From foxboron at archlinux.org Mon Jun 1 22:21:06 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Mon, 1 Jun 2020 22:21:06 +0200
Subject: [manjaro-security] [ASA-202005-13] bind: denial of service
Message-ID: <20200601202106.adjoulhcesg5bj66@anathema>

Arch Linux Security Advisory ASA-202005-13
==========================================

Severity: High
Date    : 2020-05-20
CVE-ID  : CVE-2020-8616 CVE-2020-8617
Package : bind
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1165

Summary
=======

The package bind before version 9.16.3-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 9.16.3-1.

# pacman -Syu "bind>=9.16.3-1"

The problems have been fixed upstream in version 9.16.3.

Workaround
==========

None.

Description
===========

- CVE-2020-8616 (denial of service)

An issue has been found in bind before 9.16.3, which does not sufficiently limit the number of fetches which may be performed while processing a referral response. A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: the performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and the attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.

- CVE-2020-8617 (denial of service)

An error in bind before 9.16.3 in the code which checks the validity of messages containing TSIG resource records can be exploited by an attacker to trigger an assertion failure in tsig.c, resulting in denial of service to clients.
Impact
======

A remote attacker can use the recursor as an amplification vector to cause a denial of service via a crafted reply. In addition, a remote attacker can crash the application by guessing the TSIG key name.

References
==========

https://kb.isc.org/docs/cve-2020-8616
https://kb.isc.org/docs/cve-2020-8617
https://kb.isc.org/docs/cve-2020-8617-faq-and-supplemental-information
http://www.nxnsattack.com/
https://security.archlinux.org/CVE-2020-8616
https://security.archlinux.org/CVE-2020-8617

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL:

From foxboron at archlinux.org Mon Jun 1 22:21:23 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Mon, 1 Jun 2020 22:21:23 +0200
Subject: [manjaro-security] [ASA-202005-15] ant: arbitrary command execution
Message-ID: <20200601202123.ih7jmfsf7oqnve4v@anathema>

Arch Linux Security Advisory ASA-202005-15
==========================================

Severity: Medium
Date    : 2020-05-20
CVE-ID  : CVE-2020-1945
Package : ant
Type    : arbitrary command execution
Remote  : No
Link    : https://security.archlinux.org/AVG-1159

Summary
=======

The package ant before version 1.10.8-1 is vulnerable to arbitrary command execution.

Resolution
==========

Upgrade to 1.10.8-1.

# pacman -Syu "ant>=1.10.8-1"

The problem has been fixed upstream in version 1.10.8.

Workaround
==========

None.

Description
===========

Apache Ant uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

Impact
======

A local malicious user can inject code into the ant build process.
References
==========

https://lists.apache.org/thread.html/r8e592bbfc016a5dbe2a8c0e81ff99682b9c78c453621b82c14e7b75e%40%3Cdev.ant.apache.org%3E
https://security.archlinux.org/CVE-2020-1945

From foxboron at archlinux.org Mon Jun 1 22:21:15 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Mon, 1 Jun 2020 22:21:15 +0200
Subject: [manjaro-security] [ASA-202005-14] unbound: denial of service
Message-ID: <20200601202115.wvw2rkzcn2gnxoiu@anathema>

Arch Linux Security Advisory ASA-202005-14
==========================================

Severity: High
Date    : 2020-05-20
CVE-ID  : CVE-2020-12662 CVE-2020-12663
Package : unbound
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1164

Summary
=======

The package unbound before version 1.10.1-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 1.10.1-1.

# pacman -Syu "unbound>=1.10.1-1"

The problems have been fixed upstream in version 1.10.1.

Workaround
==========

None.

Description
===========

- CVE-2020-12662 (denial of service)

An issue has been found in unbound before 1.10.1, that makes it possible to have a single incoming query result in a large number of outgoing queries. This amplification makes it possible for Unbound to be used in a denial of service attack. The researchers discovering this called this attack the NXNSattack. This attack makes use of cache bypassing using random subdomains in the NSDNAME in NS records. When these delegation records are received during iteration, and the answer does not contain glue records, a resolver has to send out a query to get the IP address for one of the names. When this query fails (for example because the random name does not exist) a resolver will try the next one.
A large set of NS records with random names can result in a large number of outgoing queries going to the same target.

- CVE-2020-12663 (denial of service)

A security issue has been found in Unbound before 1.10.1, in the parser of received answers. Malformed answers received from upstream servers can result in Unbound entering an infinite loop and thereby becoming unresponsive.

Impact
======

A remote attacker can use the recursor as an amplification vector to cause a denial of service via a crafted reply. In addition, a remote attacker can crash the application via a crafted request.

References
==========

https://nlnetlabs.nl/projects/unbound/security-advisories/
https://nlnetlabs.nl/downloads/unbound/patch_cve_2020-12662_2020-12663.diff
http://www.nxnsattack.com/
https://security.archlinux.org/CVE-2020-12662
https://security.archlinux.org/CVE-2020-12663

From foxboron at archlinux.org Mon Jun 1 22:21:36 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Mon, 1 Jun 2020 22:21:36 +0200
Subject: [manjaro-security] [ASA-202005-16] freerdp: information disclosure
Message-ID: <20200601202136.eu4w3gif4kfplx67@anathema>

Arch Linux Security Advisory ASA-202005-16
==========================================

Severity: High
Date    : 2020-05-23
CVE-ID  : CVE-2020-13396 CVE-2020-13397 CVE-2020-13398
Package : freerdp
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-1172

Summary
=======

The package freerdp before version 2:2.1.1-1 is vulnerable to information disclosure.

Resolution
==========

Upgrade to 2:2.1.1-1.

# pacman -Syu "freerdp>=2:2.1.1-1"

The problems have been fixed upstream in version 2.1.1.

Workaround
==========

None.

Description
===========

- CVE-2020-13396 (information disclosure)

An issue was discovered in FreeRDP before 2.1.1.
An out-of-bounds (OOB) read vulnerability has been detected in ntlm_read_ChallengeMessage in winpr/libwinpr/sspi/NTLM/ntlm_message.c.

- CVE-2020-13397 (information disclosure)

An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in security_fips_decrypt in libfreerdp/core/security.c due to an uninitialized value.

- CVE-2020-13398 (information disclosure)

An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) write vulnerability has been detected in crypto_rsa_common in libfreerdp/crypto/crypto.c.

Impact
======

A local malicious user can send crafted network traffic and leak information from the host.

References
==========

https://github.com/FreeRDP/FreeRDP/commit/48361c411e50826cb602c7aab773a8a20e1da6bc
https://github.com/FreeRDP/FreeRDP/commit/8fb6336a4072abcee8ce5bd6ae91104628c7bb69
https://github.com/FreeRDP/FreeRDP/commit/d6cd14059b257318f176c0ba3ee0a348826a9ef8
https://github.com/FreeRDP/FreeRDP/commit/8305349a943c68b1bc8c158f431dc607655aadea
https://security.archlinux.org/CVE-2020-13396
https://security.archlinux.org/CVE-2020-13397
https://security.archlinux.org/CVE-2020-13398
From foxboron at archlinux.org Tue Jun 9 19:42:07 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 9 Jun 2020 19:42:07 +0200
Subject: [manjaro-security] [ASA-202006-1] firefox: multiple issues
Message-ID: <20200609174207.s5y7wtmpw7vnk2ga@anathema>

Arch Linux Security Advisory ASA-202006-1
=========================================

Severity: High
Date    : 2020-06-02
CVE-ID  : CVE-2020-12399 CVE-2020-12405 CVE-2020-12406 CVE-2020-12407 CVE-2020-12408 CVE-2020-12409 CVE-2020-12410 CVE-2020-12411
Package : firefox
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1173

Summary
=======

The package firefox before version 77.0-1 is vulnerable to multiple issues including arbitrary code execution, denial of service, private key recovery and content spoofing.

Resolution
==========

Upgrade to 77.0-1.

# pacman -Syu "firefox>=77.0-1"

The problems have been fixed upstream in version 77.0.

Workaround
==========

None.

Description
===========

- CVE-2020-12399 (private key recovery)

NSS before 3.52.1, as used in Firefox before 77.0 and Thunderbird before 68.9.0, has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.

- CVE-2020-12405 (denial of service)

When browsing a malicious page in Firefox before 77.0 and Thunderbird before 68.9.0, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash.

- CVE-2020-12406 (arbitrary code execution)

Mozilla Developer Iain Ireland discovered a missing type check in Firefox before 77.0 and Thunderbird before 68.9.0 during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code.
- CVE-2020-12407 (denial of service)

Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The leaked memory content was visible to the user, but not observable from web content.

- CVE-2020-12408 (content spoofing)

When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar.

- CVE-2020-12409 (content spoofing)

When using certain blank characters in a URL, they were incorrectly rendered as spaces instead of an encoded URL.

- CVE-2020-12410 (arbitrary code execution)

Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox 76, Firefox ESR 68.8 and Thunderbird before 68.9.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could have been exploited to run arbitrary code.

- CVE-2020-12411 (arbitrary code execution)

Mozilla developers :Gijs (he/him), Randell Jesup reported memory safety bugs present in Firefox 76. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

Impact
======

A remote attacker might be able to recover private keys, spoof content, execute arbitrary code or crash the application.
References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/
https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e
https://bugzilla.mozilla.org/show_bug.cgi?id=1631618
https://bugzilla.mozilla.org/show_bug.cgi?id=1639590
https://bugzilla.mozilla.org/show_bug.cgi?id=1637112
https://bugzilla.mozilla.org/show_bug.cgi?id=1623888
https://bugzilla.mozilla.org/show_bug.cgi?id=1629506
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1619305%2C1632717
https://bugzilla.mozilla.org/show_bug.cgi?id=1506173
https://security.archlinux.org/CVE-2020-12399
https://security.archlinux.org/CVE-2020-12405
https://security.archlinux.org/CVE-2020-12406
https://security.archlinux.org/CVE-2020-12407
https://security.archlinux.org/CVE-2020-12408
https://security.archlinux.org/CVE-2020-12409
https://security.archlinux.org/CVE-2020-12410
https://security.archlinux.org/CVE-2020-12411

From foxboron at archlinux.org Tue Jun 9 19:44:12 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 9 Jun 2020 19:44:12 +0200
Subject: [manjaro-security] [ASA-202006-7] tomcat9: arbitrary code execution
Message-ID: <20200609174412.luu6chzun4jietla@anathema>

Arch Linux Security Advisory ASA-202006-7
=========================================

Severity: High
Date    : 2020-06-06
CVE-ID  : CVE-2020-9484
Package : tomcat9
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1171

Summary
=======

The package tomcat9 before version 9.0.35-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 9.0.35-1.

# pacman -Syu "tomcat9>=9.0.35-1"

The problem has been fixed upstream in version 9.0.35.

Workaround
==========

None.
Description
===========

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if:

a) an attacker is able to control the contents and name of a file on the server; and
b) the server is configured to use the PersistenceManager with a FileStore; and
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over;

then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

Impact
======

A remote attacker can execute code on the affected host if they control the file content and know the path.

References
==========

https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
https://security.archlinux.org/CVE-2020-9484
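Conditions b) and c) of the advisory are a matter of configuration and can be audited on a host before, or in addition to, upgrading. The following is an added example, not Arch or Apache code: it parses a Tomcat context.xml and reports every PersistentManager backed by a FileStore whose sessionAttributeValueClassNameFilter is unset, literally "null", or admits arbitrary class names. The advisory text writes "PersistenceManager"; the className Tomcat reads from context.xml is org.apache.catalina.session.PersistentManager. The context fragments below are constructed, the probe class names are placeholders rather than real classes, and the "hardened" filter is the pattern Tomcat's documentation gives as the default under a SecurityManager, used here as an assumption. The same audit applies to the tomcat8 and tomcat7 advisories that follow.

```python
"""Audit a Tomcat context.xml for the CVE-2020-9484 preconditions b) and c).

Added example, not Arch or Apache code. The advisory text says
"PersistenceManager"; the className Tomcat reads from context.xml is
org.apache.catalina.session.PersistentManager.
"""
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Assumed placeholder class names, not real gadget classes: a filter that
# admits either one accepts classes outside java.lang and is treated as lax.
PROBE_CLASSES = ("org.example.Anything", "javax.example.Other")


def filter_is_lax(pattern):
    """True if the filter regex admits arbitrary class names. Tomcat matches
    the pattern against the whole class name, hence fullmatch()."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return True  # an unparseable filter gives no protection
    return any(rx.fullmatch(name) for name in PROBE_CLASSES)


def audit_context(xml_text):
    """Return one finding per PersistentManager+FileStore whose filter is
    missing, "null" or lax. An empty list means condition b) or c) fails."""
    root = ET.fromstring(xml_text)
    findings = []
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        stores = [s for s in manager.findall("Store")
                  if s.get("className") == FILE_STORE]
        if not stores:
            continue
        where = stores[0].get("directory", "(directory attribute not set)")
        flt = manager.get("sessionAttributeValueClassNameFilter")
        if flt is None or flt.strip().lower() in ("", "null"):
            findings.append(f"FileStore {where}: no sessionAttributeValueClassNameFilter, "
                            "any class found in a session file is deserialized")
        elif filter_is_lax(flt):
            findings.append(f"FileStore {where}: filter {flt!r} admits classes outside java.lang")
    return findings


# Constructed context.xml fragments (not from a real deployment).
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="/var/lib/tomcat9/sessions"/>
  </Manager>
</Context>"""

LAX_CONTEXT = VULNERABLE_CONTEXT.replace(
    'PersistentManager"', 'PersistentManager" sessionAttributeValueClassNameFilter=".*"')

# Filter Tomcat applies when a SecurityManager is enabled (assumed from Tomcat's docs).
HARDENED_CONTEXT = VULNERABLE_CONTEXT.replace(
    'PersistentManager"',
    r'PersistentManager" sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"')

if __name__ == "__main__":
    for name, ctx in (("vulnerable", VULNERABLE_CONTEXT), ("lax", LAX_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(name, audit_context(ctx) or ["no finding"])
```

A filter only narrows what the deserializer will instantiate; it does not remove conditions a) and d). Treat a finding as a reason to upgrade and to confirm that nothing the application exposes (an upload handler, a shared directory) can place a file where FileStore reads session files.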
From foxboron at archlinux.org Tue Jun 9 19:43:34 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 9 Jun 2020 19:43:34 +0200
Subject: [manjaro-security] [ASA-202006-5] tomcat8: arbitrary code execution
Message-ID: <20200609174334.v77ee7eerd525ob6@anathema>

Arch Linux Security Advisory ASA-202006-5
=========================================

Severity: High
Date    : 2020-06-06
CVE-ID  : CVE-2020-9484
Package : tomcat8
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1170

Summary
=======

The package tomcat8 before version 8.5.55-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 8.5.55-1.

# pacman -Syu "tomcat8>=8.5.55-1"

The problem has been fixed upstream in version 8.5.55.

Workaround
==========

None.

Description
===========

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if:

a) an attacker is able to control the contents and name of a file on the server; and
b) the server is configured to use the PersistenceManager with a FileStore; and
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over;

then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

Impact
======

A remote attacker can execute code on the affected host if they control the file content and know the path.
References
==========

https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
https://security.archlinux.org/CVE-2020-9484

From foxboron at archlinux.org Tue Jun 9 19:43:44 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 9 Jun 2020 19:43:44 +0200
Subject: [manjaro-security] [ASA-202006-6] tomcat7: arbitrary code execution
Message-ID: <20200609174344.nykfskykpuqei5mq@anathema>

Arch Linux Security Advisory ASA-202006-6
=========================================

Severity: High
Date    : 2020-06-06
CVE-ID  : CVE-2020-9484
Package : tomcat7
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1169

Summary
=======

The package tomcat7 before version 7.0.104-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 7.0.104-1.

# pacman -Syu "tomcat7>=7.0.104-1"

The problem has been fixed upstream in version 7.0.104.

Workaround
==========

None.

Description
===========

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if:

a) an attacker is able to control the contents and name of a file on the server; and
b) the server is configured to use the PersistenceManager with a FileStore; and
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over;

then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
Note that all of conditions a) to d) must be true for the attack to succeed.

Impact
======

A remote attacker can execute code on the affected host if they control the file content and know the path.

References
==========

https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
https://security.archlinux.org/CVE-2020-9484

From foxboron at archlinux.org Tue Jun 9 19:44:20 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 9 Jun 2020 19:44:20 +0200
Subject: [manjaro-security] [ASA-202006-8] python-django: multiple issues
Message-ID: <20200609174420.sbbnk7737sliiarl@anathema>

Arch Linux Security Advisory ASA-202006-8
=========================================

Severity: Medium
Date    : 2020-06-06
CVE-ID  : CVE-2020-13254 CVE-2020-13596
Package : python-django
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1176

Summary
=======

The package python-django before version 3.0.7-1 is vulnerable to multiple issues including cross-site scripting and information disclosure.

Resolution
==========

Upgrade to 3.0.7-1.

# pacman -Syu "python-django>=3.0.7-1"

The problems have been fixed upstream in version 3.0.7.

Workaround
==========

None.

Description
===========

- CVE-2020-13254 (information disclosure)

An information disclosure issue has been found in Django before 3.0.7, via malformed memcached keys. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.

- CVE-2020-13596 (cross-site scripting)

A possible XSS has been found in Django before 3.0.7, via admin ForeignKeyRawIdWidget.
Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector.

Impact
======

A remote attacker can leak data through malformed cache keys. An authenticated user could execute javascript through an admin widget.

References
==========

https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
https://github.com/django/django/commit/84b2da5552e100ae3294f564f6c862fef8d0e693
https://github.com/django/django/commit/1f2dd37f6fcefdd10ed44cb233b2e62b520afb38
https://security.archlinux.org/CVE-2020-13254
https://security.archlinux.org/CVE-2020-13596

From foxboron at archlinux.org Tue Jun 9 19:43:15 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 9 Jun 2020 19:43:15 +0200
Subject: [manjaro-security] [ASA-202006-4] thunderbird: multiple issues
Message-ID: <20200609174315.dnfv7xqpiou2fuwu@anathema>

Arch Linux Security Advisory ASA-202006-4
=========================================

Severity: High
Date    : 2020-06-06
CVE-ID  : CVE-2020-12398 CVE-2020-12399 CVE-2020-12405 CVE-2020-12406 CVE-2020-12410
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1179

Summary
=======

The package thunderbird before version 68.9.0-1 is vulnerable to multiple issues including arbitrary code execution, denial of service, man-in-the-middle and private key recovery.

Resolution
==========

Upgrade to 68.9.0-1.

# pacman -Syu "thunderbird>=68.9.0-1"

The problems have been fixed upstream in version 68.9.0.

Workaround
==========

None.

Description
===========

- CVE-2020-12398 (man-in-the-middle)

A security downgrade issue has been found in Thunderbird before 68.9.0.
If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection.

- CVE-2020-12399 (private key recovery)

NSS before 3.52.1, as used in Firefox before 77.0 and Thunderbird before 68.9.0, has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.

- CVE-2020-12405 (denial of service)

When browsing a malicious page in Firefox before 77.0 and Thunderbird before 68.9.0, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash.

- CVE-2020-12406 (arbitrary code execution)

Mozilla Developer Iain Ireland discovered a missing type check in Firefox before 77.0 and Thunderbird before 68.9.0 during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code.

- CVE-2020-12410 (arbitrary code execution)

Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox 76, Firefox ESR 68.8 and Thunderbird before 68.9.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could have been exploited to run arbitrary code.

Impact
======

A remote attacker might be able to recover private keys, downgrade an encrypted connection, execute arbitrary code or crash the application.
References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/
https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12398
https://bugzilla.mozilla.org/show_bug.cgi?id=1613623
https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/
https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e
https://bugzilla.mozilla.org/show_bug.cgi?id=1631618
https://bugzilla.mozilla.org/show_bug.cgi?id=1639590
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1619305%2C1632717
https://security.archlinux.org/CVE-2020-12398
https://security.archlinux.org/CVE-2020-12399
https://security.archlinux.org/CVE-2020-12405
https://security.archlinux.org/CVE-2020-12406
https://security.archlinux.org/CVE-2020-12410

From foxboron at archlinux.org Tue Jun 9 19:43:05 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 9 Jun 2020 19:43:05 +0200
Subject: [manjaro-security] [ASA-202006-3] chromium: multiple issues
Message-ID: <20200609174305.n5x4qt2harjanxum@anathema>

Arch Linux Security Advisory ASA-202006-3
=========================================

Severity: High
Date    : 2020-06-06
CVE-ID  : CVE-2020-6493 CVE-2020-6494 CVE-2020-6495 CVE-2020-6496
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1178

Summary
=======

The package chromium before version 83.0.4103.97-1 is vulnerable to multiple issues including access restriction bypass, arbitrary code execution and content spoofing.

Resolution
==========

Upgrade to 83.0.4103.97-1.

# pacman -Syu "chromium>=83.0.4103.97-1"

The problems have been fixed upstream in version 83.0.4103.97.

Workaround
==========

None.
Description
===========

- CVE-2020-6493 (arbitrary code execution)

A use-after-free security issue has been found in the WebAuthentication component of the chromium browser before 83.0.4103.97.

- CVE-2020-6494 (content spoofing)

An incorrect security UI security issue has been found in the payments component of the chromium browser before 83.0.4103.97.

- CVE-2020-6495 (access restriction bypass)

An insufficient policy enforcement security issue has been found in the developer tools component of the chromium browser before 83.0.4103.97.

- CVE-2020-6496 (arbitrary code execution)

A use-after-free security issue has been found in the payments component of the chromium browser before 83.0.4103.97.

Impact
======

A remote attacker might be able to spoof content, bypass security restrictions or validation checks, or execute arbitrary code on the affected host.

References
==========

https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop.html
https://crbug.com/1082105
https://crbug.com/1083972
https://crbug.com/1072116
https://crbug.com/1085990
https://security.archlinux.org/CVE-2020-6493
https://security.archlinux.org/CVE-2020-6494
https://security.archlinux.org/CVE-2020-6495
https://security.archlinux.org/CVE-2020-6496
From foxboron at archlinux.org Tue Jun 9 19:42:57 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 9 Jun 2020 19:42:57 +0200
Subject: [manjaro-security] [ASA-202006-2] gnutls: man-in-the-middle
Message-ID: <20200609174257.bofnrohwiazsopwp@anathema>

Arch Linux Security Advisory ASA-202006-2
=========================================

Severity: High
Date    : 2020-06-06
CVE-ID  : CVE-2020-13777
Package : gnutls
Type    : man-in-the-middle
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1177

Summary
=======

The package gnutls before version 3.6.14-1 is vulnerable to man-in-the-middle.

Resolution
==========

Upgrade to 3.6.14-1.

# pacman -Syu "gnutls>=3.6.14-1"

The problem has been fixed upstream in version 3.6.14.

Workaround
==========

None.

Description
===========

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.

Impact
======

A remote attacker can man-in-the-middle a connection to bypass authentication in TLS 1.3, and recover previous conversations in TLS 1.2.

References
==========

https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03
https://gitlab.com/gnutls/gnutls/-/issues/1011
https://gitlab.com/gnutls/gnutls/-/commit/c2646aeee94e71cb15c90a3147cf3b5b0ca158ca?merge_request_iid=1275
https://security.archlinux.org/CVE-2020-13777
From rgacogne at archlinux.org Tue Jun 16 18:34:23 2020
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Tue, 16 Jun 2020 18:34:23 +0200
Subject: [manjaro-security] [ASA-202006-9] dbus: denial of service
Message-ID: <0c627095-2538-cd9c-01a3-9939cd0cfc9a@archlinux.org>

Arch Linux Security Advisory ASA-202006-9
=========================================

Severity: Low
Date    : 2020-06-13
CVE-ID  : CVE-2020-12049
Package : dbus
Type    : denial of service
Remote  : No
Link    : https://security.archlinux.org/AVG-1183

Summary
=======

The package dbus before version 1.12.18-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 1.12.18-1.

# pacman -Syu "dbus>=1.12.18-1"

The problem has been fixed upstream in version 1.12.18.

Workaround
==========

None.

Description
===========

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.

Impact
======

A local attacker might be able to cause a denial of service via crafted DBUS messages.

References
==========

https://www.openwall.com/lists/oss-security/2020/06/04/3
https://gitlab.freedesktop.org/dbus/dbus/-/issues/294
https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63
https://security.archlinux.org/CVE-2020-12049
From rgacogne at archlinux.org Tue Jun 16 18:35:16 2020
From: rgacogne at archlinux.org (Remi Gacogne)
Date: Tue, 16 Jun 2020 18:35:16 +0200
Subject: [manjaro-security] [ASA-202006-10] intel-ucode: information disclosure
Message-ID:

Arch Linux Security Advisory ASA-202006-10
==========================================

Severity: High
Date    : 2020-06-13
CVE-ID  : CVE-2020-0543 CVE-2020-0548 CVE-2020-0549
Package : intel-ucode
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-1187

Summary
=======

The package intel-ucode before version 20200609-1 is vulnerable to information disclosure.

Resolution
==========

Upgrade to 20200609-1.

# pacman -Syu "intel-ucode>=20200609-1"

The problems have been fixed upstream in version 20200609.

Workaround
==========

None.

Description
===========

- CVE-2020-0543 (information disclosure)

A new domain bypass transient execution attack known as Special Register Buffer Data Sampling (SRBDS) has been found. This flaw allows data values from special internal registers to be leaked by an attacker able to execute code on any core of the CPU. An unprivileged, local attacker can use this flaw to infer values returned by affected instructions known to be commonly used during cryptographic operations that rely on uniqueness, secrecy, or both.

- CVE-2020-0548 (information disclosure)

A flaw was found in Intel processors where a local attacker is able to gain information about registers used for vector calculations by observing register states from other processes running on the system. This results in a race condition where store buffers, which were not cleared, could be read by another process or a CPU sibling. The highest threat from this vulnerability is data confidentiality where an attacker could read arbitrary data as it passes through the processor.
- CVE-2020-0549 (information disclosure) A microarchitectural timing flaw was found on some Intel processors. A corner case exists where data in-flight during the eviction process can end up in the “fill buffers” and not properly cleared by the MDS mitigations. The fill buffer contents (which were expected to be blank) can be inferred using MDS or TAA style attack methods to allow a local attacker to infer fill buffer values. Impact ====== A local unprivileged attacker with access to an affected CPU can read protected memory through a shared buffer on an SGX enclave or CPU core. References ========== https://software.intel.com/security-software-guidance/insights/deep-dive-special-register-buffer-data-sampling https://blogs.intel.com/technology/2020/06/ipas-security-advisories-for-june-2020/#gs.6uyhri https://cacheoutattack.com/CacheOut.pdf https://software.intel.com/security-software-guidance/software-guidance/l1d-eviction-sampling https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/ https://access.redhat.com/solutions/l1d-cache-eviction-and-vector-register-sampling https://security.archlinux.org/CVE-2020-0543 https://security.archlinux.org/CVE-2020-0548 https://security.archlinux.org/CVE-2020-0549 -------------- next part -------------- A non-text attachment was scrubbed... 
From foxboron at archlinux.org Tue Jun 30 22:32:26 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 30 Jun 2020 22:32:26 +0200
Subject: [manjaro-security] [ASA-202006-11] sqlite: arbitrary code execution
Message-ID: <20200630203226.z2mtlnyx2mp42xji@anathema>

Arch Linux Security Advisory ASA-202006-11
==========================================

Severity: High
Date    : 2020-06-28
CVE-ID  : CVE-2020-13871
Package : sqlite
Type    : arbitrary code execution
Remote  : No
Link    : https://security.archlinux.org/AVG-1182

Summary
=======

The package sqlite before version 3.32.3-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 3.32.3-1.

# pacman -Syu "sqlite>=3.32.3-1"

The problem has been fixed upstream in version 3.32.3.

Workaround
==========

None.

Description
===========

SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

Impact
======

An attacker might be able to crash the application or execute arbitrary code by running a crafted query.

References
==========

https://www.sqlite.org/src/info/c8d3b9f0a750a529
https://www.sqlite.org/src/info/cd708fa84d2aaaea
https://www.sqlite.org/src/info/44a58d6cb135a104
https://security.archlinux.org/CVE-2020-13871
From foxboron at archlinux.org Tue Jun 30 22:32:49 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 30 Jun 2020 22:32:49 +0200
Subject: [manjaro-security] [ASA-202006-14] imagemagick: information disclosure
Message-ID: <20200630203249.6sz3zbb4dut3sz6g@anathema>

Arch Linux Security Advisory ASA-202006-14
==========================================

Severity: Medium
Date    : 2020-06-28
CVE-ID  : CVE-2020-13902
Package : imagemagick
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1181

Summary
=======

The package imagemagick before version 7.0.10.20-1 is vulnerable to information disclosure.

Resolution
==========

Upgrade to 7.0.10.20-1.

# pacman -Syu "imagemagick>=7.0.10.20-1"

The problem has been fixed upstream in version 7.0.10.20.

Workaround
==========

None.

Description
===========

An out-of-bounds read has been found in the TIFF image decoding part of imagemagick <= 7.0.10-17, in BlobToStringInfo in MagickCore/string.c.

Impact
======

A remote attacker might be able to access sensitive information or crash the application via a crafted TIFF file.

References
==========

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20920
https://github.com/ImageMagick/ImageMagick/discussions/2132
https://github.com/ImageMagick/ImageMagick/commit/824f344ceb823e156ad6e85314d79c087933c2a0
https://security.archlinux.org/CVE-2020-13902
From foxboron at archlinux.org Tue Jun 30 22:33:13 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 30 Jun 2020 22:33:13 +0200
Subject: [manjaro-security] [ASA-202006-16] tomcat8: denial of service
Message-ID: <20200630203313.4rwsgqf6zqnmsxk6@anathema>

Arch Linux Security Advisory ASA-202006-16
==========================================

Severity: Medium
Date    : 2020-06-28
CVE-ID  : CVE-2020-11996
Package : tomcat8
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1197

Summary
=======

The package tomcat8 before version 8.5.56-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 8.5.56-1.

# pacman -Syu "tomcat8>=8.5.56-1"

The problem has been fixed upstream in version 8.5.56.

Workaround
==========

None.

Description
===========

A denial of service has been found in Apache Tomcat before 9.0.36 and 8.5.56, where a specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Impact
======

A remote attacker might be able to cause a denial of service via a specially crafted sequence of HTTP/2 requests.

References
==========

https://www.openwall.com/lists/oss-security/2020/06/25/6
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36
https://github.com/apache/tomcat/commit/9a0231683a77e2957cea0fdee88b193b30b0c976
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.56
https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552
https://security.archlinux.org/CVE-2020-11996
From foxboron at archlinux.org Tue Jun 30 22:32:41 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 30 Jun 2020 22:32:41 +0200
Subject: [manjaro-security] [ASA-202006-13] bind: denial of service
Message-ID: <20200630203241.vfzqdfvl46r7ca2n@anathema>

Arch Linux Security Advisory ASA-202006-13
==========================================

Severity: Medium
Date    : 2020-06-28
CVE-ID  : CVE-2020-8618 CVE-2020-8619
Package : bind
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1191

Summary
=======

The package bind before version 9.16.4-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 9.16.4-1.

# pacman -Syu "bind>=9.16.4-1"

The problems have been fixed upstream in version 9.16.4.

Workaround
==========

None.

Description
===========

- CVE-2020-8618 (denial of service)

An assertion check in BIND before 9.16.4 (that is meant to prevent going beyond the end of a buffer when processing incoming data) can be incorrectly triggered by a large response during zone transfer. An attacker who is permitted to send zone data to a server via zone transfer can exploit this to intentionally trigger the assertion failure with a specially constructed zone, denying service to clients.

- CVE-2020-8619 (denial of service)

An issue has been found in Bind before 9.16.4, where an asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c. The asterisk character ("*") is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a terminal node. A problem can occur when an asterisk is present in an empty non-terminal location within the DNS graph. If such a node exists, after a series of queries, named can reach an inconsistent state that results in the failure of an assertion check in rbtdb.c, followed by the program exiting due to the assertion failure. Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.

Impact
======

A remote attacker with enough privileges to update a zone might be able to crash a server via a crafted zone transfer or by inserting an asterisk at a terminal node of a zone.

References
==========

https://downloads.isc.org/isc/bind9/9.16.4/doc/arm/html/notes.html#notes-for-bind-9-16-4
https://kb.isc.org/docs/cve-2020-8618
https://gitlab.isc.org/isc-projects/bind9/-/issues/1850
https://kb.isc.org/docs/cve-2020-8619
https://gitlab.isc.org/isc-projects/bind9/-/issues/1718
https://gitlab.isc.org/isc-projects/bind9/-/commit/569cc155b8680d8ed12db1fabbe20947db24a0f9
https://security.archlinux.org/CVE-2020-8618
https://security.archlinux.org/CVE-2020-8619
From foxboron at archlinux.org Tue Jun 30 22:32:33 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 30 Jun 2020 22:32:33 +0200
Subject: [manjaro-security] [ASA-202006-12] chromium: arbitrary code execution
Message-ID: <20200630203233.6zdf7tsy3nucdvsr@anathema>

Arch Linux Security Advisory ASA-202006-12
==========================================

Severity: High
Date    : 2020-06-28
CVE-ID  : CVE-2020-6509
Package : chromium
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1192

Summary
=======

The package chromium before version 83.0.4103.116-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 83.0.4103.116-1.

# pacman -Syu "chromium>=83.0.4103.116-1"

The problem has been fixed upstream in version 83.0.4103.116.

Workaround
==========

None.

Description
===========

A use-after-free vulnerability has been found in the extensions component of chromium before 83.0.4103.116.

Impact
======

A remote attacker can execute arbitrary code on the affected host.

References
==========

https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_22.html
https://crbug.com/1092308
https://security.archlinux.org/CVE-2020-6509
From foxboron at archlinux.org Tue Jun 30 22:33:02 2020
From: foxboron at archlinux.org (Morten Linderud)
Date: Tue, 30 Jun 2020 22:33:02 +0200
Subject: [manjaro-security] [ASA-202006-15] freerdp: multiple issues
Message-ID: <20200630203302.ysze65ieu24yg4wb@anathema>

Arch Linux Security Advisory ASA-202006-15
==========================================

Severity: High
Date    : 2020-06-28
CVE-ID  : CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033
          CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098
          CVE-2020-11099
Package : freerdp
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1193

Summary
=======

The package freerdp before version 2:2.1.2-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

Resolution
==========

Upgrade to 2:2.1.2-1.

# pacman -Syu "freerdp>=2:2.1.2-1"

The problems have been fixed upstream in version 2.1.2.

Workaround
==========

None.

Description
===========

- CVE-2020-4030 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, where logging might bypass string length checks due to an integer overflow.

- CVE-2020-4031 (arbitrary code execution)

A use-after-free vulnerability has been found in FreeRDP before 2.1.2, in gdi_SelectObject(). Clients using compatibility mode enabled with /relax-order-checks are affected.

- CVE-2020-4032 (information disclosure)

An integer casting vulnerability leading to an out-of-bounds read has been found in FreeRDP before 2.1.2, in update_recv_secondary_order(), on clients with +glyph-cache or /relax-order-checks options enabled.

- CVE-2020-4033 (information disclosure)

An out-of-bounds read of up to 4 bytes has been found in FreeRDP before 2.1.2, affecting all FreeRDP based clients with sessions with color depth < 32.

- CVE-2020-11095 (information disclosure)

A global out-of-bounds read has been found in FreeRDP before 2.1.2, in update_recv_primary_order.

- CVE-2020-11096 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in update_read_cache_bitmap_v3_order().

- CVE-2020-11097 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in ntlm_av_pair_get().

- CVE-2020-11098 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in glyph_cache_put. This issue only exists when glyph-cache is enabled, which is not the case by default.

- CVE-2020-11099 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in license_read_new_or_upgrade_license_packet().

Impact
======

A remote attacker might be able to access sensitive information or crash the application via a crafted RDP session. A malicious server, or an attacker in a man-in-the-middle position, might be able to execute arbitrary code on the affected host.

References
==========

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fjr5-97f5-qq98
https://github.com/FreeRDP/FreeRDP/commit/05cd9ea2290d23931f615c1b004d4b2e69074e27
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gwcq-hpq2-m74g
https://github.com/FreeRDP/FreeRDP/commit/6d86e20e1e7caaab4f0c7f89e36d32914dbccc52
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3898-mc89-x2vc
https://github.com/FreeRDP/FreeRDP/commit/e7bffa64ef5ed70bac94f823e2b95262642f5296
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rhj-856w-82p8
https://github.com/FreeRDP/FreeRDP/commit/0a98c450c58ec150e44781c89aa6f8e7e0f571f5
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-563r-pvh7-4fw2
https://github.com/FreeRDP/FreeRDP/commit/733ee3208306b1ea32697b356c0215180fc3f049
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mjw7-3mq2-996x
https://github.com/FreeRDP/FreeRDP/commit/b8beb55913471952f92770c90c372139d78c16c0
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c8x2-c3c9-9r3f
https://github.com/FreeRDP/FreeRDP/commit/58a3122250d54de3a944c487776bcd4d1da4721e
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv
https://github.com/FreeRDP/FreeRDP/commit/c0fd449ec0870b050d350d6d844b1ea6dad4bc7d
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-977w-866x-4v5h
https://github.com/FreeRDP/FreeRDP/commit/6ade7b4cbfd71c54b3d724e8f2d6ac76a58e879a
https://security.archlinux.org/CVE-2020-4030
https://security.archlinux.org/CVE-2020-4031
https://security.archlinux.org/CVE-2020-4032
https://security.archlinux.org/CVE-2020-4033
https://security.archlinux.org/CVE-2020-11095
https://security.archlinux.org/CVE-2020-11096
https://security.archlinux.org/CVE-2020-11097
https://security.archlinux.org/CVE-2020-11098
https://security.archlinux.org/CVE-2020-11099
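Every Resolution section above boils down to "installed version must be at least the fixed version", and the freerdp advisory shows why the epoch prefix in "2:2.1.2-1" matters for that check. The script below is an added example, not part of the advisories or of pacman: it collects this page's fixed versions and flags installed packages that are still older. The `pacman -Q` output is constructed, and `vercmp` is a deliberately simplified approximation of pacman's version ordering (an assumption, not alpm's exact algorithm).

```python
import re
from itertools import zip_longest

# Fixed versions from this page's advisories, in pacman's [epoch:]pkgver-pkgrel form.
ADVISORIES = {
    "dbus": "1.12.18-1", "intel-ucode": "20200609-1", "sqlite": "3.32.3-1",
    "imagemagick": "7.0.10.20-1", "tomcat8": "8.5.56-1", "bind": "9.16.4-1",
    "chromium": "83.0.4103.116-1", "freerdp": "2:2.1.2-1",
}
# Constructed stand-in for `pacman -Q` output, not captured from a real host.
SAMPLE_PACMAN_Q = "bind 9.16.3-1\ndbus 1.12.18-1\nfreerdp 2.1.2-1\nsqlite 3.32.3-1\n"

def split_version(v):
    """Split '[epoch:]pkgver-pkgrel' into (epoch, pkgver, pkgrel); no epoch means 0."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    pkgver, _, pkgrel = v.rpartition("-")
    if not pkgver:  # no pkgrel given, e.g. "9.16.4"
        pkgver, pkgrel = pkgrel, "0"
    return epoch, pkgver, pkgrel

def _segments(s):
    """Alternating numeric and alphabetic runs; digit runs compare as integers."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def compare_segments(a, b):
    """Segment-wise compare; simplified alpm vercmp (ignores its separator-count rules)."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x == y:
            continue
        if x is None or y is None:
            # Trailing digits make a version newer ("1.0.1" > "1.0"); trailing
            # letters make it older ("1.0rc" < "1.0"), matching vercmp.
            rest, sign = (y, -1) if x is None else (x, 1)
            return sign if isinstance(rest, int) else -sign
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1  # numbers sort after letters
        return -1 if x < y else 1
    return 0

def vercmp(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b. A higher epoch wins outright."""
    ea, va, ra = split_version(a)
    eb, vb, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return compare_segments(va, vb) or compare_segments(ra, rb)

def parse_pacman_q(text):
    """Parse the 'name version' lines printed by `pacman -Q`."""
    return dict(line.split(maxsplit=1) for line in text.splitlines() if line.strip())

def outdated(installed):
    """{package: (installed, fixed)} for packages still below the fixed version."""
    return {p: (v, ADVISORIES[p]) for p, v in installed.items()
            if p in ADVISORIES and vercmp(v, ADVISORIES[p]) < 0}

if __name__ == "__main__":
    print(outdated(parse_pacman_q(SAMPLE_PACMAN_Q)))
```

On a real system, feed it the output of `pacman -Q` instead of the constructed sample; an installed "2.1.2-1" without the epoch is still reported as older than "2:2.1.2-1".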