, + { + "VulnerabilityID": "CVE-2016-10739", + "PkgName": "glibc-minimal-langpack", + "InstalledVersion": "2.28-42.0.1.el8_0.1", + "FixedVersion": "2.28-72.0.1.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that 
contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", + "http://www.securityfocus.com/bid/106672", + "https://access.redhat.com/errata/RHSA-2019:2118", + "https://bugzilla.redhat.com/show_bug.cgi?id=1347549", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" + ] + }, + { + "VulnerabilityID": "CVE-2019-3829", + "PkgName": "gnutls", + "InstalledVersion": "3.6.5-2.el8", + "FixedVersion": "3.6.8-8.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "gnutls: use-after-free/double-free in certificate verification", + "Description": "A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. 
Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3829.html", + "http://linux.oracle.com/errata/ELSA-2019-3600.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00017.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3829", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829", + "https://gitlab.com/gnutls/gnutls/issues/694", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A3ETBUFBB4G7AITAOUYPGXVMBGVXKUAN/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7TJIBRJWGWSH6XIO2MXIQ3W6ES4R6I4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WRSOL66LHP4SD3Y2ECJDOGT4K663ECDU/", + "https://security.gentoo.org/glsa/201904-14", + "https://usn.ubuntu.com/3999-1/", + "https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27" + ] + }, + { + "VulnerabilityID": "CVE-2019-3836", + "PkgName": "gnutls", + "InstalledVersion": "3.6.5-2.el8", + "FixedVersion": "3.6.8-8.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "gnutls: invalid pointer access upon receiving async handshake messages", + "Description": "It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3836.html", + "http://linux.oracle.com/errata/ELSA-2019-3600.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00017.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3836", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3836", + "https://gitlab.com/gnutls/gnutls/issues/704", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A3ETBUFBB4G7AITAOUYPGXVMBGVXKUAN/", + "https://security.gentoo.org/glsa/201904-14", + "https://security.netapp.com/advisory/ntap-20190502-0005/", + "https://usn.ubuntu.com/3999-1/", + "https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27" + ] + }, + { + "VulnerabilityID": "CVE-2017-14503", + "PkgName": "libarchive", + "InstalledVersion": "3.3.2-3.el8", + "FixedVersion": "3.3.2-7.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libarchive: Out-of-bounds read in lha_read_data_none", + "Description": "libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2017-14503.html", + "http://linux.oracle.com/errata/ELSA-2019-3698.html", + "https://bugs.debian.org/875960", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14503", + "https://github.com/libarchive/libarchive/issues/948", + "https://lists.debian.org/debian-lts-announce/2018/11/msg00037.html", + "https://usn.ubuntu.com/3736-1/", + "https://www.debian.org/security/2018/dsa-4360" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000877", + "PkgName": "libarchive", + "InstalledVersion": "3.3.2-3.el8", + "FixedVersion": "3.3.2-7.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libarchive: Double free in RAR decoder resulting in a denial of service", + "Description": "libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double 
Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar-\u003elzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000877.html", + "http://linux.oracle.com/errata/ELSA-2019-3698.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.html", + "http://www.securityfocus.com/bid/106324", + "https://access.redhat.com/errata/RHSA-2019:2298", + "https://access.redhat.com/errata/RHSA-2019:3698", + "https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000877", + "https://github.com/libarchive/libarchive/pull/1105", + "https://github.com/libarchive/libarchive/pull/1105/commits/021efa522ad729ff0f5806c4ce53e4a6cc1daa31", + "https://lists.debian.org/debian-lts-announce/2018/12/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W645KCLWFDBDGFJHG57WOVXGE62QSIJI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF/", + "https://usn.ubuntu.com/3859-1/", + "https://www.debian.org/security/2018/dsa-4360" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000878", + "PkgName": "libarchive", + "InstalledVersion": "3.3.2-3.el8", + "FixedVersion": "3.3.2-7.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libarchive: Use after free in RAR decoder resulting in a denial of service", + "Description": "libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards 
(release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c that can result in Crash/DoS - it is unknown if RCE is possible. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-1000878.html", + "http://linux.oracle.com/errata/ELSA-2019-3698.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.html", + "http://www.securityfocus.com/bid/106324", + "https://access.redhat.com/errata/RHSA-2019:2298", + "https://access.redhat.com/errata/RHSA-2019:3698", + "https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000878", + "https://github.com/libarchive/libarchive/pull/1105", + "https://github.com/libarchive/libarchive/pull/1105/commits/bfcfe6f04ed20db2504db8a254d1f40a1d84eb28", + "https://lists.debian.org/debian-lts-announce/2018/12/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W645KCLWFDBDGFJHG57WOVXGE62QSIJI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF/", + "https://usn.ubuntu.com/3859-1/", + "https://www.debian.org/security/2018/dsa-4360" + ] + }, + { + "VulnerabilityID": "CVE-2019-1000019", + "PkgName": "libarchive", + "InstalledVersion": "3.3.2-3.el8", + "FixedVersion": "3.3.2-7.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service", + "Description": "libarchive version commit 
bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-1000019.html", + "http://linux.oracle.com/errata/ELSA-2019-3698.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.html", + "https://access.redhat.com/errata/RHSA-2019:2298", + "https://access.redhat.com/errata/RHSA-2019:3698", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000019", + "https://github.com/libarchive/libarchive/pull/1120", + "https://github.com/libarchive/libarchive/pull/1120/commits/65a23f5dbee4497064e9bb467f81138a62b0dae1", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00013.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF/", + "https://usn.ubuntu.com/3884-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-1000020", + "PkgName": "libarchive", + "InstalledVersion": "3.3.2-3.el8", + "FixedVersion": "3.3.2-7.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service", + "Description": "libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in 
DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-1000020.html", + "http://linux.oracle.com/errata/ELSA-2019-3698.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.html", + "https://access.redhat.com/errata/RHSA-2019:2298", + "https://access.redhat.com/errata/RHSA-2019:3698", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000020", + "https://github.com/libarchive/libarchive/pull/1120", + "https://github.com/libarchive/libarchive/pull/1120/commits/8312eaa576014cd9b965012af51bc1f967b12423", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00013.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF/", + "https://usn.ubuntu.com/3884-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18408", + "PkgName": "libarchive", + "InstalledVersion": "3.3.2-3.el8", + "FixedVersion": "3.3.2-8.el8_1", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry", + "Description": "archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-18408.html", + "http://linux.oracle.com/errata/ELSA-2020-0271.html", + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14689", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18408", + 
"https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60", + "https://github.com/libarchive/libarchive/compare/v3.3.3...v3.4.0", + "https://lists.debian.org/debian-lts-announce/2019/10/msg00034.html", + "https://seclists.org/bugtraq/2019/Nov/2", + "https://usn.ubuntu.com/4169-1/", + "https://www.debian.org/security/2019/dsa-4557" + ] + }, + { + "VulnerabilityID": "CVE-2019-3822", + "PkgName": "libcurl", + "InstalledVersion": "7.61.1-8.el8", + "FixedVersion": "7.61.1-11.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "curl: NTLMv2 type-3 header stack buffer overflow", + "Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. 
The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3822.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106950", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2019-3822.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822", + "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E", + "https://security.gentoo.org/glsa/201903-03", + "https://security.netapp.com/advisory/ntap-20190315-0001/", + "https://security.netapp.com/advisory/ntap-20190719-0004/", + "https://usn.ubuntu.com/3882-1/", + "https://www.debian.org/security/2019/dsa-4386", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-16890", + "PkgName": "libcurl", + "InstalledVersion": "7.61.1-8.el8", + "FixedVersion": "7.61.1-11.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "curl: NTLM type-2 heap out-of-bounds buffer read", + "Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. 
Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-16890.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106947", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2018-16890.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890", + "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E", + "https://security.netapp.com/advisory/ntap-20190315-0001/", + "https://usn.ubuntu.com/3882-1/", + "https://www.debian.org/security/2019/dsa-4386", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-3823", + "PkgName": "libcurl", + "InstalledVersion": "7.61.1-8.el8", + "FixedVersion": "7.61.1-11.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "curl: SMTP end-of-response out-of-bounds read", + "Description": "libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. 
The read contents will not be returned to the caller.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3823.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106950", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3823", + "https://curl.haxx.se/docs/CVE-2019-3823.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823", + "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E", + "https://security.gentoo.org/glsa/201903-03", + "https://security.netapp.com/advisory/ntap-20190315-0001/", + "https://usn.ubuntu.com/3882-1/", + "https://www.debian.org/security/2019/dsa-4386", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-20483", + "PkgName": "libcurl", + "InstalledVersion": "7.61.1-8.el8", + "FixedVersion": "7.61.1-11.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "wget: Information exposure in set_file_metadata function in xattr.c", + "Description": "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. 
According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.", + "Severity": "LOW", + "References": [ + "http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS", + "http://linux.oracle.com/cve/CVE-2018-20483.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106358", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483", + "https://security.gentoo.org/glsa/201903-08", + "https://security.netapp.com/advisory/ntap-20190321-0002/", + "https://twitter.com/marcan42/status/1077676739877232640", + "https://usn.ubuntu.com/3943-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-20534", + "PkgName": "libdnf", + "InstalledVersion": "0.22.5-5.0.2.el8", + "FixedVersion": "0.35.1-8.0.1.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libsolv: illegal address access in pool_whatprovides in src/pool.h", + "Description": "** DISPUTED ** There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. 
It cannot be exploited in any real-world application.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20534.html", + "http://linux.oracle.com/errata/ELSA-2019-3583.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00057.html", + "https://access.redhat.com/errata/RHSA-2019:2290", + "https://bugzilla.redhat.com/show_bug.cgi?id=1652604", + "https://bugzilla.suse.com/show_bug.cgi?id=1120631", + "https://github.com/openSUSE/libsolv/pull/291", + "https://usn.ubuntu.com/3916-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3817", + "PkgName": "libdnf", + "InstalledVersion": "0.22.5-5.0.2.el8", + "FixedVersion": "0.35.1-8.0.1.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libcomps: use after free when merging two objmrtrees", + "Description": "A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. 
An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3817.html", + "http://linux.oracle.com/errata/ELSA-2019-3583.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3817", + "https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046", + "https://github.com/rpm-software-management/libcomps/issues/41" + ] + }, + { + "VulnerabilityID": "CVE-2018-20534", + "PkgName": "librepo", + "InstalledVersion": "1.9.2-1.el8", + "FixedVersion": "1.10.3-3.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libsolv: illegal address access in pool_whatprovides in src/pool.h", + "Description": "** DISPUTED ** There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. 
It cannot be exploited in any real-world application.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20534.html", + "http://linux.oracle.com/errata/ELSA-2019-3583.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00057.html", + "https://access.redhat.com/errata/RHSA-2019:2290", + "https://bugzilla.redhat.com/show_bug.cgi?id=1652604", + "https://bugzilla.suse.com/show_bug.cgi?id=1120631", + "https://github.com/openSUSE/libsolv/pull/291", + "https://usn.ubuntu.com/3916-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3817", + "PkgName": "librepo", + "InstalledVersion": "1.9.2-1.el8", + "FixedVersion": "1.10.3-3.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libcomps: use after free when merging two objmrtrees", + "Description": "A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. 
An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3817.html", + "http://linux.oracle.com/errata/ELSA-2019-3583.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3817", + "https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046", + "https://github.com/rpm-software-management/libcomps/issues/41" + ] + }, + { + "VulnerabilityID": "CVE-2018-20534", + "PkgName": "libsolv", + "InstalledVersion": "0.6.35-6.el8", + "FixedVersion": "0.7.4-3.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libsolv: illegal address access in pool_whatprovides in src/pool.h", + "Description": "** DISPUTED ** There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. 
It cannot be exploited in any real-world application.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20534.html", + "http://linux.oracle.com/errata/ELSA-2019-3583.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00057.html", + "https://access.redhat.com/errata/RHSA-2019:2290", + "https://bugzilla.redhat.com/show_bug.cgi?id=1652604", + "https://bugzilla.suse.com/show_bug.cgi?id=1120631", + "https://github.com/openSUSE/libsolv/pull/291", + "https://usn.ubuntu.com/3916-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3817", + "PkgName": "libsolv", + "InstalledVersion": "0.6.35-6.el8", + "FixedVersion": "0.7.4-3.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libcomps: use after free when merging two objmrtrees", + "Description": "A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3817.html", + "http://linux.oracle.com/errata/ELSA-2019-3583.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3817", + "https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046", + "https://github.com/rpm-software-management/libcomps/issues/41" + ] + }, + { + "VulnerabilityID": "CVE-2019-6706", + "PkgName": "lua-libs", + "InstalledVersion": "5.3.4-10.el8", + "FixedVersion": "5.3.4-11.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "lua: use-after-free in lua_upvaluejoin in lapi.c resulting in denial of service", + "Description": "Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. 
For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-6706.html", + "http://linux.oracle.com/errata/ELSA-2019-3706.html", + "http://lua.2524044.n2.nabble.com/Bug-Report-Use-after-free-in-debug-upvaluejoin-tc7685506.html", + "https://access.redhat.com/errata/RHSA-2019:3706", + "https://usn.ubuntu.com/3941-1/", + "https://www.exploit-db.com/exploits/46246/" + ] + }, + { + "VulnerabilityID": "CVE-2018-20534", + "PkgName": "microdnf", + "InstalledVersion": "3.0.1-1.el8", + "FixedVersion": "3.0.1-3.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libsolv: illegal address access in pool_whatprovides in src/pool.h", + "Description": "** DISPUTED ** There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. 
It cannot be exploited in any real-world application.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20534.html", + "http://linux.oracle.com/errata/ELSA-2019-3583.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00057.html", + "https://access.redhat.com/errata/RHSA-2019:2290", + "https://bugzilla.redhat.com/show_bug.cgi?id=1652604", + "https://bugzilla.suse.com/show_bug.cgi?id=1120631", + "https://github.com/openSUSE/libsolv/pull/291", + "https://usn.ubuntu.com/3916-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3817", + "PkgName": "microdnf", + "InstalledVersion": "3.0.1-1.el8", + "FixedVersion": "3.0.1-3.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "libcomps: use after free when merging two objmrtrees", + "Description": "A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. 
An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-3817.html", + "http://linux.oracle.com/errata/ELSA-2019-3583.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3817", + "https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046", + "https://github.com/rpm-software-management/libcomps/issues/41" + ] + }, + { + "VulnerabilityID": "CVE-2018-0734", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.1.1-8.0.1.el8", + "FixedVersion": "1:1.1.1c-2.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "openssl: timing side channel attack in the DSA signature algorithm", + "Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). 
Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0734.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html", + "http://www.securityfocus.com/bid/105758", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7", + "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", + "https://security.netapp.com/advisory/ntap-20181105-0002/", + "https://security.netapp.com/advisory/ntap-20190118-0002/", + "https://security.netapp.com/advisory/ntap-20190423-0002/", + "https://usn.ubuntu.com/3840-1/", + "https://www.debian.org/security/2018/dsa-4348", + "https://www.debian.org/security/2018/dsa-4355", + "https://www.openssl.org/news/secadv/20181030.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "https://www.tenable.com/security/tns-2018-16", + "https://www.tenable.com/security/tns-2018-17" + ] + }, + { + "VulnerabilityID": "CVE-2018-0735", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.1.1-8.0.1.el8", + "FixedVersion": "1:1.1.1c-2.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "openssl: timing side channel attack in the ECDSA signature generation", + "Description": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. 
An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-0735.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", + "http://www.securityfocus.com/bid/105750", + "http://www.securitytracker.com/id/1041986", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0735", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4", + "https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html", + "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/", + "https://security.netapp.com/advisory/ntap-20181105-0002/", + "https://usn.ubuntu.com/3840-1/", + "https://www.debian.org/security/2018/dsa-4348", + "https://www.openssl.org/news/secadv/20181029.txt", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-1543", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.1.1-8.0.1.el8", + "FixedVersion": "1:1.1.1c-2.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "openssl: ChaCha20-Poly1305 with long nonces", + "Description": "ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. 
However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). 
Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-1543.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ee22257b1418438ebaf54df98af4e24f494d1809", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f426625b6ae9a7831010750490a5f0ad689c5ba3", + "https://www.openssl.org/news/secadv/20190306.txt" + ] + }, + { + "VulnerabilityID": "CVE-2019-13734", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.26.0-3.el8", + "FixedVersion": "3.26.0-4.el8_1", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "sqlite: fts3: improve shadow table corruption detection", + "Description": "Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-13734.html", + "http://linux.oracle.com/errata/ELSA-2020-0273.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025466", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] + }, + { + "VulnerabilityID": "CVE-2020-1712", + "PkgName": "systemd-libs", + "InstalledVersion": "239-13.0.1.el8_0.5", + "FixedVersion": "239-18.0.2.el8_1.4", + "Layer": { + "DiffID": 
"sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-15718", + "PkgName": "systemd-libs", + "InstalledVersion": "239-13.0.1.el8_0.5", + "FixedVersion": "239-18.0.1.el8", + "Layer": { + "DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e" + }, + "SeveritySource": "nvd", + "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", + "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. 
An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-15718.html", + "http://linux.oracle.com/errata/ELSA-2019-3592.html", + "http://www.openwall.com/lists/oss-security/2019/09/03/1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" + ] + } + ] } ] \ No newline at end of file diff --git a/integration/testdata/photon-10.json.golden b/integration/testdata/photon-10.json.golden index 85fe4f2419..d7b6ef4425 100644 --- a/integration/testdata/photon-10.json.golden +++ b/integration/testdata/photon-10.json.golden 
@@ -1,7 +1,26 @@
 [
 {
 "Target": "testdata/fixtures/photon-10.tar.gz (photon 1.0)",
+ "Type": "photon",
 "Vulnerabilities": [
+ {
+ "VulnerabilityID": "CVE-2019-18276",
+ "PkgName": "bash",
+ "InstalledVersion": "4.3.48-3.ph1",
+ "FixedVersion": "4.3.48-5.ph1",
+ "Layer": {
+ "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
+ },
+ "SeveritySource": "photon",
+ "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
+ "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
+ "Severity": "CRITICAL",
+ "References": [
+ "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html",
+ "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
+ "https://www.youtube.com/watch?v=-wGtxJ8opa8"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2012-6711",
 "PkgName": "bash",
@@ -10,9 +29,10 @@
 "Layer": {
 "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
 },
+ "SeveritySource": "photon",
 "Title": "bash: heap-based buffer overflow during echo of unsupported characters",
 "Description": "A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().",
- "Severity": "MEDIUM",
+ "Severity": "HIGH",
 "References": [
 "http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel\u0026id=863d31ae775d56b785dc5b0105b6d251515d81d5",
 "http://www.securityfocus.com/bid/108824",
@@ -20,6 +40,207 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6711" ] }, + { + "VulnerabilityID": "CVE-2019-5481", + "PkgName": "curl", + "InstalledVersion": "7.59.0-8.ph1", + "FixedVersion": "7.59.0-9.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "curl: double free due to subsequent call of realloc()", + "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", + "Severity": "CRITICAL", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "curl", + "InstalledVersion": "7.59.0-8.ph1", + "FixedVersion": "7.59.0-9.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "CRITICAL", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18218", + "PkgName": "file", + "InstalledVersion": "5.24-3.ph1", + "FixedVersion": "5.24-4.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "file: heap-based buffer overflow in cdf_read_property_info in cdf.c", + "Description": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).", + "Severity": "CRITICAL", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218", + "https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84", + "https://lists.debian.org/debian-lts-announce/2019/10/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV6PFCEYHYALMTT45QE2U5C5TEJZQPXJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VBK6XOJR6OVWT2FUEBO7V7KCOSSLAP52/", + "https://usn.ubuntu.com/4172-1/", + "https://usn.ubuntu.com/4172-2/", + "https://www.debian.org/security/2019/dsa-4550" + ] + }, + { + "VulnerabilityID": "CVE-2019-20387", + "PkgName": "libsolv", + "InstalledVersion": "0.6.19-6.ph1", + "FixedVersion": "0.6.19-7.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "libsolv: out-of-bounds read in repodata_schema2id in repodata.c", + "Description": "repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer 
over-read via a last schema whose length is less than the length of the input schema.", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20387", + "https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da", + "https://github.com/openSUSE/libsolv/compare/0.7.5...0.7.6", + "https://lists.debian.org/debian-lts-announce/2020/01/msg00034.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17498", + "PkgName": "libssh2", + "InstalledVersion": "1.9.0-1.ph1", + "FixedVersion": "1.9.0-2.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c", + "Description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. 
A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00026.html", + "https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498", + "https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498", + "https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c#L480", + "https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94", + "https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses", + "InstalledVersion": "6.0-9.ph1", + "FixedVersion": "6.0-10.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + 
"PkgName": "ncurses", + "InstalledVersion": "6.0-9.ph1", + "FixedVersion": "6.0-10.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-1547", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph1", + "FixedVersion": "1.0.2t-1.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "openssl: side-channel weak encryption vulnerability", + "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. 
In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "MEDIUM", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://arxiv.org/abs/1909.01785", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, + { + "VulnerabilityID": "CVE-2019-1551", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph1", + "FixedVersion": "1.0.2u-1.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. 
However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" + ] + }, { "VulnerabilityID": "CVE-2019-1563", "PkgName": "openssl", 
@@ -28,9 +249,10 @@
 "Layer": {
 "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b"
 },
+ "SeveritySource": "photon",
 "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
 "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
@@ -43,26 +265,199 @@ ] }, { - "VulnerabilityID": "CVE-2019-1547", - "PkgName": "openssl", - "InstalledVersion": "1.0.2s-1.ph1", - "FixedVersion": "1.0.2t-1.ph1", + "VulnerabilityID": "CVE-2019-19317", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.30.1-2.ph1", "Layer": { "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" }, - "Title": "openssl: side-channel weak encryption vulnerability", - "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - "Severity": "LOW", + "SeveritySource": "photon", + "Title": "sqlite: omits bits from the colUsed bitmask in the case of a generated column", + "Description": "lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.", + "Severity": "CRITICAL", "References": [ - "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", - "https://arxiv.org/abs/1909.01785", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", - "https://seclists.org/bugtraq/2019/Sep/25", - "https://security.netapp.com/advisory/ntap-20190919-0002/", - "https://www.openssl.org/news/secadv/20190910.txt" + "https://github.com/sqlite/sqlite/commit/522ebfa7cee96fb325a22ea3a2464a63485886a8", + "https://github.com/sqlite/sqlite/commit/73bacb7f93eab9f4bd5a65cbc4ae242acf63c9e3", + "https://security.netapp.com/advisory/ntap-20191223-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19603", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.30.1-2.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to DoS", + "Description": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.", + "Severity": "CRITICAL", + "References": [ + 
"https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13", + "https://security.netapp.com/advisory/ntap-20191223-0001/", + "https://www.sqlite.org/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19646", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.30.1-2.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "sqlite: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns", + "Description": "pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.", + "Severity": "CRITICAL", + "References": [ + "https://github.com/sqlite/sqlite/commit/926f796e8feec15f3836aa0a060ed906f8ae04d3", + "https://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd", + "https://security.netapp.com/advisory/ntap-20191223-0001/", + "https://www.sqlite.org/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20218", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.30.1-2.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error", + "Description": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.", + "Severity": "CRITICAL", + "References": [ + "https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387", + "https://usn.ubuntu.com/4298-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19244", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.31.1-1.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, 
+ "SeveritySource": "photon", + "Title": "sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage", + "Description": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.", + "Severity": "HIGH", + "References": [ + "https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348", + "https://usn.ubuntu.com/4205-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19880", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.30.1-2.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "sqlite: invalid pointer dereference in exprListAppendList in window.c", + "Description": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880", + "https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54", + "https://security.netapp.com/advisory/ntap-20200114-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19923", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.31.1-1.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference", + "Description": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. 
This can cause a NULL pointer dereference (or incorrect results).", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19923", + "https://github.com/sqlite/sqlite/commit/396afe6f6aa90a31303c183e11b2b2d4b7956b35", + "https://security.netapp.com/advisory/ntap-20200114-0003/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19925", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.31.1-1.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a NULL pathname during an update of a ZIP archive", + "Description": "zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19925", + "https://github.com/sqlite/sqlite/commit/54d501092d88c0cf89bec4279951f548fb0b8618", + "https://security.netapp.com/advisory/ntap-20200114-0003/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19926", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.31.1-1.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "sqlite: error mishandling because of incomplete fix of CVE-2019-19880", + "Description": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19926", + "https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089", + "https://security.netapp.com/advisory/ntap-20200114-0003/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19959", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.31.1-1.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "sqlite: mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames", + "Description": "ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.", + "Severity": "HIGH", + "References": [ + "https://github.com/sqlite/sqlite/commit/1e490c4ca6b43a9cf8637d695907888349f69bec", + "https://github.com/sqlite/sqlite/commit/d8f2d46cbc9925e034a68aaaf60aad788d9373c1", + "https://security.netapp.com/advisory/ntap-20200204-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19645", + "PkgName": "sqlite-autoconf", + "InstalledVersion": "3.27.2-3.ph1", + "FixedVersion": "3.30.1-2.ph1", + "Layer": { + "DiffID": "sha256:9740df1ac227d21600b22524f869c9bec2d8c13446d1c8579a6195b6d855ae2b" + }, + "SeveritySource": "photon", + "Title": "sqlite: infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements", + "Description": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "Severity": "MEDIUM", + "References": [ + 
"https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06",
+ "https://security.netapp.com/advisory/ntap-20191223-0001/"
 ]
 }
 ]
diff --git a/integration/testdata/photon-20.json.golden b/integration/testdata/photon-20.json.golden
index 2c8a31a892..e697243ee9 100644
--- a/integration/testdata/photon-20.json.golden
+++ b/integration/testdata/photon-20.json.golden
@@ -1,7 +1,26 @@
 [
 {
 "Target": "testdata/fixtures/photon-20.tar.gz (photon 2.0)",
+ "Type": "photon",
 "Vulnerabilities": [
+ {
+ "VulnerabilityID": "CVE-2019-18276",
+ "PkgName": "bash",
+ "InstalledVersion": "4.4.12-3.ph2",
+ "FixedVersion": "4.4.18-1.ph2",
+ "Layer": {
+ "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
+ },
+ "SeveritySource": "photon",
+ "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
+ "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
+ "Severity": "CRITICAL",
+ "References": [
+ "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html",
+ "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
+ "https://www.youtube.com/watch?v=-wGtxJ8opa8"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2019-5481",
 "PkgName": "curl",
@@ -10,13 +29,15 @@
 "Layer": {
 "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
 },
+ "SeveritySource": "photon",
 "Title": "curl: double free due to subsequent call of realloc()",
 "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
- "Severity": "HIGH",
+ "Severity": "CRITICAL",
 "References": [
 "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
 "https://curl.haxx.se/docs/CVE-2019-5481.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
 "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
 "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
 ]
@@ -29,10 +50,13 @@
 "Layer": {
 "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
 },
+ "SeveritySource": "photon",
 "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
 "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
- "Severity": "HIGH",
+ "Severity": "CRITICAL",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-5482.html",
+ "http://linux.oracle.com/errata/ELSA-2020-5562.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
 "https://curl.haxx.se/docs/CVE-2019-5482.html",
@@ -49,10 +73,13 @@
 "Layer": {
 "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
 },
+ "SeveritySource": "photon",
 "Title": "curl: NTLM type-2 heap out-of-bounds buffer read",
 "Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16890.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3701.html",
 "http://www.securityfocus.com/bid/106947",
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890",
 "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf",
@@ -74,13 +101,15 @@
 "Layer": {
 "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
 },
+ "SeveritySource": "photon",
 "Title": "curl: double free due to subsequent call of realloc()",
 "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
- "Severity": "HIGH",
+ "Severity": "CRITICAL",
 "References": [
 "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
 "https://curl.haxx.se/docs/CVE-2019-5481.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
 "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
 "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
 ]
@@ -93,10 +122,13 @@
 "Layer": {
 "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
 },
+ "SeveritySource": "photon",
 "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
 "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
- "Severity": "HIGH",
+ "Severity": "CRITICAL",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2019-5482.html",
+ "http://linux.oracle.com/errata/ELSA-2020-5562.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
 "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
 "https://curl.haxx.se/docs/CVE-2019-5482.html",
@@ -113,10 +145,13 @@
 "Layer": {
 "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
 },
+ "SeveritySource": "photon",
 "Title": "curl: NTLM type-2 heap out-of-bounds buffer read",
 "Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
 "Severity": "MEDIUM",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2018-16890.html",
+ "http://linux.oracle.com/errata/ELSA-2019-3701.html",
 "http://www.securityfocus.com/bid/106947",
 "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890",
 "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf",
@@ -138,6 +173,8 @@
 "Layer": {
 "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
 },
+ "SeveritySource": "photon",
+ "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write",
 "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
 "Severity": "MEDIUM",
 "References": [
@@ -149,6 +186,27 @@
 "https://www.debian.org/security/2019/dsa-4535"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-5188",
+ "PkgName": "e2fsprogs-libs",
+ "InstalledVersion": "1.43.4-2.ph2",
+ "FixedVersion": "1.43.4-4.ph2",
+ "Layer": {
+ "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
+ },
+ "SeveritySource": "photon",
+ "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c",
+ "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+ "Severity": "MEDIUM",
+ "References": [
+ "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
+ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
+ "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973",
+ "https://usn.ubuntu.com/4249-1/"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2018-20843",
 "PkgName": "expat-libs",
@@ -157,6 +215,7 @@
 "Layer": {
 "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
 },
+ "SeveritySource": "photon",
 "Title": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS",
 "Description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
 "Severity": "HIGH",
@@ -176,6 +235,25 @@
 "https://www.debian.org/security/2019/dsa-4472"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2019-20387",
+ "PkgName": "libsolv",
+ "InstalledVersion": "0.6.26-4.ph2",
+ "FixedVersion": "0.6.26-5.ph2",
+ "Layer": {
+ "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
+ },
+ "SeveritySource": "photon",
+ "Title": "libsolv: out-of-bounds read in repodata_schema2id in repodata.c",
+ "Description": "repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.",
+ "Severity": "HIGH",
+ "References": [
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20387",
+ "https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da",
+ "https://github.com/openSUSE/libsolv/compare/0.7.5...0.7.6",
+ "https://lists.debian.org/debian-lts-announce/2020/01/msg00034.html"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2019-13115",
 "PkgName": "libssh2",
@@ -184,9 +262,10 @@
 "Layer": {
 "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
 },
+ "SeveritySource": "photon",
 "Title": "libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write",
 "Description": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.",
- "Severity": "MEDIUM",
+ "Severity": "HIGH",
 "References": [
 "https://blog.semmle.com/libssh2-integer-overflow/",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115",
@@ -197,25 +276,66 @@ ] }, { - "VulnerabilityID": "CVE-2019-1563", - "PkgName": "openssl", - "InstalledVersion": "1.0.2s-1.ph2", - "FixedVersion": "1.0.2t-1.ph2", + "VulnerabilityID": "CVE-2019-17498", + "PkgName": "libssh2", + "InstalledVersion": "1.8.2-1.ph2", + "FixedVersion": "1.9.0-2.ph2", "Layer": { "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" }, - "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", - "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "SeveritySource": "photon", + "Title": "libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c", + "Description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. 
A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00026.html", + "https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498", + "https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498", + "https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c#L480", + "https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94", + "https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-libs", + "InstalledVersion": "6.0-14.ph2", + "FixedVersion": "6.1-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": 
"CVE-2019-17595", + "PkgName": "ncurses-libs", + "InstalledVersion": "6.0-14.ph2", + "FixedVersion": "6.1-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", "Severity": "MEDIUM", "References": [ - "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", - "https://seclists.org/bugtraq/2019/Sep/25", - "https://security.netapp.com/advisory/ntap-20190919-0002/", - "https://www.openssl.org/news/secadv/20190910.txt" + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] }, { 
@@ -226,9 +346,10 @@
 "Layer": {
 "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66"
 },
+ "SeveritySource": "photon",
 "Title": "openssl: side-channel weak encryption vulnerability",
 "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
- "Severity": "LOW",
+ "Severity": "MEDIUM",
 "References": [
 "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
 "https://arxiv.org/abs/1909.01785",
@@ -241,6 +362,101 @@ "https://www.openssl.org/news/secadv/20190910.txt" ] }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph2", + "FixedVersion": "1.0.2t-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, + { + "VulnerabilityID": "CVE-2019-19317", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.27.2-7.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: omits bits from the colUsed bitmask in the case of a generated column", + "Description": "lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service or possibly have unspecified other impact.", + "Severity": "CRITICAL", + "References": [ + "https://github.com/sqlite/sqlite/commit/522ebfa7cee96fb325a22ea3a2464a63485886a8", + "https://github.com/sqlite/sqlite/commit/73bacb7f93eab9f4bd5a65cbc4ae242acf63c9e3", + "https://security.netapp.com/advisory/ntap-20191223-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19603", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.27.2-7.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to 
DoS", + "Description": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.", + "Severity": "CRITICAL", + "References": [ + "https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13", + "https://security.netapp.com/advisory/ntap-20191223-0001/", + "https://www.sqlite.org/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19646", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.27.2-7.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns", + "Description": "pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.", + "Severity": "CRITICAL", + "References": [ + "https://github.com/sqlite/sqlite/commit/926f796e8feec15f3836aa0a060ed906f8ae04d3", + "https://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd", + "https://security.netapp.com/advisory/ntap-20191223-0001/", + "https://www.sqlite.org/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20218", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.30.1-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error", + "Description": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.", + "Severity": "CRITICAL", + "References": [ + "https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387", + "https://usn.ubuntu.com/4298-1/" + ] + }, { "VulnerabilityID": "CVE-2019-16168", "PkgName": "sqlite-libs", 
@@ -249,14 +465,146 @@ "Layer": { "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" }, + "SeveritySource": "photon", + "Title": "sqlite: division by zero in whereLoopAddBtreeIndex in sqlite3.c", "Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/", "https://security.netapp.com/advisory/ntap-20190926-0003/", + "https://security.netapp.com/advisory/ntap-20200122-0003/", + "https://usn.ubuntu.com/4205-1/", "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html", + "https://www.oracle.com/security-alerts/cpujan2020.html", "https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62", "https://www.sqlite.org/src/timeline?c=98357d8c1263920b" ] + }, + { + "VulnerabilityID": "CVE-2019-19244", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.31.1-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage", + "Description": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.", + "Severity": "HIGH", + "References": [ + "https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348", + 
"https://usn.ubuntu.com/4205-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19880", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.30.1-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: invalid pointer dereference in exprListAppendList in window.c", + "Description": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880", + "https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54", + "https://security.netapp.com/advisory/ntap-20200114-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19923", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.31.1-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference", + "Description": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. 
This can cause a NULL pointer dereference (or incorrect results).", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19923", + "https://github.com/sqlite/sqlite/commit/396afe6f6aa90a31303c183e11b2b2d4b7956b35", + "https://security.netapp.com/advisory/ntap-20200114-0003/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19925", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.31.1-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a NULL pathname during an update of a ZIP archive", + "Description": "zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive.", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19925", + "https://github.com/sqlite/sqlite/commit/54d501092d88c0cf89bec4279951f548fb0b8618", + "https://security.netapp.com/advisory/ntap-20200114-0003/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19926", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.31.1-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: error mishandling because of incomplete fix of CVE-2019-19880", + "Description": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19926", + "https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089", + "https://security.netapp.com/advisory/ntap-20200114-0003/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19959", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.31.1-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames", + "Description": "ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.", + "Severity": "HIGH", + "References": [ + "https://github.com/sqlite/sqlite/commit/1e490c4ca6b43a9cf8637d695907888349f69bec", + "https://github.com/sqlite/sqlite/commit/d8f2d46cbc9925e034a68aaaf60aad788d9373c1", + "https://security.netapp.com/advisory/ntap-20200204-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19645", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.30.1-1.ph2", + "Layer": { + "DiffID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66" + }, + "SeveritySource": "photon", + "Title": "sqlite: infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements", + "Description": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06", + 
"https://security.netapp.com/advisory/ntap-20191223-0001/" + ] } ] } diff --git a/integration/testdata/photon-30.json.golden b/integration/testdata/photon-30.json.golden index 2181c2eb0f..7671875b9a 100644 --- a/integration/testdata/photon-30.json.golden +++ b/integration/testdata/photon-30.json.golden @@ -1,7 +1,26 @@ [ { "Target": "testdata/fixtures/photon-30.tar.gz (photon 3.0)", + "Type": "photon", "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-18276", + "PkgName": "bash", + "InstalledVersion": "4.4.18-1.ph3", + "FixedVersion": "4.4.18-2.ph3", + "Layer": { + "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" + }, + "SeveritySource": "photon", + "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped", + "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.", + "Severity": "CRITICAL", + "References": [ + "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html", + "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff", + "https://www.youtube.com/watch?v=-wGtxJ8opa8" + ] + }, { "VulnerabilityID": "CVE-2019-5481", "PkgName": "curl", 
@@ -10,13 +29,15 @@ "Layer": { "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" }, + "SeveritySource": "photon", "Title": "curl: double free due to subsequent call of realloc()", "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", - "Severity": "HIGH", + "Severity": "CRITICAL", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" ] @@ -29,10 +50,13 @@ "Layer": { "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" }, + "SeveritySource": "photon", "Title": "curl: heap buffer overflow in function tftp_receive_packet()", "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", - "Severity": "HIGH", + "Severity": "CRITICAL", "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", "https://curl.haxx.se/docs/CVE-2019-5482.html", 
@@ -49,13 +73,15 @@ "Layer": { "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" }, + "SeveritySource": "photon", "Title": "curl: double free due to subsequent call of realloc()", "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", - "Severity": "HIGH", + "Severity": "CRITICAL", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" ] @@ -68,10 +94,13 @@ "Layer": { "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" }, + "SeveritySource": "photon", "Title": "curl: heap buffer overflow in function tftp_receive_packet()", "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", - "Severity": "HIGH", + "Severity": "CRITICAL", "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", "https://curl.haxx.se/docs/CVE-2019-5482.html", 
@@ -88,6 +117,8 @@ "Layer": { "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" }, + "SeveritySource": "photon", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -100,25 +131,66 @@ ] }, { - "VulnerabilityID": "CVE-2019-1563", - "PkgName": "openssl", - "InstalledVersion": "1.0.2s-1.ph3", - "FixedVersion": "1.0.2t-1.ph3", + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "e2fsprogs-libs", + "InstalledVersion": "1.44.3-2.ph3", + "FixedVersion": "1.45.5-1.ph3", "Layer": { "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" }, - "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", - "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "SeveritySource": "photon", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. 
An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ - "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", - "https://seclists.org/bugtraq/2019/Sep/25", - "https://security.netapp.com/advisory/ntap-20190919-0002/", - "https://www.openssl.org/news/secadv/20190910.txt" + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20387", + "PkgName": "libsolv", + "InstalledVersion": "0.6.26-5.ph3", + "FixedVersion": "0.6.35-2.ph3", + "Layer": { + "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" + }, + "SeveritySource": "photon", + "Title": "libsolv: out-of-bounds read in repodata_schema2id in repodata.c", + "Description": "repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20387", + 
"https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da", + "https://github.com/openSUSE/libsolv/compare/0.7.5...0.7.6", + "https://lists.debian.org/debian-lts-announce/2020/01/msg00034.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17498", + "PkgName": "libssh2", + "InstalledVersion": "1.9.0-1.ph3", + "FixedVersion": "1.9.0-2.ph3", + "Layer": { + "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" + }, + "SeveritySource": "photon", + "Title": "libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c", + "Description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00026.html", + "https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498", + "https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498", + "https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c#L480", + "https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94", + "https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/" ] }, { 
@@ -129,9 +201,10 @@ "Layer": { "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" }, + "SeveritySource": "photon", "Title": "openssl: side-channel weak encryption vulnerability", "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", "https://arxiv.org/abs/1909.01785", 
@@ -144,6 +217,56 @@ "https://www.openssl.org/news/secadv/20190910.txt" ] }, + { + "VulnerabilityID": "CVE-2019-1551", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph3", + "FixedVersion": "1.0.2u-1.ph3", + "Layer": { + "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" + }, + "SeveritySource": "photon", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" + ] + }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph3", + "FixedVersion": "1.0.2t-1.ph3", + "Layer": { + "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" + }, + "SeveritySource": "photon", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, { "VulnerabilityID": "CVE-2019-16168", "PkgName": "sqlite-libs", 
@@ -152,14 +275,93 @@ "Layer": { "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" }, + "SeveritySource": "photon", + "Title": "sqlite: division by zero in whereLoopAddBtreeIndex in sqlite3.c", "Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/", "https://security.netapp.com/advisory/ntap-20190926-0003/", + "https://security.netapp.com/advisory/ntap-20200122-0003/", + "https://usn.ubuntu.com/4205-1/", "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html", + "https://www.oracle.com/security-alerts/cpujan2020.html", "https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62", "https://www.sqlite.org/src/timeline?c=98357d8c1263920b" ] + }, + { + "VulnerabilityID": "CVE-2019-19244", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph3", + "FixedVersion": "3.31.1-1.ph3", + "Layer": { + "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" + }, + "SeveritySource": "photon", + "Title": "sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage", + "Description": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.", + "Severity": "HIGH", + "References": [ + "https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348", + "https://usn.ubuntu.com/4205-1/" 
+ ] + }, + { + "VulnerabilityID": "CVE-2019-19923", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph3", + "FixedVersion": "3.31.1-1.ph3", + "Layer": { + "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" + }, + "SeveritySource": "photon", + "Title": "sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference", + "Description": "flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results).", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19923", + "https://github.com/sqlite/sqlite/commit/396afe6f6aa90a31303c183e11b2b2d4b7956b35", + "https://security.netapp.com/advisory/ntap-20200114-0003/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19926", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph3", + "FixedVersion": "3.31.1-1.ph3", + "Layer": { + "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" + }, + "SeveritySource": "photon", + "Title": "sqlite: error mishandling because of incomplete fix of CVE-2019-19880", + "Description": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.", + "Severity": "HIGH", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19926", + "https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089", + "https://security.netapp.com/advisory/ntap-20200114-0003/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19959", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph3", + "FixedVersion": "3.31.1-1.ph3", + "Layer": { + "DiffID": "sha256:0f379947a276b7b051643960392fa66c2f0cb493bc1dcd471abb5545005949fd" + }, + "SeveritySource": "photon", + "Title": "sqlite: mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames", + "Description": "ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind.", + "Severity": "HIGH", + "References": [ + "https://github.com/sqlite/sqlite/commit/1e490c4ca6b43a9cf8637d695907888349f69bec", + "https://github.com/sqlite/sqlite/commit/d8f2d46cbc9925e034a68aaaf60aad788d9373c1", + "https://security.netapp.com/advisory/ntap-20200204-0001/" + ] } ] } diff --git a/integration/testdata/trivy.db.gz b/integration/testdata/trivy.db.gz index c3c15a55fc..ba58ee7e03 100644 Binary files a/integration/testdata/trivy.db.gz and b/integration/testdata/trivy.db.gz differ diff --git a/integration/testdata/ubi-7.json.golden b/integration/testdata/ubi-7.json.golden index ed37104271..7252d31c5f 100644 --- a/integration/testdata/ubi-7.json.golden +++ b/integration/testdata/ubi-7.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/ubi-7.tar.gz (redhat 7.7)", + "Type": "redhat", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2015-5186", 
@@ -9,6 +10,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "Audit: log terminal emulator escape sequences handling", "Description": "Audit before 2.4.4 in Linux does not sanitize escape characters in filenames.", "Severity": "MEDIUM", 
@@ -20,271 +22,6 @@ "https://people.redhat.com/sgrubb/audit/ChangeLog" ] }, - { - "VulnerabilityID": "CVE-2014-6277", - "PkgName": "bash", - "InstalledVersion": "4.2.46-33.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "bash: uninitialized here document closing delimiter pointer use", - "Description": "GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.", - "Severity": "CRITICAL", - "References": [ - "http://jvn.jp/en/jp/JVN55667175/index.html", - "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126", - "http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html", - "http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html", - "http://linux.oracle.com/errata/ELSA-2014-3093", - "http://linux.oracle.com/errata/ELSA-2014-3094", - "http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html", - "http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html", - "http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html", - "http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html", - "http://marc.info/?l=bugtraq\u0026m=141330468527613\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141345648114150\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383026420882\u0026w=2", - 
"http://marc.info/?l=bugtraq\u0026m=141383081521087\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383196021590\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383244821813\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383304022067\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383353622268\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383465822787\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141450491804793\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141576728022234\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577137423233\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577241923505\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577297623641\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141585637922673\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141879528318582\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142118135300698\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142289270617409\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142358026505815\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142358078406056\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142721162228379\u0026w=2", - "http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html", - "http://secunia.com/advisories/58200", - "http://secunia.com/advisories/59907", - "http://secunia.com/advisories/59961", - "http://secunia.com/advisories/60024", - "http://secunia.com/advisories/60034", - "http://secunia.com/advisories/60044", - "http://secunia.com/advisories/60055", - "http://secunia.com/advisories/60063", - "http://secunia.com/advisories/60193", - "http://secunia.com/advisories/60325", - "http://secunia.com/advisories/60433", - "http://secunia.com/advisories/61065", - "http://secunia.com/advisories/61128", - "http://secunia.com/advisories/61129", - "http://secunia.com/advisories/61283", - "http://secunia.com/advisories/61287", - "http://secunia.com/advisories/61291", - "http://secunia.com/advisories/61312", - 
"http://secunia.com/advisories/61313", - "http://secunia.com/advisories/61328", - "http://secunia.com/advisories/61442", - "http://secunia.com/advisories/61471", - "http://secunia.com/advisories/61485", - "http://secunia.com/advisories/61503", - "http://secunia.com/advisories/61550", - "http://secunia.com/advisories/61552", - "http://secunia.com/advisories/61565", - "http://secunia.com/advisories/61603", - "http://secunia.com/advisories/61633", - "http://secunia.com/advisories/61641", - "http://secunia.com/advisories/61643", - "http://secunia.com/advisories/61654", - "http://secunia.com/advisories/61703", - "http://secunia.com/advisories/61780", - "http://secunia.com/advisories/61816", - "http://secunia.com/advisories/61857", - "http://secunia.com/advisories/62312", - "http://secunia.com/advisories/62343", - "http://support.apple.com/HT204244", - "http://support.novell.com/security/cve/CVE-2014-6277.html", - "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685541", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685604", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685733", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685749", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685914", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686131", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686246", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686445", - 
"http://www-01.ibm.com/support/docview.wss?uid=swg21686479", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686494", - "http://www-01.ibm.com/support/docview.wss?uid=swg21687079", - "http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:164", - "http://www.novell.com/support/kb/doc.php?id=7015721", - "http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html", - "http://www.qnap.com/i/en/support/con_show.php?cid=61", - "http://www.ubuntu.com/usn/USN-2380-1", - "http://www.vmware.com/security/advisories/VMSA-2014-0010.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277", - "https://kb.bluecoat.com/index?page=content\u0026id=SA82", - "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10648", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10085", - "https://support.apple.com/HT205267", - "https://support.citrix.com/article/CTX200217", - "https://support.citrix.com/article/CTX200223", - "https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04497075", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04518183", - "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk102673\u0026src=securityAlerts", - "https://www.suse.com/support/shellshock/" - ] - }, - { - "VulnerabilityID": "CVE-2014-6278", - "PkgName": "bash", - "InstalledVersion": "4.2.46-33.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "bash: incorrect parsing of function definitions with nested command substitutions", - "Description": "GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote 
attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.", - "Severity": "CRITICAL", - "References": [ - "http://jvn.jp/en/jp/JVN55667175/index.html", - "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126", - "http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html", - "http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html", - "http://linux.oracle.com/errata/ELSA-2014-3093", - "http://linux.oracle.com/errata/ELSA-2014-3094", - "http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html", - "http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html", - "http://marc.info/?l=bugtraq\u0026m=141330468527613\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141345648114150\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383026420882\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383081521087\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383196021590\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383244821813\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383304022067\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383353622268\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141383465822787\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141450491804793\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141576728022234\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577137423233\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577241923505\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141577297623641\u0026w=2", - 
"http://marc.info/?l=bugtraq\u0026m=141585637922673\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=141879528318582\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142118135300698\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142358026505815\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142358078406056\u0026w=2", - "http://marc.info/?l=bugtraq\u0026m=142721162228379\u0026w=2", - "http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html", - "http://packetstormsecurity.com/files/137344/Sun-Secure-Global-Desktop-Oracle-Global-Desktop-Shellshock.html", - "http://secunia.com/advisories/58200", - "http://secunia.com/advisories/59907", - "http://secunia.com/advisories/59961", - "http://secunia.com/advisories/60024", - "http://secunia.com/advisories/60034", - "http://secunia.com/advisories/60044", - "http://secunia.com/advisories/60055", - "http://secunia.com/advisories/60063", - "http://secunia.com/advisories/60193", - "http://secunia.com/advisories/60325", - "http://secunia.com/advisories/60433", - "http://secunia.com/advisories/61065", - "http://secunia.com/advisories/61128", - "http://secunia.com/advisories/61129", - "http://secunia.com/advisories/61283", - "http://secunia.com/advisories/61287", - "http://secunia.com/advisories/61291", - "http://secunia.com/advisories/61312", - "http://secunia.com/advisories/61313", - "http://secunia.com/advisories/61328", - "http://secunia.com/advisories/61442", - "http://secunia.com/advisories/61471", - "http://secunia.com/advisories/61485", - "http://secunia.com/advisories/61503", - "http://secunia.com/advisories/61550", - "http://secunia.com/advisories/61552", - "http://secunia.com/advisories/61565", - "http://secunia.com/advisories/61603", - "http://secunia.com/advisories/61633", - "http://secunia.com/advisories/61641", - "http://secunia.com/advisories/61643", - "http://secunia.com/advisories/61654", - "http://secunia.com/advisories/61703", - "http://secunia.com/advisories/61780", - 
"http://secunia.com/advisories/61816", - "http://secunia.com/advisories/61857", - "http://secunia.com/advisories/62312", - "http://secunia.com/advisories/62343", - "http://support.novell.com/security/cve/CVE-2014-6278.html", - "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685541", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685604", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685733", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685749", - "http://www-01.ibm.com/support/docview.wss?uid=swg21685914", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686131", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686246", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686445", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686479", - "http://www-01.ibm.com/support/docview.wss?uid=swg21686494", - "http://www-01.ibm.com/support/docview.wss?uid=swg21687079", - "http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:164", - "http://www.novell.com/support/kb/doc.php?id=7015721", - "http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html", - "http://www.qnap.com/i/en/support/con_show.php?cid=61", - "http://www.ubuntu.com/usn/USN-2380-1", - "http://www.vmware.com/security/advisories/VMSA-2014-0010.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=1147414", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278", - "https://kb.bluecoat.com/index?page=content\u0026id=SA82", - "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10648", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10085", - "https://security-tracker.debian.org/tracker/CVE-2014-6278", - "https://support.citrix.com/article/CTX200217", - "https://support.citrix.com/article/CTX200223", - "https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04497075", - "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c04518183", - "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk102673\u0026src=securityAlerts", - "https://www.exploit-db.com/exploits/39568/", - "https://www.exploit-db.com/exploits/39887/", - "https://www.suse.com/support/shellshock/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9924", - "PkgName": "bash", - "InstalledVersion": "4.2.46-33.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "bash: BASH_CMD is writable in restricted bash shells", - "Description": "rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.", - "Severity": "HIGH", - "References": [ - "http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00049.html", - "https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924", - "https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html", - "https://security.netapp.com/advisory/ntap-20190411-0001/" - ] - }, { "VulnerabilityID": "CVE-2012-6711", "PkgName": 
"bash", @@ -292,6 +29,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "bash: heap-based buffer overflow during echo of unsupported characters", "Description": "A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().", "Severity": "MEDIUM", 
@@ -303,1116 +41,40 @@ ] }, { - "VulnerabilityID": "CVE-2014-9939", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", + "VulnerabilityID": "CVE-2019-9924", + "PkgName": "bash", + "InstalledVersion": "4.2.46-33.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "binutils: buffer overflow in ihex.c", - "Description": "ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.", - "Severity": "HIGH", - "References": [ - "http://www.openwall.com/lists/oss-security/2015/07/31/6", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9939", - "https://sourceware.org/bugzilla/show_bug.cgi?id=18750", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e27a9d5f22f9f7ead11738b1546d0b5c737266b" - ] - }, - { - "VulnerabilityID": "CVE-2017-13716", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Memory leak with the C++ symbol demangler routine in libiberty", - "Description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" - ] - }, - { - "VulnerabilityID": "CVE-2017-14930", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Memory leak in decode_line_info", - "Description": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in 
GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14930", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22191" - ] - }, - { - "VulnerabilityID": "CVE-2017-7614", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in bfd_elf_final_link function", - "Description": "elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.", - "Severity": "HIGH", - "References": [ - "https://blogs.gentoo.org/ago/2017/04/05/binutils-two-null-pointer-dereference-in-elflink-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7614", - "https://security.gentoo.org/glsa/201709-02" - ] - }, - { - "VulnerabilityID": "CVE-2017-8421", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Memory exhaustion in objdump via a crafted PE file", - "Description": "The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. 
Additional validation in dump_relocs_in_section in objdump.c can resolve this.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8421", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21440" - ] - }, - { - "VulnerabilityID": "CVE-2018-12699", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: heap-based buffer overflow in finish_stab in stabs.c", - "Description": "finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/104540", - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", - "https://security.gentoo.org/glsa/201908-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" - ] - }, - { - "VulnerabilityID": "CVE-2015-8538", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libdwarf: Out-of-bounds read in dwarf_leb.c", - "Description": "dwarf_leb.c in libdwarf allows attackers to cause a denial of service (SIGSEGV).", + "SeveritySource": "redhat", + "Title": "bash: BASH_CMD is writable in restricted bash shells", + "Description": "rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.", "Severity": "MEDIUM", "References": [ - "http://www.openwall.com/lists/oss-security/2015/12/10/3", - 
"https://bugzilla.redhat.com/show_bug.cgi?id=1291299", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8538" + "http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00049.html", + "https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html", + "https://security.netapp.com/advisory/ntap-20190411-0001/" ] }, { - "VulnerabilityID": "CVE-2016-2226", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", + "VulnerabilityID": "CVE-2019-18276", + "PkgName": "bash", + "InstalledVersion": "4.2.46-33.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "gcc: Exploitable buffer overflow", - "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped", + "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. 
However, binaries running with an effective UID of 0 are unaffected.", + "Severity": "LOW", "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90103", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2226", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687", - "https://www.exploit-db.com/exploits/42386/" - ] - }, - { - "VulnerabilityID": "CVE-2016-4487", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc: Invalid write due to a use-after-free to array btypevec", - "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90025", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4487", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481" - ] - }, - { - "VulnerabilityID": "CVE-2016-4488", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", - "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90025", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4488", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481" - ] - }, - { - "VulnerabilityID": "CVE-2016-4489", - "PkgName": "binutils", - "InstalledVersion": 
"2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc: Invalid write due to integer overflow", - "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90017", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4489", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492" - ] - }, - { - "VulnerabilityID": "CVE-2016-4490", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc: Write access violation", - "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90019", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4490", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498" - ] - }, - { - "VulnerabilityID": "CVE-2016-4491", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", - "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to 
a node having \"itself as ancestor more than once.\"", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90016", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4491", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909", - "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00105.html" - ] - }, - { - "VulnerabilityID": "CVE-2016-4492", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc: Read access violations", - "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90014", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4492", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926", - "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" - ] - }, - { - "VulnerabilityID": "CVE-2016-4493", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc: Read access violations", - "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/05/05/5", - "http://www.securityfocus.com/bid/90014", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4493", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926", - "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" - ] - 
}, - { - "VulnerabilityID": "CVE-2016-6131", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler", - "Description": "The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/06/30/4", - "http://www.openwall.com/lists/oss-security/2016/06/30/7", - "http://www.securityfocus.com/bid/91519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696", - "https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html" - ] - }, - { - "VulnerabilityID": "CVE-2017-12449", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: out of bounds heap read in _bfd_vms_save_sized_string function", - "Description": "The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12449", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" - ] - }, - { - "VulnerabilityID": "CVE-2017-12451", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: out of bounds stack read in _bfd_xcoff_read_ar_hdr function", - "Description": "The _bfd_xcoff_read_ar_hdr 
function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12451", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21786" - ] - }, - { - "VulnerabilityID": "CVE-2017-12452", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: out of bounds heap read in bfd_mach_o_i386_canonicalize_one_reloc function", - "Description": "The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12452", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" - ] - }, - { - "VulnerabilityID": "CVE-2017-12453", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: out of bounds heap read in __bfd_vms_slurp_eeom function", - "Description": "The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12453", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" - ] - }, - { - "VulnerabilityID": "CVE-2017-12454", - "PkgName": 
"binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Arbitrary memory read in _bfd_vms_slurp_egs function", - "Description": "The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12454", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" - ] - }, - { - "VulnerabilityID": "CVE-2017-12455", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: out of bounds heap read in evax_bfd_print_emh function", - "Description": "The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12455", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" - ] - }, - { - "VulnerabilityID": "CVE-2017-12456", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: out of bounds heap read in read_symbol_stabs_debugging_inf function", - "Description": "The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.", - "Severity": "MEDIUM", - "References": [ - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12456", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" - ] - }, - { - "VulnerabilityID": "CVE-2017-12457", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in bfd_make_section_with_flags function", - "Description": "The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12457", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" - ] - }, - { - "VulnerabilityID": "CVE-2017-12458", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: out of bounds heap read in nlm_swap_auxiliary_headers_in function", - "Description": "The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12458", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" - ] - }, - { - "VulnerabilityID": "CVE-2017-12799", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based 1 byte buffer over-write in elf_read_notes function in bfd/elf.c", - "Description": "The 
elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100292", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12799", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21933" - ] - }, - { - "VulnerabilityID": "CVE-2017-12967", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Stack-based buffer over-read in getsym function in tekhex.c", - "Description": "The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100462", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12967", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21962" - ] - }, - { - "VulnerabilityID": "CVE-2017-13710", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in the setup_group function", - "Description": "The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a group section that is too small.", - "Severity": "MEDIUM", - "References": [ - 
"http://www.securityfocus.com/bid/100499", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13710", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0c54f69295208331faab9bc5e995111a35672f9b" - ] - }, - { - "VulnerabilityID": "CVE-2017-13757", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: heap-based buffer over-read in elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100532", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13757", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22018", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=90efb6422939ca031804266fba669f77c22a274a" - ] - }, - { - "VulnerabilityID": "CVE-2017-14128", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer over-read in the decode_line_info function", - "Description": "The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - 
"http://www.securityfocus.com/bid/100623", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14128", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22059", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e8b60085eb3e6f2c41bc0c00c0d759fa7f72780" - ] - }, - { - "VulnerabilityID": "CVE-2017-14129", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer over-read in the read_section function", - "Description": "The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/100624", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14129", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22047", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e4f2723003859dc6b33ca0dadbc4a7659ebf1643" - ] - }, - { - "VulnerabilityID": "CVE-2017-14130", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer over-read in the _bfd_elf_parse_attributes function", - "Description": "The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - 
"http://www.securityfocus.com/bid/100625", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14130", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22058", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2a143b99fc4a5094a9cf128f3184d8e6818c8229" - ] - }, - { - "VulnerabilityID": "CVE-2017-14529", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: heap-based buffer over-read in bfd_getl16 function in peXXigen.c", - "Description": "The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 function.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14529", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22113", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4d465c689a8fb27212ef358d0aee89d60dee69a6", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dcaaca89e8618eba35193c27afcb1cfa54f74582" - ] - }, - { - "VulnerabilityID": "CVE-2017-14729", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap buffer overflow in the *_get_synthetic_symtab functions", - "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly 
have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/09/25/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14729", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22170", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=56933f9e3e90eebf1018ed7417d6c1184b91db6b", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=61e3bf5f83f7e505b6bc51ef65426e5b31e6e360" - ] - }, - { - "VulnerabilityID": "CVE-2017-14745", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Integer overflow in the *_get_synthetic_symtab functions", - "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14745", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22148" - ] - }, - { - "VulnerabilityID": "CVE-2017-14932", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Infinite loop in the decode_line_info", - "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite 
loop) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14932", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22204", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e338894dc2e603683bed2172e8e9f25b29051005" - ] - }, - { - "VulnerabilityID": "CVE-2017-14933", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Infinite loop in read_formatted_entries", - "Description": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14933", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22210", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=33e0a9a056bd23e923b929a4f2ab049ade0b1c32" - ] - }, - { - "VulnerabilityID": "CVE-2017-14934", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Infinite loop in process_debug_info", - "Description": "process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101204", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14934", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22219", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=19485196044b2521af979f1e5c4a89bfb90fba0b" - ] - }, - { - "VulnerabilityID": "CVE-2017-14938", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Excessive memory allocation in _bfd_elf_slurp_version_tables", - "Description": "_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101212", - "https://blogs.gentoo.org/ago/2017/09/26/binutils-memory-allocation-failure-in-_bfd_elf_slurp_version_tables-elf-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14938", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22166", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bd61e135492ecf624880e6b78e5fcde3c9716df6" - ] - }, - { - "VulnerabilityID": "CVE-2017-14939", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer over-read in the decode_line_info", - "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101216", - 
"https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14939", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22169", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=515f23e63c0074ab531bc954f84ca40c6281a724", - "https://www.exploit-db.com/exploits/42970/" - ] - }, - { - "VulnerabilityID": "CVE-2017-14940", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in the scan_unit_for_symbols", - "Description": "scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/09/26/binutils-null-pointer-dereference-in-scan_unit_for_symbols-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14940", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22166", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0d76029f92182c3682d8be2c833d45bc9a2068fe" - ] - }, - { - "VulnerabilityID": "CVE-2017-14974", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in the *_get_synthetic_symtab functions", - "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, 
related to elf32-i386.c and elf64-x86-64.c.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14974", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22163", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e70c19e3a4c26e9c1ebf0c9170d105039b56d7cf" - ] - }, - { - "VulnerabilityID": "CVE-2017-15020", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer overflow in parse_die", - "Description": "dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-parse_die-dwarf1-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15020", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22202", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5" - ] - }, - { - "VulnerabilityID": "CVE-2017-15021", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer over-read in bfd_get_debug_link_info_1", - "Description": "bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.", - "Severity": 
"MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-bfd_getl32-opncls-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15021", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22197", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52b36c51e5bf6d7600fdc6ba115b170b0e78e31d" - ] - }, - { - "VulnerabilityID": "CVE-2017-15022", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in dwarf2.c", - "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15022", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22201", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11855d8a1f11b102a702ab76e95b22082cccf2f8" - ] - }, - { - "VulnerabilityID": "CVE-2017-15023", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in read_formatted_entries", - "Description": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and 
application crash) via a crafted ELF file, related to concat_filename.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101611", - "https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15023", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22200", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c361faae8d964db951b7100cada4dcdc983df1bf" - ] - }, - { - "VulnerabilityID": "CVE-2017-15024", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Infinite recursion in find_abstract_instance_name", - "Description": "find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/10/03/binutils-infinite-loop-in-find_abstract_instance_name-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15024", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22187", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52a93b95ec0771c97e26f0bb28630a271a667bd2" - ] - }, - { - "VulnerabilityID": "CVE-2017-15025", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Divide-by-zero in decode_line_info", - "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error 
and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/10/03/binutils-divide-by-zero-in-decode_line_info-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15025", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22186", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d8010d3e75ec7194a4703774090b27486b742d48" - ] - }, - { - "VulnerabilityID": "CVE-2017-15225", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Memory leak in _bfd_dwarf2_cleanup_debug_info", - "Description": "_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15225", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22212", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b55ec8b676ed05d93ee49d6c79ae0403616c4fb0" - ] - }, - { - "VulnerabilityID": "CVE-2017-15938", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Invalid memory read in find_abstract_instance_name", - "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101610", - 
"https://blogs.gentoo.org/ago/2017/10/24/binutils-invalid-memory-read-in-find_abstract_instance_name-dwarf2-c/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15938", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22209", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1b86808a86077722ee4f42ff97f836b12420bb2a" - ] - }, - { - "VulnerabilityID": "CVE-2017-15939", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in the concat_filename", - "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. 
NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101613", - "https://blogs.gentoo.org/ago/2017/10/24/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023/", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22205", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a54018b72d75abf2e74bf36016702da06399c1d9" - ] - }, - { - "VulnerabilityID": "CVE-2017-15996", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Excessive memory allocation in elfcomm.c", - "Description": "elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a \"buffer overflow on fuzzed archive header,\" related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101608", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15996", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22361", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d91f0b20e561e326ee91a09a76206257bde8438b" - ] - }, - { - "VulnerabilityID": "CVE-2017-16826", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Invalid memory access in the coff_slurp_line_table function", - "Description": "The coff_slurp_line_table function in coffcode.h in the Binary File 
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16826", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22376", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a67d66eb97e7613a38ffe6622d837303b3ecd31d" - ] - }, - { - "VulnerabilityID": "CVE-2017-16827", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Invalid free in the aout_get_external_symbols function", - "Description": "The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16827", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22306", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419" - ] - }, - { - "VulnerabilityID": "CVE-2017-16828", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Integer overflow in the display_debug_frames function", - "Description": "The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based 
buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16828", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22386", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d" - ] - }, - { - "VulnerabilityID": "CVE-2017-16829", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds read in the _bfd_elf_parse_gnu_properties function", - "Description": "The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16829", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22307", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf54ebff3b7361989712fd9c0128a9b255578163" - ] - }, - { - "VulnerabilityID": "CVE-2017-16830", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Segmentation fault in the print_gnu_property_note function", - "Description": "The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service 
(segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101941", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16830", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22384", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6ab2c4ed51f9c4243691755e1b1d2149c6a426f4" - ] - }, - { - "VulnerabilityID": "CVE-2017-16831", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Integer overflow in coffgen.c", - "Description": "coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16831", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22385", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca" - ] - }, - { - "VulnerabilityID": "CVE-2017-16832", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Segmentation fault in the pe_bfd_read_buildid function", - "Description": "The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to 
cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16832", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22373", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bb6961f18b8e832d88b490d421ca56cea16c45b" - ] - }, - { - "VulnerabilityID": "CVE-2017-17080", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer over-read in bfd_getl32", - "Description": "elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17080", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22421" - ] - }, - { - "VulnerabilityID": "CVE-2017-17121", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Memory access violation via a crafted COFF binary", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the 
to-be-relocated section.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17121", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22506", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b23dc97fe237a1d9e850d7cbeee066183a00630b" - ] - }, - { - "VulnerabilityID": "CVE-2017-17122", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Excessive memory allocation in the dump_relocs_in_section function", - "Description": "The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17122", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22508", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d785b7d4b877ed465d04072e17ca19d0f47d840f" - ] - }, - { - "VulnerabilityID": "CVE-2017-17123", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in the coff_slurp_reloc_table function", - "Description": "The coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.", - "Severity": "MEDIUM", - "References": [ - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17123", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22509", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4581a1c7d304ce14e714b27522ebf3d0188d6543" - ] - }, - { - "VulnerabilityID": "CVE-2017-17124", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap buffer overflow in the _bfd_coff_read_string_table function", - "Description": "The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17124", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22507", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b0029dce6867de1a2828293177b0e030d2f0f03c" - ] - }, - { - "VulnerabilityID": "CVE-2017-17125", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Buffer over-read in the _bfd_elf_get_symbol_version_string function", - "Description": "nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - 
"References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17125",
- "https://security.gentoo.org/glsa/201811-17",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=22443",
- "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=160b1a618ad94988410dc81fce9189fcda5b7ff4"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-17126",
- "PkgName": "binutils",
- "InstalledVersion": "2.27-41.base.el7",
- "Layer": {
- "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
- },
- "Title": "binutils: Invalid memory access in the load_debug_section function",
- "Description": "The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.",
- "Severity": "MEDIUM",
- "References": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17126",
- "https://security.gentoo.org/glsa/201811-17",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=22510",
- "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f425ec6600b69e39eb605f3128806ff688137ea8"
+ "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html",
+ "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff",
+ "https://www.youtube.com/watch?v=-wGtxJ8opa8"
 ]
 },
 {
@@ -1422,6 +84,7 @@
 "Layer": {
 "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
 },
+ "SeveritySource": "redhat",
 "Title": "binutils: Heap-based buffer overflow in target_specific_reloc_handling in readelf",
 "Description": "readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.",
 "Severity": "MEDIUM",
@@ -1438,6 +101,7 @@
 "Layer": {
 "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
 },
+ "SeveritySource": "redhat",
 "Title": "binutils: Use-after-free in target_specific_reloc_handling in readelf",
 "Description": "readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.",
 "Severity": "MEDIUM",
@@ -1447,1014 +111,6 @@ "https://sourceware.org/bugzilla/show_bug.cgi?id=21139" ] }, - { - "VulnerabilityID": "CVE-2017-6969", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer over-read in readelf when processing corrupt RL78 binaries", - "Description": "readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97065", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21156" - ] - }, - { - "VulnerabilityID": "CVE-2017-7209", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Null pointer dereference in dump_section_as_bytes function in readelf", - "Description": "The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/96994", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21135" - ] - }, - { - "VulnerabilityID": "CVE-2017-7210", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer over-reads in objdump", - "Description": "objdump in GNU Binutils 2.28 is vulnerable to 
multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/96992", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21157" - ] - }, - { - "VulnerabilityID": "CVE-2017-7223", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Global buffer overflow when attempting to unget EOF character", - "Description": "GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7223", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20898" - ] - }, - { - "VulnerabilityID": "CVE-2017-7224", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Invalid write in find_nearest_line function", - "Description": "The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97277", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7224", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20892" - ] - }, - { - "VulnerabilityID": "CVE-2017-7225", - 
"PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Null pointer dereference and invalid write in find_nearest_line function in addr2line", - "Description": "The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97275", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7225", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20891" - ] - }, - { - "VulnerabilityID": "CVE-2017-7226", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer over-read in pe_ILF_object_p function in libbfd", - "Description": "The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. 
It could lead to information disclosure as well.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7226", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20905" - ] - }, - { - "VulnerabilityID": "CVE-2017-7227", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-based buffer overflow in ld due to missing null termination", - "Description": "GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\\0' termination of a name field in ldlex.l.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97209", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7227", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20906" - ] - }, - { - "VulnerabilityID": "CVE-2017-7299", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds read in bfd_elf_final_link function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. 
The vulnerability leads to a GNU linker (ld) program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97217", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7299", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20908" - ] - }, - { - "VulnerabilityID": "CVE-2017-7300", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-buffer overflow in aout_link_add_symbols function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97219", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7300", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20909" - ] - }, - { - "VulnerabilityID": "CVE-2017-7301", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Off-by-one error in aout_link_add_symbols function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. 
The vulnerability could lead to a GNU linker (ld) program crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97218", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7301", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20924" - ] - }, - { - "VulnerabilityID": "CVE-2017-7302", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds read in wap_std_reloc_out function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97216", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7302", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20921" - ] - }, - { - "VulnerabilityID": "CVE-2017-7303", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds read in find_link function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. 
This vulnerability causes Binutils utilities like strip to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97213", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7303", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20922" - ] - }, - { - "VulnerabilityID": "CVE-2017-7304", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds read in copy_special_section_fields function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/97215", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20931" - ] - }, - { - "VulnerabilityID": "CVE-2017-8392", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in the _bfd_dwarf2_find_nearest_line function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21409" - ] - }, - { - "VulnerabilityID": "CVE-2017-8393", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds read due to wrong assumption for objcopy and strip", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8393", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21412" - ] - }, - { - "VulnerabilityID": "CVE-2017-8394", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in the _bfd_elf_large_com_section", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8394", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21414" - ] - }, - { - "VulnerabilityID": "CVE-2017-8395", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds write in the _bfd_generic_get_section_contents function", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8395", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21431" - ] - }, - { - "VulnerabilityID": "CVE-2017-8396", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds read in the existing reloc offset range tests", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8396", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21432" - ] - }, - { - "VulnerabilityID": "CVE-2017-8397", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds read and write while processing binary containing reloc(s) with negative addresses", - "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8397", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21434" - ] - }, - { - "VulnerabilityID": "CVE-2017-8398", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds read while dumping the debug information from a corrupt binary", - "Description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. 
This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8398", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21438" - ] - }, - { - "VulnerabilityID": "CVE-2017-9038", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap-buffer overflow in the byte_get_little_endian", - "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98589", - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9038", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d" - ] - }, - { - "VulnerabilityID": "CVE-2017-9039", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Memory consumption via many program headers", - "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98580", - 
"https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9039", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5" - ] - }, - { - "VulnerabilityID": "CVE-2017-9040", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in the process_mips_specific_function", - "Description": "GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98579", - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9040", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf" - ] - }, - { - "VulnerabilityID": "CVE-2017-9041", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap buffer overflow in the process_mips_specific function", - "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98598", - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9041", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3" - ] - }, - { - "VulnerabilityID": "CVE-2017-9042", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Invalid variable type in readelf.c", - "Description": "readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9042", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf" - ] - }, - { - "VulnerabilityID": "CVE-2017-9043", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Shift exponent too large for type unsigned long in readelf.c", - "Description": "readelf.c in GNU Binutils 2017-04-12 has a \"shift exponent too large for type unsigned long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98591", - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9043", - 
"https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ddef72cdc10d82ba011a7ff81cafbbd3466acf54" - ] - }, - { - "VulnerabilityID": "CVE-2017-9044", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Out-of-bounds read in the print_symbol_for_build_attribute function", - "Description": "The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98587", - "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9044" - ] - }, - { - "VulnerabilityID": "CVE-2017-9742", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Global buffer over-read in print_insn_score16 function while disassembling corrupt score binary", - "Description": "The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99105", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9742", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21576", - "https://www.exploit-db.com/exploits/42203/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9743", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": 
"sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Global buffer over-read in print_insn_score32 function while disassembling corrupt score binary", - "Description": "The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99106", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9743", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21577" - ] - }, - { - "VulnerabilityID": "CVE-2017-9744", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Address violation in sh_elf_set_mach_from_flags function when disassembling a corrupt SH binary", - "Description": "The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99108", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9744", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21578" - ] - }, - { - "VulnerabilityID": "CVE-2017-9745", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": 
"binutils: Heap buffer over-read in _bfd_vms_slurp_etir function when handling VMS alpha binaries", - "Description": "The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99109", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9745", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21579" - ] - }, - { - "VulnerabilityID": "CVE-2017-9746", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap buffer over-read in disassemble_bytes function when disassembling a corrupt binary", - "Description": "The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99117", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9746", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21580", - "https://www.exploit-db.com/exploits/42199/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9747", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Stack-based buffer over-read in ieee_archive_p 
function while disassembling corrupt IEEE binary", - "Description": "The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99114", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9747", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21581", - "https://www.exploit-db.com/exploits/42200/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9748", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Stack-based buffer over-read in ieee_object_p function", - "Description": "The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. 
NOTE: this may be related to a compiler bug.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99110", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9748", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21582", - "https://www.exploit-db.com/exploits/42202/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9749", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Global buffer over-read in *regs* macros when disassembling corrupt bfin binary", - "Description": "The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99113", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9749", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21586", - "https://www.exploit-db.com/exploits/42201/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9750", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Global buffer over-read in opcodes/rx-decode.opc when disassembling a corrupt RX binary", - "Description": "opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - 
"http://www.securityfocus.com/bid/99118", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9750", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21587", - "https://www.exploit-db.com/exploits/42198/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9751", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Stack-based buffer over-read in opcodes/rl78-decode.opc when disassembling a corrupt RL78 binary", - "Description": "opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99111", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9751", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21588" - ] - }, - { - "VulnerabilityID": "CVE-2017-9752", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Heap buffer over-read in f_bfd_vms_get_value function when processing a corrupt Alpha VMA binary", - "Description": "bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.", - "Severity": 
"MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99122", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9752", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21589" - ] - }, - { - "VulnerabilityID": "CVE-2017-9753", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Address violation in versados_mkobject function when disassembling a corrupt versados binary", - "Description": "The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99116", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9753", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21591" - ] - }, - { - "VulnerabilityID": "CVE-2017-9754", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Stack-based buffer over-read in process_otr function", - "Description": "The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - 
"http://www.securityfocus.com/bid/99125", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9754", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21591" - ] - }, - { - "VulnerabilityID": "CVE-2017-9755", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Global buffer over-read in opcodes/i386-dis.c while checking invalid registers", - "Description": "opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99124", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9755", - "https://security.gentoo.org/glsa/201801-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21594" - ] - }, - { - "VulnerabilityID": "CVE-2017-9756", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Address violation in aarch64_ext_ldst_reglist function when disassembling corrupt aarch64 binary", - "Description": "The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99103", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9756", - "https://security.gentoo.org/glsa/201801-01", - 
"https://sourceware.org/bugzilla/show_bug.cgi?id=21595", - "https://www.exploit-db.com/exploits/42204/" - ] - }, - { - "VulnerabilityID": "CVE-2017-9954", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: stack-based buffer over-read in getvalue function", - "Description": "The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99307", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9954", - "https://security.gentoo.org/glsa/201709-02", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21670" - ] - }, - { - "VulnerabilityID": "CVE-2017-9955", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: heap buffer over-read in get_build_id function", - "Description": "The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/99573", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9955", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21665" - ] - }, - { - "VulnerabilityID": "CVE-2018-12698", - "PkgName": "binutils", - 
"InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: excessive memory consumption in demangle_template in cplus-dem.c", - "Description": "demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the \"Create an array for saving the template argument values\" XNEWVEC call. This can occur during execution of objdump.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/104539", - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", - "https://security.gentoo.org/glsa/201908-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" - ] - }, - { - "VulnerabilityID": "CVE-2018-12700", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Stack Exhaustion in debug_write_type in debug.c", - "Description": "A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/104541", - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", - "https://security.gentoo.org/glsa/201908-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" - ] - }, - { - "VulnerabilityID": "CVE-2018-12934", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Uncontrolled Resource Consumption in remember_Ktype in cplus-dem.c", - "Description": "remember_Ktype in cplus-dem.c in GNU 
libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763101", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23059" - ] - }, - { - "VulnerabilityID": "CVE-2018-14038", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libbfd: remote dos via crafted file in function aout_32_swap_std_reloc_out in aoutx.h", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-7642. Reason: This candidate is a reservation duplicate of CVE-2018-7642. Notes: All CVE users should reference CVE-2018-7642 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.", - "Severity": "MEDIUM" - }, - { - "VulnerabilityID": "CVE-2018-17794", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in libiberty/cplus-dem.c:work_stuff_copy_to_from() via crafted input", - "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. 
There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.", - "Severity": "MEDIUM", - "References": [ - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350" - ] - }, - { - "VulnerabilityID": "CVE-2018-17985", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Stack consumption problem caused by the cplus_demangle_type", - "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.", - "Severity": "MEDIUM", - "References": [ - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335" - ] - }, - { - "VulnerabilityID": "CVE-2018-18483", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Integer overflow in cplus-dem.c:get_count() allows for denial of service", - "Description": "The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105689", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23767" - ] - }, - { - "VulnerabilityID": "CVE-2018-18484", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Stack 
exhaustion in cp-demangle.c allows for denial of service", - "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105693", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636" - ] - }, - { - "VulnerabilityID": "CVE-2018-18605", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: heap-based buffer over-read in sec_merge_hash_lookup in merge.c", - "Description": "A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105754", - "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18605", - "https://security.netapp.com/advisory/ntap-20190307-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23804", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ab419ddbb2cdd17ca83618990f2cacf904ce1d61" - ] - }, - { - "VulnerabilityID": "CVE-2018-18606", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in _bfd_add_merge_section in merge_strings function in merge.c", - "Description": "An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105754", - "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18606", - "https://security.netapp.com/advisory/ntap-20190307-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23806", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45a0eaf77022963d639d6d19871dbab7b79703fc" - ] - }, - { - "VulnerabilityID": "CVE-2018-18607", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: NULL pointer dereference in elf_link_input_bfd in elflink.c", - "Description": "An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105754", - "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18607", - "https://security.netapp.com/advisory/ntap-20190307-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23805", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=102def4da826b3d9e169741421e5e67e8731909a" - ] - }, - { - "VulnerabilityID": "CVE-2018-18700", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Recursive Stack Overflow within function d_name, d_encoding, and d_local_name in cp-demangle.c", - "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681" - ] - }, - { - "VulnerabilityID": "CVE-2018-18701", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: infinite recursion in next_is_type_qual and cplus_demangle_type functions in cp-demangle.c", - "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. 
Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675" - ] - }, - { - "VulnerabilityID": "CVE-2018-19932", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Integer overflow due to the IS_CONTAINED_BY_LMA macro resulting in a denial of service", - "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106144", - "https://security.gentoo.org/glsa/201908-01", - "https://security.netapp.com/advisory/ntap-20190221-0004/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23932", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7" - ] - }, - { - "VulnerabilityID": "CVE-2018-20002", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: memory leak in _bfd_generic_read_minisymbols function in syms.c", - "Description": "The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106142", - "https://security.gentoo.org/glsa/201908-01", - "https://security.netapp.com/advisory/ntap-20190221-0004/", - 
"https://sourceware.org/bugzilla/show_bug.cgi?id=23952", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c2f5dc30afa34696f2da0081c4ac50b958ecb0e9", - "https://support.f5.com/csp/article/K62602089" - ] - }, - { - "VulnerabilityID": "CVE-2018-20657", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", - "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106444", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", - "https://support.f5.com/csp/article/K62602089" - ] - }, { "VulnerabilityID": "CVE-2018-20673", "PkgName": "binutils", @@ -2462,6 +118,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libiberty: Integer overflow in demangle_template() function", "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", "Severity": "MEDIUM", 
@@ -2470,119 +127,6 @@ "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" ] }, - { - "VulnerabilityID": "CVE-2018-6323", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Integer overflow in elf_object_p function in elfcode.h", - "Description": "The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/102821", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6323", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22746", - "https://www.exploit-db.com/exploits/44035/" - ] - }, - { - "VulnerabilityID": "CVE-2018-6759", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Unchecked strnlen in opncls.c:bfd_get_debug_link_info_1() can allow lead to denial of service", - "Description": "The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. 
Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/103030", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6759", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22794" - ] - }, - { - "VulnerabilityID": "CVE-2018-6872", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: out of bounds read in elf_parse_notes function in elf.c file in libbfd library", - "Description": "The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/103103", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6872", - "https://security.gentoo.org/glsa/201811-17", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22788", - "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6" - ] - }, - { - "VulnerabilityID": "CVE-2018-9138", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Stack Exhaustion in the the C++ demangling functions provided by libiberty", - "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.29 and 2.30. 
Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_nested_args, demangle_args, do_arg, and do_type.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=23008" - ] - }, - { - "VulnerabilityID": "CVE-2018-9996", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Stack-overflow in libiberty/cplus-dem.c causes crash", - "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/103733", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304" - ] - }, - { - "VulnerabilityID": "CVE-2019-1010204", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read in gold/fileread.cc and elfcpp/elfcpp_file.h leads to denial of service", - "Description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", - "Severity": "MEDIUM", - "References": [ - "https://security.netapp.com/advisory/ntap-20190822-0001/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23765" - ] - }, - { - "VulnerabilityID": "CVE-2019-14250", - "PkgName": "binutils", - "InstalledVersion": "2.27-41.base.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "binutils: integer overflow in simple-object-elf.c leads to a heap-based buffer overflow", - "Description": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/109354", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924", - "https://gcc.gnu.org/ml/gcc-patches/2019-07/msg01003.html", - "https://security.netapp.com/advisory/ntap-20190822-0002/" - ] - }, { "VulnerabilityID": "CVE-2019-9074", "PkgName": "binutils", @@ -2590,6 +134,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "binutils: out-of-bound read in function bfd_getl32 in libbfd.c", "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is an out-of-bounds read leading to a SEGV in bfd_getl32 in libbfd.c, when called from pex64_get_runtime_function in pei-x86_64.c.", "Severity": "MEDIUM", 
@@ -2606,6 +151,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "binutils: heap-based buffer overflow in function _bfd_archive_64_bit_slurp_armap in archive64.c", "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c.", "Severity": "MEDIUM", @@ -2622,6 +168,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "binutils: heap-based buffer overflow in function process_mips_specific in readelf.c", "Description": "An issue was discovered in GNU Binutils 2.32. It is a heap-based buffer overflow in process_mips_specific in readelf.c via a malformed MIPS option section.", "Severity": "MEDIUM", 
@@ -2633,21 +180,2413 @@ ] }, { - "VulnerabilityID": "CVE-2019-12900", - "PkgName": "bzip2-libs", - "InstalledVersion": "1.0.6-13.el7", + "VulnerabilityID": "CVE-2014-9939", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "bzip2: out-of-bounds write in function BZ2_decompress", - "Description": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "binutils: buffer overflow in ihex.c", + "Description": "ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.", + "Severity": "LOW", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900", - "https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html", - "https://usn.ubuntu.com/4038-1/", - "https://usn.ubuntu.com/4038-2/" + "http://www.openwall.com/lists/oss-security/2015/07/31/6", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9939", + "https://sourceware.org/bugzilla/show_bug.cgi?id=18750", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e27a9d5f22f9f7ead11738b1546d0b5c737266b" + ] + }, + { + "VulnerabilityID": "CVE-2015-8538", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libdwarf: Out-of-bounds read in dwarf_leb.c", + "Description": "dwarf_leb.c in libdwarf allows attackers to cause a denial of service (SIGSEGV).", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2015/12/10/3", + "https://bugzilla.redhat.com/show_bug.cgi?id=1291299", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8538" + ] + }, + { + "VulnerabilityID": "CVE-2016-2226", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "gcc: Exploitable buffer overflow", + "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90103", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2226", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687", + "https://www.exploit-db.com/exploits/42386/" + ] + }, + { + "VulnerabilityID": "CVE-2016-4487", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "gcc: Invalid write due to a use-after-free to array btypevec", + "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90025", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4487", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481" + ] + }, + { + "VulnerabilityID": "CVE-2016-4488", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", + 
"Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90025", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4488", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481" + ] + }, + { + "VulnerabilityID": "CVE-2016-4489", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "gcc: Invalid write due to integer overflow", + "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90017", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4489", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492" + ] + }, + { + "VulnerabilityID": "CVE-2016-4490", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "gcc: Write access violation", + "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90019", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4490", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498" + ] + }, + { + "VulnerabilityID": "CVE-2016-4491", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", + "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90016", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4491", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909", + "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00105.html" + ] + }, + { + "VulnerabilityID": "CVE-2016-4492", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "gcc: Read access violations", + "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90014", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4492", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926", + "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" + ] + }, + { + "VulnerabilityID": "CVE-2016-4493", + "PkgName": "binutils", + "InstalledVersion": 
"2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "gcc: Read access violations", + "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/05/05/5", + "http://www.securityfocus.com/bid/90014", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4493", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926", + "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" + ] + }, + { + "VulnerabilityID": "CVE-2017-12449", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in _bfd_vms_save_sized_string function", + "Description": "The _bfd_vms_save_sized_string function in vms-misc.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12449", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" + ] + }, + { + "VulnerabilityID": "CVE-2017-12451", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds stack read in _bfd_xcoff_read_ar_hdr function", + "Description": "The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff64-rs6000.c in the Binary File Descriptor (BFD) library 
(aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds stack read via a crafted COFF image file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12451", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21786" + ] + }, + { + "VulnerabilityID": "CVE-2017-12452", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in bfd_mach_o_i386_canonicalize_one_reloc function", + "Description": "The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted mach-o file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12452", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" + ] + }, + { + "VulnerabilityID": "CVE-2017-12453", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in __bfd_vms_slurp_eeom function", + "Description": "The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12453", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" + ] + }, + { + "VulnerabilityID": "CVE-2017-12454", + "PkgName": "binutils", + "InstalledVersion": 
"2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Arbitrary memory read in _bfd_vms_slurp_egs function", + "Description": "The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an arbitrary memory read via a crafted vms alpha file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12454", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" + ] + }, + { + "VulnerabilityID": "CVE-2017-12455", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in evax_bfd_print_emh function", + "Description": "The evax_bfd_print_emh function in vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted vms alpha file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12455", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" + ] + }, + { + "VulnerabilityID": "CVE-2017-12456", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in read_symbol_stabs_debugging_inf function", + "Description": "The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binutils 2.29 and earlier allows remote attackers to cause an out of bounds heap read via a crafted binary file.", + "Severity": "LOW", + 
"References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12456", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21813" + ] + }, + { + "VulnerabilityID": "CVE-2017-12457", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in bfd_make_section_with_flags function", + "Description": "The bfd_make_section_with_flags function in section.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause a NULL dereference via a crafted file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12457", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" + ] + }, + { + "VulnerabilityID": "CVE-2017-12458", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds heap read in nlm_swap_auxiliary_headers_in function", + "Description": "The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap read via a crafted nlm file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12458", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21840" + ] + }, + { + "VulnerabilityID": "CVE-2017-12799", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": 
"binutils: Heap-based 1 byte buffer over-write in elf_read_notes function in bfd/elf.c", + "Description": "The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100292", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12799", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21933" + ] + }, + { + "VulnerabilityID": "CVE-2017-12967", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack-based buffer over-read in getsym function in tekhex.c", + "Description": "The getsym function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a malformed tekhex binary.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100462", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12967", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21962" + ] + }, + { + "VulnerabilityID": "CVE-2017-13710", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the setup_group function", + "Description": "The setup_group function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service 
(NULL pointer dereference and application crash) via a group section that is too small.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100499", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13710", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0c54f69295208331faab9bc5e995111a35672f9b" + ] + }, + { + "VulnerabilityID": "CVE-2017-13716", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory leak with the C++ symbol demangler routine in libiberty", + "Description": "The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22009" + ] + }, + { + "VulnerabilityID": "CVE-2017-13757", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer over-read in elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the PLT section size, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to elf_i386_get_synthetic_symtab in elf32-i386.c and elf_x86_64_get_synthetic_symtab in elf64-x86-64.c.", + "Severity": "LOW", + "References": [ + 
"http://www.securityfocus.com/bid/100532", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13757", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22018", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=90efb6422939ca031804266fba669f77c22a274a" + ] + }, + { + "VulnerabilityID": "CVE-2017-14128", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in the decode_line_info function", + "Description": "The decode_line_info function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (read_1_byte heap-based buffer over-read and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100623", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14128", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22059", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e8b60085eb3e6f2c41bc0c00c0d759fa7f72780" + ] + }, + { + "VulnerabilityID": "CVE-2017-14129", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in the read_section function", + "Description": "The read_section function in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (parse_comp_unit heap-based buffer over-read and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100624", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14129", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22047", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e4f2723003859dc6b33ca0dadbc4a7659ebf1643" + ] + }, + { + "VulnerabilityID": "CVE-2017-14130", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in the _bfd_elf_parse_attributes function", + "Description": "The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (_bfd_elf_attr_strdup heap-based buffer over-read and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/100625", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14130", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22058", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2a143b99fc4a5094a9cf128f3184d8e6818c8229" + ] + }, + { + "VulnerabilityID": "CVE-2017-14529", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer over-read in bfd_getl16 function in peXXigen.c", + "Description": "The pe_print_idata function in peXXigen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles HintName vector entries, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PE file, related to the bfd_getl16 
function.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14529", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22113", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4d465c689a8fb27212ef358d0aee89d60dee69a6", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dcaaca89e8618eba35193c27afcb1cfa54f74582" + ] + }, + { + "VulnerabilityID": "CVE-2017-14729", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer overflow in the *_get_synthetic_symtab functions", + "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/09/25/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14729", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22170", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=56933f9e3e90eebf1018ed7417d6c1184b91db6b", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=61e3bf5f83f7e505b6bc51ef65426e5b31e6e360" + ] + }, + { + "VulnerabilityID": "CVE-2017-14745", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow in the *_get_synthetic_symtab functions", + "Description": 
"The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14745", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22148" + ] + }, + { + "VulnerabilityID": "CVE-2017-14930", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory leak in decode_line_info", + "Description": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14930", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22191" + ] + }, + { + "VulnerabilityID": "CVE-2017-14932", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Infinite loop in the decode_line_info", + "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14932", + 
"https://sourceware.org/bugzilla/show_bug.cgi?id=22204", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e338894dc2e603683bed2172e8e9f25b29051005" + ] + }, + { + "VulnerabilityID": "CVE-2017-14933", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Infinite loop in read_formatted_entries", + "Description": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101203", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14933", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22210", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=33e0a9a056bd23e923b929a4f2ab049ade0b1c32" + ] + }, + { + "VulnerabilityID": "CVE-2017-14934", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Infinite loop in process_debug_info", + "Description": "process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101204", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14934", + 
"https://sourceware.org/bugzilla/show_bug.cgi?id=22219", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=19485196044b2521af979f1e5c4a89bfb90fba0b" + ] + }, + { + "VulnerabilityID": "CVE-2017-14938", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Excessive memory allocation in _bfd_elf_slurp_version_tables", + "Description": "_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101212", + "https://blogs.gentoo.org/ago/2017/09/26/binutils-memory-allocation-failure-in-_bfd_elf_slurp_version_tables-elf-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14938", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22166", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bd61e135492ecf624880e6b78e5fcde3c9716df6" + ] + }, + { + "VulnerabilityID": "CVE-2017-14939", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in the decode_line_info", + "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles a length calculation, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to read_1_byte.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101216", + 
"https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14939", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22169", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=515f23e63c0074ab531bc954f84ca40c6281a724", + "https://www.exploit-db.com/exploits/42970/" + ] + }, + { + "VulnerabilityID": "CVE-2017-14940", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the scan_unit_for_symbols", + "Description": "scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/09/26/binutils-null-pointer-dereference-in-scan_unit_for_symbols-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14940", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22166", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0d76029f92182c3682d8be2c833d45bc9a2068fe" + ] + }, + { + "VulnerabilityID": "CVE-2017-14974", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the *_get_synthetic_symtab functions", + "Description": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer 
dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14974", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22163", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e70c19e3a4c26e9c1ebf0c9170d105039b56d7cf" + ] + }, + { + "VulnerabilityID": "CVE-2017-15020", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer overflow in parse_die", + "Description": "dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles pointers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file, related to parse_die and parse_line_table, as demonstrated by a parse_die heap-based buffer over-read.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-parse_die-dwarf1-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15020", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22202", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5" + ] + }, + { + "VulnerabilityID": "CVE-2017-15021", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in bfd_get_debug_link_info_1", + "Description": "bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service 
(heap-based buffer over-read and application crash) via a crafted ELF file, related to bfd_getl32.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-bfd_getl32-opncls-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15021", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22197", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52b36c51e5bf6d7600fdc6ba115b170b0e78e31d" + ] + }, + { + "VulnerabilityID": "CVE-2017-15022", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in dwarf2.c", + "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, does not validate the DW_AT_name data type, which allows remote attackers to cause a denial of service (bfd_hash_hash NULL pointer dereference, or out-of-bounds access, and application crash) via a crafted ELF file, related to scan_unit_for_symbols and parse_comp_unit.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15022", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22201", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11855d8a1f11b102a702ab76e95b22082cccf2f8" + ] + }, + { + "VulnerabilityID": "CVE-2017-15023", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in read_formatted_entries", + "Description": "read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as 
distributed in GNU Binutils 2.29, does not properly validate the format count, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101611", + "https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15023", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22200", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c361faae8d964db951b7100cada4dcdc983df1bf" + ] + }, + { + "VulnerabilityID": "CVE-2017-15024", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Infinite recursion in find_abstract_instance_name", + "Description": "find_abstract_instance_name in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/10/03/binutils-infinite-loop-in-find_abstract_instance_name-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15024", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22187", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52a93b95ec0771c97e26f0bb28630a271a667bd2" + ] + }, + { + "VulnerabilityID": "CVE-2017-15025", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Divide-by-zero in 
decode_line_info", + "Description": "decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/10/03/binutils-divide-by-zero-in-decode_line_info-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15025", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22186", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d8010d3e75ec7194a4703774090b27486b742d48" + ] + }, + { + "VulnerabilityID": "CVE-2017-15225", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory leak in _bfd_dwarf2_cleanup_debug_info", + "Description": "_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15225", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22212", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b55ec8b676ed05d93ee49d6c79ae0403616c4fb0" + ] + }, + { + "VulnerabilityID": "CVE-2017-15938", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid memory read in find_abstract_instance_name", + "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of 
a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101610", + "https://blogs.gentoo.org/ago/2017/10/24/binutils-invalid-memory-read-in-find_abstract_instance_name-dwarf2-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15938", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22209", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1b86808a86077722ee4f42ff97f836b12420bb2a" + ] + }, + { + "VulnerabilityID": "CVE-2017-15939", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the concat_filename", + "Description": "dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. 
NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101613", + "https://blogs.gentoo.org/ago/2017/10/24/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023/", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22205", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a54018b72d75abf2e74bf36016702da06399c1d9" + ] + }, + { + "VulnerabilityID": "CVE-2017-15996", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Excessive memory allocation in elfcomm.c", + "Description": "elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a \"buffer overflow on fuzzed archive header,\" related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101608", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15996", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22361", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d91f0b20e561e326ee91a09a76206257bde8438b" + ] + }, + { + "VulnerabilityID": "CVE-2017-16826", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid memory access in the coff_slurp_line_table function", + "Description": "The 
coff_slurp_line_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted PE file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16826", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22376", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a67d66eb97e7613a38ffe6622d837303b3ecd31d" + ] + }, + { + "VulnerabilityID": "CVE-2017-16827", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid free in the aout_get_external_symbols function", + "Description": "The aout_get_external_symbols function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (slurp_symtab invalid free and application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16827", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22306", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419" + ] + }, + { + "VulnerabilityID": "CVE-2017-16828", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow in the display_debug_frames function", + "Description": "The display_debug_frames function in 
dwarf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (integer overflow and heap-based buffer over-read, and application crash) or possibly have unspecified other impact via a crafted ELF file, related to print_debug_frame.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16828", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22386", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d" + ] + }, + { + "VulnerabilityID": "CVE-2017-16829", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in the _bfd_elf_parse_gnu_properties function", + "Description": "The _bfd_elf_parse_gnu_properties function in elf-properties.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not prevent negative pointers, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16829", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22307", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf54ebff3b7361989712fd9c0128a9b255578163" + ] + }, + { + "VulnerabilityID": "CVE-2017-16830", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Segmentation fault in the print_gnu_property_note function", + "Description": "The print_gnu_property_note 
function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101941", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16830", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22384", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6ab2c4ed51f9c4243691755e1b1d2149c6a426f4" + ] + }, + { + "VulnerabilityID": "CVE-2017-16831", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow in coffgen.c", + "Description": "coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate the symbol count, which allows remote attackers to cause a denial of service (integer overflow and application crash, or excessive memory allocation) or possibly have unspecified other impact via a crafted PE file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16831", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22385", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca" + ] + }, + { + "VulnerabilityID": "CVE-2017-16832", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Segmentation fault in the pe_bfd_read_buildid function", + "Description": "The 
pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16832", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22373", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bb6961f18b8e832d88b490d421ca56cea16c45b" + ] + }, + { + "VulnerabilityID": "CVE-2017-17080", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in bfd_getl32", + "Description": "elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate sizes of core notes, which allows remote attackers to cause a denial of service (bfd_getl32 heap-based buffer over-read and application crash) via a crafted object file, related to elfcore_grok_netbsd_procinfo, elfcore_grok_openbsd_procinfo, and elfcore_grok_nto_status.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17080", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22421" + ] + }, + { + "VulnerabilityID": "CVE-2017-17121", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory access violation via a crafted COFF binary", + "Description": "The Binary File 
Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (memory access violation) or possibly have unspecified other impact via a COFF binary in which a relocation refers to a location after the end of the to-be-relocated section.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17121", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22506", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b23dc97fe237a1d9e850d7cbeee066183a00630b" + ] + }, + { + "VulnerabilityID": "CVE-2017-17122", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Excessive memory allocation in the dump_relocs_in_section function", + "Description": "The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29.1 does not check for reloc count integer overflows, which allows remote attackers to cause a denial of service (excessive memory allocation, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PE file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17122", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22508", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d785b7d4b877ed465d04072e17ca19d0f47d840f" + ] + }, + { + "VulnerabilityID": "CVE-2017-17123", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the coff_slurp_reloc_table function", + "Description": "The 
coff_slurp_reloc_table function in coffcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted COFF based file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17123", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22509", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4581a1c7d304ce14e714b27522ebf3d0188d6543" + ] + }, + { + "VulnerabilityID": "CVE-2017-17124", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer overflow in the _bfd_coff_read_string_table function", + "Description": "The _bfd_coff_read_string_table function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not properly validate the size of the external string table, which allows remote attackers to cause a denial of service (excessive memory consumption, or heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted COFF binary.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17124", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22507", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b0029dce6867de1a2828293177b0e030d2f0f03c" + ] + }, + { + "VulnerabilityID": "CVE-2017-17125", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Buffer over-read in 
the _bfd_elf_get_symbol_version_string function", + "Description": "nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global symbols, which allows remote attackers to cause a denial of service (_bfd_elf_get_symbol_version_string buffer over-read and application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17125", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22443", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=160b1a618ad94988410dc81fce9189fcda5b7ff4" + ] + }, + { + "VulnerabilityID": "CVE-2017-17126", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid memory access in the load_debug_section function", + "Description": "The load_debug_section function in readelf.c in GNU Binutils 2.29.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via an ELF file that lacks section headers.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17126", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22510", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f425ec6600b69e39eb605f3128806ff688137ea8" + ] + }, + { + "VulnerabilityID": "CVE-2017-6969", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in readelf when processing corrupt RL78 binaries", + "Description": "readelf in GNU Binutils 2.28 is 
vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97065", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21156" + ] + }, + { + "VulnerabilityID": "CVE-2017-7209", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Null pointer dereference in dump_section_as_bytes function in readelf", + "Description": "The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/96994", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21135" + ] + }, + { + "VulnerabilityID": "CVE-2017-7210", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-reads in objdump", + "Description": "objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/96992", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210", + "https://security.gentoo.org/glsa/201801-01", + 
"https://sourceware.org/bugzilla/show_bug.cgi?id=21157" + ] + }, + { + "VulnerabilityID": "CVE-2017-7223", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer overflow when attempting to unget EOF character", + "Description": "GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7223", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20898" + ] + }, + { + "VulnerabilityID": "CVE-2017-7224", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid write in find_nearest_line function", + "Description": "The find_nearest_line function in objdump in GNU Binutils 2.28 is vulnerable to an invalid write (of size 1) while disassembling a corrupt binary that contains an empty function name, leading to a program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97277", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7224", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20892" + ] + }, + { + "VulnerabilityID": "CVE-2017-7225", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Null pointer dereference and invalid write in find_nearest_line function in addr2line", + 
"Description": "The find_nearest_line function in addr2line in GNU Binutils 2.28 does not handle the case where the main file name and the directory name are both empty, triggering a NULL pointer dereference and an invalid write, and leading to a program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97275", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7225", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20891" + ] + }, + { + "VulnerabilityID": "CVE-2017-7226", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer over-read in pe_ILF_object_p function in libbfd", + "Description": "The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7226", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20905" + ] + }, + { + "VulnerabilityID": "CVE-2017-7227", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-based buffer overflow in ld due to missing null termination", + "Description": "GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. 
This relates to lack of '\\0' termination of a name field in ldlex.l.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97209", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7227", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20906" + ] + }, + { + "VulnerabilityID": "CVE-2017-7299", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in bfd_elf_final_link function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97217", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7299", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20908" + ] + }, + { + "VulnerabilityID": "CVE-2017-7300", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-buffer overflow in aout_link_add_symbols function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash.", + "Severity": "LOW", + "References": [ + 
"http://www.securityfocus.com/bid/97219", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7300", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20909" + ] + }, + { + "VulnerabilityID": "CVE-2017-7301", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Off-by-one error in aout_link_add_symbols function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97218", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7301", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20924" + ] + }, + { + "VulnerabilityID": "CVE-2017-7302", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in wap_std_reloc_out function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. 
This vulnerability causes Binutils utilities like strip to crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97216", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7302", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20921" + ] + }, + { + "VulnerabilityID": "CVE-2017-7303", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in find_link function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97213", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7303", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20922" + ] + }, + { + "VulnerabilityID": "CVE-2017-7304", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in copy_special_section_fields function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. 
This vulnerability causes Binutils utilities like strip to crash.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/97215", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20931" + ] + }, + { + "VulnerabilityID": "CVE-2017-7614", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in bfd_elf_final_link function", + "Description": "elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/04/05/binutils-two-null-pointer-dereference-in-elflink-c/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7614", + "https://security.gentoo.org/glsa/201709-02" + ] + }, + { + "VulnerabilityID": "CVE-2017-8392", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the _bfd_dwarf2_find_nearest_line function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", + "Severity": "LOW", + "References": [ + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21409" + ] + }, + { + "VulnerabilityID": "CVE-2017-8393", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read due to wrong assumption for objcopy and strip", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8393", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21412" + ] + }, + { + "VulnerabilityID": "CVE-2017-8394", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the _bfd_elf_large_com_section", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8394", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21414" + ] + }, + { + "VulnerabilityID": "CVE-2017-8395", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds write in the _bfd_generic_get_section_contents function", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8395", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21431" + ] + }, + { + "VulnerabilityID": "CVE-2017-8396", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in the existing reloc offset range tests", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. 
This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8396", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21432" + ] + }, + { + "VulnerabilityID": "CVE-2017-8397", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read and write while processing binary containing reloc(s) with negative addresses", + "Description": "The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8397", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21434" + ] + }, + { + "VulnerabilityID": "CVE-2017-8398", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read while dumping the debug information from a corrupt binary", + "Description": "dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. 
This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8398", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21438" + ] + }, + { + "VulnerabilityID": "CVE-2017-8421", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory exhaustion in objdump via a crafted PE file", + "Description": "The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8421", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21440" + ] + }, + { + "VulnerabilityID": "CVE-2017-9038", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap-buffer overflow in the byte_get_little_endian", + "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98589", + 
"https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9038", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d" + ] + }, + { + "VulnerabilityID": "CVE-2017-9039", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Memory consumption via many program headers", + "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98580", + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9039", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5" + ] + }, + { + "VulnerabilityID": "CVE-2017-9040", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in the process_mips_specific_function", + "Description": "GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98579", + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9040", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf" + ] + }, + { + "VulnerabilityID": "CVE-2017-9041", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer overflow in the process_mips_specific function", + "Description": "GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to MIPS GOT mishandling in the process_mips_specific function in readelf.c.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98598", + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9041", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3" + ] + }, + { + "VulnerabilityID": "CVE-2017-9042", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Invalid variable type in readelf.c", + "Description": "readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9042", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf" + ] + }, + { + "VulnerabilityID": "CVE-2017-9043", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Shift exponent too large for type unsigned long in readelf.c", + "Description": "readelf.c in GNU Binutils 2017-04-12 has a \"shift exponent too large for type unsigned long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98591", + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9043", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ddef72cdc10d82ba011a7ff81cafbbd3466acf54" + ] + }, + { + "VulnerabilityID": "CVE-2017-9044", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Out-of-bounds read in the print_symbol_for_build_attribute function", + "Description": "The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/98587", + "https://blogs.gentoo.org/ago/2017/05/12/binutils-multiple-crashes/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9044" + ] + }, + { + "VulnerabilityID": "CVE-2017-9742", + "PkgName": "binutils", + 
"InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer over-read in print_insn_score16 function while disassembling corrupt score binary", + "Description": "The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99105", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9742", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21576", + "https://www.exploit-db.com/exploits/42203/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9743", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer over-read in print_insn_score32 function while disassembling corrupt score binary", + "Description": "The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99106", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9743", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21577" + ] + }, + { + "VulnerabilityID": "CVE-2017-9744", + "PkgName": "binutils", + "InstalledVersion": 
"2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Address violation in sh_elf_set_mach_from_flags function when disassembling a corrupt SH binary", + "Description": "The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99108", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9744", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21578" + ] + }, + { + "VulnerabilityID": "CVE-2017-9745", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer over-read in _bfd_vms_slurp_etir function when handling VMS alpha binaries", + "Description": "The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99109", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9745", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21579" + ] + }, + { + "VulnerabilityID": "CVE-2017-9746", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { 
+ "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer over-read in disassemble_bytes function when disassembling a corrupt binary", + "Description": "The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99117", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9746", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21580", + "https://www.exploit-db.com/exploits/42199/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9747", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack-based buffer over-read in ieee_archive_p function while disassembling corrupt IEEE binary", + "Description": "The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. 
NOTE: this may be related to a compiler bug.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99114", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9747", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21581", + "https://www.exploit-db.com/exploits/42200/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9748", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack-based buffer over-read in ieee_object_p function", + "Description": "The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. 
NOTE: this may be related to a compiler bug.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99110", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9748", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21582", + "https://www.exploit-db.com/exploits/42202/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9749", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer over-read in *regs* macros when disassembling corrupt bfin binary", + "Description": "The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99113", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9749", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21586", + "https://www.exploit-db.com/exploits/42201/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9750", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer over-read in opcodes/rx-decode.opc when disassembling a corrupt RX binary", + "Description": "opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + 
"Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99118", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9750", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21587", + "https://www.exploit-db.com/exploits/42198/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9751", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack-based buffer over-read in opcodes/rl78-decode.opc when disassembling a corrupt RL78 binary", + "Description": "opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99111", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9751", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21588" + ] + }, + { + "VulnerabilityID": "CVE-2017-9752", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Heap buffer over-read in f_bfd_vms_get_value function when processing a corrupt Alpha VMA binary", + "Description": "bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the 
_bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99122", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9752", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21589" + ] + }, + { + "VulnerabilityID": "CVE-2017-9753", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Address violation in versados_mkobject function when disassembling a corrupt versados binary", + "Description": "The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99116", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9753", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21591" + ] + }, + { + "VulnerabilityID": "CVE-2017-9754", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack-based buffer over-read in process_otr function", + "Description": "The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a 
crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99125", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9754", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21591" + ] + }, + { + "VulnerabilityID": "CVE-2017-9755", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Global buffer over-read in opcodes/i386-dis.c while checking invalid registers", + "Description": "opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99124", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9755", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21594" + ] + }, + { + "VulnerabilityID": "CVE-2017-9756", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Address violation in aarch64_ext_ldst_reglist function when disassembling corrupt aarch64 binary", + "Description": "The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.", + 
"Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99103", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9756", + "https://security.gentoo.org/glsa/201801-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21595", + "https://www.exploit-db.com/exploits/42204/" + ] + }, + { + "VulnerabilityID": "CVE-2017-9954", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: stack-based buffer over-read in getvalue function", + "Description": "The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/99307", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9954", + "https://security.gentoo.org/glsa/201709-02", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21670" + ] + }, + { + "VulnerabilityID": "CVE-2017-9955", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap buffer over-read in get_build_id function", + "Description": "The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.", + "Severity": "LOW", + "References": [ + 
"http://www.securityfocus.com/bid/99573", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9955", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21665" + ] + }, + { + "VulnerabilityID": "CVE-2018-12698", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: excessive memory consumption in demangle_template in cplus-dem.c", + "Description": "demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the \"Create an array for saving the template argument values\" XNEWVEC call. This can occur during execution of objdump.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/104539", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", + "https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" + ] + }, + { + "VulnerabilityID": "CVE-2018-12699", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer overflow in finish_stab in stabs.c", + "Description": "finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. 
This can occur during execution of objdump.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/104540", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", + "https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" + ] + }, + { + "VulnerabilityID": "CVE-2018-12700", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack Exhaustion in debug_write_type in debug.c", + "Description": "A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/104541", + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763102", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454", + "https://security.gentoo.org/glsa/201908-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23057" + ] + }, + { + "VulnerabilityID": "CVE-2018-12934", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Uncontrolled Resource Consumption in remember_Ktype in cplus-dem.c", + "Description": "remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). 
This can occur during execution of cxxfilt.", + "Severity": "LOW", + "References": [ + "https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1763101", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23059" + ] + }, + { + "VulnerabilityID": "CVE-2018-17358", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: invalid memory access in _bfd_stab_section_find_nearest_line in syms.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23686" + ] + }, + { + "VulnerabilityID": "CVE-2018-17359", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: invalid memory access in bfd_zalloc in opncls.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. 
Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23686" + ] + }, + { + "VulnerabilityID": "CVE-2018-17360", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer over-read in bfd_getl32 in libbfd.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23685" + ] + }, + { + "VulnerabilityID": "CVE-2018-17794", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in libiberty/cplus-dem.c:work_stuff_copy_to_from() via crafted input", + "Description": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31. 
There is a NULL pointer dereference in work_stuff_copy_to_from when called from iterate_demangle_function.", + "Severity": "LOW", + "References": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350" + ] + }, + { + "VulnerabilityID": "CVE-2018-17985", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack consumption problem caused by the cplus_demangle_type", + "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption problem caused by the cplus_demangle_type function making recursive calls to itself in certain scenarios involving many 'P' characters.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87335" + ] + }, + { + "VulnerabilityID": "CVE-2018-18483", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow in cplus-dem.c:get_count() allows for denial of service", + "Description": "The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/105689", + 
"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87602", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23767" + ] + }, + { + "VulnerabilityID": "CVE-2018-18484", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Stack exhaustion in cp-demangle.c allows for denial of service", + "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/105693", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636" + ] + }, + { + "VulnerabilityID": "CVE-2018-18605", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: heap-based buffer over-read in sec_merge_hash_lookup in merge.c", + "Description": "A heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, because _bfd_add_merge_section mishandles section merges when size is not a multiple of entsize. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/105754", + "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18605", + "https://security.netapp.com/advisory/ntap-20190307-0003/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23804", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ab419ddbb2cdd17ca83618990f2cacf904ce1d61" + ] + }, + { + "VulnerabilityID": "CVE-2018-18606", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in _bfd_add_merge_section in merge_strings function in merge.c", + "Description": "An issue was discovered in the merge_strings function in merge.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/105754", + "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18606", + "https://security.netapp.com/advisory/ntap-20190307-0003/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23806", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45a0eaf77022963d639d6d19871dbab7b79703fc" + ] + }, + { + "VulnerabilityID": "CVE-2018-18607", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: NULL pointer dereference in elf_link_input_bfd in elflink.c", + "Description": "An issue was discovered in elf_link_input_bfd in elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. There is a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section. 
A specially crafted ELF allows remote attackers to cause a denial of service, as demonstrated by ld.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/105754", + "https://deb.freexian.com/extended-lts/tracker/CVE-2018-18607", + "https://security.netapp.com/advisory/ntap-20190307-0003/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23805", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=102def4da826b3d9e169741421e5e67e8731909a" + ] + }, + { + "VulnerabilityID": "CVE-2018-18700", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Recursive Stack Overflow within function d_name, d_encoding, and d_local_name in cp-demangle.c", + "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. There is a stack consumption vulnerability resulting from infinite recursion in the functions d_name(), d_encoding(), and d_local_name() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.", + "Severity": "LOW", + "References": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87681" + ] + }, + { + "VulnerabilityID": "CVE-2018-18701", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: infinite recursion in next_is_type_qual and cplus_demangle_type functions in cp-demangle.c", + "Description": "An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. 
There is a stack consumption vulnerability resulting from infinite recursion in the functions next_is_type_qual() and cplus_demangle_type() in cp-demangle.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via an ELF file, as demonstrated by nm.", + "Severity": "LOW", + "References": [ + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675" + ] + }, + { + "VulnerabilityID": "CVE-2018-19932", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow due to the IS_CONTAINED_BY_LMA macro resulting in a denial of service", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA macro in elf.c.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/106144", + "https://security.gentoo.org/glsa/201908-01", + "https://security.netapp.com/advisory/ntap-20190221-0004/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23932", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7" + ] + }, + { + "VulnerabilityID": "CVE-2018-20002", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: memory leak in _bfd_generic_read_minisymbols function in syms.c", + "Description": "The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm.", + "Severity": "LOW", + 
"References": [ + "http://www.securityfocus.com/bid/106142", + "https://security.gentoo.org/glsa/201908-01", + "https://security.netapp.com/advisory/ntap-20190221-0004/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23952", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c2f5dc30afa34696f2da0081c4ac50b958ecb0e9", + "https://support.f5.com/csp/article/K62602089" + ] + }, + { + "VulnerabilityID": "CVE-2018-20657", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", + "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-20657.html", + "http://linux.oracle.com/errata/ELSA-2019-3352.html", + "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", + "https://support.f5.com/csp/article/K62602089" + ] + }, + { + "VulnerabilityID": "CVE-2018-6323", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Integer overflow in elf_object_p function in elfcode.h", + "Description": "The elf_object_p function in elfcode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, has an unsigned integer overflow because bfd_size_type multiplication is not used. 
A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/102821", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6323", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22746", + "https://www.exploit-db.com/exploits/44035/" + ] + }, + { + "VulnerabilityID": "CVE-2018-6759", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: Unchecked strnlen in opncls.c:bfd_get_debug_link_info_1() can allow lead to denial of service", + "Description": "The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. 
Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/103030", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6759", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22794" + ] + }, + { + "VulnerabilityID": "CVE-2018-6872", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: out of bounds read in elf_parse_notes function in elf.c file in libbfd library", + "Description": "The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/103103", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6872", + "https://security.gentoo.org/glsa/201811-17", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22788", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6" + ] + }, + { + "VulnerabilityID": "CVE-2019-1010204", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: 
Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read in gold/fileread.cc and elfcpp/elfcpp_file.h leads to denial of service", + "Description": "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened.", + "Severity": "LOW", + "References": [ + "https://security.netapp.com/advisory/ntap-20190822-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23765" + ] + }, + { + "VulnerabilityID": "CVE-2019-14250", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: integer overflow in simple-object-elf.c leads to a heap-based buffer overflow", + "Description": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. 
simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/109354", + "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924", + "https://gcc.gnu.org/ml/gcc-patches/2019-07/msg01003.html", + "https://security.netapp.com/advisory/ntap-20190822-0002/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17450", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: denial of service via crafted ELF file", + "Description": "find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32, allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted ELF file.", + "Severity": "LOW", + "References": [ + "https://security.netapp.com/advisory/ntap-20191024-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25078" + ] + }, + { + "VulnerabilityID": "CVE-2019-17451", + "PkgName": "binutils", + "InstalledVersion": "2.27-41.base.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "binutils: integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c", + "Description": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. 
It is an integer overflow leading to a SEGV in _bfd_dwarf2_find_nearest_line in dwarf2.c, as demonstrated by nm.", + "Severity": "LOW", + "References": [ + "https://security.netapp.com/advisory/ntap-20191024-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25070", + "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848f4b9558456fdcf283ee8a32d7fd1" ] }, { @@ -2657,9 +2596,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "bzip2: heap use after free in bzip2recover", "Description": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/06/20/1", "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", 
@@ -2670,6 +2610,56 @@ "https://security.gentoo.org/glsa/201708-08" ] }, + { + "VulnerabilityID": "CVE-2019-12900", + "PkgName": "bzip2-libs", + "InstalledVersion": "1.0.6-13.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "bzip2: out-of-bounds write in function BZ2_decompress", + "Description": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900", + "https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html", + "https://usn.ubuntu.com/4038-1/", + "https://usn.ubuntu.com/4038-2/" + ] + }, + { + "VulnerabilityID": "CVE-2016-2781", + "PkgName": "coreutils", + "InstalledVersion": "8.22-24.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", + "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "Severity": "MEDIUM", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/02/28/2", + "http://www.openwall.com/lists/oss-security/2016/02/28/3" + ] + }, + { + "VulnerabilityID": "CVE-2017-18018", + "PkgName": "coreutils", + "InstalledVersion": "8.22-24.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "coreutils: race condition vulnerability in chown and chgrp", + "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent 
replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", + "Severity": "MEDIUM", + "References": [ + "http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2014-9471", "PkgName": "coreutils", @@ -2677,9 +2667,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "coreutils: memory corruption flaw in parse_datetime()", "Description": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://advisories.mageia.org/MGASA-2015-0029.html", "http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872", 
@@ -2701,9 +2692,15 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "coreutils: heap buffer overflow in sort(1) keycompare_mb()", - "Description": "No description is available for this CVE.", - "Severity": "LOW" + "Description": "The keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 on 64-bit platforms performs a size calculation without considering the number of bytes occupied by multibyte characters, which allows attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via long UTF-8 strings.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2015/05/15/1", + "https://bugzilla.suse.com/show_bug.cgi?id=928749", + "https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940" + ] }, { "VulnerabilityID": "CVE-2015-4042", 
@@ -2712,56 +2709,31 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "coreutils: possible buffer overflow in keycompare_mb()", - "Description": "No description is available for this CVE.", - "Severity": "LOW" - }, - { - "VulnerabilityID": "CVE-2016-2781", - "PkgName": "coreutils", - "InstalledVersion": "8.22-24.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", - "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "Description": "Integer overflow in the keycompare_mb function in sort.c in sort in GNU Coreutils through 8.23 might allow attackers to cause a denial of service (application crash) or possibly have unspecified other impact via long strings.", "Severity": "LOW", "References": [ - "http://www.openwall.com/lists/oss-security/2016/02/28/2", - "http://www.openwall.com/lists/oss-security/2016/02/28/3" + "http://openwall.com/lists/oss-security/2015/05/15/1", + "https://github.com/pixelb/coreutils/commit/bea5e36cc876ed627bb5e0eca36fdfaa6465e940" ] }, { - "VulnerabilityID": "CVE-2017-18018", - "PkgName": "coreutils", - "InstalledVersion": "8.22-24.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "coreutils: race condition vulnerability in chown and chgrp", - "Description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "Severity": "LOW", - "References": [ - 
"http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html" - ] - }, - { - "VulnerabilityID": "CVE-2016-2037", + "VulnerabilityID": "CVE-2019-14866", "PkgName": "cpio", "InstalledVersion": "2.11-27.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "cpio: out of bounds write", - "Description": "The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.", + "SeveritySource": "redhat", + "Title": "cpio: improper input validation when writing tar header fields leads to unexpect tar generation", + "Description": "In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.", "Severity": "MEDIUM", "References": [ - "http://www.debian.org/security/2016/dsa-3483", - "http://www.openwall.com/lists/oss-security/2016/01/19/4", - "http://www.openwall.com/lists/oss-security/2016/01/22/4", - "http://www.securityfocus.com/bid/82293", - "http://www.securitytracker.com/id/1035067", - "http://www.ubuntu.com/usn/USN-2906-1" + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14866", + "https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html", + "https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html" ] }, { 
@@ -2771,6 +2743,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "cpio: directory traversal through symlinks", "Description": "cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.", "Severity": "LOW", @@ -2786,6 +2759,26 @@ "https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html" ] }, + { + "VulnerabilityID": "CVE-2016-2037", + "PkgName": "cpio", + "InstalledVersion": "2.11-27.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "cpio: out of bounds write", + "Description": "The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.", + "Severity": "LOW", + "References": [ + "http://www.debian.org/security/2016/dsa-3483", + "http://www.openwall.com/lists/oss-security/2016/01/19/4", + "http://www.openwall.com/lists/oss-security/2016/01/22/4", + "http://www.securityfocus.com/bid/82293", + "http://www.securitytracker.com/id/1035067", + "http://www.ubuntu.com/usn/USN-2906-1" + ] + }, { "VulnerabilityID": "CVE-2016-6318", "PkgName": "cracklib", 
@@ -2793,9 +2786,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "cracklib: Stack-based buffer overflow when parsing large GECOS field", "Description": "Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2016-08/msg00122.html", "http://www.openwall.com/lists/oss-security/2016/08/16/2", @@ -2811,9 +2805,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "cracklib: Stack-based buffer overflow when parsing large GECOS field", "Description": "Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2016-08/msg00122.html", "http://www.openwall.com/lists/oss-security/2016/08/16/2", 
@@ -2822,117 +2817,6 @@ "https://security.gentoo.org/glsa/201612-25" ] }, - { - "VulnerabilityID": "CVE-2016-8618", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: Double-free in curl_maprintf", - "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94098", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", - "https://curl.haxx.se/docs/adv_20161102D.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8619", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: Double-free in krb5 code", - "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94100", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", - "https://curl.haxx.se/CVE-2016-8619.patch", - 
"https://curl.haxx.se/docs/adv_20161102E.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8622", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: URL unescape heap overflow via integer truncation", - "Description": "The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94105", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622", - "https://curl.haxx.se/docs/adv_20161102H.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2017-8817", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: FTP wildcard out of bounds read", - "Description": "The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly 
have unspecified other impact via a string that ends with an '[' character.", - "Severity": "HIGH", - "References": [ - "http://security.cucumberlinux.com/security/details.php?id=162", - "http://www.securityfocus.com/bid/102057", - "http://www.securitytracker.com/id/1039897", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/docs/adv_2017-ae72.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00040.html", - "https://security.gentoo.org/glsa/201712-04", - "https://www.debian.org/security/2017/dsa-4051" - ] - }, - { - "VulnerabilityID": "CVE-2019-5482", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: heap buffer overflow in function tftp_receive_packet()", - "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", - "https://curl.haxx.se/docs/CVE-2019-5482.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" - ] - }, { "VulnerabilityID": "CVE-2015-3153", "PkgName": "curl", 
@@ -2940,6 +2824,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "curl: sensitive HTTP server headers also sent to proxies", "Description": "The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.", "Severity": "MEDIUM", 
@@ -2961,6 +2846,257 @@ "https://support.apple.com/kb/HT205031" ] }, + { + "VulnerabilityID": "CVE-2016-8615", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: Cookie injection for other servers", + "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8615.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94096", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615", + "https://curl.haxx.se/CVE-2016-8615.patch", + "https://curl.haxx.se/docs/adv_20161102A.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8617", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: Out-of-bounds write via unchecked multiplication", + "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8617.html", + 
"http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94097", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617", + "https://curl.haxx.se/CVE-2016-8617.patch", + "https://curl.haxx.se/docs/adv_20161102C.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8618", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: Double-free in curl_maprintf", + "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8618.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94098", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", + "https://curl.haxx.se/docs/adv_20161102D.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8619", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + 
"DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: Double-free in krb5 code", + "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8619.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94100", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", + "https://curl.haxx.se/CVE-2016-8619.patch", + "https://curl.haxx.se/docs/adv_20161102E.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8624", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: Invalid URL parsing with '#'", + "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. 
This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8624.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94103", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624", + "https://curl.haxx.se/docs/adv_20161102J.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8625", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: IDNA 2003 makes curl use wrong host", + "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8625.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.securityfocus.com/bid/94107", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625", + "https://curl.haxx.se/CVE-2016-8625.patch", + "https://curl.haxx.se/docs/adv_20161102K.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625", + 
"https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2017-1000254", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: FTP PWD response parser out of bounds read", + "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3992", + "http://www.securityfocus.com/bid/101115", + "http://www.securitytracker.com/id/1039509", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://curl.haxx.se/673d0cd8.patch", + "https://curl.haxx.se/docs/adv_20171004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254", + "https://security.gentoo.org/glsa/201712-04", + "https://support.apple.com/HT208331" + ] + }, + { + "VulnerabilityID": "CVE-2017-8817", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: FTP wildcard out of bounds read", + "Description": "The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.", + "Severity": "MEDIUM", + "References": [ + "http://security.cucumberlinux.com/security/details.php?id=162", + "http://www.securityfocus.com/bid/102057", + "http://www.securitytracker.com/id/1039897", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://curl.haxx.se/docs/adv_2017-ae72.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00040.html", + "https://security.gentoo.org/glsa/201712-04", + "https://www.debian.org/security/2017/dsa-4051" + ] + }, + { + "VulnerabilityID": "CVE-2018-20483", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + 
}, + "SeveritySource": "redhat", + "Title": "wget: Information exposure in set_file_metadata function in xattr.c", + "Description": "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.", + "Severity": "MEDIUM", + "References": [ + "http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS", + "http://linux.oracle.com/cve/CVE-2018-20483.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106358", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483", + "https://security.gentoo.org/glsa/201903-08", + "https://security.netapp.com/advisory/ntap-20190321-0002/", + "https://twitter.com/marcan42/status/1077676739877232640", + "https://usn.ubuntu.com/3943-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + 
"https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, { "VulnerabilityID": "CVE-2016-0755", "PkgName": "curl", @@ -2968,9 +3104,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "curl: NTLM credentials not-checked for proxy connection re-use", "Description": "The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://curl.haxx.se/docs/adv_20160127A.html", "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", 
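Review bot: The re-added CVE-2019-5482 entry at the end of this hunk is now expected at `"Severity": "MEDIUM"` where the removed entry had `"Severity": "HIGH"`, and the `@@ -2968`, `@@ -3024`, `@@ -3072`, `@@ -3096`, `@@ -3166` and `@@ -3189` hunks likewise move curl entries from MEDIUM to LOW, all alongside the new `"SeveritySource": "redhat"` field. The fixture records the new values but not why they changed, so it appears the vendor rating now takes precedence over the NVD one; a later data refresh that flips these back would be indistinguishable from a regression. I'd state in the commit description (or the test case name) that expected severities follow the distro's rating when one is available, and that this is a deliberate downgrade for these curl findings. That also matters operationally: a scan filtered to HIGH-only findings will no longer surface CVE-2019-5482 on this image, which users comparing against NVD should be told.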
@@ -2993,30 +3130,6 @@ "https://support.apple.com/HT207170" ] }, - { - "VulnerabilityID": "CVE-2016-8615", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: Cookie injection for other servers", - "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94096", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615", - "https://curl.haxx.se/CVE-2016-8615.patch", - "https://curl.haxx.se/docs/adv_20161102A.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-8616", "PkgName": "curl", 
@@ -3024,10 +3137,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "curl: Case insensitive password comparison", "Description": "A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8616.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94094", "http://www.securitytracker.com/id/1037192", 
@@ -3041,30 +3157,6 @@ "https://www.tenable.com/security/tns-2016-21" ] }, - { - "VulnerabilityID": "CVE-2016-8617", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: Out-of-bounds write via unchecked multiplication", - "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94097", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617", - "https://curl.haxx.se/CVE-2016-8617.patch", - "https://curl.haxx.se/docs/adv_20161102C.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-8621", "PkgName": "curl", @@ -3072,10 +3164,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "curl: curl_getdate out-of-bounds read", "Description": "The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8621.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94101", "http://www.securitytracker.com/id/1037192", 
@@ -3089,6 +3184,32 @@ "https://www.tenable.com/security/tns-2016-21" ] }, + { + "VulnerabilityID": "CVE-2016-8622", + "PkgName": "curl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: URL unescape heap overflow via integer truncation", + "Description": "The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8622.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94105", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622", + "https://curl.haxx.se/docs/adv_20161102H.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, { "VulnerabilityID": "CVE-2016-8623", "PkgName": "curl", 
@@ -3096,10 +3217,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "curl: Use-after-free via shared cookies", "Description": "A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-8623.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/94106", "http://www.securitytracker.com/id/1037192", 
@@ -3113,52 +3237,6 @@ "https://www.tenable.com/security/tns-2016-21" ] }, - { - "VulnerabilityID": "CVE-2016-8624", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: Invalid URL parsing with '#'", - "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.", - "Severity": "MEDIUM", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94103", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624", - "https://curl.haxx.se/docs/adv_20161102J.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8625", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: IDNA 2003 makes curl use wrong host", - "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/94107", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - 
"https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625", - "https://curl.haxx.se/CVE-2016-8625.patch", - "https://curl.haxx.se/docs/adv_20161102K.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, { "VulnerabilityID": "CVE-2016-9586", "PkgName": "curl", @@ -3166,9 +3244,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "curl: printf floating point buffer overflow", "Description": "curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "http://www.securityfocus.com/bid/95019", 
@@ -3189,9 +3268,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "curl: TFTP sends more than buffer size", "Description": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.debian.org/security/2017/dsa-3992", "http://www.securityfocus.com/bid/100286", 
@@ -3203,48 +3283,6 @@ "https://support.apple.com/HT208221" ] }, - { - "VulnerabilityID": "CVE-2017-1000254", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: FTP PWD response parser out of bounds read", - "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3992", - "http://www.securityfocus.com/bid/101115", - "http://www.securitytracker.com/id/1039509", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/673d0cd8.patch", - "https://curl.haxx.se/docs/adv_20171004.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254", - "https://security.gentoo.org/glsa/201712-04", - "https://support.apple.com/HT208331" - ] - }, - { - "VulnerabilityID": "CVE-2019-5436", - "PkgName": "curl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function", - "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", - "https://curl.haxx.se/docs/CVE-2019-5436.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/", - "https://security.netapp.com/advisory/ntap-20190606-0004/" - ] - }, { "VulnerabilityID": "CVE-2017-7407", "PkgName": "curl", 
@@ -3252,6 +3290,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "curl: --write-out out of bounds read", "Description": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.", "Severity": "LOW", 
@@ -3265,46 +3304,70 @@ ] }, { - "VulnerabilityID": "CVE-2018-20483", + "VulnerabilityID": "CVE-2019-5436", "PkgName": "curl", "InstalledVersion": "7.29.0-54.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "wget: Information exposure in set_file_metadata function in xattr.c", - "Description": "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.", + "SeveritySource": "redhat", + "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function", + "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", "Severity": "LOW", "References": [ - "http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS", - "http://www.securityfocus.com/bid/106358", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483", - "https://security.gentoo.org/glsa/201903-08", - "https://security.netapp.com/advisory/ntap-20190321-0002/", - "https://twitter.com/marcan42/status/1077676739877232640", - "https://usn.ubuntu.com/3943-1/" + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", + "https://curl.haxx.se/docs/CVE-2019-5436.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/", + "https://security.netapp.com/advisory/ntap-20190606-0004/" ] }, { - "VulnerabilityID": "CVE-2014-3635", + "VulnerabilityID": "CVE-2019-19906", + "PkgName": "cyrus-sasl-lib", + "InstalledVersion": "2.1.26-23.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "cyrus-sasl: denial of service in _sasl_add_string function", + "Description": "cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906", + "https://github.com/cyrusimap/cyrus-sasl/issues/587", + "https://lists.debian.org/debian-lts-announce/2019/12/msg00027.html", + "https://seclists.org/bugtraq/2019/Dec/42", + "https://usn.ubuntu.com/4256-1/", + "https://www.debian.org/security/2019/dsa-4591", + "https://www.openldap.org/its/index.cgi/Incoming?id=9123" + ] + }, + { + "VulnerabilityID": "CVE-2019-12749", "PkgName": "dbus", "InstalledVersion": "1:1.10.24-13.el7_6", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "dbus: heap-based buffer overflow flaw in file descriptor passing", - "Description": "Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.", - "Severity": 
"MEDIUM", + "SeveritySource": "redhat", + "Title": "dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass", + "Description": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.", + "Severity": "HIGH", "References": [ - "http://advisories.mageia.org/MGASA-2014-0395.html", - "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", - "http://secunia.com/advisories/61378", - "http://www.debian.org/security/2014/dsa-3026", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:176", - "http://www.openwall.com/lists/oss-security/2014/09/16/9", - "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", - "http://www.securitytracker.com/id/1030864", - "http://www.ubuntu.com/usn/USN-2352-1", - "https://bugs.freedesktop.org/show_bug.cgi?id=83622" + "http://linux.oracle.com/cve/CVE-2019-12749.html", + "http://linux.oracle.com/errata/ELSA-2019-3707.html", + "http://www.openwall.com/lists/oss-security/2019/06/11/2", + "http://www.securityfocus.com/bid/108751", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00005.html", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/", + "https://seclists.org/bugtraq/2019/Jun/16", + "https://usn.ubuntu.com/4015-1/", + "https://usn.ubuntu.com/4015-2/", + "https://www.debian.org/security/2019/dsa-4462", + "https://www.openwall.com/lists/oss-security/2019/06/11/2" ] }, { @@ -3314,9 +3377,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service flaw in dbus-daemon", "Description": "The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0266.html", "http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8\u0026id=24c590703ca47eb71ddef453de43126b90954567", @@ -3340,9 +3404,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in file descriptor passing feature", "Description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0294.html", "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", 
@@ -3364,9 +3429,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service when forwarding invalid file descriptors", "Description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0294.html", "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", 
@@ -3382,6 +3448,30 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533" ] }, + { + "VulnerabilityID": "CVE-2014-3635", + "PkgName": "dbus", + "InstalledVersion": "1:1.10.24-13.el7_6", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "dbus: heap-based buffer overflow flaw in file descriptor passing", + "Description": "Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.", + "Severity": "MEDIUM", + "References": [ + "http://advisories.mageia.org/MGASA-2014-0395.html", + "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", + "http://secunia.com/advisories/61378", + "http://www.debian.org/security/2014/dsa-3026", + "http://www.mandriva.com/security/advisories?name=MDVSA-2015:176", + "http://www.openwall.com/lists/oss-security/2014/09/16/9", + "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", + "http://www.securitytracker.com/id/1030864", + "http://www.ubuntu.com/usn/USN-2352-1", + "https://bugs.freedesktop.org/show_bug.cgi?id=83622" + ] + }, { "VulnerabilityID": "CVE-2014-3636", "PkgName": "dbus", 
@@ -3389,6 +3479,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service by queuing or splitting file descriptors", "Description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.", "Severity": "LOW", @@ -3412,6 +3503,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service by creating unkillable D-Bus connections", "Description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.", "Severity": "LOW", @@ -3437,6 +3529,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in method call handling", "Description": "The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.", "Severity": "LOW", 
@@ -3462,6 +3555,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service flaw in incomplete connection handling", "Description": "The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.", "Severity": "LOW", @@ -3487,6 +3581,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in dbus systemd activation", "Description": "D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.", "Severity": "LOW", 
@@ -3501,15 +3596,18 @@ }, { "VulnerabilityID": "CVE-2019-12749", - "PkgName": "dbus", + "PkgName": "dbus-libs", "InstalledVersion": "1:1.10.24-13.el7_6", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass", "Description": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.", - "Severity": "LOW", + "Severity": "HIGH", "References": [ + "http://linux.oracle.com/cve/CVE-2019-12749.html", + "http://linux.oracle.com/errata/ELSA-2019-3707.html", "http://www.openwall.com/lists/oss-security/2019/06/11/2", "http://www.securityfocus.com/bid/108751", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749", 
@@ -3522,29 +3620,6 @@ "https://www.openwall.com/lists/oss-security/2019/06/11/2" ] }, - { - "VulnerabilityID": "CVE-2014-3635", - "PkgName": "dbus-libs", - "InstalledVersion": "1:1.10.24-13.el7_6", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "dbus: heap-based buffer overflow flaw in file descriptor passing", - "Description": "Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.", - "Severity": "MEDIUM", - "References": [ - "http://advisories.mageia.org/MGASA-2014-0395.html", - "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", - "http://secunia.com/advisories/61378", - "http://www.debian.org/security/2014/dsa-3026", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:176", - "http://www.openwall.com/lists/oss-security/2014/09/16/9", - "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", - "http://www.securitytracker.com/id/1030864", - "http://www.ubuntu.com/usn/USN-2352-1", - "https://bugs.freedesktop.org/show_bug.cgi?id=83622" - ] - }, { "VulnerabilityID": "CVE-2014-3477", "PkgName": "dbus-libs", 
@@ -3552,9 +3627,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service flaw in dbus-daemon", "Description": "The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0266.html", "http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8\u0026id=24c590703ca47eb71ddef453de43126b90954567", @@ -3578,9 +3654,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in file descriptor passing feature", "Description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0294.html", "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", 
@@ -3602,9 +3679,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service when forwarding invalid file descriptors", "Description": "dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://advisories.mageia.org/MGASA-2014-0294.html", "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", 
@@ -3620,6 +3698,30 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533" ] }, + { + "VulnerabilityID": "CVE-2014-3635", + "PkgName": "dbus-libs", + "InstalledVersion": "1:1.10.24-13.el7_6", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "dbus: heap-based buffer overflow flaw in file descriptor passing", + "Description": "Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure.", + "Severity": "MEDIUM", + "References": [ + "http://advisories.mageia.org/MGASA-2014-0395.html", + "http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html", + "http://secunia.com/advisories/61378", + "http://www.debian.org/security/2014/dsa-3026", + "http://www.mandriva.com/security/advisories?name=MDVSA-2015:176", + "http://www.openwall.com/lists/oss-security/2014/09/16/9", + "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", + "http://www.securitytracker.com/id/1030864", + "http://www.ubuntu.com/usn/USN-2352-1", + "https://bugs.freedesktop.org/show_bug.cgi?id=83622" + ] + }, { "VulnerabilityID": "CVE-2014-3636", "PkgName": "dbus-libs", 
@@ -3627,6 +3729,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service by queuing or splitting file descriptors", "Description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call.", "Severity": "LOW", @@ -3650,6 +3753,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service by creating unkillable D-Bus connections", "Description": "D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor.", "Severity": "LOW", @@ -3675,6 +3779,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in method call handling", "Description": "The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls.", "Severity": "LOW", 
@@ -3700,6 +3805,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service flaw in incomplete connection handling", "Description": "The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections.", "Severity": "LOW", @@ -3725,6 +3831,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dbus: denial of service in dbus systemd activation", "Description": "D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds.", "Severity": "LOW", 
@@ -3738,26 +3845,35 @@ ] }, { - "VulnerabilityID": "CVE-2019-12749", - "PkgName": "dbus-libs", - "InstalledVersion": "1:1.10.24-13.el7_6", + "VulnerabilityID": "CVE-2020-8991", + "PkgName": "device-mapper", + "InstalledVersion": "7:1.02.158-2.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass", - "Description": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.", + "SeveritySource": "redhat", + "Title": "lvm2: memory leak in vg_lookup in daemons/lvmetad/lvmetad-core.c", + "Description": "** DISPUTED ** vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages memory, leading to an lvmetad memory leak, as demonstrated by running pvs. 
NOTE: RedHat disputes CVE-2020-8991 as not being a vulnerability since there’s no apparent route to either privilege escalation or to denial of service through the bug.", "Severity": "LOW", "References": [ - "http://www.openwall.com/lists/oss-security/2019/06/11/2", - "http://www.securityfocus.com/bid/108751", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00005.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/", - "https://seclists.org/bugtraq/2019/Jun/16", - "https://usn.ubuntu.com/4015-1/", - "https://usn.ubuntu.com/4015-2/", - "https://www.debian.org/security/2019/dsa-4462", - "https://www.openwall.com/lists/oss-security/2019/06/11/2" + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8991", + "https://sourceware.org/git/?p=lvm2.git;a=commit;h=bcf9556b8fcd16ad8997f80cc92785f295c66701" + ] + }, + { + "VulnerabilityID": "CVE-2020-8991", + "PkgName": "device-mapper-libs", + "InstalledVersion": "7:1.02.158-2.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "lvm2: memory leak in vg_lookup in daemons/lvmetad/lvmetad-core.c", + "Description": "** DISPUTED ** vg_lookup in daemons/lvmetad/lvmetad-core.c in LVM2 2.02 mismanages memory, leading to an lvmetad memory leak, as demonstrated by running pvs. NOTE: RedHat disputes CVE-2020-8991 as not being a vulnerability since there’s no apparent route to either privilege escalation or to denial of service through the bug.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8991", + "https://sourceware.org/git/?p=lvm2.git;a=commit;h=bcf9556b8fcd16ad8997f80cc92785f295c66701" ] }, { 
@@ -3767,9 +3883,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "dracut: Brute force attack on LUKS password decryption via initramfs", "Description": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html", "http://www.openwall.com/lists/oss-security/2016/11/14/13", @@ -3789,9 +3906,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in allocate_elf", "Description": "The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/2", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h/", 
@@ -3808,9 +3926,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)", "Description": "The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/1", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c/", @@ -3828,9 +3947,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the handle_gnu_hash function", "Description": "The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98608", 
@@ -3847,9 +3967,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the ebl_object_note_type_name function", "Description": "The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98609", @@ -3867,9 +3988,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in elf_compress.c", "Description": "elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609", @@ -3884,9 +4006,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_group function", "Description": "The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c", 
@@ -3903,9 +4026,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_symtab_shndx function", "Description": "The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c", @@ -3922,9 +4046,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_sysv_hash function", "Description": "The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_sysv_hash-elflint-c", 
@@ -3941,9 +4066,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: elflint.c does not validate the number of sections and segments", "Description": "elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-xcalloc-xmalloc-c", @@ -3960,9 +4086,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in allocate_elf", "Description": "The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/2", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h/", 
@@ -3979,9 +4106,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)", "Description": "The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/1", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c/", @@ -3999,9 +4127,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the handle_gnu_hash function", "Description": "The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98608", 
@@ -4018,9 +4147,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the ebl_object_note_type_name function", "Description": "The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98609", @@ -4038,9 +4168,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in elf_compress.c", "Description": "elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609", @@ -4055,9 +4186,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_group function", "Description": "The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c", 
@@ -4074,9 +4206,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_symtab_shndx function", "Description": "The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c", @@ -4093,9 +4226,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_sysv_hash function", "Description": "The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_sysv_hash-elflint-c", 
@@ -4112,9 +4246,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: elflint.c does not validate the number of sections and segments", "Description": "elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-xcalloc-xmalloc-c", @@ -4131,9 +4266,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in allocate_elf", "Description": "The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/2", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h/", 
@@ -4150,9 +4286,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)", "Description": "The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/03/22/1", "https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c/", @@ -4170,9 +4307,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the handle_gnu_hash function", "Description": "The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98608", 
@@ -4189,9 +4327,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the ebl_object_note_type_name function", "Description": "The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "http://www.securityfocus.com/bid/98609", @@ -4209,9 +4348,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Memory allocation failure in elf_compress.c", "Description": "elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7609", @@ -4226,9 +4366,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_group function", "Description": "The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c", 
@@ -4245,9 +4386,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_symtab_shndx function", "Description": "The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c", @@ -4264,9 +4406,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: Heap-buffer overflow in the check_sysv_hash function", "Description": "The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_sysv_hash-elflint-c", 
@@ -4283,9 +4426,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "elfutils: elflint.c does not validate the number of sections and segments", "Description": "elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html", "https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-xcalloc-xmalloc-c", 
@@ -4295,6 +4439,61 @@ "https://usn.ubuntu.com/3670-1/" ] }, + { + "VulnerabilityID": "CVE-2012-6702", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "expat: Using XML_Parse before rand() results into non-random output", + "Description": "Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2016/dsa-3597", + "http://www.openwall.com/lists/oss-security/2016/06/03/8", + "http://www.openwall.com/lists/oss-security/2016/06/04/1", + "http://www.securityfocus.com/bid/91483", + "http://www.ubuntu.com/usn/USN-3010-1", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702", + "https://security.gentoo.org/glsa/201701-21", + "https://source.android.com/security/bulletin/2016-11-01.html", + "https://www.tenable.com/security/tns-2016-20" + ] + }, + { + "VulnerabilityID": "CVE-2013-0340", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "expat: internal entity expansion", + "Description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. 
NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", + "Severity": "MEDIUM", + "References": [ + "http://openwall.com/lists/oss-security/2013/02/22/3", + "http://securitytracker.com/id?1028213", + "http://www.openwall.com/lists/oss-security/2013/04/12/6", + "http://www.osvdb.org/90634", + "http://www.securityfocus.com/bid/58233", + "https://security.gentoo.org/glsa/201701-21" + ] + }, + { + "VulnerabilityID": "CVE-2013-0341", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "expat: external entity expansion", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "MEDIUM" + }, { "VulnerabilityID": "CVE-2015-2716", "PkgName": "expat", 
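Review bot: The new expected output pins a rejected CVE as a reported finding: the CVE-2013-0341 entry's Description begins `** REJECT ** DO NOT USE THIS CANDIDATE NUMBER` and states the candidate was withdrawn as not a security issue, yet it carries `"Severity": "MEDIUM"`, a Title of `expat: external entity expansion` that contradicts the rejection, and no References array at all. Regenerating the fixture with this entry means a false positive in the scan report is now asserted as correct behaviour by the integration test. The entry also appears on the removed side of the deletion hunk further down, so it is pre-existing rather than introduced here, and the withdrawal text is presumably carried through from the trivy-db feed, so any filtering of REJECT entries would belong in the scanner or DB rather than in this fixture. It is still worth raising before the expected output is accepted, since nothing in the fixture distinguishes this record from a real finding.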
@@ -4302,10 +4501,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "Mozilla: Buffer overflow when parsing compressed XML (MFSA 2015-54)", + "SeveritySource": "redhat", + "Title": "expat: Integer overflow leading to buffer overflow in XML_GetBuffer()", "Description": "Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-2716.html", + "http://linux.oracle.com/errata/ELSA-2015-1012.html", "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html", "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00054.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00000.html", 
@@ -4328,6 +4530,27 @@ "https://www.tenable.com/security/tns-2016-20" ] }, + { + "VulnerabilityID": "CVE-2016-4472", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "expat: Undefined behavior and pointer overflows", + "Description": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/91528", + "http://www.ubuntu.com/usn/USN-3013-1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1344251", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472", + "https://security.gentoo.org/glsa/201701-21", + "https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde", + "https://www.tenable.com/security/tns-2016-20" + ] + }, { "VulnerabilityID": "CVE-2016-5300", "PkgName": "expat", @@ -4335,9 +4558,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "expat: Little entropy used for hash initialization", "Description": "The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.debian.org/security/2016/dsa-3597", "http://www.openwall.com/lists/oss-security/2016/06/04/4", 
@@ -4352,99 +4576,6 @@ "https://www.tenable.com/security/tns-2016-20" ] }, - { - "VulnerabilityID": "CVE-2016-9063", - "PkgName": "expat", - "InstalledVersion": "2.1.0-10.el7_3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "firefox: Possible integer overflow to fix inside XML_Parse in Expat", - "Description": "An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox \u003c 50.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/94337", - "http://www.securitytracker.com/id/1037298", - "http://www.securitytracker.com/id/1039427", - "https://bugzilla.mozilla.org/show_bug.cgi?id=1274777", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063", - "https://www.debian.org/security/2017/dsa-3898", - "https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/#CVE-2016-9063", - "https://www.mozilla.org/security/advisories/mfsa2016-89/" - ] - }, - { - "VulnerabilityID": "CVE-2012-6702", - "PkgName": "expat", - "InstalledVersion": "2.1.0-10.el7_3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "expat: Using XML_Parse before rand() results into non-random output", - "Description": "Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2016/dsa-3597", - "http://www.openwall.com/lists/oss-security/2016/06/03/8", - "http://www.openwall.com/lists/oss-security/2016/06/04/1", - "http://www.securityfocus.com/bid/91483", - "http://www.ubuntu.com/usn/USN-3010-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702", - "https://security.gentoo.org/glsa/201701-21", - 
"https://source.android.com/security/bulletin/2016-11-01.html", - "https://www.tenable.com/security/tns-2016-20" - ] - }, - { - "VulnerabilityID": "CVE-2013-0340", - "PkgName": "expat", - "InstalledVersion": "2.1.0-10.el7_3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "expat: internal entity expansion", - "Description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", - "Severity": "MEDIUM", - "References": [ - "http://openwall.com/lists/oss-security/2013/02/22/3", - "http://securitytracker.com/id?1028213", - "http://www.openwall.com/lists/oss-security/2013/04/12/6", - "http://www.osvdb.org/90634", - "http://www.securityfocus.com/bid/58233", - "https://security.gentoo.org/glsa/201701-21" - ] - }, - { - "VulnerabilityID": "CVE-2013-0341", - "PkgName": "expat", - "InstalledVersion": "2.1.0-10.el7_3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "expat: external entity expansion", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. 
Notes: none.", - "Severity": "MEDIUM" - }, - { - "VulnerabilityID": "CVE-2016-4472", - "PkgName": "expat", - "InstalledVersion": "2.1.0-10.el7_3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "expat: Undefined behavior and pointer overflows", - "Description": "The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/91528", - "http://www.ubuntu.com/usn/USN-3013-1", - "https://bugzilla.redhat.com/show_bug.cgi?id=1344251", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472", - "https://security.gentoo.org/glsa/201701-21", - "https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde", - "https://www.tenable.com/security/tns-2016-20" - ] - }, { "VulnerabilityID": "CVE-2017-9233", "PkgName": "expat", @@ -4452,6 +4583,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "expat: Inifinite loop due to invalid XML in external entity", "Description": "XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.", "Severity": "MEDIUM", 
@@ -4470,6 +4602,55 @@ "https://support.f5.com/csp/article/K03244804" ] }, + { + "VulnerabilityID": "CVE-2018-20843", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS", + "Description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).", + "Severity": "MEDIUM", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843", + "https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes", + "https://github.com/libexpat/libexpat/issues/186", + "https://github.com/libexpat/libexpat/pull/262", + "https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html", + "https://seclists.org/bugtraq/2019/Jun/39", + "https://security.netapp.com/advisory/ntap-20190703-0001/", + "https://usn.ubuntu.com/4040-1/", + "https://usn.ubuntu.com/4040-2/", + "https://www.debian.org/security/2019/dsa-4472" + ] + }, + { + "VulnerabilityID": "CVE-2016-9063", + "PkgName": "expat", + "InstalledVersion": "2.1.0-10.el7_3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "firefox: Possible integer overflow to fix inside XML_Parse in Expat", + "Description": "An integer overflow during the parsing of XML using the Expat library. 
This vulnerability affects Firefox \u003c 50.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/94337", + "http://www.securitytracker.com/id/1037298", + "http://www.securitytracker.com/id/1039427", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1274777", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9063", + "https://www.debian.org/security/2017/dsa-3898", + "https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/#CVE-2016-9063", + "https://www.mozilla.org/security/advisories/mfsa2016-89/" + ] + }, { "VulnerabilityID": "CVE-2019-15903", "PkgName": "expat", @@ -4477,10 +4658,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "expat: heap-based buffer over-read via crafted XML input", "Description": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2019-15903.html", + "http://linux.oracle.com/errata/ELSA-2019-3237.html", "http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903", "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43", 
@@ -4492,6 +4676,34 @@ "https://usn.ubuntu.com/4132-2/" ] }, + { + "VulnerabilityID": "CVE-2014-9620", + "PkgName": "file-libs", + "InstalledVersion": "5.11-35.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "file: limit the number of ELF notes processed", + "Description": "The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.", + "Severity": "LOW", + "References": [ + "http://advisories.mageia.org/MGASA-2015-0040.html", + "http://linux.oracle.com/cve/CVE-2014-9620.html", + "http://linux.oracle.com/errata/ELSA-2016-0760.html", + "http://mx.gw.com/pipermail/file/2014/001653.html", + "http://mx.gw.com/pipermail/file/2015/001660.html", + "http://rhn.redhat.com/errata/RHSA-2016-0760.html", + "http://www.debian.org/security/2015/dsa-3121", + "http://www.openwall.com/lists/oss-security/2015/01/17/9", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/71715", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620", + "https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4", + "https://security.gentoo.org/glsa/201503-08", + "https://usn.ubuntu.com/3686-1/" + ] + }, { "VulnerabilityID": "CVE-2015-8865", "PkgName": "file-libs", 
@@ -4499,9 +4711,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "file: Buffer over-write in finfo_open with malformed magic file", "Description": "The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://bugs.gw.com/view.php?id=522", "http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e", 
@@ -4526,31 +4739,6 @@ "https://usn.ubuntu.com/3686-2/" ] }, - { - "VulnerabilityID": "CVE-2014-9620", - "PkgName": "file-libs", - "InstalledVersion": "5.11-35.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "file: limit the number of ELF notes processed", - "Description": "The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.", - "Severity": "MEDIUM", - "References": [ - "http://advisories.mageia.org/MGASA-2015-0040.html", - "http://mx.gw.com/pipermail/file/2014/001653.html", - "http://mx.gw.com/pipermail/file/2015/001660.html", - "http://rhn.redhat.com/errata/RHSA-2016-0760.html", - "http://www.debian.org/security/2015/dsa-3121", - "http://www.openwall.com/lists/oss-security/2015/01/17/9", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/71715", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620", - "https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4", - "https://security.gentoo.org/glsa/201503-08", - "https://usn.ubuntu.com/3686-1/" - ] - }, { "VulnerabilityID": "CVE-2018-10360", "PkgName": "file-libs", @@ -4558,9 +4746,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "file: out-of-bounds read via a crafted ELF file", "Description": "The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00027.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00053.html", 
@@ -4571,6 +4760,24 @@ "https://usn.ubuntu.com/3686-2/" ] }, + { + "VulnerabilityID": "CVE-2019-1010180", + "PkgName": "gdb-gdbserver", + "InstalledVersion": "7.6.1-115.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "gdb: buffer overflow while opening an ELF for debugging leads to Dos, information dislosure and code execution", + "Description": "GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html", + "http://www.securityfocus.com/bid/109367", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23657" + ] + }, { "VulnerabilityID": "CVE-2016-2226", "PkgName": "gdb-gdbserver", @@ -4578,9 +4785,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Exploitable buffer overflow", "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90103", 
@@ -4596,9 +4804,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array btypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", @@ -4613,9 +4822,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", @@ -4630,9 +4840,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to integer overflow", "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90017", 
@@ -4647,9 +4858,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Write access violation", "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90019", @@ -4664,9 +4876,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90016", @@ -4682,9 +4895,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", 
@@ -4700,9 +4914,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", @@ -4711,25 +4926,6 @@ "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" ] }, - { - "VulnerabilityID": "CVE-2016-6131", - "PkgName": "gdb-gdbserver", - "InstalledVersion": "7.6.1-115.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler", - "Description": "The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/06/30/4", - "http://www.openwall.com/lists/oss-security/2016/06/30/7", - "http://www.securityfocus.com/bid/91519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696", - "https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html" - ] - }, { "VulnerabilityID": "CVE-2017-9778", "PkgName": "gdb-gdbserver", 
@@ -4737,25 +4933,15 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gdb: Malformed section in an ELF binary or a core file can cause memory exhaustion", "Description": "GNU Debugger (GDB) 8.0 and earlier fails to detect a negative length field in a DWARF section. A malformed section in an ELF binary or a core file can cause GDB to repeatedly allocate memory until a process limit is reached. This can, for example, impede efforts to analyze malware with GDB.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/99244", "https://sourceware.org/bugzilla/show_bug.cgi?id=21600" ] }, - { - "VulnerabilityID": "CVE-2018-14038", - "PkgName": "gdb-gdbserver", - "InstalledVersion": "7.6.1-115.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libbfd: remote dos via crafted file in function aout_32_swap_std_reloc_out in aoutx.h", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-7642. Reason: This candidate is a reservation duplicate of CVE-2018-7642. Notes: All CVE users should reference CVE-2018-7642 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.", - "Severity": "MEDIUM" - }, { "VulnerabilityID": "CVE-2018-20657", "PkgName": "gdb-gdbserver", 
@@ -4763,56 +4949,76 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20657.html", + "http://linux.oracle.com/errata/ELSA-2019-3352.html", "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", "https://support.f5.com/csp/article/K62602089" ] }, { - "VulnerabilityID": "CVE-2019-1010180", - "PkgName": "gdb-gdbserver", - "InstalledVersion": "7.6.1-115.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gdb: buffer overflow while opening an ELF for debugging leads to Dos, information dislosure and code execution", - "Description": "GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. 
The fixed version is: Not fixed yet.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/109367", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23657" - ] - }, - { - "VulnerabilityID": "CVE-2015-8391", + "VulnerabilityID": "CVE-2015-8385", "PkgName": "glib2", "InstalledVersion": "2.56.1-5.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "pcre: inefficient posix character class syntax check (8.38/16)", - "Description": "The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "CRITICAL", + "SeveritySource": "redhat", + "Title": "pcre: buffer overflow caused by named forward reference to duplicate group number (8.38/30)", + "Description": "PCRE before 8.38 mishandles the /(?|(\\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "HIGH", "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://linux.oracle.com/cve/CVE-2015-8385.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", "http://www.openwall.com/lists/oss-security/2015/11/29/1", "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - 
"http://www.securityfocus.com/bid/82990", + "http://www.securityfocus.com/bid/85572", "https://access.redhat.com/errata/RHSA-2016:1132", "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8391", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8385", "https://security.gentoo.org/glsa/201607-02" ] }, + { + "VulnerabilityID": "CVE-2016-3191", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)", + "Description": "The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-3191.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://vcs.pcre.org/pcre2?view=revision\u0026revision=489", + "http://vcs.pcre.org/pcre?view=revision\u0026revision=1631", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/84810", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://bugs.debian.org/815920", + "https://bugs.debian.org/815921", + 
"https://bugs.exim.org/show_bug.cgi?id=1791", + "https://bugzilla.redhat.com/show_bug.cgi?id=1311503", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191", + "https://www.tenable.com/security/tns-2016-18" + ] + }, { "VulnerabilityID": "CVE-2015-2327", "PkgName": "glib2", @@ -4820,9 +5026,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: infinite recursion compiling pattern with zero-repeated groups that include recursive back reference (8.36/19)", "Description": "PCRE before 8.36 mishandles the /(((a\\2)|(a*)\\g\u003c-1\u003e))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -4841,10 +5048,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20)", "Description": "PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-2328.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -4858,225 +5068,6 @@ "https://jira.mongodb.org/browse/SERVER-17252" ] }, - { - "VulnerabilityID": "CVE-2015-8385", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "pcre: buffer overflow caused by named forward reference to duplicate group number (8.38/30)", - "Description": "PCRE before 8.38 mishandles the /(?|(\\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/85572", - "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8385", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8386", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "pcre: Buffer overflow caused by lookbehind assertion (8.38/6)", - "Description": "PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular 
expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/82990", - "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8386", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8387", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "pcre: Integer overflow in subroutine calls (8.38/8)", - "Description": "PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8387", - 
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8388", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)", - "Description": "PCRE before 8.38 mishandles the /(?=di(?\u003c=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://rhn.redhat.com/errata/RHSA-2016-2750.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/85576", - "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8388", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8390", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "pcre: uninitialized memory read triggered by malformed posix character class (8.38/22)", - "Description": "PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows 
remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8390", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2015-8394", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", - "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - 
{ - "VulnerabilityID": "CVE-2016-3191", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)", - "Description": "The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.", - "Severity": "HIGH", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-1025.html", - "http://vcs.pcre.org/pcre2?view=revision\u0026revision=489", - "http://vcs.pcre.org/pcre?view=revision\u0026revision=1631", - "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", - "http://www.securityfocus.com/bid/84810", - "https://access.redhat.com/errata/RHSA-2016:1132", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://bugs.debian.org/815920", - "https://bugs.debian.org/815921", - "https://bugs.exim.org/show_bug.cgi?id=1791", - "https://bugzilla.redhat.com/show_bug.cgi?id=1311503", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191", - "https://www.tenable.com/security/tns-2016-18" - ] - }, - { - "VulnerabilityID": "CVE-2017-11164", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", - "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion 
(uncontrolled recursion) when processing a crafted regular expression.", - "Severity": "HIGH", - "References": [ - "http://openwall.com/lists/oss-security/2017/07/11/3", - "http://www.securityfocus.com/bid/99575" - ] - }, - { - "VulnerabilityID": "CVE-2018-16428", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glib2: NULL pointer dereference in g_markup_parse_context_end_parse() function in gmarkup.c", - "Description": "In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/105210", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16428", - "https://gitlab.gnome.org/GNOME/glib/commit/fccef3cc822af74699cca84cd202719ae61ca3b9", - "https://gitlab.gnome.org/GNOME/glib/issues/1364", - "https://lists.debian.org/debian-lts-announce/2019/07/msg00029.html", - "https://usn.ubuntu.com/3767-1/", - "https://usn.ubuntu.com/3767-2/" - ] - }, - { - "VulnerabilityID": "CVE-2019-12450", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress", - "Description": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. 
Instead, default permissions are used.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450", - "https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174", - "https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/", - "https://security.netapp.com/advisory/ntap-20190606-0003/", - "https://usn.ubuntu.com/4014-1/", - "https://usn.ubuntu.com/4014-2/" - ] - }, { "VulnerabilityID": "CVE-2015-3217", "PkgName": "glib2", @@ -5084,10 +5075,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: stack overflow caused by mishandled group empty match (8.38/11)", "Description": "PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\\\.|([^\\\\\\\\W_])?)+)+$/.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-3217.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre?view=revision\u0026revision=1566", 
@@ -5108,10 +5102,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)", "Description": "Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2015-5073.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-1025.html", "http://rhn.redhat.com/errata/RHSA-2016-2750.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?revision=1609\u0026view=markup", 
@@ -5128,6 +5125,212 @@ "https://security.gentoo.org/glsa/201607-02" ] }, + { + "VulnerabilityID": "CVE-2015-8387", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "pcre: Integer overflow in subroutine calls (8.38/8)", + "Description": "PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8387", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8388", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)", + "Description": "PCRE before 8.38 mishandles the /(?=di(?\u003c=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript 
RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2015-8388.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-2750.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/85576", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8388", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8390", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "pcre: uninitialized memory read triggered by malformed posix character class (8.38/22)", + "Description": "PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8390", + 
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8391", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "pcre: inefficient posix character class syntax check (8.38/16)", + "Description": "The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2015-8391.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-2750.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/82990", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8391", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2015-8394", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + 
"SeveritySource": "redhat", + "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", + "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2019-12450", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress", + "Description": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. 
Instead, default permissions are used.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-12450.html", + "http://linux.oracle.com/errata/ELSA-2019-3530.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450", + "https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/", + "https://security.netapp.com/advisory/ntap-20190606-0003/", + "https://usn.ubuntu.com/4014-1/", + "https://usn.ubuntu.com/4014-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-9633", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glib: g_socket_client_connected_callback in gio/gsocketclient.c allows to cause denial of service", + "Description": "gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/107391", + "https://gitlab.gnome.org/GNOME/glib/issues/1649" + ] + }, + { + "VulnerabilityID": "CVE-2015-8386", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "pcre: Buffer overflow caused by lookbehind assertion (8.38/6)", + "Description": "PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, 
which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2015-8386.html", + "http://linux.oracle.com/errata/ELSA-2016-1025.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://rhn.redhat.com/errata/RHSA-2016-1025.html", + "http://rhn.redhat.com/errata/RHSA-2016-2750.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", + "http://www.securityfocus.com/bid/82990", + "https://access.redhat.com/errata/RHSA-2016:1132", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8386", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, + { + "VulnerabilityID": "CVE-2017-11164", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", + "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2017/07/11/3", + "http://www.securityfocus.com/bid/99575" + ] + }, { "VulnerabilityID": "CVE-2017-7244", "PkgName": "glib2", 
@@ -5135,9 +5338,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)", "Description": "The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -5153,9 +5357,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -5170,9 +5375,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -5180,6 +5386,27 @@ "https://security.gentoo.org/glsa/201710-25" ] }, + { + "VulnerabilityID": "CVE-2018-16428", + "PkgName": "glib2", + "InstalledVersion": "2.56.1-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glib2: NULL pointer dereference in g_markup_parse_context_end_parse() function in gmarkup.c", + "Description": "In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/105210", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16428", + "https://gitlab.gnome.org/GNOME/glib/commit/fccef3cc822af74699cca84cd202719ae61ca3b9", + "https://gitlab.gnome.org/GNOME/glib/issues/1364", + "https://lists.debian.org/debian-lts-announce/2019/07/msg00029.html", + "https://usn.ubuntu.com/3767-1/", + "https://usn.ubuntu.com/3767-2/" + ] + }, { "VulnerabilityID": "CVE-2018-16429", "PkgName": "glib2", @@ -5187,9 +5414,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "glib2: Out-of-bounds read in g_markup_parse_context_parse() in gmarkup.c", "Description": "GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16429", "https://gitlab.gnome.org/GNOME/glib/commit/cec71705406f0b2790422f0c1aa0ff3b4b464b1b", 
@@ -5206,9 +5434,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "glib2: insecure permissions for files and directories", "Description": "The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb-\u003edir, NULL, NULL) and files using g_file_replace_contents (kfsb-\u003efile, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00022.html", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931234#12", 
@@ -5224,51 +5453,501 @@ ] }, { - "VulnerabilityID": "CVE-2019-9633", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", + "VulnerabilityID": "CVE-2009-5155", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "glib: g_socket_client_connected_callback in gio/gsocketclient.c allows to cause denial of service", - "Description": "gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent GTask remains alive during the execution of a connection-attempting enumeration, which allows remote attackers to cause a denial of service (g_socket_client_connected_callback mishandling and application crash) via a crafted web site, as demonstrated by GNOME Web (aka Epiphany).", + "SeveritySource": "redhat", + "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", + "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", "Severity": "MEDIUM", "References": [ - "http://www.securityfocus.com/bid/107391", - "https://gitlab.gnome.org/GNOME/glib/issues/1649" + "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=11053", + "https://sourceware.org/bugzilla/show_bug.cgi?id=18986", + 
"https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672", + "https://support.f5.com/csp/article/K64119434" ] }, { - "VulnerabilityID": "CVE-2017-16231", - "PkgName": "glib2", - "InstalledVersion": "2.56.1-5.el7", + "VulnerabilityID": "CVE-2015-8983", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", - "Description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", + "SeveritySource": "redhat", + "Title": "glibc: _IO_wstr_overflow integer overflow", + "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.", + "Severity": "MEDIUM", + "References": [ + "http://www.openwall.com/lists/oss-security/2017/02/14/9", + "http://www.securityfocus.com/bid/72740", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17269", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33", + "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" + ] + }, + { + "VulnerabilityID": "CVE-2016-1234", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": 
"redhat", + "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory", + "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html", + "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", + "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", + "http://www.openwall.com/lists/oss-security/2016/03/07/16", + "http://www.securityfocus.com/bid/84204", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234", + "https://security.gentoo.org/glsa/201702-11", + "https://sourceware.org/bugzilla/show_bug.cgi?id=19779", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea" + ] + }, + { + "VulnerabilityID": "CVE-2017-8804", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: memory leak in sunrpc when decoding malformed XDR", + "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.", + "Severity": "MEDIUM", + "References": [ + "http://www.openwall.com/lists/oss-security/2017/05/05/2", + "http://www.securityfocus.com/bid/98339", + "https://bugzilla.suse.com/show_bug.cgi?id=1037559#c7", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21461", + 
"https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", + "Severity": "MEDIUM", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" + ] + }, + { + "VulnerabilityID": "CVE-2019-9169", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", + "https://support.f5.com/csp/article/K54823184" + ] + }, + { + "VulnerabilityID": "CVE-2020-10029", + "PkgName": 
"glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", + "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25487", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f" + ] + }, + { + "VulnerabilityID": "CVE-2020-1752", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: use-after-free in glob() function when expanding ~user", + "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. 
A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.", + "Severity": "MEDIUM" + }, + { + "VulnerabilityID": "CVE-2014-4043", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: posix_spawn_file_actions_addopen fails to copy the path argument", + "Description": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.", "Severity": "LOW", "References": [ - "http://packetstormsecurity.com/files/150897/PCRE-8.41-Buffer-Overflow.html", - "http://seclists.org/fulldisclosure/2018/Dec/33", - "http://www.openwall.com/lists/oss-security/2017/11/01/11", - "http://www.openwall.com/lists/oss-security/2017/11/01/3", - "http://www.openwall.com/lists/oss-security/2017/11/01/7", - "http://www.openwall.com/lists/oss-security/2017/11/01/8", - "http://www.securityfocus.com/bid/101688", - "https://bugs.exim.org/show_bug.cgi?id=2047" + "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.html", + "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", + "http://seclists.org/fulldisclosure/2019/Jun/18", + "http://www.mandriva.com/security/advisories?name=MDVSA-2014:152", + "http://www.securityfocus.com/bid/68006", + "https://bugzilla.redhat.com/show_bug.cgi?id=1109263", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/93784", + "https://seclists.org/bugtraq/2019/Jun/14", + "https://security.gentoo.org/glsa/201503-04", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17048", + 
"https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=ChangeLog;h=3020b9ac232315df362521aeaf85f21cb9926db8;hp=d86e73963dd9fb5e21b1a28326630337226812aa;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=posix/spawn_faction_addopen.c;h=40800b8e6e81341501c0fb8a91009529e2048dec;hp=47f62425b696a4fdd511b2a057746322eb6518db;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89e435f3559c53084498e9baad22172b64429362" ] }, { - "VulnerabilityID": "CVE-2014-4043", + "VulnerabilityID": "CVE-2015-8982", "PkgName": "glibc", "InstalledVersion": "2.17-292.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", + "Title": "glibc: multiple overflows in strxfrm()", + "Description": "Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2015/02/13/3", + "http://www.openwall.com/lists/oss-security/2017/02/14/9", + "http://www.securityfocus.com/bid/72602", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8982", + "https://sourceware.org/bugzilla/show_bug.cgi?id=16009", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed" + ] + }, + { + "VulnerabilityID": "CVE-2015-8984", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: potential denial of service in internal_fnmatch()", + "Description": "The fnmatch function in the GNU C 
Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2015/02/26/5", + "http://www.openwall.com/lists/oss-security/2017/02/14/9", + "http://www.securityfocus.com/bid/72789", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8984", + "https://sourceware.org/bugzilla/show_bug.cgi?id=18032", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185", + "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" + ] + }, + { + "VulnerabilityID": "CVE-2015-8985", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: potential denial of service in pop_fail_stack()", + "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2017/02/14/9", + "http://www.securityfocus.com/bid/76916", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8985", + "https://security.gentoo.org/glsa/201908-06" + ] + }, + { + "VulnerabilityID": "CVE-2016-10228", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: iconv program can hang when invoked with the -c option", + "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, 
when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2017/03/01/10", + "http://www.securityfocus.com/bid/96525", + "https://sourceware.org/bugzilla/show_bug.cgi?id=19519" + ] + }, + { + "VulnerabilityID": "CVE-2016-4429", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()", + "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", + "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", + "http://www-01.ibm.com/support/docview.wss?uid=swg21995039", + "http://www.securityfocus.com/bid/102073", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429", + "https://source.android.com/security/bulletin/2017-12-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20112", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c", + "https://usn.ubuntu.com/3759-1/", + "https://usn.ubuntu.com/3759-2/" + ] + }, + { + "VulnerabilityID": "CVE-2017-15671", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: Memory leak in glob with GLOB_TILDE", + "Description": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when 
invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/101517", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22325" + ] + }, + { + "VulnerabilityID": "CVE-2019-1010023", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", + "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. 
ldd execute code.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/109167", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", + "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2019-19126", + "PkgName": "glibc", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", + "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", + "Severity": "LOW", + "References": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25204" + ] + }, + { + "VulnerabilityID": "CVE-2009-5155", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", + "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", + "Severity": "MEDIUM", + "References": [ + "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", + 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=11053", + "https://sourceware.org/bugzilla/show_bug.cgi?id=18986", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672", + "https://support.f5.com/csp/article/K64119434" + ] + }, + { + "VulnerabilityID": "CVE-2015-8983", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: _IO_wstr_overflow integer overflow", + "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.", + "Severity": "MEDIUM", + "References": [ + "http://www.openwall.com/lists/oss-security/2017/02/14/9", + "http://www.securityfocus.com/bid/72740", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983", + "https://sourceware.org/bugzilla/show_bug.cgi?id=17269", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33", + "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" + ] + }, + { + "VulnerabilityID": "CVE-2016-1234", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and 
crafted directory", + "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html", + "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", + "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", + "http://www.openwall.com/lists/oss-security/2016/03/07/16", + "http://www.securityfocus.com/bid/84204", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234", + "https://security.gentoo.org/glsa/201702-11", + "https://sourceware.org/bugzilla/show_bug.cgi?id=19779", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea" + ] + }, + { + "VulnerabilityID": "CVE-2017-8804", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: memory leak in sunrpc when decoding malformed XDR", + "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.", + "Severity": "MEDIUM", + "References": [ + "http://www.openwall.com/lists/oss-security/2017/05/05/2", + "http://www.securityfocus.com/bid/98339", + "https://bugzilla.suse.com/show_bug.cgi?id=1037559#c7", + "https://sourceware.org/bugzilla/show_bug.cgi?id=21461", + "https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-1010022", + "PkgName": 
"glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: stack guard protection bypass", + "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", + "Severity": "MEDIUM", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" + ] + }, + { + "VulnerabilityID": "CVE-2019-9169", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", + "https://support.f5.com/csp/article/K54823184" + ] + }, + { + "VulnerabilityID": "CVE-2020-10029", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": 
"sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", + "Description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00033.html", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25487", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f" + ] + }, + { + "VulnerabilityID": "CVE-2020-1752", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: use-after-free in glob() function when expanding ~user", + "Description": "A use-after-free vulnerability was found in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. 
A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution.", + "Severity": "MEDIUM" + }, + { + "VulnerabilityID": "CVE-2014-4043", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", "Title": "glibc: posix_spawn_file_actions_addopen fails to copy the path argument", "Description": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.html", "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", 
@@ -5286,116 +5965,17 @@
 "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89e435f3559c53084498e9baad22172b64429362"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-4429",
- "PkgName": "glibc",
- "InstalledVersion": "2.17-292.el7",
- "Layer": {
- "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
- },
- "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()",
- "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.",
- "Severity": "HIGH",
- "References": [
- "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html",
- "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html",
- "http://www-01.ibm.com/support/docview.wss?uid=swg21995039",
- "http://www.securityfocus.com/bid/102073",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429",
- "https://source.android.com/security/bulletin/2017-12-01",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=20112",
- "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c",
- "https://usn.ubuntu.com/3759-1/",
- "https://usn.ubuntu.com/3759-2/"
- ]
- },
- {
- "VulnerabilityID": "CVE-2017-8804",
- "PkgName": "glibc",
- "InstalledVersion": "2.17-292.el7",
- "Layer": {
- "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
- },
- "Title": "glibc: memory leak in sunrpc when decoding malformed XDR",
- "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.",
- 
"Severity": "HIGH", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/05/05/2", - "http://www.securityfocus.com/bid/98339", - "https://bugzilla.suse.com/show_bug.cgi?id=1037559#c7", - "https://sourceware.org/bugzilla/show_bug.cgi?id=21461", - "https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html" - ] - }, - { - "VulnerabilityID": "CVE-2019-1010022", - "PkgName": "glibc", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: stack guard protection bypass", - "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ] - }, - { - "VulnerabilityID": "CVE-2019-9169", - "PkgName": "glibc", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/107160", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", - 
"https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", - "https://support.f5.com/csp/article/K54823184" - ] - }, - { - "VulnerabilityID": "CVE-2009-5155", - "PkgName": "glibc", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", - "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", - "References": [ - "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=11053", - "https://sourceware.org/bugzilla/show_bug.cgi?id=18986", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672", - "https://support.f5.com/csp/article/K64119434" - ] - }, { "VulnerabilityID": "CVE-2015-8982", - "PkgName": "glibc", + "PkgName": "glibc-common", "InstalledVersion": "2.17-292.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "glibc: multiple overflows in strxfrm()", "Description": "Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service 
(crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2015/02/13/3", "http://www.openwall.com/lists/oss-security/2017/02/14/9", 
@@ -5405,282 +5985,6 @@
 "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed"
 ]
 },
- {
- "VulnerabilityID": "CVE-2015-8983",
- "PkgName": "glibc",
- "InstalledVersion": "2.17-292.el7",
- "Layer": {
- "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
- },
- "Title": "glibc: _IO_wstr_overflow integer overflow",
- "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.openwall.com/lists/oss-security/2017/02/14/9",
- "http://www.securityfocus.com/bid/72740",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983",
- "https://sourceware.org/bugzilla/show_bug.cgi?id=17269",
- "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33",
- "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html"
- ]
- },
- {
- "VulnerabilityID": "CVE-2015-8984",
- "PkgName": "glibc",
- "InstalledVersion": "2.17-292.el7",
- "Layer": {
- "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
- },
- "Title": "glibc: potential denial of service in internal_fnmatch()",
- "Description": "The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.openwall.com/lists/oss-security/2015/02/26/5",
- "http://www.openwall.com/lists/oss-security/2017/02/14/9",
- "http://www.securityfocus.com/bid/72789",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8984",
- 
"https://sourceware.org/bugzilla/show_bug.cgi?id=18032", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185", - "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" - ] - }, - { - "VulnerabilityID": "CVE-2015-8985", - "PkgName": "glibc", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: potential denial of service in pop_fail_stack()", - "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/02/14/9", - "http://www.securityfocus.com/bid/76916", - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779392", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8985", - "https://security.gentoo.org/glsa/201908-06" - ] - }, - { - "VulnerabilityID": "CVE-2016-10228", - "PkgName": "glibc", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: iconv program can hang when invoked with the -c option", - "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", - "References": [ - "http://openwall.com/lists/oss-security/2017/03/01/10", - "http://www.securityfocus.com/bid/96525", - "https://sourceware.org/bugzilla/show_bug.cgi?id=19519" - ] - }, - { - "VulnerabilityID": "CVE-2016-1234", - "PkgName": "glibc", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": 
"sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory", - "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.", - "Severity": "MEDIUM", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html", - "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", - "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", - "http://www.openwall.com/lists/oss-security/2016/03/07/16", - "http://www.securityfocus.com/bid/84204", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234", - "https://security.gentoo.org/glsa/201702-11", - "https://sourceware.org/bugzilla/show_bug.cgi?id=19779", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea" - ] - }, - { - "VulnerabilityID": "CVE-2017-15671", - "PkgName": "glibc", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: Memory leak in glob with GLOB_TILDE", - "Description": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/101517", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22325" - ] - }, - { - "VulnerabilityID": "CVE-2014-4043", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": 
"sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: posix_spawn_file_actions_addopen fails to copy the path argument", - "Description": "The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00012.html", - "http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", - "http://seclists.org/fulldisclosure/2019/Jun/18", - "http://www.mandriva.com/security/advisories?name=MDVSA-2014:152", - "http://www.securityfocus.com/bid/68006", - "https://bugzilla.redhat.com/show_bug.cgi?id=1109263", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/93784", - "https://seclists.org/bugtraq/2019/Jun/14", - "https://security.gentoo.org/glsa/201503-04", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17048", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=ChangeLog;h=3020b9ac232315df362521aeaf85f21cb9926db8;hp=d86e73963dd9fb5e21b1a28326630337226812aa;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blobdiff;f=posix/spawn_faction_addopen.c;h=40800b8e6e81341501c0fb8a91009529e2048dec;hp=47f62425b696a4fdd511b2a057746322eb6518db;hb=89e435f3559c53084498e9baad22172b64429362;hpb=c3a2ebe1f7541cc35937621e08c28ff88afd0845", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89e435f3559c53084498e9baad22172b64429362" - ] - }, - { - "VulnerabilityID": "CVE-2016-4429", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": 
"sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()", - "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", - "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", - "http://www-01.ibm.com/support/docview.wss?uid=swg21995039", - "http://www.securityfocus.com/bid/102073", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429", - "https://source.android.com/security/bulletin/2017-12-01", - "https://sourceware.org/bugzilla/show_bug.cgi?id=20112", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c", - "https://usn.ubuntu.com/3759-1/", - "https://usn.ubuntu.com/3759-2/" - ] - }, - { - "VulnerabilityID": "CVE-2017-8804", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: memory leak in sunrpc when decoding malformed XDR", - "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.", - "Severity": "HIGH", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/05/05/2", - "http://www.securityfocus.com/bid/98339", - "https://bugzilla.suse.com/show_bug.cgi?id=1037559#c7", - 
"https://sourceware.org/bugzilla/show_bug.cgi?id=21461", - "https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html" - ] - }, - { - "VulnerabilityID": "CVE-2019-1010022", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: stack guard protection bypass", - "Description": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.", - "Severity": "HIGH", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ] - }, - { - "VulnerabilityID": "CVE-2019-9169", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/107160", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", - "https://support.f5.com/csp/article/K54823184" - ] - }, - { - "VulnerabilityID": "CVE-2009-5155", - 
"PkgName": "glibc-common", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", - "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", - "References": [ - "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=11053", - "https://sourceware.org/bugzilla/show_bug.cgi?id=18986", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672", - "https://support.f5.com/csp/article/K64119434" - ] - }, - { - "VulnerabilityID": "CVE-2015-8982", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: multiple overflows in strxfrm()", - "Description": "Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2015/02/13/3", - 
"http://www.openwall.com/lists/oss-security/2017/02/14/9", - "http://www.securityfocus.com/bid/72602", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8982", - "https://sourceware.org/bugzilla/show_bug.cgi?id=16009", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed" - ] - }, - { - "VulnerabilityID": "CVE-2015-8983", - "PkgName": "glibc-common", - "InstalledVersion": "2.17-292.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "glibc: _IO_wstr_overflow integer overflow", - "Description": "Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2017/02/14/9", - "http://www.securityfocus.com/bid/72740", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8983", - "https://sourceware.org/bugzilla/show_bug.cgi?id=17269", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33", - "https://www.sourceware.org/ml/libc-alpha/2015-08/msg00609.html" - ] - }, { "VulnerabilityID": "CVE-2015-8984", "PkgName": "glibc-common", 
@@ -5688,9 +5992,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "glibc: potential denial of service in internal_fnmatch()", "Description": "The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2015/02/26/5", "http://www.openwall.com/lists/oss-security/2017/02/14/9", @@ -5708,9 +6013,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", @@ -5726,9 +6032,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", 
@@ -5736,25 +6043,27 @@ ] }, { - "VulnerabilityID": "CVE-2016-1234", + "VulnerabilityID": "CVE-2016-4429", "PkgName": "glibc-common", "InstalledVersion": "2.17-292.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "glibc: Stack-based buffer overflow in glob with GLOB_ALTDIRFUNC and crafted directory", - "Description": "Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()", + "Description": "Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets.", + "Severity": "LOW", "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184626.html", "http://lists.opensuse.org/opensuse-updates/2016-06/msg00030.html", "http://lists.opensuse.org/opensuse-updates/2016-07/msg00039.html", - "http://www.openwall.com/lists/oss-security/2016/03/07/16", - "http://www.securityfocus.com/bid/84204", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1234", - "https://security.gentoo.org/glsa/201702-11", - "https://sourceware.org/bugzilla/show_bug.cgi?id=19779", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5171f3079f2cc53e0548fc4967361f4d1ce9d7ea" + "http://www-01.ibm.com/support/docview.wss?uid=swg21995039", + "http://www.securityfocus.com/bid/102073", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4429", + "https://source.android.com/security/bulletin/2017-12-01", + "https://sourceware.org/bugzilla/show_bug.cgi?id=20112", + 
"https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc779a1a5b3035133024b21e2f339fe4219fb11c", + "https://usn.ubuntu.com/3759-1/", + "https://usn.ubuntu.com/3759-2/" ] }, { 
@@ -5764,15 +6073,49 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "glibc: Memory leak in glob with GLOB_TILDE", "Description": "The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101517", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671", "https://sourceware.org/bugzilla/show_bug.cgi?id=22325" ] }, + { + "VulnerabilityID": "CVE-2019-1010023", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", + "Description": "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. 
ldd execute code.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/109167", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", + "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, + { + "VulnerabilityID": "CVE-2019-19126", + "PkgName": "glibc-common", + "InstalledVersion": "2.17-292.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", + "Description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", + "Severity": "LOW", + "References": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=25204" + ] + }, { "VulnerabilityID": "CVE-2014-4617", "PkgName": "gnupg2", @@ -5780,6 +6123,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gnupg: infinite loop when decompressing data packets", "Description": "The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.", "Severity": "MEDIUM", 
@@ -5799,22 +6143,6 @@ "http://www.ubuntu.com/usn/USN-2258-1" ] }, - { - "VulnerabilityID": "CVE-2018-9234", - "PkgName": "gnupg2", - "InstalledVersion": "2.0.22-5.el7_5", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys", - "Description": "GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234", - "https://dev.gnupg.org/T3844", - "https://usn.ubuntu.com/3675-1/" - ] - }, { "VulnerabilityID": "CVE-2019-13050", "PkgName": "gnupg2", @@ -5822,6 +6150,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "GnuPG: interaction between the sks-keyserver code and GnuPG allows for a Certificate Spamming Attack which leads to persistent DoS", "Description": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.", "Severity": "MEDIUM", 
@@ -5839,9 +6168,17 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)", - "Description": "No description is available for this CVE.", - "Severity": "LOW" + "Description": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.", + "Severity": "LOW", + "References": [ + "http://www.cs.tau.ac.il/~tromer/radioexp/", + "http://www.debian.org/security/2015/dsa-3184", + "http://www.debian.org/security/2015/dsa-3185", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html" + ] }, { "VulnerabilityID": "CVE-2015-0837", 
@@ -5850,11 +6187,17 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libgcrypt: last-level cache side-channel attack", - "Description": "No description is available for this CVE.", + "Description": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"", "Severity": "LOW", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837" + "http://www.debian.org/security/2015/dsa-3184", + "http://www.debian.org/security/2015/dsa-3185", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837", + "https://ieeexplore.ieee.org/document/7163050", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html" ] }, { 
@@ -5864,10 +6207,17 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gnupg2: invalid memory read using a garbled keyring", - "Description": "No description is available for this CVE.", + "Description": "The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.", "Severity": "LOW", "References": [ + "http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648", + "http://www.debian.org/security/2015/dsa-3184", + "http://www.openwall.com/lists/oss-security/2015/02/13/14", + "http://www.openwall.com/lists/oss-security/2015/02/14/6", + "http://www.securitytracker.com/id/1031876", + "https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1606" ] }, 
@@ -5878,11 +6228,38 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gnupg2: memcpy with overlapping ranges (keybox_search.c)", - "Description": "No description is available for this CVE.", + "Description": "kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and \"memcpy with overlapping ranges.\"", "Severity": "LOW", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1607" + "http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392", + "http://www.openwall.com/lists/oss-security/2015/02/13/14", + "http://www.openwall.com/lists/oss-security/2015/02/14/6", + "http://www.securityfocus.com/bid/72610", + "http://www.ubuntu.com/usn/usn-2554-1/", + "https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1607", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000361.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000362.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-9234", + "PkgName": "gnupg2", + "InstalledVersion": "2.0.22-5.el7_5", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys", + "Description": "GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that 
occurred only with access to a signing subkey.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234", + "https://dev.gnupg.org/T3844", + "https://usn.ubuntu.com/3675-1/" ] }, { @@ -5892,9 +6269,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gpgme: heap-based buffer overflow in gpgsm status handler", "Description": "Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to \"different line lengths in a specific order.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77", "http://seclists.org/oss-sec/2014/q3/266", 
@@ -5905,6 +6283,36 @@ "https://bugzilla.redhat.com/show_bug.cgi?id=1113267" ] }, + { + "VulnerabilityID": "CVE-2014-5351", + "PkgName": "krb5-libs", + "InstalledVersion": "1.15.1-37.el7_7.2", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "krb5: current keys returned when randomizing the keys for a service principal", + "Description": "The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.", + "Severity": "MEDIUM", + "References": [ + "http://advisories.mageia.org/MGASA-2014-0477.html", + "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018", + "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html", + "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html", + "http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html", + "http://security.gentoo.org/glsa/glsa-201412-53.xml", + "http://www.mandriva.com/security/advisories?name=MDVSA-2014:224", + "http://www.securityfocus.com/bid/70380", + "http://www.securitytracker.com/id/1031003", + "http://www.ubuntu.com/usn/USN-2498-1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1145425", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/97028", + "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca", + "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html" + ] + }, { "VulnerabilityID": "CVE-2015-2695", "PkgName": "krb5-libs", 
@@ -5912,9 +6320,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "krb5: SPNEGO context aliasing bugs", "Description": "lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244", "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00006.html", @@ -5937,9 +6346,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "krb5: IAKERB context aliasing flaw", "Description": "lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted IAKERB packet that is mishandled during a gss_inquire_context call.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244", "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00006.html", 
@@ -5954,43 +6364,6 @@ "https://security.gentoo.org/glsa/201611-14" ] }, - { - "VulnerabilityID": "CVE-2017-11462", - "PkgName": "krb5-libs", - "InstalledVersion": "1.15.1-37.el7_7.2", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "krb5: Automatic sec context deletion could lead to double-free", - "Description": "Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.", - "Severity": "HIGH", - "References": [ - "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598", - "https://bugzilla.redhat.com/show_bug.cgi?id=1488873", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11462", - "https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/" - ] - }, - { - "VulnerabilityID": "CVE-2017-15088", - "PkgName": "krb5-libs", - "InstalledVersion": "1.15.1-37.el7_7.2", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "krb5: Buffer overflow in get_matching_data()", - "Description": "plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. 
NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/101594", - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698", - "https://bugzilla.redhat.com/show_bug.cgi?id=1504045", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088", - "https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4", - "https://github.com/krb5/krb5/pull/707" - ] - }, { "VulnerabilityID": "CVE-2015-2697", "PkgName": "krb5-libs", @@ -5998,6 +6371,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "krb5: build_principal() memory flaw", "Description": "The build_principal_va function in lib/krb5/krb/bld_princ.c in MIT Kerberos 5 (aka krb5) before 1.14 allows remote authenticated users to cause a denial of service (out-of-bounds read and KDC crash) via an initial '\\0' character in a long realm field within a TGS request.", "Severity": "MEDIUM", 
@@ -6017,61 +6391,23 @@ ] }, { - "VulnerabilityID": "CVE-2018-5709", + "VulnerabilityID": "CVE-2017-15088", "PkgName": "krb5-libs", "InstalledVersion": "1.15.1-37.el7_7.2", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "krb5: integer overflow in dbentry-\u003en_key_data in kadmin/dbutil/dump.c", - "Description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", + "SeveritySource": "redhat", + "Title": "krb5: Buffer overflow in get_matching_data()", + "Description": "plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. 
NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.", "Severity": "MEDIUM", "References": [ - "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow" - ] - }, - { - "VulnerabilityID": "CVE-2018-5710", - "PkgName": "krb5-libs", - "InstalledVersion": "1.15.1-37.el7_7.2", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "krb5: null pointer deference in strlen function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c", - "Description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function \"strlen\" is getting a \"NULL\" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5710", - "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service(DoS)" - ] - }, - { - "VulnerabilityID": "CVE-2014-5351", - "PkgName": "krb5-libs", - "InstalledVersion": "1.15.1-37.el7_7.2", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "krb5: current keys returned when randomizing the keys for a service principal", - "Description": "The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.", - "Severity": "LOW", - "References": [ - "http://advisories.mageia.org/MGASA-2014-0477.html", - 
"http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018", - "http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html", - "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html", - "http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html", - "http://security.gentoo.org/glsa/glsa-201412-53.xml", - "http://www.mandriva.com/security/advisories?name=MDVSA-2014:224", - "http://www.securityfocus.com/bid/70380", - "http://www.securitytracker.com/id/1031003", - "http://www.ubuntu.com/usn/USN-2498-1", - "https://bugzilla.redhat.com/show_bug.cgi?id=1145425", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/97028", - "https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca", - "https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html" + "http://www.securityfocus.com/bid/101594", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698", + "https://bugzilla.redhat.com/show_bug.cgi?id=1504045", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088", + "https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4", + "https://github.com/krb5/krb5/pull/707" ] }, { 
@@ -6081,9 +6417,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "krb5: Reachable assertion in the KDC using S4U2Self requests", "Description": "A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217", @@ -6093,6 +6430,25 @@ "https://security.netapp.com/advisory/ntap-20190416-0006/" ] }, + { + "VulnerabilityID": "CVE-2017-11462", + "PkgName": "krb5-libs", + "InstalledVersion": "1.15.1-37.el7_7.2", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "krb5: Automatic sec context deletion could lead to double-free", + "Description": "Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.", + "Severity": "LOW", + "References": [ + "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598", + "https://bugzilla.redhat.com/show_bug.cgi?id=1488873", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11462", + "https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/" + ] + }, { "VulnerabilityID": "CVE-2014-9114", "PkgName": "libblkid", 
@@ -6100,9 +6456,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", @@ -6123,9 +6480,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -6140,6 +6498,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", 
@@ -6160,6 +6519,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check leading to heap buffer overflow (oCERT-015-002)", "Description": "Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image.", "Severity": "MEDIUM", 
@@ -6184,6 +6544,46 @@ "https://security.gentoo.org/glsa/201701-06" ] }, + { + "VulnerabilityID": "CVE-2019-5094", + "PkgName": "libcom_err", + "InstalledVersion": "1.42.9-16.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", + "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html", + "https://seclists.org/bugtraq/2019/Sep/58", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887", + "https://usn.ubuntu.com/4142-2/", + "https://www.debian.org/security/2019/dsa-4535" + ] + }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libcom_err", + "InstalledVersion": "1.42.9-16.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. 
An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2015-1572", "PkgName": "libcom_err", @@ -6191,9 +6591,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "e2fsprogs: potential buffer overflow in closefs() (incomplete CVE-2015-0247 fix)", "Description": "Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://advisories.mageia.org/MGASA-2015-0088.html", "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/150606.html", 
@@ -6211,117 +6612,6 @@ "https://security.gentoo.org/glsa/201507-22" ] }, - { - "VulnerabilityID": "CVE-2016-8618", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: Double-free in curl_maprintf", - "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94098", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", - "https://curl.haxx.se/docs/adv_20161102D.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8619", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: Double-free in krb5 code", - "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94100", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", - "https://curl.haxx.se/CVE-2016-8619.patch", - 
"https://curl.haxx.se/docs/adv_20161102E.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2016-8622", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: URL unescape heap overflow via integer truncation", - "Description": "The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.", - "Severity": "HIGH", - "References": [ - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/94105", - "http://www.securitytracker.com/id/1037192", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622", - "https://curl.haxx.se/docs/adv_20161102H.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622", - "https://security.gentoo.org/glsa/201701-47", - "https://www.tenable.com/security/tns-2016-21" - ] - }, - { - "VulnerabilityID": "CVE-2017-8817", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: FTP wildcard out of bounds read", - "Description": "The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or 
possibly have unspecified other impact via a string that ends with an '[' character.", - "Severity": "HIGH", - "References": [ - "http://security.cucumberlinux.com/security/details.php?id=162", - "http://www.securityfocus.com/bid/102057", - "http://www.securitytracker.com/id/1039897", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/docs/adv_2017-ae72.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00040.html", - "https://security.gentoo.org/glsa/201712-04", - "https://www.debian.org/security/2017/dsa-4051" - ] - }, - { - "VulnerabilityID": "CVE-2019-5482", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: heap buffer overflow in function tftp_receive_packet()", - "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", - "https://curl.haxx.se/docs/CVE-2019-5482.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" - ] - }, { "VulnerabilityID": "CVE-2015-3153", "PkgName": "libcurl", 
@@ -6329,6 +6619,7 @@
 "Layer": {
 "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: sensitive HTTP server headers also sent to proxies",
 "Description": "The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.",
 "Severity": "MEDIUM",
@@ -6350,6 +6641,257 @@ "https://support.apple.com/kb/HT205031" ] }, + { + "VulnerabilityID": "CVE-2016-8615", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: Cookie injection for other servers", + "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8615.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94096", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615", + "https://curl.haxx.se/CVE-2016-8615.patch", + "https://curl.haxx.se/docs/adv_20161102A.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8617", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: Out-of-bounds write via unchecked multiplication", + "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8617.html", + 
"http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94097", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617", + "https://curl.haxx.se/CVE-2016-8617.patch", + "https://curl.haxx.se/docs/adv_20161102C.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8618", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: Double-free in curl_maprintf", + "Description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8618.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94098", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618", + "https://curl.haxx.se/docs/adv_20161102D.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8619", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { 
+ "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: Double-free in krb5 code", + "Description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8619.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94100", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8619", + "https://curl.haxx.se/CVE-2016-8619.patch", + "https://curl.haxx.se/docs/adv_20161102E.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8624", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: Invalid URL parsing with '#'", + "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. 
This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8624.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/94103", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624", + "https://curl.haxx.se/docs/adv_20161102J.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624", + "https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2016-8625", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: IDNA 2003 makes curl use wrong host", + "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2016-8625.html", + "http://linux.oracle.com/errata/ELSA-2019-4652.html", + "http://www.securityfocus.com/bid/94107", + "http://www.securitytracker.com/id/1037192", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625", + "https://curl.haxx.se/CVE-2016-8625.patch", + "https://curl.haxx.se/docs/adv_20161102K.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625", + 
"https://security.gentoo.org/glsa/201701-47", + "https://www.tenable.com/security/tns-2016-21" + ] + }, + { + "VulnerabilityID": "CVE-2017-1000254", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: FTP PWD response parser out of bounds read", + "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3992", + "http://www.securityfocus.com/bid/101115", + "http://www.securitytracker.com/id/1039509", + "https://access.redhat.com/errata/RHSA-2018:2486", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://curl.haxx.se/673d0cd8.patch", + "https://curl.haxx.se/docs/adv_20171004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254", + "https://security.gentoo.org/glsa/201712-04", + "https://support.apple.com/HT208331" + ] + }, + { + "VulnerabilityID": "CVE-2017-8817", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: FTP wildcard out of bounds read", + "Description": "The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.", + "Severity": "MEDIUM", + "References": [ + "http://security.cucumberlinux.com/security/details.php?id=162", + "http://www.securityfocus.com/bid/102057", + "http://www.securitytracker.com/id/1039897", + "https://access.redhat.com/errata/RHSA-2018:3558", + "https://curl.haxx.se/docs/adv_2017-ae72.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00040.html", + "https://security.gentoo.org/glsa/201712-04", + "https://www.debian.org/security/2017/dsa-4051" + ] + }, + { + "VulnerabilityID": "CVE-2018-20483", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": 
"sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "wget: Information exposure in set_file_metadata function in xattr.c", + "Description": "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.", + "Severity": "MEDIUM", + "References": [ + "http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS", + "http://linux.oracle.com/cve/CVE-2018-20483.html", + "http://linux.oracle.com/errata/ELSA-2019-3701.html", + "http://www.securityfocus.com/bid/106358", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483", + "https://security.gentoo.org/glsa/201903-08", + "https://security.netapp.com/advisory/ntap-20190321-0002/", + "https://twitter.com/marcan42/status/1077676739877232640", + "https://usn.ubuntu.com/3943-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "libcurl", + "InstalledVersion": "7.29.0-54.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-5482.html", + "http://linux.oracle.com/errata/ELSA-2020-5562.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + 
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, { "VulnerabilityID": "CVE-2016-0755", "PkgName": "libcurl", @@ -6357,9 +6899,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "curl: NTLM credentials not-checked for proxy connection re-use", "Description": "The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://curl.haxx.se/docs/adv_20160127A.html", "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", 
@@ -6382,30 +6925,6 @@
 "https://support.apple.com/HT207170"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-8615",
- "PkgName": "libcurl",
- "InstalledVersion": "7.29.0-54.el7",
- "Layer": {
- "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
- },
- "Title": "curl: Cookie injection for other servers",
- "Description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
- "http://www.securityfocus.com/bid/94096",
- "http://www.securitytracker.com/id/1037192",
- "https://access.redhat.com/errata/RHSA-2018:2486",
- "https://access.redhat.com/errata/RHSA-2018:3558",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615",
- "https://curl.haxx.se/CVE-2016-8615.patch",
- "https://curl.haxx.se/docs/adv_20161102A.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615",
- "https://security.gentoo.org/glsa/201701-47",
- "https://www.tenable.com/security/tns-2016-21"
- ]
- },
 {
 "VulnerabilityID": "CVE-2016-8616",
 "PkgName": "libcurl",
@@ -6413,10 +6932,13 @@
 "Layer": {
 "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: Case insensitive password comparison",
 "Description": "A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8616.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
 "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
 "http://www.securityfocus.com/bid/94094",
 "http://www.securitytracker.com/id/1037192",
@@ -6430,30 +6952,6 @@
 "https://www.tenable.com/security/tns-2016-21"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-8617",
- "PkgName": "libcurl",
- "InstalledVersion": "7.29.0-54.el7",
- "Layer": {
- "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
- },
- "Title": "curl: Out-of-bounds write via unchecked multiplication",
- "Description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
- "http://www.securityfocus.com/bid/94097",
- "http://www.securitytracker.com/id/1037192",
- "https://access.redhat.com/errata/RHSA-2018:2486",
- "https://access.redhat.com/errata/RHSA-2018:3558",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8617",
- "https://curl.haxx.se/CVE-2016-8617.patch",
- "https://curl.haxx.se/docs/adv_20161102C.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617",
- "https://security.gentoo.org/glsa/201701-47",
- "https://www.tenable.com/security/tns-2016-21"
- ]
- },
 {
 "VulnerabilityID": "CVE-2016-8621",
 "PkgName": "libcurl",
@@ -6461,10 +6959,13 @@
 "Layer": {
 "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: curl_getdate out-of-bounds read",
 "Description": "The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8621.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
 "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
 "http://www.securityfocus.com/bid/94101",
 "http://www.securitytracker.com/id/1037192",
@@ -6478,6 +6979,32 @@
 "https://www.tenable.com/security/tns-2016-21"
 ]
 },
+ {
+ "VulnerabilityID": "CVE-2016-8622",
+ "PkgName": "libcurl",
+ "InstalledVersion": "7.29.0-54.el7",
+ "Layer": {
+ "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
+ },
+ "SeveritySource": "redhat",
+ "Title": "curl: URL unescape heap overflow via integer truncation",
+ "Description": "The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.",
+ "Severity": "LOW",
+ "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8622.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
+ "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
+ "http://www.securityfocus.com/bid/94105",
+ "http://www.securitytracker.com/id/1037192",
+ "https://access.redhat.com/errata/RHSA-2018:2486",
+ "https://access.redhat.com/errata/RHSA-2018:3558",
+ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622",
+ "https://curl.haxx.se/docs/adv_20161102H.html",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622",
+ "https://security.gentoo.org/glsa/201701-47",
+ "https://www.tenable.com/security/tns-2016-21"
+ ]
+ },
 {
 "VulnerabilityID": "CVE-2016-8623",
 "PkgName": "libcurl",
@@ -6485,10 +7012,13 @@
 "Layer": {
 "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: Use-after-free via shared cookies",
 "Description": "A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
+ "http://linux.oracle.com/cve/CVE-2016-8623.html",
+ "http://linux.oracle.com/errata/ELSA-2019-4652.html",
 "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
 "http://www.securityfocus.com/bid/94106",
 "http://www.securitytracker.com/id/1037192",
@@ -6502,52 +7032,6 @@
 "https://www.tenable.com/security/tns-2016-21"
 ]
 },
- {
- "VulnerabilityID": "CVE-2016-8624",
- "PkgName": "libcurl",
- "InstalledVersion": "7.29.0-54.el7",
- "Layer": {
- "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
- },
- "Title": "curl: Invalid URL parsing with '#'",
- "Description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
- "http://www.securityfocus.com/bid/94103",
- "http://www.securitytracker.com/id/1037192",
- "https://access.redhat.com/errata/RHSA-2018:2486",
- "https://access.redhat.com/errata/RHSA-2018:3558",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624",
- "https://curl.haxx.se/docs/adv_20161102J.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624",
- "https://security.gentoo.org/glsa/201701-47",
- "https://www.tenable.com/security/tns-2016-21"
- ]
- },
- {
- "VulnerabilityID": "CVE-2016-8625",
- "PkgName": "libcurl",
- "InstalledVersion": "7.29.0-54.el7",
- "Layer": {
- "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
- },
- "Title": "curl: IDNA 2003 makes curl use wrong host",
- "Description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.",
- "Severity": "MEDIUM",
- "References": [
- "http://www.securityfocus.com/bid/94107",
- "http://www.securitytracker.com/id/1037192",
- "https://access.redhat.com/errata/RHSA-2018:2486",
- 
"https://access.redhat.com/errata/RHSA-2018:3558",
- "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625",
- "https://curl.haxx.se/CVE-2016-8625.patch",
- "https://curl.haxx.se/docs/adv_20161102K.html",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625",
- "https://security.gentoo.org/glsa/201701-47",
- "https://www.tenable.com/security/tns-2016-21"
- ]
- },
 {
 "VulnerabilityID": "CVE-2016-9586",
 "PkgName": "libcurl",
@@ -6555,9 +7039,10 @@
 "Layer": {
 "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: printf floating point buffer overflow",
 "Description": "curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
 "http://www.securityfocus.com/bid/95019",
@@ -6578,9 +7063,10 @@
 "Layer": {
 "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac"
 },
+ "SeveritySource": "redhat",
 "Title": "curl: TFTP sends more than buffer size",
 "Description": "When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.",
- "Severity": "MEDIUM",
+ "Severity": "LOW",
 "References": [
 "http://www.debian.org/security/2017/dsa-3992",
 "http://www.securityfocus.com/bid/100286",
@@ -6592,48 +7078,6 @@ "https://support.apple.com/HT208221" ] }, - { - "VulnerabilityID": "CVE-2017-1000254", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: FTP PWD response parser out of bounds read", - "Description": "libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3992", - "http://www.securityfocus.com/bid/101115", - "http://www.securitytracker.com/id/1039509", - "https://access.redhat.com/errata/RHSA-2018:2486", - "https://access.redhat.com/errata/RHSA-2018:3558", - "https://curl.haxx.se/673d0cd8.patch", - "https://curl.haxx.se/docs/adv_20171004.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254", - "https://security.gentoo.org/glsa/201712-04", - "https://support.apple.com/HT208331" - ] - }, - { - "VulnerabilityID": "CVE-2019-5436", - "PkgName": "libcurl", - "InstalledVersion": "7.29.0-54.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function", - "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", - "https://curl.haxx.se/docs/CVE-2019-5436.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/", - "https://security.netapp.com/advisory/ntap-20190606-0004/" - ] - }, { "VulnerabilityID": "CVE-2017-7407", "PkgName": "libcurl", 
@@ -6641,6 +7085,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "curl: --write-out out of bounds read", "Description": "The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.", "Severity": "LOW", 
@@ -6654,23 +7099,23 @@ ] }, { - "VulnerabilityID": "CVE-2018-20483", + "VulnerabilityID": "CVE-2019-5436", "PkgName": "libcurl", "InstalledVersion": "7.29.0-54.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "wget: Information exposure in set_file_metadata function in xattr.c", - "Description": "set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.", + "SeveritySource": "redhat", + "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function", + "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", "Severity": "LOW", "References": [ - "http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS", - "http://www.securityfocus.com/bid/106358", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483", - "https://security.gentoo.org/glsa/201903-08", - "https://security.netapp.com/advisory/ntap-20190321-0002/", - "https://twitter.com/marcan42/status/1077676739877232640", - "https://usn.ubuntu.com/3943-1/" + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", + "https://curl.haxx.se/docs/CVE-2019-5436.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/", + "https://security.netapp.com/advisory/ntap-20190606-0004/" ] }, { @@ -6680,6 +7125,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libdb: Reads DB_CONFIG from the current working directory", "Description": "Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.", "Severity": "MEDIUM", @@ -6697,6 +7143,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libdb: Reads DB_CONFIG from the current working directory", "Description": "Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.", "Severity": "MEDIUM", @@ -6714,9 +7161,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: integer overflow flaws in libgfortran", "Description": "Multiple integer overflows in libgfortran might allow remote attackers to execute arbitrary code or cause a denial of service (Fortran application crash) via vectors related to array allocation.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2014/07/24/1", "http://www.openwall.com/lists/oss-security/2014/07/31/6", 
@@ -6726,6 +7174,22 @@ "https://gcc.gnu.org/viewcvs/gcc/trunk/libgfortran/ChangeLog?limit_changes=0\u0026view=markup\u0026pathrev=211721" ] }, + { + "VulnerabilityID": "CVE-2018-20673", + "PkgName": "libgcc", + "InstalledVersion": "4.8.5-39.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libiberty: Integer overflow in demangle_template() function", + "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/106454", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" + ] + }, { "VulnerabilityID": "CVE-2015-5276", "PkgName": "libgcc", @@ -6733,9 +7197,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Predictable randomness from std::random_device", "Description": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2015-11/msg00054.html", "http://lists.opensuse.org/opensuse-updates/2016-04/msg00052.html", 
@@ -6751,9 +7216,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Exploitable buffer overflow", "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90103", @@ -6769,9 +7235,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array btypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", @@ -6786,9 +7253,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", 
@@ -6803,9 +7271,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to integer overflow", "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90017", @@ -6820,9 +7289,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Write access violation", "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90019", @@ -6837,9 +7307,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90016", 
@@ -6855,9 +7326,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", @@ -6873,9 +7345,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", 
@@ -6884,25 +7357,6 @@ "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" ] }, - { - "VulnerabilityID": "CVE-2016-6131", - "PkgName": "libgcc", - "InstalledVersion": "4.8.5-39.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler", - "Description": "The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/06/30/4", - "http://www.openwall.com/lists/oss-security/2016/06/30/7", - "http://www.securityfocus.com/bid/91519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696", - "https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html" - ] - }, { "VulnerabilityID": "CVE-2018-20657", "PkgName": "libgcc", 
@@ -6910,30 +7364,19 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20657.html", + "http://linux.oracle.com/errata/ELSA-2019-3352.html", "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", "https://support.f5.com/csp/article/K62602089" ] }, - { - "VulnerabilityID": "CVE-2018-20673", - "PkgName": "libgcc", - "InstalledVersion": "4.8.5-39.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libiberty: Integer overflow in demangle_template() function", - "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106454", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" - ] - }, { "VulnerabilityID": "CVE-2019-14250", "PkgName": "libgcc", 
@@ -6941,9 +7384,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "binutils: integer overflow in simple-object-elf.c leads to a heap-based buffer overflow", "Description": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109354", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924", @@ -6951,6 +7395,25 @@ "https://security.netapp.com/advisory/ntap-20190822-0002/" ] }, + { + "VulnerabilityID": "CVE-2014-5270", + "PkgName": "libgcrypt", + "InstalledVersion": "1.5.3-14.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libgcrypt: ELGAMAL side-channel attack", + "Description": "Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.", + "Severity": "MEDIUM", + "References": [ + "http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html", + "http://openwall.com/lists/oss-security/2014/08/16/2", + "http://www.cs.tau.ac.il/~tromer/handsoff/", + "http://www.debian.org/security/2014/dsa-3024", + "http://www.debian.org/security/2014/dsa-3073" + ] + }, { "VulnerabilityID": "CVE-2017-7526", "PkgName": "libgcrypt", 
@@ -6958,6 +7421,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libgcrypt: Use of left-to-right sliding window method allows full RSA key recovery", "Description": "libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.", "Severity": "MEDIUM", @@ -6984,6 +7448,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack", "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)", "Severity": "MEDIUM", 
@@ -7002,26 +7467,16 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)", - "Description": "No description is available for this CVE.", - "Severity": "LOW" - }, - { - "VulnerabilityID": "CVE-2014-5270", - "PkgName": "libgcrypt", - "InstalledVersion": "1.5.3-14.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libgcrypt: ELGAMAL side-channel attack", - "Description": "Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.", + "Description": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.", "Severity": "LOW", "References": [ - "http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html", - "http://openwall.com/lists/oss-security/2014/08/16/2", - "http://www.cs.tau.ac.il/~tromer/handsoff/", - "http://www.debian.org/security/2014/dsa-3024", - "http://www.debian.org/security/2014/dsa-3073" + "http://www.cs.tau.ac.il/~tromer/radioexp/", + "http://www.debian.org/security/2015/dsa-3184", + "http://www.debian.org/security/2015/dsa-3185", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html" ] }, { 
@@ -7031,11 +7486,17 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libgcrypt: last-level cache side-channel attack", - "Description": "No description is available for this CVE.", + "Description": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"", "Severity": "LOW", "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837" + "http://www.debian.org/security/2015/dsa-3184", + "http://www.debian.org/security/2015/dsa-3185", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837", + "https://ieeexplore.ieee.org/document/7163050", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html", + "https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html" ] }, { @@ -7045,9 +7506,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libidn: out-of-bounds read with stringprep on invalid UTF-8", "Description": "The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in jabberd2, allows context-dependent attackers to read system memory and possibly have other unspecified impact via invalid UTF-8 characters in a string, which triggers an out-of-bounds read.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c279", "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162537.html", 
@@ -7062,24 +7524,6 @@ "https://github.com/jabberd2/jabberd2/issues/85" ] }, - { - "VulnerabilityID": "CVE-2017-14062", - "PkgName": "libidn", - "InstalledVersion": "1.28-4.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libidn2: Integer overflow in puny_decode.c/decode_digit", - "Description": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.", - "Severity": "HIGH", - "References": [ - "http://www.debian.org/security/2017/dsa-3988", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062", - "https://gitlab.com/libidn/libidn2/blob/master/NEWS", - "https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd", - "https://lists.debian.org/debian-lts-announce/2018/07/msg00040.html" - ] - }, { "VulnerabilityID": "CVE-2015-8948", "PkgName": "libidn", @@ -7087,9 +7531,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libidn: Out-of-bounds read due to use of fgets with fixed-size buffer", "Description": "idn in GNU libidn before 1.33 might allow remote attackers to obtain sensitive memory information by reading a zero byte as input, which triggers an out-of-bounds read.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=570e68886c41c2e765e6218cb317d9a9a447a041", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00005.html", 
@@ -7110,9 +7555,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libidn: Out of bounds stack read in idna_to_ascii_4i", "Description": "The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via 64 bytes of input.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00098.html", @@ -7133,9 +7579,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libidn: Out-of-bounds read when reading zero byte as input", "Description": "idn in libidn before 1.33 might allow remote attackers to obtain sensitive memory information by reading a zero byte as input, which triggers an out-of-bounds read, a different vulnerability than CVE-2015-8948.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=5e3cb9c7b5bf0ce665b9d68f5ddf095af5c9ba60", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00005.html", @@ -7154,9 +7601,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libidn: Crash when given invalid UTF-8 data on input", "Description": "The stringprep_utf8_nfkc_normalize function in lib/nfkc.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted UTF-8 data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=1fbee57ef3c72db2206dd87e4162108b2f425555", "http://lists.opensuse.org/opensuse-updates/2016-08/msg00005.html", 
@@ -7170,6 +7618,25 @@ "https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html" ] }, + { + "VulnerabilityID": "CVE-2017-14062", + "PkgName": "libidn", + "InstalledVersion": "1.28-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libidn2: Integer overflow in puny_decode.c/decode_digit", + "Description": "Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.", + "Severity": "LOW", + "References": [ + "http://www.debian.org/security/2017/dsa-3988", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14062", + "https://gitlab.com/libidn/libidn2/blob/master/NEWS", + "https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd", + "https://lists.debian.org/debian-lts-announce/2018/07/msg00040.html" + ] + }, { "VulnerabilityID": "CVE-2014-9114", "PkgName": "libmount", @@ -7177,9 +7644,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", 
@@ -7200,9 +7668,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -7217,6 +7686,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", 
@@ -7237,11 +7707,14 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libnl: Integer overflow in nlmsg_reserve()", "Description": "An elevation of privilege vulnerability in libnl could enable a local malicious application to execute arbitrary code within the context of the Wi-Fi service. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32342065. NOTE: this issue also exists in the upstream libnl before 3.3.0 library.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://git.infradead.org/users/tgr/libnl.git/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb", + "http://linux.oracle.com/cve/CVE-2017-0553.html", + "http://linux.oracle.com/errata/ELSA-2017-2299.html", "http://lists.infradead.org/pipermail/libnl/2017-May/002313.html", "http://www.securityfocus.com/bid/97340", "http://www.securitytracker.com/id/1038201", @@ -7261,9 +7734,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", 
@@ -7284,9 +7758,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -7301,6 +7776,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", @@ -7321,6 +7797,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write", "Description": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.", "Severity": "MEDIUM", 
@@ -7333,6 +7810,28 @@ "https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html" ] }, + { + "VulnerabilityID": "CVE-2019-17498", + "PkgName": "libssh2", + "InstalledVersion": "1.8.0-3.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c", + "Description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00026.html", + "https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498", + "https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498", + "https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c#L480", + "https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94", + "https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/" + ] + }, { "VulnerabilityID": "CVE-2019-3859", "PkgName": "libssh2", 
@@ -7340,6 +7839,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", @@ -7373,6 +7873,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libssh2: Out-of-bounds reads with specially crafted SFTP packets", "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.", "Severity": "MEDIUM", @@ -7396,9 +7897,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: integer overflow flaws in libgfortran", "Description": "Multiple integer overflows in libgfortran might allow remote attackers to execute arbitrary code or cause a denial of service (Fortran application crash) via vectors related to array allocation.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2014/07/24/1", "http://www.openwall.com/lists/oss-security/2014/07/31/6", 
@@ -7408,6 +7910,22 @@ "https://gcc.gnu.org/viewcvs/gcc/trunk/libgfortran/ChangeLog?limit_changes=0\u0026view=markup\u0026pathrev=211721" ] }, + { + "VulnerabilityID": "CVE-2018-20673", + "PkgName": "libstdc++", + "InstalledVersion": "4.8.5-39.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libiberty: Integer overflow in demangle_template() function", + "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/106454", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" + ] + }, { "VulnerabilityID": "CVE-2015-5276", "PkgName": "libstdc++", @@ -7415,9 +7933,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Predictable randomness from std::random_device", "Description": "The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2015-11/msg00054.html", "http://lists.opensuse.org/opensuse-updates/2016-04/msg00052.html", 
@@ -7433,9 +7952,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Exploitable buffer overflow", "Description": "Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90103", @@ -7451,9 +7971,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array btypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", @@ -7468,9 +7989,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to a use-after-free to array ktypevec", "Description": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"ktypevec.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90025", 
@@ -7485,9 +8007,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Invalid write due to integer overflow", "Description": "Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the \"demangling of virtual tables.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90017", @@ -7502,9 +8025,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Write access violation", "Description": "Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90019", @@ -7519,9 +8043,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Stack overflow due to infinite recursion in d_print_comp", "Description": "The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having \"itself as ancestor more than once.\"", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90016", 
@@ -7537,9 +8062,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", @@ -7555,9 +8081,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "gcc: Read access violations", "Description": "The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/05/05/5", "http://www.securityfocus.com/bid/90014", 
@@ -7566,25 +8093,6 @@ "https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html" ] }, - { - "VulnerabilityID": "CVE-2016-6131", - "PkgName": "libstdc++", - "InstalledVersion": "4.8.5-39.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "gcc,gdb,binutils,libitm: Stack overflow vulnerability in libiberty demangler", - "Description": "The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/06/30/4", - "http://www.openwall.com/lists/oss-security/2016/06/30/7", - "http://www.securityfocus.com/bid/91519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131", - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696", - "https://gcc.gnu.org/ml/gcc-patches/2016-06/msg02030.html" - ] - }, { "VulnerabilityID": "CVE-2018-20657", "PkgName": "libstdc++", 
@@ -7592,30 +8100,19 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libiberty: Memory leak in demangle_template function resulting in a denial of service", "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20657.html", + "http://linux.oracle.com/errata/ELSA-2019-3352.html", "http://www.securityfocus.com/bid/106444", + "https://access.redhat.com/errata/RHSA-2019:3352", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88539", "https://support.f5.com/csp/article/K62602089" ] }, - { - "VulnerabilityID": "CVE-2018-20673", - "PkgName": "libstdc++", - "InstalledVersion": "4.8.5-39.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libiberty: Integer overflow in demangle_template() function", - "Description": "The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for \"Create an array for saving the template argument values\") that can trigger a heap-based buffer overflow, as demonstrated by nm.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106454", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24039" - ] - }, { "VulnerabilityID": "CVE-2019-14250", "PkgName": "libstdc++", 
@@ -7623,9 +8120,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "binutils: integer overflow in simple-object-elf.c leads to a heap-based buffer overflow", "Description": "An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/109354", "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924", @@ -7633,23 +8131,6 @@ "https://security.netapp.com/advisory/ntap-20190822-0002/" ] }, - { - "VulnerabilityID": "CVE-2018-1000654", - "PkgName": "libtasn1", - "InstalledVersion": "4.10-1.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion", - "Description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.", - "Severity": "HIGH", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html", - "http://www.securityfocus.com/bid/105151", - "https://gitlab.com/gnutls/libtasn1/issues/4" - ] - }, { "VulnerabilityID": "CVE-2016-4008", "PkgName": "libtasn1", 
@@ -7657,6 +8138,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libtasn1: infinite loop while parsing DER certificates", "Description": "The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.", "Severity": "MEDIUM", @@ -7677,6 +8159,26 @@ "https://security.gentoo.org/glsa/201703-05" ] }, + { + "VulnerabilityID": "CVE-2018-6003", + "PkgName": "libtasn1", + "InstalledVersion": "4.10-1.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libtasn1: Stack exhaustion due to indefinite recursion during BER decoding", + "Description": "An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.", + "Severity": "MEDIUM", + "References": [ + "http://git.savannah.nongnu.org/cgit/libtasn1.git/commit/?id=c593ae84cfcde8fea45787e53950e0ac71e9ca97", + "https://bugzilla.redhat.com/show_bug.cgi?id=1535926", + "https://bugzilla.suse.com/show_bug.cgi?id=1076832", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003", + "https://gitlab.com/gnutls/libtasn1/commit/946565d8eb05fbf7970ea366e817581bb5a90910", + "https://www.debian.org/security/2018/dsa-4106" + ] + }, { "VulnerabilityID": "CVE-2017-10790", "PkgName": "libtasn1", 
@@ -7684,9 +8186,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libtasn1: NULL pointer dereference in the _asn1_check_identifier function", "Description": "The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464141", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790", @@ -7702,9 +8205,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libtasn1: Stack-based buffer overflow in asn1_find_node()", "Description": "Two errors in the \"asn1_find_node()\" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=5520704d075802df25ce4ffccc010ba1641bd484", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html", 
@@ -7718,22 +8222,21 @@ ] }, { - "VulnerabilityID": "CVE-2018-6003", + "VulnerabilityID": "CVE-2018-1000654", "PkgName": "libtasn1", "InstalledVersion": "4.10-1.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "libtasn1: Stack exhaustion due to indefinite recursion during BER decoding", - "Description": "An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion", + "Description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.", + "Severity": "LOW", "References": [ - "http://git.savannah.nongnu.org/cgit/libtasn1.git/commit/?id=c593ae84cfcde8fea45787e53950e0ac71e9ca97", - "https://bugzilla.redhat.com/show_bug.cgi?id=1535926", - "https://bugzilla.suse.com/show_bug.cgi?id=1076832", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003", - "https://gitlab.com/gnutls/libtasn1/commit/946565d8eb05fbf7970ea366e817581bb5a90910", - "https://www.debian.org/security/2018/dsa-4106" + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html", + "http://www.securityfocus.com/bid/105151", + "https://gitlab.com/gnutls/libtasn1/issues/4" ] }, { 
@@ -7743,9 +8246,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", @@ -7766,9 +8270,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -7783,6 +8288,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", 
@@ -7796,147 +8302,6 @@ "https://www.kernel.org/pub/linux/utils/util-linux/v2.27/v2.27-ReleaseNotes" ] }, - { - "VulnerabilityID": "CVE-2016-4658", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Use after free via namespace node in XPointer ranges", - "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.", - "Severity": "CRITICAL", - "References": [ - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html", - "http://www.securityfocus.com/bid/93054", - "http://www.securitytracker.com/id/1036858", - "http://www.securitytracker.com/id/1038623", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658", - "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b", - "https://github.com/sparklemotion/nokogiri/issues/1615", - "https://security.gentoo.org/glsa/201701-37", - "https://support.apple.com/HT207141", - "https://support.apple.com/HT207142", - "https://support.apple.com/HT207143", - "https://support.apple.com/HT207170" - ] - }, - { - "VulnerabilityID": "CVE-2017-16931", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Mishandling parameter-entity references", - "Description": "parser.c in 
libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.", - "Severity": "HIGH", - "References": [ - "http://xmlsoft.org/news.html", - "https://bugzilla.gnome.org/show_bug.cgi?id=766956", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931", - "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html" - ] - }, - { - "VulnerabilityID": "CVE-2017-7375", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Missing validation for external entities in xmlParsePEReference", - "Description": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). 
Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/98877", - "http://www.securitytracker.com/id/1038623", - "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa", - "https://bugzilla.redhat.com/show_bug.cgi?id=1462203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375", - "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e", - "https://security.gentoo.org/glsa/201711-01", - "https://source.android.com/security/bulletin/2017-06-01", - "https://www.debian.org/security/2017/dsa-3952" - ] - }, - { - "VulnerabilityID": "CVE-2015-8806", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: heap-buffer overread in dict.c", - "Description": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"\u003c!DOCTYPE html\" substring in a crafted HTML document.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/02/03/5", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/82071", - "http://www.ubuntu.com/usn/USN-2994-1", - "http://www.ubuntu.com/usn/usn-2994-1/", - "https://bugzilla.gnome.org/show_bug.cgi?id=749115", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806", - "https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028", - "https://github.com/sparklemotion/nokogiri/issues/1473", - 
"https://mail.gnome.org/archives/xml/2016-May/msg00023.html", - "https://security.gentoo.org/glsa/201701-37", - "https://www.debian.org/security/2016/dsa-3593" - ] - }, - { - "VulnerabilityID": "CVE-2016-2073", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: out-of-bounds read in htmlParseNameComplex()", - "Description": "The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/01/25/6", - "http://www.openwall.com/lists/oss-security/2016/01/26/7", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/85267", - "http://www.securitytracker.com/id/1035011", - "http://www.ubuntu.com/usn/USN-2994-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073", - "https://security.gentoo.org/glsa/201701-37", - "https://www.debian.org/security/2016/dsa-3593" - ] - }, - { - "VulnerabilityID": "CVE-2016-4483", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: out-of-bounds read", - "Description": "The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. 
NOTE: this vulnerability may be a duplicate of CVE-2016-3627.", - "Severity": "MEDIUM", - "References": [ - "http://rhn.redhat.com/errata/RHSA-2016-2957.html", - "http://www.debian.org/security/2016/dsa-3593", - "http://www.openwall.com/lists/oss-security/2016/05/03/8", - "http://www.openwall.com/lists/oss-security/2016/05/04/7", - "http://www.openwall.com/lists/oss-security/2016/06/07/4", - "http://www.openwall.com/lists/oss-security/2016/06/07/5", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/90013", - "http://www.securitytracker.com/id/1036348", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483", - "https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd", - "https://security.gentoo.org/glsa/201701-37", - "https://www.tenable.com/security/tns-2016-18" - ] - }, { "VulnerabilityID": "CVE-2016-5131", "PkgName": "libxml2", @@ -7944,9 +8309,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "libxml2: use after free triggered by XPointer paths beginning with range-to", + "SeveritySource": "redhat", + "Title": "libxml2: Use after free triggered by XPointer paths beginning with range-to", "Description": "Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ "http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html", "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", 
@@ -7977,44 +8343,6 @@ "https://support.apple.com/HT207170" ] }, - { - "VulnerabilityID": "CVE-2016-9318", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: XML External Entity vulnerability", - "Description": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/94347", - "https://bugzilla.gnome.org/show_bug.cgi?id=772726", - "https://github.com/lsh123/xmlsec/issues/43", - "https://security.gentoo.org/glsa/201711-01", - "https://usn.ubuntu.com/3739-1/", - "https://usn.ubuntu.com/3739-2/" - ] - }, - { - "VulnerabilityID": "CVE-2017-0663", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Heap buffer overflow in xmlAddID", - "Description": "A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. 
Android ID: A-37104170.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.securityfocus.com/bid/98877", - "http://www.securitytracker.com/id/1038623", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663", - "https://security.gentoo.org/glsa/201711-01", - "https://source.android.com/security/bulletin/2017-06-01" - ] - }, { "VulnerabilityID": "CVE-2017-15412", "PkgName": "libxml2", @@ -8022,9 +8350,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "chromium-browser: use after free in libxml", + "SeveritySource": "redhat", + "Title": "libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c", "Description": "Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ "http://www.securitytracker.com/id/1040348", "https://access.redhat.com/errata/RHSA-2017:3401", 
@@ -8041,185 +8370,6 @@ "https://www.debian.org/security/2018/dsa-4086" ] }, - { - "VulnerabilityID": "CVE-2017-16932", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Infinite recursion in parameter entities", - "Description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.", - "Severity": "MEDIUM", - "References": [ - "http://xmlsoft.org/news.html", - "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html", - "https://bugzilla.gnome.org/show_bug.cgi?id=759579", - "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961", - "https://github.com/sparklemotion/nokogiri/issues/1714", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html", - "https://usn.ubuntu.com/3739-1/", - "https://usn.ubuntu.com/usn/usn-3504-1/" - ] - }, - { - "VulnerabilityID": "CVE-2017-18258", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: denial of service in xz_head function in xzlib.c", - "Description": "The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18258", - "https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", - 
"https://security.netapp.com/advisory/ntap-20190719-0001/", - "https://usn.ubuntu.com/3739-1/" - ] - }, - { - "VulnerabilityID": "CVE-2017-8872", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Out-of-bounds read in htmlParseTryOrFinish", - "Description": "The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.", - "Severity": "MEDIUM", - "References": [ - "https://bugzilla.gnome.org/show_bug.cgi?id=775200", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872" - ] - }, - { - "VulnerabilityID": "CVE-2017-9047", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Buffer overflow in function xmlSnprintfElementContent", - "Description": "A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content-\u003etype is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content-\u003eprefix is appended to buf (if it actually fits) whereupon (ii) content-\u003ename is written to the buffer. However, the check for whether the content-\u003ename actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. 
This vulnerability causes programs that use libxml2, such as PHP, to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2017-9048", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Stack-based buffer overflow in function xmlSnprintfElementContent", - "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 \u003c size. This vulnerability causes programs that use libxml2, such as PHP, to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98556", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2017-9049", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Heap-based buffer over-read in function xmlDictComputeFastKey", - "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. 
This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2017-9050", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Heap-based buffer over-read in function xmlDictAddString", - "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98568", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050", - "https://github.com/sparklemotion/nokogiri/issues/1673", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html", - "https://security.gentoo.org/glsa/201711-01", - 
"https://usn.ubuntu.com/usn/usn-3424-1/" - ] - }, - { - "VulnerabilityID": "CVE-2018-14404", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: NULL pointer dereference in xpath.c:xmlXPathCompOpEval() can allow attackers to cause a denial of service", - "Description": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817", - "https://bugzilla.redhat.com/show_bug.cgi?id=1595985", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404", - "https://github.com/sparklemotion/nokogiri/issues/1785", - "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", - "https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594", - "https://gitlab.gnome.org/GNOME/libxml2/issues/10", - "https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", - "https://usn.ubuntu.com/3739-1/", - "https://usn.ubuntu.com/3739-2/" - ] - }, - { - "VulnerabilityID": "CVE-2018-14567", - "PkgName": "libxml2", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Infinite loop when --with-lzma is used allows for denial of service via crafted XML file", - "Description": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via 
a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105198", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567", - "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", - "https://usn.ubuntu.com/3739-1/" - ] - }, { "VulnerabilityID": "CVE-2015-8035", "PkgName": "libxml2", @@ -8227,9 +8377,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "libxml2: DoS when parsing specially crafted XML document if XZ support is enabled", + "SeveritySource": "redhat", + "Title": "libxml2: DoS caused by incorrect error detection during XZ decompression", "Description": "The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html", "http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html", 
@@ -8260,146 +8411,13 @@ ] }, { - "VulnerabilityID": "CVE-2017-5969", + "VulnerabilityID": "CVE-2016-4483", "PkgName": "libxml2", "InstalledVersion": "2.9.1-6.el7_2.3", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "libxml2: Null pointer dereference in xmlSaveDoc implementation", - "Description": "** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states \"I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser.\"", - "Severity": "LOW", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/11/05/3", - "http://www.openwall.com/lists/oss-security/2017/02/13/1", - "http://www.securityfocus.com/bid/96188", - "https://bugzilla.gnome.org/show_bug.cgi?id=778519", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2016-4658", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Use after free via namespace node in XPointer ranges", - "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.", - "Severity": "CRITICAL", - "References": [ - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html", - 
"http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html", - "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html", - "http://www.securityfocus.com/bid/93054", - "http://www.securitytracker.com/id/1036858", - "http://www.securitytracker.com/id/1038623", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658", - "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b", - "https://github.com/sparklemotion/nokogiri/issues/1615", - "https://security.gentoo.org/glsa/201701-37", - "https://support.apple.com/HT207141", - "https://support.apple.com/HT207142", - "https://support.apple.com/HT207143", - "https://support.apple.com/HT207170" - ] - }, - { - "VulnerabilityID": "CVE-2017-16931", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Mishandling parameter-entity references", - "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.", - "Severity": "HIGH", - "References": [ - "http://xmlsoft.org/news.html", - "https://bugzilla.gnome.org/show_bug.cgi?id=766956", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931", - "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html" - ] - }, - { - "VulnerabilityID": "CVE-2017-7375", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Missing validation for external entities in xmlParsePEReference", - "Description": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the 
caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/98877", - "http://www.securitytracker.com/id/1038623", - "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa", - "https://bugzilla.redhat.com/show_bug.cgi?id=1462203", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375", - "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e", - "https://security.gentoo.org/glsa/201711-01", - "https://source.android.com/security/bulletin/2017-06-01", - "https://www.debian.org/security/2017/dsa-3952" - ] - }, - { - "VulnerabilityID": "CVE-2015-8806", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: heap-buffer overread in dict.c", - "Description": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"\u003c!DOCTYPE html\" substring in a crafted HTML document.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/02/03/5", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/82071", - "http://www.ubuntu.com/usn/USN-2994-1", - "http://www.ubuntu.com/usn/usn-2994-1/", - "https://bugzilla.gnome.org/show_bug.cgi?id=749115", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806", - 
"https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028", - "https://github.com/sparklemotion/nokogiri/issues/1473", - "https://mail.gnome.org/archives/xml/2016-May/msg00023.html", - "https://security.gentoo.org/glsa/201701-37", - "https://www.debian.org/security/2016/dsa-3593" - ] - }, - { - "VulnerabilityID": "CVE-2016-2073", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: out-of-bounds read in htmlParseNameComplex()", - "Description": "The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document.", - "Severity": "MEDIUM", - "References": [ - "http://www.openwall.com/lists/oss-security/2016/01/25/6", - "http://www.openwall.com/lists/oss-security/2016/01/26/7", - "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", - "http://www.securityfocus.com/bid/85267", - "http://www.securitytracker.com/id/1035011", - "http://www.ubuntu.com/usn/USN-2994-1", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2073", - "https://security.gentoo.org/glsa/201701-37", - "https://www.debian.org/security/2016/dsa-3593" - ] - }, - { - "VulnerabilityID": "CVE-2016-4483", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, + "SeveritySource": "redhat", "Title": "libxml2: out-of-bounds read", "Description": "The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.", "Severity": "MEDIUM", 
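Review bot: The removed side of this hunk drops every libxml2-python finding from the expected output (CVE-2016-4658, CVE-2017-16931, CVE-2017-7375, CVE-2015-8806, CVE-2016-2073 and CVE-2016-4483), and the one surviving record is re-keyed from libxml2-python to libxml2 by swapping the VulnerabilityID of the former CVE-2017-5969 entry, which is a diff artifact of the reorder rather than a real edit. The next hunk re-adds CVE-2016-4658, CVE-2017-16931, CVE-2017-7375 and CVE-2017-5969 under libxml2, but within this view CVE-2015-8806 and CVE-2016-2073 do not reappear under either package, so the golden file now asserts that those two are no longer reported at all for libxml2 2.9.1-6.el7_2.3. Because this fixture is the integration test's assertion, the drop is worth confirming against the bumped trivy-db rather than being accepted as regenerated output; if it reflects a deliberate change in how binary sub-packages are mapped to their source package, stating that in the commit message would make the fixture change reviewable. The last hunk of this file runs past the visible range, so later entries may still account for the missing CVEs.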
@@ -8419,6 +8437,377 @@ "https://www.tenable.com/security/tns-2016-18" ] }, + { + "VulnerabilityID": "CVE-2016-4658", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Use after free via namespace node in XPointer ranges", + "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.", + "Severity": "MEDIUM", + "References": [ + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html", + "http://www.securityfocus.com/bid/93054", + "http://www.securitytracker.com/id/1036858", + "http://www.securitytracker.com/id/1038623", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658", + "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b", + "https://github.com/sparklemotion/nokogiri/issues/1615", + "https://security.gentoo.org/glsa/201701-37", + "https://support.apple.com/HT207141", + "https://support.apple.com/HT207142", + "https://support.apple.com/HT207143", + "https://support.apple.com/HT207170" + ] + }, + { + "VulnerabilityID": "CVE-2016-9318", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: XML External Entity vulnerability", + 
"Description": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/94347", + "https://bugzilla.gnome.org/show_bug.cgi?id=772726", + "https://github.com/lsh123/xmlsec/issues/43", + "https://security.gentoo.org/glsa/201711-01", + "https://usn.ubuntu.com/3739-1/", + "https://usn.ubuntu.com/3739-2/" + ] + }, + { + "VulnerabilityID": "CVE-2017-0663", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Heap buffer overflow in xmlAddID", + "Description": "A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. 
Android ID: A-37104170.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.securityfocus.com/bid/98877", + "http://www.securitytracker.com/id/1038623", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663", + "https://security.gentoo.org/glsa/201711-01", + "https://source.android.com/security/bulletin/2017-06-01" + ] + }, + { + "VulnerabilityID": "CVE-2017-16931", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Mishandling parameter-entity references", + "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.", + "Severity": "MEDIUM", + "References": [ + "http://xmlsoft.org/news.html", + "https://bugzilla.gnome.org/show_bug.cgi?id=766956", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931", + "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html" + ] + }, + { + "VulnerabilityID": "CVE-2017-16932", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Infinite recursion in parameter entities", + "Description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.", + "Severity": "MEDIUM", + "References": [ + "http://xmlsoft.org/news.html", + "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html", + "https://bugzilla.gnome.org/show_bug.cgi?id=759579", + "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961", + 
"https://github.com/sparklemotion/nokogiri/issues/1714", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html", + "https://usn.ubuntu.com/3739-1/", + "https://usn.ubuntu.com/usn/usn-3504-1/" + ] + }, + { + "VulnerabilityID": "CVE-2017-7375", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Missing validation for external entities in xmlParsePEReference", + "Description": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/98877", + "http://www.securitytracker.com/id/1038623", + "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa", + "https://bugzilla.redhat.com/show_bug.cgi?id=1462203", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375", + "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e", + "https://security.gentoo.org/glsa/201711-01", + "https://source.android.com/security/bulletin/2017-06-01", + "https://www.debian.org/security/2017/dsa-3952" + ] + }, + { + "VulnerabilityID": "CVE-2017-9047", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Buffer overflow in 
function xmlSnprintfElementContent", + "Description": "A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content-\u003etype is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content-\u003eprefix is appended to buf (if it actually fits) whereupon (ii) content-\u003ename is written to the buffer. However, the check for whether the content-\u003ename actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98599", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047", + "https://security.gentoo.org/glsa/201711-01" + ] + }, + { + "VulnerabilityID": "CVE-2017-9049", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Heap-based buffer over-read in function xmlDictComputeFastKey", + "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. 
This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98601", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049", + "https://security.gentoo.org/glsa/201711-01" + ] + }, + { + "VulnerabilityID": "CVE-2017-9050", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Heap-based buffer over-read in function xmlDictAddString", + "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98568", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050", + "https://github.com/sparklemotion/nokogiri/issues/1673", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html", + "https://security.gentoo.org/glsa/201711-01", + "https://usn.ubuntu.com/usn/usn-3424-1/" + ] + }, + { + 
"VulnerabilityID": "CVE-2018-14404", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c", + "Description": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817", + "https://bugzilla.redhat.com/show_bug.cgi?id=1595985", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404", + "https://github.com/sparklemotion/nokogiri/issues/1785", + "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", + "https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594", + "https://gitlab.gnome.org/GNOME/libxml2/issues/10", + "https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", + "https://usn.ubuntu.com/3739-1/", + "https://usn.ubuntu.com/3739-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19956", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: There's a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c that could result in a crash", + "Description": "xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc-\u003eoldNs.", + 
"Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19956", + "https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549", + "https://lists.debian.org/debian-lts-announce/2019/12/msg00032.html", + "https://security.netapp.com/advisory/ntap-20200114-0002/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20388", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c", + "Description": "xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.", + "Severity": "MEDIUM", + "References": [ + "https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/" + ] + }, + { + "VulnerabilityID": "CVE-2020-7595", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations", + "Description": "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sparklemotion/nokogiri/issues/1992", + "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/", + "https://usn.ubuntu.com/4274-1/" + ] + }, + { + "VulnerabilityID": "CVE-2017-18258", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": 
"sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Unrestricted memory usage in xz_head() function in xzlib.c", + "Description": "The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18258", + "https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", + "https://security.netapp.com/advisory/ntap-20190719-0001/", + "https://usn.ubuntu.com/3739-1/" + ] + }, + { + "VulnerabilityID": "CVE-2017-5969", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Null pointer dereference in xmlSaveDoc implementation", + "Description": "** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. 
NOTE: The maintainer states \"I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser.\"", + "Severity": "LOW", + "References": [ + "http://www.openwall.com/lists/oss-security/2016/11/05/3", + "http://www.openwall.com/lists/oss-security/2017/02/13/1", + "http://www.securityfocus.com/bid/96188", + "https://bugzilla.gnome.org/show_bug.cgi?id=778519", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969", + "https://security.gentoo.org/glsa/201711-01" + ] + }, + { + "VulnerabilityID": "CVE-2017-8872", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Out-of-bounds read in htmlParseTryOrFinish", + "Description": "The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.", + "Severity": "LOW", + "References": [ + "https://bugzilla.gnome.org/show_bug.cgi?id=775200", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872" + ] + }, + { + "VulnerabilityID": "CVE-2017-9048", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Stack-based buffer overflow in function xmlSnprintfElementContent", + "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 \u003c size. 
This vulnerability causes programs that use libxml2, such as PHP, to crash.", + "Severity": "LOW", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98556", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048", + "https://security.gentoo.org/glsa/201711-01" + ] + }, + { + "VulnerabilityID": "CVE-2018-14567", + "PkgName": "libxml2", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Infinite loop caused by incorrect error detection during LZMA decompression", + "Description": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/105198", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567", + "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", + "https://usn.ubuntu.com/3739-1/" + ] + }, { "VulnerabilityID": "CVE-2016-5131", "PkgName": "libxml2-python", 
@@ -8426,9 +8815,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "libxml2: use after free triggered by XPointer paths beginning with range-to", + "SeveritySource": "redhat", + "Title": "libxml2: Use after free triggered by XPointer paths beginning with range-to", "Description": "Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ "http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html", "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", 
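Review bot: The expected Severity for CVE-2016-5131 rises from MEDIUM to HIGH in the same hunk that introduces `"SeveritySource": "redhat"`, so this golden now asserts the vendor's rating in place of the one previously pinned; the same pattern appears in hunks @@ -8504 (CVE-2017-15412, MEDIUM to HIGH) and @@ -8709 (CVE-2015-8035, LOW to MEDIUM), while CVE-2017-18258 for libxml2-python drops from MEDIUM to LOW between hunks @@ -8523 and @@ -8741. The entries appear to be ordered by severity before ID, so each rating change also relocates the entry, which is what turns a handful of field changes into the large delete/re-add blocks in @@ -8459 and @@ -8523 and makes the effective change hard to verify by eye. A sentence in the commit description listing which fields changed (`SeveritySource`, `Severity`, several `Title` values, and ordering) and which vulnerability IDs were genuinely added or dropped rather than moved would let a reviewer check that claim instead of reconciling the blocks by hand. From the visible portion I cannot confirm it either way, since the final hunk runs past the end of this chunk.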
@@ -8459,44 +8849,6 @@ "https://support.apple.com/HT207170" ] }, - { - "VulnerabilityID": "CVE-2016-9318", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: XML External Entity vulnerability", - "Description": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/94347", - "https://bugzilla.gnome.org/show_bug.cgi?id=772726", - "https://github.com/lsh123/xmlsec/issues/43", - "https://security.gentoo.org/glsa/201711-01", - "https://usn.ubuntu.com/3739-1/", - "https://usn.ubuntu.com/3739-2/" - ] - }, - { - "VulnerabilityID": "CVE-2017-0663", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Heap buffer overflow in xmlAddID", - "Description": "A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. 
Android ID: A-37104170.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.securityfocus.com/bid/98877", - "http://www.securitytracker.com/id/1038623", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663", - "https://security.gentoo.org/glsa/201711-01", - "https://source.android.com/security/bulletin/2017-06-01" - ] - }, { "VulnerabilityID": "CVE-2017-15412", "PkgName": "libxml2-python", @@ -8504,9 +8856,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "chromium-browser: use after free in libxml", + "SeveritySource": "redhat", + "Title": "libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c", "Description": "Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", - "Severity": "MEDIUM", + "Severity": "HIGH", "References": [ "http://www.securitytracker.com/id/1040348", "https://access.redhat.com/errata/RHSA-2017:3401", 
@@ -8523,185 +8876,6 @@ "https://www.debian.org/security/2018/dsa-4086" ] }, - { - "VulnerabilityID": "CVE-2017-16932", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Infinite recursion in parameter entities", - "Description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.", - "Severity": "MEDIUM", - "References": [ - "http://xmlsoft.org/news.html", - "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html", - "https://bugzilla.gnome.org/show_bug.cgi?id=759579", - "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961", - "https://github.com/sparklemotion/nokogiri/issues/1714", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html", - "https://usn.ubuntu.com/3739-1/", - "https://usn.ubuntu.com/usn/usn-3504-1/" - ] - }, - { - "VulnerabilityID": "CVE-2017-18258", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: denial of service in xz_head function in xzlib.c", - "Description": "The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.", - "Severity": "MEDIUM", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18258", - "https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", - 
"https://security.netapp.com/advisory/ntap-20190719-0001/", - "https://usn.ubuntu.com/3739-1/" - ] - }, - { - "VulnerabilityID": "CVE-2017-8872", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Out-of-bounds read in htmlParseTryOrFinish", - "Description": "The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.", - "Severity": "MEDIUM", - "References": [ - "https://bugzilla.gnome.org/show_bug.cgi?id=775200", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872" - ] - }, - { - "VulnerabilityID": "CVE-2017-9047", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Buffer overflow in function xmlSnprintfElementContent", - "Description": "A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content-\u003etype is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content-\u003eprefix is appended to buf (if it actually fits) whereupon (ii) content-\u003ename is written to the buffer. However, the check for whether the content-\u003ename actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. 
This vulnerability causes programs that use libxml2, such as PHP, to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98599", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2017-9048", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Stack-based buffer overflow in function xmlSnprintfElementContent", - "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 \u003c size. This vulnerability causes programs that use libxml2, such as PHP, to crash.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98556", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2017-9049", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Heap-based buffer over-read in function xmlDictComputeFastKey", - "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. 
This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98601", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049", - "https://security.gentoo.org/glsa/201711-01" - ] - }, - { - "VulnerabilityID": "CVE-2017-9050", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Heap-based buffer over-read in function xmlDictAddString", - "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.", - "Severity": "MEDIUM", - "References": [ - "http://www.debian.org/security/2017/dsa-3952", - "http://www.openwall.com/lists/oss-security/2017/05/15/1", - "http://www.securityfocus.com/bid/98568", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050", - "https://github.com/sparklemotion/nokogiri/issues/1673", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html", - "https://security.gentoo.org/glsa/201711-01", - 
"https://usn.ubuntu.com/usn/usn-3424-1/" - ] - }, - { - "VulnerabilityID": "CVE-2018-14404", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: NULL pointer dereference in xpath.c:xmlXPathCompOpEval() can allow attackers to cause a denial of service", - "Description": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817", - "https://bugzilla.redhat.com/show_bug.cgi?id=1595985", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404", - "https://github.com/sparklemotion/nokogiri/issues/1785", - "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", - "https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594", - "https://gitlab.gnome.org/GNOME/libxml2/issues/10", - "https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", - "https://usn.ubuntu.com/3739-1/", - "https://usn.ubuntu.com/3739-2/" - ] - }, - { - "VulnerabilityID": "CVE-2018-14567", - "PkgName": "libxml2-python", - "InstalledVersion": "2.9.1-6.el7_2.3", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "libxml2: Infinite loop when --with-lzma is used allows for denial of service via crafted XML file", - "Description": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service 
(infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/105198", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567", - "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", - "https://usn.ubuntu.com/3739-1/" - ] - }, { "VulnerabilityID": "CVE-2015-8035", "PkgName": "libxml2-python", @@ -8709,9 +8883,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "libxml2: DoS when parsing specially crafted XML document if XZ support is enabled", + "SeveritySource": "redhat", + "Title": "libxml2: DoS caused by incorrect error detection during XZ decompression", "Description": "The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ "http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html", "http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html", 
@@ -8741,6 +8916,330 @@ "https://support.apple.com/HT206169" ] }, + { + "VulnerabilityID": "CVE-2016-4483", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: out-of-bounds read", + "Description": "The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.", + "Severity": "MEDIUM", + "References": [ + "http://rhn.redhat.com/errata/RHSA-2016-2957.html", + "http://www.debian.org/security/2016/dsa-3593", + "http://www.openwall.com/lists/oss-security/2016/05/03/8", + "http://www.openwall.com/lists/oss-security/2016/05/04/7", + "http://www.openwall.com/lists/oss-security/2016/06/07/4", + "http://www.openwall.com/lists/oss-security/2016/06/07/5", + "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", + "http://www.securityfocus.com/bid/90013", + "http://www.securitytracker.com/id/1036348", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4483", + "https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd", + "https://security.gentoo.org/glsa/201701-37", + "https://www.tenable.com/security/tns-2016-18" + ] + }, + { + "VulnerabilityID": "CVE-2016-4658", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Use after free via namespace node in XPointer ranges", + "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not 
forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.", + "Severity": "MEDIUM", + "References": [ + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html", + "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html", + "http://www.securityfocus.com/bid/93054", + "http://www.securitytracker.com/id/1036858", + "http://www.securitytracker.com/id/1038623", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658", + "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b", + "https://github.com/sparklemotion/nokogiri/issues/1615", + "https://security.gentoo.org/glsa/201701-37", + "https://support.apple.com/HT207141", + "https://support.apple.com/HT207142", + "https://support.apple.com/HT207143", + "https://support.apple.com/HT207170" + ] + }, + { + "VulnerabilityID": "CVE-2016-9318", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: XML External Entity vulnerability", + "Description": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/94347", + "https://bugzilla.gnome.org/show_bug.cgi?id=772726", + "https://github.com/lsh123/xmlsec/issues/43", + "https://security.gentoo.org/glsa/201711-01", + 
"https://usn.ubuntu.com/3739-1/", + "https://usn.ubuntu.com/3739-2/" + ] + }, + { + "VulnerabilityID": "CVE-2017-0663", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Heap buffer overflow in xmlAddID", + "Description": "A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37104170.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.securityfocus.com/bid/98877", + "http://www.securitytracker.com/id/1038623", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663", + "https://security.gentoo.org/glsa/201711-01", + "https://source.android.com/security/bulletin/2017-06-01" + ] + }, + { + "VulnerabilityID": "CVE-2017-16931", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Mishandling parameter-entity references", + "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.", + "Severity": "MEDIUM", + "References": [ + "http://xmlsoft.org/news.html", + "https://bugzilla.gnome.org/show_bug.cgi?id=766956", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931", + "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3", + 
"https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html" + ] + }, + { + "VulnerabilityID": "CVE-2017-16932", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Infinite recursion in parameter entities", + "Description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.", + "Severity": "MEDIUM", + "References": [ + "http://xmlsoft.org/news.html", + "https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html", + "https://bugzilla.gnome.org/show_bug.cgi?id=759579", + "https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961", + "https://github.com/sparklemotion/nokogiri/issues/1714", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html", + "https://usn.ubuntu.com/3739-1/", + "https://usn.ubuntu.com/usn/usn-3504-1/" + ] + }, + { + "VulnerabilityID": "CVE-2017-7375", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Missing validation for external entities in xmlParsePEReference", + "Description": "A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). 
Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/98877", + "http://www.securitytracker.com/id/1038623", + "https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa", + "https://bugzilla.redhat.com/show_bug.cgi?id=1462203", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375", + "https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e", + "https://security.gentoo.org/glsa/201711-01", + "https://source.android.com/security/bulletin/2017-06-01", + "https://www.debian.org/security/2017/dsa-3952" + ] + }, + { + "VulnerabilityID": "CVE-2017-9047", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Buffer overflow in function xmlSnprintfElementContent", + "Description": "A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content-\u003etype is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content-\u003eprefix is appended to buf (if it actually fits) whereupon (ii) content-\u003ename is written to the buffer. However, the check for whether the content-\u003ename actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about \"size\" many bytes beyond the allocated memory. 
This vulnerability causes programs that use libxml2, such as PHP, to crash.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98599", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047", + "https://security.gentoo.org/glsa/201711-01" + ] + }, + { + "VulnerabilityID": "CVE-2017-9049", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Heap-based buffer over-read in function xmlDictComputeFastKey", + "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98601", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049", + "https://security.gentoo.org/glsa/201711-01" + ] + }, + { + "VulnerabilityID": "CVE-2017-9050", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Heap-based buffer over-read in function xmlDictAddString", + "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. 
This vulnerability exists because of an incomplete fix for CVE-2016-1839.", + "Severity": "MEDIUM", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98568", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050", + "https://github.com/sparklemotion/nokogiri/issues/1673", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html", + "https://security.gentoo.org/glsa/201711-01", + "https://usn.ubuntu.com/usn/usn-3424-1/" + ] + }, + { + "VulnerabilityID": "CVE-2018-14404", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c", + "Description": "A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. 
Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817", + "https://bugzilla.redhat.com/show_bug.cgi?id=1595985", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404", + "https://github.com/sparklemotion/nokogiri/issues/1785", + "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", + "https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594", + "https://gitlab.gnome.org/GNOME/libxml2/issues/10", + "https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", + "https://usn.ubuntu.com/3739-1/", + "https://usn.ubuntu.com/3739-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19956", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: There's a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c that could result in a crash", + "Description": "xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc-\u003eoldNs.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19956", + "https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549", + "https://lists.debian.org/debian-lts-announce/2019/12/msg00032.html", + "https://security.netapp.com/advisory/ntap-20200114-0002/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20388", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": 
"sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c", + "Description": "xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.", + "Severity": "MEDIUM", + "References": [ + "https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/" + ] + }, + { + "VulnerabilityID": "CVE-2020-7595", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations", + "Description": "xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sparklemotion/nokogiri/issues/1992", + "https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/", + "https://usn.ubuntu.com/4274-1/" + ] + }, + { + "VulnerabilityID": "CVE-2017-18258", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Unrestricted memory usage in xz_head() function in xzlib.c", + "Description": "The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.", + "Severity": "LOW", 
+ "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18258", + "https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", + "https://security.netapp.com/advisory/ntap-20190719-0001/", + "https://usn.ubuntu.com/3739-1/" + ] + }, { "VulnerabilityID": "CVE-2017-5969", "PkgName": "libxml2-python", @@ -8748,6 +9247,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "libxml2: Null pointer dereference in xmlSaveDoc implementation", "Description": "** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document. NOTE: The maintainer states \"I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser.\"", "Severity": "LOW", 
@@ -8760,6 +9260,60 @@ "https://security.gentoo.org/glsa/201711-01" ] }, + { + "VulnerabilityID": "CVE-2017-8872", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Out-of-bounds read in htmlParseTryOrFinish", + "Description": "The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.", + "Severity": "LOW", + "References": [ + "https://bugzilla.gnome.org/show_bug.cgi?id=775200", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872" + ] + }, + { + "VulnerabilityID": "CVE-2017-9048", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Stack-based buffer overflow in function xmlSnprintfElementContent", + "Description": "libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 \u003c size. 
This vulnerability causes programs that use libxml2, such as PHP, to crash.", + "Severity": "LOW", + "References": [ + "http://www.debian.org/security/2017/dsa-3952", + "http://www.openwall.com/lists/oss-security/2017/05/15/1", + "http://www.securityfocus.com/bid/98556", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048", + "https://security.gentoo.org/glsa/201711-01" + ] + }, + { + "VulnerabilityID": "CVE-2018-14567", + "PkgName": "libxml2-python", + "InstalledVersion": "2.9.1-6.el7_2.3", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "libxml2: Infinite loop caused by incorrect error detection during LZMA decompression", + "Description": "libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/105198", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567", + "https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html", + "https://usn.ubuntu.com/3739-1/" + ] + }, { "VulnerabilityID": "CVE-2014-5461", "PkgName": "lua", @@ -8767,6 +9321,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "lua: overflow flaw in vararg functions", "Description": "Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.", "Severity": "MEDIUM", 
@@ -8788,6 +9343,32 @@ "https://security.gentoo.org/glsa/201701-53" ] }, + { + "VulnerabilityID": "CVE-2019-17543", + "PkgName": "lz4", + "InstalledVersion": "1.7.5-3.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "lz4: heap-based buffer overflow in LZ4_write32", + "Description": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html", + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941", + "https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2", + "https://github.com/lz4/lz4/issues/801", + "https://github.com/lz4/lz4/pull/756", + "https://github.com/lz4/lz4/pull/760", + "https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E" + ] + }, { "VulnerabilityID": "CVE-2017-10684", "PkgName": "ncurses", 
@@ -8795,9 +9376,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", 
@@ -8811,15 +9393,54 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", "https://security.gentoo.org/glsa/201804-13" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer 
over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2017-11112", "PkgName": "ncurses", @@ -8827,9 +9448,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -8843,9 +9465,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", 
@@ -8859,9 +9482,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -8875,9 +9499,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -8891,9 +9516,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", 
@@ -8907,9 +9533,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -8923,9 +9550,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -8939,9 +9567,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", 
@@ -8955,9 +9584,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -8971,9 +9601,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -8982,6 +9613,21 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2018-10754", + "PkgName": "ncurses", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "ncurses", @@ -8989,9 +9635,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
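Review bot: The entry added here for CVE-2018-10754 pins the fixture to reporting a withdrawn candidate — its Description begins `** REJECT ** DO NOT USE THIS CANDIDATE NUMBER` — now tagged `"SeveritySource": "redhat"` and placed ahead of the other LOW ncurses findings. The same object is deleted further down in the `@@ -9004,28 +9651,15 @@` hunk without the source field, so the net change is a move plus the added field rather than a new finding. Nothing in this diff decides whether rejected CVEs should be surfaced at all, so the golden file now bakes that behaviour into the expected output; if filtering rejected candidates is ever intended, this expectation (and the parallel ncurses-base one in the `@@ -9220,6 +9904,21 @@` hunk) will need updating. The new ordering appears to follow severity then vulnerability ID, which would explain the move — worth confirming against the sort the scanner applies.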
@@ -9004,28 +9651,15 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_name_match", "Description": "** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643753", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217" ] }, - { - "VulnerabilityID": "CVE-2018-10754", - "PkgName": "ncurses", - "InstalledVersion": "5.9-14.20130511.el7_4", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "LOW", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" - ] - }, { "VulnerabilityID": "CVE-2017-10684", "PkgName": "ncurses-base", 
@@ -9033,9 +9667,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", 
@@ -9049,15 +9684,54 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", "https://security.gentoo.org/glsa/201804-13" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-base", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses-base", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a 
heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2017-11112", "PkgName": "ncurses-base", @@ -9065,9 +9739,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -9081,9 +9756,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", 
@@ -9097,9 +9773,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -9113,9 +9790,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -9129,9 +9807,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", 
@@ -9145,9 +9824,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -9161,9 +9841,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -9177,9 +9858,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", 
@@ -9193,9 +9875,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -9209,9 +9892,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -9220,6 +9904,21 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2018-10754", + "PkgName": "ncurses-base", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "ncurses-base", @@ -9227,9 +9926,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -9242,28 +9942,15 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_name_match", "Description": "** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643753", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217" ] }, - { - "VulnerabilityID": "CVE-2018-10754", - "PkgName": "ncurses-base", - "InstalledVersion": "5.9-14.20130511.el7_4", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "LOW", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" - ] - }, { "VulnerabilityID": "CVE-2017-10684", "PkgName": "ncurses-libs", 
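Review bot: This hunk deletes the CVE-2018-10754 entry only for the preceding hunk to re-add it, identical apart from `SeveritySource`, ahead of CVE-2018-19211, and the same swap happens for CVE-2017-7781 under nss-softokn below. The ordering appears to follow the vulnerability database's iteration order rather than anything the scanner guarantees, so every DB refresh will churn this fixture and bury real changes in reorder noise. Consider sorting each package's findings by `VulnerabilityID` (or `PkgName` then `VulnerabilityID`) in the reporter, or in the test's comparison step before diffing against the golden, so only genuine additions, removals and severity changes show up. The enclosing JSON array starts and ends outside this hunk.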
@@ -9271,9 +9958,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", 
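Review bot: The severity for CVE-2017-10684 drops from HIGH to MEDIUM in this hunk while its Description still says a crafted input leads to remote arbitrary code execution; the new `"SeveritySource": "redhat"` field shows the rating now comes from the distro advisory rather than NVD, and the neighbouring ncurses hunks likewise move MEDIUM to LOW. That is defensible for RHEL packages, but anyone who gates on a severity threshold will silently stop seeing these findings after this upgrade, so the fixture change is a policy change rather than a data refresh. The commit message should state that severities now follow the vendor rating when one exists and that NVD's rating is no longer what `Severity` means for these packages. Nothing in the output records the overridden NVD score, so `SeveritySource` is the only way a consumer can tell the two apart — worth calling out in the reporter's documentation.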
@@ -9287,15 +9975,54 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", "https://security.gentoo.org/glsa/201804-13" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-libs", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses-libs", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a 
heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2017-11112", "PkgName": "ncurses-libs", @@ -9303,9 +10030,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -9319,9 +10047,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", 
@@ -9335,9 +10064,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -9351,9 +10081,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -9367,9 +10098,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", 
@@ -9383,9 +10115,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -9399,9 +10132,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -9415,9 +10149,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", 
@@ -9431,9 +10166,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -9447,9 +10183,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -9458,6 +10195,21 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2018-10754", + "PkgName": "ncurses-libs", + "InstalledVersion": "5.9-14.20130511.el7_4", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", + "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", + "Severity": "LOW", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" + ] + }, { "VulnerabilityID": "CVE-2018-19211", "PkgName": "ncurses-libs", @@ -9465,9 +10217,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c", "Description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19211" 
@@ -9480,28 +10233,15 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "ncurses: Null pointer dereference at function _nc_name_match", "Description": "** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1643753", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19217" ] }, - { - "VulnerabilityID": "CVE-2018-10754", - "PkgName": "ncurses-libs", - "InstalledVersion": "5.9-14.20130511.el7_4", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "ncurses: NULL Pointer Dereference in _nc_parse_entry function in tinfo/parse_entry.c.", - "Description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", - "Severity": "LOW", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10754" - ] - }, { "VulnerabilityID": "CVE-2016-1951", "PkgName": "nspr", 
@@ -9509,9 +10249,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "nspr: Memory allocation issue related to PR_*printf functions", "Description": "Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable Runtime (NSPR) before 4.12 allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long string to a PR_*printf function.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.securityfocus.com/bid/92385", "http://www.securitytracker.com/id/1036590", 
@@ -9523,6 +10264,34 @@ "https://hg.mozilla.org/projects/nspr/rev/96381e3aaae2" ] }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss", + "InstalledVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2015-2808", "PkgName": "nss", 
@@ -9530,6 +10299,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", @@ -9537,6 +10307,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -9645,11 +10417,14 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)", "Description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", "Severity": "MEDIUM", "References": [ "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759", + "http://linux.oracle.com/cve/CVE-2016-2183.html", + "http://linux.oracle.com/errata/ELSA-2018-2123.html", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "http://rhn.redhat.com/errata/RHSA-2017-0337.html", @@ -9682,6 +10457,7 @@ "https://access.redhat.com/errata/RHSA-2017:3240", "https://access.redhat.com/errata/RHSA-2018:2123", "https://access.redhat.com/errata/RHSA-2019:1245", + "https://access.redhat.com/errata/RHSA-2019:2859", "https://access.redhat.com/security/cve/cve-2016-2183", "https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/", "https://bto.bluecoat.com/security-advisory/sa133", 
@@ -9714,6 +10490,7 @@ "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008", "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.sigsac.org/ccs/CCS2016/accepted-papers/", "https://www.tenable.com/security/tns-2016-16", "https://www.tenable.com/security/tns-2016-20", @@ -9729,6 +10506,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "nss: Insufficient timing side-channel resistance in divSpoiler", "Description": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50.", "Severity": "MEDIUM", @@ -9753,6 +10531,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "nss: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA", "Description": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.", "Severity": "MEDIUM", 
@@ -9769,14 +10548,168 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", "Description": "No description is available for this CVE.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18508.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" ] }, + { + "VulnerabilityID": "CVE-2019-11719", + "PkgName": "nss", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds read when importing curve25519 private key", + "Description": "When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11719.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1540541", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss", + "InstalledVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11756", + "PkgName": "nss", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: UAF in sftk_FreeSession due to improper refcounting", + "Description": "Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). 
This vulnerability affects Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes", + "https://www.mozilla.org/security/advisories/mfsa2019-36/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17006", + "PkgName": "nss", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Check length of inputs for cryptographic primitives", + "Description": "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17006", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2019-11727", + "PkgName": "nss", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: PKCS#1 v1.5 signatures can be used for TLS 1.3", + "Description": "A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox \u003c 68.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11727.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1552208", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727", + "https://www.mozilla.org/security/advisories/mfsa2019-21/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17023", + "PkgName": "nss", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state", + "Description": "After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. 
This vulnerability affects Firefox \u003c 72.", + "Severity": "LOW", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1590001", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes", + "https://usn.ubuntu.com/4234-1/", + "https://www.mozilla.org/security/advisories/mfsa2020-01/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn", + "InstalledVersion": "3.44.0-5.el7", + "FixedVersion": "3.44.0-8.el7_7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2015-2613", "PkgName": "nss-softokn", @@ -9784,6 +10717,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "NSS / JCE: missing EC parameter validation in ECDH_Derive() (OpenJDK JCE, 8075833)", "Description": "Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE.", "Severity": "MEDIUM", 
@@ -9811,6 +10745,51 @@ "https://security.gentoo.org/glsa/201603-14" ] }, + { + "VulnerabilityID": "CVE-2017-7781", + "PkgName": "nss-softokn", + "InstalledVersion": "3.44.0-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", + "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/100383", + "http://www.securitytracker.com/id/1039124", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", + "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", + "https://www.mozilla.org/security/advisories/mfsa2017-18/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-softokn", + "InstalledVersion": "3.44.0-5.el7", + "FixedVersion": "3.44.0-8.el7_7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, { "VulnerabilityID": "CVE-2016-1938", "PkgName": "nss-softokn", @@ -9818,9 +10797,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "Mozilla NSS: Errors in mp_div and mp_exptmod cryptographic functions", "Description": "The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html", "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html", 
@@ -9849,21 +10829,31 @@ ] }, { - "VulnerabilityID": "CVE-2017-7781", - "PkgName": "nss-softokn", + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-softokn-freebl", "InstalledVersion": "3.44.0-5.el7", + "FixedVersion": "3.44.0-8.el7_7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", - "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securityfocus.com/bid/100383", - "http://www.securitytracker.com/id/1039124", - "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", - "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", - "https://www.mozilla.org/security/advisories/mfsa2017-18/" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { @@ -9873,6 +10863,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "NSS / JCE: missing EC parameter validation in ECDH_Derive() (OpenJDK JCE, 8075833)", "Description": "Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE.", "Severity": "MEDIUM", 
@@ -9900,6 +10891,51 @@ "https://security.gentoo.org/glsa/201603-14" ] }, + { + "VulnerabilityID": "CVE-2017-7781", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.44.0-5.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", + "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/100383", + "http://www.securitytracker.com/id/1039124", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", + "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", + "https://www.mozilla.org/security/advisories/mfsa2017-18/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-softokn-freebl", + "InstalledVersion": "3.44.0-5.el7", + "FixedVersion": "3.44.0-8.el7_7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, { "VulnerabilityID": "CVE-2016-1938", "PkgName": "nss-softokn-freebl", @@ -9907,9 +10943,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "Mozilla NSS: Errors in mp_div and mp_exptmod cryptographic functions", "Description": "The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html", "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html", 
@@ -9938,21 +10975,31 @@ ] }, { - "VulnerabilityID": "CVE-2017-7781", - "PkgName": "nss-softokn-freebl", - "InstalledVersion": "3.44.0-5.el7", + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "Mozilla: Elliptic curve point addition error when using mixed Jacobian-affine coordinates (MFSA 2017-18)", - "Description": "An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result \"POINT_AT_INFINITY\" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox \u003c 55.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. 
This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", "References": [ - "http://www.securityfocus.com/bid/100383", - "http://www.securitytracker.com/id/1039124", - "https://bugzilla.mozilla.org/show_bug.cgi?id=1352039", - "https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7781", - "https://www.mozilla.org/security/advisories/mfsa2017-18/" + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + "https://www.mozilla.org/security/advisories/mfsa2019-38/" ] }, { 
@@ -9962,6 +11009,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", @@ -9969,6 +11017,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -10077,11 +11127,14 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)", "Description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", "Severity": "MEDIUM", "References": [ "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759", + "http://linux.oracle.com/cve/CVE-2016-2183.html", + "http://linux.oracle.com/errata/ELSA-2018-2123.html", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "http://rhn.redhat.com/errata/RHSA-2017-0337.html", @@ -10114,6 +11167,7 @@ "https://access.redhat.com/errata/RHSA-2017:3240", "https://access.redhat.com/errata/RHSA-2018:2123", "https://access.redhat.com/errata/RHSA-2019:1245", + "https://access.redhat.com/errata/RHSA-2019:2859", "https://access.redhat.com/security/cve/cve-2016-2183", "https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/", "https://bto.bluecoat.com/security-advisory/sa133", 
@@ -10146,6 +11200,7 @@ "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008", "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.sigsac.org/ccs/CCS2016/accepted-papers/", "https://www.tenable.com/security/tns-2016-16", "https://www.tenable.com/security/tns-2016-20", @@ -10161,6 +11216,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "nss: Insufficient timing side-channel resistance in divSpoiler", "Description": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50.", "Severity": "MEDIUM", @@ -10185,6 +11241,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "nss: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA", "Description": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.", "Severity": "MEDIUM", 
@@ -10201,14 +11258,168 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", "Description": "No description is available for this CVE.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18508.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" ] }, + { + "VulnerabilityID": "CVE-2019-11719", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds read when importing curve25519 private key", + "Description": "When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11719.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1540541", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11756", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: UAF in sftk_FreeSession due to improper refcounting", + "Description": "Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). 
This vulnerability affects Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes", + "https://www.mozilla.org/security/advisories/mfsa2019-36/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17006", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Check length of inputs for cryptographic primitives", + "Description": "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17006", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2019-11727", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: PKCS#1 v1.5 signatures can be used for TLS 1.3", + "Description": "A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox \u003c 68.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11727.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1552208", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727", + "https://www.mozilla.org/security/advisories/mfsa2019-21/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17023", + "PkgName": "nss-sysinit", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state", + "Description": "After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. 
This vulnerability affects Firefox \u003c 72.", + "Severity": "LOW", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1590001", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes", + "https://usn.ubuntu.com/4234-1/", + "https://www.mozilla.org/security/advisories/mfsa2020-01/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-tools", + "InstalledVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, { "VulnerabilityID": "CVE-2015-2808", "PkgName": "nss-tools", @@ -10216,6 +11427,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", @@ -10223,6 +11435,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -10331,11 +11545,14 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)", "Description": "The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.", "Severity": "MEDIUM", "References": [ "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759", + "http://linux.oracle.com/cve/CVE-2016-2183.html", + "http://linux.oracle.com/errata/ELSA-2018-2123.html", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "http://rhn.redhat.com/errata/RHSA-2017-0337.html", @@ -10368,6 +11585,7 @@ "https://access.redhat.com/errata/RHSA-2017:3240", "https://access.redhat.com/errata/RHSA-2018:2123", "https://access.redhat.com/errata/RHSA-2019:1245", + "https://access.redhat.com/errata/RHSA-2019:2859", "https://access.redhat.com/security/cve/cve-2016-2183", "https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/", "https://bto.bluecoat.com/security-advisory/sa133", 
@@ -10400,6 +11618,7 @@ "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008", "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "https://www.sigsac.org/ccs/CCS2016/accepted-papers/", "https://www.tenable.com/security/tns-2016-16", "https://www.tenable.com/security/tns-2016-20", @@ -10415,6 +11634,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "nss: Insufficient timing side-channel resistance in divSpoiler", "Description": "An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. This vulnerability affects Thunderbird \u003c 45.5, Firefox ESR \u003c 45.5, and Firefox \u003c 50.", "Severity": "MEDIUM", @@ -10439,6 +11659,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "nss: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA", "Description": "nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.", "Severity": "MEDIUM", 
@@ -10455,36 +11676,215 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "nss: NULL pointer dereference in several CMS functions resulting in a denial of service", "Description": "No description is available for this CVE.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-18508.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18508", "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41.1_release_notes" ] }, { - "VulnerabilityID": "CVE-2015-1546", + "VulnerabilityID": "CVE-2019-11719", + "PkgName": "nss-tools", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds read when importing curve25519 private key", + "Description": "When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11719.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1540541", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-tools", + "InstalledVersion": "3.44.0-4.el7", + "FixedVersion": "3.44.0-7.el7_7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. 
This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11756", + "PkgName": "nss-tools", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: UAF in sftk_FreeSession due to improper refcounting", + "Description": "Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). 
This vulnerability affects Firefox \u003c 71.", + "Severity": "MEDIUM", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1508776", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes", + "https://www.mozilla.org/security/advisories/mfsa2019-36/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17006", + "PkgName": "nss-tools", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Check length of inputs for cryptographic primitives", + "Description": "A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17006", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes" + ] + }, + { + "VulnerabilityID": "CVE-2019-11727", + "PkgName": "nss-tools", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: PKCS#1 v1.5 signatures can be used for TLS 1.3", + "Description": "A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox \u003c 68.", + "Severity": "LOW", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11727.html", + "http://linux.oracle.com/errata/ELSA-2019-1951.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1552208", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727", + "https://www.mozilla.org/security/advisories/mfsa2019-21/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17023", + "PkgName": "nss-tools", + "InstalledVersion": "3.44.0-4.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state", + "Description": "After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. 
This vulnerability affects Firefox \u003c 72.", + "Severity": "LOW", + "References": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1590001", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes", + "https://usn.ubuntu.com/4234-1/", + "https://www.mozilla.org/security/advisories/mfsa2020-01/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11745", + "PkgName": "nss-util", + "InstalledVersion": "3.44.0-3.el7", + "FixedVersion": "3.44.0-4.el7_7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate", + "Description": "When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 68.3, Firefox ESR \u003c 68.3, and Firefox \u003c 71.", + "Severity": "HIGH", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11745.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00000.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00001.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1586176", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44.3_release_notes", + "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes", + "https://usn.ubuntu.com/4241-1/", + "https://www.mozilla.org/security/advisories/mfsa2019-36/", + "https://www.mozilla.org/security/advisories/mfsa2019-37/", + 
"https://www.mozilla.org/security/advisories/mfsa2019-38/" + ] + }, + { + "VulnerabilityID": "CVE-2019-11729", + "PkgName": "nss-util", + "InstalledVersion": "3.44.0-3.el7", + "FixedVersion": "3.44.0-4.el7_7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault", + "Description": "Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR \u003c 60.8, Firefox \u003c 68, and Thunderbird \u003c 60.8.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-11729.html", + "http://linux.oracle.com/errata/ELSA-2019-4190.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html", + "https://access.redhat.com/errata/RHSA-2019:1951", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1515342", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729", + "https://www.mozilla.org/security/advisories/mfsa2019-21/", + "https://www.mozilla.org/security/advisories/mfsa2019-22/", + "https://www.mozilla.org/security/advisories/mfsa2019-23/" + ] + }, + { + "VulnerabilityID": "CVE-2019-13057", "PkgName": "openldap", "InstalledVersion": "2.4.44-21.el7_6", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "openldap: slapd crash in valueReturnFilter cleanup", - "Description": "Double free vulnerability in the get_vrFilter function in servers/slapd/filter.c in OpenLDAP 2.4.40 allows remote attackers to cause a denial of service (crash) via a crafted search query with a matched values control.", + 
"SeveritySource": "redhat", + "Title": "openldap: Information disclosure issue in slapd component", + "Description": "An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)", "Severity": "MEDIUM", "References": [ - "http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html", - "http://lists.opensuse.org/opensuse-updates/2015-07/msg00069.html", - "http://secunia.com/advisories/62787", - "http://www.mandriva.com/security/advisories?name=MDVSA-2015:073", - "http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a", - "http://www.openldap.org/its/?findid=8046", - "http://www.openwall.com/lists/oss-security/2015/02/07/3", - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776991", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/100938", - "https://support.apple.com/HT204659" + "http://www.openldap.org/lists/openldap-announce/201907/msg00001.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13057", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html", + "https://openldap.org/its/?findid=9038", + "https://security.netapp.com/advisory/ntap-20190822-0004/", + "https://usn.ubuntu.com/4078-1/", + "https://usn.ubuntu.com/4078-2/", + "https://www.openldap.org/its/?findid=9038", + "https://www.openldap.org/lists/openldap-announce/201907/msg00001.html" ] }, { 
@@ -10494,6 +11894,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "openldap: ACL restrictions bypass due to sasl_ssf value being set permanently", "Description": "An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.", "Severity": "MEDIUM", @@ -10517,6 +11918,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "openldap-servers: /usr/libexec/openldap/generate-server-cert.sh create world readable password file", "Description": "/usr/libexec/openldap/generate-server-cert.sh in openldap-servers sets weak permissions for the TLS certificate, which allows local users to obtain the TLS certificate by leveraging a race condition between the creation of the certificate, and the chmod to protect it.", "Severity": "LOW", 
@@ -10524,42 +11926,6 @@ "https://bugzilla.redhat.com/show_bug.cgi?id=1346120" ] }, - { - "VulnerabilityID": "CVE-2017-14159", - "PkgName": "openldap", - "InstalledVersion": "2.4.44-21.el7_6", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "openldap: Privilege escalation via PID file manipulation", - "Description": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.", - "Severity": "LOW", - "References": [ - "http://www.openldap.org/its/index.cgi?findid=8703" - ] - }, - { - "VulnerabilityID": "CVE-2019-13057", - "PkgName": "openldap", - "InstalledVersion": "2.4.44-21.el7_6", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "openldap: Information disclosure issue in slapd component", - "Description": "An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. 
(It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)", - "Severity": "LOW", - "References": [ - "http://www.openldap.org/lists/openldap-announce/201907/msg00001.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13057", - "https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html", - "https://openldap.org/its/?findid=9038", - "https://security.netapp.com/advisory/ntap-20190822-0004/", - "https://usn.ubuntu.com/4078-1/", - "https://usn.ubuntu.com/4078-2/", - "https://www.openldap.org/its/?findid=9038", - "https://www.openldap.org/lists/openldap-announce/201907/msg00001.html" - ] - }, { "VulnerabilityID": "CVE-2015-2808", "PkgName": "openssl-libs", @@ -10567,6 +11933,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "SSL/TLS: \"Invariance Weakness\" vulnerability in RC4 stream cipher", "Description": "The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the \"Bar Mitzvah\" issue.", "Severity": "MEDIUM", 
@@ -10574,6 +11941,8 @@ "http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705", "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10727", + "http://linux.oracle.com/cve/CVE-2015-2808.html", + "http://linux.oracle.com/errata/ELSA-2015-1526.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html", "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html", 
@@ -10675,6 +12044,29 @@ "https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf" ] }, + { + "VulnerabilityID": "CVE-2019-1547", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-19.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "openssl: side-channel weak encryption vulnerability", + "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "MEDIUM", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://arxiv.org/abs/1909.01785", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, { "VulnerabilityID": "CVE-2018-0735", "PkgName": "openssl-libs", @@ -10682,10 +12074,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "openssl: timing side channel attack in the ECDSA signature generation", "Description": "The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-0735.html", + "http://linux.oracle.com/errata/ELSA-2019-3700.html", "http://www.securityfocus.com/bid/105750", "http://www.securitytracker.com/id/1041986", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0735", 
@@ -10702,6 +12097,32 @@ "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" ] }, + { + "VulnerabilityID": "CVE-2019-1551", + "PkgName": "openssl-libs", + "InstalledVersion": "1:1.0.2k-19.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", + "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). 
Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html", + "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98", + "https://github.com/openssl/openssl/pull/10575", + "https://seclists.org/bugtraq/2019/Dec/39", + "https://seclists.org/bugtraq/2019/Dec/46", + "https://security.netapp.com/advisory/ntap-20191210-0001/", + "https://www.debian.org/security/2019/dsa-4594", + "https://www.openssl.org/news/secadv/20191206.txt", + "https://www.tenable.com/security/tns-2019-09" + ] + }, { "VulnerabilityID": "CVE-2019-1563", "PkgName": "openssl-libs", 
@@ -10709,9 +12130,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", 
@@ -10723,28 +12145,6 @@ "https://www.openssl.org/news/secadv/20190910.txt" ] }, - { - "VulnerabilityID": "CVE-2019-1547", - "PkgName": "openssl-libs", - "InstalledVersion": "1:1.0.2k-19.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "openssl: side-channel weak encryption vulnerability", - "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", - "Severity": "LOW", - "References": [ - "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", - "https://arxiv.org/abs/1909.01785", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", - "https://seclists.org/bugtraq/2019/Sep/25", - "https://security.netapp.com/advisory/ntap-20190919-0002/", - "https://www.openssl.org/news/secadv/20190910.txt" - ] - }, { "VulnerabilityID": "CVE-2015-8380", "PkgName": "pcre", @@ -10752,9 +12152,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: OOB write when pcre_exec() is called with ovecsize of 1 (8.38/10)", "Description": "The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \\01 string, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173700.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -10774,9 +12175,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: Integer overflow in subroutine calls (8.38/8)", "Description": "PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", @@ -10795,9 +12197,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: uninitialized memory read triggered by malformed posix character class (8.38/22)", "Description": "PCRE before 8.38 mishandles the [: and \\\\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", 
@@ -10809,65 +12212,6 @@ "https://security.gentoo.org/glsa/201607-02" ] }, - { - "VulnerabilityID": "CVE-2015-8394", - "PkgName": "pcre", - "InstalledVersion": "8.32-17.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", - "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", - "Severity": "HIGH", - "References": [ - "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/82990", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", - "https://security.gentoo.org/glsa/201607-02" - ] - }, - { - "VulnerabilityID": "CVE-2017-11164", - "PkgName": "pcre", - "InstalledVersion": "8.32-17.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", - "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "Severity": "HIGH", - "References": [ - "http://openwall.com/lists/oss-security/2017/07/11/3", - "http://www.securityfocus.com/bid/99575" - ] - }, - { - "VulnerabilityID": "CVE-2015-8382", - "PkgName": "pcre", - "InstalledVersion": "8.32-17.el7", 
- "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "php: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)", - "Description": "The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.", - "Severity": "MEDIUM", - "References": [ - "http://git.php.net/?p=php-src.git;a=commit;h=c351b47ce85a3a147cfa801fa9f0149ab4160834", - "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", - "http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502\u0026r2=1510", - "http://www.openwall.com/lists/oss-security/2015/08/04/3", - "http://www.openwall.com/lists/oss-security/2015/11/29/1", - "http://www.securityfocus.com/bid/76157", - "https://bto.bluecoat.com/security-advisory/sa128", - "https://bugs.exim.org/show_bug.cgi?id=1537", - "https://bugzilla.redhat.com/show_bug.cgi?id=1187225", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8382" - ] - }, { "VulnerabilityID": "CVE-2015-8393", "PkgName": "pcre", @@ -10875,6 +12219,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: pcregrep -q is not always quiet (8.38/28)", "Description": "pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.", "Severity": "MEDIUM", 
@@ -10889,6 +12234,28 @@ "https://security.gentoo.org/glsa/201607-02" ] }, + { + "VulnerabilityID": "CVE-2015-8394", + "PkgName": "pcre", + "InstalledVersion": "8.32-17.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "pcre: Integer overflow caused by missing check for certain conditions (8.38/31)", + "Description": "PCRE before 8.38 mishandles the (?(\u003cdigits\u003e) and (?(R\u003cdigits\u003e) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.", + "Severity": "MEDIUM", + "References": [ + "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/82990", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731", + "https://security.gentoo.org/glsa/201607-02" + ] + }, { "VulnerabilityID": "CVE-2017-6004", "PkgName": "pcre", @@ -10896,6 +12263,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3)", "Description": "The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.", "Severity": "MEDIUM", 
@@ -10916,6 +12284,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: Invalid Unicode property lookup (8.41/7, 10.24/2)", "Description": "libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.", "Severity": "MEDIUM", 
@@ -10933,6 +12302,46 @@ "https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_ucd.c?r1=316\u0026r2=670\u0026sortby=date" ] }, + { + "VulnerabilityID": "CVE-2015-8382", + "PkgName": "pcre", + "InstalledVersion": "8.32-17.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "php: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)", + "Description": "The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.", + "Severity": "LOW", + "References": [ + "http://git.php.net/?p=php-src.git;a=commit;h=c351b47ce85a3a147cfa801fa9f0149ab4160834", + "http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup", + "http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502\u0026r2=1510", + "http://www.openwall.com/lists/oss-security/2015/08/04/3", + "http://www.openwall.com/lists/oss-security/2015/11/29/1", + "http://www.securityfocus.com/bid/76157", + "https://bto.bluecoat.com/security-advisory/sa128", + "https://bugs.exim.org/show_bug.cgi?id=1537", + "https://bugzilla.redhat.com/show_bug.cgi?id=1187225", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8382" + ] + }, + { + "VulnerabilityID": "CVE-2017-11164", + "PkgName": "pcre", + "InstalledVersion": "8.32-17.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", + "Description": "In PCRE 8.41, the OP_KETRMAX 
feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2017/07/11/3", + "http://www.securityfocus.com/bid/99575" + ] + }, { "VulnerabilityID": "CVE-2017-7244", "PkgName": "pcre", @@ -10940,9 +12349,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)", "Description": "The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -10958,9 +12368,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -10975,9 +12386,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -10985,27 +12397,6 @@ "https://security.gentoo.org/glsa/201710-25" ] }, - { - "VulnerabilityID": "CVE-2017-16231", - "PkgName": "pcre", - "InstalledVersion": "8.32-17.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", - "Description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", - "Severity": "LOW", - "References": [ - "http://packetstormsecurity.com/files/150897/PCRE-8.41-Buffer-Overflow.html", - "http://seclists.org/fulldisclosure/2018/Dec/33", - "http://www.openwall.com/lists/oss-security/2017/11/01/11", - "http://www.openwall.com/lists/oss-security/2017/11/01/3", - "http://www.openwall.com/lists/oss-security/2017/11/01/7", - "http://www.openwall.com/lists/oss-security/2017/11/01/8", - "http://www.securityfocus.com/bid/101688", - "https://bugs.exim.org/show_bug.cgi?id=2047" - ] - }, { "VulnerabilityID": "CVE-2018-1121", "PkgName": "procps-ng", 
@@ -11013,9 +12404,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "procps-ng, procps: process hiding through race condition enumerating /proc", "Description": "procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://seclists.org/oss-sec/2018/q2/122", "http://www.securityfocus.com/bid/104214", @@ -11032,9 +12424,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "procps-ng, procps: denial of service in ps via mmap buffer overflow", "Description": "procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maps a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://seclists.org/oss-sec/2018/q2/122", "http://www.securityfocus.com/bid/104214", 
@@ -11056,9 +12449,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "procps-ng, procps: stack buffer overflow in pgrep", "Description": "procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://seclists.org/oss-sec/2018/q2/122", "http://www.securityfocus.com/bid/104214", 
@@ -11071,29 +12465,6 @@ "https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt" ] }, - { - "VulnerabilityID": "CVE-2017-1000158", - "PkgName": "python", - "InstalledVersion": "2.7.5-86.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", - "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", - "Severity": "HIGH", - "References": [ - "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", - "http://www.securitytracker.com/id/1039890", - "https://bugs.python.org/issue30657", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", - "https://security.gentoo.org/glsa/201805-02", - "https://www.debian.org/security/2018/dsa-4307" - ] - }, { "VulnerabilityID": "CVE-2013-1664", "PkgName": "python", 
@@ -11101,6 +12472,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "Python xml bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities", "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", "Severity": "MEDIUM", @@ -11125,6 +12497,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities", "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", "Severity": "MEDIUM", @@ -11150,6 +12523,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "python: hash secret can be recovered remotely", "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", "Severity": "MEDIUM", 
@@ -11163,23 +12537,27 @@ ] }, { - "VulnerabilityID": "CVE-2018-1000030", + "VulnerabilityID": "CVE-2017-1000158", "PkgName": "python", "InstalledVersion": "2.7.5-86.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", - "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. 
The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "SeveritySource": "redhat", + "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", + "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", "Severity": "MEDIUM", "References": [ - "https://bugs.python.org/issue31530", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", - "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", - "https://security.gentoo.org/glsa/201811-02", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0" + "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", + "http://www.securitytracker.com/id/1039890", + "https://bugs.python.org/issue30657", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", + "https://security.gentoo.org/glsa/201805-02", + "https://www.debian.org/security/2018/dsa-4307" ] }, { 
@@ -11189,10 +12567,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "python: Cookie domain check returns incorrect results", "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20852.html", + "http://linux.oracle.com/errata/ELSA-2019-4884.html", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html", "https://bugs.python.org/issue35121", @@ -11208,6 +12589,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "python: email.utils.parseaddr wrongly parses email addresses", "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", "Severity": "MEDIUM", 
@@ -11224,26 +12606,106 @@ ] }, { - "VulnerabilityID": "CVE-2017-1000158", - "PkgName": "python-libs", + "VulnerabilityID": "CVE-2019-16935", + "PkgName": "python", "InstalledVersion": "2.7.5-86.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", - "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field", + "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. 
If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "Severity": "MEDIUM", "References": [ - "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", - "http://www.securitytracker.com/id/1039890", - "https://bugs.python.org/issue30657", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", - "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", - "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", - "https://security.gentoo.org/glsa/201805-02", - "https://www.debian.org/security/2018/dsa-4307" + "https://bugs.python.org/issue38243", + "https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897", + "https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213", + "https://github.com/python/cpython/pull/16373", + "https://security.netapp.com/advisory/ntap-20191017-0004/", + "https://usn.ubuntu.com/4151-1/", + "https://usn.ubuntu.com/4151-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18348", + "PkgName": "python", + "InstalledVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "python: CRLF injection via the host part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. 
This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue30458#msg347282", + "https://bugzilla.redhat.com/show_bug.cgi?id=1727276", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://security.netapp.com/advisory/ntap-20191107-0004/" + ] + }, + { + "VulnerabilityID": "CVE-2020-8492", + "PkgName": "python", + "InstalledVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS", + "Description": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue39503", + "https://github.com/python/cpython/pull/18284", + "https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html", + "https://security.netapp.com/advisory/ntap-20200221-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000030", + "PkgName": "python", + "InstalledVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + 
}, + "SeveritySource": "redhat", + "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", + "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "Severity": "LOW", + "References": [ + "https://bugs.python.org/issue31530", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", + "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", + "https://security.gentoo.org/glsa/201811-02", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-9674", + "PkgName": "python", + "InstalledVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "python: Nested 
zip file (Zip bomb) vulnerability in Lib/zipfile.py", + "Description": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue36260", + "https://bugs.python.org/issue36462", + "https://github.com/python/cpython/blob/master/Lib/zipfile.py", + "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb", + "https://security.netapp.com/advisory/ntap-20200221-0003/", + "https://www.python.org/news/security/" ] }, { @@ -11253,6 +12715,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "Python xml bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities", "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.", "Severity": "MEDIUM", @@ -11277,6 +12740,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "Python xml bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities", "Description": "The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.", "Severity": "MEDIUM", 
@@ -11302,6 +12766,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "python: hash secret can be recovered remotely", "Description": "Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.", "Severity": "MEDIUM", 
@@ -11315,23 +12780,27 @@ ] }, { - "VulnerabilityID": "CVE-2018-1000030", + "VulnerabilityID": "CVE-2017-1000158", "PkgName": "python-libs", "InstalledVersion": "2.7.5-86.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", - "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. 
The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "SeveritySource": "redhat", + "Title": "python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow", + "Description": "CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)", "Severity": "MEDIUM", "References": [ - "https://bugs.python.org/issue31530", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", - "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", - "https://security.gentoo.org/glsa/201811-02", - "https://usn.ubuntu.com/3817-1/", - "https://usn.ubuntu.com/3817-2/", - "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0" + "http://python-security.readthedocs.io/vuln/cve-2017-1000158_pystring_decodeescape_integer_overflow.html", + "http://www.securitytracker.com/id/1039890", + "https://bugs.python.org/issue30657", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00035.html", + "https://lists.debian.org/debian-lts-announce/2017/11/msg00036.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html", + "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html", + "https://security.gentoo.org/glsa/201805-02", + "https://www.debian.org/security/2018/dsa-4307" ] }, { 
@@ -11341,10 +12810,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "python: Cookie domain check returns incorrect results", "Description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-20852.html", + "http://linux.oracle.com/errata/ELSA-2019-4884.html", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00071.html", "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00074.html", "https://bugs.python.org/issue35121", @@ -11360,6 +12832,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "python: email.utils.parseaddr wrongly parses email addresses", "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", "Severity": "MEDIUM", 
@@ -11375,6 +12848,109 @@ "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" ] }, + { + "VulnerabilityID": "CVE-2019-16935", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field", + "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue38243", + "https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897", + "https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213", + "https://github.com/python/cpython/pull/16373", + "https://security.netapp.com/advisory/ntap-20191017-0004/", + "https://usn.ubuntu.com/4151-1/", + "https://usn.ubuntu.com/4151-2/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18348", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "python: CRLF injection via the host part of the url passed to urlopen()", + "Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. 
CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)", + "Severity": "MEDIUM", + "References": [ + "https://bugs.python.org/issue30458#msg347282", + "https://bugzilla.redhat.com/show_bug.cgi?id=1727276", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://security.netapp.com/advisory/ntap-20191107-0004/" + ] + }, + { + "VulnerabilityID": "CVE-2020-8492", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS", + "Description": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue39503", + "https://github.com/python/cpython/pull/18284", + "https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html", + 
"https://security.netapp.com/advisory/ntap-20200221-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2018-1000030", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "python: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c", + "Description": "Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-\u003eMalloc-\u003eThread1-\u003eFree's-\u003eThread2-Re-uses-Free'd Memory. 
The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.", + "Severity": "LOW", + "References": [ + "https://bugs.python.org/issue31530", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000030", + "https://drive.google.com/file/d/1oyR9DAZjZK_SCn3mor6NRAYLJS6ueXaY/view", + "https://security.gentoo.org/glsa/201811-02", + "https://usn.ubuntu.com/3817-1/", + "https://usn.ubuntu.com/3817-2/", + "https://www.dropbox.com/sh/sj3ee7xv55j36k7/AADwP-YfOYikBMuy32e0uvPFa?dl=0", + "https://www.oracle.com/security-alerts/cpujan2020.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-9674", + "PkgName": "python-libs", + "InstalledVersion": "2.7.5-86.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py", + "Description": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", + "https://bugs.python.org/issue36260", + "https://bugs.python.org/issue36462", + "https://github.com/python/cpython/blob/master/Lib/zipfile.py", + "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb", + "https://security.netapp.com/advisory/ntap-20200221-0003/", + "https://www.python.org/news/security/" + ] + }, { "VulnerabilityID": "CVE-2016-7091", "PkgName": "readline", 
@@ -11382,10 +12958,13 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "sudo: Possible info leak via INPUTRC", "Description": "sudo: It was discovered that the default sudo configuration on Red Hat Enterprise Linux and possibly other Linux implementations preserves the value of INPUTRC which could lead to information disclosure. A local user with sudo access to a restricted program that uses readline could use this flaw to read content from specially formatted files with elevated privileges provided by sudo.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-7091.html", + "http://linux.oracle.com/errata/ELSA-2016-2593.html", "http://www.securityfocus.com/bid/92615", "https://lists.gnu.org/archive/html/bug-readline/2016-05/msg00009.html", "https://rhn.redhat.com/errata/RHSA-2016-2593.html" @@ -11398,9 +12977,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation", "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500", "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9", 
@@ -11414,6 +12994,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation", "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.", "Severity": "MEDIUM", @@ -11429,9 +13010,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation", "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500", "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9", 
@@ -11445,6 +13027,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation", "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.", "Severity": "MEDIUM", @@ -11460,9 +13043,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation", "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500", "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9", 
@@ -11476,6 +13060,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation", "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.", "Severity": "MEDIUM", @@ -11491,9 +13076,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to directories when installing packages allows privilege escalation", "Description": "It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500", "https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9", 
@@ -11507,6 +13093,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "rpm: Following symlinks to files when installing packages allows privilege escalation", "Description": "It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.", "Severity": "MEDIUM", 
@@ -11516,26 +13103,47 @@ ] }, { - "VulnerabilityID": "CVE-2016-6252", - "PkgName": "shadow-utils", - "InstalledVersion": "2:4.6-5.el7", + "VulnerabilityID": "CVE-2019-13734", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "FixedVersion": "3.7.17-8.el7_7.1", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "shadow-utils: Incorrect integer handling results in LPE", - "Description": "Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "sqlite: fts3: improve shadow table corruption detection", + "Description": "Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", + "Severity": "HIGH", "References": [ - "http://www.debian.org/security/2017/dsa-3793", - "http://www.openwall.com/lists/oss-security/2016/07/19/6", - "http://www.openwall.com/lists/oss-security/2016/07/19/7", - "http://www.openwall.com/lists/oss-security/2016/07/20/2", - "http://www.openwall.com/lists/oss-security/2016/07/25/7", - "http://www.securityfocus.com/bid/92055", - "https://bugzilla.suse.com/show_bug.cgi?id=979282", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252", - "https://github.com/shadow-maint/shadow/issues/27", - "https://security.gentoo.org/glsa/201706-02" + "http://linux.oracle.com/cve/CVE-2019-13734.html", + "http://linux.oracle.com/errata/ELSA-2020-0273.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025466", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5827", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "chromium-browser: out-of-bounds access in SQLite", + "Description": "Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00085.html", + "https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_30.html", + "https://crbug.com/952406", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5827", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CPM7VPE27DUNJLXM4F5PAAEFFWOEND6X/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKN4GPMBQ3SDXWB4HL45II5CZ7P2E4AI/" ] }, { @@ -11545,9 +13153,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "sqlite: arbitrary code execution on databases with malformed schema", "Description": "The fts3_tokenizer function in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a SQL command that triggers an API call with a crafted pointer value in the second argument.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://support.apple.com/kb/HT204941", "http://support.apple.com/kb/HT204942", 
@@ -11555,6 +13164,225 @@ "https://security.gentoo.org/glsa/201612-21" ] }, + { + "VulnerabilityID": "CVE-2017-7000", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "chromium-browser: pointer disclosure in sqlite", + "Description": "An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the \"SQLite\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/98767", + "http://www.securityfocus.com/bid/99950", + "https://access.redhat.com/errata/RHSA-2017:1833", + "https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7000", + "https://security.gentoo.org/glsa/201709-15", + "https://support.apple.com/HT207797", + "https://support.apple.com/HT207798", + "https://www.debian.org/security/2017/dsa-3926" + ] + }, + { + "VulnerabilityID": "CVE-2019-13751", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "sqlite: fts3: improve detection of corrupted records", + "Description": "Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + 
"https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025465", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13751", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] + }, + { + "VulnerabilityID": "CVE-2019-13752", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "sqlite: fts3: improve shadow table corruption detection", + "Description": "Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025470", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13752", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] + }, + { + "VulnerabilityID": "CVE-2019-13753", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "sqlite: fts3: incorrectly removed corruption check", + "Description": "Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "Severity": "MEDIUM", + "References": [ + 
"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00032.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00036.html", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://crbug.com/1025471", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13753", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19603", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to DoS", + "Description": "SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13", + "https://security.netapp.com/advisory/ntap-20191223-0001/", + "https://www.sqlite.org/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19645", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "sqlite: infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements", + "Description": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06", + "https://security.netapp.com/advisory/ntap-20191223-0001/" + ] + }, + { + 
"VulnerabilityID": "CVE-2019-19880", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "sqlite: invalid pointer dereference in exprListAppendList in window.c", + "Description": "exprListAppendList in window.c in SQLite 3.30.1 allows attackers to trigger an invalid pointer dereference because constant integer values in ORDER BY clauses of window definitions are mishandled.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19880", + "https://github.com/sqlite/sqlite/commit/75e95e1fcd52d3ec8282edb75ac8cd0814095d54", + "https://security.netapp.com/advisory/ntap-20200114-0001/" + ] + }, + { + "VulnerabilityID": "CVE-2019-19924", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "sqlite: incorrect sqlite3WindowRewrite() error handling leads to mishandling certain parser-tree rewriting", + "Description": "SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. 
This is caused by incorrect sqlite3WindowRewrite() error handling.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/8654186b0236d556aa85528c2573ee0b6ab71be3", + "https://security.netapp.com/advisory/ntap-20200114-0003/" + ] + }, + { + "VulnerabilityID": "CVE-2019-20218", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error", + "Description": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.", + "Severity": "MEDIUM", + "References": [ + "https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387", + "https://usn.ubuntu.com/4298-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-8457", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "sqlite: heap out-of-bound read in function rtreenode()", + "Description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/", + "https://security.netapp.com/advisory/ntap-20190606-0002/", + "https://usn.ubuntu.com/4004-1/", + "https://usn.ubuntu.com/4004-2/", + 
"https://usn.ubuntu.com/4019-1/", + "https://usn.ubuntu.com/4019-2/", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "https://www.sqlite.org/releaselog/3_28_0.html", + "https://www.sqlite.org/src/info/90acdbfce9c08858" + ] + }, + { + "VulnerabilityID": "CVE-2016-6153", + "PkgName": "sqlite", + "InstalledVersion": "3.7.17-8.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "sqlite: Tempdir selection vulnerability", + "Description": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-updates/2016-08/msg00053.html", + "http://www.openwall.com/lists/oss-security/2016/07/01/1", + "http://www.openwall.com/lists/oss-security/2016/07/01/2", + "http://www.securityfocus.com/bid/91546", + "http://www.sqlite.org/cgi/src/info/67985761aa93fb61", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGQTH7V45QVHFDXJAEECHEO3HHD644WZ/", + "https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt", + "https://www.sqlite.org/releaselog/3_13_0.html", + "https://www.tenable.com/security/tns-2016-20" + ] + }, { "VulnerabilityID": "CVE-2017-10989", "PkgName": "sqlite", 
@@ -11562,9 +13390,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "sqlite: Heap-buffer overflow in the getNodeSize function", "Description": "The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00050.html", "http://marc.info/?l=sqlite-users\u0026m=149933696214713\u0026w=2", 
@@ -11585,48 +13414,6 @@ "https://usn.ubuntu.com/4019-2/" ] }, - { - "VulnerabilityID": "CVE-2019-8457", - "PkgName": "sqlite", - "InstalledVersion": "3.7.17-8.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "sqlite3: heap out-of-bound read in function rtreenode()", - "Description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", - "Severity": "HIGH", - "References": [ - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457", - "https://security.netapp.com/advisory/ntap-20190606-0002/", - "https://usn.ubuntu.com/4004-1/", - "https://usn.ubuntu.com/4004-2/", - "https://www.sqlite.org/releaselog/3_28_0.html", - "https://www.sqlite.org/src/info/90acdbfce9c08858" - ] - }, - { - "VulnerabilityID": "CVE-2016-6153", - "PkgName": "sqlite", - "InstalledVersion": "3.7.17-8.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "sqlite: Tempdir selection vulnerability", - "Description": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-updates/2016-08/msg00053.html", - "http://www.openwall.com/lists/oss-security/2016/07/01/1", - "http://www.openwall.com/lists/oss-security/2016/07/01/2", - "http://www.securityfocus.com/bid/91546", - "http://www.sqlite.org/cgi/src/info/67985761aa93fb61", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGQTH7V45QVHFDXJAEECHEO3HHD644WZ/", - 
"https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt", - "https://www.sqlite.org/releaselog/3_13_0.html", - "https://www.tenable.com/security/tns-2016-20" - ] - }, { "VulnerabilityID": "CVE-2017-13685", "PkgName": "sqlite", @@ -11634,9 +13421,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "sqlite: Local DoS via dump_callback function", "Description": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg105314.html", "http://www.securityfocus.com/bid/100521", 
@@ -11650,37 +13438,16 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "sqlite: NULL pointer dereference in tableColumnList", "Description": "SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in shell.c because it fails to consider certain cases where `sqlite3_step(pStmt)==SQLITE_ROW` is false and a data structure is never initialized.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/101285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15286", "https://github.com/Ha0Team/crash-of-sqlite3/blob/master/poc.md" ] }, - { - "VulnerabilityID": "CVE-2017-7000", - "PkgName": "sqlite", - "InstalledVersion": "3.7.17-8.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "chromium-browser: pointer disclosure in sqlite", - "Description": "An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the \"SQLite\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/98767", - "http://www.securityfocus.com/bid/99950", - "https://access.redhat.com/errata/RHSA-2017:1833", - "https://chromereleases.googleblog.com/2017/07/stable-channel-update-for-desktop.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7000", - "https://security.gentoo.org/glsa/201709-15", - "https://support.apple.com/HT207797", - "https://support.apple.com/HT207798", - "https://www.debian.org/security/2017/dsa-3926" - ] - }, { "VulnerabilityID": "CVE-2018-8740", "PkgName": "sqlite", 
@@ -11688,9 +13455,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "sqlite: NULL pointer dereference with databases with schema corrupted with CREATE TABLE AS allows for denial of service", "Description": "In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00050.html", "http://www.securityfocus.com/bid/103466", 
@@ -11703,40 +13471,36 @@ ] }, { - "VulnerabilityID": "CVE-2019-5827", + "VulnerabilityID": "CVE-2019-19244", "PkgName": "sqlite", "InstalledVersion": "3.7.17-8.el7", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "chromium-browser: out-of-bounds access in SQLite", - "Description": "Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", - "Severity": "MEDIUM", + "SeveritySource": "redhat", + "Title": "sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage", + "Description": "sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.", + "Severity": "LOW", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00085.html", - "https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_30.html", - "https://crbug.com/952406", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5827", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CPM7VPE27DUNJLXM4F5PAAEFFWOEND6X/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKN4GPMBQ3SDXWB4HL45II5CZ7P2E4AI/" + "https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348", + "https://usn.ubuntu.com/4205-1/" ] }, { - "VulnerabilityID": "CVE-2018-6954", + "VulnerabilityID": "CVE-2013-4392", "PkgName": "systemd", "InstalledVersion": "219-67.el7_7.1", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", - "Description": "systemd-tmpfiles in systemd through 237 mishandles 
symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", + "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", + "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", - "https://github.com/systemd/systemd/issues/7986", - "https://usn.ubuntu.com/3816-1/", - "https://usn.ubuntu.com/3816-2/" + "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", + "http://www.openwall.com/lists/oss-security/2013/10/01/9", + "https://bugzilla.redhat.com/show_bug.cgi?id=859060" ] }, { @@ -11746,6 +13510,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "systemd: Unsafe handling of hard links allowing privilege escalation", "Description": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.", "Severity": "MEDIUM", 
@@ -11760,6 +13525,25 @@ "https://www.openwall.com/lists/oss-security/2018/01/29/4" ] }, + { + "VulnerabilityID": "CVE-2018-6954", + "PkgName": "systemd", + "InstalledVersion": "219-67.el7_7.1", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", + "Description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", + "https://github.com/systemd/systemd/issues/7986", + "https://usn.ubuntu.com/3816-1/", + "https://usn.ubuntu.com/3816-2/" + ] + }, { "VulnerabilityID": "CVE-2019-3842", "PkgName": "systemd", @@ -11767,6 +13551,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "systemd: Spoofing of XDG_SEAT allows for actions to be checked against \"allow_active\" instead of \"allow_any\"", "Description": "In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the \"allow_active\" element rather than \"allow_any\".", "Severity": "MEDIUM", 
@@ -11780,22 +13565,6 @@ "https://www.exploit-db.com/exploits/46743/" ] }, - { - "VulnerabilityID": "CVE-2013-4392", - "PkgName": "systemd", - "InstalledVersion": "219-67.el7_7.1", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", - "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "Severity": "LOW", - "References": [ - "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", - "http://www.openwall.com/lists/oss-security/2013/10/01/9", - "https://bugzilla.redhat.com/show_bug.cgi?id=859060" - ] - }, { "VulnerabilityID": "CVE-2016-6349", "PkgName": "systemd", @@ -11803,6 +13572,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "oci-register-machine: information exposure for docker containers", "Description": "The machinectl command in oci-register-machine allows local users to list running containers and possibly obtain sensitive information by running that command.", "Severity": "LOW", 
@@ -11815,21 +13585,38 @@ ] }, { - "VulnerabilityID": "CVE-2018-6954", + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "systemd", + "InstalledVersion": "219-67.el7_7.1", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, + { + "VulnerabilityID": "CVE-2013-4392", "PkgName": "systemd-libs", "InstalledVersion": "219-67.el7_7.1", "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, - "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", - "Description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. 
This occurs even if the fs.protected_symlinks sysctl is turned on.", - "Severity": "HIGH", + "SeveritySource": "redhat", + "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", + "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", + "Severity": "MEDIUM", "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", - "https://github.com/systemd/systemd/issues/7986", - "https://usn.ubuntu.com/3816-1/", - "https://usn.ubuntu.com/3816-2/" + "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", + "http://www.openwall.com/lists/oss-security/2013/10/01/9", + "https://bugzilla.redhat.com/show_bug.cgi?id=859060" ] }, { @@ -11839,6 +13626,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "systemd: Unsafe handling of hard links allowing privilege escalation", "Description": "systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.", "Severity": "MEDIUM", 
@@ -11853,6 +13641,25 @@ "https://www.openwall.com/lists/oss-security/2018/01/29/4" ] }, + { + "VulnerabilityID": "CVE-2018-6954", + "PkgName": "systemd-libs", + "InstalledVersion": "219-67.el7_7.1", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "systemd: Mishandled symlinks in systemd-tmpfiles allows local users to obtain ownership of arbitrary files", + "Description": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6954", + "https://github.com/systemd/systemd/issues/7986", + "https://usn.ubuntu.com/3816-1/", + "https://usn.ubuntu.com/3816-2/" + ] + }, { "VulnerabilityID": "CVE-2019-3842", "PkgName": "systemd-libs", @@ -11860,6 +13667,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "systemd: Spoofing of XDG_SEAT allows for actions to be checked against \"allow_active\" instead of \"allow_any\"", "Description": "In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the \"allow_active\" element rather than \"allow_any\".", "Severity": "MEDIUM", 
@@ -11873,22 +13681,6 @@ "https://www.exploit-db.com/exploits/46743/" ] }, - { - "VulnerabilityID": "CVE-2013-4392", - "PkgName": "systemd-libs", - "InstalledVersion": "219-67.el7_7.1", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "systemd: TOCTOU race condition when updating file permissions and SELinux security contexts", - "Description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "Severity": "LOW", - "References": [ - "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", - "http://www.openwall.com/lists/oss-security/2013/10/01/9", - "https://bugzilla.redhat.com/show_bug.cgi?id=859060" - ] - }, { "VulnerabilityID": "CVE-2016-6349", "PkgName": "systemd-libs", @@ -11896,6 +13688,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "oci-register-machine: information exposure for docker containers", "Description": "The machinectl command in oci-register-machine allows local users to list running containers and possibly obtain sensitive information by running that command.", "Severity": "LOW", 
@@ -11907,6 +13700,24 @@ "https://github.com/projectatomic/oci-register-machine/pull/22" ] }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "systemd-libs", + "InstalledVersion": "219-67.el7_7.1", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, { "VulnerabilityID": "CVE-2016-6321", "PkgName": "tar", @@ -11914,6 +13725,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "tar: Bypassing the extract path name", "Description": "Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.", "Severity": "MEDIUM", 
@@ -11932,23 +13744,6 @@ "https://sintonen.fi/advisories/tar-extract-pathname-bypass.txt" ] }, - { - "VulnerabilityID": "CVE-2019-9923", - "PkgName": "tar", - "InstalledVersion": "2:1.26-35.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", - "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", - "Severity": "MEDIUM", - "References": [ - "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", - "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", - "http://savannah.gnu.org/bugs/?55369", - "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" - ] - }, { "VulnerabilityID": "CVE-2018-20482", "PkgName": "tar", @@ -11956,6 +13751,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "tar: Infinite read loop in sparse_dump_region function in sparse.c", "Description": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).", "Severity": "LOW", 
@@ -11972,6 +13768,24 @@ "https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug" ] }, + { + "VulnerabilityID": "CVE-2019-9923", + "PkgName": "tar", + "InstalledVersion": "2:1.26-35.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", + "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", + "Severity": "LOW", + "References": [ + "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", + "http://savannah.gnu.org/bugs/?55369", + "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" + ] + }, { "VulnerabilityID": "CVE-2014-9114", "PkgName": "util-linux", @@ -11979,9 +13793,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "util-linux: command injection flaw in blkid", "Description": "Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/145188.html", "http://lists.fedoraproject.org/pipermail/package-announce/2014-December/146229.html", 
@@ -12002,9 +13817,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -12019,6 +13835,7 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "colcrt: global-buffer-overflow", "Description": "Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.", "Severity": "LOW", 
@@ -12032,6 +13849,60 @@ "https://www.kernel.org/pub/linux/utils/util-linux/v2.27/v2.27-ReleaseNotes" ] }, + { + "VulnerabilityID": "CVE-2017-1000382", + "PkgName": "vim-minimal", + "InstalledVersion": "2:7.4.629-6.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "vim: Ignores umask when creating a swap file", + "Description": "VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.", + "Severity": "LOW", + "References": [ + "http://security.cucumberlinux.com/security/details.php?id=120", + "http://www.openwall.com/lists/oss-security/2017/10/31/1" + ] + }, + { + "VulnerabilityID": "CVE-2017-11109", + "PkgName": "vim-minimal", + "InstalledVersion": "2:7.4.629-6.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "vim: Use-after-free via crafted file", + "Description": "Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. 
NOTE: there might be a limited number of scenarios in which this has security relevance.", + "Severity": "LOW", + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1468492", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11109", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html", + "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11109.html" + ] + }, + { + "VulnerabilityID": "CVE-2017-17087", + "PkgName": "vim-minimal", + "InstalledVersion": "2:7.4.629-6.el7", + "Layer": { + "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" + }, + "SeveritySource": "redhat", + "Title": "vim: Sets the group ownership of a .swp file to the editor's primary group", + "Description": "fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.", + "Severity": "LOW", + "References": [ + "http://openwall.com/lists/oss-security/2017/11/27/2", + "http://security.cucumberlinux.com/security/details.php?id=166", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17087", + "https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8", + "https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html" + ] + }, { "VulnerabilityID": "CVE-2017-5953", "PkgName": "vim-minimal", 
@@ -12039,9 +13910,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "vim: Tree length values not validated properly when handling a spell file", "Description": "vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.debian.org/security/2017/dsa-3786", "http://www.securityfocus.com/bid/96217", @@ -12059,9 +13931,10 @@ "Layer": { "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" }, + "SeveritySource": "redhat", "Title": "vim: Integer overflow at an unserialize_uep memory allocation site", "Description": "An integer overflow at an unserialize_uep memory allocation site would occur for vim before patch 8.0.0378, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/96448", "http://www.securitytracker.com/id/1037949", 
@@ -12071,57 +13944,6 @@ "https://groups.google.com/forum/#!topic/vim_dev/QPZc0CY9j3Y", "https://security.gentoo.org/glsa/201706-26" ] - }, - { - "VulnerabilityID": "CVE-2017-11109", - "PkgName": "vim-minimal", - "InstalledVersion": "2:7.4.629-6.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "vim: Use-after-free via crafted file", - "Description": "Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. NOTE: there might be a limited number of scenarios in which this has security relevance.", - "Severity": "MEDIUM", - "References": [ - "https://bugzilla.redhat.com/show_bug.cgi?id=1468492", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11109", - "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html", - "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11109.html" - ] - }, - { - "VulnerabilityID": "CVE-2017-1000382", - "PkgName": "vim-minimal", - "InstalledVersion": "2:7.4.629-6.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "vim: Ignores umask when creating a swap file", - "Description": "VIM version 8.0.1187 (and other versions most likely) ignores umask when creating a swap file (\"[ORIGINAL_FILENAME].swp\") resulting in files that may be world readable or otherwise accessible in ways not intended by the user running the vi binary.", - "Severity": "LOW", - "References": [ - "http://security.cucumberlinux.com/security/details.php?id=120", - "http://www.openwall.com/lists/oss-security/2017/10/31/1" - ] - }, - { - "VulnerabilityID": "CVE-2017-17087", - "PkgName": "vim-minimal", - "InstalledVersion": "2:7.4.629-6.el7", - "Layer": { - "DiffID": "sha256:4468e6d912c76d5b127f3554c3cd83b7dc07cce6107c6b916299ba76fa7d15ac" - }, - "Title": "vim: Sets the group ownership of a .swp file to the editor's 
primary group", - "Description": "fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.", - "Severity": "LOW", - "References": [ - "http://openwall.com/lists/oss-security/2017/11/27/2", - "http://security.cucumberlinux.com/security/details.php?id=166", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17087", - "https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8", - "https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ", - "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html" - ] } ] } diff --git a/integration/testdata/ubuntu-1604.json.golden b/integration/testdata/ubuntu-1604.json.golden index 3abf8d99e3..a2987d5cc9 100644 --- a/integration/testdata/ubuntu-1604.json.golden +++ b/integration/testdata/ubuntu-1604.json.golden 
@@ -1,7 +1,25 @@ [ { "Target": "testdata/fixtures/ubuntu-1604.tar.gz (ubuntu 16.04)", + "Type": "ubuntu", "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-18276", + "PkgName": "bash", + "InstalledVersion": "4.3-14ubuntu1.4", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped", + "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html", + "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff", + "https://www.youtube.com/watch?v=-wGtxJ8opa8" + ] + }, { "VulnerabilityID": "CVE-2016-2779", "PkgName": "bsdutils", 
@@ -9,9 +27,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -26,10 +45,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5011.html", + "http://linux.oracle.com/errata/ELSA-2016-2605.html", "http://rhn.redhat.com/errata/RHSA-2016-2605.html", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", @@ -47,6 +69,7 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "Severity": "LOW", 
@@ -62,8 +85,9 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Description": "dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/04/20/2", "http://www.securityfocus.com/bid/98064", @@ -78,6 +102,8 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -89,6 +115,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "e2fslibs", + "InstalledVersion": "1.42.13-1ubuntu1", + "FixedVersion": "1.42.13-1ubuntu1.2", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "e2fsprogs", @@ -97,6 +144,8 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -108,6 +157,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "e2fsprogs", + "InstalledVersion": "1.42.13-1ubuntu1", + "FixedVersion": "1.42.13-1ubuntu1.2", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2019-13050", "PkgName": "gnupg", 
@@ -115,9 +185,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "GnuPG: interaction between the sks-keyserver code and GnuPG allows for a Certificate Spamming Attack which leads to persistent DoS", "Description": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://access.redhat.com/articles/4264021", "https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f", @@ -125,6 +196,24 @@ "https://twitter.com/lambdafu/status/1147162583969009664" ] }, + { + "VulnerabilityID": "CVE-2019-14855", + "PkgName": "gnupg", + "InstalledVersion": "1.4.20-1ubuntu3.3", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "gnupg2: OpenPGP Key Certification Forgeries with SHA-1", + "Description": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.", + "Severity": "LOW", + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855", + "https://dev.gnupg.org/T4755", + "https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html", + "https://rwc.iacr.org/2020/slides/Leurent.pdf" + ] + }, { "VulnerabilityID": "CVE-2019-13050", "PkgName": "gpgv", 
@@ -132,9 +221,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "GnuPG: interaction between the sks-keyserver code and GnuPG allows for a Certificate Spamming Attack which leads to persistent DoS", "Description": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://access.redhat.com/articles/4264021", "https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f", @@ -142,6 +232,24 @@ "https://twitter.com/lambdafu/status/1147162583969009664" ] }, + { + "VulnerabilityID": "CVE-2019-14855", + "PkgName": "gpgv", + "InstalledVersion": "1.4.20-1ubuntu3.3", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "gnupg2: OpenPGP Key Certification Forgeries with SHA-1", + "Description": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.", + "Severity": "LOW", + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855", + "https://dev.gnupg.org/T4755", + "https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html", + "https://rwc.iacr.org/2020/slides/Leurent.pdf" + ] + }, { "VulnerabilityID": "CVE-2016-1585", "PkgName": "libapparmor1", 
@@ -149,8 +257,9 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Description": "In all versions of AppArmor mount rules are accidentally widened when compiled.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://bugs.launchpad.net/apparmor/+bug/1597017" ] @@ -162,9 +271,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -179,10 +289,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5011.html", + "http://linux.oracle.com/errata/ELSA-2016-2605.html", "http://rhn.redhat.com/errata/RHSA-2016-2605.html", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", 
@@ -200,9 +313,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: memory corruption in memcpy-sse2-unaligned.S", "Description": "An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18269", "https://github.com/fingolfin/memmove-bug", @@ -219,10 +333,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow", "Description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-11236.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/104255", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", 
@@ -234,6 +351,31 @@ "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, + { + "VulnerabilityID": "CVE-2018-11237", + "PkgName": "libc-bin", + "InstalledVersion": "2.23-0ubuntu11", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper", + "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-11237.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", + "http://www.securityfocus.com/bid/104256", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3092", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237", + "https://security.netapp.com/advisory/ntap-20190329-0001/", + "https://security.netapp.com/advisory/ntap-20190401-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23196", + "https://www.exploit-db.com/exploits/44750/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, { "VulnerabilityID": "CVE-2018-6485", "PkgName": "libc-bin", 
@@ -241,42 +383,24 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, - { - "VulnerabilityID": "CVE-2019-9169", - "PkgName": "libc-bin", - "InstalledVersion": "2.23-0ubuntu11", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/107160", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", - 
"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", - "https://support.f5.com/csp/article/K54823184" - ] - }, { "VulnerabilityID": "CVE-2009-5155", "PkgName": "libc-bin", @@ -284,9 +408,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", @@ -307,10 +432,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: DNS resolver NULL pointer dereference with crafted record type", "Description": "res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2015-5180.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://www.securityfocus.com/bid/99324", "http://www.ubuntu.com/usn/USN-3239-1", "http://www.ubuntu.com/usn/USN-3239-2", 
@@ -331,9 +459,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", @@ -349,9 +478,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", 
@@ -365,10 +495,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", "http://www.securityfocus.com/bid/106672", "https://access.redhat.com/errata/RHSA-2019:2118", @@ -384,10 +517,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2017-12132.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://www.securityfocus.com/bid/100598", "https://access.redhat.com/errata/RHSA-2018:0805", "https://arxiv.org/pdf/1205.4011.pdf", 
@@ -402,9 +538,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Use-after-free read access in clntudp_call in sunrpc", "Description": "Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12133", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYZL6PAKI73XYRJYL5VLDGA4FFGWMB7A/", @@ -413,28 +550,6 @@ "https://www.securityfocus.com/bid/100679" ] }, - { - "VulnerabilityID": "CVE-2018-11237", - "PkgName": "libc-bin", - "InstalledVersion": "2.23-0ubuntu11", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper", - "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/104256", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3092", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237", - "https://security.netapp.com/advisory/ntap-20190329-0001/", - "https://security.netapp.com/advisory/ntap-20190401-0001/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23196", - "https://www.exploit-db.com/exploits/44750/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" - ] - }, { "VulnerabilityID": "CVE-2018-20796", "PkgName": "libc-bin", 
@@ -442,28 +557,16 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107160", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "https://security.netapp.com/advisory/ntap-20190315-0002/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9192", - "PkgName": "libc-bin", - "InstalledVersion": "2.23-0ubuntu11", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", - "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" ] }, { 
@@ -473,6 +576,7 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: memcmp function incorrectly returns zero", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.", "Severity": "LOW", 
@@ -483,6 +587,45 @@ "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html" ] }, + { + "VulnerabilityID": "CVE-2019-9169", + "PkgName": "libc-bin", + "InstalledVersion": "2.23-0ubuntu11", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", + "https://support.f5.com/csp/article/K54823184" + ] + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgName": "libc-bin", + "InstalledVersion": "2.23-0ubuntu11", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, { "VulnerabilityID": "CVE-2017-18269", "PkgName": "libc6", @@ -490,9 +633,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: memory corruption in memcpy-sse2-unaligned.S", "Description": "An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18269", "https://github.com/fingolfin/memmove-bug", 
@@ -509,10 +653,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow", "Description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-11236.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/104255", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", 
@@ -524,6 +671,31 @@ "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, + { + "VulnerabilityID": "CVE-2018-11237", + "PkgName": "libc6", + "InstalledVersion": "2.23-0ubuntu11", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper", + "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-11237.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", + "http://www.securityfocus.com/bid/104256", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3092", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237", + "https://security.netapp.com/advisory/ntap-20190329-0001/", + "https://security.netapp.com/advisory/ntap-20190401-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23196", + "https://www.exploit-db.com/exploits/44750/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, { "VulnerabilityID": "CVE-2018-6485", "PkgName": "libc6", 
@@ -531,42 +703,24 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, - { - "VulnerabilityID": "CVE-2019-9169", - "PkgName": "libc6", - "InstalledVersion": "2.23-0ubuntu11", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/107160", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", - 
"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", - "https://support.f5.com/csp/article/K54823184" - ] - }, { "VulnerabilityID": "CVE-2009-5155", "PkgName": "libc6", @@ -574,9 +728,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", @@ -597,10 +752,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: DNS resolver NULL pointer dereference with crafted record type", "Description": "res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2015-5180.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://www.securityfocus.com/bid/99324", "http://www.ubuntu.com/usn/USN-3239-1", "http://www.ubuntu.com/usn/USN-3239-2", 
@@ -621,9 +779,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", @@ -639,9 +798,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", 
@@ -655,10 +815,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", "http://www.securityfocus.com/bid/106672", "https://access.redhat.com/errata/RHSA-2019:2118", @@ -674,10 +837,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2017-12132.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://www.securityfocus.com/bid/100598", "https://access.redhat.com/errata/RHSA-2018:0805", "https://arxiv.org/pdf/1205.4011.pdf", 
@@ -692,9 +858,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Use-after-free read access in clntudp_call in sunrpc", "Description": "Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12133", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYZL6PAKI73XYRJYL5VLDGA4FFGWMB7A/", @@ -703,28 +870,6 @@ "https://www.securityfocus.com/bid/100679" ] }, - { - "VulnerabilityID": "CVE-2018-11237", - "PkgName": "libc6", - "InstalledVersion": "2.23-0ubuntu11", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper", - "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/104256", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3092", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237", - "https://security.netapp.com/advisory/ntap-20190329-0001/", - "https://security.netapp.com/advisory/ntap-20190401-0001/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23196", - "https://www.exploit-db.com/exploits/44750/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" - ] - }, { "VulnerabilityID": "CVE-2018-20796", "PkgName": "libc6", 
@@ -732,28 +877,16 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107160", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "https://security.netapp.com/advisory/ntap-20190315-0002/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9192", - "PkgName": "libc6", - "InstalledVersion": "2.23-0ubuntu11", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", - "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" ] }, { 
@@ -763,6 +896,7 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: memcmp function incorrectly returns zero", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.", "Severity": "LOW", 
@@ -773,6 +907,45 @@ "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html" ] }, + { + "VulnerabilityID": "CVE-2019-9169", + "PkgName": "libc6", + "InstalledVersion": "2.23-0ubuntu11", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", + "https://support.f5.com/csp/article/K54823184" + ] + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgName": "libc6", + "InstalledVersion": "2.23-0ubuntu11", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "libcomerr2", @@ -781,6 +954,8 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -792,6 +967,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libcomerr2", + "InstalledVersion": "1.42.13-1ubuntu1", + "FixedVersion": "1.42.13-1ubuntu1.2", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2016-4484", "PkgName": "libcryptsetup4", 
@@ -799,9 +995,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "dracut: Brute force attack on LUKS password decryption via initramfs", "Description": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html", "http://www.openwall.com/lists/oss-security/2016/11/14/13", @@ -821,9 +1018,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", 
@@ -838,10 +1036,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5011.html", + "http://linux.oracle.com/errata/ELSA-2016-2605.html", "http://rhn.redhat.com/errata/RHSA-2016-2605.html", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", 
@@ -856,21 +1057,51 @@ "VulnerabilityID": "CVE-2019-13627", "PkgName": "libgcrypt20", "InstalledVersion": "1.6.5-2ubuntu0.5", + "FixedVersion": "1.6.5-2ubuntu0.6", "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library", "Description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", "Severity": "MEDIUM", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html", "http://www.openwall.com/lists/oss-security/2019/10/02/2", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13627", + "https://dev.gnupg.org/T4683", "https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5", "https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html", "https://minerva.crocs.fi.muni.cz/", "https://security-tracker.debian.org/tracker/CVE-2019-13627" ] }, + { + "VulnerabilityID": "CVE-2019-17543", + "PkgName": "liblz4-1", + "InstalledVersion": "0.0~r131-2ubuntu2", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "lz4: heap-based buffer overflow in LZ4_write32", + "Description": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) 
NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html", + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941", + "https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2", + "https://github.com/lz4/lz4/issues/801", + "https://github.com/lz4/lz4/pull/756", + "https://github.com/lz4/lz4/pull/760", + "https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E" + ] + }, { "VulnerabilityID": "CVE-2016-2779", "PkgName": "libmount1", @@ -878,9 +1109,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", 
@@ -895,10 +1127,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5011.html", + "http://linux.oracle.com/errata/ELSA-2016-2605.html", "http://rhn.redhat.com/errata/RHSA-2016-2605.html", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", @@ -916,9 +1151,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", 
@@ -932,9 +1168,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", @@ -948,9 +1185,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -964,9 +1202,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", 
@@ -980,9 +1219,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -996,9 +1236,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -1012,9 +1253,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", 
@@ -1028,9 +1270,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -1044,9 +1287,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -1060,9 +1304,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", 
@@ -1076,9 +1321,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -1092,9 +1338,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -1103,6 +1350,44 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "libncurses5", + "InstalledVersion": "6.0+20160213-1ubuntu1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "libncurses5", + "InstalledVersion": "6.0+20160213-1ubuntu1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": 
"CVE-2017-10684", "PkgName": "libncursesw5", @@ -1110,9 +1395,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", @@ -1126,9 +1412,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", @@ -1142,9 +1429,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", 
@@ -1158,9 +1446,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", @@ -1174,9 +1463,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -1190,9 +1480,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", 
@@ -1206,9 +1497,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", @@ -1222,9 +1514,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -1238,9 +1531,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", 
@@ -1254,9 +1548,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", @@ -1270,9 +1565,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -1286,9 +1582,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -1297,6 +1594,44 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "libncursesw5", + "InstalledVersion": "6.0+20160213-1ubuntu1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "libncursesw5", + "InstalledVersion": "6.0+20160213-1ubuntu1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": 
"CVE-2017-11164", "PkgName": "libpcre3", @@ -1304,9 +1639,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/07/11/3", "http://www.securityfocus.com/bid/99575" @@ -1319,9 +1655,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3)", "Description": "The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/96295", "http://www.securitytracker.com/id/1037850", @@ -1339,9 +1676,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "pcre: Invalid Unicode property lookup (8.41/7, 10.24/2)", "Description": "libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97030", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -1363,9 +1701,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "pcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)", "Description": "The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -1381,9 +1720,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -1398,9 +1738,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -1415,9 +1756,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -1432,10 +1774,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5011.html", + "http://linux.oracle.com/errata/ELSA-2016-2605.html", "http://rhn.redhat.com/errata/RHSA-2016-2605.html", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", 
@@ -1454,6 +1799,8 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ @@ -1465,6 +1812,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libss2", + "InstalledVersion": "1.42.13-1ubuntu1", + "FixedVersion": "1.42.13-1ubuntu1.2", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2018-20839", "PkgName": "libsystemd0", 
@@ -1472,6 +1840,7 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker", "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.", "Severity": "MEDIUM", 
@@ -1484,16 +1853,37 @@ ] }, { - "VulnerabilityID": "CVE-2018-16888", + "VulnerabilityID": "CVE-2020-1712", "PkgName": "libsystemd0", "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-16888", + "PkgName": "libsystemd0", + "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. 
Versions before v237 are vulnerable.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16888.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "https://access.redhat.com/errata/RHSA-2019:2091", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", @@ -1501,6 +1891,25 @@ "https://security.netapp.com/advisory/ntap-20190307-0007/" ] }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "libsystemd0", + "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, { "VulnerabilityID": "CVE-2017-10684", "PkgName": "libtinfo5", @@ -1508,9 +1917,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", 
@@ -1524,9 +1934,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", @@ -1540,9 +1951,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -1556,9 +1968,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", 
@@ -1572,9 +1985,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -1588,9 +2002,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -1604,9 +2019,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", 
@@ -1620,9 +2036,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -1636,9 +2053,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -1652,9 +2070,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", 
@@ -1668,9 +2087,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -1684,9 +2104,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -1695,6 +2116,44 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "libtinfo5", + "InstalledVersion": "6.0+20160213-1ubuntu1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "libtinfo5", + "InstalledVersion": "6.0+20160213-1ubuntu1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": 
"CVE-2018-20839", "PkgName": "libudev1", @@ -1702,6 +2161,7 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker", "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.", "Severity": "MEDIUM", 
@@ -1714,16 +2174,37 @@ ] }, { - "VulnerabilityID": "CVE-2018-16888", + "VulnerabilityID": "CVE-2020-1712", "PkgName": "libudev1", "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-16888", + "PkgName": "libudev1", + "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. 
Versions before v237 are vulnerable.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16888.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "https://access.redhat.com/errata/RHSA-2019:2091", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", @@ -1731,6 +2212,25 @@ "https://security.netapp.com/advisory/ntap-20190307-0007/" ] }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "libudev1", + "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, { "VulnerabilityID": "CVE-2016-2779", "PkgName": "libuuid1", @@ -1738,9 +2238,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", 
@@ -1755,10 +2256,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5011.html", + "http://linux.oracle.com/errata/ELSA-2016-2605.html", "http://rhn.redhat.com/errata/RHSA-2016-2605.html", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", @@ -1769,6 +2273,23 @@ "https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/?id=7164a1c3" ] }, + { + "VulnerabilityID": "CVE-2013-4235", + "PkgName": "login", + "InstalledVersion": "1:4.2-3.1ubuntu5.4", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", + "Description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2013-4235", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", + "https://security-tracker.debian.org/tracker/CVE-2013-4235" + ] + }, { "VulnerabilityID": "CVE-2017-12424", "PkgName": "login", 
@@ -1776,9 +2297,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "shadow-utils: Buffer overflow via newusers tool", "Description": "In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630", "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675", 
@@ -1794,25 +2316,15 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", "https://security.gentoo.org/glsa/201805-09" ] }, - { - "VulnerabilityID": "CVE-2013-4235", - "PkgName": "login", - "InstalledVersion": "1:4.2-3.1ubuntu5.4", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", - "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.", - "Severity": "LOW" - }, { "VulnerabilityID": "CVE-2016-2779", "PkgName": "mount", 
@@ -1820,9 +2332,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", @@ -1837,10 +2350,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5011.html", + "http://linux.oracle.com/errata/ELSA-2016-2605.html", "http://rhn.redhat.com/errata/RHSA-2016-2605.html", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", 
@@ -1858,9 +2374,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: memory corruption in memcpy-sse2-unaligned.S", "Description": "An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18269", "https://github.com/fingolfin/memmove-bug", @@ -1877,10 +2394,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow", "Description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-11236.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/104255", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", 
@@ -1892,6 +2412,31 @@ "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, + { + "VulnerabilityID": "CVE-2018-11237", + "PkgName": "multiarch-support", + "InstalledVersion": "2.23-0ubuntu11", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper", + "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2018-11237.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", + "http://www.securityfocus.com/bid/104256", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3092", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237", + "https://security.netapp.com/advisory/ntap-20190329-0001/", + "https://security.netapp.com/advisory/ntap-20190401-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23196", + "https://www.exploit-db.com/exploits/44750/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, { "VulnerabilityID": "CVE-2018-6485", "PkgName": "multiarch-support", 
@@ -1899,42 +2444,24 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Integer overflow in posix_memalign in memalign functions", "Description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ "http://bugs.debian.org/878159", + "http://linux.oracle.com/cve/CVE-2018-6485.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/102912", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485", "https://security.netapp.com/advisory/ntap-20190404-0003/", "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://usn.ubuntu.com/4218-1/", "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" ] }, - { - "VulnerabilityID": "CVE-2019-9169", - "PkgName": "multiarch-support", - "InstalledVersion": "2.23-0ubuntu11", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", - "References": [ - "http://www.securityfocus.com/bid/107160", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", - 
"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", - "https://support.f5.com/csp/article/K54823184" - ] - }, { "VulnerabilityID": "CVE-2009-5155", "PkgName": "multiarch-support", @@ -1942,9 +2469,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", @@ -1965,10 +2493,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: DNS resolver NULL pointer dereference with crafted record type", "Description": "res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2015-5180.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://www.securityfocus.com/bid/99324", "http://www.ubuntu.com/usn/USN-3239-1", "http://www.ubuntu.com/usn/USN-3239-2", 
@@ -1989,9 +2520,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", @@ -2007,9 +2539,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", 
@@ -2023,10 +2556,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", "http://www.securityfocus.com/bid/106672", "https://access.redhat.com/errata/RHSA-2019:2118", @@ -2042,10 +2578,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Fragmentation attacks possible when EDNS0 is enabled", "Description": "The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2017-12132.html", + "http://linux.oracle.com/errata/ELSA-2018-0805.html", "http://www.securityfocus.com/bid/100598", "https://access.redhat.com/errata/RHSA-2018:0805", "https://arxiv.org/pdf/1205.4011.pdf", 
@@ -2060,9 +2599,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: Use-after-free read access in clntudp_call in sunrpc", "Description": "Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12133", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYZL6PAKI73XYRJYL5VLDGA4FFGWMB7A/", @@ -2071,28 +2611,6 @@ "https://www.securityfocus.com/bid/100679" ] }, - { - "VulnerabilityID": "CVE-2018-11237", - "PkgName": "multiarch-support", - "InstalledVersion": "2.23-0ubuntu11", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper", - "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/104256", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3092", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237", - "https://security.netapp.com/advisory/ntap-20190329-0001/", - "https://security.netapp.com/advisory/ntap-20190401-0001/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23196", - "https://www.exploit-db.com/exploits/44750/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" - ] - }, { "VulnerabilityID": "CVE-2018-20796", "PkgName": "multiarch-support", 
@@ -2100,28 +2618,16 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107160", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "https://security.netapp.com/advisory/ntap-20190315-0002/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9192", - "PkgName": "multiarch-support", - "InstalledVersion": "2.23-0ubuntu11", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", - "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" ] }, { 
@@ -2131,6 +2637,7 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "glibc: memcmp function incorrectly returns zero", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.", "Severity": "LOW", 
@@ -2141,6 +2648,45 @@ "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html" ] }, + { + "VulnerabilityID": "CVE-2019-9169", + "PkgName": "multiarch-support", + "InstalledVersion": "2.23-0ubuntu11", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", + "https://support.f5.com/csp/article/K54823184" + ] + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgName": "multiarch-support", + "InstalledVersion": "2.23-0ubuntu11", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, { "VulnerabilityID": "CVE-2017-10684", "PkgName": "ncurses-base", @@ -2148,9 +2694,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", @@ -2164,9 +2711,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", 
@@ -2180,9 +2728,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", @@ -2196,9 +2745,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", @@ -2212,9 +2762,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", 
@@ -2228,9 +2779,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", @@ -2244,9 +2796,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", @@ -2260,9 +2813,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", 
@@ -2276,9 +2830,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", @@ -2292,9 +2847,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", @@ -2308,9 +2864,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", 
@@ -2324,9 +2881,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -2335,6 +2893,44 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-base", + "InstalledVersion": "6.0+20160213-1ubuntu1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses-base", + "InstalledVersion": "6.0+20160213-1ubuntu1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": 
"CVE-2017-10684", "PkgName": "ncurses-bin", @@ -2342,9 +2938,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c", "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684", @@ -2358,9 +2955,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function", "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685", @@ -2374,9 +2972,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in append_acs function", "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112", 
@@ -2390,9 +2989,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function", "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113", @@ -2406,9 +3006,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Infinite loop in the next_char function", "Description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13728", @@ -2422,9 +3023,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the _nc_save_str function", "Description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13729", 
@@ -2438,9 +3040,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function _nc_read_entry_source()", "Description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13730", @@ -2454,9 +3057,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function postprocess_termcap()", "Description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13731", @@ -2470,9 +3074,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function dump_uses()", "Description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13732", 
@@ -2486,9 +3091,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function fmt_entry", "Description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13733", @@ -2502,9 +3108,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Illegal address access in the function _nc_safe_strcat", "Description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13734", @@ -2518,9 +3125,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "ncurses: Stack-based buffer overflow in the _nc_write_entry function", "Description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://invisible-island.net/ncurses/NEWS.html#t20171125", "http://packetstormsecurity.com/files/145045/GNU-ncurses-6.0-tic-Denial-Of-Service.html", 
@@ -2529,6 +3137,61 @@ "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-bin", + "InstalledVersion": "6.0+20160213-1ubuntu1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses-bin", + "InstalledVersion": "6.0+20160213-1ubuntu1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": 
"CVE-2013-4235", + "PkgName": "passwd", + "InstalledVersion": "1:4.2-3.1ubuntu5.4", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", + "Description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2013-4235", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", + "https://security-tracker.debian.org/tracker/CVE-2013-4235" + ] + }, { "VulnerabilityID": "CVE-2017-12424", "PkgName": "passwd", @@ -2536,9 +3199,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "shadow-utils: Buffer overflow via newusers tool", "Description": "In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630", "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675", 
@@ -2554,25 +3218,15 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", "https://security.gentoo.org/glsa/201805-09" ] }, - { - "VulnerabilityID": "CVE-2013-4235", - "PkgName": "passwd", - "InstalledVersion": "1:4.2-3.1ubuntu5.4", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", - "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.", - "Severity": "LOW" - }, { "VulnerabilityID": "CVE-2018-20839", "PkgName": "systemd", 
@@ -2580,6 +3234,7 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker", "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.", "Severity": "MEDIUM", 
@@ -2592,16 +3247,37 @@ ] }, { - "VulnerabilityID": "CVE-2018-16888", + "VulnerabilityID": "CVE-2020-1712", "PkgName": "systemd", "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-16888", + "PkgName": "systemd", + "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. 
Versions before v237 are vulnerable.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16888.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "https://access.redhat.com/errata/RHSA-2019:2091", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", @@ -2609,6 +3285,25 @@ "https://security.netapp.com/advisory/ntap-20190307-0007/" ] }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "systemd", + "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, { "VulnerabilityID": "CVE-2018-20839", "PkgName": "systemd-sysv", 
@@ -2616,6 +3311,7 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker", "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.", "Severity": "MEDIUM", 
@@ -2628,16 +3324,37 @@ ] }, { - "VulnerabilityID": "CVE-2018-16888", + "VulnerabilityID": "CVE-2020-1712", "PkgName": "systemd-sysv", "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-16888", + "PkgName": "systemd-sysv", + "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", "Title": "systemd: kills privileged process if unprivileged PIDFile was tampered", "Description": "It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. 
Versions before v237 are vulnerable.", "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2018-16888.html", + "http://linux.oracle.com/errata/ELSA-2019-2091.html", "https://access.redhat.com/errata/RHSA-2019:2091", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16888", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16888", @@ -2645,6 +3362,25 @@ "https://security.netapp.com/advisory/ntap-20190307-0007/" ] }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "systemd-sysv", + "InstalledVersion": "229-4ubuntu21.22", + "FixedVersion": "229-4ubuntu21.27", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, { "VulnerabilityID": "CVE-2018-20482", "PkgName": "tar", @@ -2652,6 +3388,7 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "tar: Infinite read loop in sparse_dump_region function in sparse.c", "Description": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).", "Severity": "LOW", 
@@ -2668,6 +3405,24 @@ "https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug" ] }, + { + "VulnerabilityID": "CVE-2019-9923", + "PkgName": "tar", + "InstalledVersion": "1.28-2.1ubuntu0.1", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", + "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", + "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", + "Severity": "LOW", + "References": [ + "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", + "http://savannah.gnu.org/bugs/?55369", + "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" + ] + }, { "VulnerabilityID": "CVE-2016-2779", "PkgName": "util-linux", @@ -2675,9 +3430,10 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: runuser tty hijack via TIOCSTI ioctl", "Description": "runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2016/02/27/1", "http://www.openwall.com/lists/oss-security/2016/02/27/2", 
@@ -2692,10 +3448,13 @@ "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Extended partition loop in MBR partition table leads to DOS", "Description": "The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-5011.html", + "http://linux.oracle.com/errata/ELSA-2016-2605.html", "http://rhn.redhat.com/errata/RHSA-2016-2605.html", "http://www-01.ibm.com/support/docview.wss?uid=isg3T1024543", "http://www-01.ibm.com/support/docview.wss?uid=nas8N1021801", 
@@ -2707,15 +3466,59 @@ ] }, { - "VulnerabilityID": "CVE-2016-9841", + "VulnerabilityID": "CVE-2016-9840", "PkgName": "zlib1g", "InstalledVersion": "1:1.2.8.dfsg-2ubuntu4.1", + "FixedVersion": "1:1.2.8.dfsg-2ubuntu4.3", "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "zlib: Out-of-bounds pointer arithmetic in inftrees.c", + "Description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html", + "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html", + "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html", + "http://www.openwall.com/lists/oss-security/2016/12/05/21", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/95131", + "http://www.securitytracker.com/id/1039427", + "https://access.redhat.com/errata/RHSA-2017:1220", + "https://access.redhat.com/errata/RHSA-2017:1221", + "https://access.redhat.com/errata/RHSA-2017:1222", + "https://access.redhat.com/errata/RHSA-2017:2999", + "https://access.redhat.com/errata/RHSA-2017:3046", + "https://access.redhat.com/errata/RHSA-2017:3047", + "https://access.redhat.com/errata/RHSA-2017:3453", + "https://bugzilla.redhat.com/show_bug.cgi?id=1402345", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840", + "https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7", + "https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html", + "https://security.gentoo.org/glsa/201701-56", + "https://support.apple.com/HT208112", + 
"https://support.apple.com/HT208113", + "https://support.apple.com/HT208115", + "https://support.apple.com/HT208144", + "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib", + "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf" + ] + }, + { + "VulnerabilityID": "CVE-2016-9841", + "PkgName": "zlib1g", + "InstalledVersion": "1:1.2.8.dfsg-2ubuntu4.1", + "FixedVersion": "1:1.2.8.dfsg-2ubuntu4.3", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", "Title": "zlib: Out-of-bounds pointer arithmetic in inffast.c", "Description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html", "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html", 
@@ -2750,15 +3553,59 @@ ] }, { - "VulnerabilityID": "CVE-2016-9843", + "VulnerabilityID": "CVE-2016-9842", "PkgName": "zlib1g", "InstalledVersion": "1:1.2.8.dfsg-2ubuntu4.1", + "FixedVersion": "1:1.2.8.dfsg-2ubuntu4.3", "Layer": { "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" }, + "SeveritySource": "ubuntu", + "Title": "zlib: Undefined left shift of negative number", + "Description": "The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html", + "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html", + "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html", + "http://www.openwall.com/lists/oss-security/2016/12/05/21", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/95131", + "http://www.securitytracker.com/id/1039427", + "https://access.redhat.com/errata/RHSA-2017:1220", + "https://access.redhat.com/errata/RHSA-2017:1221", + "https://access.redhat.com/errata/RHSA-2017:1222", + "https://access.redhat.com/errata/RHSA-2017:2999", + "https://access.redhat.com/errata/RHSA-2017:3046", + "https://access.redhat.com/errata/RHSA-2017:3047", + "https://access.redhat.com/errata/RHSA-2017:3453", + "https://bugzilla.redhat.com/show_bug.cgi?id=1402348", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842", + "https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7", + "https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html", + "https://security.gentoo.org/glsa/201701-56", + 
"https://support.apple.com/HT208112", + "https://support.apple.com/HT208113", + "https://support.apple.com/HT208115", + "https://support.apple.com/HT208144", + "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib", + "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf" + ] + }, + { + "VulnerabilityID": "CVE-2016-9843", + "PkgName": "zlib1g", + "InstalledVersion": "1:1.2.8.dfsg-2ubuntu4.1", + "FixedVersion": "1:1.2.8.dfsg-2ubuntu4.3", + "Layer": { + "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" + }, + "SeveritySource": "ubuntu", "Title": "zlib: Big-endian out-of-bounds pointer", "Description": "The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html", "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html", 
@@ -2791,86 +3638,6 @@ "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib", "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf" ] - }, - { - "VulnerabilityID": "CVE-2016-9840", - "PkgName": "zlib1g", - "InstalledVersion": "1:1.2.8.dfsg-2ubuntu4.1", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "zlib: Out-of-bounds pointer arithmetic in inftrees.c", - "Description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html", - "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html", - "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html", - "http://www.openwall.com/lists/oss-security/2016/12/05/21", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/95131", - "http://www.securitytracker.com/id/1039427", - "https://access.redhat.com/errata/RHSA-2017:1220", - "https://access.redhat.com/errata/RHSA-2017:1221", - "https://access.redhat.com/errata/RHSA-2017:1222", - "https://access.redhat.com/errata/RHSA-2017:2999", - "https://access.redhat.com/errata/RHSA-2017:3046", - "https://access.redhat.com/errata/RHSA-2017:3047", - "https://access.redhat.com/errata/RHSA-2017:3453", - "https://bugzilla.redhat.com/show_bug.cgi?id=1402345", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840", - "https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7", - "https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0", - "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html", - "https://security.gentoo.org/glsa/201701-56", - 
"https://support.apple.com/HT208112", - "https://support.apple.com/HT208113", - "https://support.apple.com/HT208115", - "https://support.apple.com/HT208144", - "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib", - "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf" - ] - }, - { - "VulnerabilityID": "CVE-2016-9842", - "PkgName": "zlib1g", - "InstalledVersion": "1:1.2.8.dfsg-2ubuntu4.1", - "Layer": { - "DiffID": "sha256:f749b9b0fb213e9897417a985aaa9753d41bff474e1d0c0d1d266c4512eaf031" - }, - "Title": "zlib: Undefined left shift of negative number", - "Description": "The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html", - "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html", - "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html", - "http://www.openwall.com/lists/oss-security/2016/12/05/21", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/95131", - "http://www.securitytracker.com/id/1039427", - "https://access.redhat.com/errata/RHSA-2017:1220", - "https://access.redhat.com/errata/RHSA-2017:1221", - "https://access.redhat.com/errata/RHSA-2017:1222", - "https://access.redhat.com/errata/RHSA-2017:2999", - "https://access.redhat.com/errata/RHSA-2017:3046", - "https://access.redhat.com/errata/RHSA-2017:3047", - "https://access.redhat.com/errata/RHSA-2017:3453", - "https://bugzilla.redhat.com/show_bug.cgi?id=1402348", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842", - "https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7", - 
"https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958", - "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html", - "https://security.gentoo.org/glsa/201701-56", - "https://support.apple.com/HT208112", - "https://support.apple.com/HT208113", - "https://support.apple.com/HT208115", - "https://support.apple.com/HT208144", - "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib", - "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf" - ] } ] } diff --git a/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden b/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden index be92863a97..49908f78ce 100644 --- a/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden +++ b/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden @@ -1,6 +1,7 @@ [ { "Target": "testdata/fixtures/ubuntu-1804.tar.gz (ubuntu 18.04)", + "Type": "ubuntu", "Vulnerabilities": [ { "VulnerabilityID": "CVE-2019-5094", @@ -10,6 +11,8 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -21,6 +24,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "e2fsprogs", + "InstalledVersion": "1.44.1-1ubuntu1.1", + "FixedVersion": "1.44.1-1ubuntu1.3", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "libcom-err2", @@ -29,6 +53,8 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -40,6 +66,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libcom-err2", + "InstalledVersion": "1.44.1-1ubuntu1.1", + "FixedVersion": "1.44.1-1ubuntu1.3", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "libext2fs2", @@ -48,6 +95,8 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -59,6 +108,90 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libext2fs2", + "InstalledVersion": "1.44.1-1ubuntu1.1", + "FixedVersion": "1.44.1-1ubuntu1.3", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-13627", + "PkgName": "libgcrypt20", + "InstalledVersion": "1.8.1-4ubuntu1.1", + "FixedVersion": "1.8.1-4ubuntu1.2", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library", + "Description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. 
Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html", + "http://www.openwall.com/lists/oss-security/2019/10/02/2", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13627", + "https://dev.gnupg.org/T4683", + "https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html", + "https://minerva.crocs.fi.muni.cz/", + "https://security-tracker.debian.org/tracker/CVE-2019-13627" + ] + }, + { + "VulnerabilityID": "CVE-2019-12290", + "PkgName": "libidn2-0", + "InstalledVersion": "2.0.4-1.1build2", + "FixedVersion": "2.0.4-1.1ubuntu0.2", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. 
By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.", + "Severity": "MEDIUM", + "References": [ + "https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5", + "https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de", + "https://gitlab.com/libidn/libidn2/merge_requests/71", + "https://usn.ubuntu.com/4168-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18224", + "PkgName": "libidn2-0", + "InstalledVersion": "2.0.4-1.1build2", + "FixedVersion": "2.0.4-1.1ubuntu0.2", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c", + "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224", + "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c", + "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/", + "https://usn.ubuntu.com/4168-1/" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "libss2", 
@@ -67,6 +200,8 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ @@ -78,6 +213,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libss2", + "InstalledVersion": "1.44.1-1ubuntu1.1", + "FixedVersion": "1.44.1-1ubuntu1.3", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2019-15718", "PkgName": "libsystemd0", 
@@ -86,17 +242,94 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-15718.html", + "http://linux.oracle.com/errata/ELSA-2019-3592.html", "http://www.openwall.com/lists/oss-security/2019/09/03/1", "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" ] }, + { + "VulnerabilityID": "CVE-2020-1712", + "PkgName": "libsystemd0", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. 
A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "libsystemd0", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3843", + "PkgName": "libsystemd0", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: services with DynamicUser can create SUID/SGID binaries", + "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/108116", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/", + "https://security.netapp.com/advisory/ntap-20190619-0002/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3844", + "PkgName": "libsystemd0", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries", + "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/108096", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844", + "https://security.netapp.com/advisory/ntap-20190619-0002/" + ] + }, { "VulnerabilityID": "CVE-2019-15718", "PkgName": "libudev1", 
@@ -105,17 +338,94 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", - "Severity": "LOW", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2019-15718.html", + "http://linux.oracle.com/errata/ELSA-2019-3592.html", "http://www.openwall.com/lists/oss-security/2019/09/03/1", "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" ] }, + { + "VulnerabilityID": "CVE-2020-1712", + "PkgName": "libudev1", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. 
A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "libudev1", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3843", + "PkgName": "libudev1", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: services with DynamicUser can create SUID/SGID binaries", + "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/108116", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/", + "https://security.netapp.com/advisory/ntap-20190619-0002/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3844", + "PkgName": "libudev1", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries", + "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/108096", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844", + "https://security.netapp.com/advisory/ntap-20190619-0002/" + ] + }, { "VulnerabilityID": "CVE-2019-11922", "PkgName": "libzstd1", @@ -124,6 +434,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Description": "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.", "Severity": "MEDIUM", "References": [ 
diff --git a/integration/testdata/ubuntu-1804.json.golden b/integration/testdata/ubuntu-1804.json.golden index ce860f8c24..f358f9fed6 100644 --- a/integration/testdata/ubuntu-1804.json.golden +++ b/integration/testdata/ubuntu-1804.json.golden @@ -1,7 +1,25 @@ [ { "Target": "testdata/fixtures/ubuntu-1804.tar.gz (ubuntu 18.04)", + "Type": "ubuntu", "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-18276", + "PkgName": "bash", + "InstalledVersion": "4.4.18-2ubuntu1.2", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped", + "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html", + "https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff", + "https://www.youtube.com/watch?v=-wGtxJ8opa8" + ] + }, { "VulnerabilityID": "CVE-2018-7738", "PkgName": "bsdutils", 
@@ -9,9 +27,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names", "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/103367", "https://bugs.debian.org/892179", @@ -28,6 +47,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "coreutils: Non-privileged session can escape to the parent session in chroot", "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "Severity": "LOW", @@ -43,8 +63,9 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Description": "dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/04/20/2", "http://www.securityfocus.com/bid/98064", 
@@ -59,6 +80,8 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ @@ -70,6 +93,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "e2fsprogs", + "InstalledVersion": "1.44.1-1ubuntu1.1", + "FixedVersion": "1.44.1-1ubuntu1.3", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2018-7738", "PkgName": "fdisk", 
@@ -77,9 +121,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names", "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/103367", "https://bugs.debian.org/892179", @@ -96,9 +141,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "GnuPG: interaction between the sks-keyserver code and GnuPG allows for a Certificate Spamming Attack which leads to persistent DoS", "Description": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "https://access.redhat.com/articles/4264021", "https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f", 
@@ -106,6 +152,24 @@ "https://twitter.com/lambdafu/status/1147162583969009664" ] }, + { + "VulnerabilityID": "CVE-2019-14855", + "PkgName": "gpgv", + "InstalledVersion": "2.2.4-1ubuntu1.2", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "gnupg2: OpenPGP Key Certification Forgeries with SHA-1", + "Description": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.", + "Severity": "LOW", + "References": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855", + "https://dev.gnupg.org/T4755", + "https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html", + "https://rwc.iacr.org/2020/slides/Leurent.pdf" + ] + }, { "VulnerabilityID": "CVE-2018-7738", "PkgName": "libblkid1", @@ -113,9 +177,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names", "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/103367", "https://bugs.debian.org/892179", 
@@ -132,10 +197,13 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow", "Description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-11236.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/104255", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", 
@@ -148,25 +216,52 @@ ] }, { - "VulnerabilityID": "CVE-2019-9169", + "VulnerabilityID": "CVE-2018-11237", "PkgName": "libc-bin", "InstalledVersion": "2.27-3ubuntu1", "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, - "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", + "SeveritySource": "ubuntu", + "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper", + "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.", + "Severity": "MEDIUM", "References": [ - "http://www.securityfocus.com/bid/107160", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", - "https://support.f5.com/csp/article/K54823184" + "http://linux.oracle.com/cve/CVE-2018-11237.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", + "http://www.securityfocus.com/bid/104256", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3092", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237", + "https://security.netapp.com/advisory/ntap-20190329-0001/", + 
"https://security.netapp.com/advisory/ntap-20190401-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23196", + "https://www.exploit-db.com/exploits/44750/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-19591", + "PkgName": "libc-bin", + "InstalledVersion": "2.27-3ubuntu1", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/106037", + "http://www.securitytracker.com/id/1042174", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19591", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO7WHN52GFMC5F2I2232GFIPSSXWFV7G/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M52KE4YR3GNMHQUOS3DKAGZD5TQ5D5UH/", + "https://security.gentoo.org/glsa/201903-09", + "https://security.netapp.com/advisory/ntap-20190321-0003/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23927", + "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=NEWS;hb=HEAD", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d527c860f5a3f0ed687bd03f0cb464612dc23408" ] }, { 
@@ -176,9 +271,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", @@ -199,9 +295,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", 
@@ -217,9 +314,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", @@ -233,10 +331,13 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", "http://www.securityfocus.com/bid/106672", "https://access.redhat.com/errata/RHSA-2019:2118", 
@@ -245,51 +346,6 @@ "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" ] }, - { - "VulnerabilityID": "CVE-2018-11237", - "PkgName": "libc-bin", - "InstalledVersion": "2.27-3ubuntu1", - "Layer": { - "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" - }, - "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper", - "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/104256", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3092", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237", - "https://security.netapp.com/advisory/ntap-20190329-0001/", - "https://security.netapp.com/advisory/ntap-20190401-0001/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23196", - "https://www.exploit-db.com/exploits/44750/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" - ] - }, - { - "VulnerabilityID": "CVE-2018-19591", - "PkgName": "libc-bin", - "InstalledVersion": "2.27-3ubuntu1", - "Layer": { - "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" - }, - "Title": "glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. 
This is related to the if_nametoindex() function.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106037", - "http://www.securitytracker.com/id/1042174", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19591", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO7WHN52GFMC5F2I2232GFIPSSXWFV7G/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M52KE4YR3GNMHQUOS3DKAGZD5TQ5D5UH/", - "https://security.gentoo.org/glsa/201903-09", - "https://security.netapp.com/advisory/ntap-20190321-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23927", - "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=NEWS;hb=HEAD", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d527c860f5a3f0ed687bd03f0cb464612dc23408" - ] - }, { "VulnerabilityID": "CVE-2018-20796", "PkgName": "libc-bin", 
@@ -297,28 +353,16 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107160", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "https://security.netapp.com/advisory/ntap-20190315-0002/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9192", - "PkgName": "libc-bin", - "InstalledVersion": "2.27-3ubuntu1", - "Layer": { - "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" - }, - "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", - "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" ] }, { 
@@ -328,6 +372,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: memcmp function incorrectly returns zero", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.", "Severity": "LOW", 
@@ -338,6 +383,45 @@ "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html" ] }, + { + "VulnerabilityID": "CVE-2019-9169", + "PkgName": "libc-bin", + "InstalledVersion": "2.27-3ubuntu1", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", + "https://support.f5.com/csp/article/K54823184" + ] + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgName": "libc-bin", + "InstalledVersion": "2.27-3ubuntu1", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, { "VulnerabilityID": "CVE-2018-11236", "PkgName": "libc6", @@ -345,10 +429,13 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow", "Description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.", - "Severity": "HIGH", + "Severity": "MEDIUM", "References": [ + "http://linux.oracle.com/cve/CVE-2018-11236.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", "http://www.securityfocus.com/bid/104255", "https://access.redhat.com/errata/RHBA-2019:0327", "https://access.redhat.com/errata/RHSA-2018:3092", 
@@ -361,25 +448,52 @@ ] }, { - "VulnerabilityID": "CVE-2019-9169", + "VulnerabilityID": "CVE-2018-11237", "PkgName": "libc6", "InstalledVersion": "2.27-3ubuntu1", "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, - "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", - "Severity": "HIGH", + "SeveritySource": "ubuntu", + "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper", + "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.", + "Severity": "MEDIUM", "References": [ - "http://www.securityfocus.com/bid/107160", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", - "https://support.f5.com/csp/article/K54823184" + "http://linux.oracle.com/cve/CVE-2018-11237.html", + "http://linux.oracle.com/errata/ELSA-2018-3092.html", + "http://www.securityfocus.com/bid/104256", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://access.redhat.com/errata/RHSA-2018:3092", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237", + "https://security.netapp.com/advisory/ntap-20190329-0001/", + 
"https://security.netapp.com/advisory/ntap-20190401-0001/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23196", + "https://www.exploit-db.com/exploits/44750/", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ] + }, + { + "VulnerabilityID": "CVE-2018-19591", + "PkgName": "libc6", + "InstalledVersion": "2.27-3ubuntu1", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/106037", + "http://www.securitytracker.com/id/1042174", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19591", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO7WHN52GFMC5F2I2232GFIPSSXWFV7G/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M52KE4YR3GNMHQUOS3DKAGZD5TQ5D5UH/", + "https://security.gentoo.org/glsa/201903-09", + "https://security.netapp.com/advisory/ntap-20190321-0003/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=23927", + "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=NEWS;hb=HEAD", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d527c860f5a3f0ed687bd03f0cb464612dc23408" ] }, { 
@@ -389,9 +503,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result", "Description": "In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5155", @@ -412,9 +527,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: potential denial of service in pop_fail_stack()", "Description": "The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.openwall.com/lists/oss-security/2017/02/14/9", "http://www.securityfocus.com/bid/76916", 
@@ -430,9 +546,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: iconv program can hang when invoked with the -c option", "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/03/01/10", "http://www.securityfocus.com/bid/96525", @@ -446,10 +563,13 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters", "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ + "http://linux.oracle.com/cve/CVE-2016-10739.html", + "http://linux.oracle.com/errata/ELSA-2019-3513.html", "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html", "http://www.securityfocus.com/bid/106672", "https://access.redhat.com/errata/RHSA-2019:2118", 
@@ -458,51 +578,6 @@ "https://sourceware.org/bugzilla/show_bug.cgi?id=20018" ] }, - { - "VulnerabilityID": "CVE-2018-11237", - "PkgName": "libc6", - "InstalledVersion": "2.27-3ubuntu1", - "Layer": { - "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" - }, - "Title": "glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper", - "Description": "An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/104256", - "https://access.redhat.com/errata/RHBA-2019:0327", - "https://access.redhat.com/errata/RHSA-2018:3092", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237", - "https://security.netapp.com/advisory/ntap-20190329-0001/", - "https://security.netapp.com/advisory/ntap-20190401-0001/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23196", - "https://www.exploit-db.com/exploits/44750/", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" - ] - }, - { - "VulnerabilityID": "CVE-2018-19591", - "PkgName": "libc6", - "InstalledVersion": "2.27-3ubuntu1", - "Layer": { - "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" - }, - "Title": "glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c", - "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. 
This is related to the if_nametoindex() function.", - "Severity": "MEDIUM", - "References": [ - "http://www.securityfocus.com/bid/106037", - "http://www.securitytracker.com/id/1042174", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19591", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO7WHN52GFMC5F2I2232GFIPSSXWFV7G/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M52KE4YR3GNMHQUOS3DKAGZD5TQ5D5UH/", - "https://security.gentoo.org/glsa/201903-09", - "https://security.netapp.com/advisory/ntap-20190321-0003/", - "https://sourceware.org/bugzilla/show_bug.cgi?id=23927", - "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=NEWS;hb=HEAD", - "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d527c860f5a3f0ed687bd03f0cb464612dc23408" - ] - }, { "VulnerabilityID": "CVE-2018-20796", "PkgName": "libc6", 
@@ -510,28 +585,16 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/107160", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "https://security.netapp.com/advisory/ntap-20190315-0002/" - ] - }, - { - "VulnerabilityID": "CVE-2019-9192", - "PkgName": "libc6", - "InstalledVersion": "2.27-3ubuntu1", - "Layer": { - "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" - }, - "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", - "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "Severity": "MEDIUM", - "References": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269" + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" ] }, { 
@@ -541,6 +604,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "glibc: memcmp function incorrectly returns zero", "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.", "Severity": "LOW", 
@@ -551,6 +615,45 @@ "https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html" ] }, + { + "VulnerabilityID": "CVE-2019-9169", + "PkgName": "libc6", + "InstalledVersion": "2.27-3ubuntu1", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read", + "Description": "In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.", + "Severity": "LOW", + "References": [ + "http://www.securityfocus.com/bid/107160", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140", + "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10278", + "https://security.netapp.com/advisory/ntap-20190315-0002/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=24114", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9", + "https://support.f5.com/csp/article/K54823184" + ] + }, + { + "VulnerabilityID": "CVE-2019-9192", + "PkgName": "libc6", + "InstalledVersion": "2.27-3ubuntu1", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", + "Description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "Severity": "LOW", + "References": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", + "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "libcom-err2", @@ -559,6 +662,8 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -570,6 +675,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libcom-err2", + "InstalledVersion": "1.44.1-1ubuntu1.1", + "FixedVersion": "1.44.1-1ubuntu1.3", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2019-5094", "PkgName": "libext2fs2", @@ -578,6 +704,8 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -589,6 +717,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libext2fs2", + "InstalledVersion": "1.44.1-1ubuntu1.1", + "FixedVersion": "1.44.1-1ubuntu1.3", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2018-7738", "PkgName": "libfdisk1", 
@@ -596,9 +745,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names", "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/103367", "https://bugs.debian.org/892179", @@ -608,6 +758,29 @@ "https://www.debian.org/security/2018/dsa-4134" ] }, + { + "VulnerabilityID": "CVE-2019-13627", + "PkgName": "libgcrypt20", + "InstalledVersion": "1.8.1-4ubuntu1.1", + "FixedVersion": "1.8.1-4ubuntu1.2", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library", + "Description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html", + "http://www.openwall.com/lists/oss-security/2019/10/02/2", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13627", + "https://dev.gnupg.org/T4683", + "https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html", + "https://minerva.crocs.fi.muni.cz/", + "https://security-tracker.debian.org/tracker/CVE-2019-13627" + ] + }, { "VulnerabilityID": "CVE-2019-12904", "PkgName": "libgcrypt20", 
@@ -615,9 +788,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack", "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00049.html", "https://dev.gnupg.org/T4541", @@ -626,25 +800,6 @@ "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12904.html" ] }, - { - "VulnerabilityID": "CVE-2019-13627", - "PkgName": "libgcrypt20", - "InstalledVersion": "1.8.1-4ubuntu1.1", - "Layer": { - "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" - }, - "Description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", - "Severity": "MEDIUM", - "References": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00060.html", - "http://www.openwall.com/lists/oss-security/2019/10/02/2", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13627", - "https://github.com/gpg/libgcrypt/releases/tag/libgcrypt-1.8.5", - "https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html", - "https://minerva.crocs.fi.muni.cz/", - "https://security-tracker.debian.org/tracker/CVE-2019-13627" - ] - }, { "VulnerabilityID": "CVE-2018-16868", "PkgName": "libgnutls30", 
@@ -652,6 +807,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "gnutls: Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification", "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.", "Severity": "LOW", @@ -671,6 +827,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "nettle: Leaky data conversion exposing a manager oracle", "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.", "Severity": "LOW", 
@@ -681,6 +838,72 @@ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16869" ] }, + { + "VulnerabilityID": "CVE-2019-12290", + "PkgName": "libidn2-0", + "InstalledVersion": "2.0.4-1.1build2", + "FixedVersion": "2.0.4-1.1ubuntu0.2", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.", + "Severity": "MEDIUM", + "References": [ + "https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5", + "https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de", + "https://gitlab.com/libidn/libidn2/merge_requests/71", + "https://usn.ubuntu.com/4168-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-18224", + "PkgName": "libidn2-0", + "InstalledVersion": "2.0.4-1.1build2", + "FixedVersion": "2.0.4-1.1ubuntu0.2", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c", + "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.", + "Severity": "MEDIUM", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224", + "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c", + 
"https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/", + "https://usn.ubuntu.com/4168-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-17543", + "PkgName": "liblz4-1", + "InstalledVersion": "0.0~r131-2ubuntu3", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "lz4: heap-based buffer overflow in LZ4_write32", + "Description": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html", + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941", + "https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2", + "https://github.com/lz4/lz4/issues/801", + "https://github.com/lz4/lz4/pull/756", + "https://github.com/lz4/lz4/pull/760", + "https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E", + "https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E", + 
"https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E" + ] + }, { "VulnerabilityID": "CVE-2018-7738", "PkgName": "libmount1", @@ -688,9 +911,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names", "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/103367", "https://bugs.debian.org/892179", 
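Review bot: The new CVE-2019-12290 entry for libidn2-0 in the `@@ -681,6 +838,72 @@` hunk has `SeveritySource`, `Description`, `Severity` and `References` but no `Title`, while the sibling CVE-2019-18224 entry and every other entry added by this change carry one. Elsewhere in the diff entries that previously lacked a title (CVE-2019-5094, CVE-2019-13627) gain one with the DB bump, so a still-missing title stands out; it is probably simply absent from the updated trivy-db record, but that is worth confirming against the DB rather than assumed, since this fixture will otherwise pin the omission as expected behaviour.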
@@ -700,6 +924,82 @@ "https://www.debian.org/security/2018/dsa-4134" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "libncurses5", + "InstalledVersion": "6.1-1ubuntu1.18.04", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "libncurses5", + "InstalledVersion": "6.1-1ubuntu1.18.04", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": 
"libncursesw5", + "InstalledVersion": "6.1-1ubuntu1.18.04", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "libncursesw5", + "InstalledVersion": "6.1-1ubuntu1.18.04", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2018-16869", "PkgName": "libnettle6", 
@@ -707,6 +1007,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "nettle: Leaky data conversion exposing a manager oracle", "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.", "Severity": "LOW", @@ -724,9 +1025,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", "Description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://openwall.com/lists/oss-security/2017/07/11/3", "http://www.securityfocus.com/bid/99575" @@ -739,9 +1041,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", 
@@ -756,9 +1059,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/97067", "https://access.redhat.com/errata/RHSA-2018:2486", @@ -773,9 +1077,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names", "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/103367", "https://bugs.debian.org/892179", @@ -793,6 +1098,8 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: crafted ext4 partition leads to out-of-bounds write", "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "Severity": "MEDIUM", "References": [ 
@@ -804,6 +1111,27 @@ "https://www.debian.org/security/2019/dsa-4535" ] }, + { + "VulnerabilityID": "CVE-2019-5188", + "PkgName": "libss2", + "InstalledVersion": "1.44.1-1ubuntu1.1", + "FixedVersion": "1.44.1-1ubuntu1.3", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "e2fsprogs: Out-of-bounds write in e2fsck/rehash.c", + "Description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973", + "https://usn.ubuntu.com/4249-1/" + ] + }, { "VulnerabilityID": "CVE-2018-20839", "PkgName": "libsystemd0", @@ -811,6 +1139,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker", "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.", "Severity": "MEDIUM", 
@@ -823,15 +1152,76 @@ ] }, { - "VulnerabilityID": "CVE-2019-3843", + "VulnerabilityID": "CVE-2019-15718", "PkgName": "libsystemd0", "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.28", "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", + "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", + "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-15718.html", + "http://linux.oracle.com/errata/ELSA-2019-3592.html", + "http://www.openwall.com/lists/oss-security/2019/09/03/1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" + ] + }, + { + "VulnerabilityID": "CVE-2020-1712", + "PkgName": "libsystemd0", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap 
use-after-free vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "libsystemd0", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3843", + "PkgName": "libsystemd0", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", "Title": "systemd: services with DynamicUser can create SUID/SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/108116", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843", 
@@ -843,37 +1233,20 @@ "VulnerabilityID": "CVE-2019-3844", "PkgName": "libsystemd0", "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/108096", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844", "https://security.netapp.com/advisory/ntap-20190619-0002/" ] }, - { - "VulnerabilityID": "CVE-2019-15718", - "PkgName": "libsystemd0", - "InstalledVersion": "237-3ubuntu10.25", - "FixedVersion": "237-3ubuntu10.28", - "Layer": { - "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" - }, - "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", - "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. 
An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", - "Severity": "LOW", - "References": [ - "http://www.openwall.com/lists/oss-security/2019/09/03/1", - "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" - ] - }, { "VulnerabilityID": "CVE-2018-1000654", "PkgName": "libtasn1-6", @@ -881,9 +1254,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion", "Description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.html", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html", 
@@ -891,6 +1265,44 @@ "https://gitlab.com/gnutls/libtasn1/issues/4" ] }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "libtinfo5", + "InstalledVersion": "6.1-1ubuntu1.18.04", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "libtinfo5", + "InstalledVersion": "6.1-1ubuntu1.18.04", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, { "VulnerabilityID": "CVE-2018-20839", "PkgName": 
"libudev1", @@ -898,6 +1310,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "systemd: mishandling of the current keyboard mode check leading to passwords being disclosed in cleartext to attacker", "Description": "systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.", "Severity": "MEDIUM", 
@@ -910,15 +1323,76 @@ ] }, { - "VulnerabilityID": "CVE-2019-3843", + "VulnerabilityID": "CVE-2019-15718", "PkgName": "libudev1", "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.28", "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", + "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", + "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2019-15718.html", + "http://linux.oracle.com/errata/ELSA-2019-3592.html", + "http://www.openwall.com/lists/oss-security/2019/09/03/1", + "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15718", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" + ] + }, + { + "VulnerabilityID": "CVE-2020-1712", + "PkgName": "libudev1", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: use-after-free when asynchronous polkit queries are performed", + "Description": "A heap use-after-free 
vulnerability was found in systemd, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.", + "Severity": "MEDIUM", + "References": [ + "http://linux.oracle.com/cve/CVE-2020-1712.html", + "http://linux.oracle.com/errata/ELSA-2020-0575.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-20386", + "PkgName": "libudev1", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received", + "Description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html", + "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad", + "https://security.netapp.com/advisory/ntap-20200210-0002/", + "https://usn.ubuntu.com/4269-1/" + ] + }, + { + "VulnerabilityID": "CVE-2019-3843", + "PkgName": "libudev1", + "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", "Title": "systemd: services with DynamicUser can create SUID/SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/108116", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843", 
@@ -930,37 +1404,20 @@ "VulnerabilityID": "CVE-2019-3844", "PkgName": "libudev1", "InstalledVersion": "237-3ubuntu10.25", + "FixedVersion": "237-3ubuntu10.38", "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "systemd: services with DynamicUser can get new privileges and create SGID binaries", "Description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", - "Severity": "MEDIUM", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/108096", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3844", "https://security.netapp.com/advisory/ntap-20190619-0002/" ] }, - { - "VulnerabilityID": "CVE-2019-15718", - "PkgName": "libudev1", - "InstalledVersion": "237-3ubuntu10.25", - "FixedVersion": "237-3ubuntu10.28", - "Layer": { - "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" - }, - "Title": "systemd: systemd-resolved allows unprivileged users to configure DNS", - "Description": "In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. 
An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.", - "Severity": "LOW", - "References": [ - "http://www.openwall.com/lists/oss-security/2019/09/03/1", - "https://bugzilla.redhat.com/show_bug.cgi?id=1746057", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRE5IS24XTF5WNZGH2L7GSQJKARBOEGL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIKGKXZ5OEGOEYURHLJHEMFYNLEGAW5B/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2WNHRJW4XI6H5YMDG4BUFGPAXWUMUVG/" - ] - }, { "VulnerabilityID": "CVE-2018-7738", "PkgName": "libuuid1", @@ -968,9 +1425,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names", "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/103367", "https://bugs.debian.org/892179", @@ -988,6 +1446,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Description": "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.", "Severity": "MEDIUM", "References": [ 
@@ -998,21 +1457,6 @@ "https://www.facebook.com/security/advisories/cve-2019-11922" ] }, - { - "VulnerabilityID": "CVE-2018-7169", - "PkgName": "login", - "InstalledVersion": "1:4.5-1ubuntu2", - "Layer": { - "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" - }, - "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", - "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "Severity": "MEDIUM", - "References": [ - "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", - "https://security.gentoo.org/glsa/201805-09" - ] - }, { "VulnerabilityID": "CVE-2013-4235", "PkgName": "login", 
@@ -1020,9 +1464,31 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", - "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.", - "Severity": "LOW" + "Description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2013-4235", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", + "https://security-tracker.debian.org/tracker/CVE-2013-4235" + ] + }, + { + "VulnerabilityID": "CVE-2018-7169", + "PkgName": "login", + "InstalledVersion": "1:4.5-1ubuntu2", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", + "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. 
This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", + "Severity": "LOW", + "References": [ + "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", + "https://security.gentoo.org/glsa/201805-09" + ] }, { "VulnerabilityID": "CVE-2018-7738", @@ -1031,9 +1497,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names", "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/103367", "https://bugs.debian.org/892179", 
@@ -1044,18 +1511,79 @@ ] }, { - "VulnerabilityID": "CVE-2018-7169", - "PkgName": "passwd", - "InstalledVersion": "1:4.5-1ubuntu2", + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-base", + "InstalledVersion": "6.1-1ubuntu1.18.04", "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, - "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", - "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "Severity": "MEDIUM", + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", "References": [ - "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", - "https://security.gentoo.org/glsa/201805-09" + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses-base", + 
"InstalledVersion": "6.1-1ubuntu1.18.04", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17594", + "PkgName": "ncurses-bin", + "InstalledVersion": "6.1-1ubuntu1.18.04", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-17595", + "PkgName": "ncurses-bin", + "InstalledVersion": "6.1-1ubuntu1.18.04", + "Layer": { + "DiffID": 
"sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c", + "Description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "Severity": "LOW", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" ] }, { 
@@ -1065,9 +1593,31 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", - "Description": "A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.", - "Severity": "LOW" + "Description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "Severity": "LOW", + "References": [ + "https://access.redhat.com/security/cve/cve-2013-4235", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", + "https://security-tracker.debian.org/tracker/CVE-2013-4235" + ] + }, + { + "VulnerabilityID": "CVE-2018-7169", + "PkgName": "passwd", + "InstalledVersion": "1:4.5-1ubuntu2", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", + "Description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. 
This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", + "Severity": "LOW", + "References": [ + "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", + "https://security.gentoo.org/glsa/201805-09" + ] }, { "VulnerabilityID": "CVE-2018-20482", @@ -1076,6 +1626,7 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "tar: Infinite read loop in sparse_dump_region function in sparse.c", "Description": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).", "Severity": "LOW", @@ -1092,6 +1643,24 @@ "https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug" ] }, + { + "VulnerabilityID": "CVE-2019-9923", + "PkgName": "tar", + "InstalledVersion": "1.29b-2ubuntu0.1", + "Layer": { + "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" + }, + "SeveritySource": "ubuntu", + "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c", + "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", + "Severity": "LOW", + "References": [ + "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120", + "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html", + "http://savannah.gnu.org/bugs/?55369", + "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" + ] + }, { "VulnerabilityID": "CVE-2018-7738", "PkgName": "util-linux", 
@@ -1099,9 +1668,10 @@ "Layer": { "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f" }, + "SeveritySource": "ubuntu", "Title": "util-linux: Shell command injection in unescaped bash-completed mount point names", "Description": "In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.", - "Severity": "HIGH", + "Severity": "LOW", "References": [ "http://www.securityfocus.com/bid/103367", "https://bugs.debian.org/892179", diff --git a/internal/standalone/run.go b/internal/standalone/run.go index 39b52374ef..507b32e155 100644 --- a/internal/standalone/run.go +++ b/internal/standalone/run.go @@ -102,7 +102,7 @@ func run(c config.Config) (err error) { vulnClient := initializeVulnerabilityClient() for i := range results { - vulnClient.FillInfo(results[i].Vulnerabilities, c.Light) + vulnClient.FillInfo(results[i].Vulnerabilities, results[i].Type) results[i].Vulnerabilities = vulnClient.Filter(results[i].Vulnerabilities, c.Severities, c.IgnoreUnfixed, c.IgnoreFile) } diff --git a/pkg/report/writer.go b/pkg/report/writer.go index e95edb06e9..2aa84194f9 100644 --- a/pkg/report/writer.go +++ b/pkg/report/writer.go @@ -20,6 +20,7 @@ type Results []Result type Result struct { Target string `json:"Target"` + Type string `json:"Type,omitempty"` Vulnerabilities []types.DetectedVulnerability `json:"Vulnerabilities"` } diff --git a/pkg/rpc/client/client.go b/pkg/rpc/client/client.go index 2f230db474..c8e7fa38a5 100644 --- a/pkg/rpc/client/client.go +++ b/pkg/rpc/client/client.go 
@@ -4,12 +4,13 @@ import ( "context" "net/http" + ftypes "github.com/aquasecurity/fanal/types" + "github.com/aquasecurity/trivy/pkg/types" "github.com/google/wire" "golang.org/x/xerrors" - ftypes "github.com/aquasecurity/fanal/types" "github.com/aquasecurity/trivy/pkg/report" r "github.com/aquasecurity/trivy/pkg/rpc" rpc "github.com/aquasecurity/trivy/rpc/scanner" diff --git a/pkg/rpc/client/client_test.go b/pkg/rpc/client/client_test.go index 81e17d8cdb..55e9056966 100644 --- a/pkg/rpc/client/client_test.go +++ b/pkg/rpc/client/client_test.go @@ -152,6 +152,7 @@ func TestScanner_Scan(t *testing.T) { Description: "Denial os Service", Severity: common.Severity_CRITICAL, References: []string{"http://exammple.com"}, + SeveritySource: "nvd", Layer: &common.Layer{ DiffId: "sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10", }, @@ -177,6 +178,7 @@ func TestScanner_Scan(t *testing.T) { Severity: "CRITICAL", References: []string{"http://exammple.com"}, }, + SeveritySource: "nvd", Layer: ftypes.Layer{ DiffID: "sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10", }, diff --git a/pkg/rpc/convert.go b/pkg/rpc/convert.go index 5ec9586173..7779f00145 100644 --- a/pkg/rpc/convert.go +++ b/pkg/rpc/convert.go @@ -115,6 +115,7 @@ func ConvertToRpcVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil Digest: vuln.Layer.Digest, DiffId: vuln.Layer.DiffID, }, + SeveritySource: vuln.SeveritySource, }) } return rpcVulns @@ -142,11 +143,13 @@ func ConvertFromRpcResults(rpcResults []*scanner.Result) []report.Result { Digest: vuln.Layer.Digest, DiffID: vuln.Layer.DiffId, }, + SeveritySource: vuln.SeveritySource, }) } results = append(results, report.Result{ Target: result.Target, Vulnerabilities: vulns, + Type: result.Type, }) } return results 
@@ -299,6 +302,7 @@ func ConvertToRpcScanResponse(results report.Results, os *ftypes.OS, eosl bool) rpcResults = append(rpcResults, &scanner.Result{ Target: result.Target, Vulnerabilities: ConvertToRpcVulns(result.Vulnerabilities), + Type: result.Type, }) } diff --git a/pkg/rpc/server/library/server.go b/pkg/rpc/server/library/server.go index 38aa009b06..e1bdaa5e3d 100644 --- a/pkg/rpc/server/library/server.go +++ b/pkg/rpc/server/library/server.go @@ -39,7 +39,7 @@ func (s *Server) Detect(_ context.Context, req *proto.LibDetectRequest) (res *pr return nil, err } - s.vulnClient.FillInfo(vulns, false) + s.vulnClient.FillInfo(vulns, "") return &proto.DetectResponse{Vulnerabilities: rpc.ConvertToRpcVulns(vulns)}, nil } diff --git a/pkg/rpc/server/library/server_test.go b/pkg/rpc/server/library/server_test.go index 8ecb1f9e58..9cfc57202a 100644 --- a/pkg/rpc/server/library/server_test.go +++ b/pkg/rpc/server/library/server_test.go @@ -100,7 +100,6 @@ func TestServer_Detect(t *testing.T) { }, }, }, - Light: false, }, }, wantRes: &proto.DetectResponse{ diff --git a/pkg/rpc/server/listen_test.go b/pkg/rpc/server/listen_test.go index 01309701d5..8e48b47f2a 100644 --- a/pkg/rpc/server/listen_test.go +++ b/pkg/rpc/server/listen_test.go @@ -20,7 +20,7 @@ import ( ) func TestMain(m *testing.M) { - log.InitLogger(false, false) + _ = log.InitLogger(false, false) os.Exit(m.Run()) } diff --git a/pkg/rpc/server/ospkg/server.go b/pkg/rpc/server/ospkg/server.go index ae4c4f67bd..d9df2b41a6 100644 --- a/pkg/rpc/server/ospkg/server.go +++ b/pkg/rpc/server/ospkg/server.go @@ -39,7 +39,7 @@ func (s *Server) Detect(_ context.Context, req *proto.OSDetectRequest) (res *pro return nil, err } - s.vulnClient.FillInfo(vulns, false) + s.vulnClient.FillInfo(vulns, "") return &proto.DetectResponse{Vulnerabilities: rpc.ConvertToRpcVulns(vulns), Eosl: eosl}, nil } diff --git a/pkg/rpc/server/ospkg/server_test.go b/pkg/rpc/server/ospkg/server_test.go index 8fc04f9e9e..9fb379a7ef 100644 
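Review bot: Passing `""` as the report type on the `s.vulnClient.FillInfo(vulns, "")` line means this endpoint never reaches the library cases (`npm`, `bundler`, `composer`, …) in the vulnerability client's switch, so a lockfile detected through this RPC gets the NVD rating while the same lockfile scanned standalone (which passes `results[i].Type`) gets the ecosystem advisory's rating — the two paths disagree on `Severity` and `SeveritySource` for identical input. If `LibDetectRequest` carries, or can be extended to carry, the application type, pass that instead of the empty string; if vendor severity is intentionally unavailable here, say so on the line, e.g. `// no application type on this RPC: vendor severity falls back to NVD`. `Detect` begins outside the hunk, so what `req` provides is not visible to me.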
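Review bot: The `s.vulnClient.FillInfo(vulns, "")` line discards the OS family even though the family is presumably on `req` (the OS detector invoked just above, outside the hunk, needs it), and the family string is exactly the key the vulnerability client's switch maps to a vendor source; with `""` every OS package found through this RPC is rated by NVD rather than the distribution, unlike the standalone path that passes `results[i].Type`. Pass the same family string the detector received instead of the empty string, or document on this line that this endpoint deliberately reports NVD severity. `Detect` begins outside the hunk, so I am inferring the request's contents from the call above it.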
--- a/pkg/rpc/server/ospkg/server_test.go +++ b/pkg/rpc/server/ospkg/server_test.go @@ -20,7 +20,7 @@ import ( ) func TestMain(m *testing.M) { - log.InitLogger(false, false) + _ = log.InitLogger(false, false) code := m.Run() os.Exit(code) } @@ -88,7 +88,6 @@ func TestServer_Detect(t *testing.T) { }, }, }, - Light: false, }, }, wantRes: &proto.DetectResponse{ diff --git a/pkg/rpc/server/server.go b/pkg/rpc/server/server.go index 0684d28487..d6c42a9eec 100644 --- a/pkg/rpc/server/server.go +++ b/pkg/rpc/server/server.go @@ -42,7 +42,7 @@ func (s *ScanServer) Scan(_ context.Context, in *rpcScanner.ScanRequest) (*rpcSc } for i := range results { - s.vulnClient.FillInfo(results[i].Vulnerabilities, false) + s.vulnClient.FillInfo(results[i].Vulnerabilities, results[i].Type) } return rpc.ConvertToRpcScanResponse(results, os, eosl), nil } diff --git a/pkg/rpc/server/server_test.go b/pkg/rpc/server/server_test.go index 2da0613f03..178baba6e9 100644 --- a/pkg/rpc/server/server_test.go +++ b/pkg/rpc/server/server_test.go @@ -73,8 +73,10 @@ func TestScanServer_Scan(t *testing.T) { InstalledVersion: "1.2.3", FixedVersion: "1.2.4", Vulnerability: dbTypes.Vulnerability{}, + SeveritySource: "nvd", }, }, + Type: "alpine", }, }, OsFound: &ftypes.OS{ @@ -92,9 +94,10 @@ func TestScanServer_Scan(t *testing.T) { InstalledVersion: "1.2.3", FixedVersion: "1.2.4", Vulnerability: dbTypes.Vulnerability{}, + SeveritySource: "nvd", }, }, - Light: false, + ReportType: "alpine", }, }, want: &rpcScanner.ScanResponse{ @@ -112,9 +115,11 @@ func TestScanServer_Scan(t *testing.T) { PkgName: "musl", InstalledVersion: "1.2.3", FixedVersion: "1.2.4", + SeveritySource: "nvd", Layer: &common.Layer{}, }, }, + Type: "alpine", }, }, }, diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go index 50e478860b..2b7fd4dbb2 100644 --- a/pkg/scanner/local/scan.go +++ b/pkg/scanner/local/scan.go 
@@ -119,6 +119,7 @@ func (s Scanner) scanOSPkg(target, osFamily, osName string, pkgs []ftypes.Packag result := &report.Result{ Target: imageDetail, Vulnerabilities: vulns, + Type: osFamily, } return result, eosl, nil } @@ -134,6 +135,7 @@ func (s Scanner) scanLibrary(apps []ftypes.Application) (report.Results, error) results = append(results, report.Result{ Target: app.FilePath, Vulnerabilities: vulns, + Type: app.Type, }) } sort.Slice(results, func(i, j int) bool { diff --git a/pkg/scanner/local/scan_test.go b/pkg/scanner/local/scan_test.go index 948140561a..c92fcc0700 100644 --- a/pkg/scanner/local/scan_test.go +++ b/pkg/scanner/local/scan_test.go @@ -4,7 +4,7 @@ import ( "errors" "testing" - ospkgDetector "github.com/aquasecurity/trivy/pkg/detector/ospkg" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" "github.com/stretchr/testify/require" @@ -12,6 +12,7 @@ import ( ftypes "github.com/aquasecurity/fanal/types" dtypes "github.com/aquasecurity/go-dep-parser/pkg/types" + ospkgDetector "github.com/aquasecurity/trivy/pkg/detector/ospkg" "github.com/aquasecurity/trivy/pkg/report" "github.com/aquasecurity/trivy/pkg/types" ) @@ -149,6 +150,7 @@ func TestScanner_Scan(t *testing.T) { }, }, }, + Type: vulnerability.Alpine, }, { Target: "/app/Gemfile.lock", @@ -163,6 +165,7 @@ func TestScanner_Scan(t *testing.T) { }, }, }, + Type: "bundler", }, }, wantOS: &ftypes.OS{ @@ -243,6 +246,7 @@ func TestScanner_Scan(t *testing.T) { }, }, }, + Type: "bundler", }, }, wantOS: &ftypes.OS{}, @@ -334,6 +338,7 @@ func TestScanner_Scan(t *testing.T) { }, }, }, + Type: "bundler", }, }, wantOS: &ftypes.OS{ @@ -458,6 +463,7 @@ func TestScanner_Scan(t *testing.T) { }, }, }, + Type: "bundler", }, { Target: "/app/composer-lock.json", @@ -472,6 +478,7 @@ func TestScanner_Scan(t *testing.T) { }, }, }, + Type: "composer", }, }, wantOS: &ftypes.OS{ diff --git a/pkg/scanner/scan_test.go b/pkg/scanner/scan_test.go index e0f5691da1..42e8b4bedb 100644 --- a/pkg/scanner/scan_test.go 
+++ b/pkg/scanner/scan_test.go @@ -29,7 +29,7 @@ func TestScanner_ScanImage(t *testing.T) { args args analyzeExpectation AnalyzerAnalyzeExpectation scanExpectation ScanExpectation - want report.Results + wantResults report.Results wantErr string }{ { @@ -73,6 +73,18 @@ func TestScanner_ScanImage(t *testing.T) { }, }, }, + { + Target: "node-app/package-lock.json", + Vulnerabilities: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2019-11358", + PkgName: "jquery", + InstalledVersion: "3.3.9", + FixedVersion: ">=3.4.0", + }, + }, + Type: "npm", + }, }, OsFound: &ftypes.OS{ Family: "alpine", @@ -81,7 +93,7 @@ func TestScanner_ScanImage(t *testing.T) { Eols: true, }, }, - want: report.Results{ + wantResults: report.Results{ { Target: "alpine:3.11", Vulnerabilities: []types.DetectedVulnerability{ @@ -97,6 +109,18 @@ func TestScanner_ScanImage(t *testing.T) { }, }, }, + { + Target: "node-app/package-lock.json", + Vulnerabilities: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2019-11358", + PkgName: "jquery", + InstalledVersion: "3.3.9", + FixedVersion: ">=3.4.0", + }, + }, + Type: "npm", + }, }, }, { @@ -154,7 +178,7 @@ func TestScanner_ScanImage(t *testing.T) { analyzer.ApplyAnalyzeExpectation(tt.analyzeExpectation) s := NewScanner(d, analyzer) - got, err := s.ScanImage(tt.args.options) + gotResults, err := s.ScanImage(tt.args.options) if tt.wantErr != "" { require.NotNil(t, err, tt.name) require.Contains(t, err.Error(), tt.wantErr, tt.name) @@ -163,7 +187,7 @@ func TestScanner_ScanImage(t *testing.T) { require.NoError(t, err, tt.name) } - assert.Equal(t, tt.want, got) + assert.Equal(t, tt.wantResults, gotResults, tt.name) }) } } diff --git a/pkg/types/vulnerability.go b/pkg/types/vulnerability.go index 29e009ec7a..8b43879771 100644 --- a/pkg/types/vulnerability.go +++ b/pkg/types/vulnerability.go 
@@ -11,6 +11,7 @@ type DetectedVulnerability struct { InstalledVersion string `json:",omitempty"` FixedVersion string `json:",omitempty"` Layer ftypes.Layer `json:",omitempty"` + SeveritySource string `json:",omitempty"` types.Vulnerability } diff --git a/pkg/vulnerability/mock_operation.go b/pkg/vulnerability/mock_operation.go index 673e7041ba..6c5093b077 100644 --- a/pkg/vulnerability/mock_operation.go +++ b/pkg/vulnerability/mock_operation.go @@ -12,10 +12,10 @@ type MockOperation struct { } type FillInfoArgs struct { - Vulns []types.DetectedVulnerability - VulnsAnything bool - Light bool - LightAnything bool + Vulns []types.DetectedVulnerability + VulnsAnything bool + ReportType string + ReportTypeAnything bool } type FillInfoExpectation struct { @@ -29,10 +29,10 @@ func (_m *MockOperation) ApplyFillInfoExpectation(e FillInfoExpectation) { } else { args = append(args, e.Args.Vulns) } - if e.Args.LightAnything { + if e.Args.ReportTypeAnything { args = append(args, mock.Anything) } else { - args = append(args, e.Args.Light) + args = append(args, e.Args.ReportType) } _m.On("FillInfo", args...) } @@ -43,9 +43,9 @@ func (_m *MockOperation) ApplyFillInfoExpectations(expectations []FillInfoExpect } } -// FillInfo provides a mock function with given fields: vulns, light -func (_m *MockOperation) FillInfo(vulns []types.DetectedVulnerability, light bool) { - _m.Called(vulns, light) +// FillInfo provides a mock function with given fields: vulns, reportType +func (_m *MockOperation) FillInfo(vulns []types.DetectedVulnerability, reportType string) { + _m.Called(vulns, reportType) } type FilterArgs struct { diff --git a/pkg/vulnerability/vulnerability.go b/pkg/vulnerability/vulnerability.go index 089adc1634..dc238030b4 100644 --- a/pkg/vulnerability/vulnerability.go +++ b/pkg/vulnerability/vulnerability.go 
@@ -6,6 +6,8 @@ import ( "sort" "strings" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" + "github.com/google/wire" "github.com/aquasecurity/trivy-db/pkg/db" @@ -27,7 +29,7 @@ var SuperSet = wire.NewSet( ) type Operation interface { - FillInfo(vulns []types.DetectedVulnerability, light bool) + FillInfo(vulns []types.DetectedVulnerability, reportType string) Filter(vulns []types.DetectedVulnerability, severities []dbTypes.Severity, ignoreUnfixed bool, ignoreFile string) []types.DetectedVulnerability } 
@@ -40,21 +42,50 @@ func NewClient(dbc db.Config) Client { return Client{dbc: dbc} } -func (c Client) FillInfo(vulns []types.DetectedVulnerability, light bool) { +func (c Client) FillInfo(vulns []types.DetectedVulnerability, reportType string) { var err error - var severity dbTypes.Severity for i := range vulns { - if light { - severity, err = c.dbc.GetSeverity(vulns[i].VulnerabilityID) - vulns[i].Vulnerability.Severity = severity.String() - } else { - vulns[i].Vulnerability, err = c.dbc.GetVulnerability(vulns[i].VulnerabilityID) - } + vulns[i].Vulnerability, err = c.dbc.GetVulnerability(vulns[i].VulnerabilityID) if err != nil { log.Logger.Warnf("Error while getting vulnerability details: %s\n", err) continue } + + var source string + switch reportType { + case vulnerability.Ubuntu, vulnerability.Alpine, vulnerability.RedHat, vulnerability.RedHatOVAL, vulnerability.Debian, vulnerability.DebianOVAL, vulnerability.Fedora, vulnerability.Amazon, vulnerability.OracleOVAL, vulnerability.SuseCVRF, vulnerability.OpenSuseCVRF, vulnerability.Photon: + source = reportType + case vulnerability.CentOS: // CentOS doesn't have its own so we use RedHat + source = vulnerability.RedHat + case "npm", "yarn": + source = vulnerability.NodejsSecurityWg + case "pipenv", "poetry": + source = vulnerability.PythonSafetyDB + case "bundler": + source = vulnerability.RubySec + case "cargo": + source = vulnerability.RustSec + case "composer": + source = vulnerability.PhpSecurityAdvisories + } + c.getVendorSeverity(&vulns[i], source) + vulns[i].Vulnerability.VendorSeverity = nil // Remove VendorSeverity from Results + } +} + +func (c Client) getVendorSeverity(vuln *types.DetectedVulnerability, reportType string) { + if vs, ok := vuln.Vulnerability.VendorSeverity[reportType]; ok { + vuln.Vulnerability.Severity = vs.String() + vuln.SeveritySource = reportType + return + } + + // Try NVD as a fallback if it exists + if vs, ok := vuln.Vulnerability.VendorSeverity[vulnerability.Nvd]; ok { + 
vuln.Vulnerability.Severity = vs.String() + vuln.SeveritySource = vulnerability.Nvd + return } } diff --git a/pkg/vulnerability/vulnerability_test.go b/pkg/vulnerability/vulnerability_test.go index d73a94999e..71f9c28f1c 100644 --- a/pkg/vulnerability/vulnerability_test.go +++ b/pkg/vulnerability/vulnerability_test.go @@ -4,9 +4,11 @@ import ( "os" "testing" - "github.com/aquasecurity/trivy/pkg/log" "golang.org/x/xerrors" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" + + "github.com/aquasecurity/trivy/pkg/log" "github.com/aquasecurity/trivy/pkg/types" "github.com/aquasecurity/trivy-db/pkg/db" @@ -27,18 +29,18 @@ func TestMain(m *testing.M) { func TestClient_FillInfo(t *testing.T) { type args struct { - vulns []types.DetectedVulnerability - light bool + vulns []types.DetectedVulnerability + reportType string } tests := []struct { - name string - getSeverity []db.GetSeverityExpectation - getVulnerability []db.GetVulnerabilityExpectation - args args - expected []types.DetectedVulnerability + name string + getSeverity []db.GetSeverityExpectation + getVulnerability []db.GetVulnerabilityExpectation + args args + expectedVulnerabilities []types.DetectedVulnerability }{ { - name: "happy path", + name: "happy path, with only OS vulnerability but no vendor severity, no NVD", getVulnerability: []db.GetVulnerabilityExpectation{ { Args: db.GetVulnerabilityArgs{ @@ -58,9 +60,9 @@ func TestClient_FillInfo(t *testing.T) { vulns: []types.DetectedVulnerability{ {VulnerabilityID: "CVE-2019-0001"}, }, - light: false, + reportType: vulnerability.Ubuntu, }, - expected: []types.DetectedVulnerability{ + expectedVulnerabilities: []types.DetectedVulnerability{ { VulnerabilityID: "CVE-2019-0001", Vulnerability: dbTypes.Vulnerability{ 
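Review bot: Any `reportType` not listed in the switch — including the `""` the RPC Detect handlers pass — leaves `source` empty, so `getVendorSeverity` looks up `VendorSeverity[""]`, misses, and silently takes the NVD rating; a new analyzer type added elsewhere would get NVD severity with no signal that its vendor source was skipped, so add a `default:` arm such as `default:` / `log.Logger.Debugf("no vendor severity source for report type %q, falling back to NVD", reportType)`. When neither the vendor nor NVD has a rating, `Severity` keeps whatever `GetVulnerability` returned and `SeveritySource` stays empty, which a report consumer cannot distinguish from a deliberately unsourced entry unless `FillInfo` documents that asymmetry. The consequence is visible in the updated fixtures above: CVE-2018-7738 (util-linux shell command injection) drops from HIGH to LOW once Ubuntu's rating takes precedence over NVD, so the severity filter applied right after this call now filters on the vendor rating and users should be told that. Separately, `getVendorSeverity`'s second parameter is named `reportType` but receives the already-mapped `source`; renaming it `source` avoids confusing the two.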
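Review bot: The renamed test struct still carries `getSeverity []db.GetSeverityExpectation`, but no case in the new table sets it — the two that did ("happy path with light option" and "GetSeverity returns an error") are deleted in the later hunks — so the field is dead scaffolding left over from the removed `light` path; drop it, along with its application to the mock if the loop body (outside this hunk) still performs one. The table-driven loop that consumes these fields begins outside the hunk.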
@@ -73,47 +75,187 @@ func TestClient_FillInfo(t *testing.T) { }, }, { - name: "happy path with light option", - getSeverity: []db.GetSeverityExpectation{ + name: "happy path, with only OS vulnerability but no vendor severity, yes NVD", + getVulnerability: []db.GetVulnerabilityExpectation{ { - Args: db.GetSeverityArgs{ + Args: db.GetVulnerabilityArgs{ VulnerabilityID: "CVE-2019-0001", }, - Returns: db.GetSeverityReturns{ - Severity: dbTypes.SeverityCritical, - }, - }, - { - Args: db.GetSeverityArgs{ - VulnerabilityID: "CVE-2019-0002", - }, - Returns: db.GetSeverityReturns{ - Severity: dbTypes.SeverityHigh, + Returns: db.GetVulnerabilityReturns{ + Vulnerability: dbTypes.Vulnerability{ + Title: "dos", + Description: "dos vulnerability", + VendorSeverity: dbTypes.VendorSeverity{ + vulnerability.Nvd: dbTypes.SeverityLow, + }, + References: []string{"http://example.com"}, + }, }, }, }, args: args{ vulns: []types.DetectedVulnerability{ {VulnerabilityID: "CVE-2019-0001"}, - {VulnerabilityID: "CVE-2019-0002"}, }, - light: true, + reportType: vulnerability.Ubuntu, }, - expected: []types.DetectedVulnerability{ + expectedVulnerabilities: []types.DetectedVulnerability{ { VulnerabilityID: "CVE-2019-0001", Vulnerability: dbTypes.Vulnerability{ - Severity: dbTypes.SeverityCritical.String(), + Title: "dos", + Description: "dos vulnerability", + Severity: dbTypes.SeverityLow.String(), + References: []string{"http://example.com"}, + }, + SeveritySource: vulnerability.Nvd, + }, + }, + }, + { + name: "happy path, with only OS vulnerability but no severity, no vendor severity, no NVD", + getVulnerability: []db.GetVulnerabilityExpectation{ + { + Args: db.GetVulnerabilityArgs{ + VulnerabilityID: "CVE-2019-0001", + }, + Returns: db.GetVulnerabilityReturns{ + Vulnerability: dbTypes.Vulnerability{ + Title: "dos", + Description: "dos vulnerability", + References: []string{"http://example.com"}, + }, }, }, + }, + args: args{ + vulns: []types.DetectedVulnerability{ + {VulnerabilityID: 
"CVE-2019-0001"}, + }, + reportType: vulnerability.Ubuntu, + }, + expectedVulnerabilities: []types.DetectedVulnerability{ { - VulnerabilityID: "CVE-2019-0002", + VulnerabilityID: "CVE-2019-0001", Vulnerability: dbTypes.Vulnerability{ - Severity: dbTypes.SeverityHigh.String(), + Title: "dos", + Description: "dos vulnerability", + References: []string{"http://example.com"}, }, }, }, }, + { + name: "happy path, with only OS vulnerability, yes vendor severity", + getVulnerability: []db.GetVulnerabilityExpectation{ + { + Args: db.GetVulnerabilityArgs{ + VulnerabilityID: "CVE-2019-0001", + }, + Returns: db.GetVulnerabilityReturns{ + Vulnerability: dbTypes.Vulnerability{ + Title: "dos", + Description: "dos vulnerability", + Severity: dbTypes.SeverityMedium.String(), + VendorSeverity: dbTypes.VendorSeverity{ + vulnerability.RedHat: dbTypes.SeverityLow, // CentOS uses RedHat + }, + References: []string{"http://example.com"}, + }, + }, + }, + }, + args: args{ + vulns: []types.DetectedVulnerability{ + {VulnerabilityID: "CVE-2019-0001"}, + }, + reportType: vulnerability.CentOS, + }, + expectedVulnerabilities: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2019-0001", + Vulnerability: dbTypes.Vulnerability{ + Title: "dos", + Description: "dos vulnerability", + Severity: dbTypes.SeverityLow.String(), + References: []string{"http://example.com"}, + }, + SeveritySource: vulnerability.RedHat, + }, + }, + }, + { + name: "happy path light db, with only OS vulnerability, yes vendor severity", + getVulnerability: []db.GetVulnerabilityExpectation{ + { + Args: db.GetVulnerabilityArgs{ + VulnerabilityID: "CVE-2019-0001", + }, + Returns: db.GetVulnerabilityReturns{ + Vulnerability: dbTypes.Vulnerability{ + Severity: dbTypes.SeverityMedium.String(), + VendorSeverity: dbTypes.VendorSeverity{ + vulnerability.Ubuntu: dbTypes.SeverityLow, + }, + }, + }, + }, + }, + args: args{ + vulns: []types.DetectedVulnerability{ + {VulnerabilityID: "CVE-2019-0001"}, + }, + reportType: 
vulnerability.Ubuntu, + }, + expectedVulnerabilities: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2019-0001", + Vulnerability: dbTypes.Vulnerability{ + Severity: dbTypes.SeverityLow.String(), + }, + SeveritySource: vulnerability.Ubuntu, + }, + }, + }, + { + name: "happy path, with only library vulnerability", + getVulnerability: []db.GetVulnerabilityExpectation{ + { + Args: db.GetVulnerabilityArgs{ + VulnerabilityID: "CVE-2020-0001", + }, + Returns: db.GetVulnerabilityReturns{ + Vulnerability: dbTypes.Vulnerability{ + Title: "COVID-19", + Description: "a nasty virus vulnerability for humans", + Severity: dbTypes.SeverityMedium.String(), + VendorSeverity: dbTypes.VendorSeverity{ + vulnerability.PythonSafetyDB: dbTypes.SeverityCritical, + }, + References: []string{"https://www.who.int/emergencies/diseases/novel-coronavirus-2019"}, + }, + }, + }, + }, + args: args{ + vulns: []types.DetectedVulnerability{ + {VulnerabilityID: "CVE-2020-0001"}, + }, + reportType: "poetry", + }, + expectedVulnerabilities: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2020-0001", + Vulnerability: dbTypes.Vulnerability{ + Title: "COVID-19", + Description: "a nasty virus vulnerability for humans", + Severity: dbTypes.SeverityCritical.String(), + References: []string{"https://www.who.int/emergencies/diseases/novel-coronavirus-2019"}, + }, + SeveritySource: vulnerability.PythonSafetyDB, + }, + }, + }, { name: "GetVulnerability returns an error", getVulnerability: []db.GetVulnerabilityExpectation{ 
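Review bot: None of the new cases exercises an unrecognized or empty `reportType`, which is exactly what the library and ospkg RPC Detect handlers now pass (`FillInfo(vulns, "")`), so the fall-through-to-NVD branch of the switch in `FillInfo` is untested. Add a case mirroring "yes NVD" with `reportType: ""` expecting `SeveritySource: vulnerability.Nvd`, and one with an unknown type and a vendor-only `VendorSeverity` map expecting `Severity` to stay at the DB value with `SeveritySource` empty. The test table starts before this hunk and the loop that runs it follows it.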
@@ -130,39 +272,11 @@ func TestClient_FillInfo(t *testing.T) { vulns: []types.DetectedVulnerability{ {VulnerabilityID: "CVE-2019-0004"}, }, - light: false, }, - expected: []types.DetectedVulnerability{ + expectedVulnerabilities: []types.DetectedVulnerability{ {VulnerabilityID: "CVE-2019-0004"}, }, }, - { - name: "GetSeverity returns an error", - getSeverity: []db.GetSeverityExpectation{ - { - Args: db.GetSeverityArgs{ - VulnerabilityID: "CVE-2019-0003", - }, - Returns: db.GetSeverityReturns{ - Err: xerrors.New("failed"), - }, - }, - }, - args: args{ - vulns: []types.DetectedVulnerability{ - {VulnerabilityID: "CVE-2019-0003"}, - }, - light: true, - }, - expected: []types.DetectedVulnerability{ - { - VulnerabilityID: "CVE-2019-0003", - Vulnerability: dbTypes.Vulnerability{ - Severity: dbTypes.SeverityUnknown.String(), - }, - }, - }, - }, } for _, tt := range tests { @@ -175,8 +289,8 @@ func TestClient_FillInfo(t *testing.T) { dbc: mockDBConfig, } - c.FillInfo(tt.args.vulns, tt.args.light) - assert.Equal(t, tt.expected, tt.args.vulns, tt.name) + c.FillInfo(tt.args.vulns, tt.args.reportType) + assert.Equal(t, tt.expectedVulnerabilities, tt.args.vulns, tt.name) mockDBConfig.AssertExpectations(t) }) } diff --git a/rpc/common/service.pb.go b/rpc/common/service.pb.go index 4d47714a7a..09de3481c1 100644 --- a/rpc/common/service.pb.go +++ b/rpc/common/service.pb.go @@ -367,6 +367,7 @@ type Vulnerability struct { Severity Severity `protobuf:"varint,7,opt,name=severity,proto3,enum=trivy.common.Severity" json:"severity,omitempty"` References []string `protobuf:"bytes,8,rep,name=references,proto3" json:"references,omitempty"` Layer *Layer `protobuf:"bytes,10,opt,name=layer,proto3" json:"layer,omitempty"` + SeveritySource string `protobuf:"bytes,11,opt,name=severity_source,json=severitySource,proto3" json:"severity_source,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -460,6 +461,13 @@ func (m *Vulnerability) GetLayer() *Layer { return nil } +func (m *Vulnerability) GetSeveritySource() string { + if m != nil { + return m.SeveritySource + } + return "" +} + type Layer struct { Digest string `protobuf:"bytes,1,opt,name=digest,proto3" json:"digest,omitempty"` DiffId string `protobuf:"bytes,2,opt,name=diff_id,json=diffId,proto3" json:"diff_id,omitempty"` 
@@ -521,42 +529,44 @@ func init() { func init() { proto.RegisterFile("rpc/common/service.proto", fileDescriptor_6e749acacaaabfff) } var fileDescriptor_6e749acacaaabfff = []byte{ - // 592 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x54, 0x4d, 0x6f, 0xd3, 0x40, - 0x10, 0xc5, 0xce, 0x87, 0x9d, 0x71, 0x0b, 0x66, 0x29, 0xc5, 0xa8, 0x12, 0x44, 0xe6, 0x92, 0x82, - 0x94, 0x42, 0x7a, 0x80, 0x6b, 0x69, 0x2b, 0x6a, 0xd1, 0xa6, 0x95, 0x4b, 0x5b, 0x09, 0x09, 0x45, - 0x5b, 0x7b, 0x9c, 0xac, 0xea, 0xd8, 0xd6, 0xae, 0x89, 0xf0, 0x9f, 0xe5, 0x5f, 0x70, 0x47, 0xbb, - 0x5e, 0xa7, 0x49, 0xc5, 0x85, 0xdb, 0xbe, 0x79, 0x2f, 0xf3, 0xde, 0x4c, 0x76, 0x0d, 0x1e, 0x2f, - 0xa2, 0xbd, 0x28, 0x9f, 0xcf, 0xf3, 0x6c, 0x4f, 0x20, 0x5f, 0xb0, 0x08, 0x87, 0x05, 0xcf, 0xcb, - 0x9c, 0x6c, 0x94, 0x9c, 0x2d, 0xaa, 0x61, 0xcd, 0xf9, 0xef, 0xc1, 0x3c, 0xbf, 0x24, 0xdb, 0xd0, - 0x4d, 0xe8, 0x9c, 0xa5, 0x95, 0x67, 0xf4, 0x8d, 0x41, 0x2f, 0xd4, 0x88, 0x10, 0x68, 0x67, 0x74, - 0x8e, 0x9e, 0xa9, 0xaa, 0xea, 0xec, 0xff, 0x00, 0xe7, 0x82, 0x46, 0x77, 0x74, 0x8a, 0x41, 0x96, - 0xe4, 0x64, 0x07, 0x7a, 0x09, 0x4b, 0x71, 0x52, 0xd0, 0x72, 0xa6, 0x7f, 0x6d, 0xcb, 0xc2, 0x05, - 0x2d, 0x67, 0xe4, 0x03, 0xd8, 0x45, 0xad, 0x15, 0x9e, 0xd9, 0x6f, 0x0d, 0x9c, 0xd1, 0xf3, 0xe1, - 0xaa, 0xfd, 0x50, 0x77, 0x0a, 0x97, 0x32, 0x5f, 0x80, 0x73, 0x50, 0x14, 0x29, 0x8b, 0x68, 0xc9, - 0xf2, 0x4c, 0x26, 0x28, 0xab, 0x02, 0x75, 0x67, 0x75, 0x5e, 0xb7, 0x34, 0x1f, 0x58, 0xee, 0x43, - 0x2f, 0x65, 0xb7, 0x9c, 0x72, 0x86, 0xc2, 0x6b, 0xfd, 0xcb, 0xf3, 0x54, 0xd1, 0x55, 0x78, 0xaf, - 0xf3, 0xff, 0x18, 0x60, 0xe9, 0x28, 0xcb, 0x99, 0x8d, 0xfb, 0x99, 0x89, 0x07, 0xd6, 0x02, 0xb9, - 0x60, 0x79, 0xa6, 0xfd, 0x1a, 0x28, 0x19, 0x8e, 0x29, 0x52, 0x81, 0x5e, 0xab, 0x66, 0x34, 0x24, - 0x5b, 0xd0, 0xc1, 0x22, 0x8f, 0x66, 0x5e, 0xbb, 0x6f, 0x0c, 0x3a, 0x61, 0x0d, 0x64, 0x77, 0xca, - 0xa3, 0x99, 0xd7, 0xa9, 0xbb, 0xcb, 0x33, 0x79, 0x09, 0xb6, 0xe0, 0xd1, 0x44, 0xb9, 0x76, 0xeb, - 0x26, 
0x82, 0x47, 0x63, 0x69, 0xfc, 0x1a, 0x1c, 0x49, 0x35, 0xe6, 0x96, 0x62, 0x41, 0xf0, 0xe8, - 0x5a, 0xfb, 0x6b, 0x41, 0x93, 0xc1, 0x5e, 0x0a, 0x42, 0x1d, 0x63, 0x07, 0x7a, 0x52, 0x50, 0x47, - 0xe9, 0xa9, 0x28, 0xd2, 0xed, 0x58, 0x62, 0xff, 0x23, 0x58, 0x7a, 0x1b, 0xff, 0x37, 0xb6, 0xff, - 0xdb, 0x84, 0xcd, 0xeb, 0x9f, 0x69, 0x86, 0x9c, 0xde, 0xb2, 0x94, 0x95, 0x15, 0xd9, 0x05, 0x77, - 0xb1, 0x5a, 0x98, 0xb0, 0x58, 0xf7, 0x7a, 0xb2, 0x56, 0x0f, 0x62, 0x39, 0x6f, 0x71, 0x37, 0x9d, - 0xac, 0xdc, 0x2c, 0xab, 0xb8, 0x9b, 0xaa, 0x79, 0xdf, 0xc1, 0x53, 0x96, 0x89, 0x92, 0xa6, 0x29, - 0xc6, 0xcb, 0xa9, 0xeb, 0xc5, 0xba, 0x4b, 0xa2, 0x99, 0xfd, 0x0d, 0x6c, 0x26, 0xec, 0xd7, 0x8a, - 0xb0, 0xad, 0x84, 0x1b, 0xaa, 0xd8, 0x88, 0xb6, 0xa0, 0x53, 0xb2, 0x32, 0x45, 0xbd, 0xf1, 0x1a, - 0x90, 0x3e, 0x38, 0x31, 0x8a, 0x88, 0xb3, 0x42, 0xde, 0x32, 0xbd, 0xf5, 0xd5, 0x12, 0x19, 0x81, - 0x2d, 0x70, 0x81, 0x9c, 0x95, 0x95, 0x5a, 0xfb, 0xe3, 0xd1, 0xf6, 0xfa, 0x35, 0xba, 0xd4, 0x6c, - 0xb8, 0xd4, 0x91, 0x57, 0x00, 0x1c, 0x13, 0xe4, 0x98, 0x45, 0x28, 0x3c, 0xbb, 0xdf, 0x92, 0xff, - 0xc5, 0x7d, 0x85, 0xec, 0x42, 0x27, 0xa5, 0x15, 0x72, 0x0f, 0xfa, 0xc6, 0xc0, 0x19, 0x3d, 0x7b, - 0x70, 0x2f, 0x25, 0x15, 0xd6, 0x0a, 0xff, 0x13, 0x74, 0x14, 0x96, 0x4f, 0x33, 0x66, 0x53, 0x14, - 0x65, 0xf3, 0x34, 0x6b, 0x44, 0x5e, 0x80, 0x15, 0xb3, 0x24, 0x91, 0x6b, 0x36, 0x1b, 0x22, 0x49, - 0x82, 0xf8, 0xed, 0x11, 0xd8, 0x4d, 0x34, 0xe2, 0x80, 0x75, 0x35, 0xfe, 0x3a, 0x3e, 0xbf, 0x19, - 0xbb, 0x8f, 0x88, 0x05, 0xad, 0xd3, 0xf3, 0x1b, 0xd7, 0x20, 0x00, 0xdd, 0xb3, 0xe3, 0xa3, 0xe0, - 0xea, 0xcc, 0x35, 0x89, 0x0d, 0xed, 0x93, 0xe0, 0xcb, 0x89, 0xdb, 0x22, 0x1b, 0x60, 0x1f, 0x86, - 0xc1, 0xb7, 0xe0, 0xf0, 0xe0, 0xd4, 0x6d, 0x7f, 0xb6, 0xbf, 0x77, 0xeb, 0x58, 0xb7, 0x5d, 0xf5, - 0xd9, 0xd8, 0xff, 0x1b, 0x00, 0x00, 0xff, 0xff, 0xec, 0xc8, 0x65, 0x39, 0x52, 0x04, 0x00, 0x00, + // 613 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x54, 0x5d, 0x6f, 0xd3, 0x30, 
+ 0x14, 0x25, 0x4d, 0xdb, 0xa4, 0x37, 0xfb, 0x08, 0x66, 0x8c, 0xa0, 0x49, 0x50, 0x85, 0x07, 0x3a, + 0x90, 0x3a, 0xe8, 0x1e, 0xe0, 0x75, 0x6c, 0x13, 0x8b, 0xd8, 0xba, 0x29, 0x63, 0x9b, 0x84, 0x84, + 0x2a, 0xcf, 0x71, 0x5a, 0x6b, 0x69, 0x12, 0xd9, 0x59, 0x45, 0x7e, 0x01, 0xbf, 0x98, 0x77, 0x64, + 0xc7, 0xc9, 0xda, 0x89, 0x17, 0xde, 0x7c, 0xcf, 0x39, 0xb9, 0xe7, 0x9e, 0x1b, 0x27, 0xe0, 0xf1, + 0x9c, 0xec, 0x91, 0x6c, 0x3e, 0xcf, 0xd2, 0x3d, 0x41, 0xf9, 0x82, 0x11, 0x3a, 0xcc, 0x79, 0x56, + 0x64, 0x68, 0xad, 0xe0, 0x6c, 0x51, 0x0e, 0x2b, 0xce, 0xff, 0x00, 0xad, 0xf3, 0x4b, 0xb4, 0x0d, + 0xdd, 0x18, 0xcf, 0x59, 0x52, 0x7a, 0x46, 0xdf, 0x18, 0xf4, 0x42, 0x5d, 0x21, 0x04, 0xed, 0x14, + 0xcf, 0xa9, 0xd7, 0x52, 0xa8, 0x3a, 0xfb, 0x3f, 0xc1, 0xb9, 0xc0, 0xe4, 0x0e, 0x4f, 0x69, 0x90, + 0xc6, 0x19, 0xda, 0x81, 0x5e, 0xcc, 0x12, 0x3a, 0xc9, 0x71, 0x31, 0xd3, 0x4f, 0xdb, 0x12, 0xb8, + 0xc0, 0xc5, 0x0c, 0x7d, 0x04, 0x3b, 0xaf, 0xb4, 0xc2, 0x6b, 0xf5, 0xcd, 0x81, 0x33, 0x7a, 0x3e, + 0x5c, 0xb6, 0x1f, 0xea, 0x4e, 0x61, 0x23, 0xf3, 0x05, 0x38, 0x07, 0x79, 0x9e, 0x30, 0x82, 0x0b, + 0x96, 0xa5, 0x72, 0x82, 0xa2, 0xcc, 0xa9, 0xee, 0xac, 0xce, 0xab, 0x96, 0xad, 0x47, 0x96, 0xfb, + 0xd0, 0x4b, 0xd8, 0x2d, 0xc7, 0x9c, 0x51, 0xe1, 0x99, 0xff, 0xf2, 0x3c, 0x55, 0x74, 0x19, 0x3e, + 0xe8, 0xfc, 0x3f, 0x06, 0x58, 0x7a, 0x94, 0x26, 0xb3, 0xf1, 0x90, 0x19, 0x79, 0x60, 0x2d, 0x28, + 0x17, 0x2c, 0x4b, 0xb5, 0x5f, 0x5d, 0x4a, 0x86, 0xd3, 0x84, 0x62, 0x41, 0x3d, 0xb3, 0x62, 0x74, + 0x89, 0xb6, 0xa0, 0x43, 0xf3, 0x8c, 0xcc, 0xbc, 0x76, 0xdf, 0x18, 0x74, 0xc2, 0xaa, 0x90, 0xdd, + 0x31, 0x27, 0x33, 0xaf, 0x53, 0x75, 0x97, 0x67, 0xf4, 0x12, 0x6c, 0xc1, 0xc9, 0x44, 0xb9, 0x76, + 0xab, 0x26, 0x82, 0x93, 0xb1, 0x34, 0x7e, 0x0d, 0x8e, 0xa4, 0x6a, 0x73, 0x4b, 0xb1, 0x20, 0x38, + 0xb9, 0xd6, 0xfe, 0x5a, 0x50, 0xcf, 0x60, 0x37, 0x82, 0x50, 0x8f, 0xb1, 0x03, 0x3d, 0x29, 0xa8, + 0x46, 0xe9, 0xa9, 0x51, 0xa4, 0xdb, 0xb1, 0xac, 0xfd, 0x4f, 0x60, 0xe9, 0x6d, 0xfc, 0x5f, 0x6c, + 0xff, 0xb7, 0x09, 0xeb, 0xd7, 0xf7, 
0x49, 0x4a, 0x39, 0xbe, 0x65, 0x09, 0x2b, 0x4a, 0xb4, 0x0b, + 0xee, 0x62, 0x19, 0x98, 0xb0, 0x48, 0xf7, 0xda, 0x5c, 0xc1, 0x83, 0x48, 0xe6, 0xcd, 0xef, 0xa6, + 0x93, 0xa5, 0x9b, 0x65, 0xe5, 0x77, 0x53, 0x95, 0xf7, 0x3d, 0x3c, 0x65, 0xa9, 0x28, 0x70, 0x92, + 0xd0, 0xa8, 0x49, 0x5d, 0x2d, 0xd6, 0x6d, 0x88, 0x3a, 0xfb, 0x1b, 0x58, 0x8f, 0xd9, 0xaf, 0x25, + 0x61, 0x5b, 0x09, 0xd7, 0x14, 0x58, 0x8b, 0xb6, 0xa0, 0x53, 0xb0, 0x22, 0xa1, 0x7a, 0xe3, 0x55, + 0x81, 0xfa, 0xe0, 0x44, 0x54, 0x10, 0xce, 0x72, 0x79, 0xcb, 0xf4, 0xd6, 0x97, 0x21, 0x34, 0x02, + 0x5b, 0xd0, 0x05, 0xe5, 0xac, 0x28, 0xd5, 0xda, 0x37, 0x46, 0xdb, 0xab, 0xd7, 0xe8, 0x52, 0xb3, + 0x61, 0xa3, 0x43, 0xaf, 0x00, 0x38, 0x8d, 0x29, 0xa7, 0x29, 0xa1, 0xc2, 0xb3, 0xfb, 0xa6, 0x7c, + 0x17, 0x0f, 0x08, 0xda, 0x85, 0x4e, 0x82, 0x4b, 0xca, 0x3d, 0xe8, 0x1b, 0x03, 0x67, 0xf4, 0xec, + 0xd1, 0xbd, 0x94, 0x54, 0x58, 0x29, 0xd0, 0x5b, 0xd8, 0xac, 0xdb, 0x4e, 0x44, 0x76, 0xcf, 0x09, + 0xf5, 0x1c, 0x35, 0xe4, 0x46, 0x0d, 0x5f, 0x2a, 0xd4, 0xff, 0x0c, 0x1d, 0xf5, 0xa0, 0xfc, 0x86, + 0x23, 0x36, 0xa5, 0xa2, 0xa8, 0xbf, 0xe1, 0xaa, 0x42, 0x2f, 0xc0, 0x8a, 0x58, 0x1c, 0xcb, 0xf7, + 0xd1, 0xaa, 0x89, 0x38, 0x0e, 0xa2, 0x77, 0x47, 0x60, 0xd7, 0x19, 0x90, 0x03, 0xd6, 0xd5, 0xf8, + 0xdb, 0xf8, 0xfc, 0x66, 0xec, 0x3e, 0x41, 0x16, 0x98, 0xa7, 0xe7, 0x37, 0xae, 0x81, 0x00, 0xba, + 0x67, 0xc7, 0x47, 0xc1, 0xd5, 0x99, 0xdb, 0x42, 0x36, 0xb4, 0x4f, 0x82, 0xaf, 0x27, 0xae, 0x89, + 0xd6, 0xc0, 0x3e, 0x0c, 0x83, 0xef, 0xc1, 0xe1, 0xc1, 0xa9, 0xdb, 0xfe, 0x62, 0xff, 0xe8, 0x56, + 0xf3, 0xdf, 0x76, 0xd5, 0xff, 0x65, 0xff, 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xd2, 0xe0, 0xac, + 0x75, 0x7b, 0x04, 0x00, 0x00, } diff --git a/rpc/common/service.proto b/rpc/common/service.proto index 8821f8031c..0b80ea5a62 100644 --- a/rpc/common/service.proto +++ b/rpc/common/service.proto @@ -50,6 +50,7 @@ message Vulnerability { Severity severity = 7; repeated string references = 8; Layer layer = 10; + string severity_source = 11; } message Layer { 
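Review bot: `severity_source` is added as a free-form `string` at field 11 with no comment saying what it carries; the Go tests on this page store a vendor identifier such as `vulnerability.Ubuntu` or `vulnerability.PythonSafetyDB` there, but a reader of the .proto (or a non-Go client) cannot tell that. A one-line comment above the field, such as `// Data source whose severity rating was selected for this vulnerability (e.g. a distribution or library advisory DB); empty when none applied.`, would document the contract. Field number 9 is skipped between `references = 8` and `layer = 10`; if 9 was used by an earlier revision, a `reserved 9;` line would keep it from being reused for an incompatible field.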
diff --git a/rpc/scanner/service.pb.go b/rpc/scanner/service.pb.go index 075640f7bb..2e699d13d1 100644 --- a/rpc/scanner/service.pb.go +++ b/rpc/scanner/service.pb.go @@ -182,6 +182,7 @@ func (m *ScanResponse) GetResults() []*Result { type Result struct { Target string `protobuf:"bytes,1,opt,name=target,proto3" json:"target,omitempty"` Vulnerabilities []*common.Vulnerability `protobuf:"bytes,2,rep,name=vulnerabilities,proto3" json:"vulnerabilities,omitempty"` + Type string `protobuf:"bytes,3,opt,name=type,proto3" json:"type,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -226,6 +227,13 @@ func (m *Result) GetVulnerabilities() []*common.Vulnerability { return nil } +func (m *Result) GetType() string { + if m != nil { + return m.Type + } + return "" +} + func init() { proto.RegisterType((*ScanRequest)(nil), "trivy.scanner.v1.ScanRequest") proto.RegisterType((*ScanOptions)(nil), "trivy.scanner.v1.ScanOptions") 
@@ -236,28 +244,28 @@ func init() { func init() { proto.RegisterFile("rpc/scanner/service.proto", fileDescriptor_60d0e837512b18d4) } var fileDescriptor_60d0e837512b18d4 = []byte{ - // 361 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x52, 0xc1, 0x6b, 0xbb, 0x30, - 0x18, 0x45, 0x5b, 0x6a, 0x8d, 0x3f, 0xf8, 0x95, 0x1c, 0x86, 0x6d, 0xd9, 0x10, 0x4f, 0x65, 0x07, - 0x65, 0x0e, 0xb6, 0xfb, 0xa0, 0x87, 0x9e, 0x3a, 0xd2, 0xb1, 0xc3, 0x2e, 0x25, 0xd5, 0x0f, 0x17, - 0x50, 0x63, 0x93, 0x28, 0xf3, 0x1f, 0xd9, 0xdf, 0x3b, 0x4c, 0x2c, 0xac, 0x1d, 0xbd, 0x25, 0xef, - 0x3d, 0xbf, 0xf7, 0xde, 0x67, 0xd0, 0x5c, 0xd4, 0x69, 0x2c, 0x53, 0x5a, 0x55, 0x20, 0x62, 0x09, - 0xa2, 0x65, 0x29, 0x44, 0xb5, 0xe0, 0x8a, 0xe3, 0x99, 0x12, 0xac, 0xed, 0xa2, 0x81, 0x8c, 0xda, - 0x87, 0xc5, 0x53, 0xce, 0xd4, 0x67, 0x73, 0x88, 0x52, 0x5e, 0xc6, 0xf4, 0xd8, 0x50, 0x09, 0x69, - 0x23, 0x98, 0xea, 0x62, 0xad, 0x8c, 0xfb, 0x51, 0x29, 0x2f, 0x4b, 0x5e, 0x9d, 0x4f, 0x0a, 0xbf, - 0x2d, 0xe4, 0xed, 0x52, 0x5a, 0x11, 0x38, 0x36, 0x20, 0x15, 0xbe, 0x41, 0x13, 0x45, 0x45, 0x0e, - 0xca, 0xb7, 0x02, 0x6b, 0xe5, 0x92, 0xe1, 0x86, 0xe7, 0x68, 0xca, 0x4a, 0x9a, 0xc3, 0x9e, 0x65, - 0xbe, 0xad, 0x19, 0x47, 0xdf, 0x37, 0x19, 0x5e, 0x22, 0xb7, 0xa0, 0x1d, 0x88, 0x3d, 0xcb, 0xa4, - 0x3f, 0x0a, 0x46, 0x2b, 0x97, 0x4c, 0x35, 0xb0, 0xc9, 0x24, 0x7e, 0x46, 0x0e, 0xaf, 0x15, 0xe3, - 0x95, 0xf4, 0xc7, 0x81, 0xb5, 0xf2, 0x92, 0xdb, 0xe8, 0x32, 0x7b, 0xd4, 0xfb, 0x6f, 0x8d, 0x88, - 0x9c, 0xd4, 0xe1, 0xbd, 0xc9, 0x35, 0xe0, 0xbd, 0x49, 0xdb, 0x14, 0xd5, 0x5e, 0x75, 0x35, 0xf8, - 0x96, 0x31, 0xe9, 0x81, 0xb7, 0xae, 0x86, 0xf0, 0x0b, 0xfd, 0x33, 0x1d, 0x64, 0xcd, 0x2b, 0x09, - 0x38, 0x40, 0x36, 0x97, 0xba, 0x80, 0x97, 0xcc, 0x06, 0x3f, 0xd3, 0x3e, 0xda, 0xee, 0x88, 0xcd, - 0x25, 0xc6, 0x68, 0x0c, 0x5c, 0x16, 0xba, 0xca, 0x94, 0xe8, 0x33, 0x4e, 0x90, 0x23, 0x40, 0x36, - 0x85, 0x32, 0x2d, 0xbc, 0xc4, 0xff, 0x1b, 0x95, 0x68, 0x01, 0x39, 0x09, 0xc3, 0x1c, 0x4d, 0x0c, - 0x74, 
0x75, 0x71, 0x6b, 0xf4, 0xbf, 0xcf, 0x09, 0x82, 0x1e, 0x58, 0xc1, 0x14, 0x03, 0xe9, 0xdb, - 0x7a, 0xfa, 0xf2, 0x3c, 0xd8, 0xfb, 0x2f, 0x51, 0x47, 0x2e, 0xbf, 0x49, 0x5e, 0x91, 0xb3, 0x33, - 0x31, 0xf0, 0x1a, 0x8d, 0xfb, 0x23, 0xbe, 0xb2, 0xc9, 0xe1, 0x4f, 0x2e, 0xee, 0xae, 0xd1, 0x66, - 0x49, 0x2f, 0xee, 0x87, 0x33, 0x50, 0x87, 0x89, 0x7e, 0x0b, 0x8f, 0x3f, 0x01, 0x00, 0x00, 0xff, - 0xff, 0x22, 0xf3, 0x23, 0xc0, 0x72, 0x02, 0x00, 0x00, + // 367 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x52, 0x4d, 0x6b, 0x83, 0x30, + 0x18, 0x46, 0x5b, 0x6a, 0x8d, 0x83, 0x95, 0x1c, 0x86, 0x6d, 0xd9, 0x10, 0x4f, 0x65, 0x07, 0x65, + 0x0e, 0xb6, 0xfb, 0xa0, 0x87, 0x9e, 0x3a, 0xd2, 0xb1, 0xc3, 0x2e, 0x25, 0xd5, 0x97, 0x2e, 0xa0, + 0xc6, 0x26, 0x51, 0x26, 0xfb, 0x1f, 0xfb, 0xbd, 0xc3, 0xc4, 0xc2, 0xda, 0xd1, 0xdb, 0xfb, 0xf1, + 0xf8, 0x7c, 0xbc, 0x06, 0x4d, 0x45, 0x95, 0xc6, 0x32, 0xa5, 0x65, 0x09, 0x22, 0x96, 0x20, 0x1a, + 0x96, 0x42, 0x54, 0x09, 0xae, 0x38, 0x9e, 0x28, 0xc1, 0x9a, 0x36, 0xea, 0x97, 0x51, 0xf3, 0x30, + 0x7b, 0xda, 0x33, 0xf5, 0x59, 0xef, 0xa2, 0x94, 0x17, 0x31, 0x3d, 0xd4, 0x54, 0x42, 0x5a, 0x0b, + 0xa6, 0xda, 0x58, 0x23, 0xe3, 0x8e, 0x2a, 0xe5, 0x45, 0xc1, 0xcb, 0x53, 0xa6, 0xf0, 0xc7, 0x42, + 0xde, 0x26, 0xa5, 0x25, 0x81, 0x43, 0x0d, 0x52, 0xe1, 0x1b, 0x34, 0x52, 0x54, 0xec, 0x41, 0xf9, + 0x56, 0x60, 0x2d, 0x5c, 0xd2, 0x77, 0x78, 0x8a, 0xc6, 0xac, 0xa0, 0x7b, 0xd8, 0xb2, 0xcc, 0xb7, + 0xf5, 0xc6, 0xd1, 0xfd, 0x2a, 0xc3, 0x73, 0xe4, 0xe6, 0xb4, 0x05, 0xb1, 0x65, 0x99, 0xf4, 0x07, + 0xc1, 0x60, 0xe1, 0x92, 0xb1, 0x1e, 0xac, 0x32, 0x89, 0x9f, 0x91, 0xc3, 0x2b, 0xc5, 0x78, 0x29, + 0xfd, 0x61, 0x60, 0x2d, 0xbc, 0xe4, 0x36, 0x3a, 0xf7, 0x1e, 0x75, 0xfa, 0x6b, 0x03, 0x22, 0x47, + 0x74, 0x78, 0x6f, 0x7c, 0xf5, 0xf3, 0x4e, 0xa4, 0xa9, 0xf3, 0x72, 0xab, 0xda, 0x0a, 0x7c, 0xcb, + 0x88, 0x74, 0x83, 0xb7, 0xb6, 0x82, 0xf0, 0x0b, 0x5d, 0x99, 0x0c, 0xb2, 0xe2, 0xa5, 0x04, 0x1c, + 0x20, 0x9b, 0x4b, 0x1d, 0xc0, 0x4b, 
0x26, 0xbd, 0x9e, 0x49, 0x1f, 0xad, 0x37, 0xc4, 0xe6, 0x12, + 0x63, 0x34, 0x04, 0x2e, 0x73, 0x1d, 0x65, 0x4c, 0x74, 0x8d, 0x13, 0xe4, 0x08, 0x90, 0x75, 0xae, + 0x4c, 0x0a, 0x2f, 0xf1, 0xff, 0x5b, 0x25, 0x1a, 0x40, 0x8e, 0xc0, 0xf0, 0x1b, 0x8d, 0xcc, 0xe8, + 0xe2, 0xe1, 0x96, 0xe8, 0xba, 0xf3, 0x09, 0x82, 0xee, 0x58, 0xce, 0x14, 0x03, 0xe9, 0xdb, 0x9a, + 0x7d, 0x7e, 0x6a, 0xec, 0xfd, 0x0f, 0xa8, 0x25, 0xe7, 0xdf, 0x74, 0x86, 0x75, 0xf4, 0x81, 0x26, + 0xd7, 0x75, 0xf2, 0x8a, 0x9c, 0x8d, 0xb1, 0x86, 0x97, 0x68, 0xd8, 0x95, 0xf8, 0xc2, 0x75, 0xfb, + 0xbf, 0x3b, 0xbb, 0xbb, 0xb4, 0x36, 0x87, 0x7b, 0x71, 0x3f, 0x9c, 0x7e, 0xb5, 0x1b, 0xe9, 0xf7, + 0xf1, 0xf8, 0x1b, 0x00, 0x00, 0xff, 0xff, 0xb4, 0xfb, 0xa8, 0xd9, 0x86, 0x02, 0x00, 0x00, } diff --git a/rpc/scanner/service.proto b/rpc/scanner/service.proto index 643dfd4c6b..24e695822f 100644 --- a/rpc/scanner/service.proto +++ b/rpc/scanner/service.proto @@ -30,4 +30,5 @@ message ScanResponse { message Result { string target = 1; repeated common.Vulnerability vulnerabilities = 2; -} + string type = 3; +} \ No newline at end of file diff --git a/rpc/scanner/service.twirp.go b/rpc/scanner/service.twirp.go index 886558233f..1d527d2249 100644 --- a/rpc/scanner/service.twirp.go +++ b/rpc/scanner/service.twirp.go 
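Review bot: The new `type = 3` field in `Result` has no comment saying what it identifies; the test hunk on this page passes a `reportType` of `"poetry"`, so it appears to name the kind of scanned target that selects the severity source, but the .proto does not say so, and as a free-form `string` rather than an enum it cannot be validated by clients. A comment such as `// Kind of the scanned target (e.g. an OS family or a package manager name); drives which vendor severity is reported.` would document the contract. The `+` side also drops the file's trailing newline (`\ No newline at end of file`); keep the newline after the closing brace so the next change does not show a spurious diff on that line.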
@@ -857,28 +857,28 @@ func callClientError(ctx context.Context, h *twirp.ClientHooks, err twirp.Error) } var twirpFileDescriptor0 = []byte{ - // 361 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x52, 0xc1, 0x6b, 0xbb, 0x30, - 0x18, 0x45, 0x5b, 0x6a, 0x8d, 0x3f, 0xf8, 0x95, 0x1c, 0x86, 0x6d, 0xd9, 0x10, 0x4f, 0x65, 0x07, - 0x65, 0x0e, 0xb6, 0xfb, 0xa0, 0x87, 0x9e, 0x3a, 0xd2, 0xb1, 0xc3, 0x2e, 0x25, 0xd5, 0x0f, 0x17, - 0x50, 0x63, 0x93, 0x28, 0xf3, 0x1f, 0xd9, 0xdf, 0x3b, 0x4c, 0x2c, 0xac, 0x1d, 0xbd, 0x25, 0xef, - 0x3d, 0xbf, 0xf7, 0xde, 0x67, 0xd0, 0x5c, 0xd4, 0x69, 0x2c, 0x53, 0x5a, 0x55, 0x20, 0x62, 0x09, - 0xa2, 0x65, 0x29, 0x44, 0xb5, 0xe0, 0x8a, 0xe3, 0x99, 0x12, 0xac, 0xed, 0xa2, 0x81, 0x8c, 0xda, - 0x87, 0xc5, 0x53, 0xce, 0xd4, 0x67, 0x73, 0x88, 0x52, 0x5e, 0xc6, 0xf4, 0xd8, 0x50, 0x09, 0x69, - 0x23, 0x98, 0xea, 0x62, 0xad, 0x8c, 0xfb, 0x51, 0x29, 0x2f, 0x4b, 0x5e, 0x9d, 0x4f, 0x0a, 0xbf, - 0x2d, 0xe4, 0xed, 0x52, 0x5a, 0x11, 0x38, 0x36, 0x20, 0x15, 0xbe, 0x41, 0x13, 0x45, 0x45, 0x0e, - 0xca, 0xb7, 0x02, 0x6b, 0xe5, 0x92, 0xe1, 0x86, 0xe7, 0x68, 0xca, 0x4a, 0x9a, 0xc3, 0x9e, 0x65, - 0xbe, 0xad, 0x19, 0x47, 0xdf, 0x37, 0x19, 0x5e, 0x22, 0xb7, 0xa0, 0x1d, 0x88, 0x3d, 0xcb, 0xa4, - 0x3f, 0x0a, 0x46, 0x2b, 0x97, 0x4c, 0x35, 0xb0, 0xc9, 0x24, 0x7e, 0x46, 0x0e, 0xaf, 0x15, 0xe3, - 0x95, 0xf4, 0xc7, 0x81, 0xb5, 0xf2, 0x92, 0xdb, 0xe8, 0x32, 0x7b, 0xd4, 0xfb, 0x6f, 0x8d, 0x88, - 0x9c, 0xd4, 0xe1, 0xbd, 0xc9, 0x35, 0xe0, 0xbd, 0x49, 0xdb, 0x14, 0xd5, 0x5e, 0x75, 0x35, 0xf8, - 0x96, 0x31, 0xe9, 0x81, 0xb7, 0xae, 0x86, 0xf0, 0x0b, 0xfd, 0x33, 0x1d, 0x64, 0xcd, 0x2b, 0x09, - 0x38, 0x40, 0x36, 0x97, 0xba, 0x80, 0x97, 0xcc, 0x06, 0x3f, 0xd3, 0x3e, 0xda, 0xee, 0x88, 0xcd, - 0x25, 0xc6, 0x68, 0x0c, 0x5c, 0x16, 0xba, 0xca, 0x94, 0xe8, 0x33, 0x4e, 0x90, 0x23, 0x40, 0x36, - 0x85, 0x32, 0x2d, 0xbc, 0xc4, 0xff, 0x1b, 0x95, 0x68, 0x01, 0x39, 0x09, 0xc3, 0x1c, 0x4d, 0x0c, - 0x74, 0x75, 0x71, 0x6b, 0xf4, 0xbf, 0xcf, 
0x09, 0x82, 0x1e, 0x58, 0xc1, 0x14, 0x03, 0xe9, 0xdb, - 0x7a, 0xfa, 0xf2, 0x3c, 0xd8, 0xfb, 0x2f, 0x51, 0x47, 0x2e, 0xbf, 0x49, 0x5e, 0x91, 0xb3, 0x33, - 0x31, 0xf0, 0x1a, 0x8d, 0xfb, 0x23, 0xbe, 0xb2, 0xc9, 0xe1, 0x4f, 0x2e, 0xee, 0xae, 0xd1, 0x66, - 0x49, 0x2f, 0xee, 0x87, 0x33, 0x50, 0x87, 0x89, 0x7e, 0x0b, 0x8f, 0x3f, 0x01, 0x00, 0x00, 0xff, - 0xff, 0x22, 0xf3, 0x23, 0xc0, 0x72, 0x02, 0x00, 0x00, + // 367 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x52, 0x4d, 0x6b, 0x83, 0x30, + 0x18, 0x46, 0x5b, 0x6a, 0x8d, 0x83, 0x95, 0x1c, 0x86, 0x6d, 0xd9, 0x10, 0x4f, 0x65, 0x07, 0x65, + 0x0e, 0xb6, 0xfb, 0xa0, 0x87, 0x9e, 0x3a, 0xd2, 0xb1, 0xc3, 0x2e, 0x25, 0xd5, 0x97, 0x2e, 0xa0, + 0xc6, 0x26, 0x51, 0x26, 0xfb, 0x1f, 0xfb, 0xbd, 0xc3, 0xc4, 0xc2, 0xda, 0xd1, 0xdb, 0xfb, 0xf1, + 0xf8, 0x7c, 0xbc, 0x06, 0x4d, 0x45, 0x95, 0xc6, 0x32, 0xa5, 0x65, 0x09, 0x22, 0x96, 0x20, 0x1a, + 0x96, 0x42, 0x54, 0x09, 0xae, 0x38, 0x9e, 0x28, 0xc1, 0x9a, 0x36, 0xea, 0x97, 0x51, 0xf3, 0x30, + 0x7b, 0xda, 0x33, 0xf5, 0x59, 0xef, 0xa2, 0x94, 0x17, 0x31, 0x3d, 0xd4, 0x54, 0x42, 0x5a, 0x0b, + 0xa6, 0xda, 0x58, 0x23, 0xe3, 0x8e, 0x2a, 0xe5, 0x45, 0xc1, 0xcb, 0x53, 0xa6, 0xf0, 0xc7, 0x42, + 0xde, 0x26, 0xa5, 0x25, 0x81, 0x43, 0x0d, 0x52, 0xe1, 0x1b, 0x34, 0x52, 0x54, 0xec, 0x41, 0xf9, + 0x56, 0x60, 0x2d, 0x5c, 0xd2, 0x77, 0x78, 0x8a, 0xc6, 0xac, 0xa0, 0x7b, 0xd8, 0xb2, 0xcc, 0xb7, + 0xf5, 0xc6, 0xd1, 0xfd, 0x2a, 0xc3, 0x73, 0xe4, 0xe6, 0xb4, 0x05, 0xb1, 0x65, 0x99, 0xf4, 0x07, + 0xc1, 0x60, 0xe1, 0x92, 0xb1, 0x1e, 0xac, 0x32, 0x89, 0x9f, 0x91, 0xc3, 0x2b, 0xc5, 0x78, 0x29, + 0xfd, 0x61, 0x60, 0x2d, 0xbc, 0xe4, 0x36, 0x3a, 0xf7, 0x1e, 0x75, 0xfa, 0x6b, 0x03, 0x22, 0x47, + 0x74, 0x78, 0x6f, 0x7c, 0xf5, 0xf3, 0x4e, 0xa4, 0xa9, 0xf3, 0x72, 0xab, 0xda, 0x0a, 0x7c, 0xcb, + 0x88, 0x74, 0x83, 0xb7, 0xb6, 0x82, 0xf0, 0x0b, 0x5d, 0x99, 0x0c, 0xb2, 0xe2, 0xa5, 0x04, 0x1c, + 0x20, 0x9b, 0x4b, 0x1d, 0xc0, 0x4b, 0x26, 0xbd, 0x9e, 0x49, 0x1f, 0xad, 
0x37, 0xc4, 0xe6, 0x12, + 0x63, 0x34, 0x04, 0x2e, 0x73, 0x1d, 0x65, 0x4c, 0x74, 0x8d, 0x13, 0xe4, 0x08, 0x90, 0x75, 0xae, + 0x4c, 0x0a, 0x2f, 0xf1, 0xff, 0x5b, 0x25, 0x1a, 0x40, 0x8e, 0xc0, 0xf0, 0x1b, 0x8d, 0xcc, 0xe8, + 0xe2, 0xe1, 0x96, 0xe8, 0xba, 0xf3, 0x09, 0x82, 0xee, 0x58, 0xce, 0x14, 0x03, 0xe9, 0xdb, 0x9a, + 0x7d, 0x7e, 0x6a, 0xec, 0xfd, 0x0f, 0xa8, 0x25, 0xe7, 0xdf, 0x74, 0x86, 0x75, 0xf4, 0x81, 0x26, + 0xd7, 0x75, 0xf2, 0x8a, 0x9c, 0x8d, 0xb1, 0x86, 0x97, 0x68, 0xd8, 0x95, 0xf8, 0xc2, 0x75, 0xfb, + 0xbf, 0x3b, 0xbb, 0xbb, 0xb4, 0x36, 0x87, 0x7b, 0x71, 0x3f, 0x9c, 0x7e, 0xb5, 0x1b, 0xe9, 0xf7, + 0xf1, 0xf8, 0x1b, 0x00, 0x00, 0xff, 0xff, 0xb4, 0xfb, 0xa8, 0xd9, 0x86, 0x02, 0x00, 0x00, }