Security

Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption.

Array index error in the MidiManagerUsb::DispatchSendMidiData function in media/midi/midi_manager_usb.cc in Google Chrome before 41.0.2272.76 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging renderer access to provide an invalid port index that triggers an out-of-bounds write operation, a different vulnerability than CVE-2015-1212.

From the SUSE advisory:

A memory leak in the TLS hostname extension was fixed, which could be used by remote attackers to run SSL services out of memory.

From the Fedora advisory:

librsync previously used a truncated MD4 "strong" check sum to match blocks. However, MD4 is not cryptographically strong. It's possible that an attacker who can control the contents of one part of a file could use it to control other regions of the file, if it's transferred using librsync/rdiff. For example this might occur in a database, mailbox, or VM image containing some attacker-controlled data. To mitigate this issue, signatures will by default be computed with a 256-bit BLAKE2 hash. Old versions of librsync will complain about a bad magic number when given these signature files. Backward compatibility can be obtained using the new `rdiff sig --hash=md4` option or through specifying the "signature magic" in the API, but this should not be used when either the old or new file contain untrusted data. Deltas generated from those signatures will also use BLAKE2 during generation, but produce output that can be read by old versions.

Access bypass (Password reset URLs - Drupal 6 and 7)

Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password.

Open redirect (Several vectors including the "destination" URL parameter - Drupal 6 and 7)

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

Using the latest openSUSE Factory snapshot (also present in openSUSE 13.2 RC1) GNOME automatically unlocks if fprintd is present

The user never gets asked for a password
The user never has an opportunity to enter their fingerprint

journal shows fprintd starting each time the lock screen is activated, but no errors or warnings to imply it's misbehaving

Removing fprintd 'resolves' the issue but disables fingerprint authentication

It was discovered that GnuTLS did not perform date and time checks on CA certificates, contrary to expectations. This issue only affected Ubuntu 10.04 LTS.

Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. (CVE-2015-2150)

From the Red Hat bugzilla:

A flaw was found in the method that the linux kernel handles userspace tuning of the Reliable Datagram Sockets (RDS) system settings. The incorrect handling allowed a trusted user to set multiple RDS sysctls for RDS with specially formatted data. Reading from these files also returned data from other sysctl settings that would be exposed via the same permissions to this user. (CVE-2015-2042)

From the openSUSE advisory:

krb5: denial of service in krb5_read_message.

Malformed UTF-8 data could have caused an out of bounds read in the UTF-8 decoding routines, causing an invalid read access.

CVE-2015-2318: Mono's implementation of the SSL/TLS stack failed to check the order of the handshake messages. Which would allow various attacks on the protocol to succeed. ("SKIP-TLS")

CVE-2015-2319: Mono's implementation of SSL/TLS also contained support for the weak EXPORT cyphers and was susceptible to the FREAK attack.

CVE-2015-2320: Mono contained SSLv2 fallback code, which is no longer needed and can be considered insecure.

In Moodle before 2.6.9, by modifying URL a logged in user can view the list of another user's contacts, number of unread messages and list of their courses (CVE-2015-2266).

In Moodle before 2.6.9, authentication in mdeploy can be bypassed. It is theoretically possible to extract files anywhere on the system where the web server has write access. The attacking user must know details about the system and already have significant permissions on the site (CVE-2015-2267).

In Moodle before 2.6.9, a non-optimal regular expression in the "Convert links to URLs" filter could be exploited to create extra server load or make particular pages unavailable (CVE-2015-2268).

In Moodle before 2.6.9, it is possible to create HTML injection through blocks with configurable titles, however this could only be exploited by users who are already marked as XSS-trusted (CVE-2015-2269).

In Moodle before 2.6.9, for the custom themes that use blocks regions in the base layout the blocks for inaccessible courses could be displayed together with sensitive course-related information. Most of the themes, including all standard Moodle themes, are not affected (CVE-2015-2270).

In Moodle before 2.6.9, users without proper permission are able to mark tags as inappropriate. Since this capability is given to authenticated users by default, this is not an issue for most sites (CVE-2015-2271).

In Moodle before 2.6.9, even when user's password is forced to be changed on login, user could still use it for authentication in order to create the web service token and therefore extend the life of the temporary password via web services (CVE-2015-2272).

In Moodle before 2.6.9, Quiz statistics report did not properly escape student responses and could be used for XSS attack (CVE-2015-2273).

CVE-2015-0817: ilxu1a reported a flaw in Mozilla's implementation of typed array bounds checking in JavaScript just-in-time compilation (JIT) and its management of bounds checking for heap access. This flaw can be leveraged into the reading and writing of memory allowing for arbitrary code execution on the local system.

CVE-2015-0818: Mariusz Mlynski discovered a method to run arbitrary scripts in a privileged context. This bypassed the same-origin policy protections by using a flaw in the processing of SVG format content navigation.

From the Debian advisory:

CVE-2015-0286 Stephen Henson discovered that the ASN1_TYPE_cmp() function can be crashed, resulting in denial of service.

CVE-2015-0287 Emilia Kaesper discovered a memory corruption in ASN.1 parsing.

CVE-2015-0289 Michal Zalewski discovered a NULL pointer dereference in the PKCS#7 parsing code, resulting in denial of service.

CVE-2015-0292 It was discovered that missing input sanitising in base64 decoding might result in memory corruption.

CVE-2015-0209 It was discovered that a malformed EC private key might result in memory corruption.

CVE-2015-0288 It was discovered that missing input sanitising in the X509_to_X509_REQ() function might result in denial of service.

From the OpenSSL advisory:

A malicious client can trigger an OPENSSL_assert (i.e., an abort) in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.

Emmanuel Law discovered an integer overflow in the processing of ZIP archives, resulting in denial of service or potentially the execution of arbitrary code.

From the Zend advisory:

Zend\Validator\Csrf, starting in the Zend Framework 2.3 series, was not correctly identifying null or mal-formatted token identifiers, leading to false positive validations, and thus potentially allowing for Cross-Site Request Forgery vectors.

Andrey Babak discovered that Django incorrectly handled strip_tags. A remote attacker could possibly use this issue to cause Django to enter an infinite loop, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-2316)

Daniel Chatfield discovered that Django incorrectly handled user-supplied redirect URLs. A remote attacker could possibly use this issue to perform a cross-site scripting attack. (CVE-2015-2317)

It was reported that Qt Creator does not verify SSH host key when using built-in SSH client.

Several denial-of-service issues have been discovered in Tor, a connection-based low-latency anonymous communication system.

• Jowr discovered that very high DNS query load on a relay could trigger an assertion error.

• A relay could crash with an assertion error if a buffer of exactly the wrong layout was passed to buf_pullup() at exactly the wrong time.

CVEs were not available when this entry was created, and were added later. See the Tor release announcement for details.

Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support. (CVE-2015-2152)

The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local guests to cause a denial of service by causing a large number messages to be logged. (CVE-2015-1563)

Anton Rager and Jonathan Brossard from the Salesforce.com Product Security Team and Ben Laurie of Google discovered a denial of service vulnerability in xerces-c, a validating XML parser library for C++. The parser mishandles certain kinds of malformed input documents, resulting in a segmentation fault during a parse operation. An unauthenticated attacker could use this flaw to cause an application using the xerces-c library to crash.