Security

An attacker can craft a malicious summary within a bug report to host malicious javascript code. This code will be served to a user when he or she navigates to the bug's dependency graph.

An attacker is able to submit a malicious bug report and execute arbitrary javascript code in the client's browser by using the bugzilla server as a pivot.

The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.

The print_option function in dhcp-common.c in dhcpcd through 6.10.2 misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted message (CVE-2014-7913).

Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

The gdk-pixbuf2.0 library is vulnerable to overflows in the pixops_composite_nearest(), pixops_composite_color_nearest() and pixops_process() functions in pixops/pixops.c (CVE-2015-8875).

Vulnerabilities that allow to read or write outside memory bounds (heap, stack) as well as some null-pointer derreferences to cause a denial of service when parsing SVG files.

CVE-2016-4569: A vulnerability was found in Linux kernel. There is an information leak in file sound/core/timer.c of the latest mainline Linux kernel, the stack object “tread” has a total size of 32 bytes. It contains a 8-bytes padding, which is not initialized but sent to user via copy_to_user, resulting a kernel leak.

CVE-2016-4558: A flaw was found in the Linux kernel's implementation of BPF in which systems with more than 32GB of physical memory and unlimited RLIMIT_MEMLOCK settings an application can overflow a 32 bit refcount.

Additionally in the same environment, malicious applications can overflow a map refcount on larger memory (1Tb). When the overflow wraps to zero a reference can be held while being free'd. This can lead to a use after free.

It was discovered that there was a stack consumption vulnerability in the libgd2 graphics library which allowed remote attackers to cause a denial of service via a crafted imagefilltoborder call.

libxml2 limits the number of recursions an XML document can contain so to protect against the "Billion Laughs" denial-of-service attack. Unfortunately, the underlying counter was not incremented properly in all necessary locations. Therefore, specially crafted XML documents could exhaust all available stack space and crash the XML parser without running into the recursion limit (CVE-2016-3705).

In Moodle before 2.8.12, users are able to change profile fields that were locked by the administrator (CVE-2016-3729).

In Moodle before 2.8.12, names of hidden forums or discussions could be disclosed as part of the error message on the subscription page (CVE-2016-3731).

In Moodle before 2.8.12, users can view badges of other users without proper permissions (CVE-2016-3732).

In Moodle before 2.8.12, during the course restore, teachers could overwrite the idnumber even without having the capability to change it (CVE-2016-3733).

In Moodle before 2.8.12, possible CSRF in the URL that marks forum posts as read (CVE-2016-3734).

NetworkManager before 1.0.12 is vulnerable to a race condition that could lead to a local information leak.

An origin validation vulnerability was found in OpenShift Enterprise. An attacker could potentially access API credentials stored in a web browser's localStorage if anonymous access was granted to a service/proxy or pod/proxy API for a specific pod, and an authorized access_token was provided in the query parameter. (CVE-2016-3703)

A vulnerability was found in the STI build process in OpenShift Enterprise. Access to STI builds was not properly restricted, allowing an attacker to use STI builds to access the Docker socket and escalate their privileges. (CVE-2016-3738)

A flaw was found in OpenShift Enterprise when multi-tenant SDN is enabled and a build is run within a namespace that would normally be isolated from pods in other namespaces. If an s2i build is run in such an environment the container being built can access network resources on pods that should not be available to it. (CVE-2016-3708)

CVE-2016-2334 (arbitrary code execution): An exploitable heap overflow vulnerability exists in the NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip that can lead to arbitrary code execution. Before decompression, ExtractZlibFile method read block size and its offset from file and after that read block data into static size buffer "buf". Because there is no check whether size of block is bigger than size of "buf", malformed size of block exceeding mentioned "buf" size will cause buffer overflow and heap corruption.

CVE-2016-2335 (arbitrary code execution): An out of bound read vulnerability exists in the CInArchive::ReadFileItem method functionality of 7zip for handling UDF files that can lead to denial of service or code execution. Because volumes can have more than one partition map their objects are keep in object vector. To start looking for item, method tries to achieve proper partition object using to this mentioned partition maps object vector and "PartitionRef" field from Long Allocation Descriptor. Lack of checking whether "PartitionRef" field is bigger than available amount of partition map objects cause read out of bounds and can lead in some circumstances to arbitrary code execution.

Hans Jerry Illikainen discovered that the PHP Zip extension incorrectly handled certain malformed Zip archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3078)

It was discovered that PHP incorrectly handled invalid indexes in the SplDoublyLinkedList class. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-3132)

CVE-2016-4342: Heap corruption in tar/zip/phar parser (bsc#977991)

CVE-2016-4343: Uninitialized pointer in phar_make_dirstream() (bsc#977992)

CVE-2016-4346: heap overflow in ext/standard/string.c (bsc#977994)

**Version 2.7.13** (2016-05-09) * **security** #18733 limited the maximum length of a submitted username (fabpot) * bug #18730 [FrameworkBundle] prevent calling get() for service_container service (xabbuh) * bug #18709 [DependencyInjection] top-level anonymous services must be public (xabbuh) * bug #18692 add Event annotation for KernelEvents (Haehnchen) * bug #18246 [DependencyInjection] fix ambiguous services schema (backbone87)

Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which uses PHP's default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts.

Stack-based buffer overflow in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.12.x before 1.12.11 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long string in a packet.

Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. (CVE-2016-4566)

Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via the query string. (CVE-2016-4567)