From nobody Mon Dec 13 16:54:08 2021 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id D775C18D9448; Mon, 13 Dec 2021 16:54:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JCSJz1F9gz4WR8; Mon, 13 Dec 2021 16:54:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id EB4211815A; Mon, 13 Dec 2021 16:54:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1BDGsAgB082075; Mon, 13 Dec 2021 16:54:10 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1BDGs89s082067; Mon, 13 Dec 2021 16:54:08 GMT (envelope-from git) Date: Mon, 13 Dec 2021 16:54:08 GMT Message-Id: <202112131654.1BDGs89s082067@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org 
From: Ashish SHUKLA Subject: git: 590bbd1574de - main - security/vuxml: Fix tab/spaces in openhab2, and solr entries List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: ashish X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 590bbd1574de464c91d8673a02e670b37ca73ed8 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1639414451; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=BSR7i1nPvRuj+jCF5fYyqzGjcjjJv5TrRj8rJfKDvXs=; b=IQ8kXMZU4jUvfYu4fu/U4phFgEBm8wT3qVPdlLvoG3b5+AWdaQbSw0CkroPUoWo8fz7ULk I3DV12xUNWMoA9n26TL6PdG5GnZGFiuKX6O3zp/j6OMzsPtwKo3fpEdfmEbOuVOlG56xfb x6e83ui+d3UgtYXmC/PW2sw03JXsQhObOgYTBlWx3aFzL8obIWmCWbmPNx97tBEwhgJ0hP DKAiaAB3PAzuhJuUdjmCHKZn3//n+zJ9KqoFF8hvNxulX4ia6yYCGP0VYAYRgr7E3OrK9y utZXUFlUmENlVkdWfmN5t97HoID+Z8i5I6zs180z8LQaG64eQS18TancM0buKg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1639414451; a=rsa-sha256; cv=none; b=H1UrpBJSKf7MpaGCrmd8vECu619qi9YMWKaIFJ5yYez/zL4vP3yHQOWn5o0HREk75dw+EJ rXrliEem478PdjKglVO7jJ6RvwSqML62XSlAkWACrncSm3NR/poH3uE7maTmTBxdV7DIOf /9GJoAAb+kd4FVjljV58aooHiXwCSIb14Aq1fgUDrbIS0Oou0HOAJGoLftn84QWFLLC6s7 NzokfUrbT7b8/QHv+hnXZSmxpMu5UKbHBPRCgO6Vkwe451Vz3wKyAAu/feSarLt9ELdHM8 l3nanVxUPtoleAmCt+HRATwG3wgFINOH6B2Sye13soUfAuAmKN02bHAd+P2JPw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by ashish: URL: 
https://cgit.FreeBSD.org/ports/commit/?id=590bbd1574de464c91d8673a02e670b37ca73ed8 commit 590bbd1574de464c91d8673a02e670b37ca73ed8 Author: Ashish SHUKLA AuthorDate: 2021-12-13 16:48:00 +0000 Commit: Ashish SHUKLA CommitDate: 2021-12-13 16:48:00 +0000 security/vuxml: Fix tab/spaces in openhab2, and solr entries This was breaking make validate for the entry I am trying to add While here also purge the likely accidentally added file vuln.xml.unexpanded in 00bad07fd782 --- security/vuxml/vuln-2021.xml | 6 +- security/vuxml/vuln.xml.unexpanded | 189118 ---------------------------------- 2 files changed, 3 insertions(+), 189121 deletions(-) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 75671f1f2c33..66346c65163b 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -2,9 +2,9 @@ openhab -- log4j remote code injection - openhab2 + openhab2 openhab - 2.5.12 + 2.5.12 3.1.1 @@ -41,7 +41,7 @@

Solr reports:

Apache Solr affected by Apache Log4J

-
+ diff --git a/security/vuxml/vuln.xml.unexpanded b/security/vuxml/vuln.xml.unexpanded deleted file mode 100644 index e7964ff18921..000000000000 --- a/security/vuxml/vuln.xml.unexpanded +++ /dev/null @@ -1,189118 +0,0 @@ - - - - - - - - - - - - - - - - - - - - -]> - - - - Solr -- Apache Log4J - - - apache-solr - 8.11.0 - - - - -

Solr reports:

-
-

Apache Solr affected by Apache Log4J

-
- -
- - CVE-2021-44228 - https://solr.apache.org/security.html - - - 2021-12-10 - 2021-12-13 - -
- - - OpenSearch -- Log4Shell - - - opensearch - 1.2.1 - - - - -

OpenSearch reports:

-
-

A recently published security issue (CVE-2021-44228) affects several versions of the broadly-used Apache Log4j library. Some software in the OpenSearch project includes versions of Log4j referenced in this CVE. While, at time of writing, the team has not found a reproduceable example in OpenSearch of remote code execution (RCE) described in this issue, its severity is such that all users should take mitigation measures. As recommended by the advisory, the team has released OpenSearch 1.2.1, which updates Log4j to version 2.15.0. For those who cannot upgrade to 1.2.1, the Log4j website outlines additional measures to mitigate the issue. This patch release also addresses CVE-2021-4352 in t he OpenSearch Docker distributions..

-
- -
- - CVE-2021-44228 - https://opensearch.org/blog/releases/2021/12/update-to-1-2-1/ - - - 2021-12-11 - 2021-12-13 - -
- - - Grafana -- Path Traversal - - - grafana8 - grafana - 8.0.08.0.7 - 8.1.08.1.8 - 8.2.08.2.7 - 8.3.08.3.1 - - - - -

Grafana Labs reports:

-
-

Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

-

The vulnerable URL path is: <grafana_host_url>/public/plugins/<“plugin-id”> where <“plugin-id”> is the plugin ID for any installed plugin.

-

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

-
    -
  • <grafana_host_url>/public/plugins/alertlist/
  • -
  • <grafana_host_url>/public/plugins/annolist/
  • -
  • <grafana_host_url>/public/plugins/barchart/
  • -
  • <grafana_host_url>/public/plugins/bargauge/
  • -
  • <grafana_host_url>/public/plugins/candlestick/
  • -
  • <grafana_host_url>/public/plugins/cloudwatch/
  • -
  • <grafana_host_url>/public/plugins/dashlist/
  • -
  • <grafana_host_url>/public/plugins/elasticsearch/
  • -
  • <grafana_host_url>/public/plugins/gauge/
  • -
  • <grafana_host_url>/public/plugins/geomap/
  • -
  • <grafana_host_url>/public/plugins/gettingstarted/
  • -
  • <grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
  • -
  • <grafana_host_url>/public/plugins/graph/
  • -
  • <grafana_host_url>/public/plugins/heatmap/
  • -
  • <grafana_host_url>/public/plugins/histogram/
  • -
  • <grafana_host_url>/public/plugins/influxdb/
  • -
  • <grafana_host_url>/public/plugins/jaeger/
  • -
  • <grafana_host_url>/public/plugins/logs/
  • -
  • <grafana_host_url>/public/plugins/loki/
  • -
  • <grafana_host_url>/public/plugins/mssql/
  • -
  • <grafana_host_url>/public/plugins/mysql/
  • -
  • <grafana_host_url>/public/plugins/news/
  • -
  • <grafana_host_url>/public/plugins/nodeGraph/
  • -
  • <grafana_host_url>/public/plugins/opentsdb
  • -
  • <grafana_host_url>/public/plugins/piechart/
  • -
  • <grafana_host_url>/public/plugins/pluginlist/
  • -
  • <grafana_host_url>/public/plugins/postgres/
  • -
  • <grafana_host_url>/public/plugins/prometheus/
  • -
  • <grafana_host_url>/public/plugins/stackdriver/
  • -
  • <grafana_host_url>/public/plugins/stat/
  • -
  • <grafana_host_url>/public/plugins/state-timeline/
  • -
  • <grafana_host_url>/public/plugins/status-history/
  • -
  • <grafana_host_url>/public/plugins/table/
  • -
  • <grafana_host_url>/public/plugins/table-old/
  • -
  • <grafana_host_url>/public/plugins/tempo/
  • -
  • <grafana_host_url>/public/plugins/testdata/
  • -
  • <grafana_host_url>/public/plugins/text/
  • -
  • <grafana_host_url>/public/plugins/timeseries/
  • -
  • <grafana_host_url>/public/plugins/welcome/
  • -
  • <grafana_host_url>/public/plugins/zipkin/
  • -
-
- -
- - CVE-2021-43798 - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ - - - 2021-12-03 - 2021-12-11 - -
- - - Grafana -- Incorrect Access Control - - - grafana8 - grafana - 8.0.08.2.4 - - - - -

Grafana Labs reports:

-
-

When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.

-
- -
- - CVE-2021-41244 - https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/ - - - 2021-11-02 - 2021-12-11 - -
- - - Grafana -- XSS - - - grafana8 - grafana - 8.0.08.2.3 - - - - -

Grafana Labs reports:

-
-

If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.

-

The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.

-

There are two ways an unauthenticated user can open a page in Grafana that contains the login button:

-
    -
  • Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
  • -
  • The link is to an unauthenticated page. The following pages are vulnerable: -
      -
    • /dashboard-solo/snapshot/*
    • -
    • /dashboard/snapshot/*
    • -
    • /invite/:code
    • -
    -
  • -
-

The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}

-

An example of an expression would be: {{constructor.constructor(‘alert(1)’)()}}. This can be included in the link URL like this:

-

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1

-

When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

-
- -
- - CVE-2021-41174 - https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/ - - - 2021-10-21 - 2021-12-11 - -
- - - p7zip -- usage of uninitialized memory - - - p7zip - 18.05 - - - - -

NVD reports:

-
-

- Incorrect initialization logic of RAR decoder objects in - 7-Zip 18.03 and before can lead to usage of - uninitialized memory, allowing remote attackers to cause - a denial of service (segmentation fault) or execute - arbitrary code via a crafted RAR archive. -

-
- -
- - CVE-2018-10115 - https://nvd.nist.gov/vuln/detail/CVE-2018-10115 - - - 2018-05-02 - 2021-12-11 - -
- - - graylog -- include log4j patches - - - graylog - 4.2.3 - - - - -

Apache Software Foundation repos:

-
-

Apache Log4j2 JNDI features do not protect against attacker - controlled LDAP and other JNDI related endpoints. An attacker - who can control log messages or paramters can execute arbitrary - code from attacker-controller LDAP servers when message lookup - substitution is enabled. -

-
- -
- - CVE-2021-44228 - https://github.com/Graylog2/graylog2-server/commit/d3e441f1126f0dc292e986879039a87c59375b2a - https://logging.apache.org/log4j/2.x/security.html - - - 2021-12-10 - 2021-12-11 - -
- - - go -- multiple vulnerabilities - - - go - 1.17.5,1 - - - - -

The Go project reports:

-
-

net/http: limit growth of header canonicalization cache. An - attacker can cause unbounded memory growth in a Go server accepting - HTTP/2 requests.

-
-
-

syscall: don’t close fd 0 on ForkExec error. When a Go program - running on a Unix system is out of file descriptors and calls - syscall.ForkExec (including indirectly by using the os/exec - package), syscall.ForkExec can close file descriptor 0 as it fails. - If this happens (or can be provoked) repeatedly, it can result in - misdirected I/O such as writing network traffic intended for one - connection to a different connection, or content intended for one - file to a different one.

-
- -
- - CVE-2021-44716 - https://github.com/golang/go/issues/50058 - CVE-2021-44717 - https://github.com/golang/go/issues/50057 - - - 2021-12-08 - 2021-12-09 - -
- - - chromium -- multiple vulnerabilities - - - chromium - 96.0.4664.93 - - - - -

Chrome Releases reports:

-
-

This release contains 22 security fixes, including:

-
    -
  • [1267661] High CVE-2021-4052: Use after free in web apps. - Reported by Wei Yuan of MoyunSec VLab on 2021-11-07
  • -
  • [1267791] High CVE-2021-4053: Use after free in UI. Reported by - Rox on 2021-11-08
  • -
  • [1265806] High CVE-2021-4079: Out of bounds write in WebRTC. - Reported by Brendon Tiszka on 2021-11-01
  • -
  • [1239760] High CVE-2021-4054: Incorrect security UI in autofill. - Reported by Alesandro Ortiz on 2021-08-13
  • -
  • [1268738] High CVE-2021-4078: Type confusion in V8. Reported by - Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on - 2021-11-09
  • -
  • [1266510] High CVE-2021-4055: Heap buffer overflow in - extensions. Reported by Chen Rong on 2021-11-03
  • -
  • [1260939] High CVE-2021-4056: Type Confusion in loader. Reported - by @__R0ng of 360 Alpha Lab on 2021-10-18
  • -
  • [1262183] High CVE-2021-4057: Use after free in file API. - Reported by Sergei Glazunov of Google Project Zero on - 2021-10-21
  • -
  • [1267496] High CVE-2021-4058: Heap buffer overflow in ANGLE. - Reported by Abraruddin Khan and Omair on 2021-11-06
  • -
  • [1270990] High CVE-2021-4059: Insufficient data validation in - loader. Reported by Luan Herrera (@lbherrera_) on 2021-11-17
  • -
  • [1271456] High CVE-2021-4061: Type Confusion in V8. Reported by - Paolo Severini on 2021-11-18
  • -
  • [1272403] High CVE-2021-4062: Heap buffer overflow in BFCache. - Reported by Leecraso and Guang Gong of 360 Alpha Lab on - 2021-11-22
  • -
  • [1273176] High CVE-2021-4063: Use after free in developer tools. - Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability - Research on 2021-11-23
  • -
  • [1273197] High CVE-2021-4064: Use after free in screen capture. - Reported by @ginggilBesel on 2021-11-23
  • -
  • [1273674] High CVE-2021-4065: Use after free in autofill. - Reported by 5n1p3r0010 on 2021-11-25
  • -
  • [1274499] High CVE-2021-4066: Integer underflow in ANGLE. - Reported by Jaehun Jeong(@n3sk) of Theori on 2021-11-29
  • -
  • [1274641] High CVE-2021-4067: Use after free in window manager. - Reported by @ginggilBesel on 2021-11-29
  • -
  • [1265197] Low CVE-2021-4068: Insufficient validation of - untrusted input in new tab page. Reported by NDevTK on - 2021-10-31
  • -
-
- -
- - CVE-2021-4052 - CVE-2021-4053 - CVE-2021-4054 - CVE-2021-4055 - CVE-2021-4056 - CVE-2021-4057 - CVE-2021-4058 - CVE-2021-4059 - CVE-2021-4061 - CVE-2021-4062 - CVE-2021-4063 - CVE-2021-4064 - CVE-2021-4065 - CVE-2021-4066 - CVE-2021-4067 - CVE-2021-4068 - CVE-2021-4078 - CVE-2021-4079 - https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html - - - 2021-12-06 - 2021-12-07 - -
- - - Gitlab -- Multiple Vulnerabilities - - - gitlab-ce - 14.5.014.5.2 - 14.4.014.4.4 - 014.3.6 - - - - -

Gitlab reports:

-
-

Group members with developer role can escalate their privilege to maintainer on projects that they import

-

When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API

-

Collision in access memoization leads to potential elevated privileges on groups and projects

-

Project access token names are returned for unauthenticated requesters

-

Sensitive info disclosure in logs

-

Disclosure of a user's custom project and group templates

-

ReDoS in Maven package version

-

Potential denial of service via the Diff feature

-

Regular Expression Denial of Service via user comments

-

Service desk email accessible by any project member

-

Regular Expression Denial of Service via quick actions

-

IDOR in "external status check" API leaks data about any status check on the instance

-

Default branch name visible in public projects restricting access to the source code repository

-

Deploy token allows access to disabled project Wiki

-

Regular Expression Denial of Service via deploy Slash commands

-

Users can reply to Vulnerability Report discussions despite Only Project Members settings

-

Unauthorised deletion of protected branches

-

Author can approve Merge Request after having access revoked

-

HTML Injection via Swagger UI

-
- -
- - CVE-2021-39944 - CVE-2021-39935 - CVE-2021-39937 - CVE-2021-39915 - CVE-2021-39919 - CVE-2021-39930 - CVE-2021-39940 - CVE-2021-39932 - CVE-2021-39933 - CVE-2021-39934 - CVE-2021-39917 - CVE-2021-39916 - CVE-2021-39941 - CVE-2021-39936 - CVE-2021-39938 - CVE-2021-39918 - CVE-2021-39931 - CVE-2021-39945 - CVE-2021-39910 - https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/ - - - 2021-12-06 - 2021-12-07 - -
- - - NSS -- Memory corruption - - - nss - 3.73 - - - - -

The Mozilla project reports:

-
-

Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures (Critical)

-

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR - are vulnerable to a heap overflow when handling DER-encoded DSA or - RSA-PSS signatures. Applications using NSS for handling signatures - encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be - impacted. Applications using NSS for certificate validation or other - TLS, X.509, OCSP or CRL functionality may be impacted, depending on - how they configure NSS.

-
- -
- - CVE-2021-43527 - https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/ - - - 2021-12-01 - 2021-12-02 - -
- - - mailman < 2.1.38 -- CSRF vulnerability of list mod or member against list admin page - - - mailman - 2.1.38 - - - mailman-exim4 - 2.1.38 - - - mailman-exim4-with-htdig - 2.1.38 - - - mailman-postfix - 2.1.38 - - - mailman-postfix-with-htdig - 2.1.38 - - - mailman-with-htdig - 2.1.38 - - - - -

Mark Sapiro reports:

-
-

A list moderator or list member can potentially carry out a CSRF attack - by getting a list admin to visit a crafted web page.

-
- -
- - CVE-2021-44227 - https://bugs.launchpad.net/mailman/+bug/1952384 - https://www.mail-archive.com/mailman-users@python.org/msg73979.html - - - 2021-11-25 - 2021-12-01 - -
- - - rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse - - - ruby - 2.6.0,12.6.9,1 - 2.7.0,12.7.5,1 - 3.0.0,13.0.3,1 - - - ruby26 - 2.6.0,12.6.9,1 - - - ruby27 - 2.7.0,12.7.5,1 - - - ruby30 - 3.0.0,13.0.3,1 - - - rubygem-cgi - 0.3.1 - - - - -

ooooooo_q reports:

-
-

- The old versions of CGI::Cookie.parse applied - URL decoding to cookie names. An attacker could exploit - this vulnerability to spoof security prefixes in cookie - names, which may be able to trick a vulnerable - application. -

-

- By this fix, CGI::Cookie.parse no longer - decodes cookie names. Note that this is an incompatibility - if cookie names that you are using include - non-alphanumeric characters that are URL-encoded. -

-
- -
- - CVE-2021-41819 - https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/ - - - 2021-11-24 - 2021-11-24 - -
- - - rubygem-cgi -- buffer overrun in CGI.escape_html - - - ruby - 2.7.0,12.7.5,1 - 3.0.0,13.0.3,1 - - - ruby27 - 2.7.0,12.7.5,1 - - - ruby30 - 3.0.0,13.0.3,1 - - - rubygem-cgi - 0.3.1 - - - - -

chamal reports:

-
-

- A security vulnerability that causes buffer overflow when - you pass a very large string (> 700 MB) to - CGI.escape_html on a platform where - long type takes 4 bytes, typically, Windows. -

-
- -
- - CVE-2021-41816 - https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/ - - - 2021-11-24 - 2021-11-24 - -
- - - py-matrix-synapse -- several vulnerabilities - - - py36-matrix-synapse - py37-matrix-synapse - py38-matrix-synapse - py39-matrix-synapse - py310-matrix-synapse - 1.47.1 - - - - -

Matrix developers report:

-
-

This release patches one high severity issue affecting - Synapse installations 1.47.0 and earlier using the media repository. - An attacker could cause these Synapses to download a remote file - and store it in a directory outside the media repository.

-

Note that:

-
    -
  • This only affects homeservers using Synapse's built-in media - repository, as opposed to synapse-s3-storage-provider or - matrix-media-repo.
  • -
  • Attackers cannot control the exact name or destination of the - stored file.
  • -
-
- -
- - ports/259994 - CVE-2021-41281 - https://matrix.org/blog/2021/11/23/synapse-1-47-1-released - - - 2021-11-18 - 2021-11-23 - -
- - - advancecomp -- multiple vulnerabilities - - - advancecomp - 2.1.6 - - - - -

Joonun Jang reports:

-
-

heap buffer overflow running advzip with "-l poc" option

-

Running 'advzip -l poc' with the attached file raises heap buffer overflow - which may allow a remote attacker to cause unspecified impact including denial-of-service attack. - I expected the program to terminate without segfault, but the program crashes as follow. [...] -

-
-

and other vulnerabilities.

- -
- - CVE-2018-1056 - CVE-2019-8379 - CVE-2019-8383 - CVE-2019-9210 - - - 2018-07-29 - 2021-11-19 - -
- - - chromium -- multiple vulnerabilities - - - chromium - 96.0.4664.45 - - - - -

Chrome Releases reports:

-
-

This release contains 25 security fixes, including:

-
    -
  • [1263620] High CVE-2021-38008: Use after free in media. Reported - by Marcin Towalski of Cisco Talos on 2021-10-26
  • -
  • [1260649] High CVE-2021-38009: Inappropriate implementation in - cache. Reported by Luan Herrera (@lbherrera_) on 2021-10-16
  • -
  • [1240593] High CVE-2021-38006: Use after free in storage - foundation. Reported by Sergei Glazunov of Google Project Zero on - 2021-08-17
  • -
  • [1254189] High CVE-2021-38007: Type Confusion in V8. Reported by - Polaris Feng and SGFvamll at Singular Security Lab on - 2021-09-29
  • -
  • [1241091] High CVE-2021-38005: Use after free in loader. - Reported by Sergei Glazunov of Google Project Zero on - 2021-08-18
  • -
  • [1264477] High CVE-2021-38010: Inappropriate implementation in - service workers. Reported by Sergei Glazunov of Google Project - Zero on 2021-10-28
  • -
  • [1268274] High CVE-2021-38011: Use after free in storage - foundation. Reported by Sergei Glazunov of Google Project Zero on - 2021-11-09
  • -
  • [1262791] Medium CVE-2021-38012: Type Confusion in V8. Reported - by Yonghwi Jin (@jinmo123) on 2021-10-24
  • -
  • [1242392] Medium CVE-2021-38013: Heap buffer overflow in - fingerprint recognition. Reported by raven (@raid_akame) on - 2021-08-23
  • -
  • [1248567] Medium CVE-2021-38014: Out of bounds write in - Swiftshader. Reported by Atte Kettunen of OUSPG on 2021-09-10
  • -
  • [957553] Medium CVE-2021-38015: Inappropriate implementation in - input. Reported by David Erceg on 2019-04-29
  • -
  • [1244289] Medium CVE-2021-38016: Insufficient policy - enforcement in background fetch. Reported by Maurice Dauer on - 2021-08-28
  • -
  • [1256822] Medium CVE-2021-38017: Insufficient policy enforcement - in iframe sandbox. Reported by NDevTK on 2021-10-05
  • -
  • [1197889] Medium CVE-2021-38018: Inappropriate implementation in - navigation. Reported by Alesandro Ortiz on 2021-04-11
  • -
  • [1251179] Medium CVE-2021-38019: Insufficient policy enforcement - in CORS. Reported by Maurice Dauer on 2021-09-20
  • -
  • [1259694] Medium CVE-2021-38020: Insufficient policy enforcement - in contacts picker. Reported by Luan Herrera (@lbherrera_) on - 2021-10-13
  • -
  • [1233375] Medium CVE-2021-38021: Inappropriate implementation in - referrer. Reported by Prakash (@1lastBr3ath) and Jun Kokatsu on - 2021-07-27
  • -
  • [1248862] Low CVE-2021-38022: Inappropriate implementation in - WebAuthentication. Reported by Michal Kepkowski on 2021-09-13
  • -
-
- -
- - CVE-2021-38005 - CVE-2021-38006 - CVE-2021-38007 - CVE-2021-38008 - CVE-2021-38009 - CVE-2021-38010 - CVE-2021-38011 - CVE-2021-38012 - CVE-2021-38013 - CVE-2021-38014 - CVE-2021-38015 - CVE-2021-38016 - CVE-2021-38017 - CVE-2021-38018 - CVE-2021-38019 - CVE-2021-38020 - CVE-2021-38021 - CVE-2021-38022 - https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html - - - 2021-11-15 - 2021-11-16 - -
- - - rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods - - - ruby - 2.6.0,12.6.9,1 - 2.7.0,12.7.5,1 - 3.0.0,13.0.3,1 - - - ruby26 - 2.6.0,12.6.9,1 - - - ruby27 - 2.7.0,12.7.5,1 - - - ruby30 - 3.0.0,13.0.3,1 - - - rubygem-date - 3.2.1 - - - - -

Stanislav Valkanov reports:

-
-

- Date's parsing methods including Date.parse - are using Regexps internally, some of which are vulnerable - against regular expression denial of service. Applications - and libraries that apply such methods to untrusted input - may be affected. -

-
- -
- - CVE-2021-41817 - https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/ - - - 2021-11-15 - 2021-11-15 - 2021-11-24 - -
- - - Roundcube -- Multiple vulnerabilities - - - roundcube - 1.4.12,1 - - - *** 188183 LINES SKIPPED ***
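Review bot: the @@ -2,9 +2,9 @@ hunk of security/vuxml/vuln-2021.xml is a whitespace-only change (the `- openhab2` / `+ openhab2` and `- 2.5.12` / `+ 2.5.12` pairs differ only in their indentation), which is invisible once the diff is rendered; it would help to say in the commit message which indentation the file's convention is (tabs or spaces) and to confirm that `git diff -w` shows this hunk as empty and that `make validate` in security/vuxml now passes, since the message says the mixed indentation was what broke it.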
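Review bot: the @@ -41,7 +41,7 @@ hunk (the Solr entry) changes only the indentation of a single closing line (the `-` / `+` pair), so the same check applies: a whitespace-insensitive diff should be empty for it. Since two separate entries carried the same tab/space mix, a quick scan of the rest of vuln-2021.xml for lines mixing a leading tab with spaces would catch any further cases before they break validation again.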
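Review bot: the deletion of security/vuxml/vuln.xml.unexpanded (189118 lines) is an unrelated cleanup bundled with the whitespace fix; the commit message itself calls the file "likely accidentally added" in 00bad07fd782, so it would be cleaner as its own commit carrying that reference, which keeps the two-line whitespace fix reviewable and bisectable. The file's name and its leading `]>` (the close of a DOCTYPE entity block) suggest an intermediate artifact of the entity-expansion step rather than a source file; if that is the case, adding it to the directory's .gitignore would prevent it from being committed again.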