Security

- CVE-2016-4478: Under certain circumstances, a remote attacker could cause denial of service due to a buffer overflow in the XMLRPC response encoding code.

- CVE-2014-9773: Remote attacker could change Atheme's behavior by registering/dropping certain accounts/nicks.

SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action.

From the Arch Linux advisory:

CVE-2016-1667: Same origin bypass in DOM. Credit to Mariusz Mlynski.

CVE-2016-1668: Same origin bypass in Blink V8 bindings. Credit to Mariusz Mlynski.

CVE-2016-1669: Buffer overflow in V8. Credit to Choongwoo Han.

CVE-2016-1670: Race condition in loader. Credit to anonymous. Note that these vulnerabilities affect the V8 engine used in other packages as well.

Google Chrome before 50.0.2661.102 on Android mishandles / (slash) and \ (backslash) characters, which allows attackers to conduct directory traversal attacks via a file: URL, related to net/base/escape.cc and net/base/filename_util.cc.

From the Red Hat advisory:

It was found that Docker would launch containers under the specified UID instead of a username. An attacker able to launch a container could use this flaw to escalate their privileges to root within the launched container.

It was discovered that there was an invalid memory and heap overflow vulnerability in dosfstools, a collection of utilities for making and checking MS-DOS FAT filesystems.

The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.

From the Red Hat bug report:

stack (frame) overflow in getaddrinfo() when called with AF_INET, AF_INET6 (incomplete fix for CVE-2013-4458).

http://pkgs.fedoraproject.org/cgit/ioprocess.git/commit/ introduced a new upstream tarball with different md5sum stating fixes in changelog. The spec file doesn't explain how the tarball has been generated. Being 0.15.0 released lot of time ago (https://github.com/oVirt/ioprocess/releases/tag/v0.15.0) , md5sum shouldn't be changed.

Marking this as security violation.

It was reported that XmlMapper in jackson-dataformat-xml is vulnerable to XXE attack ("Improper Restriction of XML External Entity Reference").

Gustavo Grieco discovered that jansson, a C library for encoding, decoding and manipulating JSON data, did not limit the recursion depth when parsing JSON arrays and objects. This could allow remote attackers to cause a denial of service (crash) via stack exhaustion, using crafted JSON data.

A vulnerability was found in Linux kernel. There is an information leak In the USB module (drivers/usb/core/devio.c). The stack object "ci" has a total size of 8 bytes. Its last 3 bytes are padding bytes which are not initialized and leaked to userland

A flaw was found in the way the Linux kernel's ASN.1 DER decoder processed certain certificate files with tags of indefinite length. A local, unprivileged user could use a specially crafted X.509 certificate DER file to crash the system or, potentially, escalate their privileges on the system. (CVE-2016-0758, Important)

David Matlack discovered that the Kernel-based Virtual Machine (KVM) implementation in the Linux kernel did not properly restrict variable Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a guest VM could use this to cause a denial of service (system crash) in the host, expose sensitive information from the host, or possibly gain administrative privileges in the host.

CVE-2016-4581: It was reported that when first propagated copy is a slave, it causes kernel oops. This oops happens with the namespace_sem held and can be triggered by non-root users.

CVE-2016-4485: An information leak vulnerability in llc module was found in net/llc/af_llc.c. The stack object “info” has a total size of 12 bytes. Its last byte is padding which is not initialized and leaked via “put_cmsg”.

CVE-2016-4486: An information leak vulnerability in rtnetlink was found in net/core/rtnetlink.c. The stack object “map” has a total size of 32 bytes. Its last 4 bytes are padding generated by compiler. These padding bytes are not initialized and sent out via “nla_put”.

From the Arch Linux advisory:

An out-of-bound read access due to incorrect utf-8 strings handling has been in found in the _ksba_dn_to_str() function. This issue is due to an incomplete fix for CVE-2016-4356, caused by an off-by-one error when handling incorrect utf-8 strings.

A vulnerability was found in libksba. The returned length of the object from _ksba_ber_parse_tl (ti.length) was not always checked against the actual buffer length, thus leading to a read access after the end of the buffer and a crash.

Hanno Böck discovered that Libksba incorrectly handled decoding certain BER data. An attacker could use this issue to cause Libksba to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-4353)

Hanno Böck discovered that Libksba incorrectly handled decoding certain BER data. An attacker could use this issue to cause Libksba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-4354, CVE-2016-4355)

Hanno Böck discovered that Libksba incorrectly handled incorrect utf-8 strings when decoding certain DN data. An attacker could use this issue to cause Libksba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-4356)

It was found that libndp did not properly validate and check the origin of Neighbor Discovery Protocol (NDP) messages. An attacker on a non-local network could use this flaw to advertise a node as a router, allowing them to perform man-in-the-middle attacks on a connecting client, or disrupt the network connectivity of that client.

DoS in librsvg 2.40.2 parsing SVGs with circular definitions were found (they will produce stack exhaustion) by Gustavo Grieco.

From the openSUSE advisory:

libxml2 limits the number of recursions an XML document can contain so to protect against the "Billion Laughs" denial-of-service attack. Unfortunately, the underlying counter was not incremented properly in all necessary locations. Therefore, specially crafted XML documents could exhaust all available stack space and crash the XML parser without running into the recursion limit.

OCaml versions 4.02.3 and earlier have a runtime bug that, on 64-bit platforms, causes sizes arguments to an internal memmove call to be sign-extended from 32 to 64-bits before being passed to the memmove function. This leads arguments between 2GiB and 4GiB to be interpreted as larger than they are (specifically, a bit below 2^64), causing a buffer overflow. Arguments between 4GiB and 6GiB are interpreted as 4GiB smaller than they should be, causing a possible information leak.

From the Red Hat advisory:

A flaw was found in the building of containers within OpenShift Enterprise. An attacker could submit an image for building that executes commands within the container as root, allowing them to potentially escalate privileges. (CVE-2016-2160)

It was found that OpenShift Enterprise would disclose log file contents from reclaimed namespaces. An attacker could create a new namespace to access log files present in a previously deleted namespace using the same name. (CVE-2016-2149)

An information disclosure flaw was discovered in haproxy as used by OpenShift Enterprise; a cookie with the name "OPENSHIFT_[namespace]_SERVERID" was set, which contained the internal IP address of a pod. (CVE-2016-3711)

Donghai Zdh discovered that QEMU incorrectly handled the Task Priority Register(TPR). A privileged attacker inside the guest could use this issue to possibly leak host memory bytes. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-4020)

Due to incorrect data validation of intercepted HTTP Request messages Squid is vulnerable to clients bypassing the protection against CVE-2009-0801 related issues. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source (CVE-2016-4553).

hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation. (CVE-2016-4476)

wpa_supplicant 0.4.0 through 2.5 does not reject \n and \r characters in passphrase parameters, which allows local users to trigger arbitrary library loading and consequently gain privileges, or cause a denial of service (daemon outage), via a crafted (1) SET, (2) SET_CRED, or (3) SET_NETWORK command. (CVE-2016-4477)

The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ).

XMLReader class can raise an exception if an invalid character is encountered, and the exception crosses stack frames in an unsafe way that causes a higher level exception handler to access an already-freed object.