The Samba Team reports:
+++ ++
+- CVE-2021-43566: Malicious client using an SMB1 or NFS race to allow + a directory to be created in an area of the server file system not + exported under the share definition.
+- CVE-2021-44141: Information leak via symlinks of existance of files + or directories outside of the exported share.
+- CVE-2021-44142: Out-of-bounds heap read/write vulnerability + in VFS module vfs_fruit allows code execution.
+- CVE-2022-0336: Samba AD users with permission to write to + an account can impersonate arbitrary services.
+
SO-AND-SO reports:
The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete.
Varnish Cache Project reports:
A request smuggling attack can be performed on HTTP/1 connections on Varnish Cache servers. The smuggled request would be treated as an additional request by the Varnish server, go through normal VCL processing, and injected as a spurious response on the client connection.
Cary Phillips reports:
[OpenEXR Version 3.1.4 is a] patch release that [...] addresses one public security vulnerability: CVE-2021-45942 Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute [and several] specific OSS-fuzz issues [...].
The OpenSSL project reports:
BN_mod_exp may produce incorrect results on MIPS (Moderate)
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.
huntr.dev reports:
In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strict_callables is true when section value is controllable.
Qualys reports:
We discovered a Local Privilege Escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.
Strongswan Release Notes reports:
Fixed a vulnerability in the EAP client implementation that was caused by incorrectly handling early EAP-Success messages. It may allow to bypass the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack. This vulnerability has been registered as CVE-2021-45079.
Strongswan Release Notes reports:
Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.
Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.
David Bouman reports:
AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.
Aide uses a fixed size (16k bytes) for the return buffer in encode_base64/decode_base64 functions. This results in a segfault if aide processes a file with too large extended attribute value or ACL.
Chrome Releases reports:
This release contains 26 security fixes, including:
- [1284367] Critical CVE-2022-0289: Use after free in Safe browsing. Reported by Sergei Glazunov of Google Project Zero on 2022-01-05
- [1260134][1260007] High CVE-2022-0290: Use after free in Site isolation. Reported by Brendon Tiszka and Sergei Glazunov of Google Project Zero on 2021-10-15
- [1281084] High CVE-2022-0291: Inappropriate implementation in Storage. Reported by Anonymous on 2021-12-19
- [1270358] High CVE-2022-0292: Inappropriate implementation in Fenced Frames. Reported by Brendon Tiszka on 2021-11-16
- [1283371] High CVE-2022-0293: Use after free in Web packaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-30
- [1273017] High CVE-2022-0294: Inappropriate implementation in Push messaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-11-23
- [1278180] High CVE-2022-0295: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-09
- [1283375] High CVE-2022-0296: Use after free in Printing. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-30
- [1274316] High CVE-2022-0297: Use after free in Vulkan. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
- [1212957] High CVE-2022-0298: Use after free in Scheduling. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-25
- [1275438] High CVE-2022-0300: Use after free in Text Input Method Editor. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-01
- [1276331] High CVE-2022-0301: Heap buffer overflow in DevTools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-12-03
- [1278613] High CVE-2022-0302: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-10
- [1281979] High CVE-2022-0303: Race in GPU Watchdog. Reported by Yigit Can YILMAZ (@yilmazcanyigit) on 2021-12-22
- [1282118] High CVE-2022-0304: Use after free in Bookmarks. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-22
- [1282354] High CVE-2022-0305: Inappropriate implementation in Service Worker API. Reported by @uwu7586 on 2021-12-23
- [1283198] High CVE-2022-0306: Heap buffer overflow in PDFium. Reported by Sergei Glazunov of Google Project Zero on 2021-12-29
- [1281881] Medium CVE-2022-0307: Use after free in Optimization Guide. Reported by Samet Bekmezci @sametbekmezci on 2021-12-21
- [1282480] Medium CVE-2022-0308: Use after free in Data Transfer. Reported by @ginggilBesel on 2021-12-24
- [1240472] Medium CVE-2022-0309: Inappropriate implementation in Autofill. Reported by Alesandro Ortiz on 2021-08-17
- [1283805] Medium CVE-2022-0310: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
- [1283807] Medium CVE-2022-0311: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
Oracle reports:
This Critical Patch Update contains 78 new security patches for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 7.4
The Prosody teaM reports:
It was discovered that an internal Prosody library to load XML based on does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
The WordPress project reports:
- Issue with stored XSS through post slugs
- Issue with Object injection in some multisite installations
- SQL injection vulnerability in WP_Query
- SQL injection vulnerability in WP_Meta_Query
Laurent Delosieres reports:
Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
CL_SCAN_GENERAL_COLLECT_METADATAscan option (theclamscan --gen-jsonoption) is enabled.
Jenkins Security Advisory:
Description
(Medium) SECURITY-2558 / CVE-2022-20612
CSRF vulnerability in build triggers
Gitlab reports:
Arbitrary file read via group import feature
Stored XSS in notes
Lack of state parameter on GitHub import project OAuth
Vulnerability related fields are available to unauthorized users on GraphQL API
Deleting packages may cause table locks
IP restriction bypass via GraphQL
Repository content spoofing using Git replacement references
Users can import members from projects that they are not a maintainer on through API
Possibility to direct user to malicious site through Slack integration
Bypassing file size limits to the NPM package repository
User with expired password can still access sensitive information
Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port
Upstream project reports:
Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner* functions where the text range in .hostText would not be duped using malloc but remain unchanged (and hence "not owned") for URIs with an IPv4 or IPv6 address hostname; depending on how an application uses uriparser, this could lead the application into a use-after-free situation. As the second half, fix uriFreeUriMembers* functions that would not free .hostText memory for URIs with an IPv4 or IPv6 address host; also, calling uriFreeUriMembers* multiple times on a URI of this very nature would result in trying to free pointers to stack (rather than heap) memory. Fix functions uriNormalizeSyntax* for out-of-memory situations (i.e. malloc returning NULL) for URIs containing empty segments (any of user info, host text, query, or fragment) where previously pointers to stack (rather than heap) memory were freed.
Django Release reports:
CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator.
CVE-2021-45116: Potential information disclosure in dictsort template filter.
CVE-2021-45452: Potential directory-traversal via Storage.save().
nlnetlabs reports:
Release 0.10.2 contains fixes for the following issues:
- Medium CVE-2021-43172: Infinite length chain of RRDP repositories. Credit: Koen van Hove. Date: 2021-11-09
- Medium CVE-2021-43173: Hanging RRDP request. Credit: Koen van Hove. Date: 2021-11-09
- Medium CVE-2021-43174: gzip transfer encoding caused out-of-memory crash. Credit Koen van Hove. Date: 2021-11-09
Chrome Releases reports:
This release contains 37 security fixes, including:
- [$TBD][1275020] Critical CVE-2022-0096: Use after free in Storage. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-11-30
- [1117173] High CVE-2022-0097: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-08-17
- [1273609] High CVE-2022-0098: Use after free in Screen Capture. Reported by @ginggilBesel on 2021-11-24
- [1245629] High CVE-2022-0099: Use after free in Sign-in. Reported by Rox on 2021-09-01
- [1238209] High CVE-2022-0100: Heap buffer overflow in Media streams API. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-08-10
- [1249426] High CVE-2022-0101: Heap buffer overflow in Bookmarks. Reported by raven (@raid_akame) on 2021-09-14
- [1260129] High CVE-2022-0102: Type Confusion in V8 . Reported by Brendon Tiszka on 2021-10-14
- [1272266] High CVE-2022-0103: Use after free in SwiftShader. Reported by Abraruddin Khan and Omair on 2021-11-21
- [1273661] High CVE-2022-0104: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-25
- [1274376] High CVE-2022-0105: Use after free in PDF. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
- [1278960] High CVE-2022-0106: Use after free in Autofill. Reported by Khalil Zhani on 2021-12-10
- [1248438] Medium CVE-2022-0107: Use after free in File Manager API. Reported by raven (@raid_akame) on 2021-09-10
- [1248444] Medium CVE-2022-0108: Inappropriate implementation in Navigation. Reported by Luan Herrera (@lbherrera_) on 2021-09-10
- [1261689] Medium CVE-2022-0109: Inappropriate implementation in Autofill. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2021-10-20
- [1237310] Medium CVE-2022-0110: Incorrect security UI in Autofill. Reported by Alesandro Ortiz on 2021-08-06
- [1241188] Medium CVE-2022-0111: Inappropriate implementation in Navigation. Reported by garygreen on 2021-08-18
- [1255713] Medium CVE-2022-0112: Incorrect security UI in Browser UI. Reported by Thomas Orlita on 2021-10-04
- [1039885] Medium CVE-2022-0113: Inappropriate implementation in Blink. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
- [1267627] Medium CVE-2022-0114: Out of bounds memory access in Web Serial. Reported by Looben Yang on 2021-11-06
- [1268903] Medium CVE-2022-0115: Uninitialized Use in File API. Reported by Mark Brand of Google Project Zero on 2021-11-10
- [1272250] Medium CVE-2022-0116: Inappropriate implementation in Compositing. Reported by Irvan Kurniawan (sourc7) on 2021-11-20
- [1115847] Low CVE-2022-0117: Policy bypass in Service Workers. Reported by Dongsung Kim (@kid1ng) on 2020-08-13
- [1238631] Low CVE-2022-0118: Inappropriate implementation in WebShare. Reported by Alesandro Ortiz on 2021-08-11
- [1262953] Low CVE-2022-0120: Inappropriate implementation in Passwords. Reported by CHAKRAVARTHI (Ruler96) on 2021-10-25