mirror of https://git.FreeBSD.org/ports.git synced 2025-01-07 06:40:06 +00:00
freebsd-ports/security/vuxml/vuln-2021.xml
Juraj Lutter 73672272c0 security/vuxml: Fix dovecot entry
Fix stray ">" character in a CVE URL.
2021-06-30 17:39:09 +02:00


<vuln vid="7003b62d-7252-46ff-a9df-1b1900f1e65b">
<topic>RabbitMQ -- Denial of Service via improper input validation</topic>
<affects>
<package>
<name>rabbitmq</name>
<range><lt>3.8.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jonathon Knudsen of Synopsys Cybersecurity Research Center reports:</p>
<blockquote cite="https://tanzu.vmware.com/security/cve-2021-22116">
<p>All versions prior to 3.8.16 are prone to a denial of service
vulnerability due to improper input validation in the AMQP 1.0 client
connection endpoint. A malicious client can exploit the vulnerability
by sending malicious AMQP messages to the target RabbitMQ instance
having the AMQP 1.0 plugin enabled.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-22116</cvename>
<url>https://tanzu.vmware.com/security/cve-2021-22116</url>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22116</url>
</references>
<dates>
<discovery>2021-05-10</discovery>
<entry>2021-06-28</entry>
</dates>
</vuln>
<vuln vid="7c555ce3-658d-4589-83dd-4b6a31c5d610">
<topic>RabbitMQ-C -- integer overflow leads to heap corruption</topic>
<affects>
<package>
<name>rabbitmq-c</name>
<name>rabbitmq-c-devel</name>
<range><lt>0.10.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>alanxz reports:</p>
<blockquote cite="https://github.com/alanxz/rabbitmq-c/commit/fc85be7123050b91b054e45b91c78d3241a5047a">
<p>When parsing a frame header, validate that the frame_size is less than
or equal to INT32_MAX. Given frame_max is limited between 0 and
INT32_MAX in amqp_login and friends, this does not change the API.
This prevents a potential buffer overflow when a malicious client sends
a frame_size that is close to UINT32_MAX, which causes an overflow
when computing state-&gt;target_size resulting in a small value there. A
buffer is then allocated with the small amount, then memcpy copies the
frame_size writing to memory beyond the end of the buffer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2019-18609</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18609</url>
</references>
<dates>
<discovery>2019-10-29</discovery>
<entry>2021-06-25</entry>
</dates>
</vuln>
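The frame-size overflow the rabbitmq-c entry above describes, as an added C example that is not rabbitmq-c's own code: a simplified AMQP 0-9-1 frame model (7-byte header of type, channel and big-endian size, then the payload, then a 1-byte frame-end) showing how a 32-bit frame_size near UINT32_MAX wraps the header+payload+end sum to a tiny allocation that a memcpy of frame_size bytes then overruns, next to the bound check that rejects such a frame before any arithmetic happens. The constants, function names, the frame_max value and the constructed sample header are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified AMQP 0-9-1 frame layout (model, not rabbitmq-c's code):
 * type(1) channel(2) size(4, big-endian) payload(size) frame-end(1). */
#define FRAME_HEADER_SIZE 7
#define FRAME_END_SIZE 1

/* Constructed sample header: type=1, channel=0, size=0xFFFFFFFC (UINT32_MAX - 3). */
const uint8_t SAMPLE_HEADER[FRAME_HEADER_SIZE] = {1, 0, 0, 0xFF, 0xFF, 0xFF, 0xFC};

/* Read the 32-bit frame size at offset 3 of a 7-byte header. */
uint32_t read_frame_size(const uint8_t hdr[FRAME_HEADER_SIZE]) {
    return ((uint32_t)hdr[3] << 24) | ((uint32_t)hdr[4] << 16) |
           ((uint32_t)hdr[5] << 8) | (uint32_t)hdr[6];
}

/* Vulnerable shape: header + payload + end summed in 32 bits with no bound,
 * so a frame_size near UINT32_MAX wraps to a small value. */
uint32_t target_size_unchecked(uint32_t frame_size) {
    return frame_size + FRAME_HEADER_SIZE + FRAME_END_SIZE;
}

/* 1 when the unchecked path would allocate fewer bytes than it then copies
 * (memcpy of frame_size bytes into a target_size buffer), i.e. the overflow. */
int unchecked_path_overflows(uint32_t frame_size) {
    return target_size_unchecked(frame_size) < frame_size;
}

/* Hardened: reject frame_size above INT32_MAX or above the negotiated
 * frame_max before doing arithmetic. Returns 0 on rejection (a real target
 * is never below FRAME_HEADER_SIZE + FRAME_END_SIZE). */
size_t target_size_checked(uint32_t frame_size, uint32_t frame_max) {
    if (frame_size > INT32_MAX || frame_size > frame_max)
        return 0;
    return (size_t)frame_size + FRAME_HEADER_SIZE + FRAME_END_SIZE;
}

int main(void) {
    uint32_t fs = read_frame_size(SAMPLE_HEADER);
    uint32_t frame_max = 131072; /* assumed negotiated limit */
    printf("frame_size=%u unchecked target=%u overflows=%d\n",
           (unsigned)fs, (unsigned)target_size_unchecked(fs),
           unchecked_path_overflows(fs));
    printf("checked target=%zu (0 means rejected)\n",
           target_size_checked(fs, frame_max));
    return 0;
}
```

With the sample header the unchecked sum is 4, so a 4-byte buffer is allocated and about 4 GiB would be copied into it; the checked variant returns 0 and the frame is dropped. The check goes on the raw value from the wire, before it is added to anything, which is the general rule for length fields in network parsers.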
<vuln vid="41bc849f-d5ef-11eb-ae37-589cfc007716">
<topic>PuppetDB -- SQL Injection</topic>
<affects>
<package>
<name>puppetdb6</name>
<range><lt>6.17.0</lt></range>
</package>
<package>
<name>puppetdb7</name>
<range><lt>7.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Puppet reports:</p>
<blockquote cite="https://puppet.com/docs/puppetdb/latest/release_notes.html#security-fixes">
<p>Fixed an issue where someone with the ability to query PuppetDB
could arbitrarily write, update, or delete data (CVE-2021-27021,
PDB-5138).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-27021</cvename>
<url>https://puppet.com/security/cve/cve-2021-27021/</url>
<url>https://tickets.puppetlabs.com/browse/PDB-5138</url>
</references>
<dates>
<discovery>2021-06-24</discovery>
<entry>2021-06-25</entry>
</dates>
</vuln>
<vuln vid="4c9159ea-d4c9-11eb-aeee-8c164582fbac">
<topic>Ansible -- Templating engine bug</topic>
<affects>
<package>
<name>py36-ansible-core</name>
<name>py37-ansible-core</name>
<name>py38-ansible-core</name>
<name>py39-ansible-core</name>
<range><lt>2.11.2</lt></range>
</package>
<package>
<name>py36-ansible-base</name>
<name>py37-ansible-base</name>
<name>py38-ansible-base</name>
<name>py39-ansible-base</name>
<range><lt>2.10.11</lt></range>
</package>
<package>
<name>py36-ansible2</name>
<name>py37-ansible2</name>
<name>py38-ansible2</name>
<name>py39-ansible2</name>
<range><lt>2.9.23</lt></range>
</package>
<package>
<name>py36-ansible</name>
<name>py37-ansible</name>
<name>py38-ansible</name>
<name>py39-ansible</name>
<range><lt>2.9.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ansible developers report:</p>
<blockquote cite="https://github.com/ansible/ansible/blob/stable-2.11/changelogs/CHANGELOG-v2.11.rst#security-fixes">
<p>Templating engine fix for not preserving unsafe status
when trying to preserve newlines.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-3583</cvename>
<url>https://github.com/ansible/ansible/blob/stable-2.11/changelogs/CHANGELOG-v2.11.rst#security-fixes</url>
<url>https://github.com/ansible/ansible/blob/stable-2.10/changelogs/CHANGELOG-v2.10.rst#security-fixes</url>
<url>https://github.com/ansible/ansible/pull/74960</url>
<url>https://groups.google.com/g/ansible-announce/c/tmIgD1DpZJg</url>
</references>
<dates>
<discovery>2021-06-10</discovery>
<entry>2021-06-24</entry>
<modified>2021-06-25</modified>
</dates>
</vuln>
<vuln vid="f3fc2b50-d36a-11eb-a32c-00a0989e4ec1">
<topic>dovecot-pigeonhole -- Sieve excessive resource usage</topic>
<affects>
<package>
<name>dovecot-pigeonhole</name>
<range><lt>0.5.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dovecot team reports:</p>
<blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html">
<p>Sieve interpreter is not protected against abusive
scripts that claim excessive resource usage. Fixed by limiting the
user CPU time per single script execution and cumulatively over
several script runs within a configurable timeout period. Sufficiently
large CPU time usage is summed in the Sieve script binary and execution
is blocked when the sum exceeds the limit within that time. The block
is lifted when the script is updated after the resource usage times out.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-28200</cvename>
<url>https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html</url>
</references>
<dates>
<discovery>2020-09-23</discovery>
<entry>2021-06-22</entry>
</dates>
</vuln>
<vuln vid="d18f431d-d360-11eb-a32c-00a0989e4ec1">
<topic>dovecot -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dovecot</name>
<range><ge>2.3.11</ge><lt>2.3.14.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dovecot team reports:</p>
<blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html">
<p>CVE-2021-29157: Dovecot does not correctly escape kid and azp
fields in JWT tokens. This may be used to supply attacker controlled
keys to validate tokens in some configurations. This requires the
attacker to be able to write files to local disk.</p>
</blockquote>
<blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html">
<p>CVE-2021-33515: On-path attacker could inject plaintext commands
before STARTTLS negotiation that would be executed after STARTTLS
finished with the client. Only the SMTP submission service is
affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-29157</cvename>
<url>https://dovecot.org/pipermail/dovecot-news/2021-June/000461.html</url>
<cvename>CVE-2021-33515</cvename>
<url>https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html</url>
</references>
<dates>
<discovery>2021-03-22</discovery>
<entry>2021-06-22</entry>
</dates>
</vuln>
<vuln vid="0e561c06-d13a-11eb-92be-0800273f11ea">
<topic>gitea -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gitea</name>
<range><lt>1.14.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Gitea Team reports for release 1.14.3:</p>
<blockquote cite="https://blog.gitea.io/2021/06/gitea-1.14.3-is-released/">
<ul>
<li>Encrypt migration credentials at rest (#15895) (#16187)</li>
<li>Only check access tokens if they are likely to be tokens
(#16164) (#16171)</li>
<li>Add missing SameSite settings for the i_like_gitea cookie
(#16037) (#16039)</li>
<li>Fix setting of SameSite on cookies (#15989) (#15991)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/go-gitea/gitea/releases/tag/v1.14.3</url>
<freebsdpr>ports/256720</freebsdpr>
</references>
<dates>
<discovery>2021-05-16</discovery>
<entry>2021-06-19</entry>
</dates>
</vuln>
<vuln vid="afdc7579-d023-11eb-bcad-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>91.0.4472.114</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html">
<p>This release includes 4 security fixes, including:</p>
<ul>
<li>[1219857] High CVE-2021-30554: Use after free in WebGL. Reported
by anonymous on 2021-06-15</li>
<li>[1215029] High CVE-2021-30555: Use after free in Sharing.
Reported by David Erceg on 2021-06-01</li>
<li>[1212599] High CVE-2021-30556: Use after free in WebAudio.
Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-24</li>
<li>[1202102] High CVE-2021-30557: Use after free in TabGroups.
Reported by David Erceg on 2021-04-23</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-30554</cvename>
<cvename>CVE-2021-30555</cvename>
<cvename>CVE-2021-30556</cvename>
<cvename>CVE-2021-30557</cvename>
<url>https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html</url>
</references>
<dates>
<discovery>2021-06-17</discovery>
<entry>2021-06-18</entry>
</dates>
</vuln>
<vuln vid="9f27ac74-cdee-11eb-930d-fc4dd43e2b6a">
<topic>ircII -- denial of service</topic>
<affects>
<package>
<name>ircii</name>
<range><lt>20210314</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael Ortmann reports:</p>
<blockquote cite="https://www.openwall.com/lists/oss-security/2021/03/24/2">
<p>ircii has a bug in parsing CTCP UTC messages.</p>
<p>It's unknown if this could also be used for arbitrary code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-29376</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29376</url>
</references>
<dates>
<discovery>2021-03-02</discovery>
<entry>2021-03-30</entry>
</dates>
</vuln>
<vuln vid="cce76eca-ca16-11eb-9b84-d4c9ef517024">
<topic>Apache httpd -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>apache24</name>
<range><lt>2.4.48</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache httpd project reports:</p>
<blockquote cite="https://httpd.apache.org/security/vulnerabilities_24.html">
<ul>
<li>moderate: mod_proxy_wstunnel tunneling of non Upgraded
connections (CVE-2019-17567)</li>
<li>moderate: Improper Handling of Insufficient Privileges
(CVE-2020-13938)</li>
<li>low: mod_proxy_http NULL pointer dereference
(CVE-2020-13950)</li>
<li>low: mod_auth_digest possible stack overflow by one nul byte
(CVE-2020-35452)</li>
<li>low: mod_session NULL pointer dereference (CVE-2021-26690)</li>
<li>low: mod_session response handling heap overflow (CVE-2021-26691)</li>
<li>moderate: Unexpected URL matching with 'MergeSlashes OFF'
(CVE-2021-30641)</li>
<li>important: NULL pointer dereference on specially crafted HTTP/2
request (CVE-2021-31618)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2019-17567</cvename>
<cvename>CVE-2020-13938</cvename>
<cvename>CVE-2020-13950</cvename>
<cvename>CVE-2020-35452</cvename>
<cvename>CVE-2021-26690</cvename>
<cvename>CVE-2021-26691</cvename>
<cvename>CVE-2021-30641</cvename>
<cvename>CVE-2021-31618</cvename>
<url>https://httpd.apache.org/security/vulnerabilities_24.html</url>
</references>
<dates>
<discovery>2021-06-09</discovery>
<entry>2021-06-10</entry>
</dates>
</vuln>
<vuln vid="c9e2a1a7-caa1-11eb-904f-14dae9d5a9d2">
<topic>dragonfly -- argument injection</topic>
<affects>
<package>
<name>rubygem-dragonfly</name>
<range><lt>2.4.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-33564">
<p>An argument injection vulnerability in the Dragonfly
gem before 1.4.0 for Ruby allows remote attackers to read
and write to arbitrary files via a crafted URL when the
verify_url option is disabled. This may lead to code
execution. The problem occurs because the generate and
process features mishandle use of the ImageMagick convert
utility.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-33564</cvename>
<url>https://nvd.nist.gov/vuln/detail/CVE-2021-33564</url>
<url>https://github.com/mlr0p/CVE-2021-33564</url>
<url>https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/</url>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564</url>
</references>
<dates>
<discovery>2021-05-24</discovery>
<entry>2021-06-11</entry>
</dates>
</vuln>
<vuln vid="e4cd0b38-c9f9-11eb-87e1-08002750c711">
<topic>cacti -- SQL Injection was possible due to incorrect validation order</topic>
<affects>
<package>
<name>cacti</name>
<range><ge>1.2</ge><lt>1.2.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cacti team reports:</p>
<blockquote cite="https://github.com/Cacti/cacti/issues/4022">
<p>Due to a lack of validation, data_debug.php can be the source of a SQL injection.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-35701</cvename>
<url>https://github.com/Cacti/cacti/issues/4022</url>
</references>
<dates>
<discovery>2020-12-24</discovery>
<entry>2021-06-10</entry>
<modified>2021-06-24</modified>
</dates>
</vuln>
<vuln vid="20b3ab21-c9df-11eb-8558-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>91.0.4472.101</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html">
<p>This release contains 14 security fixes, including:</p>
<ul>
<li>[1212618] Critical CVE-2021-30544: Use after free in BFCache.
Reported by Rong Jian and Guang Gong of 360 Alpha Lab on
2021-05-24</li>
<li>[1201031] High CVE-2021-30545: Use after free in Extensions.
Reported by kkwon with everpall and kkomdal on 2021-04-21</li>
<li>[1206911] High CVE-2021-30546: Use after free in Autofill.
Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability
Research on 2021-05-08</li>
<li>[1210414] High CVE-2021-30547: Out of bounds write in ANGLE.
Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on
2021-05-18</li>
<li>[1210487] High CVE-2021-30548: Use after free in Loader.
Reported by Yangkang(@dnpushme) &amp; Wanglu of Qihoo360 Qex Team
on 2021-05-18</li>
<li>[1212498] High CVE-2021-30549: Use after free in Spell check.
Reported by David Erceg on 2021-05-23</li>
<li>[1212500] High CVE-2021-30550: Use after free in Accessibility.
Reported by David Erceg on 2021-05-23</li>
<li>[1216437] High CVE-2021-30551: Type Confusion in V8. Reported by
Sergei Glazunov of Google Project Zero on 2021-06-04</li>
<li>[1200679] Medium CVE-2021-30552: Use after free in Extensions.
Reported by David Erceg on 2021-04-20</li>
<li>[1209769] Medium CVE-2021-30553: Use after free in Network
service. Reported by Anonymous on 2021-05-17</li>
</ul>
<p>Google is aware that an exploit for CVE-2021-30551 exists in the
wild.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-30544</cvename>
<cvename>CVE-2021-30545</cvename>
<cvename>CVE-2021-30546</cvename>
<cvename>CVE-2021-30547</cvename>
<cvename>CVE-2021-30548</cvename>
<cvename>CVE-2021-30549</cvename>
<cvename>CVE-2021-30550</cvename>
<cvename>CVE-2021-30551</cvename>
<cvename>CVE-2021-30552</cvename>
<cvename>CVE-2021-30553</cvename>
<url>https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2021-06-10</discovery>
<entry>2021-06-10</entry>
</dates>
</vuln>
<vuln vid="fc1bcbca-c88b-11eb-9120-f02f74d0e4bd">
<topic>dino -- Path traversal in Dino file transfers</topic>
<affects>
<package>
<name>dino</name>
<range><lt>0.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dino team reports:</p>
<blockquote cite="https://dino.im/security/cve-2021-33896/">
<p>It was discovered that when a user receives and downloads
a file in Dino, URI-encoded path separators in the file name
will be decoded, allowing an attacker to traverse
directories and create arbitrary files in the context of the
user.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-33896</cvename>
<mlist msgid="392f934a-f937-7b29-5f7f-5df3ee60d8a8@.larma.de">https://marc.info/?l=oss-security&amp;m=162308719412719</mlist>
<url>https://dino.im/security/cve-2021-33896/</url>
</references>
<dates>
<discovery>2021-06-07</discovery>
<entry>2021-06-08</entry>
</dates>
</vuln>
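The path traversal the Dino entry above describes, as an added C example that is not Dino's code: a percent-decoder followed by the join of a received file name onto the download directory, first in the vulnerable shape (decode, then join whatever came out) and then with the decoded name required to be a single path component before it is joined. The directory, the file names and the helper names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode `in` into `out`. Returns the decoded length, or -1 on a
 * malformed escape, an embedded %00, or an output that does not fit. */
int percent_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int h = hexval((unsigned char)in[i + 1]);
            int l = (h >= 0) ? hexval((unsigned char)in[i + 2]) : -1;
            if (l < 0) return -1;
            c = (h << 4) | l;
            i += 2;
        }
        if (c == '\0') return -1;        /* %00 would silently truncate the path */
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* A safe file name is exactly one path component: non-empty, not "." or "..",
 * and free of separators (backslash included for portability). */
int is_single_component(const char *name) {
    if (name[0] == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL) return 0;
    return 1;
}

static char path_buf[1024];

/* Vulnerable shape: decode the sender's name and join it onto the download
 * directory without looking at what decoding produced. */
const char *join_vulnerable(const char *dir, const char *encoded_name) {
    char name[256];
    if (percent_decode(encoded_name, name, sizeof name) < 0) return NULL;
    int n = snprintf(path_buf, sizeof path_buf, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= sizeof path_buf) ? NULL : path_buf;
}

/* Hardened: the decoded name must be a single component, so "../" sequences
 * that arrived as %2F (or %2e%2e) cannot leave the download directory. */
const char *join_safe(const char *dir, const char *encoded_name) {
    char name[256];
    if (percent_decode(encoded_name, name, sizeof name) < 0) return NULL;
    if (!is_single_component(name)) return NULL;
    int n = snprintf(path_buf, sizeof path_buf, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= sizeof path_buf) ? NULL : path_buf;
}

int main(void) {
    const char *dir = "/home/user/Downloads";            /* constructed */
    const char *evil = "..%2F..%2F.bashrc";               /* constructed sender name */
    const char *p = join_vulnerable(dir, evil);
    printf("vulnerable: %s\n", p ? p : "(rejected)");
    p = join_safe(dir, evil);
    printf("safe:       %s\n", p ? p : "(rejected)");
    p = join_safe(dir, "report%20final.pdf");
    printf("safe:       %s\n", p ? p : "(rejected)");
    return 0;
}
```

The order matters: the check runs on the decoded bytes, since checking the encoded string for "/" would miss %2F. Rejecting rather than stripping keeps the rule simple and auditable; a stripped name can still collide with an existing file, which is a separate decision for the application.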
<vuln vid="45b8716b-c707-11eb-b9a0-6805ca0b3d42">
<topic>pglogical -- shell command injection in pglogical.create_subscription()</topic>
<affects>
<package>
<name>pglogical</name>
<range><lt>2.3.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>2ndQuadrant reports:</p>
<blockquote cite="https://github.com/2ndQuadrant/pglogical/releases/tag/REL2_3_4">
<ul>
<li>
Fix pg_dump/pg_restore execution (CVE-2021-3515)<br />
<br />
Correctly escape the connection string for both pg_dump
and pg_restore so that exotic database and user names are
handled correctly.<br />
<br />
Reported by Pedro Gallegos
</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-3515</cvename>
<url>https://github.com/2ndQuadrant/pglogical/releases/tag/REL2_3_4</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1954112</url>
</references>
<dates>
<discovery>2021-06-01</discovery>
<entry>2021-06-06</entry>
</dates>
</vuln>
<vuln vid="f70ab05e-be06-11eb-b983-000c294bb613">
<topic>drupal7 -- fix possible XSS</topic>
<affects>
<package>
<name>drupal7</name>
<range><gt>7.0</gt><lt>7.80</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security team reports:</p>
<blockquote cite="https://www.drupal.org/sa-core-2021-002">
<p>Drupal core's sanitization API fails to properly filter
cross-site scripting under certain circumstances.
Not all sites and users are affected, but configuration
changes to prevent the exploit might be impractical
and will vary between sites. Therefore, we recommend
all sites update to this release as soon as
possible.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-13672</cvename>
</references>
<dates>
<discovery>2021-04-21</discovery>
<entry>2021-06-06</entry>
</dates>
</vuln>
<vuln vid="36a35d83-c560-11eb-84ab-e0d55e2a8bf9">
<topic>polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync</topic>
<affects>
<package>
<name>polkit</name>
<range><lt>0.119</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cedric Buissart reports:</p>
<blockquote cite="https://seclists.org/oss-sec/2021/q2/180">
<p>The function <code>polkit_system_bus_name_get_creds_sync</code> is used to get the
uid and pid of the process requesting the action. It does this by
sending the unique bus name of the requesting process, which is
typically something like ":1.96", to <code>dbus-daemon</code>. These unique names
are assigned and managed by <code>dbus-daemon</code> and cannot be forged, so this
is a good way to check the privileges of the requesting process.</p>
<p>The vulnerability happens when the requesting process disconnects from
<code>dbus-daemon</code> just before the call to
<code>polkit_system_bus_name_get_creds_sync</code> starts. In this scenario, the
unique bus name is no longer valid, so <code>dbus-daemon</code> sends back an error
reply. This error case is handled in
<code>polkit_system_bus_name_get_creds_sync</code> by setting the value of the
<code>error</code> parameter, but it still returns <code>TRUE</code>, rather than <code>FALSE</code>.
This behavior means that all callers of
<code>polkit_system_bus_name_get_creds_sync</code> need to carefully check whether
an error was set. If the calling function forgets to check for errors
then it will think that the uid of the requesting process is 0 (because
the <code>AsyncGetBusNameCredsData</code> struct is zero initialized). In other
words, it will think that the action was requested by a root process,
and will therefore allow it.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-3560</cvename>
<url>https://seclists.org/oss-sec/2021/q2/180</url>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560</url>
<url>https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a</url>
</references>
<dates>
<discovery>2021-06-03</discovery>
<entry>2021-06-04</entry>
</dates>
</vuln>
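The error-handling flaw the polkit entry above describes, as an added C model that is not polkit's code: a stand-in for polkit_system_bus_name_get_creds_sync that fills its error parameter yet still returns TRUE with zeroed credentials, the corrected contract that returns FALSE on error, and two callers, one that trusts the boolean alone and one that treats a set error as failure. dbus-daemon is replaced by a lookup table of constructed unique bus names, uids and pids; the function and type names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#ifndef TRUE
#define TRUE 1
#define FALSE 0
#endif
typedef int gboolean;

/* Zero-initialised result, as the advisory notes for AsyncGetBusNameCredsData
 * (model only, not polkit's struct). A zeroed uid is uid 0, i.e. root. */
typedef struct {
    uid_t uid;
    pid_t pid;
} BusNameCreds;

/* Constructed stand-in for dbus-daemon's table of live unique bus names. */
static int lookup_bus_name(const char *name, uid_t *uid, pid_t *pid) {
    if (strcmp(name, ":1.96") == 0) { *uid = 1000; *pid = 4242; return 0; }
    if (strcmp(name, ":1.5") == 0)  { *uid = 0;    *pid = 777;  return 0; }
    return -1; /* no owner: the requesting peer already disconnected */
}

typedef gboolean (*get_creds_fn)(const char *, BusNameCreds *, const char **);

/* Flawed contract: on a dbus error it sets *error but still returns TRUE,
 * leaving creds zeroed. */
gboolean get_creds_sync_flawed(const char *bus_name, BusNameCreds *creds, const char **error) {
    memset(creds, 0, sizeof *creds);
    *error = NULL;
    if (lookup_bus_name(bus_name, &creds->uid, &creds->pid) != 0) {
        *error = "NameHasNoOwner";
        return TRUE; /* the bug: error reported, success returned */
    }
    return TRUE;
}

/* Corrected contract: an error is a failure, so return FALSE. */
gboolean get_creds_sync_fixed(const char *bus_name, BusNameCreds *creds, const char **error) {
    memset(creds, 0, sizeof *creds);
    *error = NULL;
    if (lookup_bus_name(bus_name, &creds->uid, &creds->pid) != 0) {
        *error = "NameHasNoOwner";
        return FALSE;
    }
    return TRUE;
}

/* Caller that trusts the boolean alone: with the flawed helper a vanished
 * requester looks like uid 0 and is treated as root. */
gboolean authorize_trusting_return(const char *bus_name, get_creds_fn get_creds) {
    BusNameCreds creds;
    const char *error = NULL;
    if (!get_creds(bus_name, &creds, &error))
        return FALSE;
    return creds.uid == 0;
}

/* Defensive caller: a set error is a failure whatever the return value says. */
gboolean authorize_checking_error(const char *bus_name, get_creds_fn get_creds) {
    BusNameCreds creds;
    const char *error = NULL;
    if (!get_creds(bus_name, &creds, &error) || error != NULL)
        return FALSE;
    return creds.uid == 0;
}

int main(void) {
    printf("vanished peer, flawed helper, trusting caller: %s\n",
           authorize_trusting_return(":1.97", get_creds_sync_flawed) ? "ALLOWED (bug)" : "denied");
    printf("vanished peer, flawed helper, checking caller: %s\n",
           authorize_checking_error(":1.97", get_creds_sync_flawed) ? "allowed" : "denied");
    printf("vanished peer, fixed helper, trusting caller:  %s\n",
           authorize_trusting_return(":1.97", get_creds_sync_fixed) ? "allowed" : "denied");
    printf("real root peer, fixed helper, checking caller: %s\n",
           authorize_checking_error(":1.5", get_creds_sync_fixed) ? "allowed" : "denied");
    return 0;
}
```

Both halves are worth fixing independently: the helper so that its return value is honest, and every caller so that a GError-style out-parameter is checked even when the return value says success, because the zero-initialised struct makes the failure mode "looks like root" rather than "looks like garbage".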
<vuln vid="69815a1d-c31d-11eb-9633-b42e99a1b9c3">
<topic>SOGo -- SAML user authentication impersonation</topic>
<affects>
<package>
<name>sogo</name>
<range><lt>5.1.1</lt></range>
</package>
<package>
<name>sogo-activesync</name>
<range><lt>5.1.1</lt></range>
</package>
<package>
<name>sogo2</name>
<range><lt>2.4.1</lt></range>
</package>
<package>
<name>sogo2-activesync</name>
<range><lt>2.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>sogo.nu reports:</p>
<blockquote cite="https://www.sogo.nu/news/2021/saml-vulnerability.html">
<p>SOGo was not validating the signatures of any SAML assertions it received.
This means any actor with network access to the deployment could impersonate
users when SAML was the authentication method.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-33054</cvename>
<url>https://www.sogo.nu/news/2021/saml-vulnerability.html</url>
<url>https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html</url>
</references>
<dates>
<discovery>2021-06-01</discovery>
<entry>2021-06-02</entry>
</dates>
</vuln>
<vuln vid="c7855866-c511-11eb-ae1d-b42e991fc52e">
<topic>tauthon -- Regular Expression Denial of Service</topic>
<affects>
<package>
<name>tauthon</name>
<range><lt>2.8.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tauthon project reports:</p>
<blockquote cite="https://github.com/naftaliharris/tauthon/blob/master/Misc/NEWS.d/2.8.3.rst">
<p>The :class:`~urllib.request.AbstractBasicAuthHandler` class
of the :mod:`urllib.request` module uses an inefficient
regular expression which can be exploited by an
attacker to cause a denial of service</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-8492</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492</url>
</references>
<dates>
<discovery>2020-01-30</discovery>
<entry>2021-06-04</entry>
</dates>
</vuln>
<vuln vid="417de1e6-c31b-11eb-9633-b42e99a1b9c3">
<topic>lasso -- signature checking failure</topic>
<affects>
<package>
<name>lasso</name>
<range><lt>2.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>entrouvert reports:</p>
<blockquote cite="https://git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0">
<p>When AuthnResponse messages are not signed (which is
permitted by the specification), all assertions' signatures should be
checked, but currently after the first signed assertion is checked all
following assertions are accepted without checking their signature, and
the last one is considered the main assertion.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-28091</cvename>
<url>https://git.entrouvert.org/lasso.git/tree/NEWS?id=v2.7.0</url>
</references>
<dates>
<discovery>2021-06-01</discovery>
<entry>2021-06-01</entry>
</dates>
</vuln>
<vuln vid="079b3641-c4bd-11eb-a22a-693f0544ae52">
<topic>go -- multiple vulnerabilities</topic>
<affects>
<package>
<name>go</name>
<range><lt>1.16.5,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Go project reports:</p>
<blockquote cite="https://github.com/golang/go/issues/45910">
<p>The SetString and UnmarshalText methods of math/big.Rat may cause a
panic or an unrecoverable fatal error if passed inputs with very
large exponents.</p>
</blockquote>
<blockquote cite="https://github.com/golang/go/issues/46313">
<p>ReverseProxy in net/http/httputil could be made to forward certain
hop-by-hop headers, including Connection. In case the target of the
ReverseProxy was itself a reverse proxy, this would let an attacker
drop arbitrary headers, including those set by the
ReverseProxy.Director.</p>
</blockquote>
<blockquote cite="https://github.com/golang/go/issues/46241">
<p>The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
functions in net, and their respective methods on the Resolver type
may return arbitrary values retrieved from DNS which do not follow
the established RFC 1035 rules for domain names. If these names are
used without further sanitization, for instance unsafely included in
HTML, they may allow for injection of unexpected content. Note that
LookupTXT may still return arbitrary values that could require
sanitization before further use.</p>
</blockquote>
<blockquote cite="https://github.com/golang/go/issues/46242">
<p>The NewReader and OpenReader functions in archive/zip can cause a
panic or an unrecoverable fatal error when reading an archive that
claims to contain a large number of files, regardless of its actual
size.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-33198</cvename>
<url>https://github.com/golang/go/issues/45910</url>
<cvename>CVE-2021-33197</cvename>
<url>https://github.com/golang/go/issues/46313</url>
<cvename>CVE-2021-33195</cvename>
<url>https://github.com/golang/go/issues/46241</url>
<cvename>CVE-2021-33196</cvename>
<url>https://github.com/golang/go/issues/46242</url>
</references>
<dates>
<discovery>2021-05-01</discovery>
<entry>2021-06-03</entry>
</dates>
</vuln>
<vuln vid="3000acee-c45d-11eb-904f-14dae9d5a9d2">
<topic>aiohttp -- open redirect vulnerability</topic>
<affects>
<package>
<name>py36-aiohttp</name>
<name>py37-aiohttp</name>
<name>py38-aiohttp</name>
<name>py39-aiohttp</name>
<range><le>3.7.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sviatoslav Sydorenko reports:</p>
<blockquote cite="https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg">
<p>Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.</p>
<p>It is caused by a bug in the <code>aiohttp.web_middlewares.normalize_path_middleware</code> middleware.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21330</cvename>
<url>https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg</url>
<url>https://nvd.nist.gov/vuln/detail/CVE-2021-21330</url>
</references>
<dates>
<discovery>2021-02-25</discovery>
<entry>2021-06-03</entry>
<modified>2021-06-23</modified>
</dates>
</vuln>
<vuln vid="a550d62c-f78d-4407-97d9-93876b6741b9">
<topic>zeek -- several potential DoS vulnerabilities</topic>
<affects>
<package>
<name>zeek</name>
<range><lt>4.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Wojtulewicz of Corelight reports:</p>
<blockquote cite="https://github.com/zeek/zeek/releases/tag/v4.0.2">
<p>Fix potential Undefined Behavior in decode_netbios_name()
and decode_netbios_name_type() BIFs. The latter has a
possibility of a remote heap-buffer-overread, making this
a potential DoS vulnerability.</p>
<p>Add some extra length checking when parsing mobile
ipv6 packets. Due to the possibility of reading invalid
headers from remote sources, this is a potential DoS
vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/zeek/zeek/releases/tag/v4.0.2</url>
</references>
<dates>
<discovery>2021-04-30</discovery>
<entry>2021-06-02</entry>
</dates>
</vuln>
<vuln vid="c7ec6375-c3cf-11eb-904f-14dae9d5a9d2">
<topic>PyYAML -- arbitrary code execution</topic>
<affects>
<package>
<name>py36-yaml</name>
<name>py37-yaml</name>
<name>py38-yaml</name>
<name>py39-yaml</name>
<range><lt>5.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A vulnerability was discovered in the PyYAML library
in versions before 5.4, where it is susceptible to arbitrary
code execution when it processes untrusted YAML files
through the full_load method or with the FullLoader loader.
Applications that use the library to process untrusted
input may be vulnerable to this flaw. This flaw allows
an attacker to execute arbitrary code on the system by
abusing the python/object/new constructor. This flaw is
due to an incomplete fix for CVE-2020-1747.</p>
</body>
</description>
<references>
<cvename>CVE-2020-14343</cvename>
<url>https://github.com/yaml/pyyaml/issues/420</url>
<url>https://access.redhat.com/security/cve/CVE-2020-14343</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1860466</url>
</references>
<dates>
<discovery>2020-07-22</discovery>
<entry>2021-06-02</entry>
</dates>
</vuln>
<vuln vid="e24fb8f8-c39a-11eb-9370-b42e99a1b9c3">
<topic>isc-dhcp -- remotely exploitable vulnerability</topic>
<affects>
<package>
<name>isc-dhcp44-relay</name>
<range><lt>4.4.2-P1</lt></range>
</package>
<package>
<name>isc-dhcp44-server</name>
<range><lt>4.4.2-P1</lt></range>
</package>
<package>
<name>isc-dhcp44-client</name>
<range><lt>4.4.2-P1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael McNally reports:</p>
<blockquote cite="https://seclists.org/oss-sec/2021/q2/170">
<p>Program code used by the ISC DHCP package to read and parse stored leases
has a defect that can be exploited by an attacker to cause one of several
undesirable outcomes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-25217</cvename>
<url>https://kb.isc.org/docs/cve-2021-25217</url>
</references>
<dates>
<discovery>2021-05-26</discovery>
<entry>2021-06-02</entry>
</dates>
</vuln>
<vuln vid="5f52d646-c31f-11eb-8dcf-001b217b3468">
<topic>Gitlab -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>gitlab-ce</name>
<range><ge>13.12.0</ge><lt>13.12.2</lt></range>
<range><ge>13.11.0</ge><lt>13.11.5</lt></range>
<range><ge>7.10.0</ge><lt>13.10.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gitlab reports:</p>
<blockquote cite="https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/">
<p>Stealing GitLab OAuth access tokens using XSLeaks in Safari</p>
<p>Denial of service through recursive triggered pipelines</p>
<p>Unauthenticated CI lint API may lead to information disclosure and SSRF</p>
<p>Server-side DoS through rendering crafted Markdown documents</p>
<p>Issue and merge request length limit is not being enforced</p>
<p>Insufficient Expired Password Validation</p>
<p>XSS in blob viewer of notebooks</p>
<p>Logging of Sensitive Information</p>
<p>On-call rotation information exposed when removing a member</p>
<p>Spoofing commit author for signed commits</p>
<p>Enable qsh verification for Atlassian Connect</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-22181</cvename>
<url>https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/</url>
</references>
<dates>
<discovery>2021-06-01</discovery>
<entry>2021-06-01</entry>
</dates>
</vuln>
<vuln vid="8eb69cd0-c2ec-11eb-b6e7-8c164567ca3c">
<topic>redis -- integer overflow</topic>
<affects>
<package>
<name>redis</name>
<range><ge>6.0.0</ge><lt>6.0.14</lt></range>
</package>
<package>
<name>redis-devel</name>
<range><ge>6.2.0</ge><lt>6.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redis development team reports:</p>
<blockquote cite="https://groups.google.com/g/redis-db/c/RLTwi1kKsCI">
<p>An integer overflow bug in Redis version 6.0 or newer can be
exploited using the STRALGO LCS command to corrupt the heap and
potentially result with remote code execution. This is a result
of an incomplete fix by CVE-2021-29477.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-32625</cvename>
<url>https://groups.google.com/g/redis-db/c/RLTwi1kKsCI</url>
</references>
<dates>
<discovery>2021-06-01</discovery>
<entry>2021-06-01</entry>
</dates>
</vuln>
<vuln vid="58d6ed66-c2e8-11eb-9fb0-6451062f0f7a">
<topic>libX11 -- Arbitrary code execution</topic>
<affects>
<package>
<name>libX11</name>
<range><lt>1.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The X.org project reports:</p>
<blockquote cite="https://lists.freedesktop.org/archives/xorg/2021-May/060699.html">
<p>XLookupColor() and other X library functions lack proper validation
of the length of their string parameters. If those parameters can be
controlled by an external application (for instance a color name that
can be emitted via a terminal control sequence) it can lead to the
emission of extra X protocol requests to the X server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-31535</cvename>
<url>https://lists.freedesktop.org/archives/xorg/2021-May/060699.html</url>
<url>https://nvd.nist.gov/vuln/detail/CVE-2021-31535</url>
</references>
<dates>
<discovery>2021-05-11</discovery>
<entry>2021-06-01</entry>
</dates>
</vuln>
<vuln vid="59ab72fb-bccf-11eb-a38d-6805ca1caf5c">
<topic>Prometheus -- arbitrary redirects</topic>
<affects>
<package>
<name>prometheus2</name>
<range><ge>2.23.0</ge><lt>2.26.1</lt></range>
<range><eq>2.27.0</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Prometheus reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-29622">
<p>
Prometheus is an open-source monitoring system and time series
database. In 2.23.0, Prometheus changed its default UI to the new
UI. To ensure a seamless transition, the URLs prefixed by /new
redirect to /. Due to a bug in the code, it is possible for an
attacker to craft a URL that can redirect to any other URL, in the
/new endpoint. If a user visits a Prometheus server with a
specially crafted address, they can be redirected to an arbitrary
URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In
2.28.0, the /new endpoint will be removed completely. The
workaround is to disable access to /new via a reverse proxy in
front of Prometheus.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-29622</cvename>
<url>https://nvd.nist.gov/vuln/detail/CVE-2021-29622</url>
</references>
<dates>
<discovery>2021-05-18</discovery>
<entry>2021-06-01</entry>
</dates>
</vuln>
<vuln vid="fd24a530-c202-11eb-b217-b42e99639323">
<topic>wayland -- integer overflow</topic>
<affects>
<package>
<name>wayland</name>
<range><lt>1.19.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tobias Stoeckmann reports:</p>
<blockquote cite="https://gitlab.freedesktop.org/wayland/wayland/-/merge_requests/133">
<p>The libXcursor fix for CVE-2013-2003 has never been imported into wayland, leaving it vulnerable to it.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2003</cvename>
<url>https://gitlab.freedesktop.org/wayland/wayland/-/merge_requests/133</url>
<freebsdpr>ports/256273</freebsdpr>
</references>
<dates>
<discovery>2021-05-02</discovery>
<entry>2021-05-31</entry>
</dates>
</vuln>
<vuln vid="107c7a76-beaa-11eb-b87a-901b0ef719ab">
<topic>FreeBSD -- Missing message validation in libradius(3)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>13.0</ge><lt>13.0_1</lt></range>
<range><ge>12.2</ge><lt>12.2_7</lt></range>
<range><ge>11.4</ge><lt>11.4_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>libradius did not perform sufficient validation of received messages.</p>
<p>rad_get_attr(3) did not verify that the attribute length is valid before
subtracting the length of the Type and Length fields. As a result, it
could return success while also providing a bogus length of SIZE_T_MAX -
2 for the Value field.</p>
<p>When processing attributes to find an optional authenticator,
is_valid_response() failed to verify that each attribute length is
non-zero and could thus enter an infinite loop.</p>
<h1>Impact:</h1>
<p>A server may use libradius(3) to process messages from RADIUS clients.
In this case, a malicious client could trigger a denial-of-service in
the server. A client using libradius(3) to process messages from a
server is susceptible to the same problem.</p>
<p>The impact of the rad_get_attr(3) bug depends on how the returned length
is validated and used by the consumer. It is possible that libradius(3)
applications will crash or enter an infinite loop when calling
rad_get_attr(3) on untrusted RADIUS messages.</p>
</body>
</description>
<references>
<cvename>CVE-2021-29629</cvename>
<freebsdsa>SA-21:12.libradius</freebsdsa>
</references>
<dates>
<discovery>2021-05-27</discovery>
<entry>2021-05-27</entry>
</dates>
</vuln>
<vuln vid="d1ac6a6a-bea8-11eb-b87a-901b0ef719ab">
<topic>FreeBSD-kernel -- SMAP bypass</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>13.0</ge><lt>13.0_1</lt></range>
<range><ge>12.2</ge><lt>12.2_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The FreeBSD kernel enables SMAP during boot when the CPU reports that
the SMAP capability is present. Subroutines such as copyin() and
copyout() are responsible for disabling SMAP around the sections of code
that perform user memory accesses.</p>
<p>Such subroutines must handle page faults triggered when user memory is
not mapped. The kernel's page fault handler checks the validity of the
fault, and if it is indeed valid it will map a page and resume copying.
If the fault is invalid, the fault handler returns control to a
trampoline which aborts the operation and causes an error to be
returned. In this second scenario, a bug in the implementation of SMAP
support meant that SMAP would remain disabled until the thread returns
to user mode.</p>
<h1>Impact:</h1>
<p>This bug may be used to bypass the protections provided by SMAP for the
duration of a system call. It could thus be combined with other kernel
bugs to craft an exploit.</p>
</body>
</description>
<references>
<cvename>CVE-2021-29628</cvename>
<freebsdsa>SA-21:11.smap</freebsdsa>
</references>
<dates>
<discovery>2021-05-27</discovery>
<entry>2021-05-27</entry>
</dates>
</vuln>
<vuln vid="674ed047-be0a-11eb-b927-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>91.0.4472.77</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html">
<p>This release contains 32 security fixes, including:</p>
<ul>
<li>[1208721] High CVE-2021-30521: Heap buffer overflow in Autofill.
Reported by ZhanJia Song on 2021-05-13</li>
<li>[1176218] High CVE-2021-30522: Use after free in WebAudio.
Reported by Piotr Bania of Cisco Talos on 2021-02-09</li>
<li>[1187797] High CVE-2021-30523: Use after free in WebRTC.
Reported by Tolyan Korniltsev on 2021-03-13</li>
<li>[1197146] High CVE-2021-30524: Use after free in TabStrip.
Reported by David Erceg on 2021-04-08</li>
<li>[1197888] High CVE-2021-30525: Use after free in TabGroups.
Reported by David Erceg on 2021-04-11</li>
<li>[1198717] High CVE-2021-30526: Out of bounds write in
TabStrip. Reported by David Erceg on 2021-04-13</li>
<li>[1199198] High CVE-2021-30527: Use after free in WebUI.
Reported by David Erceg on 2021-04-15</li>
<li>[1206329] High CVE-2021-30528: Use after free in
WebAuthentication. Reported by Man Yue Mo of GitHub Security Lab on
2021-05-06</li>
<li>[1195278] Medium CVE-2021-30529: Use after free in Bookmarks.
Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of
360 Alpha Lab on 2021-04-02</li>
<li>[1201033] Medium CVE-2021-30530: Out of bounds memory access
in WebAudio. Reported by kkwon on 2021-04-21</li>
<li>[1115628] Medium CVE-2021-30531: Insufficient policy
enforcement in Content Security Policy. Reported by Philip Papurt on
2020-08-12</li>
<li>[1117687] Medium CVE-2021-30532: Insufficient policy
enforcement in Content Security Policy. Reported by Philip Papurt on
2020-08-18</li>
<li>[1145553] Medium CVE-2021-30533: Insufficient policy
enforcement in PopupBlocker. Reported by Eliya Stein on
2020-11-04</li>
<li>[1151507] Medium CVE-2021-30534: Insufficient policy
enforcement in iFrameSandbox. Reported by Alesandro Ortiz on
2020-11-20</li>
<li>[1194899] Medium CVE-2021-30535: Double free in ICU. Reported
by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on
2021-04-01</li>
<li>[1145024] Medium CVE-2021-21212: Insufficient data validation
in networking. Reported by Hugo Hue and Sze Yiu Chau of the Chinese
University of Hong Kong on 2020-11-03</li>
<li>[1194358] Low CVE-2021-30536: Out of bounds read in V8.
Reported by Chris Salls (@salls) on 2021-03-31</li>
<li>[830101] Low CVE-2021-30537: Insufficient policy enforcement
in cookies. Reported by Jun Kokatsu (@shhnjk) on 2018-04-06</li>
<li>[1115045] Low CVE-2021-30538: Insufficient policy enforcement
in content security policy. Reported by Tianze Ding (@D1iv3) of
Tencent Security Xuanwu Lab on 2020-08-11</li>
<li>[971231] Low CVE-2021-30539: Insufficient policy enforcement
in content security policy. Reported by unnamed researcher on
2019-06-05</li>
<li>[1184147] Low CVE-2021-30540: Incorrect security UI in
payments. Reported by @retsew0x01 on 2021-03-03</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-30521</cvename>
<cvename>CVE-2021-30522</cvename>
<cvename>CVE-2021-30523</cvename>
<cvename>CVE-2021-30524</cvename>
<cvename>CVE-2021-30525</cvename>
<cvename>CVE-2021-30526</cvename>
<cvename>CVE-2021-30527</cvename>
<cvename>CVE-2021-30528</cvename>
<cvename>CVE-2021-30529</cvename>
<cvename>CVE-2021-30530</cvename>
<cvename>CVE-2021-30531</cvename>
<cvename>CVE-2021-30532</cvename>
<cvename>CVE-2021-30533</cvename>
<cvename>CVE-2021-30534</cvename>
<cvename>CVE-2021-30535</cvename>
<cvename>CVE-2021-21212</cvename>
<cvename>CVE-2021-30536</cvename>
<cvename>CVE-2021-30537</cvename>
<cvename>CVE-2021-30538</cvename>
<cvename>CVE-2021-30539</cvename>
<cvename>CVE-2021-30540</cvename>
<url>https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html</url>
</references>
<dates>
<discovery>2021-05-25</discovery>
<entry>2021-05-26</entry>
</dates>
</vuln>
<vuln vid="21ec4428-bdaa-11eb-a04e-641c67a117d8">
<topic>libzmq4 -- Denial of Service</topic>
<affects>
<package>
<name>libzmq4</name>
<range><lt>4.3.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google's oss-fuzz project reports:</p>
<blockquote cite="https://github.com/zeromq/libzmq/releases/tag/v4.3.3">
<p>Denial-of-Service on CURVE/ZAP-protected servers by
unauthenticated clients.
If a raw TCP socket is opened and connected to an endpoint that is fully
configured with CURVE/ZAP, legitimate clients will not be able to exchange
any message. Handshakes complete successfully, and messages are delivered to
the library, but the server application never receives them.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-15166</cvename>
<url>https://github.com/zeromq/libzmq/releases/tag/v4.3.3</url>
<url>https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m</url>
<freebsdpr>ports/255102</freebsdpr>
</references>
<dates>
<discovery>2020-09-07</discovery>
<entry>2021-05-25</entry>
</dates>
</vuln>
<vuln vid="6954a2b0-bda8-11eb-a04e-641c67a117d8">
<topic>libzmq4 -- Stack overflow</topic>
<affects>
<package>
<name>libzmq4</name>
<range><lt>4.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fang-Pen Lin reports:</p>
<blockquote cite="https://github.com/zeromq/libzmq/releases/tag/v4.3.2">
<p>A remote, unauthenticated client connecting to a
libzmq application, running with a socket listening with CURVE
encryption/authentication enabled, may cause a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. Users running public servers with the above configuration
are highly encouraged to upgrade as soon as possible, as there are no
known mitigations.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2019-13132</cvename>
<url>https://github.com/zeromq/libzmq/releases/tag/v4.3.2</url>
<url>https://github.com/zeromq/libzmq/issues/3558</url>
<freebsdpr>ports/255102</freebsdpr>
</references>
<dates>
<discovery>2019-06-27</discovery>
<entry>2021-05-25</entry>
</dates>
</vuln>
<vuln vid="0882f019-bd60-11eb-9bdd-8c164567ca3c">
<topic>NGINX -- 1-byte memory overwrite in resolver</topic>
<affects>
<package>
<name>nginx</name>
<range><lt>1.20.1,2</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><lt>1.21.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NGINX team reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017">
<p>1-byte memory overwrite might occur during DNS server response
processing if the "resolver" directive was used, allowing an
attacker who is able to forge UDP packets from the DNS server
to cause worker process crash or, potentially, arbitrary code
execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-23017</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017</url>
</references>
<dates>
<discovery>2021-05-25</discovery>
<entry>2021-05-25</entry>
</dates>
</vuln>
<vuln vid="58b22f3a-bc71-11eb-b9c9-6cc21735f730">
<topic>PG Partition Manager -- arbitrary code execution</topic>
<affects>
<package>
<name>pg_partman</name>
<range><lt>4.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PG Partition Manager reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-33204">
<p>
In the pg_partman (aka PG Partition Manager) extension before 4.5.1
for PostgreSQL, arbitrary code execution can be achieved via
SECURITY DEFINER functions because an explicit search_path is not
set.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-33204</cvename>
<url>https://nvd.nist.gov/vuln/detail/CVE-2021-33204</url>
</references>
<dates>
<discovery>2021-05-21</discovery>
<entry>2021-05-24</entry>
</dates>
</vuln>
<vuln vid="5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9">
<topic>textproc/expat2 -- billion laughs attack</topic>
<affects>
<package>
<name>expat</name>
<range><lt>2.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kurt Seifried reports:</p>
<blockquote cite="https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/">
<p>So here are the CVEs for the two big ones, libxml2 and expat.
Both are affected by the expansion of internal entities
(which can be used to consume resources) and external entities
(which can cause a denial of service against other services, be
used to port scan, etc.).</p>
<p>A billion laughs attack is a type of denial-of-service attack
which is aimed at parsers of XML documents.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0340</cvename>
<url>https://www.openwall.com/lists/oss-security/2013/02/22/3</url>
<url>https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/</url>
<url>https://nvd.nist.gov/vuln/detail/CVE-2013-0340</url>
</references>
<dates>
<discovery>2013-02-21</discovery>
<entry>2021-05-24</entry>
</dates>
</vuln>
<vuln vid="524bd03a-bb75-11eb-bf35-080027f515ea">
<topic>libxml2 -- Possible denial of service</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.9.10_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel Veillard reports:</p>
<blockquote cite="https://ubuntu.com/security/CVE-2021-3541">
<p>
A flaw was found in libxml2. An exponential entity expansion attack
is possible, bypassing all existing protection mechanisms and
leading to denial of service.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-3541</cvename>
<url>https://ubuntu.com/security/CVE-2021-3541</url>
<url>https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e</url>
</references>
<dates>
<discovery>2021-05-18</discovery>
<entry>2021-05-23</entry>
</dates>
</vuln>
<vuln vid="62da9702-b4cc-11eb-b9c9-6cc21735f730">
<topic>PostgreSQL server -- two security issues</topic>
<affects>
<package>
<name>postgresql13-server</name>
<range><lt>13.3</lt></range>
</package>
<package>
<name>postgresql12-server</name>
<range><lt>12.7</lt></range>
</package>
<package>
<name>postgresql11-server</name>
<range><lt>11.12</lt></range>
</package>
<package>
<name>postgresql10-server</name>
<range><lt>10.17</lt></range>
</package>
<package>
<name>postgresql96-server</name>
<range><lt>9.6.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL project reports:</p>
<blockquote cite="https://www.postgresql.org/support/security/CVE-2021-32028/">
<p>Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE</p>
<p>
Using an INSERT ... ON CONFLICT ... DO UPDATE command on a
purpose-crafted table, an attacker can read arbitrary bytes of
server memory. In the default configuration, any authenticated
database user can create prerequisite objects and complete this
attack at will. A user lacking the CREATE and TEMPORARY privileges
on all databases and the CREATE privilege on all schemas cannot use
this attack at will.
</p>
</blockquote>
<blockquote cite="https://www.postgresql.org/support/security/CVE-2021-32027/">
<p>
Buffer overrun from integer overflow in array subscripting
calculations
</p>
<p>
While modifying certain SQL array values, missing bounds checks let
authenticated database users write arbitrary bytes to a wide area of
server memory.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.postgresql.org/support/security/CVE-2021-32027/</url>
<url>https://www.postgresql.org/support/security/CVE-2021-32028/</url>
</references>
<dates>
<discovery>2021-05-13</discovery>
<entry>2021-05-14</entry>
</dates>
</vuln>
<vuln vid="76e0bb86-b4cb-11eb-b9c9-6cc21735f730">
<topic>PostgreSQL -- Memory disclosure in partitioned-table UPDATE ... RETURNING</topic>
<affects>
<package>
<name>postgresql13-server</name>
<range><lt>13.3</lt></range>
</package>
<package>
<name>postgresql12-server</name>
<range><lt>12.7</lt></range>
</package>
<package>
<name>postgresql11-server</name>
<range><lt>11.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL project reports:</p>
<blockquote cite="https://www.postgresql.org/support/security/CVE-2021-32029/">
<p>
Using an UPDATE ... RETURNING on a purpose-crafted partitioned
table, an attacker can read arbitrary bytes of server memory. In the
default configuration, any authenticated database user can create
prerequisite objects and complete this attack at will. A user
lacking the CREATE and TEMPORARY privileges on all databases and the
CREATE privilege on all schemas typically cannot use this attack at
will.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.postgresql.org/support/security/CVE-2021-32029/</url>
</references>
<dates>
<discovery>2021-05-13</discovery>
<entry>2021-05-14</entry>
</dates>
</vuln>
<vuln vid="fc75570a-b417-11eb-a23d-c7ab331fd711">
<topic>Prosody -- multiple vulnerabilities</topic>
<affects>
<package>
<name>prosody</name>
<range><lt>0.11.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Prosody security advisory 2021-05-12 reports:</p>
<blockquote cite="https://prosody.im/security/advisory_20210512/">
<p>
This advisory details 5 new security vulnerabilities discovered in the
Prosody.im XMPP server software. All issues are fixed in the 0.11.9
release default configuration.
</p>
<ul>
<li>CVE-2021-32918: DoS via insufficient memory consumption controls</li>
<li>CVE-2021-32920: DoS via repeated TLS renegotiation causing excessive CPU consumption</li>
<li>CVE-2021-32921: Use of timing-dependent string comparison with sensitive values</li>
<li>CVE-2021-32917: Use of mod_proxy65 is unrestricted in default configuration</li>
<li>CVE-2021-32919: Undocumented dialback-without-dialback option insecure</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-32918</cvename>
<cvename>CVE-2021-32920</cvename>
<cvename>CVE-2021-32921</cvename>
<cvename>CVE-2021-32917</cvename>
<cvename>CVE-2021-32919</cvename>
</references>
<dates>
<discovery>2021-05-12</discovery>
<entry>2021-05-13</entry>
</dates>
</vuln>
<vuln vid="3e0ca488-b3f6-11eb-a5f7-a0f3c100ae18">
<topic>ImageMagick6 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ImageMagick6</name>
<name>ImageMagick6-nox11</name>
<range><lt>6.9.12.12,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ImageMagick">
<p>Several vulnerabilities have been discovered in ImageMagick:</p>
<ul>
<li>CVE-2021-20309: A flaw was found in ImageMagick in versions before 6.9.12,
where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger
undefined behavior via a crafted image file submitted to an application using ImageMagick.</li>
<li>CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 in gem.c.
This flaw allows an attacker who submits a crafted file that is processed by ImageMagick
to trigger undefined behavior through a division by zero.</li>
<li>CVE-2020-29599: ImageMagick before 6.9.11-40 mishandles the -authenticate option,
which allows setting a password for password-protected PDF files.</li>
<li>And maybe some others…</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-29599</cvename>
<cvename>CVE-2021-20176</cvename>
<cvename>CVE-2021-20309</cvename>
</references>
<dates>
<discovery>2020-12-17</discovery>
<entry>2021-05-13</entry>
</dates>
</vuln>
<vuln vid="a7c60af1-b3f1-11eb-a5f7-a0f3c100ae18">
<topic>ImageMagick7 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ImageMagick7</name>
<name>ImageMagick7-nox11</name>
<range><lt>7.0.11.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ImageMagick">
<p>Several vulnerabilities have been discovered in ImageMagick:</p>
<ul>
<li>CVE-2021-20313: A flaw was found in ImageMagick in versions before 7.0.11.
A potential cipher leak when calculating signatures in TransformSignature is possible.</li>
<li>CVE-2021-20312: A flaw was found in ImageMagick in versions 7.0.11,
where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger
undefined behavior via a crafted image file that is submitted by an attacker and
processed by an application using ImageMagick.</li>
<li>CVE-2021-20311: A flaw was found in ImageMagick in versions before 7.0.11,
where a division by zero in sRGBTransformImage() in MagickCore/colorspace.c
may trigger undefined behavior via a crafted image file that is submitted by an
attacker and processed by an application using ImageMagick.</li>
<li>CVE-2021-20310: A flaw was found in ImageMagick in versions before 7.0.11,
where a division by zero in ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger
undefined behavior via a crafted image file that is submitted by an attacker
and processed by an application using ImageMagick.</li>
<li>CVE-2021-20309: A flaw was found in ImageMagick in versions before 7.0.11,
where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger
undefined behavior via a crafted image file submitted to an application using ImageMagick.</li>
<li>And several others…</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-27829</cvename>
<cvename>CVE-2020-29599</cvename>
<cvename>CVE-2021-20176</cvename>
<cvename>CVE-2021-20241</cvename>
<cvename>CVE-2021-20243</cvename>
<cvename>CVE-2021-20244</cvename>
<cvename>CVE-2021-20245</cvename>
<cvename>CVE-2021-20246</cvename>
<cvename>CVE-2021-20309</cvename>
<cvename>CVE-2021-20310</cvename>
<cvename>CVE-2021-20311</cvename>
<cvename>CVE-2021-20312</cvename>
<cvename>CVE-2021-20313</cvename>
</references>
<dates>
<discovery>2020-10-27</discovery>
<entry>2021-05-13</entry>
</dates>
</vuln>
<vuln vid="f947aa26-b2f9-11eb-a5f7-a0f3c100ae18">
<topic>Pillow -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py38-pillow</name>
<range><lt>8.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>python-pillow reports:</p>
<blockquote cite="https://github.com/python-pillow/Pillow/pull/5377/commits/8ec027867f19633d9adfc5c8b7504d9b609fc5f1">
<p>This release fixes several vulnerabilities found with OSS-Fuzz.</p>
<ul>
<li>CVE-2021-25288: Fix OOB read in Jpeg2KDecode.
This dates to Pillow 2.4.0.</li>
<li>CVE-2021-28675: Fix DOS in PsdImagePlugin.
This dates to the PIL fork.</li>
<li>CVE-2021-28676: Fix FLI DOS.
This dates to the PIL fork.</li>
<li>CVE-2021-28677: Fix EPS DOS on _open.
This dates to the PIL fork.</li>
<li>CVE-2021-28678: Fix BLP DOS.
This dates to Pillow 5.1.0.</li>
<li>Fix memory DOS in ImageFont.
This dates to the PIL fork.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-25288</cvename>
<cvename>CVE-2021-28675</cvename>
<cvename>CVE-2021-28676</cvename>
<cvename>CVE-2021-28677</cvename>
<cvename>CVE-2021-28678</cvename>
</references>
<dates>
<discovery>2021-04-01</discovery>
<entry>2021-05-12</entry>
</dates>
</vuln>
<vuln vid="3cac007f-b27e-11eb-97a0-e09467587c17">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>90.0.4430.212</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop.html">
<p>This release contains 19 security fixes, including:</p>
<ul>
<li>[1180126] High CVE-2021-30506: Incorrect security UI in Web App
Installs. Reported by @retsew0x01 on 2021-02-19</li>
<li>[1178202] High CVE-2021-30507: Inappropriate implementation in
Offline. Reported by Alison Huffman, Microsoft Browser
Vulnerability Research on 2021-02-14</li>
<li>[1195340] High CVE-2021-30508: Heap buffer overflow in Media
Feeds. Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-04-02</li>
<li>[1196309] High CVE-2021-30509: Out of bounds write in Tab Strip.
Reported by David Erceg on 2021-04-06</li>
<li>[1197436] High CVE-2021-30510: Race in Aura. Reported by Weipeng
Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group
on 2021-04-09</li>
<li>[1197875] High CVE-2021-30511: Out of bounds read in Tab Groups.
Reported by David Erceg on 2021-04-10</li>
<li>[1200019] High CVE-2021-30512: Use after free in Notifications.
Reported by ZhanJia Song on 2021-04-17</li>
<li>[1200490] High CVE-2021-30513: Type Confusion in V8. Reported by
Man Yue Mo of GitHub Security Lab on 2021-04-19</li>
<li>[1200766] High CVE-2021-30514: Use after free in Autofill.
Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of
360 Alpha Lab on 2021-04-20</li>
<li>[1201073] High CVE-2021-30515: Use after free in File API.
Reported by Rong Jian and Guang Gong of 360 Alpha Lab on
2021-04-21</li>
<li>[1201446] High CVE-2021-30516: Heap buffer overflow in History.
Reported by ZhanJia Song on 2021-04-22</li>
<li>[1203122] High CVE-2021-30517: Type Confusion in V8. Reported by
laural on 2021-04-27</li>
<li>[1203590] High CVE-2021-30518: Heap buffer overflow in Reader
Mode. Reported by Jun Kokatsu, Microsoft Browser Vulnerability
Research on 2021-04-28</li>
<li>[1194058] Medium CVE-2021-30519: Use after free in Payments.
Reported by asnine on 2021-03-30</li>
<li>[1193362] Medium CVE-2021-30520: Use after free in Tab Strip.
Reported by Khalil Zhani on 2021-04-03</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-30506</cvename>
<cvename>CVE-2021-30507</cvename>
<cvename>CVE-2021-30508</cvename>
<cvename>CVE-2021-30509</cvename>
<cvename>CVE-2021-30510</cvename>
<cvename>CVE-2021-30511</cvename>
<cvename>CVE-2021-30512</cvename>
<cvename>CVE-2021-30513</cvename>
<cvename>CVE-2021-30514</cvename>
<cvename>CVE-2021-30515</cvename>
<cvename>CVE-2021-30516</cvename>
<cvename>CVE-2021-30517</cvename>
<cvename>CVE-2021-30518</cvename>
<cvename>CVE-2021-30519</cvename>
<cvename>CVE-2021-30520</cvename>
<url>https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2021-05-10</discovery>
<entry>2021-05-11</entry>
</dates>
</vuln>
<vuln vid="278561d7-b261-11eb-b788-901b0e934d69">
<topic>py-matrix-synapse -- malicious push rules may be used for a denial of service attack</topic>
<affects>
<package>
<name>py36-matrix-synapse</name>
<name>py37-matrix-synapse</name>
<name>py38-matrix-synapse</name>
<name>py39-matrix-synapse</name>
<range><lt>1.33.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matrix developers report:</p>
<blockquote cite="https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85">
<p>"Push rules" can specify conditions under which they will match,
including event_match, which matches event content against a
pattern including wildcards.
Certain patterns can cause very poor performance in the matching
engine, leading to a denial-of-service when processing moderate
length events.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-29471</cvename>
<url>https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85</url>
</references>
<dates>
<discovery>2021-05-11</discovery>
<entry>2021-05-11</entry>
</dates>
</vuln>
<vuln vid="12156786-b18a-11eb-8cba-080027b00c2e">
<topic>cyrus-imapd -- Remote authenticated users could bypass intended access restrictions on certain server annotations</topic>
<affects>
<package>
<name>cyrus-imapd34</name>
<range><ge>3.4.0</ge><lt>3.4.1</lt></range>
</package>
<package>
<name>cyrus-imapd32</name>
<range><ge>3.2.0</ge><lt>3.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cyrus IMAP 3.4.1 Release Notes states:</p>
<blockquote cite="https://www.cyrusimap.org/imap/download/release-notes/3.4/x/3.4.1.html">
<p>Fixed CVE-2021-32056: Remote authenticated users could bypass intended access restrictions on certain server annotations. Additionally, a long-standing bug in replication did not allow server annotations to be replicated. Combining these two bugs, a remote authenticated user could stall replication, requiring administrator intervention.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-32056</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32056</url>
</references>
<dates>
<discovery>2021-05-05</discovery>
<entry>2021-05-10</entry>
</dates>
</vuln>
<vuln vid="49346de2-b015-11eb-9bdf-f8b156b6dcc8">
<topic>FLAC -- out-of-bounds read</topic>
<affects>
<package>
<name>flac</name>
<range><lt>1.3.3_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oss-Fuzz reports:</p>
<blockquote cite="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17069">
<p>There is a possible out of bounds read due to a heap
buffer overflow in FLAC__bitreader_read_rice_signed_block
of bitreader.c.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17069</url>
<cvename>CVE-2020-0499</cvename>
</references>
<dates>
<discovery>2019-09-08</discovery>
<entry>2021-05-08</entry>
</dates>
</vuln>
<vuln vid="f7a00ad7-ae75-11eb-8113-08002728f74c">
<topic>Rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-actionpack52</name>
<range><lt>5.2.6</lt></range>
</package>
<package>
<name>rubygem-actionpack60</name>
<range><lt>6.0.3.7</lt></range>
</package>
<package>
<name>rubygem-actionpack61</name>
<range><lt>6.1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby on Rails blog:</p>
<blockquote cite="https://weblog.rubyonrails.org/2021/5/5/Rails-versions-6-1-3-2-6-0-3-7-5-2-4-6-and-5-2-6-have-been-released/">
<p>Rails versions 6.1.3.2, 6.0.3.7, and 5.2.6 have been released! These
releases contain important security fixes. Here is a list of the issues
fixed:</p>
<p>CVE-2021-22885: Possible Information Disclosure / Unintended Method Execution in Action Pack</p>
<p>CVE-2021-22902: Possible Denial of Service vulnerability in Action Dispatch</p>
<p>CVE-2021-22903: Possible Open Redirect Vulnerability in Action Pack</p>
<p>CVE-2021-22904: Possible DoS Vulnerability in Action Controller Token Authentication</p>
</blockquote>
</body>
</description>
<references>
<url>https://weblog.rubyonrails.org/2021/5/5/Rails-versions-6-1-3-2-6-0-3-7-5-2-4-6-and-5-2-6-have-been-released/</url>
<url>https://discuss.rubyonrails.org/t/cve-2021-22885-possible-information-disclosure-unintended-method-execution-in-action-pack/77868</url>
<url>https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866</url>
<url>https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867</url>
<url>https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869</url>
<cvename>CVE-2021-22885</cvename>
<cvename>CVE-2021-22902</cvename>
<cvename>CVE-2021-22903</cvename>
<cvename>CVE-2021-22904</cvename>
</references>
<dates>
<discovery>2021-05-05</discovery>
<entry>2021-05-07</entry>
</dates>
</vuln>
<vuln vid="7f242313-aea5-11eb-8151-67f74cf7c704">
<topic>go -- net/http: ReadRequest can stack overflow due to recursion with very large headers</topic>
<affects>
<package>
<name>go</name>
<range><lt>1.16.4,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Go project reports:</p>
<blockquote cite="https://github.com/golang/go/issues/45710">
<p>http.ReadRequest can stack overflow due to recursion when given a
request with a very large header (~8-10MB depending on the
architecture). A http.Server which overrides the default max header
of 1MB by setting Server.MaxHeaderBytes to a much larger value could
also be vulnerable in the same way.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-31525</cvename>
<url>https://github.com/golang/go/issues/45710</url>
</references>
<dates>
<discovery>2021-04-22</discovery>
<entry>2021-05-06</entry>
</dates>
</vuln>
<vuln vid="50ec3a01-ad77-11eb-8528-8c164582fbac">
<topic>Ansible -- Insecure Temporary File</topic>
<affects>
<package>
<name>py36-ansible</name>
<name>py37-ansible</name>
<name>py38-ansible</name>
<name>py39-ansible</name>
<name>py36-ansible27</name>
<range><ge>2.9.0</ge><le>2.9.9</le></range>
</package>
<package>
<name>py37-ansible27</name>
<name>py38-ansible27</name>
<name>py39-ansible27</name>
<range><ge>2.7.0</ge><le>2.7.18</le></range>
</package>
<package>
<name>py36-ansible28</name>
<name>py37-ansible28</name>
<name>py38-ansible28</name>
<name>py39-ansible28</name>
<range><ge>2.8.0</ge><le>2.8.12</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2020-10744">
<p>
An incomplete fix was found for the fix of the flaw CVE-2020-1733
ansible: insecure temporary directory when running become_user from
become directive. The provided fix is insufficient to prevent the
race condition on systems using ACLs and FUSE filesystems.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://nvd.nist.gov/vuln/detail/CVE-2020-10744</url>
<cvename>CVE-2020-10744</cvename>
</references>
<dates>
<discovery>2020-05-15</discovery>
<entry>2021-05-05</entry>
</dates>
</vuln>
<vuln vid="1766359c-ad6e-11eb-b2a4-080027e50e6d">
<topic>Django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py36-django22</name>
<name>py37-django22</name>
<name>py38-django22</name>
<name>py39-django22</name>
<range><lt>2.2.21</lt></range>
</package>
<package>
<name>py36-django31</name>
<name>py37-django31</name>
<name>py38-django31</name>
<name>py39-django31</name>
<range><lt>3.1.9</lt></range>
</package>
<package>
<name>py36-django32</name>
<name>py37-django32</name>
<name>py38-django32</name>
<name>py39-django32</name>
<range><lt>3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django Release reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2021/may/04/security-releases/">
<p>CVE-2021-31542: Potential directory-traversal via uploaded files.</p>
<p>MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal
via uploaded files with suitably crafted file names.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2021/may/04/security-releases/</url>
<cvename>CVE-2021-31542</cvename>
</references>
<dates>
<discovery>2021-04-22</discovery>
<entry>2021-05-05</entry>
</dates>
</vuln>
<vuln vid="bffa40db-ad50-11eb-86b8-080027846a02">
<topic>Python -- multiple vulnerabilities</topic>
<affects>
<package>
<name>python38</name>
<range><lt>3.8.10</lt></range>
</package>
<package>
<name>python39</name>
<range><lt>3.9.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Python reports:</p>
<blockquote cite="https://docs.python.org/3/whatsnew/changelog.html#changelog">
<p>bpo-43434: Creating a sqlite3.Connection object now also produces a
sqlite3.connect auditing event. Previously this event was only produced
by sqlite3.connect() calls. Patch by Erlend E. Aasland.</p>
<p>bpo-43882: The presence of newline or tab characters in parts of a URL
could allow some forms of attacks. Following the controlling specification
for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines
and tabs from URLs, preventing such attacks.</p>
<p>bpo-43472: Ensures interpreter-level audit hooks receive the cpython.
PyInterpreterState_New event when called through the _xxsubinterpreters
module.</p>
<p>bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4
address strings. Leading zeros are ambiguous and interpreted as octal
notation by some libraries. For example the legacy function socket.inet_aton()
treats leading zeros as octal notation. glibc implementation of modern
inet_pton() does not accept any leading zeros. For a while the ipaddress
module used to accept ambiguous leading zeros.</p>
<p>bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability
in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has
quadratic worst-case complexity and it allows causing a denial of service
when identifying crafted invalid RFCs. This ReDoS issue is on the client
side and needs remote attackers to control the HTTP server.</p>
<p>bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
and generator code/frame attribute access.</p>
</blockquote>
</body>
</description>
<references>
<url>https://docs.python.org/3/whatsnew/changelog.html#changelog</url>
<url>https://docs.python.org/3.8/whatsnew/changelog.html#changelog</url>
</references>
<dates>
<discovery>2021-03-08</discovery>
<entry>2021-05-05</entry>
</dates>
</vuln>
<vuln vid="1606b03b-ac57-11eb-9bdd-8c164567ca3c">
<topic>redis -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redis</name>
<range><ge>6.0.0</ge><lt>6.0.13</lt></range>
</package>
<package>
<name>redis-devel</name>
<range><ge>6.2.0</ge><lt>6.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redis project reports:</p>
<blockquote cite="https://groups.google.com/g/redis-db/c/6GSWzTW0PR8">
<dl>
<dt>Vulnerability in the STRALGO LCS command</dt>
<dd>
An integer overflow bug in Redis version 6.0 or newer could be
exploited using the STRALGO LCS command to corrupt the heap and
potentially result in remote code execution.
</dd>
<dt>Vulnerability in the COPY command for large intsets</dt>
<dd>
An integer overflow bug in Redis 6.2 could be exploited to corrupt
the heap and potentially result in remote code execution.
The vulnerability involves changing the default set-max-intset-entries
configuration value, creating a large set key that consists of
integer values and using the COPY command to duplicate it.
The integer overflow bug exists in all versions of Redis starting
with 2.6, where it could result with a corrupted RDB or DUMP payload,
but not exploited through COPY (which did not exist before 6.2).
</dd>
</dl>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-29477</cvename>
<cvename>CVE-2021-29478</cvename>
<url>https://groups.google.com/g/redis-db/c/6GSWzTW0PR8</url>
</references>
<dates>
<discovery>2021-05-03</discovery>
<entry>2021-05-03</entry>
</dates>
</vuln>
<vuln vid="57027417-ab7f-11eb-9596-080027f515ea">
<topic>RDoc -- command injection vulnerability</topic>
<affects>
<package>
<name>rubygem-rdoc</name>
<range><lt>6.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alexandr Savca reports:</p>
<blockquote cite="https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/">
<p>
RDoc used to call Kernel#open to open a local file. If a Ruby project
has a file whose name starts with | and ends with tags, the command
following the pipe character is executed. A malicious Ruby project
could exploit it to run an arbitrary command execution against a user
who attempts to run the rdoc command.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-31799</cvename>
<url>https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/</url>
</references>
<dates>
<discovery>2021-05-02</discovery>
<entry>2021-05-02</entry>
</dates>
</vuln>
<vuln vid="0add6e6b-6883-11eb-b0cb-f8b156c2bfe9">
<topic>sympa -- Unauthorised full access via SOAP API due to illegal cookie</topic>
<affects>
<package>
<name>sympa</name>
<range><lt>6.2.60</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sympa community reports:</p>
<blockquote cite="https://github.com/sympa-community/sympa/issues/1041">
<p>Unauthorised full access via SOAP API due to illegal cookie</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-29668</cvename>
<url>https://sympa-community.github.io/security/2020-003.html</url>
</references>
<dates>
<discovery>2020-11-24</discovery>
<entry>2021-02-06</entry>
</dates>
</vuln>
<vuln vid="6f33d38b-aa18-11eb-b3f1-005056a311d1">
<topic>samba -- negative idmap cache entries vulnerability</topic>
<affects>
<package>
<name>samba412</name>
<range><lt>4.12.15</lt></range>
</package>
<package>
<name>samba413</name>
<range><lt>4.13.8</lt></range>
</package>
<package>
<name>samba414</name>
<range><lt>4.14.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba Team reports:</p>
<blockquote cite="https://www.samba.org/samba/history/security.html">
<ul>
<li>CVE-2021-20254: Negative idmap cache entries can cause incorrect
group entries in the Samba file server process token.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.samba.org/samba/security/CVE-2021-20254.html</url>
<cvename>CVE-2021-20254</cvename>
</references>
<dates>
<discovery>2021-04-29</discovery>
<entry>2021-05-01</entry>
</dates>
</vuln>
<vuln vid="518a119c-a864-11eb-8ddb-001b217b3468">
<topic>Gitlab -- Vulnerabilities</topic>
<affects>
<package>
<name>gitlab-ce</name>
<range><ge>13.11.0</ge><lt>13.11.2</lt></range>
<range><ge>13.10.0</ge><lt>13.10.4</lt></range>
<range><ge>11.6.0</ge><lt>13.9.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gitlab reports:</p>
<blockquote cite="https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/">
<p>Read API scoped tokens can execute mutations</p>
<p>Pull mirror credentials were exposed</p>
<p>Denial of Service when querying repository branches API</p>
<p>Non-owners can set system_note_timestamp when creating / updating issues</p>
<p>DeployToken will impersonate a User with the same ID when using Dependency Proxy</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/releases/2021/04/28/security-release-gitlab-13-11-2-released/</url>
<cvename>CVE-2021-22209</cvename>
<cvename>CVE-2021-22206</cvename>
<cvename>CVE-2021-22210</cvename>
<cvename>CVE-2021-22208</cvename>
<cvename>CVE-2021-22211</cvename>
</references>
<dates>
<discovery>2021-04-28</discovery>
<entry>2021-04-28</entry>
</dates>
</vuln>
<vuln vid="76a07f31-a860-11eb-8ddb-001b217b3468">
<topic>Carrierwave -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-carrierwave</name>
<range><lt>1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Community reports:</p>
<blockquote cite="https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08">
<p>Fix Code Injection vulnerability in CarrierWave::RMagick</p>
<p>Fix SSRF vulnerability in the remote file download feature</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08</url>
<cvename>CVE-2021-21288</cvename>
<cvename>CVE-2021-21305</cvename>
</references>
<dates>
<discovery>2021-02-08</discovery>
<entry>2021-04-28</entry>
</dates>
</vuln>
<vuln vid="31a7ffb1-a80a-11eb-b159-f8b156c2bfe9">
<topic>sympa -- Inappropriate use of the cookie parameter can be a security threat. This parameter may also not provide sufficient security.</topic>
<affects>
<package>
<name>sympa</name>
<range><lt>6.2.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Earlier versions of Sympa require a parameter named cookie in the sympa.conf
configuration file.</p>
<blockquote cite="https://sympa-community.github.io/security/2021-001.html">
<p>This parameter was used to make some identifiers generated by the system
unpredictable. For example, it was used as following:</p>
<ul><li>To be used as a salt to encrypt passwords stored in the database by
the RC4 symmetric key algorithm.
<p>Note that RC4 is no longer considered secure enough and is not supported
in the current version of Sympa.</p></li>
<li>To prevent attackers from sending crafted messages to achieve XSS and
so on in message archives.</li></ul>
<p>There were the following problems with the use of this parameter.</p>
<ol><li>This parameter, for its purpose, should be different for each
installation, and once set, it cannot be changed. As a result, some sites
have been operating without setting this parameter. This completely
invalidates the security measures described above.</li>
<li>Even if this parameter is properly set, it may be considered not being
strong enough against brute force attacks.</li></ol>
</blockquote>
</body>
</description>
<references>
<url>https://sympa-community.github.io/security/2021-001.html</url>
</references>
<dates>
<discovery>2021-04-27</discovery>
<entry>2021-04-27</entry>
</dates>
</vuln>
<vuln vid="9fba80e0-a771-11eb-97a0-e09467587c17">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>90.0.4430.93</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_26.html">
<p>This release contains 9 security fixes, including:</p>
<ul>
<li>[1199345] High CVE-2021-21227: Insufficient data validation in
V8. Reported by Gengming Liu of Singular Security Lab on
2021-04-15</li>
<li>[1175058] High CVE-2021-21232: Use after free in Dev Tools.
Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability
Research on 2021-02-05</li>
<li>[1182937] High CVE-2021-21233: Heap buffer overflow in ANGLE.
Reported by Omair on 2021-02-26</li>
<li>[1139156] Medium CVE-2021-21228: Insufficient policy enforcement
in extensions. Reported by Rob Wu on 2020-10-16</li>
<li>[$TBD][1198165] Medium CVE-2021-21229: Incorrect security UI in
downloads. Reported by Mohit Raj (shadow2639) on 2021-04-12</li>
<li>[1198705] Medium CVE-2021-21230: Type Confusion in V8. Reported
by Manfred Paul on 2021-04-13</li>
<li>[1198696] Low CVE-2021-21231: Insufficient data validation in
V8. Reported by Sergei Glazunov of Google Project Zero on
2021-04-13</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21227</cvename>
<cvename>CVE-2021-21228</cvename>
<cvename>CVE-2021-21229</cvename>
<cvename>CVE-2021-21230</cvename>
<cvename>CVE-2021-21231</cvename>
<cvename>CVE-2021-21232</cvename>
<cvename>CVE-2021-21233</cvename>
<url>https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_26.html</url>
</references>
<dates>
<discovery>2021-04-26</discovery>
<entry>2021-04-27</entry>
</dates>
</vuln>
<vuln vid="e4403051-a667-11eb-b9c9-6cc21735f730">
<topic>shibboleth-sp -- denial of service vulnerability</topic>
<affects>
<package>
<name>shibboleth-sp</name>
<range>
<ge>3.0.0</ge>
<lt>3.2.1_1</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Shibboleth project reports:</p>
<blockquote cite="https://shibboleth.net/community/advisories/secadv_20210426.txt">
<p>Session recovery feature contains a null pointer dereference.</p>
<p>
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.
</p>
<p>
This manifests as a crash in the shibd daemon/service process.
</p>
<p>
Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://shibboleth.net/community/advisories/secadv_20210426.txt</url>
</references>
<dates>
<discovery>2021-04-23</discovery>
<entry>2021-04-26</entry>
</dates>
</vuln>
<vuln vid="bc83cfc9-42cf-4b00-97ad-d352ba0c5e2b">
<topic>zeek -- null-pointer dereference vulnerability</topic>
<affects>
<package>
<name>zeek</name>
<range><lt>4.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jon Siwek of Corelight reports:</p>
<blockquote cite="https://github.com/zeek/zeek/releases/tag/v4.0.1">
<p>Fix null-pointer dereference when encountering an
invalid enum name in a config/input file that tries to
read it into a set[enum]. For those that have such an
input feed whose contents may come from external/remote
sources, this is a potential DoS vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/zeek/zeek/releases/tag/v4.0.1</url>
</references>
<dates>
<discovery>2021-04-01</discovery>
<entry>2021-04-21</entry>
</dates>
</vuln>
<vuln vid="efb965be-a2c0-11eb-8956-1951a8617e30">
<topic>openvpn -- deferred authentication can be bypassed in specific circumstances</topic>
<affects>
<package>
<name>openvpn</name>
<range><lt>2.5.2</lt></range>
</package>
<package>
<name>openvpn-mbedtls</name>
<range><lt>2.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gert Döring reports:</p>
<blockquote cite="https://community.openvpn.net/openvpn/wiki/CVE-2020-15078">
<p>
OpenVPN 2.5.1 and earlier versions allow a remote attacker to
bypass authentication and access control channel data on servers
configured with deferred authentication, which can be used to
potentially trigger further information leaks.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://community.openvpn.net/openvpn/wiki/CVE-2020-15078</url>
<url>https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-252</url>
<cvename>CVE-2020-15078</cvename>
</references>
<dates>
<discovery>2021-03-02</discovery>
<entry>2021-04-21</entry>
</dates>
</vuln>
<vuln vid="cb13a765-a277-11eb-97a0-e09467587c17">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>90.0.4430.85</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html">
<p>This release includes 7 security fixes, including:</p>
<ul>
<li>[1194046] High CVE-2021-21222: Heap buffer overflow in V8.
Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30</li>
<li>[1195308] High CVE-2021-21223: Integer overflow in Mojo.
Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02</li>
<li>[1195777] High CVE-2021-21224: Type Confusion in V8. Reported
by Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-05</li>
<li>[1195977] High CVE-2021-21225: Out of bounds memory access in
V8. Reported by Brendon Tiszka (@btiszka) supporting the EFF on
2021-04-05</li>
<li>[1197904] High CVE-2021-21226: Use after free in navigation.
Reported by Brendon Tiszka (@btiszka) supporting the EFF on
2021-04-11</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21222</cvename>
<cvename>CVE-2021-21223</cvename>
<cvename>CVE-2021-21224</cvename>
<cvename>CVE-2021-21225</cvename>
<cvename>CVE-2021-21226</cvename>
<url>https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html</url>
</references>
<dates>
<discovery>2021-04-20</discovery>
<entry>2021-04-21</entry>
</dates>
</vuln>
<vuln vid="e358b470-b37d-4e47-bc8a-2cd9adbeb63c">
<topic>jenkins -- Denial of service vulnerability in bundled Jetty</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>2.286</lt></range>
</package>
<package>
<name>jenkins-lts</name>
<range><lt>2.277.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://www.jenkins.io/security/advisory/2021-04-20/">
<h1>Description</h1>
<h5>(High) JENKINS-65280 / CVE-2021-28165</h5>
<p>Denial of service vulnerability in bundled Jetty</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.jenkins.io/security/advisory/2021-04-20/</url>
<cvename>CVE-2021-28165</cvename>
</references>
<dates>
<discovery>2021-04-20</discovery>
<entry>2021-04-20</entry>
</dates>
</vuln>
<vuln vid="56ba4513-a1be-11eb-9072-d4c9ef517024">
<topic>MySQL -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>mariadb103-server</name>
<range><lt>10.3.29</lt></range>
</package>
<package>
<name>mariadb104-server</name>
<range><lt>10.4.19</lt></range>
</package>
<package>
<name>mariadb105-server</name>
<range><lt>10.5.10</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.52</lt></range>
</package>
<package>
<name>mysql57-server</name>
<range><lt>5.7.34</lt></range>
</package>
<package>
<name>mysql80-server</name>
<range><lt>8.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="https://www.oracle.com/security-alerts/cpuapr2021.html">
<p>This Critical Patch Update contains 49 new security patches for
Oracle MySQL. 10 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without
requiring user credentials.<br/>
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle
MySQL is 9.8.</p>
<p>MariaDB is affected by CVE-2021-2166 and CVE-2021-2154 only</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.oracle.com/security-alerts/cpuapr2021.html</url>
<url>https://mariadb.com/kb/en/mariadb-10510-release-notes/</url>
<cvename>CVE-2020-8277</cvename>
<cvename>CVE-2020-1971</cvename>
<cvename>CVE-2021-3449</cvename>
<cvename>CVE-2020-28196</cvename>
<cvename>CVE-2021-23841</cvename>
<cvename>CVE-2021-2144</cvename>
<cvename>CVE-2021-2172</cvename>
<cvename>CVE-2021-2298</cvename>
<cvename>CVE-2021-2178</cvename>
<cvename>CVE-2021-2202</cvename>
<cvename>CVE-2021-2307</cvename>
<cvename>CVE-2021-2304</cvename>
<cvename>CVE-2021-2180</cvename>
<cvename>CVE-2021-2194</cvename>
<cvename>CVE-2021-2154</cvename>
<cvename>CVE-2021-2166</cvename>
<cvename>CVE-2021-2196</cvename>
<cvename>CVE-2021-2300</cvename>
<cvename>CVE-2021-2305</cvename>
<cvename>CVE-2021-2179</cvename>
<cvename>CVE-2021-2226</cvename>
<cvename>CVE-2021-2160</cvename>
<cvename>CVE-2021-2164</cvename>
<cvename>CVE-2021-2169</cvename>
<cvename>CVE-2021-2170</cvename>
<cvename>CVE-2021-2193</cvename>
<cvename>CVE-2021-2203</cvename>
<cvename>CVE-2021-2212</cvename>
<cvename>CVE-2021-2213</cvename>
<cvename>CVE-2021-2278</cvename>
<cvename>CVE-2021-2299</cvename>
<cvename>CVE-2021-2230</cvename>
<cvename>CVE-2021-2146</cvename>
<cvename>CVE-2021-2201</cvename>
<cvename>CVE-2021-2208</cvename>
<cvename>CVE-2021-2215</cvename>
<cvename>CVE-2021-2217</cvename>
<cvename>CVE-2021-2293</cvename>
<cvename>CVE-2021-2174</cvename>
<cvename>CVE-2021-2171</cvename>
<cvename>CVE-2021-2162</cvename>
<cvename>CVE-2021-2301</cvename>
<cvename>CVE-2021-2308</cvename>
<cvename>CVE-2021-2232</cvename>
</references>
<dates>
<discovery>2021-04-20</discovery>
<entry>2021-04-20</entry>
<modified>2021-05-04</modified>
</dates>
</vuln>
<vuln vid="e87c2647-a188-11eb-8806-1c1b0d9ea7e6">
<topic>All versions of Apache OpenOffice through 4.1.9 can open non-http(s) hyperlinks. If the link is specifically crafted this could lead to untrusted code execution.</topic>
<affects>
<package>
<name>apache-openoffice</name>
<range><lt>4.1.10</lt></range>
</package>
<package>
<name>apache-openoffice-devel</name>
<range><lt>4.2.1619649022,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache OpenOffice project reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30245">
<p>The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to be careful opening documents from unknown and unverified sources. The mitigation in Apache OpenOffice 4.1.10 (unreleased) assures that a security warning is displayed giving the user the option of continuing to open the hyperlink.</p>
</blockquote>
</body>
</description>
<references>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30245</url>
<cvename>CVE-2021-30245</cvename>
</references>
<dates>
<discovery>2021-01-25</discovery>
<entry>2021-04-20</entry>
</dates>
</vuln>
<vuln vid="20006b5f-a0bc-11eb-8ae6-fc4dd43e2b6a">
<topic>Apache Maven -- multiple vulnerabilities</topic>
<affects>
<package>
<name>maven</name>
<range><lt>3.8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Maven project reports:</p>
<blockquote cite="http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291">
<p>We received a report from Jonathan Leitschuh about a vulnerability
of custom repositories in dependency POMs. We've split this up
into three separate issues:</p>
<ul>
<li>Possible Man-In-The-Middle-Attack due to custom repositories
using HTTP.
More and more repositories use HTTPS nowadays, but this
hasn't always been the case. This means that Maven Central contains
POMs with custom repositories that refer to a URL over HTTP. This
makes downloads via such repository a target for a MITM attack. At
the same time, developers are probably not aware that for some
downloads an insecure URL is being used. Because uploaded POMs to
Maven Central are immutable, a change for Maven was required. To
solve this, we extended the mirror configuration with blocked
parameter, and we added a new external:http:* mirror selector (like
existing external:*), meaning "any external URL using HTTP".
The decision was made to block such external HTTP repositories by default:
this is done by providing a mirror in the conf/settings.xml blocking
insecure HTTP external URLs.</li>
<li>Possible Domain Hijacking due to custom repositories using abandoned
domains
Sonatype has analyzed which domains were abandoned and has claimed these
domains.</li>
<li>Possible hijacking of downloads by redirecting to custom repositories
This one was the hardest to analyze and explain. The short story is:
you're safe, dependencies are only downloaded from repositories within
their context. So there are two main questions: what is the context and
what is the order? The order is described on the Repository Order page.
The first group of repositories are defined in the settings.xml (both user
and global). The second group of repositories are based on inheritance,
with ultimately the super POM containing the URL to Maven Central. The
third group is the most complex one but is important to understand the
term context: repositories from the effective POMs from the dependency
path to the artifact. So if a dependency was defined by another dependency
or by a Maven project, it will also include their repositories. In the end
this is not a bug, but a design feature.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291</url>
<cvename>CVE-2021-26291</cvename>
<cvename>CVE-2020-13956</cvename>
</references>
<dates>
<discovery>2021-04-04</discovery>
<entry>2021-04-19</entry>
</dates>
</vuln>
<vuln vid="093a6baf-9f99-11eb-b150-000c292ee6b8">
<topic>Consul -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>consul</name>
<range><lt>1.9.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hashicorp reports:</p>
<blockquote cite="https://github.com/hashicorp/consul/releases/tag/v1.9.5">
<p>Add content-type headers to raw KV responses to prevent XSS attacks
(CVE-2020-25864). audit-logging: Parse endpoint URL to prevent
requests from bypassing the audit log (CVE-2021-28156).</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/hashicorp/consul/releases/tag/v1.9.5</url>
<cvename>CVE-2020-25864</cvename>
<cvename>CVE-2021-28156</cvename>
</references>
<dates>
<discovery>2021-04-15</discovery>
<entry>2021-04-17</entry>
</dates>
</vuln>
<vuln vid="75aae50b-9e3c-11eb-9bc3-8c164582fbac">
<topic>AccountService -- Insufficient path check in user_change_icon_file_authorized_cb()</topic>
<affects>
<package>
<name>accountsservice</name>
<range><lt>0.6.50</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2018-14036">
<p>
Directory Traversal with ../ sequences occurs in AccountsService
before 0.6.50 because of an insufficient path check in
user_change_icon_file_authorized_cb() in user.c.
</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2018/07/02/2</url>
<url>https://nvd.nist.gov/vuln/detail/CVE-2018-14036</url>
<url>https://www.securityfocus.com/bid/104757</url>
<url>https://bugs.freedesktop.org/show_bug.cgi?id=107085</url>
<url>https://bugzilla.suse.com/show_bug.cgi?id=1099699</url>
<url>https://cgit.freedesktop.org/accountsservice/commit/?id=f9abd359f71a5bce421b9ae23432f539a067847a</url>
<cvename>CVE-2018-14036</cvename>
</references>
<dates>
<discovery>2018-07-13</discovery>
<entry>2021-04-15</entry>
</dates>
</vuln>
<vuln vid="40b481a9-9df7-11eb-9bc3-8c164582fbac">
<topic>mdbook -- XSS in mdBook's search page</topic>
<affects>
<package>
<name>mdbook</name>
<range><lt>0.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Rust Security Response Working Group reports:</p>
<blockquote cite="https://github.com/rust-lang/mdBook/security/advisories/GHSA-gx5w-rrhp-f436">
<p>
The search feature of mdBook (introduced in version 0.1.4) was
affected by a cross site scripting vulnerability that allowed an
attacker to execute arbitrary JavaScript code on an user's browser
by tricking the user into typing a malicious search query, or
tricking the user into clicking a link to the search page with the
malicious search query prefilled.
mdBook 0.4.5 fixes the vulnerability by properly escaping the search
query.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/rust-lang/mdBook/blob/master/CHANGELOG.md#mdbook-045</url>
<url>https://github.com/rust-lang/mdBook/commit/32abeef088e98327ca0dfccdad92e84afa9d2e9b</url>
<url>https://github.com/rust-lang/mdBook/security/advisories/GHSA-gx5w-rrhp-f436</url>
<url>https://groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0?pli=1</url>
<url>https://nvd.nist.gov/vuln/detail/CVE-2020-26297</url>
<cvename>CVE-2020-26297</cvename>
</references>
<dates>
<discovery>2021-04-01</discovery>
<entry>2021-04-15</entry>
</dates>
</vuln>
<vuln vid="fb6e53ae-9df6-11eb-ba8c-001b217b3468">
<topic>Gitlab -- Vulnerabilities</topic>
<affects>
<package>
<name>gitlab-ce</name>
<range><ge>13.10.0</ge><lt>13.10.3</lt></range>
<range><ge>13.9.0</ge><lt>13.9.6</lt></range>
<range><ge>7.12</ge><lt>13.8.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gitlab reports:</p>
<blockquote cite="https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/">
<p>Remote code execution when uploading specially crafted image files</p>
<p>Update Rexml</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/</url>
<cvename>CVE-2021-28965</cvename>
</references>
<dates>
<discovery>2021-04-14</discovery>
<entry>2021-04-15</entry>
</dates>
</vuln>
<vuln vid="f3d86439-9def-11eb-97a0-e09467587c17">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>90.0.4430.72</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html">
<p>This release contains 37 security fixes, including:</p>
<ul>
<li>[1025683] High CVE-2021-21201: Use after free in permissions.
Reported by Gengming Liu, Jianyu Chen at Tencent Keen Security
Lab on 2019-11-18</li>
<li>[1188889] High CVE-2021-21202: Use after free in extensions.
Reported by David Erceg on 2021-03-16</li>
<li>[1192054] High CVE-2021-21203: Use after free in Blink.
Reported by asnine on 2021-03-24</li>
<li>[1189926] High CVE-2021-21204: Use after free in Blink.
Reported by Chelse Tsai-Simek, Jeanette Ulloa, and Emily
Voigtlander of Seesaw on 2021-03-19</li>
<li>[1165654] High CVE-2021-21205: Insufficient policy enforcement
in navigation. Reported by Alison Huffman, Microsoft Browser
Vulnerability Research on 2021-01-12</li>
<li>[1195333] High CVE-2021-21221: Insufficient validation of
untrusted input in Mojo. Reported by Guang Gong of Alpha Lab,
Qihoo 360 on 2021-04-02</li>
<li>[1185732] Medium CVE-2021-21207: Use after free in IndexedDB.
Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13)
of 360 Alpha Lab on 2021-03-08</li>
<li>[1039539] Medium CVE-2021-21208: Insufficient data validation
in QR scanner. Reported by Ahmed Elsobky (@0xsobky) on
2020-01-07</li>
<li>[1143526] Medium CVE-2021-21209: Inappropriate implementation
in storage. Reported by Tom Van Goethem (@tomvangoethem) on
2020-10-29</li>
<li>[1184562] Medium CVE-2021-21210: Inappropriate implementation
in Network. Reported by @bananabr on 2021-03-04</li>
<li>[1103119] Medium CVE-2021-21211: Inappropriate implementation
in Navigation. Reported by Akash Labade (m0ns7er) on
2020-07-08</li>
<li>[1145024] Medium CVE-2021-21212: Incorrect security UI in
Network Config UI. Reported by Hugo Hue and Sze Yiu Chau of the
Chinese University of Hong Kong on 2020-11-03</li>
<li>[1161806] Medium CVE-2021-21213: Use after free in WebMIDI.
Reported by raven (@raid_akame) on 2020-12-25</li>
<li>[1170148] Medium CVE-2021-21214: Use after free in Network API.
Reported by Anonymous on 2021-01-24</li>
<li>[1172533] Medium CVE-2021-21215: Inappropriate implementation
in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2021-01-30</li>
<li>[1173297] Medium CVE-2021-21216: Inappropriate implementation
in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2021-02-02</li>
<li>[1166462] Low CVE-2021-21217: Uninitialized Use in PDFium.
Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on
2021-01-14</li>
<li>[1166478] Low CVE-2021-21218: Uninitialized Use in PDFium.
Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on
2021-01-14</li>
<li>[1166972] Low CVE-2021-21219: Uninitialized Use in PDFium.
Reported by Zhou Aiting (@zhouat1) of Qihoo 360 Vulcan Team on
2021-01-15</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21201</cvename>
<cvename>CVE-2021-21202</cvename>
<cvename>CVE-2021-21203</cvename>
<cvename>CVE-2021-21204</cvename>
<cvename>CVE-2021-21205</cvename>
<cvename>CVE-2021-21221</cvename>
<cvename>CVE-2021-21207</cvename>
<cvename>CVE-2021-21208</cvename>
<cvename>CVE-2021-21209</cvename>
<cvename>CVE-2021-21210</cvename>
<cvename>CVE-2021-21211</cvename>
<cvename>CVE-2021-21212</cvename>
<cvename>CVE-2021-21213</cvename>
<cvename>CVE-2021-21214</cvename>
<cvename>CVE-2021-21215</cvename>
<cvename>CVE-2021-21216</cvename>
<cvename>CVE-2021-21217</cvename>
<cvename>CVE-2021-21218</cvename>
<cvename>CVE-2021-21219</cvename>
<url>https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html</url>
</references>
<dates>
<discovery>2021-04-14</discovery>
<entry>2021-04-15</entry>
</dates>
</vuln>
<vuln vid="7c0d71a9-9d48-11eb-97a0-e09467587c17">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>89.0.4389.128</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html">
<p>This release contains two security fixes:</p>
<ul>
<li>[1196781] High CVE-2021-21206: Use after free in Blink. Reported
by Anonymous on 2021-04-07</li>
<li>[1196683] High CVE-2021-21220: Insufficient validation of
untrusted input in V8 for x86_64. Reported by Bruno Keith (@bkth_)
and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it)
via ZDI (ZDI-CAN-13569) on 2021-04-07</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21206</cvename>
<cvename>CVE-2021-21220</cvename>
<url>https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2021-04-13</discovery>
<entry>2021-04-14</entry>
</dates>
</vuln>
<vuln vid="465db5b6-9c6d-11eb-8e8a-bc542f4bd1dd">
<topic>xorg-server -- Input validation failures in X server XInput extension</topic>
<affects>
<package>
<name>xorg-server</name>
<range><lt>1.20.11,1</lt></range>
</package>
<package>
<name>xwayland</name>
<range><lt>1.20.11,1</lt></range>
</package>
<package>
<name>xwayland-devel</name>
<range><le>1.20.0.877</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>X.Org server security reports for release 1.20.11:</p>
<blockquote cite="https://lists.x.org/archives/xorg/2021-April/060678.html">
<ul>
<li>Fix XChangeFeedbackControl() request underflow</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://gitlab.freedesktop.org/xorg/xserver/-/tags/xorg-server-1.20.11</url>
</references>
<dates>
<discovery>2021-04-13</discovery>
<entry>2021-04-13</entry>
</dates>
</vuln>
<vuln vid="094fb2ec-9aa3-11eb-83cb-0800278d94f0">
<topic>gitea -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gitea</name>
<range><lt>1.14.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Gitea Team reports for release 1.14.0:</p>
<blockquote cite="https://blog.gitea.io/2021/04/gitea-1.14.0-is-released/">
<ul>
<li>Validate email in external authenticator registration form</li>
<li>Ensure validation occurs on clone addresses too</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/go-gitea/gitea/releases/tag/v1.14.0</url>
<freebsdpr>ports/254976</freebsdpr>
</references>
<dates>
<discovery>2021-03-11</discovery>
<entry>2021-04-11</entry>
</dates>
</vuln>
<vuln vid="9ee01e60-6045-43df-98e5-a794007e54ef">
<topic>syncthing -- crash due to malformed relay protocol message</topic>
<affects>
<package>
<name>syncthing</name>
<range><lt>1.15.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>syncthing developers report:</p>
<blockquote cite="https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h">
<p>syncthing can be caused to crash and exit if sent a malformed relay protocol
message with a negative length field.</p>
<p>The relay server strelaysrv can be caused to crash and exit if sent a malformed
relay protocol message with a negative length field.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21404</cvename>
<url>https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h</url>
</references>
<dates>
<discovery>2021-04-06</discovery>
<entry>2021-04-12</entry>
</dates>
</vuln>
<vuln vid="f671c282-95ef-11eb-9c34-080027f515ea">
<topic>python -- Information disclosure via pydoc -p: /getfile?key=path allows reading arbitrary files on the filesystem</topic>
<affects>
<package>
<name>python38</name>
<range><lt>3.8.9</lt></range>
</package>
<package>
<name>python39</name>
<range><lt>3.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Schwörer reports:</p>
<blockquote cite="https://pythoninsider.blogspot.com/2021/04/python-393-and-389-are-now-available.html">
<p>
Remove the getfile feature of the pydoc module which could be
abused to read arbitrary files on the disk (directory traversal
vulnerability). Moreover, even source code of Python modules
can contain sensitive data like passwords.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-3426</cvename>
<url>https://pythoninsider.blogspot.com/2021/04/python-393-and-389-are-now-available.html</url>
<url>https://bugs.python.org/issue42988</url>
</references>
<dates>
<discovery>2021-01-21</discovery>
<entry>2021-04-10</entry>
</dates>
</vuln>
<vuln vid="d10fc771-958f-11eb-9c34-080027f515ea">
<topic>curl -- TLS 1.3 session ticket proxy host mixup</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.63.0</ge><lt>7.76.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel Stenberg reports:</p>
<blockquote cite="https://curl.se/docs/CVE-2021-22890.html">
<p>
Enabled by default, libcurl supports the use of TLS 1.3 session
tickets to resume previous TLS sessions to speed up subsequent
TLS handshakes.
</p>
<p>
When using an HTTPS proxy and TLS 1.3, libcurl can confuse session
tickets arriving from the HTTPS proxy but work as if they arrived
from the remote server and then wrongly "short-cut" the host
handshake. The reason for this confusion is the modified sequence
from TLS 1.2, when the session ids would be provided only during the
TLS handshake, while in TLS 1.3 it happens post-handshake and
the code was not updated to take that changed behavior into account.
</p>
<p>
When confusing the tickets, an HTTPS proxy can trick libcurl to use
the wrong session ticket resume for the host and thereby circumvent
the server TLS certificate check and make a MITM attack possible
to perform unnoticed.
</p>
<p>
This flaw can allow a malicious HTTPS proxy to MITM the traffic.
Such a malicious HTTPS proxy needs to provide a certificate that
curl will accept for the MITMed server for an attack to work -
unless curl has been told to ignore the server certificate check.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-22890</cvename>
<url>https://curl.se/docs/CVE-2021-22890.html</url>
</references>
<dates>
<discovery>2021-03-31</discovery>
<entry>2021-04-10</entry>
</dates>
</vuln>
<vuln vid="b1194286-958e-11eb-9c34-080027f515ea">
<topic>curl -- Automatic referer leaks credentials</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.1.1</ge><lt>7.76.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel Stenberg reports:</p>
<blockquote cite="https://curl.se/docs/CVE-2021-22876.html">
<p>
libcurl does not strip off user credentials from the URL when
automatically populating the Referer: HTTP request header field
in outgoing HTTP requests, and therefore risks leaking sensitive
data to the server that is the target of the second HTTP request.
</p>
<p>
libcurl automatically sets the Referer: HTTP request header field
in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set.
With the curl tool, it is enabled with --referer ";auto".
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-22876</cvename>
<url>https://curl.se/docs/CVE-2021-22876.html</url>
</references>
<dates>
<discovery>2021-03-31</discovery>
<entry>2021-04-10</entry>
</dates>
</vuln>
<vuln vid="8ba23a62-997d-11eb-9f0e-0800278d94f0">
<topic>gitea -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gitea</name>
<range><lt>1.13.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Gitea Team reports for release 1.13.7:</p>
<blockquote cite="https://blog.gitea.io/2021/04/gitea-1.13.7-is-released/">
<ul>
<li>Update to bluemonday-1.0.6</li>
<li>Clusterfuzz found another way</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/go-gitea/gitea/releases/tag/v1.13.7</url>
<freebsdpr>ports/254930</freebsdpr>
</references>
<dates>
<discovery>2021-04-07</discovery>
<entry>2021-04-09</entry>
</dates>
</vuln>
<vuln vid="9ae2c00f-97d0-11eb-8cd6-080027f515ea">
<topic>clamav -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>clamav</name>
<range><lt>0.103.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Micah Snyder reports:</p>
<blockquote cite="https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html">
<dl>
<dt>CVE-2021-1252</dt>
<dd>Excel XLM parser infinite loop</dd>
<dt>CVE-2021-1404</dt>
<dd>PDF parser buffer over-read; possible crash.</dd>
<dt>CVE-2021-1405</dt>
<dd>Mail parser NULL-dereference crash.</dd>
</dl>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-1252</cvename>
<cvename>CVE-2021-1404</cvename>
<cvename>CVE-2021-1405</cvename>
<url>https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html</url>
</references>
<dates>
<discovery>2021-04-07</discovery>
<entry>2021-04-07</entry>
</dates>
</vuln>
<vuln vid="9595d002-edeb-4602-be2d-791cd654247e">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>2.287</lt></range>
</package>
<package>
<name>jenkins-lts</name>
<range><lt>2.277.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://www.jenkins.io/security/advisory/2021-04-07/">
<h1>Description</h1>
<h5>(Low) SECURITY-1721 / CVE-2021-21639</h5>
<p>Lack of type validation in agent related REST API</p>
<h5>(Medium) SECURITY-1871 / CVE-2021-21640</h5>
<p>View name validation bypass</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.jenkins.io/security/advisory/2021-04-07/</url>
</references>
<dates>
<discovery>2021-04-07</discovery>
<entry>2021-04-08</entry>
</dates>
</vuln>
<vuln vid="c0c1834c-9761-11eb-acfd-0022489ad614">
<topic>Node.js -- April 2021 Security Releases</topic>
<affects>
<package>
<name>node10</name>
<range><lt>10.24.1</lt></range>
</package>
<package>
<name>node12</name>
<range><lt>12.22.1</lt></range>
</package>
<package>
<name>node14</name>
<range><lt>14.16.1</lt></range>
</package>
<package>
<name>node</name>
<range><lt>15.14.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Node.js reports:</p>
<blockquote cite="https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/">
<h1>OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)</h1>
<p>This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt</p>
<h1>OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)</h1>
<p>This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt</p>
<h1>npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)</h1>
<p>This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh</p>
</blockquote>
</body>
</description>
<references>
<url>https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/</url>
<url>https://www.openssl.org/news/secadv/20210325.txt</url>
<url>https://github.com/advisories/GHSA-c4w7-xm78-47vh</url>
<cvename>CVE-2021-3450</cvename>
<cvename>CVE-2021-3449</cvename>
<cvename>CVE-2020-7774</cvename>
</references>
<dates>
<discovery>2021-04-06</discovery>
<entry>2021-04-07</entry>
</dates>
</vuln>
<vuln vid="a7b97d26-9792-11eb-b87a-901b0ef719ab">
<topic>FreeBSD -- jail escape possible by mounting over jail root</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>12.2</ge><lt>12.2_6</lt></range>
<range><ge>11.4</ge><lt>11.4_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to a race condition between the lookup of ".." and the remounting of a filesystem,
a process running inside a jail might access the filesystem hierarchy outside
of the jail.</p>
<h1>Impact:</h1>
<p>A process with superuser privileges running inside a jail configured
with the allow.mount permission (not enabled by default) could change the root
directory outside of the jail, and thus gain full read and write access
to all files and directories in the system.</p>
</body>
</description>
<references>
<cvename>CVE-2020-25584</cvename>
<freebsdsa>SA-21:10.jail_mount</freebsdsa>
</references>
<dates>
<discovery>2021-04-06</discovery>
<entry>2021-04-07</entry>
</dates>
</vuln>
<vuln vid="f8e1e2a6-9791-11eb-b87a-901b0ef719ab">
<topic>FreeBSD -- double free in accept_filter(9) socket configuration interface</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>12.2</ge><lt>12.2_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>An unprivileged process can configure an accept filter on a listening
socket. This is done using the setsockopt(2) system call. The process
supplies the name of the accept filter which is to be attached to the
socket, as well as a string containing filter-specific information.</p>
<p>If the filter implements the accf_create callback, the socket option
handler attempts to preserve the process-supplied argument string. A
bug in the socket option handler caused this string to be freed
prematurely, leaving a dangling pointer. Additional operations on the
socket can turn this into a double free or a use-after-free.</p>
<h1>Impact:</h1>
<p>The bug may be exploited to trigger local privilege escalation or
kernel memory disclosure.</p>
</body>
</description>
<references>
<cvename>CVE-2021-29627</cvename>
<freebsdsa>SA-21:09.accept_filter</freebsdsa>
</references>
<dates>
<discovery>2021-04-06</discovery>
<entry>2021-04-07</entry>
</dates>
</vuln>
<vuln vid="13d37672-9791-11eb-b87a-901b0ef719ab">
<topic>FreeBSD -- Memory disclosure by stale virtual memory mapping</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>12.2</ge><lt>12.2_6</lt></range>
<range><ge>11.4</ge><lt>11.4_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A particular case of memory sharing is mishandled in the virtual memory
system. It is possible and legal to establish a relationship where
multiple descendant processes share a mapping which shadows memory of an
ancestor process. In this scenario, when one process modifies memory
through such a mapping, the copy-on-write logic fails to invalidate
other mappings of the source page. These stale mappings may remain even
after the mapped pages have been reused for another purpose.</p>
<h1>Impact:</h1>
<p>An unprivileged local user process can maintain a mapping of a page
after it is freed, allowing that process to read private data belonging
to other processes or the kernel.</p>
</body>
</description>
<references>
<cvename>CVE-2021-29626</cvename>
<freebsdsa>SA-21:08.vm</freebsdsa>
</references>
<dates>
<discovery>2021-04-06</discovery>
<entry>2021-04-07</entry>
</dates>
</vuln>
<vuln vid="79fa9f23-9725-11eb-b530-7085c2fb2c14">
<topic>upnp -- stack overflow vulnerability</topic>
<affects>
<package>
<name>upnp</name>
<range><lt>1.14.5,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mitre reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28302">
<p>
A stack overflow in pupnp 1.16.1 can cause the denial of service through the
Parser_parseDocument() function. ixmlNode_free() will release a child node
recursively, which will consume stack space and lead to a crash.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-28302</cvename>
<url>https://github.com/pupnp/pupnp/issues/249</url>
</references>
<dates>
<discovery>2021-03-12</discovery>
<entry>2021-04-06</entry>
</dates>
</vuln>
<vuln vid="dec7e4b6-961a-11eb-9c34-080027f515ea">
<topic>ruby -- XML round-trip vulnerability in REXML</topic>
<affects>
<package>
<name>ruby</name>
<range><ge>2.5.0,1</ge><lt>2.5.9,1</lt></range>
<range><ge>2.6.0,1</ge><lt>2.6.7,1</lt></range>
<range><ge>2.7.0,1</ge><lt>2.7.3,1</lt></range>
<range><ge>3.0.0.p1,1</ge><lt>3.0.1,1</lt></range>
</package>
<package>
<name>rubygem-rexml</name>
<range><lt>3.2.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Juho Nurminen reports:</p>
<blockquote cite="https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/">
<p>
When parsing and serializing a crafted XML document, REXML gem
(including the one bundled with Ruby) can create a wrong XML
document whose structure is different from the original one.
The impact of this issue highly depends on context, but it may
lead to a vulnerability in some programs that are using REXML.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-28965</cvename>
<url>https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/</url>
</references>
<dates>
<discovery>2021-04-05</discovery>
<entry>2021-04-05</entry>
</dates>
</vuln>
<vuln vid="bddadaa4-9227-11eb-99c5-e09467587c17">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>89.0.4389.114</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_30.html">
<p>This update contains 8 security fixes, including:</p>
<ul>
<li>[1181228] High CVE-2021-21194: Use after free in screen capture.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-02-23</li>
<li>[1182647] High CVE-2021-21195: Use after free in V8.
Reported by Bohan Liu (@P4nda20371774) and Moon Liang of Tencent
Security Xuanwu Lab on 2021-02-26</li>
<li>[1175992] High CVE-2021-21196: Heap buffer overflow in
TabStrip. Reported by Khalil Zhani on 2021-02-08</li>
<li>[1173903] High CVE-2021-21197: Heap buffer overflow in
TabStrip. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2021-02-03</li>
<li>[1184399] High CVE-2021-21198: Out of bounds read in IPC.
Reported by Mark Brand of Google Project Zero on 2021-03-03</li>
<li>[1179635] High CVE-2021-21199: Use after free in Aura.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of
Legendsec at Qi'anxin Group and Evangelos Foutras</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21194</cvename>
<cvename>CVE-2021-21195</cvename>
<cvename>CVE-2021-21196</cvename>
<cvename>CVE-2021-21197</cvename>
<cvename>CVE-2021-21198</cvename>
<cvename>CVE-2021-21199</cvename>
<url>https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_30.html</url>
</references>
<dates>
<discovery>2021-03-31</discovery>
<entry>2021-03-31</entry>
</dates>
</vuln>
<vuln vid="56abf87b-96ad-11eb-a218-001b217b3468">
<topic>Gitlab -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>gitlab-ce</name>
<range><ge>13.10.0</ge><lt>13.10.1</lt></range>
<range><ge>13.9.0</ge><lt>13.9.5</lt></range>
<range><ge>9</ge><lt>13.8.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gitlab reports:</p>
<blockquote cite="https://about.gitlab.com/releases/2021/03/31/security-release-gitlab-13-10-1-released/">
<p>Arbitrary File Read During Project Import</p>
<p>Kroki Arbitrary File Read/Write</p>
<p>Stored Cross-Site-Scripting in merge requests</p>
<p>Access data of an internal project through a public project fork as an anonymous user</p>
<p>Incident metric images can be deleted by any user</p>
<p>Infinite Loop When a User Accesses a Merge Request</p>
<p>Stored XSS in scoped labels</p>
<p>Admin CSRF in System Hooks Execution Through API</p>
<p>Update OpenSSL dependency</p>
<p>Update PostgreSQL dependency</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/releases/2021/03/31/security-release-gitlab-13-10-1-released/</url>
</references>
<dates>
<discovery>2021-03-31</discovery>
<entry>2021-04-06</entry>
</dates>
</vuln>
<vuln vid="1f6d97da-8f72-11eb-b3f1-005056a311d1">
<topic>samba -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>samba411</name>
<range><le>4.11.15</le></range>
</package>
<package>
<name>samba412</name>
<range><lt>4.12.14</lt></range>
</package>
<package>
<name>samba413</name>
<range><lt>4.13.7</lt></range>
</package>
<package>
<name>samba414</name>
<range><lt>4.14.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba Team reports:</p>
<blockquote cite="https://www.samba.org/samba/history/security.html">
<ul>
<li>CVE-2020-27840: An anonymous attacker can crash the Samba AD DC
LDAP server by sending easily crafted DNs as
part of a bind request. More serious heap corruption
is likely also possible.</li>
<li>CVE-2021-20277: User-controlled LDAP filter strings against
the AD DC LDAP server may crash the LDAP server.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://www.samba.org/samba/security/CVE-2020-27840.html</url>
<url>https://www.samba.org/samba/security/CVE-2021-20277.html</url>
<cvename>CVE-2020-27840</cvename>
<cvename>CVE-2021-20277</cvename>
</references>
<dates>
<discovery>2021-03-24</discovery>
<entry>2021-03-28</entry>
</dates>
</vuln>
<vuln vid="80f9dbd3-8eec-11eb-b9e8-3525f51429a0">
<topic>nettle 3.7.2 -- fix serious ECDSA signature verify bug</topic>
<affects>
<package>
<name>nettle</name>
<range><lt>3.7.2</lt></range>
</package>
<package>
<name>linux-c7-nettle</name>
<range><lt>3.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Niels Möller reports:</p>
<blockquote cite="https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html">
<p>
I've prepared a new bug-fix release of Nettle, a low-level
cryptographic library, to fix a serious bug in the function to
verify ECDSA signatures. Implications include an assertion failure,
which could be used for denial-of-service, when verifying signatures
on the secp_224r1 and secp521_r1 curves.
</p>
<p>
Even when no assert is triggered in ecdsa_verify, ECC point
multiplication may get invalid intermediate values as input, and
produce incorrect results. [...] It appears difficult to construct
an alleged signature that makes the function misbehave in such a way
that an invalid signature is accepted as valid, but such attacks
can't be ruled out without further analysis.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009458.html</url>
</references>
<dates>
<discovery>2021-03-21</discovery>
<entry>2021-03-27</entry>
</dates>
</vuln>
<vuln vid="5a668ab3-8d86-11eb-b8d6-d4c9ef517024">
<topic>OpenSSL -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.1.1k,1</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>12.2</ge><lt>12.2_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20210325.txt">
<p>High: CA certificate check bypass with X509_V_FLAG_X509_STRICT
(CVE-2021-3450)<br/>The X509_V_FLAG_X509_STRICT flag enables
additional security checks of the certificates present in a
certificate chain. It is not set by default.</p>
<p>High: NULL pointer deref in signature_algorithms processing
(CVE-2021-3449)<br/>An OpenSSL TLS server may crash if sent a
maliciously crafted renegotiation ClientHello message from a client.
If a TLSv1.2 renegotiation ClientHello omits the
signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension
then a NULL pointer dereference will result, leading to a crash and
a denial of service attack.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.openssl.org/news/secadv/20210325.txt</url>
<cvename>CVE-2021-3449</cvename>
<cvename>CVE-2021-3450</cvename>
<freebsdsa>SA-21:07.openssl</freebsdsa>
</references>
<dates>
<discovery>2021-03-25</discovery>
<entry>2021-03-26</entry>
<modified>2021-04-07</modified>
</dates>
</vuln>
<vuln vid="ec04f3d0-8cd9-11eb-bb9f-206a8a720317">
<topic>spamassassin -- Malicious rule configuration (.cf) files can be configured to run system commands</topic>
<affects>
<package>
<name>spamassassin</name>
<range><lt>3.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache SpamAssassin project reports:</p>
<blockquote cite="https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C5b7cfd35-27b7-584b-1b39-b7ff0a55f586%40apache.org%3E">
<p>Apache SpamAssassin 3.4.5 was recently released [1], and fixes
an issue of security note where malicious rule configuration (.cf)
files can be configured to run system commands.</p>
<p>In Apache SpamAssassin before 3.4.5, exploits can be injected in
a number of scenarios. In addition to upgrading to SA 3.4.5,
users should only use update channels or 3rd party .cf files from
trusted places.</p>
</blockquote>
</body>
</description>
<references>
<url>https://spamassassin.apache.org/news.html</url>
<url>https://mail-archives.apache.org/mod_mbox/spamassassin-announce/202103.mbox/%3C5b7cfd35-27b7-584b-1b39-b7ff0a55f586%40apache.org%3E</url>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1946</url>
<cvename>CVE-2020-1946</cvename>
</references>
<dates>
<discovery>2021-03-24</discovery>
<entry>2021-03-24</entry>
</dates>
</vuln>
<vuln vid="c4d2f950-8c27-11eb-a3ae-0800278d94f0">
<topic>gitea -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gitea</name>
<range><lt>1.13.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Gitea Team reports for release 1.13.6:</p>
<blockquote cite="https://blog.gitea.io/2021/03/gitea-1.13.6-is-released/">
<ul>
<li>Fix bug on avatar middleware</li>
<li>Fix another clusterfuzz identified issue</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/go-gitea/gitea/releases/tag/v1.13.6</url>
<freebsdpr>ports/254515</freebsdpr>
</references>
<dates>
<discovery>2021-03-21</discovery>
<entry>2021-03-23</entry>
</dates>
</vuln>
<vuln vid="1431a25c-8a70-11eb-bd16-0800278d94f0">
<topic>gitea -- quoting in markdown text</topic>
<affects>
<package>
<name>gitea</name>
<range><lt>1.13.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Gitea Team reports for release 1.13.5:</p>
<blockquote cite="https://blog.gitea.io/2021/03/gitea-1.13.5-is-released/">
<ul>
<li>Update to goldmark 1.3.3</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/go-gitea/gitea/releases/tag/v1.13.5</url>
<freebsdpr>ports/254130</freebsdpr>
</references>
<dates>
<discovery>2021-03-20</discovery>
<entry>2021-03-21</entry>
</dates>
</vuln>
<vuln vid="76b5068c-8436-11eb-9469-080027f515ea">
<topic>OpenSSH -- Double-free memory corruption in ssh-agent</topic>
<affects>
<package>
<name>openssh-portable</name>
<name>openssh-portable-hpn</name>
<name>openssh-portable-gssapi</name>
<range><ge>8.2.p1,1</ge><lt>8.4.p1_4,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenBSD Project reports:</p>
<blockquote cite="https://www.openssh.com/txt/release-8.5">
<p>
ssh-agent(1): fixed a double-free memory corruption that was
introduced in OpenSSH 8.2. We treat all such memory faults as
potentially exploitable. This bug could be reached by an attacker
with access to the agent socket.
</p>
<p>
On modern operating systems where the OS can provide information
about the user identity connected to a socket, OpenSSH ssh-agent
and sshd limit agent socket access only to the originating user
and root. Additional mitigation may be afforded by the system's
malloc(3)/free(3) implementation, if it detects double-free
conditions.
</p>
<p>
The most likely scenario for exploitation is a user forwarding an
agent either to an account shared with a malicious user or to a
host with an attacker holding root access.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-28041</cvename>
<url>https://www.openssh.com/txt/release-8.5</url>
</references>
<dates>
<discovery>2021-03-03</discovery>
<entry>2021-03-13</entry>
<modified>2021-04-20</modified>
</dates>
</vuln>
<vuln vid="50e59056-87f2-11eb-b6a2-001b217b3468">
<topic>Gitlab -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>gitlab-ce</name>
<range><ge>13.9.0</ge><lt>13.9.4</lt></range>
<range><ge>13.8.0</ge><lt>13.8.6</lt></range>
<range><ge>13.2.0</ge><lt>13.7.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gitlab reports:</p>
<blockquote cite="https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/">
<p>Remote code execution via unsafe user-controlled markdown rendering options</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/</url>
</references>
<dates>
<discovery>2021-03-17</discovery>
<entry>2021-03-18</entry>
</dates>
</vuln>
<vuln vid="5b72b1ff-877c-11eb-bd4f-2f1d57dafe46">
<topic>dnsmasq -- cache poisoning vulnerability in certain configurations</topic>
<affects>
<package>
<name>dnsmasq</name>
<range><lt>2.85.r1,1</lt></range>
</package>
<package>
<name>dnsmasq-devel</name>
<range><lt>2.85.r1,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Kelley reports:</p>
<blockquote cite="https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014835.html">
<p>
[In configurations where the forwarding server address contains an @
character for specifying a sending interface or source address, the]
random source port behavior was disabled, making cache poisoning
attacks possible.
</p>
</blockquote>
<p>
This only affects configurations of the form server=1.1.1.1@em0 or
server=1.1.1.1@192.0.2.1, i.e. those that specify an interface to
send through or an IP address to send from, or that are used together
with NetworkManager.
</p>
</body>
</description>
<references>
<url>https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014835.html</url>
<cvename>CVE-2021-3448</cvename>
</references>
<dates>
<discovery>2021-03-17</discovery>
<entry>2021-03-18</entry>
</dates>
</vuln>
<vuln vid="b073677f-253a-41f9-bf2b-2d16072a25f6">
<topic>minio -- MITM attack</topic>
<affects>
<package>
<name>minio</name>
<range><lt>2021.03.17.02.33.02</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>minio developers report:</p>
<blockquote cite="https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp">
<p>
This is a security issue because it enables MITM modification of
request bodies that are meant to have integrity guaranteed by chunk
signatures.
</p>
<p>
In a PUT request using aws-chunked encoding, MinIO ordinarily
verifies signatures at the end of a chunk. This check can be skipped
if the client sends a false chunk size that is much greater than the
actual data sent: the server accepts and completes the request
without ever reaching the end of the chunk + thereby without ever
checking the chunk signature.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/minio/minio/security/advisories/GHSA-xr7r-7gpj-5pgp</url>
</references>
<dates>
<discovery>2021-03-17</discovery>
<entry>2021-03-17</entry>
</dates>
</vuln>
<vuln vid="eeca52dc-866c-11eb-b8d6-d4c9ef517024">
<topic>LibreSSL -- use-after-free</topic>
<affects>
<package>
<name>libressl</name>
<range><lt>3.2.4_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenBSD reports:</p>
<blockquote cite="https://marc.info/?l=openbsd-announce&amp;m=161582456312832&amp;w=2">
<p>A TLS client using session resumption may cause a use-after-free.</p>
</blockquote>
</body>
</description>
<references>
<url>https://marc.info/?l=openbsd-announce&amp;m=161582456312832&amp;w=2</url>
<url>https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/017_libssl.patch.sig</url>
</references>
<dates>
<discovery>2021-03-15</discovery>
<entry>2021-03-16</entry>
</dates>
</vuln>
<vuln vid="b81ad6d6-8633-11eb-99c5-e09467587c17">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>89.0.4389.90</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html">
<p>This release includes 5 security fixes, including:</p>
<ul>
<li>[1167357] High CVE-2021-21191: Use after free in WebRTC.
Reported by raven (@raid_akame) on 2021-01-15</li>
<li>[1181387] High CVE-2021-21192: Heap buffer overflow in tab
groups. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2021-02-23</li>
<li>[1186287] High CVE-2021-21193: Use after free in Blink.
Reported by Anonymous on 2021-03-09</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21191</cvename>
<cvename>CVE-2021-21192</cvename>
<cvename>CVE-2021-21193</cvename>
<url>https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html</url>
</references>
<dates>
<discovery>2021-03-12</discovery>
<entry>2021-03-16</entry>
</dates>
</vuln>
<vuln vid="317487c6-85ca-11eb-80fa-14dae938ec40">
<topic>squashfs-tools -- Integer overflow</topic>
<affects>
<package>
<name>squashfs-tools</name>
<range><lt>4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Phillip Lougher reports:</p>
<blockquote cite="https://github.com/plougher/squashfs-tools/commit/f95864afe8833fe3ad782d714b41378e860977b1">
<p>Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2015-4645</cvename>
<url>https://nvd.nist.gov/vuln/detail/CVE-2015-4645</url>
</references>
<dates>
<discovery>2017-03-17</discovery>
<entry>2021-03-15</entry>
</dates>
</vuln>
<vuln vid="72709326-81f7-11eb-950a-00155d646401">
<topic>go -- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader; archive/zip: panic when calling Reader.Open</topic>
<affects>
<package>
<name>go</name>
<range><lt>1.16.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Go project reports:</p>
<blockquote cite="https://github.com/golang/go/issues/44913">
<p>The Decode, DecodeElement, and Skip methods of an xml.Decoder
provided by xml.NewTokenDecoder may enter an infinite loop when
operating on a custom xml.TokenReader which returns an EOF in the
middle of an open XML element.</p>
</blockquote>
<blockquote cite="https://github.com/golang/go/issues/44916">
<p>The Reader.Open API, new in Go 1.16, will panic when used on a ZIP
archive containing files that start with "../".</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-27918</cvename>
<url>http://golang.org/issue/44913</url>
<cvename>CVE-2021-27919</cvename>
<url>http://golang.org/issue/44916</url>
</references>
<dates>
<discovery>2021-03-05</discovery>
<entry>2021-03-10</entry>
</dates>
</vuln>
<vuln vid="502ba001-7ffa-11eb-911c-0800278d94f0">
<topic>gitea -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gitea</name>
<range><lt>1.13.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Gitea Team reports for release 1.13.3:</p>
<blockquote cite="https://blog.gitea.io/2021/03/gitea-1.13.3-is-released/">
<ul>
<li>Turn default hash password algorithm back to pbkdf2 from argon2 until we find a better one</li>
</ul>
</blockquote>
<p>The Gitea Team reports for release 1.13.4:</p>
<blockquote cite="https://blog.gitea.io/2021/03/gitea-1.13.4-is-released/">
<ul>
<li>Fix issue popups</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/go-gitea/gitea/releases/tag/v1.13.3</url>
<url>https://github.com/go-gitea/gitea/releases/tag/v1.13.4</url>
<freebsdpr>ports/254130</freebsdpr>
</references>
<dates>
<discovery>2021-01-07</discovery>
<entry>2021-02-06</entry>
</dates>
</vuln>
<vuln vid="2dc8927b-54e0-11eb-9342-1c697a013f4b">
<topic>mantis -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mantis-php72</name>
<name>mantis-php73</name>
<name>mantis-php74</name>
<name>mantis-php80</name>
<range><lt>2.24.4,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mantis 2.24.4 release reports:</p>
<blockquote cite="https://mantisbt.org/bugs/changelog_page.php?project=mantisbt&amp;version=2.24.4">
<p>Security and maintenance release, addressing 6 CVEs:</p>
<ul>
<li>0027726: CVE-2020-29603: disclosure of private project name</li>
<li>0027727: CVE-2020-29605: disclosure of private issue summary</li>
<li>0027728: CVE-2020-29604: full disclosure of private issue contents, including bugnotes and attachments</li>
<li>0027361: Private category can be accessed/used by a non-member of a private project (IDOR)</li>
<li>0027779: CVE-2020-35571: XSS in helper_ensure_confirmed() calls</li>
<li>0026794: User Account - Takeover</li>
<li>0027363: Fixed in version can be changed to a version that doesn't exist</li>
<li>0027350: When updating an issue, a Viewer user can be set as Reporter</li>
<li>0027370: CVE-2020-35849: Revisions allow viewing private bugnotes id and summary</li>
<li>0027495: CVE-2020-28413: SQL injection in the parameter "access" on the mc_project_get_users function through the SOAP API.</li>
<li>0027444: Printing unsanitized user input in install.php</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-28413</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28413</url>
<cvename>CVE-2020-35849</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35849</url>
</references>
<dates>
<discovery>2020-11-10</discovery>
<entry>2021-03-10</entry>
</dates>
</vuln>
<vuln vid="2f3cd69e-7dee-11eb-b92e-0022489ad614">
<topic>Node.js -- February 2021 Security Releases</topic>
<affects>
<package>
<name>node10</name>
<range><lt>10.24.0</lt></range>
</package>
<package>
<name>node12</name>
<range><lt>12.21.0</lt></range>
</package>
<package>
<name>node14</name>
<range><lt>14.16.0</lt></range>
</package>
<package>
<name>node</name>
<range><lt>15.10.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Node.js reports:</p>
<blockquote cite="https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/">
<h1>HTTP2 'unknownProtocol' causes Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)</h1>
<p>Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and also prevents the process from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.</p>
<h1>DNS rebinding in --inspect (CVE-2021-22884)</h1>
<p>Affected Node.js versions are vulnerable to a DNS rebinding attack when the whitelist includes "localhost6". When "localhost6" is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain. As long as the attacker uses the "localhost6" domain, they can still apply the attack described in CVE-2018-7160.</p>
<h1>OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)</h1>
<p>This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt</p>
</blockquote>
</body>
</description>
<references>
<url>https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/</url>
<cvename>CVE-2021-22883</cvename>
<cvename>CVE-2021-22884</cvename>
<cvename>CVE-2021-23840</cvename>
</references>
<dates>
<discovery>2021-02-23</discovery>
<entry>2021-03-09</entry>
</dates>
</vuln>
<vuln vid="8bf856ea-7df7-11eb-9aad-001b217b3468">
<topic>Gitlab -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>gitlab-ce</name>
<range><ge>13.9.0</ge><lt>13.9.2</lt></range>
<range><ge>13.8.0</ge><lt>13.8.5</lt></range>
<range><lt>13.7.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gitlab reports:</p>
<blockquote cite="https://about.gitlab.com/releases/2021/03/04/security-release-gitlab-13-9-2-released/">
<p>JWT token leak via Workhorse</p>
<p>Stored XSS in wiki pages</p>
<p>Group Maintainers are able to use the Group CI/CD Variables API</p>
<p>Insecure storage of GitLab session keys</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/releases/2021/03/04/security-release-gitlab-13-9-2-released/</url>
<cvename>CVE-2021-22185</cvename>
<cvename>CVE-2021-22186</cvename>
</references>
<dates>
<discovery>2021-03-04</discovery>
<entry>2021-03-05</entry>
</dates>
</vuln>
<vuln vid="9e8f0766-7d21-11eb-a2be-001999f8d30b">
<topic>asterisk -- Crash when negotiating T.38 with a zero port</topic>
<affects>
<package>
<name>asterisk16</name>
<range><lt>16.16.2</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><lt>18.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/downloads/security-advisories">
<p>When Asterisk sends a re-invite initiating T.38 faxing
and the endpoint responds with a m=image line and zero
port, a crash will occur in Asterisk. This is a reoccurrence
of AST-2019-004.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2019-15297</cvename>
<url>https://downloads.asterisk.org/pub/security/AST-2021-006.html</url>
</references>
<dates>
<discovery>2021-02-20</discovery>
<entry>2021-03-04</entry>
</dates>
</vuln>
<vuln vid="f00b65d8-7ccb-11eb-b3be-e09467587c17">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>89.0.4389.72</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html">
<p>This release includes 47 security fixes, including the below.
Google is aware of reports that an exploit for CVE-2021-21166 exists
in the wild. Please see URL for details.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21159</cvename>
<cvename>CVE-2021-21160</cvename>
<cvename>CVE-2021-21161</cvename>
<cvename>CVE-2021-21162</cvename>
<cvename>CVE-2021-21163</cvename>
<cvename>CVE-2021-21164</cvename>
<cvename>CVE-2021-21165</cvename>
<cvename>CVE-2021-21166</cvename>
<cvename>CVE-2021-21167</cvename>
<cvename>CVE-2021-21168</cvename>
<cvename>CVE-2021-21169</cvename>
<cvename>CVE-2021-21170</cvename>
<cvename>CVE-2021-21171</cvename>
<cvename>CVE-2021-21172</cvename>
<cvename>CVE-2021-21173</cvename>
<cvename>CVE-2021-21174</cvename>
<cvename>CVE-2021-21175</cvename>
<cvename>CVE-2021-21176</cvename>
<cvename>CVE-2021-21177</cvename>
<cvename>CVE-2021-21178</cvename>
<cvename>CVE-2021-21179</cvename>
<cvename>CVE-2021-21180</cvename>
<cvename>CVE-2021-21181</cvename>
<cvename>CVE-2021-21182</cvename>
<cvename>CVE-2021-21183</cvename>
<cvename>CVE-2021-21184</cvename>
<cvename>CVE-2021-21185</cvename>
<cvename>CVE-2021-21186</cvename>
<cvename>CVE-2021-21187</cvename>
<cvename>CVE-2021-21188</cvename>
<cvename>CVE-2021-21189</cvename>
<cvename>CVE-2021-21190</cvename>
<cvename>CVE-2020-27844</cvename>
<url>https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2021-03-02</discovery>
<entry>2021-03-04</entry>
</dates>
</vuln>
<vuln vid="3a469cbc-7a66-11eb-bd3f-08002728f74c">
<topic>jasper -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jasper</name>
<range><lt>2.0.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>JasPer Releases:</p>
<blockquote cite="https://github.com/jasper-software/jasper/releases">
<ul>
<li>Fix memory-related bugs in the JPEG-2000 codec resulting from
attempting to decode invalid code streams. (#264, #265)
This fix is associated with CVE-2021-26926 and CVE-2021-26927.</li>
<li>Fix wrong return value under some compilers (#260)</li>
<li>Fix CVE-2021-3272 heap buffer overflow in jp2_decode (#259)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/jasper-software/jasper/releases</url>
<cvename>CVE-2021-26926</cvename>
<cvename>CVE-2021-26927</cvename>
<cvename>CVE-2021-3272</cvename>
</references>
<dates>
<discovery>2021-02-07</discovery>
<entry>2021-03-03</entry>
</dates>
</vuln>
<vuln vid="a1e03a3d-7be0-11eb-b392-20cf30e32f6d">
<topic>salt -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py36-salt-2019</name>
<name>py37-salt-2019</name>
<name>py38-salt-2019</name>
<name>py36-salt</name>
<name>py37-salt</name>
<name>py38-salt</name>
<name>py39-salt</name>
<range><lt>2019.2.8</lt></range>
<range><ge>3000</ge><lt>3002.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SaltStack reports multiple security vulnerabilities in Salt:</p>
<blockquote cite="https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/">
<ul>
<li>CVE-2021-3197: The Salt-API's SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.</li>
<li>CVE-2021-25281: The Salt-API does not have eAuth credentials for the wheel_async client.</li>
<li>CVE-2021-25282: The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.</li>
<li>CVE-2021-25283: The jinja renderer does not protect against server-side template injection attacks.</li>
<li>CVE-2021-25284: webutils write passwords in cleartext to /var/log/salt/minion</li>
<li>CVE-2021-3148: command injection in salt.utils.thin.gen_thin()</li>
<li>CVE-2020-35662: Several places where Salt was not verifying the SSL cert by default.</li>
<li>CVE-2021-3144: eauth Token can be used once after expiration.</li>
<li>CVE-2020-28972: Code base not validating SSL/TLS certificate of the server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack</li>
<li>CVE-2020-28243: Local Privilege Escalation in the Minion.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/</url>
<cvename>CVE-2021-3197</cvename>
<cvename>CVE-2021-25281</cvename>
<cvename>CVE-2021-25282</cvename>
<cvename>CVE-2021-25283</cvename>
<cvename>CVE-2021-25284</cvename>
<cvename>CVE-2021-3148</cvename>
<cvename>CVE-2020-35662</cvename>
<cvename>CVE-2021-3144</cvename>
<cvename>CVE-2020-28972</cvename>
<cvename>CVE-2020-28243</cvename>
</references>
<dates>
<discovery>2021-02-25</discovery>
<entry>2021-03-03</entry>
</dates>
</vuln>
<vuln vid="52bd2d59-4ab5-4bef-a599-7aac4e92238b">
<topic>vault -- unauthenticated license read</topic>
<affects>
<package>
<name>vault</name>
<range><lt>1.6.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>vault developers report:</p>
<blockquote cite="https://github.com/hashicorp/vault/releases/tag/v1.6.3">
<p>Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated reading of Vault licenses from DR Secondaries.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-27668</cvename>
<url>https://github.com/hashicorp/vault/releases/tag/v1.6.3</url>
</references>
<dates>
<discovery>2021-02-26</discovery>
<entry>2021-02-27</entry>
</dates>
</vuln>
<vuln vid="31ad2f10-7711-11eb-b87a-901b0ef719ab">
<topic>FreeBSD -- jail_remove(2) fails to kill all jailed processes</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>12.2</ge><lt>12.2_4</lt></range>
<range><ge>11.4</ge><lt>11.4_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to a race condition in the jail_remove(2) implementation, it
may fail to kill some of the processes.</p>
<h1>Impact:</h1>
<p>A process running inside a jail can avoid being killed during jail
termination. If a jail is subsequently started with the same root
path, a lingering jailed process may be able to exploit the window
during which a devfs filesystem is mounted but the jail's devfs
ruleset has not been applied, to access device nodes which are
ordinarily inaccessible. If the process is privileged, it may be able
to escape the jail and gain full access to the system.</p>
</body>
</description>
<references>
<cvename>CVE-2020-25581</cvename>
<freebsdsa>SA-21:04.jail_remove</freebsdsa>
</references>
<dates>
<discovery>2021-02-24</discovery>
<entry>2021-02-25</entry>
</dates>
</vuln>
<vuln vid="5b8c6e1e-770f-11eb-b87a-901b0ef719ab">
<topic>FreeBSD -- Xen grant mapping error handling issues</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>12.2</ge><lt>12.2_4</lt></range>
<range><ge>11.4</ge><lt>11.4_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Grant mapping operations often occur in batch hypercalls, where a
number of operations are done in a single hypercall, the success or
failure of each one reported to the backend driver, and the backend
driver then loops over the results, performing follow-up actions
based on the success or failure of each operation.</p>
<p>Unfortunately, when running in HVM/PVH mode, the FreeBSD backend
drivers mishandle this: Some errors are ignored, effectively implying
their success from the success of related batch elements. In other
cases, errors resulting from one batch element lead to further batch
elements not being inspected, and hence successful ones not being
possible to properly unmap upon error recovery.</p>
<h1>Impact:</h1>
<p>A malicious or buggy frontend driver may be able to cause resource
leaks in the domain running the corresponding backend driver.</p>
</body>
</description>
<references>
<cvename>CVE-2021-26932</cvename>
<freebsdsa>SA-21:06.xen</freebsdsa>
</references>
<dates>
<discovery>2021-02-24</discovery>
<entry>2021-02-25</entry>
</dates>
</vuln>
<vuln vid="bba850fd-770e-11eb-b87a-901b0ef719ab">
<topic>FreeBSD -- jail_attach(2) relies on the caller to change the cwd</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>12.2</ge><lt>12.2_4</lt></range>
<range><ge>11.4</ge><lt>11.4_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When a process, such as jexec(8) or killall(1), calls jail_attach(2)
to enter a jail, the jailed root can attach to it using ptrace(2) before
the current working directory is changed.</p>
<h1>Impact:</h1>
<p>A process with superuser privileges running inside a jail could change
the root directory outside of the jail, thereby gaining full read and
write access to all files and directories in the system.</p>
</body>
</description>
<references>
<cvename>CVE-2020-25582</cvename>
<freebsdsa>SA-21:05.jail_chdir</freebsdsa>
</references>
<dates>
<discovery>2021-02-24</discovery>
<entry>2021-02-25</entry>
</dates>
</vuln>
<vuln vid="a8654f1d-770d-11eb-b87a-901b0ef719ab">
<topic>FreeBSD -- login.access fails to apply rules</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>12.2</ge><lt>12.2_4</lt></range>
<range><ge>11.4</ge><lt>11.4_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A regression in the login.access(5) rule processor has the effect
of causing rules to fail to match even when they should not. This
means that rules denying access may be ignored.</p>
<h1>Impact:</h1>
<p>The configuration in login.access(5) may not be applied, permitting
login access to users even when the system is configured to deny it.</p>
</body>
</description>
<references>
<cvename>CVE-2020-25580</cvename>
<freebsdsa>SA-21:03.pam_login_access</freebsdsa>
</references>
<dates>
<discovery>2021-02-24</discovery>
<entry>2021-02-25</entry>
</dates>
</vuln>
<vuln vid="0e38b8f8-75dd-11eb-83f2-8c164567ca3c">
<topic>redis -- Integer overflow on 32-bit systems</topic>
<affects>
<package>
<name>redis-devel</name>
<range><lt>6.2.0</lt></range>
</package>
<package>
<name>redis</name>
<range><lt>6.0.11</lt></range>
</package>
<package>
<name>redis5</name>
<range><lt>5.0.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redis Development team reports:</p>
<blockquote cite="https://github.com/redis/redis/releases/tag/6.2.0">
<p>Redis 4.0 or newer uses a configurable limit for
the maximum supported bulk input size. By default,
it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a
large request from a client may trigger several
integer overflow scenarios, which would result with
buffer overflow and heap corruption.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21309</cvename>
</references>
<dates>
<discovery>2021-02-22</discovery>
<entry>2021-02-23</entry>
</dates>
</vuln>
<vuln vid="3e9624b3-e92b-4460-8a5a-93247c52c5a1">
<topic>zeek -- Remote crash vulnerability</topic>
<affects>
<package>
<name>zeek</name>
<range><lt>3.0.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jon Siwek of Corelight reports:</p>
<blockquote cite="https://github.com/zeek/zeek/releases/tag/v3.0.13">
<p>Fix ASCII Input reader's treatment of input files
containing null-bytes. An input file containing null-bytes
could lead to a buffer-over-read, crash Zeek, and be
exploited to cause Denial of Service.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/zeek/zeek/releases/tag/v3.0.13</url>
</references>
<dates>
<discovery>2021-02-10</discovery>
<entry>2021-02-22</entry>
</dates>
</vuln>
<vuln vid="9c03845c-7398-11eb-bc0e-2cf05d620ecc">
<topic>raptor2 -- malformed input file can lead to a segfault</topic>
<affects>
<package>
<name>raptor2</name>
<range><lt>2.0.15_17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Redland Issue Tracker reports:</p>
<blockquote cite="https://bugs.librdf.org/mantis/view.php?id=650">
<p>due to an out of bounds array access in
raptor_xml_writer_start_element_common.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.librdf.org/mantis/view.php?id=650</url>
</references>
<dates>
<discovery>2020-11-24</discovery>
<entry>2021-02-20</entry>
</dates>
</vuln>
<vuln vid="a45d945a-cc2c-4cd7-a941-fb58fdb1b01e">
<topic>jenkins -- Privilege escalation vulnerability in bundled Spring Security library</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>2.280</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://www.jenkins.io/security/advisory/2021-02-19/">
<h1>Description</h1>
<h5>(high) SECURITY-2195 / CVE-2021-22112</h5>
<p>Privilege escalation vulnerability in bundled Spring Security library</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.jenkins.io/security/advisory/2021-02-19/</url>
</references>
<dates>
<discovery>2021-02-19</discovery>
<entry>2021-02-20</entry>
</dates>
</vuln>
<vuln vid="1bb2826b-7229-11eb-8386-001999f8d30b">
<topic>asterisk -- Remote Crash Vulnerability in PJSIP channel driver</topic>
<affects>
<package>
<name>asterisk13</name>
<range><lt>13.38.2</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><lt>16.16.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><lt>18.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/downloads/security-advisories">
<p>Given a scenario where an outgoing call is placed from
Asterisk to a remote SIP server it is possible for a crash
to occur.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-26906</cvename>
<url>https://downloads.asterisk.org/pub/security/AST-2021-005.html</url>
</references>
<dates>
<discovery>2021-02-08</discovery>
<entry>2021-02-18</entry>
</dates>
</vuln>
<vuln vid="ca21f5e7-7228-11eb-8386-001999f8d30b">
<topic>asterisk -- An unsuspecting user could crash Asterisk with multiple hold/unhold requests</topic>
<affects>
<package>
<name>asterisk16</name>
<range><ge>16.16.0</ge><lt>16.16.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><ge>18.2.0</ge><lt>18.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/downloads/security-advisories">
<p>Due to a signedness comparison mismatch, an authenticated
WebRTC client could cause a stack overflow and Asterisk
crash by sending multiple hold/unhold requests in quick
succession.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-26714</cvename>
<url>https://downloads.asterisk.org/pub/security/AST-2021-004.html</url>
</references>
<dates>
<discovery>2021-02-11</discovery>
<entry>2021-02-18</entry>
</dates>
</vuln>
<vuln vid="5d8ef725-7228-11eb-8386-001999f8d30b">
<topic>asterisk -- Remote attacker could prematurely tear down SRTP calls</topic>
<affects>
<package>
<name>asterisk13</name>
<range><ge>13.38.1</ge><lt>13.38.2</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><ge>16.16.0</ge><lt>16.16.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><ge>18.2.0</ge><lt>18.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/downloads/security-advisories">
<p>An unauthenticated remote attacker could replay SRTP
packets which could cause an Asterisk instance configured
without strict RTP validation to tear down calls
prematurely.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-26712</cvename>
<url>https://downloads.asterisk.org/pub/security/AST-2021-003.html</url>
</references>
<dates>
<discovery>2021-02-18</discovery>
<entry>2021-02-18</entry>
</dates>
</vuln>
<vuln vid="e3894955-7227-11eb-8386-001999f8d30b">
<topic>asterisk -- Remote crash possible when negotiating T.38</topic>
<affects>
<package>
<name>asterisk16</name>
<range><ge>16.15.0</ge><lt>16.16.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><ge>18.1.0</ge><lt>18.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/downloads/security-advisories">
<p>When re-negotiating for T.38 if the initial remote
response was delayed just enough Asterisk would send both
audio and T.38 in the SDP. If this happened, and the
remote responded with a declined T.38 stream then Asterisk
would crash.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-26717</cvename>
<url>https://downloads.asterisk.org/pub/security/AST-2021-002.html</url>
</references>
<dates>
<discovery>2021-02-05</discovery>
<entry>2021-02-18</entry>
</dates>
</vuln>
<vuln vid="b330db5f-7225-11eb-8386-001999f8d30b">
<topic>asterisk -- Remote crash in res_pjsip_diversion</topic>
<affects>
<package>
<name>asterisk13</name>
<range><ge>13.38.1</ge><lt>13.38.2</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><ge>16.15.1</ge><lt>16.16.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><ge>18.1.1</ge><lt>18.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/downloads/security-advisories">
<p>If a registered user is tricked into dialing a malicious
number that sends lots of 181 responses to Asterisk, each
one will cause a 181 to be sent back to the original
caller with an increasing number of entries in the
"Supported" header. Eventually the number of entries in
the header exceeds the size of the entry array and causes
a crash.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-35776</cvename>
<url>https://downloads.asterisk.org/pub/security/AST-2021-001.html</url>
</references>
<dates>
<discovery>2021-01-04</discovery>
<entry>2021-02-18</entry>
</dates>
</vuln>
<vuln vid="8e670b85-706e-11eb-abb2-08002728f74c">
<topic>Rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-activerecord52</name>
<range><lt>5.2.4.5</lt></range>
</package>
<package>
<name>rubygem-actionpack60</name>
<name>rubygem-activerecord60</name>
<range><lt>6.0.3.5</lt></range>
</package>
<package>
<name>rubygem-actionpack61</name>
<name>rubygem-activerecord61</name>
<range><lt>6.1.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby on Rails blog:</p>
<blockquote cite="https://weblog.rubyonrails.org/2021/2/10/Rails-5-2-4-5-6-0-3-5-and-6-1-2-1-have-been-released/">
<p>Rails versions 5.2.4.5, 6.0.3.5 and 6.1.2.1 have been released! Those
versions are security releases and address two issues:</p>
<p>CVE-2021-22880: Possible DoS Vulnerability in Active Record PostgreSQL adapter.</p>
<p>CVE-2021-22881: Possible Open Redirect in Host Authorization Middleware.</p>
</blockquote>
</body>
</description>
<references>
<url>https://weblog.rubyonrails.org/2021/2/10/Rails-5-2-4-5-6-0-3-5-and-6-1-2-1-have-been-released/</url>
<url>https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129</url>
<url>https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130</url>
<cvename>CVE-2021-22880</cvename>
<cvename>CVE-2021-22881</cvename>
</references>
<dates>
<discovery>2021-02-10</discovery>
<entry>2021-02-17</entry>
</dates>
</vuln>
<vuln vid="48514901-711d-11eb-9846-e09467587c17">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>88.0.4324.182</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html">
<p>This release contains 10 security fixes, including:</p>
<ul>
<li>[1138143] High CVE-2021-21149: Stack overflow in Data Transfer.
Reported by Ryoya Tsukasaki on 2020-10-14</li>
<li>[1172192] High CVE-2021-21150: Use after free in Downloads.
Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2021-01-29</li>
<li>[1165624] High CVE-2021-21151: Use after free in Payments.
Reported by Khalil Zhani on 2021-01-12</li>
<li>[1166504] High CVE-2021-21152: Heap buffer overflow in Media.
Reported by Anonymous on 2021-01-14</li>
<li>[1155974] High CVE-2021-21153: Stack overflow in GPU Process.
Reported by Jan Ruge of ERNW GmbH on 2020-12-06</li>
<li>[1173269] High CVE-2021-21154: Heap buffer overflow in Tab
Strip. Reported by Abdulrahman Alqabandi, Microsoft Browser
Vulnerability Research on 2021-02-01</li>
<li>[1175500] High CVE-2021-21155: Heap buffer overflow in Tab
Strip. Reported by Khalil Zhani on 2021-02-07</li>
<li>[1177341] High CVE-2021-21156: Heap buffer overflow in V8.
Reported by Sergei Glazunov of Google Project Zero on
2021-02-11</li>
<li>[1170657] Medium CVE-2021-21157: Use after free in Web
Sockets. Reported by Anonymous on 2021-01-26</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21149</cvename>
<cvename>CVE-2021-21150</cvename>
<cvename>CVE-2021-21151</cvename>
<cvename>CVE-2021-21152</cvename>
<cvename>CVE-2021-21153</cvename>
<cvename>CVE-2021-21154</cvename>
<cvename>CVE-2021-21155</cvename>
<cvename>CVE-2021-21156</cvename>
<cvename>CVE-2021-21157</cvename>
<url>https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html</url>
</references>
<dates>
<discovery>2021-02-16</discovery>
<entry>2021-02-17</entry>
</dates>
</vuln>
<vuln vid="96a21236-707b-11eb-96d8-d4c9ef517024">
<topic>OpenSSL -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.1.1j,1</lt></range>
</package>
<package>
<name>openssl-devel</name>
<range><lt>3.0.0a12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL project reports:</p>
<blockquote cite="https://www.openssl.org/news/secadv/20210216.txt">
<p>Null pointer deref in X509_issuer_and_serial_hash()
CVE-2021-23841<br/>(Moderate) The OpenSSL public API function
X509_issuer_and_serial_hash() attempts to create a unique hash
value based on the issuer and serial number data contained within
an X509 certificate. However it fails to correctly handle any errors
that may occur while parsing the issuer field (which might occur if
the issuer field is maliciously constructed). This may subsequently
result in a NULL pointer deref and a crash leading to a potential
denial of service attack.</p>
<p>Integer overflow in CipherUpdate CVE-2021-23840<br/>(Low)
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
may overflow the output length argument in some cases where the
input length is close to the maximum permissible length for an
integer on the platform. In such cases the return value from the
function call will be 1 (indicating success), but the output length
value will be negative. This could cause applications to behave
incorrectly or crash.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.openssl.org/news/secadv/20210216.txt</url>
<cvename>CVE-2021-23841</cvename>
<cvename>CVE-2021-23840</cvename>
<cvename>CVE-2021-23839</cvename>
</references>
<dates>
<discovery>2021-02-16</discovery>
<entry>2021-02-16</entry>
<modified>2021-02-18</modified>
</dates>
</vuln>
<vuln vid="98044aba-6d72-11eb-aed7-1b1b8a70cc8b">
<topic>openexr, ilmbase -- security fixes related to reading corrupted input files</topic>
<affects>
<package>
<name>ilmbase</name>
<range><lt>2.5.5</lt></range>
</package>
<package>
<name>openexr</name>
<range><lt>2.5.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cary Phillips reports:</p>
<blockquote cite="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.5">
<p>Patch release with various bug/sanitizer/security fixes, primarily related to reading corrupted input files[...].</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.5</url>
<!-- updated 2021-05-08 from https://github.com/AcademySoftwareFoundation/openexr/commit/744cdecc87ff3489cc47204411d7903ceeb80be4 -->
<url>https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v2.5.4</url>
<cvename>CVE-2021-20296</cvename>
<cvename>CVE-2021-3479</cvename>
<cvename>CVE-2021-3478</cvename>
<cvename>CVE-2021-3477</cvename>
<cvename>CVE-2021-3476</cvename>
<cvename>CVE-2021-3475</cvename>
<cvename>CVE-2021-3474</cvename>
</references>
<dates>
<discovery>2021-02-12</discovery>
<entry>2021-02-12</entry>
</dates>
</vuln>
<vuln vid="1020d401-6d2d-11eb-ab0b-001b217b3468">
<topic>Gitlab -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>gitlab-ce</name>
<range><ge>13.8.0</ge><lt>13.8.4</lt></range>
<range><ge>13.7.0</ge><lt>13.7.7</lt></range>
<range><ge>10.5</ge><lt>13.6.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gitlab reports:</p>
<blockquote cite="https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/">
<p>Improper Certificate Validation for Fortinet OTP</p>
<p>Denial of Service Attack on gitlab-shell</p>
<p>Resource exhaustion due to pending jobs</p>
<p>Confidential issue titles were exposed</p>
<p>Improper access control allowed demoted project members to access authored merge requests</p>
<p>Improper access control allowed unauthorized users to access analytic pages</p>
<p>Unauthenticated CI lint API may lead to information disclosure and SSRF</p>
<p>Prometheus integration in Gitlab may lead to SSRF</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/</url>
</references>
<dates>
<discovery>2021-02-11</discovery>
<entry>2021-02-12</entry>
</dates>
</vuln>
<vuln vid="3003ba60-6cec-11eb-8815-040e3c1b8a02">
<topic>oauth2-proxy -- domain whitelist could be used as redirect</topic>
<affects>
<package>
<name>oauth2-proxy</name>
<range><lt>7.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-21291">
<p>In OAuth2 Proxy before version 7.0.0, for users that use the
whitelist domain feature, a domain that ended in a similar way to
the intended domain could have been allowed as a redirect.</p>
</blockquote>
</body>
</description>
<references>
<url>https://nvd.nist.gov/vuln/detail/CVE-2021-21291</url>
</references>
<dates>
<discovery>2021-02-02</discovery>
<entry>2021-02-12</entry>
</dates>
</vuln>
<vuln vid="06a5abd4-6bc2-11eb-b292-90e2baa3bafc">
<topic>mod_dav_svn -- server crash</topic>
<affects>
<package>
<name>mod_dav_svn</name>
<range><ge>1.9.0</ge><le>1.10.6</le></range>
<range><ge>1.11.0</ge><le>1.14.0</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion project reports:</p>
<blockquote cite="https://subversion.apache.org/security/CVE-2020-17525-advisory.txt">
<p>Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile
option and a client sends a request for a non-existing repository URL.</p>
</blockquote>
</body>
</description>
<references>
<url>https://subversion.apache.org/security/CVE-2020-17525-advisory.txt</url>
</references>
<dates>
<discovery>2021-01-29</discovery>
<entry>2021-02-10</entry>
</dates>
</vuln>
<vuln vid="cdb10765-6879-11eb-a7d8-08002734b9ed">
<topic>gitea -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gitea</name>
<range><lt>1.13.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Gitea Team reports for release 1.13.2:</p>
<blockquote cite="https://blog.gitea.io/2021/02/gitea-1.13.2-is-released/">
<ul>
<li>Prevent panic on fuzzer provided string</li>
<li>Add secure/httpOnly attributes to the lang cookie</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/go-gitea/gitea/releases/tag/v1.13.2</url>
<freebsdpr>ports/253295</freebsdpr>
</references>
<dates>
<discovery>2021-01-07</discovery>
<entry>2021-02-06</entry>
</dates>
</vuln>
<vuln vid="3e01aad2-680e-11eb-83e2-e09467587c17">
<topic>chromium -- heap buffer overflow in V8</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>88.0.4324.150</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html">
<p>[1170176] High CVE-2021-21148: Heap buffer overflow in V8.
Reported by Mattias Buelens on 2021-01-24. Google is aware of
reports that an exploit for CVE-2021-21148 exists in the wild.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21148</cvename>
<url>https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html</url>
</references>
<dates>
<discovery>2021-02-04</discovery>
<entry>2021-02-05</entry>
</dates>
</vuln>
<vuln vid="479fdfda-6659-11eb-83e2-e09467587c17">
<topic>www/chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>88.0.4324.146</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop.html">
<p>This update includes 6 security fixes:</p>
<ul>
<li>[1169317] Critical CVE-2021-21142: Use after free in Payments.
Reported by Khalil Zhani on 2021-01-21</li>
<li>[1163504] High CVE-2021-21143: Heap buffer overflow in
Extensions. Reported by Allen Parker and Alex Morgan of MU on
2021-01-06</li>
<li>[1163845] High CVE-2021-21144: Heap buffer overflow in Tab
Groups. Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2021-01-07</li>
<li>[1154965] High CVE-2021-21145: Use after free in Fonts. Reported
by Anonymous on 2020-12-03</li>
<li>[1161705] High CVE-2021-21146: Use after free in Navigation.
Reported by Alison Huffman and Choongwoo Han of Microsoft Browser
Vulnerability Research on 2020-12-24</li>
<li>[1162942] Medium CVE-2021-21147: Inappropriate implementation in
Skia. Reported by Roman Starkov on 2021-01-04</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-21142</cvename>
<cvename>CVE-2021-21143</cvename>
<cvename>CVE-2021-21144</cvename>
<cvename>CVE-2021-21145</cvename>
<cvename>CVE-2021-21146</cvename>
<cvename>CVE-2021-21147</cvename>
<url>https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2021-02-02</discovery>
<entry>2021-02-03</entry>
</dates>
</vuln>
<vuln vid="66d1c277-652a-11eb-bb3f-001b217b3468">
<topic>Gitlab -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>gitlab-ce</name>
<range><ge>13.8.0</ge><lt>13.8.2</lt></range>
<range><ge>13.7.0</ge><lt>13.7.6</lt></range>
<range><ge>11.8</ge><lt>13.6.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gitlab reports:</p>
<blockquote cite="https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/">
<p>Stored XSS in merge request</p>
<p>Stored XSS in epic's pages</p>
<p>Sensitive GraphQL variables exposed in structured log</p>
<p>Guest user can see tag names in private projects</p>
<p>Information disclosure via error message</p>
<p>DNS rebinding protection bypass</p>
<p>Validate existence of private project</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/blog/2021/02/01/security-release-gitlab-13-8-2-released/</url>
<cvename>CVE-2021-22172</cvename>
<cvename>CVE-2021-22169</cvename>
</references>
<dates>
<discovery>2021-02-01</discovery>
<entry>2021-02-02</entry>
</dates>
</vuln>
<vuln vid="8ec7d426-055d-46bc-8f5a-a9d73a5a71ab">
<topic>minio -- Server Side Request Forgery</topic>
<affects>
<package>
<name>minio</name>
<range><lt>2021.01.30.00.20.58</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Minio developers report:</p>
<blockquote cite="https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q">
<p>Thanks to @phith0n from our community, who upon a code review discovered an SSRF (Server Side Request Forgery) in our Browser API implementation. We have not observed this report/attack in the wild or reported elsewhere in the community at large.</p>
<p>All users are advised to upgrade ASAP.</p>
<p>The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.).</p>
<p>In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read from or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform POST requests towards internal services which are not intended to be exposed.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/minio/minio/security/advisories/GHSA-m4qq-5f7c-693q</url>
</references>
<dates>
<discovery>2021-01-29</discovery>
<entry>2021-01-31</entry>
</dates>
</vuln>
<vuln vid="5d91370b-61fd-11eb-b87a-901b0ef719ab">
<topic>FreeBSD -- Xen guests can trigger backend Out Of Memory</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>12.2</ge><lt>12.2_3</lt></range>
<range><ge>12.1</ge><lt>12.1_13</lt></range>
<range><ge>11.4</ge><lt>11.4_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Some OSes (including Linux, FreeBSD, and NetBSD) are processing watch
events using a single thread. If the events are received faster than
the thread is able to handle, they will get queued.</p>
<p>As the queue is unbounded, a guest may be able to trigger an OOM in
the backend.</p>
</body>
</description>
<references>
<cvename>CVE-2020-29568</cvename>
<freebsdsa>SA-21:02.xenoom</freebsdsa>
</references>
<dates>
<discovery>2021-01-29</discovery>
<entry>2021-01-29</entry>
</dates>
</vuln>
<vuln vid="a9c6e9be-61fb-11eb-b87a-901b0ef719ab">
<topic>FreeBSD -- Uninitialized kernel stack leaks in several file systems</topic>
<affects>
<package>
<name>FreeBSD-kernel</name>
<range><ge>12.2</ge><lt>12.2_3</lt></range>
<range><ge>12.1</ge><lt>12.1_13</lt></range>
<range><ge>11.4</ge><lt>11.4_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Several file systems were not properly initializing the d_off field
of the dirent structures returned by VOP_READDIR. In particular,
tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so.
As a result, eight uninitialized kernel stack bytes may be leaked to
userspace by these file systems. This problem is not present in
FreeBSD 11.</p>
<p>Additionally, msdosfs(5) was failing to zero-fill a pair of padding
fields in the dirent structure, resulting in a leak of three
uninitialized bytes.</p>
<h1>Impact:</h1>
<p>Kernel stack disclosures may leak sensitive information which could
be used to compromise the security of the system.</p>
</body>
</description>
<references>
<cvename>CVE-2020-25578</cvename>
<cvename>CVE-2020-25579</cvename>
<freebsdsa>SA-21:01.fsdisclosure</freebsdsa>
</references>
<dates>
<discovery>2021-01-29</discovery>
<entry>2021-01-29</entry>
</dates>
</vuln>
<vuln vid="13ca36b8-6141-11eb-8a36-7085c2fb2c14">
<topic>pngcheck -- Buffer-overrun vulnerability</topic>
<affects>
<package>
<name>pngcheck</name>
<range><lt>3.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The libpng project reports:</p>
<blockquote cite="http://www.libpng.org/pub/png/apps/pngcheck.html">
<p>pngcheck versions 3.0.0 and earlier have a pair of buffer-overrun
bugs related to the sPLT and PPLT chunks (the latter is a MNG-only
chunk, but it gets noticed even in PNG files if the -s option is used).
Both bugs are fixed in version 3.0.1, released on 24 January 2021.
Again, while all known vulnerabilities are fixed in this version,
the code is quite crufty, so it would be safest to assume there are
still some problems hidden in there. As always, use at your own risk.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.libpng.org/pub/png/apps/pngcheck.html</url>
</references>
<dates>
<discovery>2021-01-24</discovery>
<entry>2021-01-28</entry>
</dates>
</vuln>
<vuln vid="f3cf4b33-6013-11eb-9a0e-206a8a720317">
<topic>sudo -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.9.5p2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd C. Miller reports:</p>
<blockquote cite="https://www.sudo.ws/stable.html#1.9.5p2">
<p>When invoked as sudoedit, the same set of command line options
are now accepted as for sudo -e. The -H and -P options are now
rejected for sudoedit and sudo -e which matches the sudo 1.7
behavior. This is part of the fix for CVE-2021-3156.</p>
<p>Fixed a potential buffer overflow when unescaping backslashes in
the command's arguments. Normally, sudo escapes special characters
when running a command via a shell (sudo -s or sudo -i). However,
it was also possible to run sudoedit with the -s or -i flags in
which case no escaping had actually been done, making a buffer
overflow possible. This fixes CVE-2021-3156.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.sudo.ws/stable.html#1.9.5p2</url>
<cvename>CVE-2021-3156</cvename>
</references>
<dates>
<discovery>2021-01-26</discovery>
<entry>2021-01-26</entry>
</dates>
</vuln>
<vuln vid="fb67567a-5d95-11eb-a955-08002728f74c">
<topic>pysaml2 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py36-pysaml2</name>
<name>py37-pysaml2</name>
<name>py38-pysaml2</name>
<name>py39-pysaml2</name>
<range><lt>6.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>pysaml2 Releases:</p>
<blockquote cite="https://github.com/IdentityPython/pysaml2/releases">
<p>Fix processing of invalid SAML XML documents - CVE-2021-21238</p>
<p>Fix unspecified xmlsec1 key-type preference - CVE-2021-21239</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/IdentityPython/pysaml2/releases</url>
<url>https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-f4g9-h89h-jgv9</url>
<url>https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62</url>
<cvename>CVE-2021-21238</cvename>
<cvename>CVE-2021-21239</cvename>
</references>
<dates>
<discovery>2021-01-20</discovery>
<entry>2021-01-26</entry>
</dates>
</vuln>
<vuln vid="425f2143-8876-4b0a-af84-e0238c5c2062">
<topic>jenkins -- Arbitrary file read vulnerability in workspace browsers</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>2.276</lt></range>
</package>
<package>
<name>jenkins-lts</name>
<range><lt>2.263.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://www.jenkins.io/security/advisory/2021-01-26/">
<h1>Description</h1>
<h5>(Medium) SECURITY-2197 / CVE-2021-21615</h5>
<p>Arbitrary file read vulnerability in workspace browsers</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.jenkins.io/security/advisory/2021-01-26/</url>
</references>
<dates>
<discovery>2021-01-26</discovery>
<entry>2021-01-26</entry>
</dates>
</vuln>
<vuln vid="387bbade-5d1d-11eb-bf20-4437e6ad11c4">
<topic>mutt -- denial of service</topic>
<affects>
<package>
<name>mutt</name>
<range><lt>2.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tavis Ormandy reports:</p>
<blockquote cite="https://gitlab.com/muttmua/mutt/-/issues/323">
<p>
rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a
denial of service (mailbox unavailability) by sending email messages
with sequences of semicolon characters in RFC822 address fields
(aka terminators of empty groups). A small email message from the
attacker can cause large memory consumption, and the victim
may then be unable to see email messages from other persons.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://gitlab.com/muttmua/mutt/-/issues/323</url>
<cvename>CVE-2021-3181</cvename>
</references>
<dates>
<discovery>2021-01-17</discovery>
<entry>2021-01-23</entry>
</dates>
</vuln>
<vuln vid="31344707-5d87-11eb-929d-d4c9ef517024">
<topic>MySQL -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>mysql56-client</name>
<range><lt>5.6.51</lt></range>
</package>
<package>
<name>mysql57-client</name>
<range><lt>5.7.33</lt></range>
</package>
<package>
<name>mysql80-client</name>
<range><lt>8.0.23</lt></range>
</package>
<package>
<name>mysql56-server</name>
<range><lt>5.6.51</lt></range>
</package>
<package>
<name>mysql57-server</name>
<range><lt>5.7.33</lt></range>
</package>
<package>
<name>mysql80-server</name>
<range><lt>8.0.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Oracle reports:</p>
<blockquote cite="https://www.oracle.com/security-alerts/cpujan2021.html#AppendixMSQL">
<p>This Critical Patch Update contains 34 new security patches for
Oracle MySQL Server and 4 for MySQL Client. </p>
<p>The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle
MySQL is 6.8.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.oracle.com/security-alerts/cpujan2021.html#AppendixMSQL</url>
<cvename>CVE-2021-2046</cvename>
<cvename>CVE-2021-2020</cvename>
<cvename>CVE-2021-2024</cvename>
<cvename>CVE-2021-2011</cvename>
<cvename>CVE-2021-2006</cvename>
<cvename>CVE-2021-2048</cvename>
<cvename>CVE-2021-2028</cvename>
<cvename>CVE-2021-2122</cvename>
<cvename>CVE-2021-2058</cvename>
<cvename>CVE-2021-2001</cvename>
<cvename>CVE-2021-2016</cvename>
<cvename>CVE-2021-2021</cvename>
<cvename>CVE-2021-2030</cvename>
<cvename>CVE-2021-2031</cvename>
<cvename>CVE-2021-2036</cvename>
<cvename>CVE-2021-2055</cvename>
<cvename>CVE-2021-2060</cvename>
<cvename>CVE-2021-2070</cvename>
<cvename>CVE-2021-2076</cvename>
<cvename>CVE-2021-2065</cvename>
<cvename>CVE-2021-2014</cvename>
<cvename>CVE-2021-2002</cvename>
<cvename>CVE-2021-2012</cvename>
<cvename>CVE-2021-2009</cvename>
<cvename>CVE-2021-2072</cvename>
<cvename>CVE-2021-2081</cvename>
<cvename>CVE-2021-2022</cvename>
<cvename>CVE-2021-2038</cvename>
<cvename>CVE-2021-2061</cvename>
<cvename>CVE-2021-2056</cvename>
<cvename>CVE-2021-2087</cvename>
<cvename>CVE-2021-2088</cvename>
<cvename>CVE-2021-2032</cvename>
<cvename>CVE-2021-2010</cvename>
<cvename>CVE-2021-1998</cvename>
<cvename>CVE-2021-2007</cvename>
<cvename>CVE-2021-2019</cvename>
<cvename>CVE-2021-2042</cvename>
</references>
<dates>
<discovery>2021-01-23</discovery>
<entry>2021-01-23</entry>
</dates>
</vuln>
<vuln vid="4ed0e43c-5cef-11eb-bafd-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>88.0.4324.96</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html">
<p>This release contains 36 security fixes, including:</p>
<ul>
<li>[1137179] Critical CVE-2021-21117: Insufficient policy
enforcement in Cryptohome. Reported by Rory McNamara on
2020-10-10</li>
<li>[1161357] High CVE-2021-21118: Insufficient data validation in
V8. Reported by Tyler Nighswander (@tylerni7) of Theori on
2020-12-23</li>
<li>[1160534] High CVE-2021-21119: Use after free in Media. Reported
by Anonymous on 2020-12-20</li>
<li>[1160602] High CVE-2021-21120: Use after free in WebSQL.
Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha
Lab on 2020-12-21</li>
<li>[1161143] High CVE-2021-21121: Use after free in Omnibox.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2020-12-22</li>
<li>[1162131] High CVE-2021-21122: Use after free in Blink. Reported
by Renata Hodovan on 2020-12-28</li>
<li>[1137247] High CVE-2021-21123: Insufficient data validation in
File System API. Reported by Maciej Pulikowski on 2020-10-11</li>
<li>[1131346] High CVE-2021-21124: Potential use after free in
Speech Recognizer. Reported by Chaoyang Ding(@V4kst1z) from
Codesafe Team of Legendsec at Qi'anxin Group on 2020-09-23</li>
<li>[1152327] High CVE-2021-21125: Insufficient policy enforcement
in File System API. Reported by Ron Masas (Imperva) on
2020-11-24</li>
<li>[1163228] High CVE-2020-16044: Use after free in WebRTC.
Reported by Ned Williamson of Project Zero on 2021-01-05</li>
<li>[1108126] Medium CVE-2021-21126: Insufficient policy enforcement
in extensions. Reported by David Erceg on 2020-07-22</li>
<li>[1115590] Medium CVE-2021-21127: Insufficient policy enforcement
in extensions. Reported by Jasminder Pal Singh, Web Services Point
WSP, Kotkapura on 2020-08-12</li>
<li>[1138877] Medium CVE-2021-21128: Heap buffer overflow in Blink.
Reported by Liang Dong on 2020-10-15</li>
<li>[1140403] Medium CVE-2021-21129: Insufficient policy enforcement
in File System API. Reported by Maciej Pulikowski on
2020-10-20</li>
<li>[1140410] Medium CVE-2021-21130: Insufficient policy enforcement
in File System API. Reported by Maciej Pulikowski on
2020-10-20</li>
<li>[1140417] Medium CVE-2021-21131: Insufficient policy enforcement
in File System API. Reported by Maciej Pulikowski on
2020-10-20</li>
<li>[1128206] Medium CVE-2021-21132: Inappropriate implementation in
DevTools. Reported by David Erceg on 2020-09-15</li>
<li>[1157743] Medium CVE-2021-21133: Insufficient policy enforcement
in Downloads. Reported by wester0x01
(https://twitter.com/wester0x01) on 2020-12-11</li>
<li>[1157800] Medium CVE-2021-21134: Incorrect security UI in Page
Info. Reported by wester0x01 (https://twitter.com/wester0x01) on
2020-12-11</li>
<li>[1157818] Medium CVE-2021-21135: Inappropriate implementation in
Performance API. Reported by ndevtk on 2020-12-11</li>
<li>[1038002] Low CVE-2021-21136: Insufficient policy enforcement in
WebView. Reported by Shiv Sahni, Movnavinothan V and Imdad
Mohammed on 2019-12-27</li>
<li>[1093791] Low CVE-2021-21137: Inappropriate implementation in
DevTools. Reported by bobblybear on 2020-06-11</li>
<li>[1122487] Low CVE-2021-21138: Use after free in DevTools.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec
at Qi'anxin Group on 2020-08-27</li>
<li>[1136327] Low CVE-2021-21140: Uninitialized Use in USB. Reported
by David Manouchehri on 2020-10-08</li>
<li>[1140435] Low CVE-2021-21141: Insufficient policy enforcement in
File System API. Reported by Maciej Pulikowski on 2020-10-20</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-16044</cvename>
<cvename>CVE-2021-21117</cvename>
<cvename>CVE-2021-21118</cvename>
<cvename>CVE-2021-21119</cvename>
<cvename>CVE-2021-21120</cvename>
<cvename>CVE-2021-21121</cvename>
<cvename>CVE-2021-21122</cvename>
<cvename>CVE-2021-21123</cvename>
<cvename>CVE-2021-21124</cvename>
<cvename>CVE-2021-21125</cvename>
<cvename>CVE-2021-21126</cvename>
<cvename>CVE-2021-21127</cvename>
<cvename>CVE-2021-21128</cvename>
<cvename>CVE-2021-21129</cvename>
<cvename>CVE-2021-21130</cvename>
<cvename>CVE-2021-21131</cvename>
<cvename>CVE-2021-21132</cvename>
<cvename>CVE-2021-21133</cvename>
<cvename>CVE-2021-21134</cvename>
<cvename>CVE-2021-21135</cvename>
<cvename>CVE-2021-21136</cvename>
<cvename>CVE-2021-21137</cvename>
<cvename>CVE-2021-21138</cvename>
<cvename>CVE-2021-21139</cvename>
<cvename>CVE-2021-21140</cvename>
<cvename>CVE-2021-21141</cvename>
<url>https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html</url>
</references>
<dates>
<discovery>2021-01-19</discovery>
<entry>2021-01-22</entry>
</dates>
</vuln>
<vuln vid="35aef72c-5c8e-11eb-8309-4ccc6adda413">
<topic>chocolate-doom -- Arbitrary code execution</topic>
<affects>
<package>
<name>chocolate-doom</name>
<range><lt>3.0.1</lt></range>
</package>
<package>
<name>crispy-doom</name>
<range><lt>5.9.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michal Dardas from LogicalTrust reports:</p>
<blockquote cite="https://github.com/chocolate-doom/chocolate-doom/issues/1293">
<p>
The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't validate
the user-controlled num_players value, leading to a buffer overflow. A
malicious user can overwrite the server's stack.
</p>
</blockquote>
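<p>Added example, not code from Chocolate Doom or Crispy Doom: a hypothetical server-side parser for a packet that carries a player count. The unchecked variant uses the untrusted count as the loop bound over a fixed-size table, which is the overflow pattern the report describes; the checked variant rejects a count larger than the table and a packet shorter than the count implies. MAXPLAYERS, ENTRY_LEN and the packet layout are assumptions made for illustration.</p>
<pre><![CDATA[
```c
/*
 * Added example (not chocolate-doom's code): parsing a hypothetical
 * "game start" packet whose first byte is num_players, sent by a client.
 * Layout (assumed): [num_players][ENTRY_LEN bytes per player]...
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAXPLAYERS 8   /* capacity of the per-player table (assumed) */
#define ENTRY_LEN  4   /* bytes per player entry in the packet (assumed) */

struct player_slot {
    uint8_t addr[ENTRY_LEN];
};

/* Hardened: returns the number of players copied, or -1 if rejected. */
int parse_players_checked(const uint8_t *pkt, size_t len,
                          struct player_slot *out, size_t out_cap)
{
    if (len < 1)
        return -1;
    unsigned num_players = pkt[0];               /* attacker-controlled */

    /* The check the vulnerable server lacked: count must fit the table. */
    if (num_players > out_cap)
        return -1;
    /* The packet must actually carry that many entries (no over-read). */
    if (len - 1 < (size_t)num_players * ENTRY_LEN)
        return -1;

    for (unsigned i = 0; i < num_players; i++)
        memcpy(out[i].addr, pkt + 1 + (size_t)i * ENTRY_LEN, ENTRY_LEN);
    return (int)num_players;
}

/* Vulnerable pattern, for contrast: the loop bound is the untrusted byte,
 * so num_players > MAXPLAYERS writes past the caller's table. It is only
 * ever called with a well-formed packet in this example. */
int parse_players_unchecked(const uint8_t *pkt, size_t len,
                            struct player_slot *out)
{
    if (len < 1)
        return -1;
    unsigned num_players = pkt[0];
    for (unsigned i = 0; i < num_players; i++)   /* no cap vs. table size */
        memcpy(out[i].addr, pkt + 1 + (size_t)i * ENTRY_LEN, ENTRY_LEN);
    return (int)num_players;
}

/* Constructed packets so the outcomes can be compared. */
int demo_good_packet(void)
{
    const uint8_t pkt[] = { 2, 1,2,3,4, 5,6,7,8 };   /* 2 players, 2 entries */
    struct player_slot slots[MAXPLAYERS];
    return parse_players_checked(pkt, sizeof pkt, slots, MAXPLAYERS);
}

int demo_oversized_count(void)
{
    const uint8_t pkt[] = { 200 };                  /* claims 200 players */
    struct player_slot slots[MAXPLAYERS];
    return parse_players_checked(pkt, sizeof pkt, slots, MAXPLAYERS);
}

int demo_truncated_packet(void)
{
    const uint8_t pkt[] = { 3, 9,9,9,9 };           /* claims 3, carries 1 */
    struct player_slot slots[MAXPLAYERS];
    return parse_players_checked(pkt, sizeof pkt, slots, MAXPLAYERS);
}

int demo_unchecked_on_good_packet(void)
{
    const uint8_t pkt[] = { 2, 1,2,3,4, 5,6,7,8 };
    struct player_slot slots[MAXPLAYERS];
    return parse_players_unchecked(pkt, sizeof pkt, slots);
}

int main(void)
{
    printf("good=%d oversized=%d truncated=%d unchecked_good=%d\n",
           demo_good_packet(), demo_oversized_count(),
           demo_truncated_packet(), demo_unchecked_on_good_packet());
    return 0;
}
```
]]></pre>
<p>The two rejections are distinct: one bounds the count against the destination table, the other bounds it against the bytes actually received, and a network parser needs both.</p>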
</body>
</description>
<references>
<url>https://github.com/chocolate-doom/chocolate-doom/issues/1293</url>
<cvename>CVE-2020-14983</cvename>
</references>
<dates>
<discovery>2020-06-22</discovery>
<entry>2021-01-22</entry>
</dates>
</vuln>
<vuln vid="13c54e6d-5c45-11eb-b4e2-001b217b3468">
<topic>nokogiri -- Security vulnerability</topic>
<affects>
<package>
<name>rubygem-nokogiri</name>
<name>rubygem-nokogiri18</name>
<range><lt>1.11.0.rc3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nokogiri reports:</p>
<blockquote cite="https://nokogiri.org/CHANGELOG.html">
<p>In Nokogiri versions &lt;= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>https://nokogiri.org/CHANGELOG.html</url>
<cvename>CVE-2020-26247</cvename>
</references>
<dates>
<discovery>2021-01-22</discovery>
<entry>2021-01-22</entry>
</dates>
</vuln>
<vuln vid="5b5cf6e5-5b51-11eb-95ac-7f9491278677">
<topic>dnsmasq -- DNS cache poisoning and DNSSEC buffer overflow vulnerabilities</topic>
<affects>
<package>
<name>dnsmasq</name>
<range><lt>2.83</lt></range>
</package>
<package> <!-- not currently active, but listed in case someone still has a stale package -->
<name>dnsmasq-devel</name>
<range><lt>2.83</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Kelley reports:</p>
<blockquote cite="http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html">
<p>
There are broadly two sets of problems. The first is subtle errors
in dnsmasq's protections against the chronic weakness of the DNS
protocol to cache-poisoning attacks; the Birthday attack, Kaminsky,
etc.[...]
</p>
<p>
The second set of errors is a good old-fashioned buffer overflow in
dnsmasq's DNSSEC code. If DNSSEC validation is enabled, an
installation is at risk.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014599.html</url>
<url>https://www.jsof-tech.com/disclosures/dnspooq/</url>
<cvename>CVE-2020-25684</cvename>
<cvename>CVE-2020-25685</cvename>
<cvename>CVE-2020-25686</cvename>
<cvename>CVE-2020-25681</cvename>
<cvename>CVE-2020-25682</cvename>
<cvename>CVE-2020-25683</cvename>
<cvename>CVE-2020-25687</cvename>
</references>
<dates>
<discovery>2020-09-16</discovery> <!-- CVE creation date, vuln apparently known since August to JSOF? -->
<entry>2021-01-20</entry>
</dates>
</vuln>
<vuln vid="6a4805d5-5aaf-11eb-a21d-79f5bc5ef6a9">
<topic>go -- cmd/go: packages using cgo can cause arbitrary code execution at build time; crypto/elliptic: incorrect operations on the P-224 curve</topic>
<affects>
<package>
<name>go</name>
<range><lt>1.15.7,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Go project reports:</p>
<blockquote cite="https://github.com/golang/go/issues/43783">
<p>The go command may execute arbitrary code at build time when cgo is
in use on Windows. This may occur when running "go get", or
any other command that builds code. Only users who build untrusted
code (and don't execute it) are affected. In addition to Windows
users, this can also affect Unix users who have "." listed
explicitly in their PATH and are running "go get" or build
commands outside of a module or with module mode disabled.</p>
</blockquote>
<blockquote cite="https://github.com/golang/go/issues/43786">
<p>The P224() Curve implementation can in rare circumstances generate
incorrect outputs, including returning invalid points from
ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not
crypto/tls) packages support P-224 ECDSA keys, but they are not
supported by publicly trusted certificate authorities. No other
standard library or golang.org/x/crypto package supports or uses the
P-224 curve.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2021-3115</cvename>
<url>http://golang.org/issue/43783</url>
<cvename>CVE-2021-3114</cvename>
<url>http://golang.org/issue/43786</url>
</references>
<dates>
<discovery>2021-01-13</discovery>
<entry>2021-01-19</entry>
</dates>
</vuln>
<vuln vid="8899298f-5a92-11eb-8558-3085a9a47796">
<topic>cloud-init -- Wrong access permissions of authorized keys</topic>
<affects>
<package>
<name>cloud-init</name>
<range><ge>20.4</ge><lt>20.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cloud-init reports:</p>
<blockquote cite="https://bugs.launchpad.net/cloud-init/+bug/1911680">
<p>cloud-init release 20.4.1 is now available. This is a hotfix
release, that contains a single patch to address a security issue in
cloud-init 20.4.</p>
<p>Briefly, for users who provide more than one unique SSH key to
cloud-init and have a shared AuthorizedKeysFile configured in
sshd_config, cloud-init 20.4 started writing all of these keys to such a
file, granting all such keys SSH access as root.</p>
<p>It's worth restating this implication: if you are using the default
AuthorizedKeysFile setting in /etc/ssh/sshd_config, as most will be,
then you are _not_ affected by this issue.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.launchpad.net/cloud-init/+bug/1911680</url>
</references>
<dates>
<discovery>2021-01-14</discovery>
<entry>2021-01-19</entry>
</dates>
</vuln>
<vuln vid="abed4ff0-7da1-4236-880d-de33e4895315">
<topic>moinmoin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.9.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MoinMoin reports:</p>
<blockquote cite="https://github.com/moinwiki/moin-1.9/blob/1.9.11/docs/CHANGES#L13">
<ul>
<li><p>Security fix for CVE-2020-25074: fix remote code execution via cache action</p></li>
<li><p>Security fix for CVE-2020-15275: fix malicious SVG attachment causing stored XSS vulnerability</p></li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/moinwiki/moin-1.9/blob/1.9.11/docs/CHANGES#L13</url>
<cvename>CVE-2020-25074</cvename>
<cvename>CVE-2020-15275</cvename>
</references>
<dates>
<discovery>2020-11-08</discovery>
<entry>2021-01-18</entry>
</dates>
</vuln>
<vuln vid="62642942-590f-11eb-a0dc-8c164582fbac">
<topic>Ghostscript -- SAFER Sandbox Breakout</topic>
<affects>
<package>
<name>ghostscript9-agpl-base</name>
<range><ge>9.50</ge><lt>9.52_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVD reports:</p>
<blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2020-15900">
<p>A memory corruption issue was found in Artifex
Ghostscript 9.50 and 9.52. Use of a non-standard
PostScript operator can allow overriding of file access
controls. The 'rsearch' calculation for the 'post' size
resulted in a size that was too large, and could underflow
to max uint32_t. This was fixed in commit
5d499272b95a6b890a1397e11d20937de000d31b.</p>
</blockquote>
</body>
</description>
<references>
<url>https://nvd.nist.gov/vuln/detail/CVE-2020-15900</url>
</references>
<dates>
<discovery>2020-07-28</discovery>
<entry>2021-01-17</entry>
</dates>
</vuln>
<vuln vid="08b553ed-537a-11eb-be6e-0022489ad614">
<topic>Node.js -- January 2021 Security Releases</topic>
<affects>
<package>
<name>node10</name>
<range><lt>10.23.1</lt></range>
</package>
<package>
<name>node12</name>
<range><lt>12.20.1</lt></range>
</package>
<package>
<name>node14</name>
<range><lt>14.15.4</lt></range>
</package>
<package>
<name>node</name>
<range><lt>15.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Node.js reports:</p>
<blockquote cite="https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/">
<h1>use-after-free in TLSWrap (High) (CVE-2020-8265)</h1>
<p>Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.</p>
<h1>HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)</h1>
<p>Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.</p>
<h1>OpenSSL - EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)</h1>
<p>This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt.</p>
</blockquote>
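<p>Added example, not Node.js code: a scanner over a raw HTTP/1.1 request head that flags the ambiguity behind the request smuggling issue in the advisory, namely a repeated Transfer-Encoding header (and, more generally, a repeated Content-Length or Transfer-Encoding combined with Content-Length). A back end that honours the first copy and a front-end proxy that honours the last one disagree on where the body ends; rejecting such requests removes the disagreement. The request heads are constructed inputs and the verdict names are this example's own.</p>
<pre><![CDATA[
```c
/*
 * Added example (not Node.js code): detect header combinations that let
 * two HTTP parsers disagree about the message body length.
 */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum smuggle_verdict {
    HEAD_OK = 0,
    HEAD_DUP_TRANSFER_ENCODING = 1,   /* two Transfer-Encoding fields */
    HEAD_DUP_CONTENT_LENGTH = 2,      /* two Content-Length fields */
    HEAD_TE_AND_CONTENT_LENGTH = 3,   /* both framing mechanisms present */
    HEAD_MALFORMED = 4                /* no CRLF CRLF terminator */
};

/* Does the line start with "name:"? Field names are case-insensitive. */
static int field_is(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len <= n || line[n] != ':')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Scan header lines after the request line up to the blank line. */
enum smuggle_verdict check_request_head(const char *raw)
{
    int te = 0, cl = 0;
    const char *p = raw;

    const char *eol = strstr(p, "\r\n");     /* skip the request line */
    if (!eol)
        return HEAD_MALFORMED;
    p = eol + 2;

    for (;;) {
        eol = strstr(p, "\r\n");
        if (!eol)
            return HEAD_MALFORMED;           /* head never terminated */
        size_t len = (size_t)(eol - p);
        if (len == 0)
            break;                           /* blank line: end of head */
        if (field_is(p, len, "Transfer-Encoding"))
            te++;
        else if (field_is(p, len, "Content-Length"))
            cl++;
        p = eol + 2;
    }
    if (te > 1) return HEAD_DUP_TRANSFER_ENCODING;
    if (cl > 1) return HEAD_DUP_CONTENT_LENGTH;
    if (te && cl) return HEAD_TE_AND_CONTENT_LENGTH;
    return HEAD_OK;
}

/* Constructed request heads. */
enum smuggle_verdict demo_clean(void)
{
    return check_request_head(
        "POST / HTTP/1.1\r\nHost: example.test\r\n"
        "Transfer-Encoding: chunked\r\n\r\n");
}

enum smuggle_verdict demo_duplicate_te(void)
{
    return check_request_head(
        "POST / HTTP/1.1\r\nHost: example.test\r\n"
        "Transfer-Encoding: chunked\r\n"
        "transfer-encoding: identity\r\n\r\n");   /* second copy, different case */
}

enum smuggle_verdict demo_te_and_cl(void)
{
    return check_request_head(
        "POST / HTTP/1.1\r\nHost: example.test\r\n"
        "Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n");
}

enum smuggle_verdict demo_unterminated(void)
{
    return check_request_head("GET / HTTP/1.1\r\nHost: example.test\r\n");
}

int main(void)
{
    printf("clean=%d dup_te=%d te_and_cl=%d unterminated=%d\n",
           demo_clean(), demo_duplicate_te(), demo_te_and_cl(),
           demo_unterminated());
    return 0;
}
```
]]></pre>
<p>A real parser would also reject obsolete line folding and Transfer-Encoding values other than a final "chunked"; the point here is that silently picking one of two copies, as the affected versions did, is itself the defect.</p>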
</body>
</description>
<references>
<url>https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/</url>
<url>https://www.openssl.org/news/secadv/20201208.txt</url>
<cvename>CVE-2020-8265</cvename>
<cvename>CVE-2020-8287</cvename>
<cvename>CVE-2020-1971</cvename>
</references>
<dates>
<discovery>2021-01-04</discovery>
<entry>2021-01-14</entry>
</dates>
</vuln>
<vuln vid="0a8ebf4a-5660-11eb-b4e2-001b217b3468">
<topic>Gitlab -- vulnerability</topic>
<affects>
<package>
<name>gitlab-ce</name>
<range><ge>13.7.0</ge><lt>13.7.4</lt></range>
<range><ge>13.6.0</ge><lt>13.6.5</lt></range>
<range><ge>12.2</ge><lt>13.5.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gitlab reports:</p>
<blockquote cite="https://about.gitlab.com/releases/2021/01/14/critical-security-release-gitlab-13-7-4-released/">
<p>Ability to steal a user's API access token through GitLab Pages</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/releases/2021/01/14/critical-security-release-gitlab-13-7-4-released/</url>
</references>
<dates>
<discovery>2021-01-14</discovery>
<entry>2021-01-14</entry>
</dates>
</vuln>
<vuln vid="6d554d6e-5638-11eb-9d36-5404a68ad561">
<topic>wavpack -- integer overflow in pack_utils.c</topic>
<affects>
<package>
<name>wavpack</name>
<range><lt>5.4.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The wavpack project reports:</p>
<blockquote cite="https://github.com/dbry/WavPack/blob/733616993d53cc1f9a7ffb88a858447ba51eb0ee/ChangeLog">
<p>src/pack_utils.c</p>
<ul>
<li>issue #91: fix integer overflows resulting in buffer overruns (CVE-2020-35738)</li>
<li>sanitize configuration parameters better (improves clarity and aids debugging)</li>
</ul>
</blockquote>
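<p>Added example, not WavPack's code: computing a sample buffer size from caller-supplied configuration in a hypothetical encoder. The unchecked variant multiplies in 32-bit arithmetic, which wraps and yields an undersized allocation that later writes overrun; the checked variant bounds each parameter and checks the product against an allocation cap in 64-bit arithmetic, which is the kind of parameter sanitising the ChangeLog describes. The limits and parameter names are assumptions.</p>
<pre><![CDATA[
```c
/*
 * Added example (not WavPack's code): integer-overflow-safe buffer sizing
 * from untrusted channel count, sample width and sample count.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CHANNELS         256u                    /* assumed sane bound */
#define MAX_BYTES_PER_SAMPLE 4u                      /* 8..32-bit samples */
#define MAX_BUFFER_BYTES     (256u * 1024u * 1024u)  /* assumed allocation cap */

/* Vulnerable pattern: the product silently wraps modulo 2^32, so a huge
 * request can come back as a tiny (even zero) allocation size. */
uint32_t buffer_bytes_unchecked(uint32_t channels, uint32_t bytes_per_sample,
                                uint32_t samples)
{
    return channels * bytes_per_sample * samples;
}

/* Hardened: 0 on success with *out set; -1 if a parameter is out of range
 * or the total would exceed MAX_BUFFER_BYTES. Nothing here can wrap. */
int buffer_bytes_checked(uint32_t channels, uint32_t bytes_per_sample,
                         uint32_t samples, size_t *out)
{
    if (channels == 0 || channels > MAX_CHANNELS)
        return -1;
    if (bytes_per_sample == 0 || bytes_per_sample > MAX_BYTES_PER_SAMPLE)
        return -1;

    /* frame is at most 256 * 4 = 1024 bytes, so this multiply is safe. */
    uint64_t frame = (uint64_t)channels * bytes_per_sample;
    /* Divide instead of multiply to test the bound without overflowing. */
    if (samples > MAX_BUFFER_BYTES / frame)
        return -1;
    *out = (size_t)(frame * samples);
    return 0;
}

/* Constructed inputs so the two behaviours can be compared. */
uint32_t demo_wrapped_size(void)
{
    /* 2 channels * 4 bytes * 2^29 samples = 2^32 bytes, wraps to 0 */
    return buffer_bytes_unchecked(2, 4, 0x20000000u);
}

int demo_checked_rejects_wrap(void)
{
    size_t n = 0;
    return buffer_bytes_checked(2, 4, 0x20000000u, &n);
}

int demo_checked_rejects_bad_width(void)
{
    size_t n = 0;
    return buffer_bytes_checked(2, 5, 1000, &n);     /* 5-byte samples */
}

long demo_checked_accepts(void)
{
    size_t n = 0;
    if (buffer_bytes_checked(2, 2, 1000, &n) != 0)
        return -1;
    return (long)n;                                  /* 2 * 2 * 1000 */
}

int main(void)
{
    printf("wrapped=%u rejected=%d bad_width=%d accepted=%ld\n",
           demo_wrapped_size(), demo_checked_rejects_wrap(),
           demo_checked_rejects_bad_width(), demo_checked_accepts());
    return 0;
}
```
]]></pre>
<p>The division-based bound is the portable form; on GCC and Clang the same check can be written with __builtin_mul_overflow, but the explicit cap on the final size is still needed, since a product that fits in 64 bits can still be far larger than any buffer the encoder should hand out.</p>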
</body>
</description>
<references>
<url>https://github.com/dbry/WavPack/blob/733616993d53cc1f9a7ffb88a858447ba51eb0ee/ChangeLog</url>
<cvename>CVE-2020-35738</cvename>
</references>
<dates>
<discovery>2020-12-29</discovery>
<entry>2021-01-14</entry>
</dates>
</vuln>
<vuln vid="d6f76976-e86d-4f9a-9362-76c849b10db2">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>2.275</lt></range>
</package>
<package>
<name>jenkins-lts</name>
<range><lt>2.263.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory:</p>
<blockquote cite="https://www.jenkins.io/security/advisory/2021-01-13/">
<h1>Description</h1>
<h5>(Medium) SECURITY-1452 / CVE-2021-21602</h5>
<p>Arbitrary file read vulnerability in workspace browsers</p>
<h5>(High) SECURITY-1889 / CVE-2021-21603</h5>
<p>XSS vulnerability in notification bar</p>
<h5>(High) SECURITY-1923 / CVE-2021-21604</h5>
<p>Improper handling of REST API XML deserialization errors</p>
<h5>(High) SECURITY-2021 / CVE-2021-21605</h5>
<p>Path traversal vulnerability in agent names</p>
<h5>(Medium) SECURITY-2023 / CVE-2021-21606</h5>
<p>Arbitrary file existence check in file fingerprints</p>
<h5>(Medium) SECURITY-2025 / CVE-2021-21607</h5>
<p>Excessive memory allocation in graph URLs leads to denial of service</p>
<h5>(High) SECURITY-2035 / CVE-2021-21608</h5>
<p>Stored XSS vulnerability in button labels</p>
<h5>(Low) SECURITY-2047 / CVE-2021-21609</h5>
<p>Missing permission check for paths with specific prefix</p>
<h5>(High) SECURITY-2153 / CVE-2021-21610</h5>
<p>Reflected XSS vulnerability in markup formatter preview</p>
<h5>(High) SECURITY-2171 / CVE-2021-21611</h5>
<p>Stored XSS vulnerability on new item page</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.jenkins.io/security/advisory/2021-01-13/</url>
</references>
<dates>
<discovery>2021-01-13</discovery>
<entry>2021-01-13</entry>
</dates>
</vuln>
<vuln vid="1f655433-551b-11eb-9cda-589cfc0f81b0">
<topic>phpmyfaq -- XSS vulnerability</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><le>3.0.6</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpmyfaq developers report:</p>
<blockquote cite="https://www.phpmyfaq.de/security/advisory-2020-12-23">
<p>phpMyFAQ does not implement sufficient checks to avoid XSS
injection for displaying tags.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyfaq.de/security/advisory-2020-12-23</url>
</references>
<dates>
<discovery>2020-12-23</discovery>
<entry>2021-01-12</entry>
</dates>
</vuln>
<vuln vid="6193b3f6-548c-11eb-ba01-206a8a720317">
<topic>sudo -- Potential information leak in sudoedit</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.9.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd C. Miller reports:</p>
<blockquote cite="https://www.sudo.ws/stable.html#1.9.5">
<p>A potential information leak in sudoedit that could be used to
test for the existence of directories not normally accessible to
the user in certain circumstances. When creating a new file,
sudoedit checks to make sure the parent directory of the new file
exists before running the editor. However, a race condition exists
if the invoking user can replace (or create) the parent directory.
If a symbolic link is created in place of the parent directory,
sudoedit will run the editor as long as the target of the link
exists. If the target of the link does not exist, an error message
will be displayed. The race condition can be used to test for the
existence of an arbitrary directory. However, it _cannot_ be used
to write to an arbitrary location.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.sudo.ws/stable.html#1.9.5</url>
<cvename>CVE-2021-23239</cvename>
</references>
<dates>
<discovery>2021-01-11</discovery>
<entry>2021-01-11</entry>
</dates>
</vuln>
<vuln vid="a3cef1e6-51d8-11eb-9b8d-08002728f74c">
<topic>CairoSVG -- Regular Expression Denial of Service vulnerability</topic>
<affects>
<package>
<name>py36-cairosvg</name>
<name>py37-cairosvg</name>
<name>py38-cairosvg</name>
<name>py39-cairosvg</name>
<range><ge>2.0.0</ge><lt>2.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CairoSVG security advisories:</p>
<blockquote cite="https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf">
<p>When processing SVG files, the python package CairoSVG uses two regular
expressions which are vulnerable to Regular Expression Denial of Service
(REDoS).</p>
<p>If an attacker provides a malicious SVG, it can make cairosvg get stuck
processing the file for a very long time.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf</url>
</references>
<dates>
<discovery>2020-12-30</discovery>
<entry>2021-01-10</entry>
</dates>
</vuln>
<vuln vid="a2a2b34d-52b4-11eb-87cb-001b217b3468">
<topic>Gitlab -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gitlab-ce</name>
<range><ge>13.7.0</ge><lt>13.7.2</lt></range>
<range><ge>13.6.0</ge><lt>13.6.4</lt></range>
<range><ge>12.2</ge><lt>13.5.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gitlab reports:</p>
<blockquote cite="https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/">
<p>Ability to steal a user's API access token through GitLab Pages</p>
<p>Prometheus denial of service via HTTP request with custom method</p>
<p>Unauthorized user is able to access private repository information under specific conditions</p>
<p>Regular expression denial of service in NuGet API</p>
<p>Regular expression denial of service in package uploads</p>
<p>Update curl dependency</p>
<p>CVE-2019-3881 mitigation</p>
</blockquote>
</body>
</description>
<references>
<url>https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/</url>
<cvename>CVE-2021-22166</cvename>
<cvename>CVE-2020-26414</cvename>
<cvename>CVE-2019-3881</cvename>
</references>
<dates>
<discovery>2021-01-07</discovery>
<entry>2021-01-09</entry>
</dates>
</vuln>
<vuln vid="d153c4d2-50f8-11eb-8046-3065ec8fd3ec">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>87.0.4280.141</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chrome Releases reports:</p>
<blockquote cite="https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html">
<p>This release includes 16 security fixes, including:</p>
<ul>
<li>[1148749] High CVE-2021-21106: Use after free in autofill.
Reported by Weipeng Jiang (@Krace) from Codesafe Team of
Legendsec at Qi'anxin Group on 2020-11-13</li>
<li>[1153595] High CVE-2021-21107: Use after free in drag and
drop. Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2020-11-30</li>
<li>[1155426] High CVE-2021-21108: Use after free in media.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2020-12-04</li>
<li>[1152334] High CVE-2021-21109: Use after free in payments.
Reported by Rong Jian and Guang Gong of 360 Alpha Lab on
2020-11-24</li>
<li>[1152451] High CVE-2021-21110: Use after free in safe
browsing. Reported by Anonymous on 2020-11-24</li>
<li>[1149125] High CVE-2021-21111: Insufficient policy enforcement
in WebUI. Reported by Alesandro Ortiz on 2020-11-15</li>
<li>[1151298] High CVE-2021-21112: Use after free in Blink.
Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on
2020-11-20</li>
<li>[1155178] High CVE-2021-21113: Heap buffer overflow in Skia.
Reported by tsubmunu on 2020-12-03</li>
<li>[1148309] High CVE-2020-16043: Insufficient data validation in
networking. Reported by Samy Kamkar, Ben Seri at Armis, Gregory
Vishnepolsky at Armis on 2020-11-12</li>
<li>[1150065] High CVE-2021-21114: Use after free in audio.
Reported by Man Yue Mo of GitHub Security Lab on 2020-11-17</li>
<li>[1157790] High CVE-2020-15995: Out of bounds write in V8.
Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu
Lab on 2020-12-11</li>
<li>[1157814] High CVE-2021-21115: Use after free in safe browsing.
Reported by Leecraso and Guang Gong of 360 Alpha Lab on
2020-12-11</li>
<li>[1151069] Medium CVE-2021-21116: Heap buffer overflow in audio.
Reported by Alison Huffman, Microsoft Browser Vulnerability
Research on 2020-11-19</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2020-15995</cvename>
<cvename>CVE-2020-16043</cvename>
<cvename>CVE-2021-21106</cvename>
<cvename>CVE-2021-21107</cvename>
<cvename>CVE-2021-21108</cvename>
<cvename>CVE-2021-21109</cvename>
<cvename>CVE-2021-21110</cvename>
<cvename>CVE-2021-21111</cvename>
<cvename>CVE-2021-21112</cvename>
<cvename>CVE-2021-21113</cvename>
<cvename>CVE-2021-21114</cvename>
<cvename>CVE-2021-21115</cvename>
<cvename>CVE-2021-21116</cvename>
<url>https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html</url>
</references>
<dates>
<discovery>2021-01-06</discovery>
<entry>2021-01-07</entry>
</dates>
</vuln>
<vuln vid="bd98066d-4ea4-11eb-b412-e86a64caca56">
<topic>mail/dovecot -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dovecot</name>
<range><lt>2.3.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Aki Tuomi reports:</p>
<blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-January/000450.html">
<p>When imap hibernation is active, an attacker can cause Dovecot to
discover file system directory structure and access other users'
emails using a specially crafted command.
The attacker must have valid credentials to access the
mail server.</p>
</blockquote>
<blockquote cite="https://dovecot.org/pipermail/dovecot-news/2021-January/000451.html">
<p>Mail delivery / parsing crashed when the 10 000th MIME part was
message/rfc822 (or if parent was multipart/digest). This happened
due to earlier MIME parsing changes for CVE-2020-12100.</p>
</blockquote>
</body>
</description>
<references>
<url>https://dovecot.org/pipermail/dovecot-news/2021-January/000448.html</url>
<cvename>CVE-2020-24386</cvename>
<cvename>CVE-2020-25275</cvename>
</references>
<dates>
<discovery>2020-08-17</discovery>
<entry>2021-01-04</entry>
</dates>
</vuln>