Packages

Severity: high

Versions affected:
1.6.0 through 1.7.0
Potentially, all earlier versions too, but there is no known way to
trigger this before 1.6.0

Mitigation:
upgrade to 1.7.1

Description:
ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming
from the network, allowing a non-admin user to escalate privilege,
inject rogue values into znc.conf, and gain shell access.

Upstream patches:
https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d

—

Severity: medium

Versions affected:
0.045 through 1.7.0

Mitigation:
upgrade to 1.7.1, or disable HTTP via `/msg *status AddPort`, `/msg
*status DelPort` commands.

Description:
ZNC before 1.7.1-rc1 is prone to a path traversal flaw. A non-admin user
can set web skin name to ../ to access files outside of the intended
skins directories and to cause DoS.

Upstream patch:
https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773

The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a Code Injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appear to be exploitable via Loading specially-crafted saved games, networked games, replays, and player content.

https://security-tracker.debian.org/tracker/CVE-2018-1999023

Upstream patch: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318

With latest iceweasel-uxp, I can’t connect to some HTTPS websites :

For example :

https://pkgs.fedoraproject.org/ is an example

SEC_ERROR_UNKNOWN_ISSUER

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

https://security-tracker.debian.org/tracker/CVE-2018-15473

Patch: https://salsa.debian.org/ssh-team/openssh/commit/4641c58a3279f6b118f9562babaa0ee050a38619

Technical analysis: https://blog.nviso.be/2018/08/21/openssh-user-enumeration-vulnerability-a-close-look/

User enumeration in Dropbear 2018.76 and earlier
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html

Patch: https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription.

https://security-tracker.debian.org/tracker/CVE-2018-14354

Description:

NoScript zero-day allows script execution even with scripts blocked by default.

https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/

https://twitter.com/ma1/status/1039163003034324992

Additional info:
* package version(s) < 5.1.8.7

Steps to reproduce:
Set the Content-Type of your html/js page to “text/html;json” and enjoy full JS pwnage”

Description:
In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.

https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/

Description:

• Remove Schrödinger in Hyperbola because it’s unmaintained and unsupportable. [0] [1]

• Note: It requires [ffmpeg], [ffmpeg2.8] and [gst-plugins-bad] rebuilding

Additional info:

• schroedinger 1.0.11-3

$ pacman -Si schroedinger
Repository      : extra
Name            : schroedinger
Version         : 1.0.11-3
Description     : An implemenation of the Dirac video codec in ANSI C code
Architecture    : x86_64
URL             : https://launchpad.net/schroedinger
Licenses        : GPL2  LGPL2.1  MPL  MIT
Groups          : None
Provides        : None
Depends On      : orc  gcc-libs
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 331.64 KiB
Installed Size  : 1676.00 KiB
Packager        : Evangelos Foutras <evangelos@foutrelis.com>
Build Date      : Sat 05 Dec 2015 12:28:01 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

• Contains security holes.

Description:

• In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.

Additional info:
* package version(s)

• 2.2.6-1.hyperbola1

* config and/or log files etc.

• None

Steps to reproduce:

• Run VLC

Description:

• VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.

Additional info:
* package version(s)

• 2.2.6-1.hyperbola1

* config and/or log files etc.

• None

Steps to reproduce:

• Run VLC

Octopi 0.9.0 is uploading system logs to ptpb.pw without confirmation through :

Tools
→ SysInfo → ptpb.pw

I think it should be either disabled or add at least a patch to ask for a confirmation.
An other way could be to patch this :

src/globals.cpp
240: * Generates SysInfo file and paste it to ptpb site
255:  QString ptpb = UnixCommand::getCommandOutput("curl -F c=@- https://ptpb.pw/?u=1", tempFile->fileName());
256:  return ptpb;

to :

src/globals.cpp
240: * Generates SysInfo file and paste it to ptpb site
255:  QString ptpb = UnixCommand::getCommandOutput("curl -F c=@- **https://ptpb.pw/", tempFile->fileName());
256:  return ptpb;

This way, you can at least ask for log deletion with the help of log uuid as explained here : https://ptpb.pw/#id10

Description:
As stated on the home page of the project (https://qtpass.org/):
<quote>
All passwords generated with QtPass’ built-in password generator prior to 1.2.1 are possibly predictable and enumerable by hackers.
</quote>

Description:

A memory leak bug was discovered in Toxcore that can be triggered remotely to exhaust one’s system memory, resulting in a denial of service attack... As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained. In fact, irungentoo’s toxcore is neither being developed nor maintained for some time now, aside from merging only the most critical fixes from TokTok c-toxcore from time to time, missing all other important fixes.

Additional info:
* package version(s): < 2.8

https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/

Description:
https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/

The bug is fixed in TokTok c-toxcore v0.2.8. The bug is also fixed in the master branch of irungentoo’s toxcore, in commit bf69b54f64003d160d759068f4816b2d9b2e1e21. As a general reminder, if you are still using irungentoo’s toxcore, we strongly encourage you to switch to using TokTok c-toxcore instead as it’s a lot more actively developed and maintained.

Description:
libssh versions 0.6 and above have an authentication bypass vulnerability in
the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message
in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect
to initiate authentication, the attacker could successfully authentciate
without any credentials.

Additional info:
* package version(s) : extra/libssh 0.7.5-1

CVE

Description:
Changelog

2.4.46 is fixing a huge quantity of issues (TLS related & memory leak)

Additional info:
* package version(s) : 2.4.44

Description:

PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.

Additional info:
* package version(s)

$ pacman -Si php
Repositorio               : extra
Nombre                    : php
Versión                   : 7.1.4-3.hyperbola3
Descripción               : A general-purpose scripting language that is especially suited to web development, without systemd support
Arquitectura              : x86_64
URL                       : http://www.php.net
Licencias                 : PHP
Grupos                    : Nada
Provee                    : php-ldap=7.1.4
Depende de                : libxml2  curl  libzip  pcre
Dependencias opcionales   : Nada
En conflicto con          : php-ldap
Remplaza a                : php-ldap
Tamaño de la descarga     : 3,02 MiB
Tamaño de la instalación  : 15,94 MiB
Encargado                 : André Silva <emulatorman@hyperbola.info>
Fecha de creación         : mié 27 dic 2017 19:15:03 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

* config and/or log files etc.

Last update of php be v7.1.x is v7.1.23:

- https://secure.php.net/ChangeLog-7.php#7.1.23

Patch availabble from v7.1.5
https://bugs.php.net/bug.php?id=74544

Steps to reproduce:

- Install php

Our current dokuwiki 20170219_b-1 has two serious CVE.

Error message attached after the first installation

A huge number of CVEs have been fixed on 4.3.1 :

CVE-2018-20552
CVE-2018-20553
CVE-2018-18408
CVE-2018-18407
CVE-2018-17974
CVE-2018-17580
CVE-2018-17582
CVE-2018-13112

Current Hyperbola version is 4.2.6

Description: There’s an active, ongoing campaign exploiting a widespread vulnerability in linux email servers. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiates a crypto miner.

https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability

https://www.openwall.com/lists/oss-security/2019/06/06/1

https://www.zdnet.com/article/libarchive-vulnerability-can-lead-to-code-execution-on-linux-freebsd-netbsd/

https://security-tracker.debian.org/tracker/CVE-2019-18408

In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation

https://security-tracker.debian.org/tracker/CVE-2019-2201

Patch: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388

https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/

[Critical] https://security-tracker.debian.org/tracker/CVE-2019-18934

These two options could be enabled :

Kernel hacking → [*] Filter access to /dev/mem
[*] Filter I/O access to /dev/mem

Security options → [*] Restrict unprivileged access to the kernel syslog