git: 6954792fe916 - main - security/vuxml: Create 2021 entity

Li-Wen Hsu lwhsu at FreeBSD.org
Wed Jun 23 14:34:55 UTC 2021


The branch main has been updated by lwhsu:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6954792fe916862afd25cf6ce961bd7062dfb21f

commit 6954792fe916862afd25cf6ce961bd7062dfb21f
Author:     Li-Wen Hsu <lwhsu at FreeBSD.org>
AuthorDate: 2021-06-23 14:34:34 +0000
Commit:     Li-Wen Hsu <lwhsu at FreeBSD.org>
CommitDate: 2021-06-23 14:34:34 +0000

    security/vuxml: Create 2021 entity
    
    Let's create a new entity at the beginning of each year and append to it,
    instead of doing a massive copy at the end of each year.
---
 security/vuxml/files/tidy.xsl |    1 +
 security/vuxml/vuln-2021.xml  | 6374 ++++++++++++++++++++++++++++++++++++++++
 security/vuxml/vuln.xml       | 6377 +----------------------------------------
 3 files changed, 6377 insertions(+), 6375 deletions(-)

diff --git a/security/vuxml/files/tidy.xsl b/security/vuxml/files/tidy.xsl
index 8ca03fb4de1b..8bf948a94b6e 100644
--- a/security/vuxml/files/tidy.xsl
+++ b/security/vuxml/files/tidy.xsl
@@ -43,6 +43,7 @@ result in more namespace declarations than we wish.
 <!ENTITY vuln-2018 SYSTEM "vuln-2018.xml">
 <!ENTITY vuln-2019 SYSTEM "vuln-2019.xml">
 <!ENTITY vuln-2020 SYSTEM "vuln-2020.xml">
+<!ENTITY vuln-2021 SYSTEM "vuln-2021.xml">
 ]>
 ]]></xsl:text>
   <xsl:apply-templates />
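Review bot: The entity list emitted here is hand-maintained and must mirror the DOCTYPE internal subset in vuln.xml (which this same commit also rewrites, per the diffstat), but nothing in tidy.xsl says so, so the yearly step the commit message describes is easy to miss on the stylesheet side. The added `vuln-2021` line is correct as far as the hunk shows; the `<xsl:text>` element that wraps this CDATA block starts above the hunk, so an XSL comment placed just before it, outside the emitted text, would be the right spot. Something like `<!-- Keep this entity list in sync with the DOCTYPE in vuln.xml: a new vuln-YYYY SYSTEM entity is added at the start of each year. -->` is enough. Placing the reminder inside the CDATA would instead be copied verbatim into the generated DOCTYPE, which is harmless to a parser but noisy for readers.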
diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
new file mode 100644
index 000000000000..54bd2e2f0caa
--- /dev/null
+++ b/security/vuxml/vuln-2021.xml
@@ -0,0 +1,6374 @@
+  <vuln vid="f3fc2b50-d36a-11eb-a32c-00a0989e4ec1">
+    <topic>dovecot-pigeonhole -- Sieve excessive resource usage</topic>
+    <affects>
+      <package>
+	<name>dovecot-pigeonhole</name>
+	<range><lt>2.3.15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Dovecot team reports reports:</p>
+	<blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html">
+	  <p>Sieve interpreter is not protected against abusive
+	    scripts that claim excessive resource usage. Fixed by limiting the
+	    user CPU time per single script execution and cumulatively over
+	    several script runs within a configurable timeout period. Sufficiently
+	    large CPU time usage is summed in the Sieve script binary and execution
+	    is blocked when the sum exceeds the limit within that time. The block
+	    is lifted when the script is updated after the resource usage times out.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2020-28200</cvename>
+      <url>https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html</url>
+    </references>
+    <dates>
+      <discovery>2020-09-23</discovery>
+      <entry>2021-06-22</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="d18f431d-d360-11eb-a32c-00a0989e4ec1">
+    <topic>dovecot -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>dovecot</name>
+	<range><ge>2.3.11</ge><lt>2.3.14.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Dovecot team reports:</p>
+	<blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html">
+	    <p>CVE-2021-29157: Dovecot does not correctly escape kid and azp
+	      fields in JWT tokens.
+	      This may be used to supply attacker controlled keys to validate
+	      tokens in some configurations. This requires attacker
+	      to be able to write files to
+	      local disk.</p>
+	</blockquote>
+	<blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html">
+	    <p>CVE-2021-33515: On-path attacker could inject plaintext commands
+	      before STARTTLS negotiation that would be executed after STARTTLS
+	      finished with the client. Only the SMTP submission service is
+	      affected.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-29157</cvename>
+      <url>https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html</url>
+      <cvename>CVE-2021-33515</cvename>
+      <url>>https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html</url>
+    </references>
+    <dates>
+      <discovery>2021-03-22</discovery>
+      <entry>2021-06-22</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0e561c06-d13a-11eb-92be-0800273f11ea">
+    <topic>gitea -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>gitea</name>
+	<range><lt>1.14.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Gitea Team reports for release 1.14.3:</p>
+	<blockquote cite="https://blog.gitea.io/2021/06/gitea-1.14.3-is-released/">
+	  <ul>
+	    <li>Encrypt migration credentials at rest (#15895) (#16187)</li>
+	    <li>Only check access tokens if they are likely to be tokens
+	      (#16164) (#16171)</li>
+	    <li>Add missing SameSite settings for the i_like_gitea cookie
+	      (#16037) (#16039)</li>
+	    <li>Fix setting of SameSite on cookies (#15989) (#15991)</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/go-gitea/gitea/releases/tag/v1.14.3</url>
+      <freebsdpr>ports/256720</freebsdpr>
+    </references>
+    <dates>
+      <discovery>2021-05-16</discovery>
+      <entry>2021-06-19</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="afdc7579-d023-11eb-bcad-3065ec8fd3ec">
+    <topic>chromium -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>chromium</name>
+	<range><lt>91.0.4472.114</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Chrome Releases reports:</p>
+	<blockquote cite="https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html">
+	  <p>This release includes 4 security fixes, including:</p>
+	  <ul>
+	    <li>[1219857] High CVE-2021-30554: Use after free in WebGL. Reported
+	      by anonymous on 2021-06-15</li>
+	    <li>[1215029] High CVE-2021-30555: Use after free in Sharing.
+	      Reported by David Erceg on 2021-06-01</li>
+	    <li>[1212599] High CVE-2021-30556: Use after free in WebAudio.
+	      Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-24</li>
+	    <li>[1202102] High CVE-2021-30557: Use after free in TabGroups.
+	      Reported by David Erceg on 2021-04-23</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-30554</cvename>
+      <cvename>CVE-2021-30555</cvename>
+      <cvename>CVE-2021-30556</cvename>
+      <cvename>CVE-2021-30557</cvename>
+      <url>https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html</url>
+    </references>
+    <dates>
+      <discovery>2021-06-17</discovery>
+      <entry>2021-06-18</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="9f27ac74-cdee-11eb-930d-fc4dd43e2b6a">
+    <topic>ircII -- denial of service</topic>
+    <affects>
+      <package>
+	<name>ircii</name>
+	<range><lt>20210314</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Michael Ortmann reports:</p>
+	<blockquote cite="https://www.openwall.com/lists/oss-security/2021/03/24/2">
+	  <p>ircii has a bug in parsing CTCP UTC messages.</p>
+	  <p>Its unknown if this could also be used for arbitrary code execution.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-29376</cvename>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29376</url>
+    </references>
+    <dates>
+      <discovery>2021-03-02</discovery>
+      <entry>2021-03-30</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="cce76eca-ca16-11eb-9b84-d4c9ef517024">
+    <topic>Apache httpd -- Multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>apache24</name>
+	<range><lt>2.4.48</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Apache httpd reports:</p>
+	<blockquote cite="https://httpd.apache.org/security/vulnerabilities_24.html">
+	  <ul>
+	    <li>moderate: mod_proxy_wstunnel tunneling of non Upgraded
+	      connections (CVE-2019-17567)</li>
+	    <li>moderate: Improper Handling of Insufficient Privileges
+	      (CVE-2020-13938)</li>
+	    <li>low: mod_proxy_http NULL pointer dereference
+	      (CVE-2020-13950)</li>
+	    <li>low: mod_auth_digest possible stack overflow by one nul byte
+	      (CVE-2020-35452)</li>
+	    <li>low: mod_session NULL pointer dereference (CVE-2021-26690)</li>
+	    <li>low: mod_session response handling heap overflow (CVE-2021-26691)</li>
+	    <li>moderate: Unexpected URL matching with 'MergeSlashes OFF'
+	      (CVE-2021-30641)</li>
+	    <li>important: NULL pointer dereference on specially crafted HTTP/2
+	      request (CVE-2021-31618)</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-17567</cvename>
+      <cvename>CVE-2020-13938</cvename>
+      <cvename>CVE-2020-13950</cvename>
+      <cvename>CVE-2020-35452</cvename>
+      <cvename>CVE-2021-26690</cvename>
+      <cvename>CVE-2021-26691</cvename>
+      <cvename>CVE-2021-30641</cvename>
+      <cvename>CVE-2021-31618</cvename>
+      <url>https://httpd.apache.org/security/vulnerabilities_24.html</url>
+    </references>
+    <dates>
+      <discovery>2021-06-09</discovery>
+      <entry>2021-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="c9e2a1a7-caa1-11eb-904f-14dae9d5a9d2">
+    <topic>dragonfly -- argument injection</topic>
+    <affects>
+      <package>
+	<name>rubygem-dragonfly</name>
+	<range><lt>2.4.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>NVD reports:</p>
+	<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-33564">
+	  <p>An argument injection vulnerability in the Dragonfly
+	  gem before 1.4.0 for Ruby allows remote attackers to read
+	  and write to arbitrary files via a crafted URL when the
+	  verify_url option is disabled. This may lead to code
+	  execution. The problem occurs because the generate and
+	  process features mishandle use of the ImageMagick convert
+	  utility.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-33564</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2021-33564</url>
+      <url>https://github.com/mlr0p/CVE-2021-33564</url>
+      <url>https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/</url>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564</url>
+    </references>
+    <dates>
+      <discovery>2021-05-24</discovery>
+      <entry>2021-06-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="e4cd0b38-c9f9-11eb-87e1-08002750c711">
+    <topic>cacti -- SQL Injection was possible due to incorrect validation order</topic>
+    <affects>
+      <package>
+	<name>cacti</name>
+	<range><ge>1.2</ge><lt>1.2.17</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Cati team reports:</p>
+	<blockquote cite="https://github.com/Cacti/cacti/issues/4022">
+	  <p>Due to a lack of validation, data_debug.php can be the source of a SQL injection.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>2020-35701</cvename>
+      <url>https://github.com/Cacti/cacti/issues/4022</url>
+    </references>
+    <dates>
+      <discovery>2020-12-24</discovery>
+      <entry>2021-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="20b3ab21-c9df-11eb-8558-3065ec8fd3ec">
+    <topic>chromium -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>chromium</name>
+	<range><lt>91.0.4472.101</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Chrome Releases reports:</p>
+	<blockquote cite="https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html">
+	  <p>This release contains 14 security fixes, including:</p>
+	  <ul>
+	    <li>[1212618] Critical CVE-2021-30544: Use after free in BFCache.
+	      Reported by Rong Jian and Guang Gong of 360 Alpha Lab on
+	      2021-05-24</li>
+	    <li>[1201031] High CVE-2021-30545: Use after free in Extensions.
+	      Reported by kkwon with everpall and kkomdal on 2021-04-21</li>
+	    <li>[1206911] High CVE-2021-30546: Use after free in Autofill.
+	      Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability
+	      Research on 2021-05-08</li>
+	    <li>[1210414] High CVE-2021-30547: Out of bounds write in ANGLE.
+	      Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on
+	      2021-05-18</li>
+	    <li>[1210487] High CVE-2021-30548: Use after free in Loader.
+	      Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team
+	      on 2021-05-18</li>
+	    <li>[1212498] High CVE-2021-30549: Use after free in Spell check.
+	      Reported by David Erceg on 2021-05-23</li>
+	    <li>[1212500] High CVE-2021-30550: Use after free in Accessibility.
+	      Reported by David Erceg on 2021-05-23</li>
+	    <li>[1216437] High CVE-2021-30551: Type Confusion in V8. Reported by
+	      Sergei Glazunov of Google Project Zero on 2021-06-04</li>
+	    <li>[1200679] Medium CVE-2021-30552: Use after free in Extensions.
+	      Reported by David Erceg on 2021-04-20</li>
+	    <li>[1209769] Medium CVE-2021-30553: Use after free in Network
+	      service. Reported by Anonymous on 2021-05-17</li>
+	  </ul>
+	  <p>Google is aware that an exploit for CVE-2021-30551 exists in the
+	    wild.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-30544</cvename>
+      <cvename>CVE-2021-30545</cvename>
+      <cvename>CVE-2021-30546</cvename>
+      <cvename>CVE-2021-30547</cvename>
+      <cvename>CVE-2021-30548</cvename>
+      <cvename>CVE-2021-30549</cvename>
+      <cvename>CVE-2021-30550</cvename>
+      <cvename>CVE-2021-30551</cvename>
+      <cvename>CVE-2021-30552</cvename>
+      <cvename>CVE-2021-30553</cvename>
+      <url>https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html</url>
+    </references>
+    <dates>
+      <discovery>2021-06-10</discovery>
+      <entry>2021-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="fc1bcbca-c88b-11eb-9120-f02f74d0e4bd">
+    <topic>dino -- Path traversal in Dino file transfers</topic>
+    <affects>
+      <package>
+	<name>dino</name>
+	<range><lt>0.2.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Dino team reports:</p>
+	<blockquote cite="https://dino.im/security/cve-2021-33896/">
+	  <p>It was discovered that when a user receives and downloads
+	  a file in Dino, URI-encoded path separators in the file name
+	  will be decoded, allowing an attacker to traverse
+	  directories and create arbitrary files in the context of the
+	  user.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-33896</cvename>
+      <mlist msgid="392f934a-f937-7b29-5f7f-5df3ee60d8a8 at .larma.de">https://marc.info/?l=oss-security&m=162308719412719</mlist>
+      <url>https://dino.im/security/cve-2021-33896/</url>
+    </references>
+    <dates>
+      <discovery>2021-06-07</discovery>
+      <entry>2021-06-08</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="45b8716b-c707-11eb-b9a0-6805ca0b3d42">
+    <topic>pglogical -- shell command injection in pglogical.create_subscription()</topic>
+    <affects>
+      <package>
+	<name>pglogical</name>
+	<range><lt>2.3.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>2ndQuadrant reports:</p>
+	<blockquote cite="https://github.com/2ndQuadrant/pglogical/releases/tag/REL2_3_4">
+	  <ul>
+	    <li>
+	      Fix pg_dump/pg_restore execution (CVE-2021-3515)<br />
+	      <br />
+	      Correctly escape the connection string for both pg_dump
+	      and pg_restore so that exotic database and user names are
+	      handled correctly.<br />
+	      <br />
+	      Reported by Pedro Gallegos
+	    </li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-3515</cvename>
+      <url>https://github.com/2ndQuadrant/pglogical/releases/tag/REL2_3_4</url>
+      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1954112</url>
+    </references>
+    <dates>
+      <discovery>2021-06-01</discovery>
+      <entry>2021-06-06</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="f70ab05e-be06-11eb-b983-000c294bb613">
+    <topic>drupal7 -- fix possible CSS</topic>
+    <affects>
+      <package>
+	<name>drupal7</name>
+	<range><gt>7.0</gt><lt>7.80</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Drupal Security team reports:</p>
+	<blockquote cite="https://www.drupal.org/sa-core-2021-002">
+	  <p>Drupal core's sanitization API fails to properly filter
+		cross-site scripting under certain circumstances.
+		Not all sites and users are affected, but configuration
+		changes to prevent the exploit might be impractical
+		and will vary between sites. Therefore, we recommend
+		all sites update to this release as soon as
+		possible.
+	  </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+	<cvename>CVE-2020-13672</cvename>
+    </references>
+    <dates>
+      <discovery>2021-04-21</discovery>
+      <entry>2021-06-06</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="36a35d83-c560-11eb-84ab-e0d55e2a8bf9">
+    <topic>polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync</topic>
+    <affects>
+      <package>
+	<name>polkit</name>
+	<range><lt>0.119</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Cedric Buissart reports:</p>
+	<blockquote cite="https://seclists.org/oss-sec/2021/q2/180">
+	  <p>The function <code>polkit_system_bus_name_get_creds_sync</code> is used to get the
+	  uid and pid of the process requesting the action. It does this by
+	  sending the unique bus name of the requesting process, which is
+	  typically something like ":1.96", to <code>dbus-daemon</code>. These unique names
+	  are assigned and managed by <code>dbus-daemon</code> and cannot be forged, so this
+	  is a good way to check the privileges of the requesting process.</p>
+	  <p>The vulnerability happens when the requesting process disconnects from
+	  <code>dbus-daemon</code> just before the call to
+	  <code>polkit_system_bus_name_get_creds_sync</code> starts. In this scenario, the
+	  unique bus name is no longer valid, so <code>dbus-daemon</code> sends back an error
+	  reply. This error case is handled in
+	  <code>polkit_system_bus_name_get_creds_sync</code> by setting the value of the
+	  <code>error</code> parameter, but it still returns <code>TRUE</code>, rather than <code>FALSE</code>.
+	  This behavior means that all callers of
+	  <code>polkit_system_bus_name_get_creds_sync</code> need to carefully check whether
+	  an error was set. If the calling function forgets to check for errors
+	  then it will think that the uid of the requesting process is 0 (because
+	  the <code>AsyncGetBusNameCredsData</code> struct is zero initialized). In other
+	  words, it will think that the action was requested by a root process,
+	  and will therefore allow it.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-3560</cvename>
+      <url>https://seclists.org/oss-sec/2021/q2/180</url>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560</url>
+      <url>https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a</url>
+    </references>
+    <dates>
+      <discovery>2021-06-03</discovery>
+      <entry>2021-06-04</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="69815a1d-c31d-11eb-9633-b42e99a1b9c3">
+    <topic>SOGo -- SAML user authentication impersonation</topic>
+    <affects>
+      <package>
+	<name>sogo</name>
+	<range><lt>5.1.1</lt></range>
+      </package>
+      <package>
+	<name>sogo-activesync</name>
+	<range><lt>5.1.1</lt></range>
+      </package>
+      <package>
+	<name>sogo2</name>
+	<range><lt>2.4.1</lt></range>
+      </package>
+      <package>
+	<name>sogo2-activesync</name>
+	<range><lt>2.4.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>sogo.nu reports:</p>
+	<blockquote cite="https://www.sogo.nu/news/2021/saml-vulnerability.html">
+	  <p>SOGo was not validating the signatures of any SAML assertions it received.</p>
+	  <p>This means any actor with network access to the deployment could impersonate</p>
+	  <p>users when SAML was the authentication method.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-33054</cvename>
+      <url>https://www.sogo.nu/news/2021/saml-vulnerability.html</url>
+      <url>https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html</url>
+    </references>
+    <dates>
+      <discovery>2021-06-01</discovery>
+      <entry>2021-06-02</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="c7855866-c511-11eb-ae1d-b42e991fc52e">
+    <topic>tauthon -- Regular Expression Denial of Service</topic>
+    <affects>
+      <package>
+	<name>tauthon</name>
+	<range><lt>2.8.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p></p>
+	<blockquote cite="https://github.com/naftaliharris/tauthon/blob/master/Misc/NEWS.d/2.8.3.rst">
+	  <p>The :class:`~urllib.request.AbstractBasicAuthHandler` class
+	    of the :mod:`urllib.request` module uses an inefficient
+	    regular expression which can be exploited by an
+	    attacker to cause a denial of service</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2020-8492</cvename>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492</url>
+    </references>
+    <dates>
+      <discovery>2020-01-30</discovery>
+      <entry>2021-06-04</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="417de1e6-c31b-11eb-9633-b42e99a1b9c3">
+    <topic>lasso -- signature checking failure</topic>
+    <affects>
+      <package>
+	<name>lasso</name>
+	<range><lt>2.7.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+    <p>entrouvert reports:</p>
+    <blockquote cite="https://git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0">
+      <p>When AuthnResponse messages are not signed (which is
+  permitted by the specifiation), all assertion's signatures should be
+  checked, but currently after the first signed assertion is checked all
+  following assertions are accepted without checking their signature, and
+  the last one is considered the main assertion.</p>
+    </blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-28091</cvename>
+      <url>https://git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0</url>
+    </references>
+    <dates>
+      <discovery>2021-06-01</discovery>
+      <entry>2021-06-01</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="079b3641-c4bd-11eb-a22a-693f0544ae52">
+    <topic>go -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>go</name>
+	<range><lt>1.16.5,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Go project reports:</p>
+	<blockquote cite="https://github.com/golang/go/issues/45910">
+	  <p>The SetString and UnmarshalText methods of math/big.Rat may cause a
+	    panic or an unrecoverable fatal error if passed inputs with very
+	    large exponents.</p>
+	</blockquote>
+	<blockquote cite="https://github.com/golang/go/issues/46313">
+	  <p>ReverseProxy in net/http/httputil could be made to forward certain
+	    hop-by-hop headers, including Connection. In case the target of the
+	    ReverseProxy was itself a reverse proxy, this would let an attacker
+	    drop arbitrary headers, including those set by the
+	    ReverseProxy.Director.</p>
+	</blockquote>
+	<blockquote cite="https://github.com/golang/go/issues/46241">
+	  <p>The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
+	    functions in net, and their respective methods on the Resolver type
+	    may return arbitrary values retrieved from DNS which do not follow
+	    the established RFC 1035 rules for domain names. If these names are
+	    used without further sanitization, for instance unsafely included in
+	    HTML, they may allow for injection of unexpected content. Note that
+	    LookupTXT may still return arbitrary values that could require
+	    sanitization before further use.</p>
+	</blockquote>
+	<blockquote cite="https://github.com/golang/go/issues/46242">
+	  <p>The NewReader and OpenReader functions in archive/zip can cause a
+	    panic or an unrecoverable fatal error when reading an archive that
+	    claims to contain a large number of files, regardless of its actual
+	    size.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-33198</cvename>
+      <url>https://github.com/golang/go/issues/45910</url>
+      <cvename>CVE-2021-33197</cvename>
+      <url>https://github.com/golang/go/issues/46313</url>
+      <cvename>CVE-2021-33195</cvename>
+      <url>https://github.com/golang/go/issues/46241</url>
+      <cvename>CVE-2021-33196</cvename>
+      <url>https://github.com/golang/go/issues/46242</url>
+    </references>
+    <dates>
+      <discovery>2021-05-01</discovery>
+      <entry>2021-06-03</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="3000acee-c45d-11eb-904f-14dae9d5a9d2">
+    <topic>aiohttp -- open redirect vulnerability</topic>
+    <affects>
+      <package>
+	<name>py36-aiohttp</name>
+	<name>py37-aiohttp</name>
+	<name>py38-aiohttp</name>
+	<name>py39-aiohttp</name>
+	<range><le>3.7.3</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Sviatoslav Sydorenko reports:</p>
+	<blockquote cite="https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg">
+	  <p>Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.</p>
+	  <p>It is caused by a bug in the <code>aiohttp.web_middlewares.normalize_path_middleware</code> middleware.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-21330</cvename>
+      <url>https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg</url>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2021-21330</url>
+    </references>
+    <dates>
+      <discovery>2021-02-25</discovery>
+      <entry>2021-06-03</entry>
+      <modified>2021-06-23</modified>
+    </dates>
+  </vuln>
+
+  <vuln vid="a550d62c-f78d-4407-97d9-93876b6741b9">
+    <topic>zeek -- several potential DoS vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>zeek</name>
+	<range><lt>4.0.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Tim Wojtulewicz of Corelight reports:</p>
+	<blockquote cite="https://github.com/zeek/zeek/releases/tag/v4.0.2">
+	  <p> Fix potential Undefined Behavior in decode_netbios_name()
+	  and decode_netbios_name_type() BIFs. The latter has a
+	  possibility of a remote heap-buffer-overread, making this
+	  a potential DoS vulnerability.</p>
+	  <p> Add some extra length checking when parsing mobile
+	  ipv6 packets. Due to the possibility of reading invalid
+	  headers from remote sources, this is a potential DoS
+	  vulnerability. </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/zeek/zeek/releases/tag/v4.0.2</url>
+    </references>
+    <dates>
+      <discovery>2021-04-30</discovery>
+      <entry>2021-06-02</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="c7ec6375-c3cf-11eb-904f-14dae9d5a9d2">
+    <topic>PyYAML -- arbitrary code execution</topic>
+    <affects>
+      <package>
+	<name>py36-yaml</name>
+	<name>py37-yaml</name>
+	<name>py38-yaml</name>
+	<name>py39-yaml</name>
+	<range><lt>5.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>A vulnerability was discovered in the PyYAML library
+	in versions before 5.4, where it is susceptible to arbitrary
+	code execution when it processes untrusted YAML files
+	through the full_load method or with the FullLoader loader.
+	Applications that use the library to process untrusted
+	input may be vulnerable to this flaw. This flaw allows
+	an attacker to execute arbitrary code on the system by
+	abusing the python/object/new constructor. This flaw is
+	due to an incomplete fix for CVE-2020-1747.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2020-14343</cvename>
+      <url>https://github.com/yaml/pyyaml/issues/420</url>
+      <url>https://access.redhat.com/security/cve/CVE-2020-14343</url>
+      <url>https://bugzilla.redhat.com/show_bug.cgi?id=1860466</url>
+    </references>
+    <dates>
+      <discovery>2020-07-22</discovery>
+      <entry>2021-06-02</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="e24fb8f8-c39a-11eb-9370-b42e99a1b9c3">
+    <topic>isc-dhcp -- remotely exploitable vulnerability</topic>
+    <affects>
+      <package>
+	<name>isc-dhcp44-relay</name>
+	<range><lt>4.4.2-P1</lt></range>
+      </package>
+      <package>
+	<name>isc-dhcp44-server</name>
+	<range><lt>4.4.2-P1</lt></range>
+      </package>
+      <package>
+	<name>isc-dhcp44-client</name>
+	<range><lt>4.4.2-P1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Michael McNally reports:</p>
+	<blockquote cite="https://seclists.org/oss-sec/2021/q2/170">
+	  <p>Program code used by the ISC DHCP package to read and parse stored leases</p>
+	  <p>has a defect that can be exploited by an attacker to cause one of several
+	     undesirable outcomes</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-25217</cvename>
+      <url>https://kb.isc.org/docs/cve-2021-25217</url>
+    </references>
+    <dates>
+      <discovery>2021-05-26</discovery>
+      <entry>2021-06-02</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="5f52d646-c31f-11eb-8dcf-001b217b3468">
+    <topic>Gitlab -- Multiple Vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>gitlab-ce</name>
+	<range><ge>13.12.0</ge><lt>13.12.2</lt></range>
+	<range><ge>13.11.0</ge><lt>13.11.5</lt></range>
+	<range><ge>7.10.0</ge><lt>13.10.5</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Gitlab reports:</p>
+	<blockquote cite="https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/">
+	  <p>Stealing GitLab OAuth access tokens using XSLeaks in Safari</p>
+	  <p>Denial of service through recursive triggered pipelines</p>
+	  <p>Unauthenticated CI lint API may lead to information disclosure and SSRF</p>
+	  <p>Server-side DoS through rendering crafted Markdown documents</p>
+	  <p>Issue and merge request length limit is not being enforced</p>
+	  <p>Insufficient Expired Password Validation</p>
+	  <p>XSS in blob viewer of notebooks</p>
+	  <p>Logging of Sensitive Information</p>
+	  <p>On-call rotation information exposed when removing a member</p>
+	  <p>Spoofing commit author for signed commits</p>
+	  <p>Enable qsh verification for Atlassian Connect</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-22181</cvename>
+      <url>https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/</url>
+    </references>
+    <dates>
+      <discovery>2021-06-01</discovery>
+      <entry>2021-06-01</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="8eb69cd0-c2ec-11eb-b6e7-8c164567ca3c">
+    <topic>redis -- integer overflow</topic>
+    <affects>
+      <package>
+	<name>redis</name>
+	<range><ge>6.0.0</ge><lt>6.0.14</lt></range>
+      </package>
+      <package>
+	<name>redis-devel</name>
+	<range><ge>6.2.0</ge><lt>6.2.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Redis development team reports:</p>
+	<blockquote cite="https://groups.google.com/g/redis-db/c/RLTwi1kKsCI">
+	  <p>An integer overflow bug in Redis version 6.0 or newer can be
+	    exploited using the STRALGO LCS command to corrupt the heap and
+	    potentially result with remote code execution. This is a result
+	    of an incomplete fix by CVE-2021-29477.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-32625</cvename>
+      <url>https://groups.google.com/g/redis-db/c/RLTwi1kKsCI</url>
+    </references>
+    <dates>
+      <discovery>2021-06-01</discovery>
+      <entry>2021-06-01</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="58d6ed66-c2e8-11eb-9fb0-6451062f0f7a">
+    <topic>libX11 -- Arbitrary code execution</topic>
+    <affects>
+      <package>
+	<name>libX11</name>
+	<range><lt>1.7.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The X.org project reports:</p>
+	<blockquote cite="https://lists.freedesktop.org/archives/xorg/2021-May/060699.html">
+	  <p>XLookupColor() and other X libraries function lack proper validation
+	    of the length of their string parameters. If those parameters can be
+	    controlled by an external application (for instance a color name that
+	    can be emitted via a terminal control sequence) it can lead to the
+	    emission of extra X protocol requests to the X server.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-31535</cvename>
+      <url>https://lists.freedesktop.org/archives/xorg/2021-May/060699.html</url>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2021-31535</url>
+    </references>
+    <dates>
+      <discovery>2021-05-11</discovery>
+      <entry>2021-06-01</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="59ab72fb-bccf-11eb-a38d-6805ca1caf5c">
+    <topic>Prometheus -- arbitrary redirects</topic>
+    <affects>
+      <package>
+	<name>prometheus2</name>
+	<range><ge>2.23.0</ge><lt>2.26.1</lt></range>
+	<range><eq>2.27.0</eq></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Prometheus reports:</p>
+	<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-29622">
+	  <p>
+	    Prometheus is an open-source monitoring system and time series
+	    database. In 2.23.0, Prometheus changed its default UI to the New
+	    ui. To ensure a seamless transition, the URL's prefixed by /new
+	    redirect to /. Due to a bug in the code, it is possible for an
+	    attacker to craft an URL that can redirect to any other URL, in the
+	    /new endpoint. If a user visits a prometheus server with a
+	    specially crafted address, they can be redirected to an arbitrary
+	    URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In
+	    2.28.0, the /new endpoint will be removed completely. The
+	    workaround is to disable access to /new via a reverse proxy in
+	    front of Prometheus.
+	  </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-29622</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2021-29622</url>
+    </references>
+    <dates>
+      <discovery>2021-05-18</discovery>
+      <entry>2021-06-01</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="fd24a530-c202-11eb-b217-b42e99639323">
+    <topic>wayland -- integer overflow</topic>
+    <affects>
+      <package>
+	<name>wayland</name>
+	<range><lt>1.19.0_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Tobias Stoeckmann reports:</p>
+	<blockquote
+	  cite="https://gitlab.freedesktop.org/wayland/wayland/-/merge_requests/133">
+	  <p>The libXcursor fix for CVE-2013-2003 has never been imported into wayland, leaving it vulnerable to it.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2013-2003</cvename>
+      <url>https://gitlab.freedesktop.org/wayland/wayland/-/merge_requests/133</url>
+      <freebsdpr>ports/256273</freebsdpr>
+    </references>
+    <dates>
+      <discovery>2021-05-02</discovery>
+      <entry>2021-05-31</entry>
+    </dates>
*** 11820 LINES SKIPPED ***

