Download
| Alert*
oval:org.secpod.oval:def:52076
apport: automatically generate crash reports for debugging Details: USN-3480-2 fixed regressions in Apport. The update introduced a new regression in the container support. This update addresses the problem. We apologize for the inconvenience. Original advisory USN-3480-2 introduced regressions in A ... oval:org.secpod.oval:def:51937 apport: automatically generate crash reports for debugging Details: USN-3480-1 fixed vulnerabilities in Apport. The fix for CVE-2017-14177 introduced a regression in the ability to handle crashes for users that configured their systems to use the Upstart init system in Linux Mint 18.x LTS. The fix f ... oval:org.secpod.oval:def:51993 firefox: Mozilla Open Source web browser Details: USN-3544-1 fixed vulnerabilities in Firefox. The update caused a web compatibility regression and a tab crash during printing in some circumstances. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-3544-1 cause ... oval:org.secpod.oval:def:704163 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors Deta ... oval:org.secpod.oval:def:51075 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors Deta ... oval:org.secpod.oval:def:1600858 Weak ElGamal key parameters in PublicKey/ElGamal.py allow attackers to obtain sensitive information by reading ciphertext:lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data ... oval:org.secpod.oval:def:1600885 Malicious patch files cause ed to execute arbitrary commandsGNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation can result in code execution. This attack appear to be exploitable via a patch file processed via th ... oval:org.secpod.oval:def:54107 gpac: GPAC Project on Advanced Content GPAC could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:1502089 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:115202 The kernel meta package oval:org.secpod.oval:def:1800992 Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume vulnerability in the UDP support of the memcached server that can result in denial of service via network flood . This attack appear to be exploitable via network connectivity to port 11211 UDP. Fixed In Version:&par ... oval:org.secpod.oval:def:1800996 Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume vulnerability in the UDP support of the memcached server that can result in denial of service via network flood . This attack appear to be exploitable via network connectivity to port 11211 UDP. Fixed In Version:&par ... oval:org.secpod.oval:def:1800997 Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume vulnerability in the UDP support of the memcached server that can result in denial of service via network flood . This attack appear to be exploitable via network connectivity to port 11211 UDP. Fixed In Version:&par ... oval:org.secpod.oval:def:1800203 CVE-2018-5205: When using incomplete escape codes, Irssi may access data beyond the end of the string. Affected Versions: All Irssi versions. Fixed In: Irssi 1.0.6 oval:org.secpod.oval:def:1800299 An error within the "LibRaw::xtrans_interpolate" function can be exploited to cause an invalid read memory access and subsequently cause a crash via a specially crafted TIFF image. Fixed In Version:¶ LibRaw 0.18.6 oval:org.secpod.oval:def:1801080 CVE-2018-14349: Heap Overflow in imap/command.c¶ Fixed In Version:¶ mutt 1.10.1 oval:org.secpod.oval:def:1801082 CVE-2018-14349: Heap Overflow in imap/command.c¶ Fixed In Version:¶ mutt 1.10.1 oval:org.secpod.oval:def:1801083 CVE-2018-14349: Heap Overflow in imap/command.c¶ Fixed In Version:¶ mutt 1.10.1 oval:org.secpod.oval:def:1801084 CVE-2018-14349: Heap Overflow in imap/command.c¶ Fixed In Version:¶ mutt 1.10.1 oval:org.secpod.oval:def:1600860 Heap-based buffer overflow in mspack/lzxd.cmspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CHM file. Out-of-bounds access in the PDF parser A VMSF_DELTA memory corruption was ... oval:org.secpod.oval:def:1800969 CVE-2018-0202: Out-of-bounds access in the PDF parser¶ Fixed In Version:¶ clamav 0.99.4 oval:org.secpod.oval:def:1800970 CVE-2018-0202: Out-of-bounds access in the PDF parser¶ Fixed In Version:¶ clamav 0.99.4 oval:org.secpod.oval:def:1800973 CVE-2018-0202: Out-of-bounds access in the PDF parser¶ Fixed In Version:¶ clamav 0.99.4 oval:org.secpod.oval:def:1800967 CVE-2018-0202: Out-of-bounds access in the PDF parser¶ Fixed In Version:¶ clamav 0.99.4 oval:org.secpod.oval:def:1600989 do_bid_note in readelf.c in libmagic.a has a stack-based buffer over-read, related to file_printf and file_vprintf. do_core_note in readelf.c in libmagic.a has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360 . do_core_note in readelf.c in libm ... oval:org.secpod.oval:def:1801178 CVE-2017-15232: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file. oval:org.secpod.oval:def:1801180 CVE-2017-15232: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file. oval:org.secpod.oval:def:1801181 CVE-2017-15232: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file. oval:org.secpod.oval:def:1801182 CVE-2018-1152: libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image. oval:org.secpod.oval:def:1600975 _XcursorThemeInherits in library.c in libXcursor allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow oval:org.secpod.oval:def:54589 python-gnupg: Python wrapper for the GNU Privacy Guard Several security issues were fixed in python-gnupg oval:org.secpod.oval:def:1601054 It was discovered that zsh does not properly validate the shebang of input files and it truncates it to the first 64 bytes. A local attacker may use this flaw to make zsh execute a different binary than what is expected, named with a substring of the shebang one. oval:org.secpod.oval:def:1600951 There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h. A crafted input will lead to a remote denial of service attack.The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler allows remote attackers to cause a denial of service via a crafted PDF file, a ... oval:org.secpod.oval:def:1600922 A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval function of libxml2 when parsing invalid XPath expression. Applications processing untrusted XSL format inputs with the use of libxml2 library may be vulnerable to denial of service attack due to crash of the applicati ... oval:org.secpod.oval:def:51142 texlive-bin: TeX Live: path search library for TeX Several security issues were fixed in Tex Live. oval:org.secpod.oval:def:704346 texlive-bin: TeX Live: path search library for TeX Several security issues were fixed in Tex Live. oval:org.secpod.oval:def:1600881 Null pointer dereference due to mishandling of ldap_get_dn return value allows denial-of-service by malicious LDAP server or man-in-the-middle attackerAn issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP se ... oval:org.secpod.oval:def:1600863 Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response allows denial of serviceIn PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing ... oval:org.secpod.oval:def:1600861 Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response allows denial of service:In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsin ... oval:org.secpod.oval:def:54584 It was discovered that a buffer overflow in the RTSP parser of the GStreamer media framework may result in the execution of arbitrary code if a malformed RSTP stream is opened. oval:org.secpod.oval:def:1801298 spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial-of-service, or, in the worst case, code-execution by unauthenticated attackers. Fixed In Version:¶ spice 0.14.2 oval:org.secpod.oval:def:1801353 spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial-of-service, or, in the worst case, code-execution by unauthenticated attackers. Fixed In Version:¶ spice 0.14.2 oval:org.secpod.oval:def:1801304 spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial-of-service, or, in the worst case, code-execution by unauthenticated attackers. Fixed In Version:¶ spice 0.14.2 oval:org.secpod.oval:def:1801305 spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial-of-service, or, in the worst case, code-execution by unauthenticated attackers. Fixed In Version:¶ spice 0.14.2 oval:org.secpod.oval:def:1801262 CVE-2018-12900: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service¶ Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service or possibly have unspecifi ... oval:org.secpod.oval:def:1801264 CVE-2018-12900: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service¶ Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service or possibly have unspecifi ... oval:org.secpod.oval:def:1801265 CVE-2018-12900: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service¶ Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service or possibly have unspecifi ... oval:org.secpod.oval:def:1600956 An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one chara ... oval:org.secpod.oval:def:1600964 nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module if the 'http2' option of the 'listen' directive is used in a configuration f ... oval:org.secpod.oval:def:1801253 CVE-2018-16843: Excessive memory consumption via flaw in HTTP/2 implementation¶ Affected Versions:¶ nginx 1.9.5 - 1.15.5. Fixed In Version:¶ nginx 1.15.6, nginx 1.14.1 oval:org.secpod.oval:def:1801255 CVE-2018-16843: Excessive memory consumption via flaw in HTTP/2 implementation¶ Affected Versions:¶ nginx 1.9.5 - 1.15.5. Fixed In Version:¶ nginx 1.15.6, nginx 1.14.1 oval:org.secpod.oval:def:1801104 CVE-2017-9935: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_fre ... oval:org.secpod.oval:def:1801105 CVE-2017-9935: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_fre ... oval:org.secpod.oval:def:1801106 CVE-2017-9935: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_fre ... oval:org.secpod.oval:def:1801107 CVE-2017-9935: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_fre ... oval:org.secpod.oval:def:1800959 In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against ... oval:org.secpod.oval:def:1800956 In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against ... oval:org.secpod.oval:def:1800957 In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against ... oval:org.secpod.oval:def:43620 The host is missing a critical security update according to Mozilla advisory, MFSA2018-03. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:43778 The host is missing a critical security update according to Mozilla advisory, MFSA2018-04. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:1600848 Buffer overflow in b64decode function, possibly leading to remote code execution:An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely oval:org.secpod.oval:def:1600840 Infinite loop issue triggered by invalid OPEN message allows denial-of-serviceAn infinite loop vulnerability was discovered in Quagga. A BGP peer could send specially crafted packets that would cause the daemon to enter an infinite loop, denying service and consuming CPU until it is restarted.Double ... oval:org.secpod.oval:def:1600930 The Squid Software Foundation Squid HTTP Caching Proxy contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appear to be exploitable via Remote HTTP server responding with an ... oval:org.secpod.oval:def:1800289 CVE-2018-1000024: Incorrect pointer handling when processing ESI Responses can lead to denial of service. Due to incorrect pointer handling, Squid versions 3.x and 4.x are vulnerable to a denial of service attack when processing ESI responses. This problem allows a remote server delivering certain ... oval:org.secpod.oval:def:1800865 CVE-2018-1000024: Incorrect pointer handling when processing ESI Responses can lead to denial of service¶ Due to incorrect pointer handling, Squid versions 3.x and 4.x are vulnerable to a denial of service attack when processing ESI responses. This problem allows a remote server delivering ce ... oval:org.secpod.oval:def:1600868 Buffer overflow in dhclient possibly allowing code execution triggered by malicious serverAn out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client mach ... oval:org.secpod.oval:def:43070 The host is installed with Google Chrome before 63.0.3239.84 and is prone to a integer overflow vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:1600864 Vorbis audio processing out of bounds write:An out of bounds write flaw was found in the processing of vorbis audio data. A maliciously crafted file or audio stream could cause the application to crash or, potentially, execute arbitrary code oval:org.secpod.oval:def:1600893 A cookie injection flaw was found in wget. An attacker can create a malicious website which, when accessed, overrides cookies belonging to arbitrary domains. oval:org.secpod.oval:def:1800980 CVE-2018-5150: Memory safety bugs CVE-2018-5154: Use-after-free with SVG animations and clip paths CVE-2018-5155: Use-after-free with SVG animations and text paths CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files CVE-2018-5158: Malicious PDF can inject JavaScript into PDF ... oval:org.secpod.oval:def:1801011 GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures. oval:org.secpod.oval:def:1801014 GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures. oval:org.secpod.oval:def:1801009 GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures. oval:org.secpod.oval:def:1800700 CVE-2017-9147: LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service via a crafted TIFF file. Reference: Patch: CVE-2017-9403: In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDir ... oval:org.secpod.oval:def:1800068 CVE-2017-9936: In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c. A crafted TIFF document can lead to a memory leak resulting in a remote denial of service attack. Reference:¶ Patch:¶ CVE-2017-10688: In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDirectoryTagCheckedLong8 ... oval:org.secpod.oval:def:1600822 Use-after-free in processing SMB1 requestsA use-after-free flaw was found in the way samba servers handled certain SMB1 requests. An unauthenticated attacker could send specially-crafted SMB1 requests to cause the server to crash or execute arbitrary code. Server heap-memory disclosureA memory discl ... oval:org.secpod.oval:def:603190 Adam Collard discovered that Bazaar, an easy to use distributed version control system, did not correctly handle maliciously constructed bzr+ssh URLs, allowing a remote attackers to run an arbitrary shell command. oval:org.secpod.oval:def:1800690 Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname Fixed In Version:¶ bzr 3.0 oval:org.secpod.oval:def:53199 Adam Collard discovered that Bazaar, an easy to use distributed version control system, did not correctly handle maliciously constructed bzr+ssh URLs, allowing a remote attackers to run an arbitrary shell command. oval:org.secpod.oval:def:1800148 It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments.The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes4 bytes. Properly chosen values ... oval:org.secpod.oval:def:1800759 It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments.The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes4 bytes. Properly chosen values ... oval:org.secpod.oval:def:43076 The host is missing a critical severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:1800926 CVE-2018-1050: Denial of Service Attack on external print server. Affected Versions All versions of Samba from 4.0.0 onwards. Fixed In Version Samba 4.7.6, 4.6.14 and 4.5.16. oval:org.secpod.oval:def:1800962 CVE-2018-1050: Denial of Service Attack on external print server. Affected Versions:¶ All versions of Samba from 4.0.0 onwards. Fixed In Version:¶ Samba 4.7.6, 4.6.14 and 4.5.16. oval:org.secpod.oval:def:1800963 CVE-2018-1050: Denial of Service Attack on external print server. Affected Versions:¶ All versions of Samba from 4.0.0 onwards. Fixed In Version:¶ Samba 4.7.6, 4.6.14 and 4.5.16. oval:org.secpod.oval:def:1800964 CVE-2018-1050: Denial of Service Attack on external print server. Affected Versions:¶ All versions of Samba from 4.0.0 onwards. Fixed In Version:¶ Samba 4.7.6, 4.6.14 and 4.5.16. oval:org.secpod.oval:def:1600843 Out-of-bounds read in code handling HTTP/2 trailers:libcurl contains an out bounds read in code handling HTTP/2 trailers. It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTT ... oval:org.secpod.oval:def:1600871 FTP path trickery leads to NIL byte out of bounds write:It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, re ... oval:org.secpod.oval:def:1801159 The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On sy ... oval:org.secpod.oval:def:1801174 The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On sy ... oval:org.secpod.oval:def:1801175 The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On sy ... oval:org.secpod.oval:def:1801161 The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On sy ... oval:org.secpod.oval:def:1600950 curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently ... oval:org.secpod.oval:def:1800928 CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write¶ Affected versions:¶ curl 7.12.3 to and including curl 7.58.0 Not affected versions:¶ curl = 7.59.0 oval:org.secpod.oval:def:1800930 CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write¶ Affected versions:¶ curl 7.12.3 to and including curl 7.58.0 Not affected versions:¶ curl = 7.59.0 oval:org.secpod.oval:def:1800931 CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write¶ Affected versions:¶ curl 7.12.3 to and including curl 7.58.0 Not affected versions:¶ curl = 7.59.0 oval:org.secpod.oval:def:1800947 CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write¶ Affected versions curl 7.12.3 to and including curl 7.58.0 Not affected versions curl = 7.59.0 oval:org.secpod.oval:def:1800161 CVE-2018-1000005: HTTP/2 trailer out-of-bounds read. Affected versions: libcurl 7.49.0 to and including 7.57.0 Not affected versions: libcurl = 7.58.0 oval:org.secpod.oval:def:1800705 CVE-2018-1000005: HTTP/2 trailer out-of-bounds read¶ Affected versions:¶ libcurl 7.49.0 to and including 7.57.0 Not affected versions:¶ libcurl = 7.58.0 oval:org.secpod.oval:def:49674 perl: Practical Extraction and Report Language Several security issues were fixed in Perl. oval:org.secpod.oval:def:49782 linux: Linux kernel - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:702991 linux-lts-utopic: Linux hardware enablement kernel from Utopic Several security issues were fixed in the kernel. oval:org.secpod.oval:def:702997 linux-lts-utopic: Linux hardware enablement kernel from Utopic for Trusty Details: USN-2909-1 fixed vulnerabilities in the Ubuntu 14.10 Linux kernel backported to Ubuntu 14.04 LTS. An incorrect locking fix caused a regression that broke graphics displays for Ubuntu 14.04 LTS guests running the Ubunt ... oval:org.secpod.oval:def:702999 linux: Linux kernel Details: USN-2908-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10. An incorrect locking fix caused a regression that broke graphics displays for Ubuntu 15.10 guests running within VMWare virtual machines. This update fixes the problem. We apologize for the inconvenie ... oval:org.secpod.oval:def:702998 linux-lts-vivid: Linux hardware enablement kernel from Vivid for Trusty Details: USN-2910-1 fixed vulnerabilities in the Ubuntu 15.04 Linux kernel backported to Ubuntu 14.04 LTS. An incorrect locking fix caused a regression that broke graphics displays for Ubuntu 14.04 LTS guests running the Ubuntu ... oval:org.secpod.oval:def:49022 nginx: small, powerful, scalable web/proxy server Several security issues were fixed in nginx. oval:org.secpod.oval:def:53954 php7.2: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:703690 libgcrypt20: LGPL Crypto library - libgcrypt11: LGPL Crypto library Several security issues were fixed in Libgcrypt. oval:org.secpod.oval:def:49284 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:49255 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * It was discovered that the ghostscript /invalidaccess checks fail under certain condition ... oval:org.secpod.oval:def:49217 The host is installed with Artifex Ghostscript before 9.26 and is prone to a type confusion vulnerability. A flaw is present in the application, which fails to properly handle psi/zicc.c component. Successful exploitation could allow attackers to bypass intended access restrictions because of a setc ... oval:org.secpod.oval:def:49218 The host is installed with Artifex Ghostscript before 9.26 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle psi/zdevice2.c component. Successful exploitation could allow attackers to bypass intended access restrictions because avai ... oval:org.secpod.oval:def:49215 The host is installed with Artifex Ghostscript before 9.26 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle LockSafetyParams device parameter. Successful exploitation could allow attackers to bypass security restrictions on the sys ... oval:org.secpod.oval:def:49216 The host is installed with Artifex Ghostscript before 9.26 and is prone to a type confusion vulnerability. A flaw is present in the application, which fails to properly handle psi/zfjbig2.c component. Successful exploitation could allow attackers to bypass intended access restrictions because of a J ... oval:org.secpod.oval:def:204731 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.2. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204706 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A use-after-free flaw was found in the way samba servers handled c ... oval:org.secpod.oval:def:204770 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Buffer overflow manipulating SVG animatedPathSegList * Mozilla: Out-of-bounds write with malformed IP ... oval:org.secpod.oval:def:204774 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Memory safety bugs fixed in Firefox ESR 52.7 * Mozilla: Vorbis audio processing out o ... oval:org.secpod.oval:def:204772 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.2 ESR. Security Fix: * Mozilla: Vorbis audio processing out of bounds write For more details about the security issue, including the impact, ... oval:org.secpod.oval:def:204763 Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: Cross-site scripting vulnerability in web UI For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References secti ... oval:org.secpod.oval:def:204760 The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector. Security Fix: * quagga: Double free v ... oval:org.secpod.oval:def:204767 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:204751 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204755 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204754 The gcab package contains a utility for managing the Cabinet archives. It can list, extract, and create Microsoft cabinet files. Security Fix: * gcab: Extracting malformed .cab files causes stack smashing potentially leading to arbitrary code execution For more details about the security issue, in ... oval:org.secpod.oval:def:204745 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:204743 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.6.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:48097 libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully auth ... oval:org.secpod.oval:def:48009 libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully auth ... oval:org.secpod.oval:def:204850 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow usin ... oval:org.secpod.oval:def:204855 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.9.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow using computed size of canvas element * Mozilla: Use ... oval:org.secpod.oval:def:703000 linux-lts-wily: Linux hardware enablement kernel from Wily for Trusty Details: USN-2908-2 fixed vulnerabilities in the Ubuntu 15.10 Linux kernel backported to Ubuntu 14.04 LTS. An incorrect locking fix caused a regression that broke graphics displays for Ubuntu 14.04 LTS guests running the Ubuntu 15 ... oval:org.secpod.oval:def:204821 LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix: * libvncserver: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c For more details about the security issue, including the impact, a CVSS score, and other re ... oval:org.secpod.oval:def:204820 The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix: * Mozilla: Vorbis audio processing out of bounds ... oval:org.secpod.oval:def:204825 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.8.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Ski ... oval:org.secpod.oval:def:204891 The SpamAssassin tool provides a way to reduce unsolicited commercial email from incoming email. Security Fix: * spamassassin: Certain unclosed tags in crafted emails allow for scan timeouts and result in denial of service * spamassassin: Local user code injection in the meta rule syntax For more ... oval:org.secpod.oval:def:204890 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * It was discovered that the ghostscript /invalidaccess checks fail under certain condition ... oval:org.secpod.oval:def:204886 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.1 ESR. Security Fix: * Mozilla: Crash in TransportSecurityInfo due to cached data * Mozilla: Setting a master password post-Firefox 58 does no ... oval:org.secpod.oval:def:204871 PostgreSQL is an advanced object-relational database management system . The following packages have been upgraded to a later upstream version: postgresql . Security Fix: * postgresql: Certain host connection parameters defeat client-side security defenses For more details about the security issue ... oval:org.secpod.oval:def:204875 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozi ... oval:org.secpod.oval:def:204868 Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. Security Fix: * mutt: Remote code injection vulnerability to an IMAP mailbox * mutt: Remote Code Execu ... oval:org.secpod.oval:def:703883 postgresql-common: PostgreSQL database-cluster manager postgresql-common could be made to overwrite files as the administrator. oval:org.secpod.oval:def:204814 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.8.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Skia * Mozilla: Use-after-free with SVG animations ... oval:org.secpod.oval:def:204813 The procps-ng packages contain a set of system utilities that provide system information, including ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx. Security Fix: * procps-ng, procps: Integer overflows leading to heap overflow in file2strvec * procps-ng, procps: ... oval:org.secpod.oval:def:204819 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.3 ESR. Security Fix: * firefox: Use-after-free in compositor potentially allows code execution For more details about the security issue, incl ... oval:org.secpod.oval:def:204818 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:48182 The host is installed with Artifex Ghostscript through 9.25 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle vectors involving the 1policy operator. Successful exploitation could allow attackers to bypass a sandbox protection mecha ... oval:org.secpod.oval:def:204574 The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 , and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. S ... oval:org.secpod.oval:def:204563 The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, exec ... oval:org.secpod.oval:def:33125 The host is installed with Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65 or 8.x before 8.0.27 and is prone to a directory traversal vulnerability. A flaw is present in RequestUtil.java, which fails to handle a /.. (slash dot dot) in a pathname used by a web application in a getResource, getReso ... oval:org.secpod.oval:def:703110 samba: SMB/CIFS file, print, and login server for Unix Details: USN-2950-1 fixed vulnerabilities in Samba. The backported fixes introduced in Ubuntu 12.04 LTS caused interoperability issues. This update fixes compatibility with certain NAS devices, and allows connecting to Samba 3.6 servers by relax ... oval:org.secpod.oval:def:703974 squid3: Web proxy cache server Several security issues were fixed in Squid. oval:org.secpod.oval:def:49637 The host is installed with Google Chrome before 71.0.3578.80 and is prone to a use after free vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:49638 The host is installed with Google Chrome before 71.0.3578.80 and is prone to a use after free vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:49646 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:49645 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:703245 libidn: implementation of IETF IDN specifications Several security issues were fixed in Libidn. oval:org.secpod.oval:def:1801090 In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. oval:org.secpod.oval:def:1801091 In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. oval:org.secpod.oval:def:1801087 In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. oval:org.secpod.oval:def:1801089 In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. oval:org.secpod.oval:def:1600971 An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite.An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER macro for CHM decom ... oval:org.secpod.oval:def:1600941 Paramiko contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity. This issue does not affect instances where only the ssh client functionality of the paramiko library is used. oval:org.secpod.oval:def:1801333 Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code. Fixed In Version:¶ python-paramiko 2 ... oval:org.secpod.oval:def:1801336 Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code. Fixed In Version:¶ python-paramiko 2 ... oval:org.secpod.oval:def:1801329 Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code. Fixed In Version:¶ python-paramiko 2 ... oval:org.secpod.oval:def:1800125 Parsing the Rich Text Format character style index was insufficiently checked for validity. Documents can be constructed which dereference an iterator to the first entry of an empty STL container. Fixed In: libreoffice 5.1.4, libreoffice 5.2.0 oval:org.secpod.oval:def:42353 The host is missing an important security update 4041681 oval:org.secpod.oval:def:42357 The host is missing an important security update KB4041690 oval:org.secpod.oval:def:42359 The host is missing an important security update KB4041687 oval:org.secpod.oval:def:42361 The host is missing an important security update KB4041693 oval:org.secpod.oval:def:42364 The host is missing an important security update 4041678 oval:org.secpod.oval:def:42363 The host is missing an important security update 4041679 oval:org.secpod.oval:def:1600903 The fs/ext4/inline.c:ext4_read_inline_data function in the Linux kernel performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode. The unbound copy can cause memory corruption or ... oval:org.secpod.oval:def:42417 A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or inject forged Wi-Fi packets by manipulating cryptograhpic handshakes used by the WPA2 protocol. oval:org.secpod.oval:def:42416 A new exploitation technique called key reinstallation attacks (KRACKs) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a group ... oval:org.secpod.oval:def:42415 A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or inject forged Wi-Fi packets by manipulating cryptograhpic handshakes used by the WPA2 protocol. oval:org.secpod.oval:def:42414 A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or inject forged Wi-Fi packets by manipulating cryptograhpic handshakes used by the WPA2 protocol. oval:org.secpod.oval:def:42419 A new exploitation technique called key reinstallation attacks (KRACKs) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used integrity group key (IGTK) dur ... oval:org.secpod.oval:def:42418 A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or inject forged Wi-Fi packets by manipulating cryptograhpic handshakes used by the WPA2 protocol. oval:org.secpod.oval:def:42420 A new exploitation technique called key reinstallation attacks (KRACKs) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit this attack to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by reinstalling a previously used group key (GTK) during a Wirel ... oval:org.secpod.oval:def:43010 The host is installed with Apple Mac OS X 10.11.6 or 10.12.6 or before 10.13.1 and is prone to a key reinstallation vulnerability. A flaw is present in the application, which fails to properly handle a logic issue existing in the handling of state. Successful exploitation could allow attackers to fo ... oval:org.secpod.oval:def:43014 The host is installed with Apple Mac OS X 10.11.6 or 10.12.6 or before 10.13.1 and is prone to a key reinstallation vulnerability. A flaw is present in the application, which fails to properly handle a logic issue existing in the handling of state. Successful exploitation could allow attackers to fo ... oval:org.secpod.oval:def:43012 The host is installed with Apple Mac OS X 10.11.6 or 10.12.6 or before 10.13.1 and is prone to a key reinstallation vulnerability. A flaw is present in the application, which fails to properly handle a logic issue existing in the handling of state. Successful exploitation could allow attackers to fo ... oval:org.secpod.oval:def:43011 The host is installed with Apple Mac OS X 10.11.6 or 10.12.6 or before 10.13.1 and is prone to a key reinstallation vulnerability. A flaw is present in the application, which fails to properly handle a logic issue existing in the handling of state. Successful exploitation could allow attackers to fo ... oval:org.secpod.oval:def:1600916 exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP 7.2.x before 7.2.8 allows remote attackers to cause a denial of service via a crafted JPEG file.exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free because it closes a stream that it ... oval:org.secpod.oval:def:1600913 exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, and 7.1.x before 7.1.20, allows remote attackers to cause a denial of service via a crafted JPEG file.An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, and 7.1.x before 7.1.20. An Integer Ov ... oval:org.secpod.oval:def:54515 php7.2: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:1600927 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... oval:org.secpod.oval:def:1600960 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... oval:org.secpod.oval:def:1600914 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.60 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability ... oval:org.secpod.oval:def:1600889 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of ... oval:org.secpod.oval:def:1600887 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromis ... oval:org.secpod.oval:def:204867 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * mysql: Client programs unspecified vulnerability * mysql: Server: DML unspecified vulnerability * my ... oval:org.secpod.oval:def:1600900 A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have ... oval:org.secpod.oval:def:204851 The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification For more details abou ... oval:org.secpod.oval:def:1600890 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of ... oval:org.secpod.oval:def:1600869 Uncontrolled search path element in pg_dump and other client applicationsA flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database oval:org.secpod.oval:def:1600982 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of ... oval:org.secpod.oval:def:1600991 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ... oval:org.secpod.oval:def:502544 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: incomplete fix for CVE-2018-16509 For more details about the security issue ... oval:org.secpod.oval:def:1502399 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:204790 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: realpath buffer underflow w ... oval:org.secpod.oval:def:703528 glibc: GNU C Library - eglibc: GNU C Library Several security issues were fixed in the GNU C Library. oval:org.secpod.oval:def:110610 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:110588 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:110368 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:110338 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:110318 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:110310 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:1600920 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... oval:org.secpod.oval:def:1600929 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... oval:org.secpod.oval:def:1600948 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... oval:org.secpod.oval:def:116923 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fai ... oval:org.secpod.oval:def:116921 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fai ... oval:org.secpod.oval:def:1601055 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information d ... oval:org.secpod.oval:def:53040 The host is missing a critical security update according to Mozilla advisory, MFSA2019-08. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:54108 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:54509 libxslt: XSLT processing library Libxslt could be made to expose sensitive information if it received a specially crafted file. oval:org.secpod.oval:def:49185 systemd: system and service manager Details: USN-3816-1 fixed several vulnerabilities in systemd. However, the fix for CVE-2018-6954 was not sufficient. This update provides the remaining fixes. We apologize for the inconvenience. Original advisory systemd-tmpfiles could be made to change ownership ... oval:org.secpod.oval:def:49174 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:49175 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:114286 The kernel meta package oval:org.secpod.oval:def:114809 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:54406 lua5.3: Simple, extensible, embeddable programming language Lua could be made to crash if it received a specially crafted script. oval:org.secpod.oval:def:57799 lua5.3: Simple, extensible, embeddable programming language Lua could be made to crash if it received a specially crafted script. oval:org.secpod.oval:def:1801422 Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships. oval:org.secpod.oval:def:1801423 Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships. oval:org.secpod.oval:def:1801424 Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships. oval:org.secpod.oval:def:57784 lua5.3: Simple, extensible, embeddable programming language Lua could be made to crash if it received a specially crafted script. oval:org.secpod.oval:def:1801417 Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships. oval:org.secpod.oval:def:116048 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:116061 The file command is used to identify a particular file according to the type of data contained by the file. File can identify many different file types, including ELF binaries, system libraries, RPM packages, and different graphics formats. oval:org.secpod.oval:def:116108 The file command is used to identify a particular file according to the type of data contained by the file. File can identify many different file types, including ELF binaries, system libraries, RPM packages, and different graphics formats. oval:org.secpod.oval:def:204575 The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 , and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. S ... oval:org.secpod.oval:def:204565 The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, exec ... oval:org.secpod.oval:def:204732 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.2. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204711 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * A use-after-free flaw was found in the way samba servers handled certain SMB1 requests. A ... oval:org.secpod.oval:def:204771 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.2 ESR. Security Fix: * Mozilla: Vorbis audio processing out of bounds write For more details about the security issue, including the impact, ... oval:org.secpod.oval:def:204778 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:204776 The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix: * Mozilla: Vorbis audio processing out of bounds ... oval:org.secpod.oval:def:204775 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Memory safety bugs fixed in Firefox ESR 52.7 * Mozilla: Vorbis audio processing out o ... oval:org.secpod.oval:def:204779 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.3 ESR. Security Fix: * firefox: Use-after-free in compositor potentially allows code execution For more details about the security issue, incl ... oval:org.secpod.oval:def:204766 Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: Cross-site scripting vulnerability in web UI For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References secti ... oval:org.secpod.oval:def:204764 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:204769 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Buffer overflow manipulating SVG animatedPathSegList * Mozilla: Out-of-bounds write with malformed IP ... oval:org.secpod.oval:def:204750 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204756 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:204742 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.6.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:204853 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow usin ... oval:org.secpod.oval:def:204858 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.9.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow using computed size of canvas element * Mozilla: Use ... oval:org.secpod.oval:def:204840 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:204843 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: Null pointer indirection in printer server process For mor ... oval:org.secpod.oval:def:204846 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * samba: Null pointer indirection in printer server process For more details about the sec ... oval:org.secpod.oval:def:204849 The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification For more details abou ... oval:org.secpod.oval:def:204833 The procps packages contain a set of system utilities that provide system information. The procps packages include the following utilities: ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, pwdx, sysctl, pmap, and slabtop. Security Fix: * procps-ng, procps: Integer overflow ... oval:org.secpod.oval:def:204898 The python-paramiko package provides a Python module that implements the SSH2 protocol for encrypted and authenticated connections to remote machines. Unlike SSL, the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. The protocol also includes the abili ... oval:org.secpod.oval:def:204897 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.2.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozilla: Use-after-free in IndexedDB * Mozilla: Prox ... oval:org.secpod.oval:def:204884 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.1 ESR. Security Fix: * Mozilla: Crash in TransportSecurityInfo due to cached data * Mozilla: Setting a master password post-Firefox 58 does no ... oval:org.secpod.oval:def:204874 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozi ... oval:org.secpod.oval:def:204869 Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. Security Fix: * mutt: Remote code injection vulnerability to an IMAP mailbox * mutt: Remote Code Execu ... oval:org.secpod.oval:def:204812 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.8.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Skia * Mozilla: Use-after-free with SVG animations ... oval:org.secpod.oval:def:204801 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.8.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Ski ... oval:org.secpod.oval:def:42413 The host is missing a security update KB4042723 oval:org.secpod.oval:def:54585 pacemaker: Cluster resource manager Several security issues were fixed in Pacemaker. oval:org.secpod.oval:def:54581 pacemaker: Cluster resource manager Several security issues were fixed in Pacemaker. oval:org.secpod.oval:def:502596 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:205153 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:1801349 CVE-2018-18500: Use-after-free parsing HTML5 stream CVE-2018-18501: Memory safety bugs CVE-2018-18505: Privilege escalation through IPC channel messages Fixed In Version:¶ Firefox ESR 60.5 oval:org.secpod.oval:def:1901437 QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host. oval:org.secpod.oval:def:116981 MariaDB is a community developed branch of MySQL - a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs and generic ... oval:org.secpod.oval:def:116551 Pacemaker is an advanced, scalable High-Availability cluster resource manager for Corosync, CMAN and/or Linux-HA. It supports more than 16 node clusters with significant capabilities for managing resources and dependencies. It will run scripts at initialization, when machines go up or down, when rel ... oval:org.secpod.oval:def:116552 Pacemaker is an advanced, scalable High-Availability cluster resource manager. It supports more than 16 node clusters with significant capabilities for managing resources and dependencies. It will run scripts at initialization, when machines go up or down, when related resources fail and can be conf ... oval:org.secpod.oval:def:1801392 libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. oval:org.secpod.oval:def:1801396 libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. oval:org.secpod.oval:def:1801398 libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. oval:org.secpod.oval:def:1801385 libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. oval:org.secpod.oval:def:116161 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:116101 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ... oval:org.secpod.oval:def:116022 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ... oval:org.secpod.oval:def:117136 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ... oval:org.secpod.oval:def:116172 Python 3.5 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.5, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:116166 Python 3.5 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.5, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:116220 poppler is a PDF rendering library. oval:org.secpod.oval:def:116212 poppler is a PDF rendering library. oval:org.secpod.oval:def:117138 The OpenSSL toolkit provides support for secure communications between machines. This version of OpenSSL package contains only the libraries and is provided for compatibility with previous releases and software that does not support compilation with OpenSSL-1.1. oval:org.secpod.oval:def:116132 This package provides Django in version 1.11 LTS, the last release to support Python 2. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. oval:org.secpod.oval:def:116126 This package provides Django in version 1.11 LTS, the last release to support Python 2. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. oval:org.secpod.oval:def:116059 Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. oval:org.secpod.oval:def:116056 Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. oval:org.secpod.oval:def:1801363 A vulnerability was found in Django before versions 2.2b1, 2.1.6, 2.0.11, 1.11.19. If django.utils.numberformat.format, used by contrib.admin as well as the the floatformat, filesizeformat, and intcomma templates filters, received a Decimal with a large number of digits or a large exponent, it could ... oval:org.secpod.oval:def:1801335 A vulnerability was found in Django before versions 2.2b1, 2.1.6, 2.0.11, 1.11.19. If django.utils.numberformat.format, used by contrib.admin as well as the the floatformat, filesizeformat, and intcomma templates filters, received a Decimal with a large number of digits or a large exponent, it could ... oval:org.secpod.oval:def:1801338 A vulnerability was found in Django before versions 2.2b1, 2.1.6, 2.0.11, 1.11.19. If django.utils.numberformat.format, used by contrib.admin as well as the the floatformat, filesizeformat, and intcomma templates filters, received a Decimal with a large number of digits or a large exponent, it could ... oval:org.secpod.oval:def:1801327 A vulnerability was found in Django before versions 2.2b1, 2.1.6, 2.0.11, 1.11.19. If django.utils.numberformat.format, used by contrib.admin as well as the the floatformat, filesizeformat, and intcomma templates filters, received a Decimal with a large number of digits or a large exponent, it could ... oval:org.secpod.oval:def:116154 Libarchive is a programming library that can create and read several different streaming archive formats, including most popular tar variants, several cpio formats, and both BSD and GNU ar variants. It can also write shar archives and read ISO9660 CDROM images and ZIP archives. oval:org.secpod.oval:def:116228 Libarchive is a programming library that can create and read several different streaming archive formats, including most popular tar variants, several cpio formats, and both BSD and GNU ar variants. It can also write shar archives and read ISO9660 CDROM images and ZIP archives. oval:org.secpod.oval:def:116197 poppler is a PDF rendering library. oval:org.secpod.oval:def:116120 MinGW Windows Poppler library. oval:org.secpod.oval:def:116116 MinGW Windows Poppler library. oval:org.secpod.oval:def:116027 poppler is a PDF rendering library. oval:org.secpod.oval:def:116443 SSH is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the sec ... oval:org.secpod.oval:def:1801356 CVE-2018-20685: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. oval:org.secpod.oval:def:1801334 CVE-2018-20685: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. oval:org.secpod.oval:def:1801326 CVE-2018-20685: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. oval:org.secpod.oval:def:1801328 CVE-2018-20685: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. oval:org.secpod.oval:def:1600984 The GD Graphics Library has a double free in the gdImage*Ptr functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected oval:org.secpod.oval:def:1801183 CVE-2018-4246 Processing maliciously crafted web content may lead to arbitrary code execution. A type confusion issue was addressed with improved memory handling. Versions affected: WebKitGTK+ before 2.20.4 CVE-2018-4261 Processing maliciously crafted web content may lead to arbitrary code execution ... oval:org.secpod.oval:def:1801319 Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via crafted URL in the default 404 page. An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found view. Fixed In Version: ... oval:org.secpod.oval:def:1801325 Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via crafted URL in the default 404 page. An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found view. Fixed In Version: ... oval:org.secpod.oval:def:1901301 QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked . oval:org.secpod.oval:def:2000326 A flaw was found in qemu Media Transfer Protocol . The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn"t consider that the underlying filesystem may have changed since the time lstat was called in usb_mtp_object_alloc, a classic ... oval:org.secpod.oval:def:704851 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:1901101 hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled. oval:org.secpod.oval:def:1900087 A flaw was found in qemu Media Transfer Protocol . The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn"t consider that the underlying file system may have changed since the time lstat was called in usb_mtp_object_alloc, a classi ... oval:org.secpod.oval:def:1801260 CVE-2018-18311: Integer overflow leading to buffer overflow¶ A flaw was found in Perl versions 5.8.0 through 5.28. An Integer overflow leading to buffer overflow in Perl_my_setenv function in util.c Fixed In Version:¶ perl 5.29.1, perl 5.26.3 oval:org.secpod.oval:def:1801258 CVE-2018-18311: Integer overflow leading to buffer overflow¶ A flaw was found in Perl versions 5.8.0 through 5.28. An Integer overflow leading to buffer overflow in Perl_my_setenv function in util.c Fixed In Version:¶ perl 5.29.1, perl 5.26.3 oval:org.secpod.oval:def:1801259 CVE-2018-18311: Integer overflow leading to buffer overflow¶ A flaw was found in Perl versions 5.8.0 through 5.28. An Integer overflow leading to buffer overflow in Perl_my_setenv function in util.c Fixed In Version:¶ perl 5.29.1, perl 5.26.3 oval:org.secpod.oval:def:116250 WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode. Although the technology is loosely based on previous versions of WavPack, the new version 4 format has been designed from the ground up to offer unparalleled performanc ... oval:org.secpod.oval:def:1801351 CVE-2018-19840: The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero. oval:org.secpod.oval:def:1801314 CVE-2018-19840: The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero. oval:org.secpod.oval:def:1801306 CVE-2018-19840: The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero. oval:org.secpod.oval:def:1801308 CVE-2018-19840: The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPack through 5.1.0 allows attackers to cause a denial-of-service via a crafted wav audio file because WavpackSetConfiguration64 mishandles a sample rate of zero. oval:org.secpod.oval:def:116204 A third-party plugin for the Pidgin multi-protocol instant messenger. It implements the extended version of SIP/SIMPLE used by various products: * Skype for Business * Microsoft Office 365 * Microsoft Business Productivity Online Suite * Microsoft Lync Server * Microsoft Office Communications Serve ... oval:org.secpod.oval:def:116201 gnome-boxes lets you easily create, setup, access, and use: * remote machines * remote virtual machines * local virtual machines * When technology permits, set up access for applications on local virtual machines oval:org.secpod.oval:def:116227 Remmina is a remote desktop client written in GTK+, aiming to be useful for system administrators and travelers, who need to work with lots of remote computers in front of either large monitors or tiny net-books. Remmina supports multiple network protocols in an integrated and consistent user interf ... oval:org.secpod.oval:def:116233 The xfreerdp & wlfreerdp Remote Desktop Protocol clients from the FreeRDP project. xfreerdp & wlfreerdp can connect to RDP servers such as Microsoft Windows machines, xrdp and VirtualBox. oval:org.secpod.oval:def:116065 gnome-boxes lets you easily create, setup, access, and use: * remote machines * remote virtual machines * local virtual machines * When technology permits, set up access for applications on local virtual machines oval:org.secpod.oval:def:116058 The xfreerdp & wlfreerdp Remote Desktop Protocol clients from the FreeRDP project. xfreerdp & wlfreerdp can connect to RDP servers such as Microsoft Windows machines, xrdp and VirtualBox. oval:org.secpod.oval:def:116050 Remmina is a remote desktop client written in GTK+, aiming to be useful for system administrators and travelers, who need to work with lots of remote computers in front of either large monitors or tiny net-books. Remmina supports multiple network protocols in an integrated and consistent user interf ... oval:org.secpod.oval:def:116072 A third-party plugin for the Pidgin multi-protocol instant messenger. It implements the extended version of SIP/SIMPLE used by various products: * Skype for Business * Microsoft Office 365 * Microsoft Business Productivity Online Suite * Microsoft Lync Server * Microsoft Office Communications Serve ... oval:org.secpod.oval:def:1801394 CVE-2018-8786: FreeRDP prior to version 2.0.0-rc4 contains an Integer Truncation that leads to a Heap-Based Buffer Overflow in function update_read_bitmap_update and results in a memory corruption and probably even a remote code execution. oval:org.secpod.oval:def:1801261 CVE-2018-19409: An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. Fixed In Version:¶ ghostscript 9.26 oval:org.secpod.oval:def:1801263 CVE-2018-19409: An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. Fixed In Version:¶ ghostscript 9.26 oval:org.secpod.oval:def:1801266 CVE-2018-19409: An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. Fixed In Version:¶ ghostscript 9.26 oval:org.secpod.oval:def:114193 Chromium is an open-source web browser, powered by WebKit . oval:org.secpod.oval:def:1600974 A heap use-after-free flaw was found in curl related to closing an easy handle. When closing and cleaning up an #039;easy#039; handle in the `Curl_close` function, the library code first frees a struct and might then subsequently erroneously write to a struct field within that already freed struct. ... oval:org.secpod.oval:def:1801193 The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a crafted certificate, the vulnerability was introduced with the patch that fixes CVE-2018-16151/2. oval:org.secpod.oval:def:1801196 The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a crafted certificate, the vulnerability was introduced with the patch that fixes CVE-2018-16151/2. oval:org.secpod.oval:def:1801197 The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a crafted certificate, the vulnerability was introduced with the patch that fixes CVE-2018-16151/2. oval:org.secpod.oval:def:1801189 The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a crafted certificate, the vulnerability was introduced with the patch that fixes CVE-2018-16151/2. oval:org.secpod.oval:def:1801187 CVE-2018-16151: In verify_emsa_pkcs1_signature in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS#1 v1.5 signature verification. Similar to the flaw in the same ... oval:org.secpod.oval:def:1600943 Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, ... oval:org.secpod.oval:def:1600967 Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, ... oval:org.secpod.oval:def:1600937 A flaw was found in the way a local user on the SpamAssassin server could inject code in the meta rule syntax. This could cause the arbitrary code execution on the server when these rules are being processed.A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin ... oval:org.secpod.oval:def:1801559 An issue was discovered in Artifex Ghostscript before 9.25. Incorrect "restoration of privilege" checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. This is due to an incomplete fix fo ... oval:org.secpod.oval:def:1801533 An issue was discovered in Artifex Ghostscript before 9.25. Incorrect "restoration of privilege" checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. This is due to an incomplete fix fo ... oval:org.secpod.oval:def:1502317 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1600969 It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document. oval:org.secpod.oval:def:1801158 CVE-2018-10194: The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact ... oval:org.secpod.oval:def:1801173 CVE-2018-10194: The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact ... oval:org.secpod.oval:def:1801162 CVE-2018-10194: The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact ... oval:org.secpod.oval:def:1801168 CVE-2018-10194: The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact ... oval:org.secpod.oval:def:1801199 CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c¶ An issue was discovered in ListExt.c:XListExtensions and GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL ... oval:org.secpod.oval:def:1801204 CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c¶ An issue was discovered in ListExt.c:XListExtensions and GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL ... oval:org.secpod.oval:def:1801205 CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c¶ An issue was discovered in ListExt.c:XListExtensions and GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL ... oval:org.secpod.oval:def:1801206 CVE-2018-14598: Crash on invalid reply in XListExtensions in ListExt.c¶ An issue was discovered in ListExt.c:XListExtensions and GetFPath.c:XGetFontPath in libX11 through version 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL ... oval:org.secpod.oval:def:1801184 Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac1 ... oval:org.secpod.oval:def:1801185 Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac1 ... oval:org.secpod.oval:def:1801186 Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac1 ... oval:org.secpod.oval:def:1801188 Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac1 ... oval:org.secpod.oval:def:1600904 Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue and tcp_prune_ofo_queue for every incoming packet which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessi ... oval:org.secpod.oval:def:1800171 - Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster". For details see &lt; [CVE-2017-7526] Looks like libgcrypt needs to be fixed in stable branches. oval:org.secpod.oval:def:1600877 DOS via regular expression catastrophic backtracking in apop method in pop3libA flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop method. An attacker could use this flaw to cause denial of service. DOS via regular expression backtracking in diff ... oval:org.secpod.oval:def:1600952 A flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop method. An attacker could use this flaw to cause denial of service.A flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacke ... oval:org.secpod.oval:def:1801021 Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. ... oval:org.secpod.oval:def:1801022 Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. ... oval:org.secpod.oval:def:1801019 Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. ... oval:org.secpod.oval:def:1801005 A flaw was found in strongSwan VPN"s charon server prior to version 5.6.3. In stroke_socket.c, a missing packet length check could allow a integer underflow, which may lead to resource exhaustion and denial of service while reading from the socket. A remote attacker with local user credentials may ... oval:org.secpod.oval:def:114969 PostgreSQL is an advanced Object-Relational database management system . The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as t ... oval:org.secpod.oval:def:1600955 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... oval:org.secpod.oval:def:1600947 A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do a symbolic link resolution in the aforementioned path. If the user affected is p ... oval:org.secpod.oval:def:1600918 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security cl ... oval:org.secpod.oval:def:1600915 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.7.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability ca ... oval:org.secpod.oval:def:1600912 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.40 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can ... oval:org.secpod.oval:def:1600954 Libgcrypt allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacke ... oval:org.secpod.oval:def:1600862 Cross-site scripting vulnerability in web UIA cross-site scripting flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user's side and force the victim to perform unintended actions. CSRF protection missing in t ... oval:org.secpod.oval:def:1600880 Fragmentation attacks possible when EDNS0 is enabledThe DNS stub resolver in the GNU C Library before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.Buffer overflow in glob ... oval:org.secpod.oval:def:1800920 - Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster". For details see &lt; [CVE-2017-7526] Looks like libgcrypt needs to be fixed in stable branches. oval:org.secpod.oval:def:1800802 - Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster". For details see &lt; [CVE-2017-7526] Looks like libgcrypt needs to be fixed in stable branches. oval:org.secpod.oval:def:1501965 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:113857 Chromium is an open-source web browser, powered by WebKit . oval:org.secpod.oval:def:43116 The host is missing a critical severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:43115 The host is missing a critical severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:43136 The host is missing a critical severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:114033 Qt5 - QtWebEngine components. oval:org.secpod.oval:def:114053 Qt5 - QtWebEngine components. oval:org.secpod.oval:def:115365 Chromium is an open-source web browser, powered by WebKit . oval:org.secpod.oval:def:115437 Chromium is an open-source web browser, powered by WebKit . oval:org.secpod.oval:def:115234 Chromium is an open-source web browser, powered by WebKit . oval:org.secpod.oval:def:49590 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:53475 Several vulnerabilities have been discovered in the chromium web browser. CVE-2018-17480 Guang Gong discovered an out-of-bounds write issue in the v8 javascript library. CVE-2018-17481 Several use-after-free issues were discovered in the pdfium library. CVE-2018-18335 A buffer overflow issue was dis ... oval:org.secpod.oval:def:503199 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: nfs: use-after-free in svc_process_common * kernel: insufficient input validation in kernel mode driver in Intel i915 graphics leads to privilege escalation * kernel: nfs: NULL pointer der ... oval:org.secpod.oval:def:44802 The host is missing a security update according to Apple advisory, APPLE-SA-2018-3-29-8. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly perform input validation. Successful exploitation could allow attackers to disclose sensi ... oval:org.secpod.oval:def:603586 Several vulnerabilities have been discovered in the chromium web browser. CVE-2018-17480 Guang Gong discovered an out-of-bounds write issue in the v8 javascript library. CVE-2018-17481 Several use-after-free issues were discovered in the pdfium library. CVE-2018-18335 A buffer overflow issue was dis ... oval:org.secpod.oval:def:1900675 hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation , which allows attackers to cause a denial of service . oval:org.secpod.oval:def:1901552 A flaw was found in qemu Media Transfer Protocol before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead d ... oval:org.secpod.oval:def:114224 The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols. oval:org.secpod.oval:def:114223 The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols. oval:org.secpod.oval:def:114546 The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets ... oval:org.secpod.oval:def:115085 The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets ... oval:org.secpod.oval:def:113555 Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-all ... oval:org.secpod.oval:def:49586 The host is installed with Google Chrome before 71.0.3578.80, Thunderbird before 60.5.1, Firefox before 65.0.1 or Firefox ESR before 60.5.1 and is prone to a use after free vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows ... oval:org.secpod.oval:def:45895 The host is missing a security update according to Apple advisory, APPLE-SA-2018-06-01-3. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary ... oval:org.secpod.oval:def:45896 The host is missing a security update according to Apple advisory, APPLE-SA-2018-06-01-3. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary ... oval:org.secpod.oval:def:45944 The host is missing a security update according to Apple advisory, APPLE-SA-2018-06-01-2. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly perform input validation. Successful exploitation could allow attackers to cause arbitra ... oval:org.secpod.oval:def:205146 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * libsoup: Crash in soup_cookie_jar.c:get_cookies on empty hostnames * poppler: Infinite recursion in fofi/FoFiType1C.cc:FoFiType1C::cvtGlyph function allows denial of service * libgxps: heap based buffer over read ... oval:org.secpod.oval:def:43640 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- Mozilla developers and community members reported memory safety bugs present in Firefox, Firefox ESR and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort th ... oval:org.secpod.oval:def:43641 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 :- A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43642 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 8 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially e ... oval:org.secpod.oval:def:43643 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitab ... oval:org.secpod.oval:def:43644 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when form input elements, focus, and selections are manipulated by script content. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43645 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when the widget listener is holding strong references to browser objects that have previously been freed, resulting in a potentially exploitable crash when these references a ... oval:org.secpod.oval:def:43646 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when manipulating HTML media elements with media streams, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:43647 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during mouse event handling due to issues with multiprocess support. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43648 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during font face manipulation when a font face is freed while still in use, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:43649 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displ ... oval:org.secpod.oval:def:43651 Mozilla Firefox before 58.0 :- Mozilla developers and community members reported memory safety bugs present in Firefox. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. oval:org.secpod.oval:def:43652 Mozilla Firefox before 58.0 :- A use-after-free vulnerability can occur when the thread for a Web Worker is freed from memory prematurely instead of from memory in the main thread while cancelling fetch operations. oval:org.secpod.oval:def:43653 Mozilla Firefox before 58.0 :- A heap buffer overflow vulnerability may occur in WebAssembly during Memory/Table resizing, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:43654 Mozilla Firefox before 58.0 :- A heap buffer overflow vulnerability may occur in WebAssembly when shrinkElements is called followed by garbage collection on memory that is now uninitialized. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43655 Mozilla Firefox before 58.0 :- A use-after-free vulnerability can occur when arguments passed to the IsPotentiallyScrollable function are freed while still in use by scripts. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43656 Mozilla Firefox before 58.0 :- A use-after-free vulnerability can occur when manipulating floating first-letter style elements, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:43657 Mozilla Firefox before 58.0 :- WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent. oval:org.secpod.oval:def:43658 Mozilla Firefox before 58.0 :- Style editor traffic in the Developer Tools can be routed through a service worker hosted on a third party website if a user selects error links when these tools are open. This can allow style editor information used within Developer Tools to leak cross-origin. oval:org.secpod.oval:def:43659 Mozilla Firefox before 58.0 :- The printing process can bypass local access protections to read files available through symlinks, bypassing local file restrictions. The printing process requires files in a specific format so arbitrary data cannot be read but it is possible that some local file infor ... oval:org.secpod.oval:def:43660 Mozilla Firefox before 58.0 :- A Blob URL can violate origin attribute segregation, allowing it to be accessed from a private browsing tab and for data to be passed between the private browsing tab and a normal tab. This could allow for the leaking of private information specific to the private brow ... oval:org.secpod.oval:def:43661 Mozilla Firefox before 58.0 :- An audio capture session can started under an incorrect origin from the site making the capture request. Users are still prompted to allow the request but the prompt can display the wrong origin, leading to user confusion about which site is making the request to captu ... oval:org.secpod.oval:def:43662 Mozilla Firefox before 58.0 :- A potential integer overflow in the DoCrypt function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. oval:org.secpod.oval:def:43663 Mozilla Firefox before 58.0 :- When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. This allows for phishing attacks where a malicious page can spoof the identify of another site. oval:org.secpod.oval:def:43664 Mozilla Firefox before 58.0 :- Development Tools panels of an extension are required to load URLs for the panels as relative URLs from the extension manifest file but this requirement was not enforced in all instances. This could allow the development tools panel for the extension to load a URL that ... oval:org.secpod.oval:def:43665 Mozilla Firefox before 58.0 :- The browser.identity.launchWebAuthFlow function of WebExtensions is only allowed to load content over https: but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension. oval:org.secpod.oval:def:43666 Mozilla Firefox before 58.0 :- If an existing cookie is changed to be HttpOnly while a document is open, the original value remains accessible through script until that document is closed. Network requests correctly use the changed HttpOnly cookie. oval:org.secpod.oval:def:43667 Mozilla Firefox before 58.0 :- If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Although the prompt contains the real domain making the request, this can result in user confusion about t ... oval:org.secpod.oval:def:43668 Mozilla Firefox before 58.0 :- WebExtensions with the ActiveTab permission are able to access frames hosted within the active tab even if the frames are cross-origin. Malicious extensions can inject frames from arbitrary origins into the loaded page and then interact with them, bypassing same-origin ... oval:org.secpod.oval:def:43669 Mozilla Firefox before 58.0 :- The screenshot images displayed in the Activity Stream page displayed when a new tab is opened is created from the meta tags of websites. An issue was discovered where the page could attempt to create these images through file: URLs from the local file system. This loa ... oval:org.secpod.oval:def:43670 Mozilla Firefox before 58.0 :- The reader view will display cross-origin content when CORS headers are set to prohibit the loading of cross-origin content by a site. This could allow access to content that should be restricted in reader view. oval:org.secpod.oval:def:43673 The host is missing a critical security update according to Mozilla advisory, MFSA2018-02. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:43674 The host is missing a critical security update according to Mozilla advisory, MFSA2018-03. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:43779 The host is missing a critical security update according to Mozilla advisory, MFSA2018-04. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:1502308 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502357 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozi ... oval:org.secpod.oval:def:502356 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozi ... oval:org.secpod.oval:def:115584 SNMP is a protocol used for network management. The NET-SNMP project includes various SNMP tools: an extensible agent, an SNMP library, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a ... oval:org.secpod.oval:def:1801282 CVE-2018-1000807: Use-after-free in X509 object handling¶ Python Cryptographic Authority pyopenssl version before 17.5.0 has a use-after-free vulnerability in X509 object handling. This can result in a denial of service or potentially even code execution. oval:org.secpod.oval:def:1801284 CVE-2018-1000807: Use-after-free in X509 object handling¶ Python Cryptographic Authority pyopenssl version before 17.5.0 has a use-after-free vulnerability in X509 object handling. This can result in a denial of service or potentially even code execution. oval:org.secpod.oval:def:1801288 CVE-2018-1000807: Use-after-free in X509 object handling¶ Python Cryptographic Authority pyopenssl version before 17.5.0 has a use-after-free vulnerability in X509 object handling. This can result in a denial of service or potentially even code execution. oval:org.secpod.oval:def:1600837 SingleEntryRegistry incorrect setup of deserialization filter It was discovered that the JMX component of OpenJDK failed to properly set the deserialization filter for the SingleEntryRegistry in certain cases. A remote attacker could possibly use this flaw to bypass intended deserialization restrict ... oval:org.secpod.oval:def:1600857 DerValue unbounded memory allocation:It was discovered that the Libraries component of OpenJDK failed to sufficiently limit the amount of memory allocated when reading DER encoded input. A remote attacker could possibly use this flaw to make a Java application use an excessive amount of memory if it ... oval:org.secpod.oval:def:204733 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * Multiple flaws were found in the Hotspot and AWT components of OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java ... oval:org.secpod.oval:def:204735 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * Multiple flaws were found in the Hotspot and AWT components of OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java ... oval:org.secpod.oval:def:204752 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * A flaw was found in the AWT component of OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ... oval:org.secpod.oval:def:204753 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * A flaw was found in the AWT component of OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ... oval:org.secpod.oval:def:1600884 Unbounded memory allocation during deserialization in NamedNodeMapImpl Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE . Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerabi ... oval:org.secpod.oval:def:1600876 Unbounded memory allocation during deserialization in Container Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE . Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerabi ... oval:org.secpod.oval:def:204781 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ... oval:org.secpod.oval:def:204782 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ... oval:org.secpod.oval:def:204824 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ... oval:org.secpod.oval:def:204829 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ... oval:org.secpod.oval:def:603587 Multiple security issues were found in PHP, a widely-used open source general purpose scripting language: The EXIF module was susceptible to denial of service/information disclosure when parsing malformed images, the Apache module allowed cross-site-scripting via the body of a Transfer-Encoding: chu ... oval:org.secpod.oval:def:702982 linux-lts-wily: Linux hardware enablement kernel from Wily Several security issues were fixed in the kernel. oval:org.secpod.oval:def:702986 linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the kernel. oval:org.secpod.oval:def:702984 linux: Linux kernel Several security issues were fixed in the kernel. oval:org.secpod.oval:def:702989 linux-lts-vivid: Linux hardware enablement kernel from Vivid Several security issues were fixed in the kernel. oval:org.secpod.oval:def:702987 linux: Linux kernel Several security issues were fixed in the kernel. oval:org.secpod.oval:def:703349 linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise Several security issues were fixed in the kernel. oval:org.secpod.oval:def:703347 linux: Linux kernel Several security issues were fixed in the kernel. oval:org.secpod.oval:def:703321 linux: Linux kernel The system could be made to run programs as an administrator. oval:org.secpod.oval:def:703320 linux: Linux kernel The system could be made to run programs as an administrator. oval:org.secpod.oval:def:203891 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A protocol flaw, publicly referred to as Badlock, was found in the ... oval:org.secpod.oval:def:703325 linux-raspi2: Linux kernel for Raspberry Pi 2 The system could be made to run programs as an administrator. oval:org.secpod.oval:def:703315 linux: Linux kernel The system could be made to run programs as an administrator. oval:org.secpod.oval:def:703314 linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty The system could be made to run programs as an administrator. oval:org.secpod.oval:def:703319 linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise The system could be made to run programs as an administrator. oval:org.secpod.oval:def:703317 linux-ti-omap4: Linux kernel for OMAP4 The system could be made to run programs as an administrator. oval:org.secpod.oval:def:203904 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * Multiple flaws were found in Samba"s DCE/RPC protocol implementation. A remote, authentic ... oval:org.secpod.oval:def:702990 linux-lts-trusty: Linux hardware enablement kernel from Trusty Several security issues were fixed in the kernel. oval:org.secpod.oval:def:110394 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:110395 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:400809 Samba was updated to the 4.2.x codestream, bringing some new features and security fixes . These security issues were fixed: - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks . - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication . - CVE-2 ... oval:org.secpod.oval:def:1800190 CVE-2016-4962, XSA-175: Unsanitised guest input in libxl device handling code. CVE-2016-4480, XSA-176: x86 software guest page walk PS bit handling flaw. CVE-2016-4963, XSA-178: Unsanitised driver domain input in libxl device handling. CVE-2016-3710 CVE-2016-3712, XSA-179: QEMU: Banked access to VGA ... oval:org.secpod.oval:def:703053 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:110561 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:110577 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:1800268 CVE-2016-3157, XSA-171: I/O port access privilege escalation in x86-64 Linux IRET and POPF do not modify EFLAGS.IOPL when executed by code at a privilege level other than zero. Since PV Xen guests run at privilege level 3 , to compensate for this the context switching of EFLAGS.IOPL requires the gue ... oval:org.secpod.oval:def:110542 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:110505 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:400699 samba was updated to fix seven security issues. These security issues were fixed: - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks . - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication . - CVE-2016-2111: Domain controller netlogon member ... oval:org.secpod.oval:def:703159 linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the kernel. oval:org.secpod.oval:def:400672 qemu was updated to fix 37 security issues. These security issues were fixed: - CVE-2016-4439: Avoid OOB access in 53C9X emulation - CVE-2016-4441: Avoid OOB access in 53C9X emulation - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI emulation - CVE-2015-8817: Avoid OOB access in PCI DMA I/O - ... oval:org.secpod.oval:def:400637 qemu was updated to fix 29 security issues. These security issues were fixed: - CVE-2016-4439: Avoid OOB access in 53C9X emulation - CVE-2016-4441: Avoid OOB access in 53C9X emulation - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI emulation - CVE-2015-8817: Avoid OOB access in PCI dma I/O - ... oval:org.secpod.oval:def:400618 This update for xen to version 4.5.3 fixes the several issues. These security issues were fixed: - CVE-2016-6258: Potential privilege escalation in PV guests . - CVE-2016-6259: Missing SMAP whitelisting in 32-bit exception / event delivery . - CVE-2016-5337: The megasas_ctrl_get_info function allo ... oval:org.secpod.oval:def:703230 linux-ti-omap4: Linux kernel for OMAP4 Several security issues were fixed in the kernel. oval:org.secpod.oval:def:703233 linux: Linux kernel Several security issues were fixed in the kernel. oval:org.secpod.oval:def:1600909 The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. The ... oval:org.secpod.oval:def:116193 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ... oval:org.secpod.oval:def:1600945 When the default servlet in Apache Tomcat versions 7.0.23 to 7.0.90 returned a redirect to a directory a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. oval:org.secpod.oval:def:1600906 The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. The ... oval:org.secpod.oval:def:204892 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: A bug in the UTF-8 decoder can lead to DoS For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed ... oval:org.secpod.oval:def:1800937 CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters¶ The django.utils.html.urlize function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions . The urlize function is used to implement the ... oval:org.secpod.oval:def:1800938 CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters¶ The django.utils.html.urlize function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions . The urlize function is used to implement the ... oval:org.secpod.oval:def:1800944 CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters¶ The django.utils.html.urlize function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions . The urlize function is used to implement the ... oval:org.secpod.oval:def:1800952 CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters¶ The django.utils.html.urlize function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions . The urlize function is used to implement the ... oval:org.secpod.oval:def:602436 Multiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation. oval:org.secpod.oval:def:400782 This update for tomcat fixes the following issues: Tomcat 8 was updated from 8.0.23 to 8.0.32, to fix bugs and security issues. Fixed security issues: * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in Apache Tomcat allowed remote authenticated users to bypass intended Securit ... oval:org.secpod.oval:def:1600343 A directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths cal ... oval:org.secpod.oval:def:1600336 ResourceLinkFactory.setGlobalContext is a public method and was discovered to be accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applicati ... oval:org.secpod.oval:def:1600351 A directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths cal ... oval:org.secpod.oval:def:1600357 ResourceLinkFactory.setGlobalContext is a public method and was discovered to be accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applicati ... oval:org.secpod.oval:def:1600384 A directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths cal ... oval:org.secpod.oval:def:602469 Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections and bypass of the SecurityManager. oval:org.secpod.oval:def:33121 The host is installed with Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31 or 9.x before 9.0.0.M3 and is prone to a security bypass vulnerability. A flaw is present in the setGlobalContext method, which does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized. Success ... oval:org.secpod.oval:def:33120 The host is installed with Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31 or 9.x before 9.0.0.M2 and is prone to a security bypass vulnerability. A flaw is present in the application, which does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catal ... oval:org.secpod.oval:def:33119 The host is installed with Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31 or 9.x before 9.0.0.M2 and is prone to a security bypass vulnerability. A flaw is present in the session-persistence implementation, which mishandles session attributes. Successful exploitation allows re ... oval:org.secpod.oval:def:400638 This update for tomcat fixes the following security issues. Tomcat has been updated from 7.0.55 to 7.0.68. * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in Apache Tomcat allowed remote authenticated users to bypass intended SecurityManager restrictions and list a parent dire ... oval:org.secpod.oval:def:110343 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ... oval:org.secpod.oval:def:1501600 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application dep ... oval:org.secpod.oval:def:33123 The host is installed with Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30 or 9.x before 9.0.0.M2 and is prone to a session fixation vulnerability. A flaw is present in the session-persistence implementation, which fails to handle different session settings used for deployments of multiple versio ... oval:org.secpod.oval:def:33122 The host is installed with Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31 or 9.x before 9.0.0.M2 and is prone to a security bypass vulnerability. A flaw is present in the Manager and Host Manager applications, which establish sessions and send CSRF tokens for arbitrary new requests. Successful e ... oval:org.secpod.oval:def:33124 The host is installed with Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30 or 9.x before 9.0.0.M2 and is prone to an information disclosure vulnerability. A flaw is present in the Mapper component, which processes redirects before considering security constraints and Filters. S ... oval:org.secpod.oval:def:1700134 An improper input validation was found in function __zzip_fetch_disk_trailer of ZZIPlib, up to 0.13.68, that could lead to a crash in __zzip_parse_root_directory function of zzip/ip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file.A memory lea ... oval:org.secpod.oval:def:115244 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:704925 python-gnupg: Python wrapper for the GNU Privacy Guard Several security issues were fixed in python-gnupg oval:org.secpod.oval:def:1901892 A use-after-free defect was discovered in pacemaker that can possibly lead to unsolicited information disclosure in the log outputs. oval:org.secpod.oval:def:704909 pacemaker: Cluster resource manager Several security issues were fixed in Pacemaker. oval:org.secpod.oval:def:502736 The Pacemaker cluster resource manager is a collection of technologies working together to maintain data integrity and application availability in the event of failures. Security Fix: * pacemaker: Insufficient local IPC client-server authentication on the client"s side can lead to local privesc * p ... oval:org.secpod.oval:def:39490 glibc: GNU C Library - eglibc: GNU C Library Several security issues were fixed in the GNU C Library. oval:org.secpod.oval:def:113977 Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS l ... oval:org.secpod.oval:def:603164 It was discovered that the pg_ctlcluster, pg_createcluster and pg_upgradecluster commands handled symbolic links insecurely which could result in local denial of service by overwriting arbitrary files. oval:org.secpod.oval:def:1800593 CVE-2016-6263: Crash when given invalid UTF-8 data on input CVE-2015-8948: Out-of-bounds read due to use of fgets with fixed-size buffer CVE-2016-6262: Out-of-bounds read when reading zero byte as input CVE-2016-6261: Out of bounds stack read in idna_to_ascii_4i Fixed In Version: libidn 1.33 oval:org.secpod.oval:def:1800542 An attacker who learns the EdDSA session key from side-channel observation during the signing process, can easily recover the long-term secret key. Storing the session key in secure memory ensures that constant time point operations are used in the MPI library. Fixed In Version: libgcrypt 1.7.7 Refe ... oval:org.secpod.oval:def:1800562 An attacker who learns the EdDSA session key from side-channel observation during the signing process, can easily recover the long-term secret key. Storing the session key in secure memory ensures that constant time point operations are used in the MPI library. Fixed In Version libgcrypt 1.7.7 Refer ... oval:org.secpod.oval:def:603278 Several vulnerabilities have been discovered in Squid3, a fully featured web proxy cache. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-1000024 Louis Dion-Marcil discovered that Squid does not properly handle processing of certain ESI responses. A remote ... oval:org.secpod.oval:def:1800667 CVE-2018-1000024: Incorrect pointer handling when processing ESI Responses can lead to denial of service Due to incorrect pointer handling, Squid versions 3.x and 4.x are vulnerable to a denial of service attack when processing ESI responses. This problem allows a remote server delivering certain ... oval:org.secpod.oval:def:704079 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:704073 php7.2: HTML-embedded scripting language interpreter - php7.1: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:704051 perl: Practical Extraction and Report Language Several security issues were fixed in Perl. oval:org.secpod.oval:def:1800399 CVE-2018-1000024: Incorrect pointer handling when processing ESI Responses can lead to denial of service; Due to incorrect pointer handling, Squid versions 3.x and 4.x are vulnerable to a denial of service attack when processing ESI responses. This problem allows a remote server delivering certain ... oval:org.secpod.oval:def:45546 php7.2: HTML-embedded scripting language interpreter - php7.1: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:53176 It was discovered that the pg_ctlcluster, pg_createcluster and pg_upgradecluster commands handled symbolic links insecurely which could result in local denial of service by overwriting arbitrary files. oval:org.secpod.oval:def:603399 OSS-fuzz, assisted by Max Dymond, discovered that cURL, an URL transfer library, could be tricked into reading data beyond the end of a heap based buffer when parsing invalid headers in an RTSP response. oval:org.secpod.oval:def:41167 libgcrypt20: LGPL Crypto library - libgcrypt11: LGPL Crypto library Several security issues were fixed in Libgcrypt. oval:org.secpod.oval:def:43822 squid3: Web proxy cache server Several security issues were fixed in Squid. oval:org.secpod.oval:def:603445 Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language: CVE-2018-7584 Buffer underread in parsing HTTP responses CVE-2018-10545 Dumpable FPM child processes allowed the bypass of opcache access controls CVE-2018-10546 Denial of service via infinite lo ... oval:org.secpod.oval:def:45660 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:53257 Several vulnerabilities have been discovered in Squid3, a fully featured web proxy cache. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-1000024 Louis Dion-Marcil discovered that Squid does not properly handle processing of certain ESI responses. A remote ... oval:org.secpod.oval:def:53329 OSS-fuzz, assisted by Max Dymond, discovered that cURL, an URL transfer library, could be tricked into reading data beyond the end of a heap based buffer when parsing invalid headers in an RTSP response. oval:org.secpod.oval:def:51532 postgresql-common: PostgreSQL database-cluster manager postgresql-common could be made to overwrite files as the administrator. oval:org.secpod.oval:def:51534 squid3: Web proxy cache server Several security issues were fixed in Squid. oval:org.secpod.oval:def:51537 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:51524 libgcrypt20: LGPL Crypto library - libgcrypt11: LGPL Crypto library Several security issues were fixed in Libgcrypt. oval:org.secpod.oval:def:52912 squid3: Web proxy cache server Several security issues were fixed in Squid. oval:org.secpod.oval:def:52922 perl: Practical Extraction and Report Language Several security issues were fixed in Perl. oval:org.secpod.oval:def:36851 libidn: implementation of IETF IDN specifications Several security issues were fixed in Libidn. oval:org.secpod.oval:def:43225 postgresql-common: PostgreSQL database-cluster manager postgresql-common could be made to overwrite files as the administrator. oval:org.secpod.oval:def:1700054 Curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.Curl version cu ... oval:org.secpod.oval:def:114538 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:51040 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:113356 The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets ... oval:org.secpod.oval:def:602603 Hanno Boeck discovered multiple vulnerabilities in libidn, the GNU library for Internationalized Domain Names, allowing a remote attacker to cause a denial of service against an application using the libidn library . oval:org.secpod.oval:def:115699 MinGW Windows Poppler library. oval:org.secpod.oval:def:51165 python2.7: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language - python3.4: An interactive high-level object-oriented language Several security issues were fixed in Python. oval:org.secpod.oval:def:51176 poppler: PDF rendering library Several security issues were fixed in poppler. oval:org.secpod.oval:def:115605 Python 3.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.6, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:2000180 slirp: heap buffer overflow in tcp_emu oval:org.secpod.oval:def:1502480 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502422 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:49675 perl: Practical Extraction and Report Language Several security issues were fixed in Perl. oval:org.secpod.oval:def:34611 qemu: Machine emulator and virtualizer - qemu-kvm: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:1700156 FreeRDP prior to version 2.0.0-rc4 contains an Out-Of-Bounds Write of up to 4 bytes in function nsc_rle_decode that results in a memory corruption and possibly even a remote code execution.FreeRDP prior to version 2.0.0-rc4 contains an Integer Overflow that leads to a Heap-Based Buffer Overflow in f ... oval:org.secpod.oval:def:2000279 v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service because of a race condition during file renaming. oval:org.secpod.oval:def:2000224 hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to a use-after-free outcome. oval:org.secpod.oval:def:1700104 Python#039;s elementtree C accelerator failed to initialise Expat#039;s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat#039;s internal data structures, co ... oval:org.secpod.oval:def:502637 FreeRDP is a free implementation of the Remote Desktop Protocol , released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. Security Fix: * freerdp: Integer truncation leading to heap-based buffer overflow in update_re ... oval:org.secpod.oval:def:47236 postgresql-10: object-relational SQL database - postgresql-9.5: Object-relational SQL database - postgresql-9.3: Object-relational SQL database Several security issues were fixed in PostgreSQL. oval:org.secpod.oval:def:115448 Python 3.7 package for developers. This package exists to allow developers to test their code against a newer version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.7, update your Fedora to a newer version once Python 3.7 is stable. oval:org.secpod.oval:def:54426 pacemaker: Cluster resource manager Several security issues were fixed in Pacemaker. oval:org.secpod.oval:def:115460 Python 3.3 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.3, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:115412 Python 3.5 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.5, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:115400 Python 2.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 2.6, see other distributions that support it, such as CentOS or RHEL 6. oval:org.secpod.oval:def:1901884 A flaw was found in the way pacemaker"s client-server authentication was implemented. A local attacker could use this flaw and combine it with other IPC weaknesses, to achieve local privilege escalation. oval:org.secpod.oval:def:2000382 Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote attackers to cause a denial of service via a crafted image file, a different vulnerability than CVE-2018-10999. oval:org.secpod.oval:def:114956 PostgreSQL is an advanced Object-Relational database management system . The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as t ... oval:org.secpod.oval:def:1901881 A flaw was found in pacemaker. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS oval:org.secpod.oval:def:503195 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: slirp: heap buffer overflow in tcp_emu For more details about the security ... oval:org.secpod.oval:def:47263 The host is installed with PostgreSQL 10.x before 10.5, 9.6.x before 9.6.10, 9.5.x before 9.5.14, 9.4.x before 9.4.19, and 9.3.x before 9.3.24 and is prone to a security bypass vulnerability. The flaw present in the application's libpq component where it fails to properly reset its internal state be ... oval:org.secpod.oval:def:47262 The host is installed with PostgreSQL 10.x before 10.5, 9.6.x before 9.6.10, 9.5.x before 9.5.14, 9.4.x before 9.4.19, and 9.3.x before 9.3.24 and is prone to a security bypass vulnerability. The flaw present in the application's libpq component where it fails to properly reset its internal state be ... oval:org.secpod.oval:def:114974 Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:48685 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:115576 Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:49184 systemd: system and service manager Details: USN-3816-1 fixed several vulnerabilities in systemd. However, the fix for CVE-2018-6954 was not sufficient. This update provides the remaining fixes. We apologize for the inconvenience. Original advisory systemd-tmpfiles could be made to change ownership ... oval:org.secpod.oval:def:115566 Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the "python3" executable: the ... oval:org.secpod.oval:def:50186 The host is installed with python before versions 2.7.15 or 3.4.9 and is prone to a denial-of-service vulnerability. The flaw is present in the application, which fails to properly handle catastrophic backtracking in difflib.IS_LINE_JUNK method. Successful exploitation allow context-dependent attack ... oval:org.secpod.oval:def:114269 The python3-docs package contains documentation on the Python 3 programming language and interpreter. Install the python3-docs package if you'd like to use the documentation for the Python 3 language. oval:org.secpod.oval:def:114264 The python3-docs package contains documentation on the Python 3 programming language and interpreter. Install the python3-docs package if you'd like to use the documentation for the Python 3 language. oval:org.secpod.oval:def:50187 The host is installed with python 2.7.0 is prone to a denial-of-service vulnerability. The flaw is present in the application, which fails to properly handle the passage of unfiltered user input to the function. Successful exploitation allow attackers to cause a denial of service, information gain v ... oval:org.secpod.oval:def:114260 pip is a package management system used to install and manage software packages written in Python. Many packages can be found in the Python Package Index . pip is a recursive acronym that can stand for either "Pip Installs Packages" or "Pip Installs Python". oval:org.secpod.oval:def:115585 Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most comm ... oval:org.secpod.oval:def:49173 python2.7: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language - python3.4: An interactive high-level object-oriented language Several security issues were fixed in Python. oval:org.secpod.oval:def:603432 Two vulnerabilities were discovered in strongSwan, an IKE/IPsec suite. CVE-2018-5388 The stroke plugin did not verify the message length when reading from its control socket. This vulnerability could lead to denial of service. On Debian write access to the socket requires root permission on default ... oval:org.secpod.oval:def:502000 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * An integer overflow flaw and an out-of-bounds read flaw were found in the way QEM ... oval:org.secpod.oval:def:114271 Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to v ... oval:org.secpod.oval:def:114270 It uses mostly the same techniques for finding packages, so packages that were made easy_installable should be pip-installable as well. oval:org.secpod.oval:def:114272 Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readibility. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the "python3" executable: the ... oval:org.secpod.oval:def:205241 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: slirp: heap buffer overflow in tcp_emu For more details about the security ... oval:org.secpod.oval:def:53353 Two vulnerabilities were discovered in strongSwan, an IKE/IPsec suite. CVE-2018-5388 The stroke plugin did not verify the message length when reading from its control socket. This vulnerability could lead to denial of service. On Debian write access to the socket requires root permission on default ... oval:org.secpod.oval:def:51541 python2.7: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language - python3.4: An interactive high-level object-oriented language Several security issues were fixed in Python. oval:org.secpod.oval:def:51544 poppler: PDF rendering library Several security issues were fixed in poppler. oval:org.secpod.oval:def:49256 poppler: PDF rendering library Several security issues were fixed in poppler. oval:org.secpod.oval:def:704285 postgresql-10: object-relational SQL database - postgresql-9.5: Object-relational SQL database - postgresql-9.3: Object-relational SQL database Several security issues were fixed in PostgreSQL. oval:org.secpod.oval:def:603530 Sze Yiu Chau and his team from Purdue University and The University of Iowa found several issues in the gmp plugin for strongSwan, an IKE/IPsec suite. Problems in the parsing and verification of RSA signatures could lead to a Bleichenbacher-style low-exponent signature forgery in certificates and du ... oval:org.secpod.oval:def:603531 Multiple security issues were discovered in Python: ElementTree failed to initialise Expat"s hash salt, two denial of service issues were found in difflib and poplib and the shutil module was affected by a command injection vulnerability. oval:org.secpod.oval:def:603567 Two vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-16839 Harry Sintonen discovered that, on systems with a 32 bit size_t, an integer overflow would be triggered when a SASL user name longer than 2GB is used. This would in turn cause a very small buffer to be allocated ins ... oval:org.secpod.oval:def:603581 Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-18311 Jayakrishna Menon and Christophe Hauser discovered an integer overflow vulnerability in Perl_my_setenv l ... oval:org.secpod.oval:def:47530 php7.2: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:115296 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:115255 Python 2 is an old version of the language that is incompatible with the 3.x line of releases. The language is mostly the same, but many details, especially how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed ... oval:org.secpod.oval:def:115252 Python 2 is an old version of the language that is incompatible with the 3.x line of releases. The language is mostly the same, but many details, especially how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed ... oval:org.secpod.oval:def:115243 The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. oval:org.secpod.oval:def:115241 The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. oval:org.secpod.oval:def:115275 Python 2.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 2.6, see other distributions that support it, such as CentOS or RHEL 6. oval:org.secpod.oval:def:115271 Python 3.5 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.5, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:502178 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A protocol flaw, publicly referred to as Badlock, was found in the ... oval:org.secpod.oval:def:1501428 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:1501429 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:115359 Python 2 is an old version of the language that is incompatible with the 3.x line of releases. The language is mostly the same, but many details, especially how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed ... oval:org.secpod.oval:def:1501430 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:1501431 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:1501432 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a newer upstream version: Samba . Ref ... oval:org.secpod.oval:def:115306 Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the "python3" executable: the ... oval:org.secpod.oval:def:115308 The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. oval:org.secpod.oval:def:53429 Multiple security issues were discovered in Python: ElementTree failed to initialise Expat"s hash salt, two denial of service issues were found in difflib and poplib and the shutil module was affected by a command injection vulnerability. oval:org.secpod.oval:def:48010 libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully auth ... oval:org.secpod.oval:def:703086 samba: SMB/CIFS file, print, and login server for Unix Details: USN-2950-1 fixed vulnerabilities in Samba. The fixes introduced in Samba 4.3.8 caused certain regressions and interoperability issues. This update resolves some of these issues by updating to Samba 4.3.9 in Ubuntu 14.04 LTS, Ubuntu 15.1 ... oval:org.secpod.oval:def:703085 samba: SMB/CIFS file, print, and login server for Unix Details: USN-2950-1 fixed vulnerabilities in Samba. The fixes introduced in Samba 4.3.8 caused certain regressions and interoperability issues. This update resolves some of these issues by updating to Samba 4.3.9 in Ubuntu 14.04 LTS, Ubuntu 15.1 ... oval:org.secpod.oval:def:703066 libsoup2.4: HTTP client/server library for GNOME Details: USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packages introduced a compatibility issue with NTLM authentication in libsoup. This update fixes the problem. We apologize for the inconvenience. Original advisory This update fixes ... oval:org.secpod.oval:def:703069 libtasn1-6: Library to manage ASN.1 structures Details: USN-2957-1 fixed a vulnerability in Libtasn1. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory Libtasn1 could be made to hang if it processed specially crafted data. oval:org.secpod.oval:def:704387 python2.7: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language - python3.4: An interactive high-level object-oriented language Several security issues were fixed in Python. oval:org.secpod.oval:def:52960 freerdp2: RDP client for Windows Terminal Services - freerdp: RDP client for Windows Terminal Services Several security issues were fixed in FreeRDP. oval:org.secpod.oval:def:47604 strongswan: IPsec VPN solution Several security issues were fixed in strongSwan. oval:org.secpod.oval:def:1600365 Multiple flaws were found in Samba's DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server or, possibly, execute arbitrary code with the permissions of the user running Samba . This flaw could also be used ... oval:org.secpod.oval:def:115380 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:1501778 Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potent ... oval:org.secpod.oval:def:114595 The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. oval:org.secpod.oval:def:114563 The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. oval:org.secpod.oval:def:1501736 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1700079 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with quot;hostquot; or quot;hostaddrquot; connection parameters from untrusted input, attackers could bypas ... oval:org.secpod.oval:def:501805 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * Multiple flaws were found in Samba"s DCE/RPC protocol implementati ... oval:org.secpod.oval:def:501821 KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. Security Fix: * An out-of-bounds read/write access flaw was found in the way QEMU"s VGA emulation with VESA BIOS Extensions ... oval:org.secpod.oval:def:602527 The upgrade to Samba 4.2 issued as DSA-3548-1 introduced several upstream regressions and as well a packaging regression causing errors on upgrading the packages. Updated packages are now available to address these problems. oval:org.secpod.oval:def:602468 Several vulnerabilities have been discovered in the chromium web browser. CVE-2016-1651 An out-of-bounds read issue was discovered in the pdfium library. CVE-2016-1652 A cross-site scripting issue was discovered in extension bindings. CVE-2016-1653 Choongwoo Han discovered an out-of-bounds write iss ... oval:org.secpod.oval:def:602466 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2015-5370 Jouni Knuutinen from Synopsys discovered flaws in the Samba DCE-RPC code which can lead to denial ... oval:org.secpod.oval:def:602497 Several vulnerabilities were discovered in qemu, a fast processor emulator. CVE-2016-3710 Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds read and write flaw in the QEMU VGA module. A privileged guest user could use this flaw to execute arbitrary code on the host with the privile ... oval:org.secpod.oval:def:703107 qemu: Machine emulator and virtualizer - qemu-kvm: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:704426 freerdp2: RDP client for Windows Terminal Services - freerdp: RDP client for Windows Terminal Services Several security issues were fixed in FreeRDP. oval:org.secpod.oval:def:1502299 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704414 poppler: PDF rendering library Several security issues were fixed in poppler. oval:org.secpod.oval:def:502353 PostgreSQL is an advanced object-relational database management system . The following packages have been upgraded to a later upstream version: postgresql . Security Fix: * postgresql: Certain host connection parameters defeat client-side security defenses For more details about the security issue ... oval:org.secpod.oval:def:205144 Perl is a high-level programming language that is commonly used for system administration utilities and web programming. Security Fix: * perl: Integer overflow leading to buffer overflow in Perl_my_setenv For more details about the security issue, including the impact, a CVSS score, and other relat ... oval:org.secpod.oval:def:51021 strongswan: IPsec VPN solution Several security issues were fixed in strongSwan. oval:org.secpod.oval:def:205185 FreeRDP is a free implementation of the Remote Desktop Protocol , released under the Apache license. The xfreerdp client can connect to RDP servers such as Microsoft Windows machines, xrdp, and VirtualBox. Security Fix: * freerdp: Integer truncation leading to heap-based buffer overflow in update_re ... oval:org.secpod.oval:def:114642 The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. oval:org.secpod.oval:def:501983 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * Quick emulator built with the Cirrus CLGD 54xx VGA emulator support is vulnerabl ... oval:org.secpod.oval:def:115133 Python 2 is an old version of the language that is incompatible with the 3.x line of releases. The language is mostly the same, but many details, especially how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed ... oval:org.secpod.oval:def:115158 Python 2 is an old version of the language that is incompatible with the 3.x line of releases. The language is mostly the same, but many details, especially how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed ... oval:org.secpod.oval:def:1800506 CVE-2016-9013: User with hardcoded password created when running tests on Oracle. When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn"t manually specified in the database settings TEST dictionary, a hardcoded password is used. Th ... oval:org.secpod.oval:def:602724 Peter Wu discovered that a use-after-free in the pscd PC/SC daemon of PCSC-Lite might result in denial of service or potentially privilege escalation. oval:org.secpod.oval:def:703369 python-cryptography: Cryptography Python library python-cryptography could generate incorrect keys. oval:org.secpod.oval:def:703337 python-django: High-level Python web development framework Several security issues were fixed in Django. oval:org.secpod.oval:def:703323 linux: Linux kernel The system could be made to run programs as an administrator. oval:org.secpod.oval:def:703316 linux-snapdragon: Linux kernel for Snapdragon Processors The system could be made to run programs as an administrator. oval:org.secpod.oval:def:703318 linux-raspi2: Linux kernel for Raspberry Pi 2 The system could be made to run programs as an administrator. oval:org.secpod.oval:def:602859 Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-9013 Marti Raudsepp reported that a user with a hardcoded password is created when running tests with an Orac ... oval:org.secpod.oval:def:703435 pcsc-lite: Middleware to access a smart card using PC/SC PCSC-Lite could be made to crash or run programs as an administrator if it received specially crafted input. oval:org.secpod.oval:def:1501599 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application dep ... oval:org.secpod.oval:def:1600403 The Linux kernel did not properly suppress hugetlbfs support in x86 PV guests, which could allow local PV guest users to cause a denial of service by attempting to access a hugetlbfs mapped area. A flaw was found in the way the Linux kernel's ASN.1 DER decoder processed certain certificate fil ... oval:org.secpod.oval:def:703171 haproxy: fast and reliable load balancing reverse proxy HAProxy could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:602547 Aleksandar Nikolic discovered that missing input sanitising in the RTF parser in Libreoffice may result in the execution of arbitrary code if a malformed documented is opened. oval:org.secpod.oval:def:703166 linux: Linux kernel Several security issues were fixed in the kernel. oval:org.secpod.oval:def:703154 linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the kernel. oval:org.secpod.oval:def:501881 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicio ... oval:org.secpod.oval:def:501887 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A race condition was found in the way the Linux kernel"s memory subsystem handled the copy-on-write breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to ... oval:org.secpod.oval:def:703130 samba: SMB/CIFS file, print, and login server for Unix Details: USN-2950-1 fixed vulnerabilities in Samba. USN-2950-3 updated Samba to version 4.3.9, which introduced a regression when using the ntlm_auth tool. This update fixes the problem. Original advisory USN-2950-1 introduced a regression in Sa ... oval:org.secpod.oval:def:602602 Hanno Boeck and Marcin Noga discovered multiple vulnerabilities in libarchive; processing malformed archives may result in denial of service or the execution of arbitrary code. oval:org.secpod.oval:def:602648 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-8956 It was discovered that missing input sanitising in RFCOMM Bluetooth socket handling may result in denial of service or information leak. CVE ... oval:org.secpod.oval:def:602593 Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of Technology discovered a flaw in the mixing functions of GnuPG"s random number generator. An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. A first analysis on the impact of this bug for ... oval:org.secpod.oval:def:602592 Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of Technology discovered a flaw in the mixing functions of Libgcrypt"s random number generator. An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. A first analysis on the impact of this bug ... oval:org.secpod.oval:def:703240 libgcrypt20: LGPL Crypto library - libgcrypt11: LGPL Crypto library Libgcrypt incorrectly generated random numbers. oval:org.secpod.oval:def:703238 gnupg: GNU privacy guard - a free PGP replacement GnuPG incorrectly generated random numbers. oval:org.secpod.oval:def:114363 GNU Wget is a file retrieval utility which can use either the HTTP or FTP protocols. Wget features include the ability to work in the background while you are logged out, recursive retrieval of directories, file name wildcard matching, remote file timestamp storage and comparison, use of Rest with F ... oval:org.secpod.oval:def:114364 GNU Wget is a file retrieval utility which can use either the HTTP or FTP protocols. Wget features include the ability to work in the background while you are logged out, recursive retrieval of directories, file name wildcard matching, remote file timestamp storage and comparison, use of Rest with F ... oval:org.secpod.oval:def:114336 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:114331 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:51970 irssi: terminal based IRC client Several security issues were fixed in Irssi. oval:org.secpod.oval:def:51981 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:51980 gcab: Microsoft Cabinet file manipulation tool gcab could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:51984 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:51992 exim4: Exim is a mail transport agent Exim could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:51994 advancecomp: collection of recompression utilities AdvanceCOMP could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:51995 quagga: BGP/OSPF/RIP routing daemon Several security issues were fixed in Quagga. oval:org.secpod.oval:def:113951 gcab is a tool to manipulate Cabinet archive. oval:org.secpod.oval:def:113939 The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets ... oval:org.secpod.oval:def:113910 Irssi is a modular IRC client with Perl scripting. Only text-mode frontend is currently supported. The GTK/GNOME frontend is no longer being maintained. oval:org.secpod.oval:def:113909 Irssi is a modular IRC client with Perl scripting. Only text-mode frontend is currently supported. The GTK/GNOME frontend is no longer being maintained. oval:org.secpod.oval:def:113932 The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets ... oval:org.secpod.oval:def:603116 Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron Bowes and Gynvael Coldwind of the Google Security Team discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, which may result in denial of service, information leak or the execution of arbit ... oval:org.secpod.oval:def:1800581 CVE-2017-14746: Use-after-free vulnerability. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In: Samba 4.7.3, 4.6.11 and 4.5.15 oval:org.secpod.oval:def:603131 Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered multiple vulnerabilities in the WPA protocol, used for authentication in wireless networks. Those vulnerabilities applies to both the access point and the station . An attacker exploiting the vulnerabilities could force the ... oval:org.secpod.oval:def:603183 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-14746 Yihan Lian and Zhibin Hu of Qihoo 360 GearTeam discovered a use-after-free vulnerability allowing ... oval:org.secpod.oval:def:113156 A library for reading and converting Windows MetaFile vector graphics . oval:org.secpod.oval:def:1501894 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:113104 CVS is a version control system that can record the history of your files . CVS only stores the differences between versions, instead of every version of every file you have ever created. CVS also keeps a log of who, when, and why changes occurred. CVS is very helpful for managing releases and cont ... oval:org.secpod.oval:def:113100 CVS is a version control system that can record the history of your files . CVS only stores the differences between versions, instead of every version of every file you have ever created. CVS also keeps a log of who, when, and why changes occurred. CVS is very helpful for managing releases and cont ... oval:org.secpod.oval:def:602873 Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted login shell for Git-only SSH access, allows a user to run an interactive pager by causing it to spawn "git upload-pack --help". oval:org.secpod.oval:def:44095 quagga: BGP/OSPF/RIP routing daemon Several security issues were fixed in Quagga. oval:org.secpod.oval:def:1600711 Escape out of git-shellA flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command laun ... oval:org.secpod.oval:def:603225 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service, information disclosure or spoofing of sender"s email addresses. oval:org.secpod.oval:def:1600780 Information leak in the DHCPv6 relay codeAn information leak was found in dnsmasq in the DHCPv6 relay code. An attacker on the local network could send crafted DHCPv6 packets to dnsmasq causing it to forward the contents of process memory, potentially leaking sensitive data. Memory exhaustion vulner ... oval:org.secpod.oval:def:603248 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, integer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service or URL spoofing. oval:org.secpod.oval:def:603249 It was discovered that gcab, a Microsoft Cabinet file manipulation tool, is prone to a stack-based buffer overflow vulnerability when extracting .cab files. An attacker can take advantage of this flaw to cause a denial-of-service or, potentially the execution of arbitrary code with the privileges of ... oval:org.secpod.oval:def:603267 Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message. oval:org.secpod.oval:def:603255 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or URL spoofing. oval:org.secpod.oval:def:603272 Several vulnerabilities have been discovered in Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-5378 It was discovered that the Quagga BGP daemon, bgpd, does not properly bounds check data sent with a NOTIFY to a peer, if an attrib ... oval:org.secpod.oval:def:113679 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:112363 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs common set of tools which are usually using with small amount of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:113645 A library for reading and converting Windows MetaFile vector graphics . oval:org.secpod.oval:def:703599 git: fast, scalable, distributed revision control system Git could be made to expose sensitive information over the network. oval:org.secpod.oval:def:603342 Multiple vulnerabilities have been discovered in Irssi, a terminal-based IRC client which can result in denial of service. oval:org.secpod.oval:def:53194 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-14746 Yihan Lian and Zhibin Hu of Qihoo 360 GearTeam discovered a use-after-free vulnerability allowing ... oval:org.secpod.oval:def:53114 It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command. oval:org.secpod.oval:def:53126 A double-free vulnerability was discovered in the gdImagePngPtr function in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a specially crafted file is processed. oval:org.secpod.oval:def:53145 Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron Bowes and Gynvael Coldwind of the Google Security Team discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, which may result in denial of service, information leak or the execution of arbit ... oval:org.secpod.oval:def:53155 Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered multiple vulnerabilities in the WPA protocol, used for authentication in wireless networks. Those vulnerabilities applies to both the access point and the station . An attacker exploiting the vulnerabilities could force the ... oval:org.secpod.oval:def:114173 This is a Cross Compiled version of the GNU C Library, which can be used to compile and link binaries for the arm-linux-gnu platform, instead of for the native platform. oval:org.secpod.oval:def:114170 This is a Cross Compiled version of the GNU C Library, which can be used to compile and link binaries for the arm-linux-gnu platform, instead of for the native platform. oval:org.secpod.oval:def:53220 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service, information disclosure or spoofing of sender"s email addresses. oval:org.secpod.oval:def:115542 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:112423 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs common set of tools which are usually using with small amount of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:1800460 CVE-2017-14746: Use-after-free vulnerability. Affected Versions All versions of Samba from 4.0.0 onwards. Fixed In Samba 4.7.3, 4.6.11 and 4.5.15 oval:org.secpod.oval:def:1800466 CVE-2017-14746: Use-after-free vulnerability. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In: Samba 4.7.3, 4.6.11 and 4.5.15 oval:org.secpod.oval:def:53294 Multiple vulnerabilities have been discovered in Irssi, a terminal-based IRC client which can result in denial of service. oval:org.secpod.oval:def:1800458 A non-privileged X client can instruct X server running under root to open any file by creating own directory with "fonts.dir","fonts.alias" or any font file being a symbolic link to any other file in the system. X server will then open it. This can be issue with special files such as /dev/watchdog. ... oval:org.secpod.oval:def:1800474 In Exim 4.90 and earlier, there is a buffer overflow in an utility function, if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible. oval:org.secpod.oval:def:53235 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, integer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service or URL spoofing. oval:org.secpod.oval:def:53236 It was discovered that gcab, a Microsoft Cabinet file manipulation tool, is prone to a stack-based buffer overflow vulnerability when extracting .cab files. An attacker can take advantage of this flaw to cause a denial-of-service or, potentially the execution of arbitrary code with the privileges of ... oval:org.secpod.oval:def:53253 Several vulnerabilities have been discovered in Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-5378 It was discovered that the Quagga BGP daemon, bgpd, does not properly bounds check data sent with a NOTIFY to a peer, if an attrib ... oval:org.secpod.oval:def:53249 Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message. oval:org.secpod.oval:def:703828 dnsmasq: Small caching DNS proxy and DHCP/TFTP server Several security issues were fixed in Dnsmasq. oval:org.secpod.oval:def:703814 libgd2: GD Graphics Library GD library could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:113422 hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators and RADIUS authentication server. hostapd is designed to be a "daemon" program that runs in the back-ground and acts as the ... oval:org.secpod.oval:def:1502012 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:113418 hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators and RADIUS authentication server. hostapd is designed to be a "daemon" program that runs in the back-ground and acts as the ... oval:org.secpod.oval:def:1502067 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502070 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502020 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502038 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502037 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603571 Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.1.37. Please see the MariaDB 10.1 Release Notes for further details: https://mariadb.com/kb/en/mariadb/mariadb-10127-release-notes/ https://mariad ... oval:org.secpod.oval:def:703775 cvs: Concurrent Versions System cvs could be made run programs as your login if it opened a specially crafted cvs repository. oval:org.secpod.oval:def:703955 glibc: GNU C Library - eglibc: GNU C Library Several security issues were fixed in the GNU C library. oval:org.secpod.oval:def:703946 irssi: terminal based IRC client Several security issues were fixed in Irssi. oval:org.secpod.oval:def:502196 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A use-after-free flaw was found in the way samba servers handled c ... oval:org.secpod.oval:def:53464 Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.1.37. Please see the MariaDB 10.1 Release Notes for further details: https://mariadb.com/kb/en/mariadb/mariadb-10127-release-notes/ https://mariad ... oval:org.secpod.oval:def:703918 linux-firmware: Firmware for Linux kernel drivers Several security issues were fixed in linux-firmware. oval:org.secpod.oval:def:703910 libxcursor: X11 cursor management library libxcursor could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:703913 libxfont: X11 font rasterisation library - libxfont1: X11 font rasterisation library - libxfont2: X11 font rasterisation library libXfont could be made to access arbitrary files, including special device files. oval:org.secpod.oval:def:502144 The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, exec ... oval:org.secpod.oval:def:502143 The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, exec ... oval:org.secpod.oval:def:502151 The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 , and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. S ... oval:org.secpod.oval:def:502152 The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 , and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. S ... oval:org.secpod.oval:def:113572 wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2 . Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association ... oval:org.secpod.oval:def:113525 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:113604 Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-all ... oval:org.secpod.oval:def:113605 hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators and RADIUS authentication server. hostapd is designed to be a "daemon" program that runs in the back-ground and acts as the ... oval:org.secpod.oval:def:114084 X.Org X11 libXfont2 runtime library oval:org.secpod.oval:def:114082 Quagga is free software that operates TCP/IP-based routing protocols. It takes a multi-server and multi-threaded approach to resolving the current complexity of the Internet. Quagga supports Babel, BGP4, BGP4+, BGP4-, IS-IS , OSPFv2, OSPFv3, RIPv1, RIPv2, RIPng, PIM-SSM and NHRP. Quagga is intended ... oval:org.secpod.oval:def:114081 X.Org X11 libXfont2 runtime library oval:org.secpod.oval:def:502219 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.2. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:114077 Quagga is free software that operates TCP/IP-based routing protocols. It takes a multi-server and multi-threaded approach to resolving the current complexity of the Internet. Quagga supports Babel, BGP4, BGP4+, BGP4-, IS-IS , OSPFv2, OSPFv3, RIPv1, RIPv2, RIPng, PIM-SSM and NHRP. Quagga is intended ... oval:org.secpod.oval:def:703891 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:703890 apport: automatically generate crash reports for debugging Details: USN-3480-1 fixed vulnerabilities in Apport. The fix for CVE-2017-14177 introduced a regression in the ability to handle crashes for users that configured their systems to use the Upstart init system in Ubuntu 16.04 LTS and Ubuntu 17 ... oval:org.secpod.oval:def:502234 The gcab package contains a utility for managing the Cabinet archives. It can list, extract, and create Microsoft cabinet files. Security Fix: * gcab: Extracting malformed .cab files causes stack smashing potentially leading to arbitrary code execution For more details about the security issue, in ... oval:org.secpod.oval:def:502233 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:502237 The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector. Security Fix: * quagga: Double free v ... oval:org.secpod.oval:def:114093 X.Org X11 libXfont runtime library oval:org.secpod.oval:def:114092 X.Org X11 libXfont runtime library oval:org.secpod.oval:def:703887 apport: automatically generate crash reports for debugging Apport could be tricked into creating files as an administrator, resulting in denial of service or privilege escalation. oval:org.secpod.oval:def:114047 Exim is a message transfer agent developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of fle ... oval:org.secpod.oval:def:114046 Exim is a message transfer agent developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of fle ... oval:org.secpod.oval:def:703860 wpa: client support for WPA and WPA2 Several security issues were fixed in wpa_supplicant. oval:org.secpod.oval:def:114062 gcab is a tool to manipulate Cabinet archive. oval:org.secpod.oval:def:502200 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * A use-after-free flaw was found in the way samba servers handled certain SMB1 requests. A ... oval:org.secpod.oval:def:113295 Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-all ... oval:org.secpod.oval:def:502266 The glibc packages provide the standard C libraries , POSIX thread libraries , standard math libraries , and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: realpath buffer underflow w ... oval:org.secpod.oval:def:1700076 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.57 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability c ... oval:org.secpod.oval:def:113247 A library for reading and converting Windows MetaFile vector graphics . oval:org.secpod.oval:def:114534 LibRaw is a library for reading RAW files obtained from digital photo cameras . LibRaw is based on the source codes of the dcraw utility, where part of drawbacks have already been eliminated and part will be fixed in future. oval:org.secpod.oval:def:1900922 Memory safety bugs were reported in Firefox 57 and Firefox ESR 52.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, an ... oval:org.secpod.oval:def:1502294 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:43359 The host is installed with Mozilla Thunderbird before 52.5.2 and is prone to an address spoofing vulnerability. A flaw is present in the application, which fails to properly handle null character. Successful exploitation could allow attackers to modify the message body. oval:org.secpod.oval:def:43360 The host is missing a security update according to Mozilla advisory, MFSA 2017-30. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle to crafted data. Successful exploitation could allow attackers to disclose sensitive information, ... oval:org.secpod.oval:def:502349 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * mysql: Client programs unspecified vulnerability * mysql: Server: DML unspecified vulnerability * my ... oval:org.secpod.oval:def:115062 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:703982 firefox: Mozilla Open Source web browser Details: USN-3544-1 fixed vulnerabilities in Firefox. The update caused a web compatibility regression and a tab crash during printing in some circumstances. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-3544-1 cause ... oval:org.secpod.oval:def:703980 exim4: Exim is a mail transport agent Exim could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:703986 quagga: BGP/OSPF/RIP routing daemon Several security issues were fixed in Quagga. oval:org.secpod.oval:def:703984 advancecomp: collection of recompression utilities AdvanceCOMP could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:703970 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:703965 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:703964 gcab: Microsoft Cabinet file manipulation tool gcab could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:43355 The host is missing a security update according to Mozilla advisory, MFSA 2017-30. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle to crafted data. Successful exploitation could allow attackers to disclose sensitive information, ... oval:org.secpod.oval:def:43354 The host is installed with Mozilla Thunderbird before 52.5.2 and is prone to an address spoofing vulnerability. A flaw is present in the application, which fails to properly handle null character. Successful exploitation could allow attackers to modify the message body. oval:org.secpod.oval:def:113341 Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-all ... oval:org.secpod.oval:def:113319 wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2 . Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association ... oval:org.secpod.oval:def:1502100 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502101 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:113323 wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2 . Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association ... oval:org.secpod.oval:def:1502130 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502131 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:51882 cvs: Concurrent Versions System cvs could be made run programs as your login if it opened a specially crafted cvs repository. oval:org.secpod.oval:def:51934 apport: automatically generate crash reports for debugging Apport could be tricked into creating files as an administrator, resulting in denial of service or privilege escalation. oval:org.secpod.oval:def:51938 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:51954 linux-firmware: Firmware for Linux kernel drivers Several security issues were fixed in linux-firmware. oval:org.secpod.oval:def:1502141 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:51908 dnsmasq: Small caching DNS proxy and DHCP/TFTP server Several security issues were fixed in Dnsmasq. oval:org.secpod.oval:def:51902 libgd2: GD Graphics Library GD library could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:51919 wpa: client support for WPA and WPA2 Several security issues were fixed in wpa_supplicant. oval:org.secpod.oval:def:1502176 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603048 It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command. oval:org.secpod.oval:def:115193 Liblouis is an open-source braille translator and back-translator named in honor of Louis Braille. It features support for computer and literary braille, supports contracted and uncontracted translation for many languages and has support for hyphenation. New languages can easily be added through tab ... oval:org.secpod.oval:def:603085 A double-free vulnerability was discovered in the gdImagePngPtr function in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a specially crafted file is processed. oval:org.secpod.oval:def:115691 MinGW Windows Poppler library. oval:org.secpod.oval:def:2001407 An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. watchOS before 4.3 is affected. The issue involves the fetch API in the "WebKit" component. It allows ... oval:org.secpod.oval:def:113047 Contains backends, filters, and other software that was once part of the core CUPS distribution but is no longer maintained by Apple Inc. In addition it contains additional filters developed independently of Apple, especially filters for the PDF-centric printing workflow introduced by OpenPrinting. oval:org.secpod.oval:def:113048 QPDF is a command-line program that does structural, content-preserving transformations on PDF files. It could have been called something like pdf-to-pdf. It includes support for merging and splitting PDFs and to manipulate the list of pages in a PDF file. It is not a PDF viewer or a program capable ... oval:org.secpod.oval:def:114379 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:114373 DHCP oval:org.secpod.oval:def:114375 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:114372 LibRaw is a library for reading RAW files obtained from digital photo cameras . LibRaw is based on the source codes of the dcraw utility, where part of drawbacks have already been eliminated and part will be fixed in future. oval:org.secpod.oval:def:1800517 CVE-2017-9147: LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service via a crafted TIFF file. Reference Patch CVE-2017-9403: In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDirEn ... oval:org.secpod.oval:def:44801 The host is installed with Apple iCloud before 7.4, Apple iTunes before 12.7.4 or Google Chrome before 68.0.3440.75 and is prone to a cross-origin information disclosure vulnerability. A flaw is present in the application, which fails to properly perform input validation. Successful exploitation cou ... oval:org.secpod.oval:def:114327 memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. oval:org.secpod.oval:def:114326 LibreOffice is an Open Source, community-developed, office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editor and drawing program, with a user interface and feature set similar to other office suites. Sophisticate ... oval:org.secpod.oval:def:44800 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly perform input validation. Successful exploitation could allow attackers to crash the service. oval:org.secpod.oval:def:114323 QPDF is a command-line program that does structural, content-preserving transformations on PDF files. It could have been called something like pdf-to-pdf. It includes support for merging and splitting PDFs and to manipulate the list of pages in a PDF file. It is not a PDF viewer or a program capable ... oval:org.secpod.oval:def:44812 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44813 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44814 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44815 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44811 The host is installed with Apple Safari before 11.1 and is prone to a memory corrupution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44817 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44818 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44819 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44823 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44824 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44825 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44826 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44820 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:44821 The host is installed with Apple Safari before 11.1 and is prone to a memory corrpution vulnerability. A flaw is present in the applications, which fails to properly handle a malicious website. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:114344 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. Zsh supports command line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:44827 The host is installed with Apple Safari before 11.1 and is prone to an unspecified vulnerability. An array indexing issue existed in the handling of a function in javascript core. Successful exploitation may lead to an ASSERT failure. oval:org.secpod.oval:def:44829 The host is installed with Apple Safari before 11.1 and is prone to a memory corruption vulnerability. A flaw is present in the applications, which fails to properly handle a maliciously crafted web content. Successful exploitation may lead to a denial of service. oval:org.secpod.oval:def:51112 mozjs52: SpiderMonkey JavaScript library Several security issues were fixed in Spidermonkey. oval:org.secpod.oval:def:44830 The host is installed with Apple Safari before 11.1 or Google Chrome before 68.0.3440.75 and is prone to a memory corruption vulnerability. A flaw is present in the applications, which fails to properly handle a maliciously crafted web content. Successful exploitation may lead to a denial of service ... oval:org.secpod.oval:def:44831 The host is missing a security update according to Apple advisory, APPLE-SA-2018-3-29-6. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly perform input validation. Successful exploitation could allow attackers to disclose sensi ... oval:org.secpod.oval:def:2000168 An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" compone ... oval:org.secpod.oval:def:2000156 An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" compone ... oval:org.secpod.oval:def:114303 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:1900721 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Su ... oval:org.secpod.oval:def:1900737 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromis ... oval:org.secpod.oval:def:2000129 An issue was discovered in Exempi through 2.4.4. XMPFiles/source/FormatSupport/WEBP_Support.cpp does not check whether a bitstream has a NULL value, leading to a NULL pointer dereference in the WEBP::VP8XChunk class. oval:org.secpod.oval:def:2000127 An issue was discovered in Exempi through 2.4.4. There is a stack-based buffer over-read in the PostScript_MetaHandler::ParsePSFile function in XMPFiles/source/FileHandlers/PostScript_Handler.cpp. oval:org.secpod.oval:def:2001473 An issue was discovered in ZZIPlib 0.13.68. There is a bus error caused by the __zzip_parse_root_directory function of zip.c. Attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. oval:org.secpod.oval:def:2001476 In ImageMagick 7.0.6-10 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allow remote attackers to cause a denial of service via a crafted file. oval:org.secpod.oval:def:1900795 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ... oval:org.secpod.oval:def:2001460 An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" compone ... oval:org.secpod.oval:def:2000109 libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service via a crafted PDF document, related to releaseResolved functions, aka qpdf-infiniteloop1. oval:org.secpod.oval:def:51999 libreoffice: Office productivity suite LibreOffice would allow unintended access to files over the network. oval:org.secpod.oval:def:2000106 An issue was discovered in ZZIPlib 0.13.68. An invalid memory address dereference was discovered in zzip_disk_fread in mmapped.c. The vulnerability causes an application crash, which leads to denial of service. oval:org.secpod.oval:def:2000105 ImageMagick 7.0.7-22 Q16 has memory leaks in the ReadDCMImage function in coders/dcm.c. oval:org.secpod.oval:def:2001434 An issue was discovered in Exempi through 2.4.4. A certain case of a 0xffffffff length is mishandled in XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp, leading to a heap-based buffer over-read in the PSD_MetaHandler::CacheFileData function. oval:org.secpod.oval:def:113957 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:113962 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:2000194 An error within the "LibRaw::unpack" function in LibRaw versions prior to 0.18.7 can be exploited to trigger a NULL pointer dereference. oval:org.secpod.oval:def:2000190 lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data . The Decisional Diffie-Hellman assumption does not hold for PyCrypto"s ElGamal implementation. oval:org.secpod.oval:def:1901165 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of t ... oval:org.secpod.oval:def:113073 QPDF is a command-line program that does structural, content-preserving transformations on PDF files. It could have been called something like pdf-to-pdf. It includes support for merging and splitting PDFs and to manipulate the list of pages in a PDF file. It is not a PDF viewer or a program capable ... oval:org.secpod.oval:def:113065 Contains backends, filters, and other software that was once part of the core CUPS distribution but is no longer maintained by Apple Inc. In addition it contains additional filters developed independently of Apple, especially filters for the PDF-centric printing workflow introduced by OpenPrinting. oval:org.secpod.oval:def:114485 LibRaw is a library for reading RAW files obtained from digital photo cameras . LibRaw is based on the source codes of the dcraw utility, where part of drawbacks have already been eliminated and part will be fixed in future. oval:org.secpod.oval:def:114482 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:2000204 An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers t ... oval:org.secpod.oval:def:2001542 Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in the shell autocomplete functionality. A local unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use autocomplete to traverse the before mentioned ... oval:org.secpod.oval:def:114437 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:114431 MinGW Windows LibRaw library. oval:org.secpod.oval:def:114469 MinGW Windows LibRaw library. oval:org.secpod.oval:def:1901337 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Su ... oval:org.secpod.oval:def:115784 Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates from 16 to 128 kbps/channel. This package contains the MinGW Windows cross compiled libvorbis library. oval:org.secpod.oval:def:2000295 In ImageMagick 7.0.7-12 Q16, there are memory leaks in MontageImageCommand in MagickWand/montage.c. oval:org.secpod.oval:def:1502343 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502344 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:2000271 An error within the "LibRaw::xtrans_interpolate" function in LibRaw versions prior to 0.18.6 can be exploited to cause an invalid read memory access and subsequently a Denial of Service condition. oval:org.secpod.oval:def:2000269 zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd function. A local attacker could exploit this to cause a denial of service. oval:org.secpod.oval:def:2000282 An error within the "kodak_radc_load_raw" function related to the "buf" variable in LibRaw versions prior to 0.18.7 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash. oval:org.secpod.oval:def:114411 WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKit2 based WebKitGTK+ for GTK+ 3. oval:org.secpod.oval:def:2001592 In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a crash in the __zzip_parse_root_directory function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. oval:org.secpod.oval:def:2001597 The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable "supportsCredentials" for all origins. It is expected that users of the CORS filter will have configured it appropriately for their en ... oval:org.secpod.oval:def:1700124 The nss-pem package provides the PEM file reader for Network Security Services implemented as a PKCS#11 module. This update contains fixes related to CURL security updates, specifically updating an object ID when reusing a certificate oval:org.secpod.oval:def:1502323 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1700107 A null pointer dereference flaw was found in Samba RPC external printer service. An attacker could use this flaw to cause the printer spooler service to crash.A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server coul ... oval:org.secpod.oval:def:603205 It was discovered that libXcursor, a X cursor management library, is prone to several heap overflows when parsing malicious files. An attacker can take advantage of these flaws for arbitrary code execution, if a user is tricked into processing a specially crafted cursor file. oval:org.secpod.oval:def:53092 Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code. oval:org.secpod.oval:def:1901277 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of ... oval:org.secpod.oval:def:603268 Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that missing restrictions in the implementation of the WEBSERVICE function in LibreOffice could result in the disclosure of arbitrary files readable by the user who opens a malformed document. oval:org.secpod.oval:def:603269 Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that missing restrictions in the implementation of the WEBSERVICE function in LibreOffice could result in the disclosure of arbitrary files readable by the user who opens a malformed document. oval:org.secpod.oval:def:603266 Calum Hutton and the Mailman team discovered a cross site scripting and information leak vulnerability in the user options page. A remote attacker could use a crafted URL to steal cookie information or to fish for whether a user is subscribed to a list with a private roster. oval:org.secpod.oval:def:1800697 CVE-2018-1000005: HTTP/2 trailer out-of-bounds read; Affected versions: libcurl 7.49.0 to and including 7.57.0 Not affected versions: libcurl = 7.58.0 oval:org.secpod.oval:def:603251 Two vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-1000005 Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn"t affect the oldstable distribution . CVE-2018-1000007 Craig de Stigter discovered that authentication data mi ... oval:org.secpod.oval:def:603252 Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code. oval:org.secpod.oval:def:1901263 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of ... oval:org.secpod.oval:def:46785 The host is installed with Google Chrome before 68.0.3440.75 and is prone to a cross origin information leak vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to disclose sensitive information. oval:org.secpod.oval:def:46780 The host is installed with Google Chrome before 68.0.3440.75 and is prone to a cross origin information leak vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:603296 Several vulnerabilities have been discovered in the Dovecot email server. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-14461 Aleksandar Nikolic of Cisco Talos and "flxflndy" discovered that Dovecot does not properly parse invalid email addresses, which m ... oval:org.secpod.oval:def:1800670 CVE-2017-9147: LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service via a crafted TIFF file. CVE-2017-9403: In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDirEntryLong8Array i ... oval:org.secpod.oval:def:114117 Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers . The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared li ... oval:org.secpod.oval:def:115441 Python 3.3 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.3, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:114112 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fai ... oval:org.secpod.oval:def:2000335 libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image. oval:org.secpod.oval:def:114144 Mailman is software to help manage email discussion lists, much like Majordomo and Smartmail. Unlike most similar products, Mailman gives each mailing list a webpage, and allows users to subscribe, unsubscribe, etc. over the Web. Even the list manager can administer his or her list entirely from the ... oval:org.secpod.oval:def:46817 The host is installed with Google Chrome before 68.0.3440.75 and is prone to a cross origin information leak vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to disclose sensitive information. oval:org.secpod.oval:def:114138 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:114134 An extensible library that implements an LDAP like API to access remote LDAP servers, or use local tdb databases. oval:org.secpod.oval:def:114106 This is a simple library designed to help locate and load cursors. Cursors can be loaded from files or memory. A library of common cursors exists which map to the standard X cursor names.Cursors can exist in several sizes and the library automatically picks the best size. oval:org.secpod.oval:def:2001604 An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" com ... oval:org.secpod.oval:def:114102 This is a simple library designed to help locate and load cursors. Cursors can be loaded from files or memory. A library of common cursors exists which map to the standard X cursor names.Cursors can exist in several sizes and the library automatically picks the best size. oval:org.secpod.oval:def:704099 python-oslo.middleware: WSGI middleware components for OpenStack Applications using Oslo middleware could be made to expose sensitive information. oval:org.secpod.oval:def:704095 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:704091 procps: /proc file system utilities Several security issues were fixed in procps-ng. oval:org.secpod.oval:def:704071 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:704072 openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK 8. oval:org.secpod.oval:def:114990 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:1901839 An error within the "LibRaw::xtrans_interpolate" function in LibRaw versions prior to 0.18.6 can be exploited to cause an invalid read memory access and subsequently a Denial of Service condition. oval:org.secpod.oval:def:704068 webkit2gtk: Web content engine library for GTK+ A security issue was fixed in WebKitGTK+. oval:org.secpod.oval:def:704066 qpdf: tools for transforming and inspecting PDF files Several security issues were fixed in QPDF. oval:org.secpod.oval:def:704062 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK+. oval:org.secpod.oval:def:704063 mysql-5.7: MySQL database Details: USN-3629-1 fixed vulnerabilities in MySQL. This update provides the corresponding updates for Ubuntu 18.04 LTS. Original advisory Several security issues were fixed in MySQL. oval:org.secpod.oval:def:2000389 An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" compone ... oval:org.secpod.oval:def:704053 mysql-5.7: MySQL database - mysql-5.5: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:602980 Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code. oval:org.secpod.oval:def:704048 wayland: Wayland compositor infrastructure Wayland could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:704035 openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK 8. oval:org.secpod.oval:def:704036 openjdk-7: Open Source Java implementation Several security issues were fixed in OpenJDK 7. oval:org.secpod.oval:def:704037 libraw: raw image decoder library LibRaw could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:704031 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:704032 openssl: Secure Socket Layer cryptographic library and tools OpenSSL could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:704034 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:704039 python-crypto: cryptographic algorithms and protocols for Python Python Crypto could expose sensitive information. oval:org.secpod.oval:def:704024 libvorbis: The Vorbis General Audio Compression Codec libvorbis could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:603404 The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-1122 top read its configuration from the current working directory ... oval:org.secpod.oval:def:704027 screen-resolution-extra: Extension for the GNOME screen resolution applet Screen Resolution Extra could be tricked into bypassing PolicyKit authorizations. oval:org.secpod.oval:def:704020 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:603408 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails. oval:org.secpod.oval:def:603409 Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If the environment variable BROWSER in the victim host has a "%s" and the victim opens a link crafted by an attacker with xdg-open, the malicious party ... oval:org.secpod.oval:def:704029 icu: International Components for Unicode library ICU could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:704013 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:704015 memcached: high-performance memory object caching system Memcached could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:114976 Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:704012 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:704003 dovecot: IMAP and POP3 email server Several security issues were fixed in Dovecot. oval:org.secpod.oval:def:603308 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-1050 It was discovered that Samba is prone to a denial of service attack when the RPC spoolss service i ... oval:org.secpod.oval:def:704004 python-django: High-level Python web development framework Several security issues were fixed in Django. oval:org.secpod.oval:def:704000 isc-dhcp: DHCP server and client Several security issues were fixed in DHCP. oval:org.secpod.oval:def:704001 memcached: high-performance memory object caching system Several security issues were fixed in Memcached. oval:org.secpod.oval:def:603302 Several vulnerabilities have been discovered in the ISC DHCP client, relay and server. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-3144 It was discovered that the DHCP server does not properly clean up closed OMAPI connections, which can lead to exhaust ... oval:org.secpod.oval:def:603309 Multiple vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-1000120 Duy Phan Thanh discovered that curl could be fooled into writing a zero byte out of bounds when curl is told to work on an FTP URL with the setting to only issue a single CWD command, if the directory part of ... oval:org.secpod.oval:def:704006 clamav: Anti-virus utility for Unix Several security issues were fixed in ClamAV. oval:org.secpod.oval:def:704008 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:704009 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:603329 It was discovered that an integer overflow in the International Components for Unicode library could result in denial of service and potentially the execution of arbitrary code. oval:org.secpod.oval:def:603317 Richard Zhu and Huzaifa Sidhpurwala discovered that an out-of-bounds memory write when playing Vorbis media files could result in the execution of arbitrary code. oval:org.secpod.oval:def:603315 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code, incorrect LDAP/GSS authentication, insecure use of cryptography or bypass of deserialisation restrictions. oval:org.secpod.oval:def:603312 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service or information disclosure. oval:org.secpod.oval:def:603313 Richard Zhu discovered that an out-of-bounds memory write in the codeboook parsing code of the Libvorbis multimedia library could result in the execution of arbitrary code. oval:org.secpod.oval:def:603341 James Davis discovered two issues in Django, a high-level Python web development framework, that can lead to a denial-of-service attack. An attacker with control on the input of the django.utils.html.urlize function or django.utils.text.Truncator"s chars and words methods could craft a string that m ... oval:org.secpod.oval:def:603338 Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-3738 David Benjamin of Google reported an overflow bug in the AVX2 Montgomery multiplication procedure used in exponent ... oval:org.secpod.oval:def:603337 It was discovered that constructed ASN.1 types with a recursive definition could exceed the stack, potentially leading to a denial of service. Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20180327.txt oval:org.secpod.oval:def:603335 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or information disclosure. oval:org.secpod.oval:def:603333 It was discovered that a use-after-free in the compositor of Firefox can result in the execution of arbitrary code. oval:org.secpod.oval:def:603353 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code, incorrect LDAP/GSS authentication, insecure use of cryptography or bypass of deserialisation restrictions. oval:org.secpod.oval:def:45541 The host is missing a critical security update according to Mozilla advisory, MFSA2018-11. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:45542 The host is missing a critical security update according to Mozilla advisory, MFSA2018-12. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:603377 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation. oval:org.secpod.oval:def:603370 Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.60, which includes additional changes oval:org.secpod.oval:def:603394 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:46823 The host is installed with Google Chrome before 68.0.3440.75 and is prone to a cross origin information leak vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:114165 Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates. The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis. oval:org.secpod.oval:def:114167 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:114161 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:114150 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:114152 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:45516 Mozilla Firefox before 60.0 or Firefox ESR before 52.8 : Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party w ... oval:org.secpod.oval:def:45517 Mozilla Firefox before 60.0 or Firefox ESR before 52.8 : The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. oval:org.secpod.oval:def:45518 >Mozilla Firefox before 60.0, Firefox, Thunderbird or ESR before 52.8 : An integer overflow can occur in the Skia library due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable ... oval:org.secpod.oval:def:45513 The host is missing a critical security update according to Mozilla advisory, MFSA2018-12. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:114186 Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates. The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis. oval:org.secpod.oval:def:1800316 CVE-2018-1000005: HTTP/2 trailer out-of-bounds read Affected versions libcurl 7.49.0 to and including 7.57.0 Not affected versions libcurl = 7.58.0 oval:org.secpod.oval:def:2000464 An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. The issue involves the "WebKit" component. It allows remote attackers t ... oval:org.secpod.oval:def:46916 The host is missing a security update according to Mozilla advisory, MFSA2018-19. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle the crafted data. Successful exploitation could allow attackers to disclose sensitive information, ... oval:org.secpod.oval:def:114239 Exempi provides a library for easy parsing of XMP metadata. It is a port of Adobe XMP SDK to work on UNIX and to be build with GNU automake. It includes XMPCore and XMPFiles. oval:org.secpod.oval:def:46917 The host is missing a critical security update according to Mozilla advisory, MFSA2018-19. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:53204 It was discovered that libXcursor, a X cursor management library, is prone to several heap overflows when parsing malicious files. An attacker can take advantage of these flaws for arbitrary code execution, if a user is tricked into processing a specially crafted cursor file. oval:org.secpod.oval:def:114263 The OpenSSL toolkit provides support for secure communications between machines. This version of OpenSSL package contains only the libraries and is provided for compatibility with previous releases and software that does not support compilation with OpenSSL-1.1. oval:org.secpod.oval:def:114262 The OpenSSL toolkit provides support for secure communications between machines. This version of OpenSSL package contains only the libraries and is provided for compatibility with previous releases and software that does not support compilation with OpenSSL-1.1. oval:org.secpod.oval:def:114208 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:2000406 An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" compone ... oval:org.secpod.oval:def:114228 Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail in either of maildir or mbox formats. The SQL drivers and authentication plug-ins are in their subpackages. oval:org.secpod.oval:def:704199 xdg-utils: desktop integration utilities from freedesktop.org xdg-utils could be made to run arbitrary code if it received a specially crafted input. oval:org.secpod.oval:def:704192 liblouis: Braille translation library - utilities Several security issues were fixed in Liblouis. oval:org.secpod.oval:def:704190 libraw: raw image decoder library Several security issues were fixed in LibRaw. oval:org.secpod.oval:def:704191 apport: automatically generate crash reports for debugging Details: USN-3480-2 fixed regressions in Apport. The update introduced a new regression in the container support. This update addresses the problem. We apologize for the inconvenience. Original advisory USN-3480-2 introduced regressions in A ... oval:org.secpod.oval:def:704177 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:704173 libarchive-zip-perl: Perl module for manipulation of ZIP archives Archive Zip module could be made to expose sensitive information if it received a specially crafted input. oval:org.secpod.oval:def:704167 zsh: shell with lots of features Several security issues were fixed in Zsh. oval:org.secpod.oval:def:704164 clamav: Anti-virus utility for Unix ClamAV could be made to hang if it opened a specially crafted file. oval:org.secpod.oval:def:704166 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine Several security issues were fixed in Tomcat. oval:org.secpod.oval:def:704158 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:704145 zziplib: library providing read access on ZIP-archives - library zziplib could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:704147 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:603516 Multiple security issues have been found in Thunderbird: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service. Debian follows the Thunderbird upstream releases. Support for the 52.x series has ended, so starting with this update we"re now ... oval:org.secpod.oval:def:704133 openjdk-7: Open Source Java implementation Several security issues were fixed in OpenJDK 7. oval:org.secpod.oval:def:603428 Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive. oval:org.secpod.oval:def:704124 gnupg2: GNU privacy guard - a free PGP replacement Details: USN-3675-1 fixed a vulnerability in GnuPG 2 for Ubuntu 18.04 LTS and Ubuntu 17.10. This update provides the corresponding update for GnuPG 2 in Ubuntu 16.04 LTS and Ubuntu 14.04 LTS. Original advisory GnuPG 2 could be made to present validi ... oval:org.secpod.oval:def:603424 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/00 ... oval:org.secpod.oval:def:603425 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation. oval:org.secpod.oval:def:46109 The host is missing a critical security update according to Mozilla advisory, MFSA2018-16. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:603423 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/00 ... oval:org.secpod.oval:def:603420 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/00 ... oval:org.secpod.oval:def:704127 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK+. oval:org.secpod.oval:def:46110 The host is missing a critical security update according to Mozilla advisory, MFSA2018-17. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:704128 mozjs52: SpiderMonkey JavaScript library Several security issues were fixed in Spidermonkey. oval:org.secpod.oval:def:603418 Several vulnerabilities were discovered in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2017-9951 Daniel Shapira reported a heap-based buffer over-read in memcached triggered by specially crafted ... oval:org.secpod.oval:def:704111 gnupg2: GNU privacy guard - a free PGP replacement - gnupg: GNU privacy guard - a free PGP replacement Several security issues were fixed in GnuPG. oval:org.secpod.oval:def:704101 exempi: library to parse XMP metadata Exempi could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:46129 The host is missing a critical security update according to Mozilla advisory, MFSA2018-15. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:46130 The host is missing a critical security update according to Mozilla advisory, MFSA2018-16. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:603440 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service, cross-site request forgery or information disclosure. oval:org.secpod.oval:def:46131 The host is missing a critical security update according to Mozilla advisory, MFSA2018-17. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:46134 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A use-after-free vulnerability can occur when deleting an code input/code element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash. oval:org.secpod.oval:def:46133 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A buffer overflow can occur when rendering canvas content while adjusting the height and width of the 'canvas' element dynamically, causing data to be written outside of the currently computed boundaries. This results i ... oval:org.secpod.oval:def:46139 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. oval:org.secpod.oval:def:46148 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety ... oval:org.secpod.oval:def:46145 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occuring. This can result in stream data being cast to the wrong type causing a potentially exploitable cra ... oval:org.secpod.oval:def:1800498 An error within the "LibRaw::xtrans_interpolate" function can be exploited to cause an invalid read memory access and subsequently cause a crash via a specially crafted TIFF image. Fixed In Version: LibRaw 0.18.6 oval:org.secpod.oval:def:603451 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails. oval:org.secpod.oval:def:44398 The host is installed with LibreOffice before 5.4.5 or 6.x before 6.0.1 and is prone to an arbitrary file read vulnerability. A flaw is present in the application, which fails to properly handle =WEBSERVICE calls in a document. Successful exploitation could allow remote attackers to read arbitrary f ... oval:org.secpod.oval:def:44394 The host is installed with LibreOffice before 5.4.5 or 6.0 before 6.0.1 and is prone to an arbitrary file read vulnerability. A flaw is present in the application, which fails to properly handle =WEBSERVICE calls in a document. Successful exploitation could allow remote attackers to read arbitrary f ... oval:org.secpod.oval:def:113809 LibRaw is a library for reading RAW files obtained from digital photo cameras . LibRaw is based on the source codes of the dcraw utility, where part of drawbacks have already been eliminated and part will be fixed in future. oval:org.secpod.oval:def:53281 Richard Zhu and Huzaifa Sidhpurwala discovered that an out-of-bounds memory write when playing Vorbis media files could result in the execution of arbitrary code. oval:org.secpod.oval:def:53285 It was discovered that an integer overflow in the International Components for Unicode library could result in denial of service and potentially the execution of arbitrary code. oval:org.secpod.oval:def:53288 It was discovered that a use-after-free in the compositor of Firefox can result in the execution of arbitrary code. oval:org.secpod.oval:def:53279 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code, incorrect LDAP/GSS authentication, insecure use of cryptography or bypass of deserialisation restrictions. oval:org.secpod.oval:def:1800465 It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments.The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes4 bytes. Properly chosen values ... oval:org.secpod.oval:def:1901048 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ... oval:org.secpod.oval:def:53291 It was discovered that constructed ASN.1 types with a recursive definition could exceed the stack, potentially leading to a denial of service. Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20180327.txt oval:org.secpod.oval:def:45668 The host is missing a critical security update according to Mozilla advisory, MFSA2018-13. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:53292 Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-3738 David Benjamin of Google reported an overflow bug in the AVX2 Montgomery multiplication procedure used in exponent ... oval:org.secpod.oval:def:53289 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or information disclosure. oval:org.secpod.oval:def:45680 The host is missing a critical security update according to Mozilla advisory, MFSA2018-13. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:53239 Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code. oval:org.secpod.oval:def:53238 Two vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-1000005 Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn"t affect the oldstable distribution . CVE-2018-1000007 Craig de Stigter discovered that authentication data mi ... oval:org.secpod.oval:def:1800421 LibreOffice Calc supports a WEBSERVICE function to obtain data by URL. Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL which can be used to inject local files into the spreadsheet without warning the user. Subsequent formulas can operate on that inserted data and constr ... oval:org.secpod.oval:def:53250 Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that missing restrictions in the implementation of the WEBSERVICE function in LibreOffice could result in the disclosure of arbitrary files readable by the user who opens a malformed document. oval:org.secpod.oval:def:53248 Calum Hutton and the Mailman team discovered a cross site scripting and information leak vulnerability in the user options page. A remote attacker could use a crafted URL to steal cookie information or to fish for whether a user is subscribed to a list with a private roster. oval:org.secpod.oval:def:1901066 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Succ ... oval:org.secpod.oval:def:53270 Several vulnerabilities have been discovered in the ISC DHCP client, relay and server. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-3144 It was discovered that the DHCP server does not properly clean up closed OMAPI connections, which can lead to exhaust ... oval:org.secpod.oval:def:53273 Multiple vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-1000120 Duy Phan Thanh discovered that curl could be fooled into writing a zero byte out of bounds when curl is told to work on an FTP URL with the setting to only issue a single CWD command, if the directory part of ... oval:org.secpod.oval:def:53272 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-1050 It was discovered that Samba is prone to a denial of service attack when the RPC spoolss service i ... oval:org.secpod.oval:def:53277 Richard Zhu discovered that an out-of-bounds memory write in the codeboook parsing code of the Libvorbis multimedia library could result in the execution of arbitrary code. oval:org.secpod.oval:def:53276 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service or information disclosure. oval:org.secpod.oval:def:114292 memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. oval:org.secpod.oval:def:2000570 In ZZIPlib 0.13.67, there is a bus error caused by loading of a misaligned address in __zzip_fetch_disk_trailer . Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. oval:org.secpod.oval:def:53311 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation. oval:org.secpod.oval:def:53332 The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-1122 top read its configuration from the current working directory ... oval:org.secpod.oval:def:53324 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:52010 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:52012 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:52003 isc-dhcp: DHCP server and client Several security issues were fixed in DHCP. oval:org.secpod.oval:def:52004 memcached: high-performance memory object caching system Several security issues were fixed in Memcached. oval:org.secpod.oval:def:53335 Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If the environment variable BROWSER in the victim host has a "%s" and the victim opens a link crafted by an attacker with xdg-open, the malicious party ... oval:org.secpod.oval:def:52007 python-django: High-level Python web development framework Several security issues were fixed in Django. oval:org.secpod.oval:def:52006 dovecot: IMAP and POP3 email server Several security issues were fixed in Dovecot. oval:org.secpod.oval:def:52009 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:52008 clamav: Anti-virus utility for Unix Several security issues were fixed in ClamAV. oval:org.secpod.oval:def:53350 Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive. oval:org.secpod.oval:def:52021 icu: International Components for Unicode library ICU could be made to crash if it received specially crafted input. oval:org.secpod.oval:def:52020 screen-resolution-extra: Extension for the GNOME screen resolution applet Screen Resolution Extra could be tricked into bypassing PolicyKit authorizations. oval:org.secpod.oval:def:52023 openssl: Secure Socket Layer cryptographic library and tools OpenSSL could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:52022 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:52013 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:53344 Several vulnerabilities were discovered in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2017-9951 Daniel Shapira reported a heap-based buffer over-read in memcached triggered by specially crafted ... oval:org.secpod.oval:def:52016 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:53346 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/00 ... oval:org.secpod.oval:def:52015 memcached: high-performance memory object caching system Memcached could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:52018 libvorbis: The Vorbis General Audio Compression Codec libvorbis could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:53349 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/00 ... oval:org.secpod.oval:def:2000555 In ImageMagick 7.0.7-17 Q16, there is a Memory Leak in ReadPWPImage in coders/pwp.c. oval:org.secpod.oval:def:2000518 An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" compone ... oval:org.secpod.oval:def:114769 The libjpeg-turbo package contains a library of functions for manipulating JPEG images. oval:org.secpod.oval:def:114752 GnuPG is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of ... oval:org.secpod.oval:def:704295 mozjs52: SpiderMonkey JavaScript library Several security issues were fixed in Spidermonkey. oval:org.secpod.oval:def:114726 This package contains dcraw, a command line tool to decode raw image data downloaded from digital cameras. oval:org.secpod.oval:def:114728 WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. oval:org.secpod.oval:def:46158 The host is missing a critical security update according to Mozilla advisory, MFSA2018-18. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:46154 The host is missing a security update according to Mozilla advisory, MFSA2018-18. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle the crafted data. Successful exploitation could allow attackers to disclose sensitive information, ... oval:org.secpod.oval:def:603532 Multiple security issues were discovered in Python: ElementTree failed to initialise Expat"s hash salt, two denial of service issues were found in difflib and poplib and a buffer overflow in PyString_DecodeEscape. oval:org.secpod.oval:def:52919 openjdk-7: Open Source Java implementation Several security issues were fixed in OpenJDK 7. oval:org.secpod.oval:def:704223 irssi: terminal based IRC client Several security issues were fixed in Irssi. oval:org.secpod.oval:def:114823 A comprehensive, modular and portable cryptographic toolkit that provides developers with a vast array of well known published block ciphers, one-way hash functions, chaining modes, pseudo-random number generators, public key cryptography and a plethora of other routines. Designed from the ground up ... oval:org.secpod.oval:def:704211 postgresql-9.6: Object-relational SQL database - postgresql-9.5: Object-relational SQL database - postgresql-9.3: Object-relational SQL database PostgreSQL could be made to expose sensitive information. oval:org.secpod.oval:def:704213 mailman: Powerful, web-based mailing list manager Mailman could be made to run arbitrary code. oval:org.secpod.oval:def:114816 The Archive::Zip module allows a Perl program to create, manipulate, read, and write Zip archive files. Zip archives can be created, or you can read from existing zip files. Once created, they can be written to files, streams, or strings. Members can be added, removed, extracted, replaced, rearrange ... oval:org.secpod.oval:def:114812 The Archive::Zip module allows a Perl program to create, manipulate, read, and write Zip archive files. Zip archives can be created, or you can read from existing zip files. Once created, they can be written to files, streams, or strings. Members can be added, removed, extracted, replaced, rearrange ... oval:org.secpod.oval:def:52930 openjdk-7: Open Source Java implementation Several security issues were fixed in OpenJDK 7. oval:org.secpod.oval:def:704209 patch: Apply a diff file to an original Several security issues were fixed in Patch. oval:org.secpod.oval:def:603583 Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. oval:org.secpod.oval:def:704204 perl: Practical Extraction and Report Language Perl could be made to overwrite arbitrary files if it received a specially crafted archive file. oval:org.secpod.oval:def:52069 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:2000606 In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allow remote attackers to cause a denial of service via a crafted file. oval:org.secpod.oval:def:52087 postgresql-9.6: Object-relational SQL database - postgresql-9.5: Object-relational SQL database - postgresql-9.3: Object-relational SQL database PostgreSQL could be made to expose sensitive information. oval:org.secpod.oval:def:52086 patch: Apply a diff file to an original Several security issues were fixed in Patch. oval:org.secpod.oval:def:52089 mailman: Powerful, web-based mailing list manager Mailman could be made to run arbitrary code. oval:org.secpod.oval:def:2000617 libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of service via a crafted PDF document, related to unparse functions, aka qpdf-infiniteloop3. oval:org.secpod.oval:def:43130 The host is installed with Google Chrome before 63.0.3239.84 and is prone to an integer overflow vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:52095 irssi: terminal based IRC client Several security issues were fixed in Irssi. oval:org.secpod.oval:def:115257 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:53360 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service, cross-site request forgery or information disclosure. oval:org.secpod.oval:def:52033 wayland: Wayland compositor infrastructure Wayland could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:52025 openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK 8. oval:org.secpod.oval:def:52024 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:52027 python-crypto: cryptographic algorithms and protocols for Python Python Crypto could expose sensitive information. oval:org.secpod.oval:def:52026 libraw: raw image decoder library LibRaw could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:115246 Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers . The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared li ... oval:org.secpod.oval:def:52041 qpdf: tools for transforming and inspecting PDF files Several security issues were fixed in QPDF. oval:org.secpod.oval:def:52040 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK+. oval:org.secpod.oval:def:52042 openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK 8. oval:org.secpod.oval:def:52035 mysql-5.7: MySQL database - mysql-5.5: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:53368 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails. oval:org.secpod.oval:def:45753 The host is installed with Apache Tomcat 9.x before 9.0.9, 7.0.41 before 7.0.89, 8.x before 8.0.53 or 8.5.x before 8.5.32 and is prone to a security bypass vulnerability. A flaw is present in application, which fails to properly handle CORS filter settings issue. Successful exploitation allow attack ... oval:org.secpod.oval:def:52052 gnupg2: GNU privacy guard - a free PGP replacement Details: This update provides the corresponding update for GnuPG 2 in Linux Mint 18.x LTS and Linux Mint 17.x LTS. Original advisory GnuPG 2 could be made to present validity information incorrectly. oval:org.secpod.oval:def:115272 Python 3.5 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.5, see other distributions that support it, such as CentOS or RHEL with Software Co ... oval:org.secpod.oval:def:115274 Python 2.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 2.6, see other distributions that support it, such as CentOS or RHEL 6. oval:org.secpod.oval:def:52048 exempi: library to parse XMP metadata Exempi could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:43104 The host is installed with Google Chrome before 63.0.3239.84 and is prone to an integer overflow vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:43103 The host is installed with Google Chrome before 63.0.3239.84 and is prone to an integer overflow vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:52061 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine Several security issues were fixed in Tomcat. oval:org.secpod.oval:def:52062 zsh: shell with lots of features Several security issues were fixed in Zsh. oval:org.secpod.oval:def:114005 LibreOffice is an Open Source, community-developed, office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editor and drawing program, with a user interface and feature set similar to other office suites. Sophisticate ... oval:org.secpod.oval:def:114022 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:114016 The zziplib library is intentionally lightweight, it offers the ability to easily extract data from files archived in a single zip file. Applications can bundle files into a single zip archive and access them. The implementation is based only on the subset of compression with the zlib algorithm whi ... oval:org.secpod.oval:def:53472 Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. oval:org.secpod.oval:def:53404 Several issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak. oval:org.secpod.oval:def:53430 Multiple security issues were discovered in Python: ElementTree failed to initialise Expat"s hash salt, two denial of service issues were found in difflib and poplib and a buffer overflow in PyString_DecodeEscape. oval:org.secpod.oval:def:2001121 In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff. oval:org.secpod.oval:def:114841 This package contains dcraw, a command line tool to decode raw image data downloaded from digital cameras. oval:org.secpod.oval:def:114860 The zziplib library is intentionally lightweight, it offers the ability to easily extract data from files archived in a single zip file. Applications can bundle files into a single zip archive and access them. The implementation is based only on the subset of compression with the zlib algorithm whi ... oval:org.secpod.oval:def:114931 poppler is a PDF rendering library. oval:org.secpod.oval:def:114080 PyCrypto is a collection of both secure hash functions , and various encryption algorithms . oval:org.secpod.oval:def:114079 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fai ... oval:org.secpod.oval:def:502222 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * Multiple flaws were found in the Hotspot and AWT components of OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java ... oval:org.secpod.oval:def:502229 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:502235 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * A flaw was found in the AWT component of OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ... oval:org.secpod.oval:def:502239 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:502243 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:502242 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ... oval:org.secpod.oval:def:502245 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ... oval:org.secpod.oval:def:502244 Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: Cross-site scripting vulnerability in web UI For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References secti ... oval:org.secpod.oval:def:114097 Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers . The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared li ... oval:org.secpod.oval:def:502246 Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: Cross-site scripting vulnerability in web UI For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References secti ... oval:org.secpod.oval:def:45857 The host is installed with PostgreSQL 10.x before 10.2, 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11 or 9.6.x before 9.6.7 and is prone to an information disclosure vulnerability. The flaw present in the application fails to handle issues in pg_upgrade function. Successful exploitat ... oval:org.secpod.oval:def:114039 Irssi is a modular IRC client with Perl scripting. Only text-mode frontend is currently supported. The GTK/GNOME frontend is no longer being maintained. oval:org.secpod.oval:def:114038 Irssi is a modular IRC client with Perl scripting. Only text-mode frontend is currently supported. The GTK/GNOME frontend is no longer being maintained. oval:org.secpod.oval:def:114052 PyCrypto is a collection of both secure hash functions , and various encryption algorithms . oval:org.secpod.oval:def:45890 The host is installed with Apple iCloud before 7.5 or Apple iTunes before 12.7.5 and is prone to an arbitrary code execution vulnerability. A flaw is present in the application, which fails to properly handle maliciously crafted web content. Successful exploitation could allow attackers to execute a ... oval:org.secpod.oval:def:502293 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.8.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Ski ... oval:org.secpod.oval:def:45942 The host is installed with Apple Safari before 11.1.1 and is prone to an arbitrary code execution vulnerability. A flaw is present in the applications, which fails to properly handle memory issues. Successful exploitation may lead to arbitrary code execution. oval:org.secpod.oval:def:53567 The host is installed with Apple Mac OS X 10.12.6, 10.13.6 or 10.14.3 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to properly handle an issue in perl. Successful exploitation allows an attacker to cause unspecified impact. oval:org.secpod.oval:def:1700092 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. oval:org.secpod.oval:def:502250 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Buffer overflow manipulating SVG animatedPathSegList * Mozilla: Out-of-bounds write with malformed IP ... oval:org.secpod.oval:def:502252 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.2 ESR. Security Fix: * Mozilla: Vorbis audio processing out of bounds write For more details about the security issue, including the impact, ... oval:org.secpod.oval:def:502251 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Buffer overflow manipulating SVG animatedPathSegList * Mozilla: Out-of-bounds write with malformed IP ... oval:org.secpod.oval:def:502258 The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix: * Mozilla: Vorbis audio processing out of bounds ... oval:org.secpod.oval:def:502257 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Memory safety bugs fixed in Firefox ESR 52.7 * Mozilla: Vorbis audio processing out o ... oval:org.secpod.oval:def:502259 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Memory safety bugs fixed in Firefox ESR 52.7 * Mozilla: Vorbis audio processing out o ... oval:org.secpod.oval:def:45901 The host is installed with Apple Mac OS X 10.13.4 and is prone to a stack buffer overflow vulnerability. A flaw is present in the application, which fails to properly handle php version less than 7.1.16. Successful exploitation allows attackers to execute arbitrary code in the context of the affecte ... oval:org.secpod.oval:def:114553 The xdg-utils package is a set of simple scripts that provide basic desktop integration functions for any Free Desktop, such as Linux. They are intended to provide a set of defacto standards. This means that: * Third party software developers can rely on these xdg-utils for all of their simple integ ... oval:org.secpod.oval:def:502261 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.3 ESR. Security Fix: * firefox: Use-after-free in compositor potentially allows code execution For more details about the security issue, incl ... oval:org.secpod.oval:def:114550 The procps package contains a set of system utilities that provide system information. Procps includes ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch and pwdx. The ps command displays a snapshot of running processes. The top command provides a repetitive update of the sta ... oval:org.secpod.oval:def:502263 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.3 ESR. Security Fix: * firefox: Use-after-free in compositor potentially allows code execution For more details about the security issue, incl ... oval:org.secpod.oval:def:502269 The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix: * Mozilla: Vorbis audio processing out of bounds ... oval:org.secpod.oval:def:502276 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ... oval:org.secpod.oval:def:502278 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:52201 php7.1: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:502277 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ... oval:org.secpod.oval:def:502279 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:1700072 Use-after-free when appending DOM nodes Use-after-free using focus Compromised IPC child process can list local filenames Buffer overflow using computed size of canvas element Using form to exfiltrate encrypted mail part by pressing enter in form field S/MIME plaintext can be leaked through HTML rep ... oval:org.secpod.oval:def:502285 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ... oval:org.secpod.oval:def:502284 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ... oval:org.secpod.oval:def:502289 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.8.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Ski ... oval:org.secpod.oval:def:1700066 A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have ... oval:org.secpod.oval:def:114529 The xdg-utils package is a set of simple scripts that provide basic desktop integration functions for any Free Desktop, such as Linux. They are intended to provide a set of defacto standards. This means that: * Third party software developers can rely on these xdg-utils for all of their simple integ ... oval:org.secpod.oval:def:114528 The xdg-utils package is a set of simple scripts that provide basic desktop integration functions for any Free Desktop, such as Linux. They are intended to provide a set of defacto standards. This means that: * Third party software developers can rely on these xdg-utils for all of their simple integ ... oval:org.secpod.oval:def:1700050 Multiple integer overflows leading to heap corruption flaws were discovered in file2strvec. These vulnerabilities can lead to privilege escalation for a local attacker who can create entries in procfs by starting processes, which will lead to crashes or arbitrary code execution in proc utilities run ... oval:org.secpod.oval:def:1502232 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502237 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502234 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502235 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1700046 The following CVEs are fixed in the updated thunderbird package:CVE-2018-5161 : Hang via malformed headersCVE-2018-5162 : Encrypted mail leaks plaintext through src attributeCVE-2018-5183 : Backport critical security fixes in SkiaCVE-2018-5155 : Use-after-free with SVG animations and text pathsCVE-2 ... oval:org.secpod.oval:def:114543 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:114541 WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. oval:org.secpod.oval:def:1700037 Malicious patch files cause ed to execute arbitrary commandsGNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation can result in code execution. This attack appear to be exploitable via a patch file processed via th ... oval:org.secpod.oval:def:1700036 1553531: Stack-based buffer overflow in exec.c:hashcmdzsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd function. A local attacker could exploit this to cause a denial of service.Stack-based buffer overflow in gen_matches_files at compctl.cA buffer overfl ... oval:org.secpod.oval:def:1700030 Unbounded memory allocation during deserialization in Container Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE . Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerabi ... oval:org.secpod.oval:def:1700034 Unbounded memory allocation during deserialization in NamedNodeMapImpl Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE . Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerabi ... oval:org.secpod.oval:def:114539 The procps package contains a set of system utilities that provide system information. Procps includes ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch and pwdx. The ps command displays a snapshot of running processes. The top command provides a repetitive update of the sta ... oval:org.secpod.oval:def:1502253 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502259 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1700024 FTP path trickery leads to NIL byte out of bounds write:It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, re ... oval:org.secpod.oval:def:1700021 Buffer overflow in dhclient possibly allowing code execution triggered by malicious serverAn out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client mach ... oval:org.secpod.oval:def:1700015 Vorbis audio processing out of bounds write :An out of bounds write flaw was found in the processing of vorbis audio data. A maliciously crafted file or audio stream could cause the application to crash or, potentially, execute arbitrary code oval:org.secpod.oval:def:1700018 Cross-site scripting vulnerability in web UIA cross-site scripting flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user#039;s side and force the victim to perform unintended actions oval:org.secpod.oval:def:1700010 Omapi code doesn"t free socket descriptors when empty message is received allowing denial-of-serviceIt was found that the DHCP daemon did not properly clean up closed OMAPI connections in certain cases. A remote attacker able to connect to the OMAPI port could use this flaw to exhaust file descripto ... oval:org.secpod.oval:def:1700005 SingleEntryRegistry incorrect setup of deserialization filter It was discovered that the JMX component of OpenJDK failed to properly set the deserialization filter for the SingleEntryRegistry in certain cases. A remote attacker could possibly use this flaw to bypass intended deserialization restrict ... oval:org.secpod.oval:def:1700004 HTTP authentication leak in redirectslibcurl might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response ... oval:org.secpod.oval:def:1502211 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502212 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:115092 The zziplib library is intentionally lightweight, it offers the ability to easily extract data from files archived in a single zip file. Applications can bundle files into a single zip archive and access them. The implementation is based only on the subset of compression with the zlib algorithm whi ... oval:org.secpod.oval:def:1502264 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1900953 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ... oval:org.secpod.oval:def:1502272 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502273 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502278 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502279 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1900934 Vulnerability in the MySQL Server component of Oracle MySQL. Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of th ... oval:org.secpod.oval:def:502331 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow usin ... oval:org.secpod.oval:def:502330 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow usin ... oval:org.secpod.oval:def:115054 Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures and an interpreter for Portable Document Format files. Ghostscript translates PostScript code into many common, bitmapped formats, like those understood by your printer or screen. Ghostscript is normally ... oval:org.secpod.oval:def:502335 The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification For more details abou ... oval:org.secpod.oval:def:502334 The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification For more details abou ... oval:org.secpod.oval:def:502339 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.9.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow using computed size of canvas element * Mozilla: Use ... oval:org.secpod.oval:def:502340 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.9.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow using computed size of canvas element * Mozilla: Use ... oval:org.secpod.oval:def:115074 Tools and utilities for developing with icu. oval:org.secpod.oval:def:115060 Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures and an interpreter for Portable Document Format files. Ghostscript translates PostScript code into many common, bitmapped formats, like those understood by your printer or screen. Ghostscript is normally ... oval:org.secpod.oval:def:703990 libreoffice: Office productivity suite LibreOffice would allow unintended access to files over the network. oval:org.secpod.oval:def:502306 The procps-ng packages contain a set of system utilities that provide system information, including ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx. Security Fix: * procps-ng, procps: Integer overflows leading to heap overflow in file2strvec * procps-ng, procps: ... oval:org.secpod.oval:def:502308 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.8.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Skia * Mozilla: Use-after-free with SVG animations ... oval:org.secpod.oval:def:502307 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.8.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Skia * Mozilla: Use-after-free with SVG animations ... oval:org.secpod.oval:def:502311 The procps packages contain a set of system utilities that provide system information. The procps packages include the following utilities: ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, pwdx, sysctl, pmap, and slabtop. Security Fix: * procps-ng, procps: Integer overflow ... oval:org.secpod.oval:def:502318 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: Null pointer indirection in printer server process For mor ... oval:org.secpod.oval:def:115028 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ... oval:org.secpod.oval:def:502320 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * samba: Null pointer indirection in printer server process For more details about the sec ... oval:org.secpod.oval:def:44720 Mozilla Firefox before 59.0 : A use-after-free vulnerability can occur when manipulating elements, events, and selection ranges during editor operations. This results in a potentially exploitable crash. oval:org.secpod.oval:def:44721 Mozilla Firefox ESR before 52.7 or Thunderbird before 52.7 : An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter. oval:org.secpod.oval:def:44722 Mozilla Firefox ESR before 52.7 or Thunderbird before 52.7 : Mozilla developers reported memory safety bugs present in Firefox ESR. These bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. oval:org.secpod.oval:def:44733 The host is missing a critical security update according to Mozilla advisory, MFSA2018-07. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:44734 The host is missing a critical security update according to Mozilla advisory, MFSA2018-06. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:44739 php7.1: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:205139 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba . Se ... oval:org.secpod.oval:def:51044 procps: /proc file system utilities Several security issues were fixed in procps-ng. oval:org.secpod.oval:def:51035 mysql-5.7: MySQL database Details: USN-3629-1 fixed vulnerabilities in MySQL. This update provides the corresponding updates for Linux Mint 19.x LTS. Original advisory Several security issues were fixed in MySQL. oval:org.secpod.oval:def:51039 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:115103 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. Zsh supports command line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:51050 gnupg2: GNU privacy guard - a free PGP replacement - gnupg: GNU privacy guard - a free PGP replacement Several security issues were fixed in GnuPG. oval:org.secpod.oval:def:51045 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:502373 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * It was discovered that the ghostscript /invalidaccess checks fail under certain condition ... oval:org.secpod.oval:def:502374 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: A bug in the UTF-8 decoder can lead to DoS For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed ... oval:org.secpod.oval:def:44700 Mozilla Firefox ESR before 52.7 or Thunderbird before 52.7 : An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter. oval:org.secpod.oval:def:44701 Mozilla Firefox ESR before 52.7 or Thunderbird before 52.7 : Mozilla developers reported memory safety bugs present in Firefox ESR. These bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. oval:org.secpod.oval:def:44714 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : Mozilla developers and community members reported memory safety bugs present in Firefox and Firefox ESR. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these ... oval:org.secpod.oval:def:44715 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : A buffer overflow can occur when manipulating the SVG animatedPathSegList through script. This results in a potentially exploitable crash. oval:org.secpod.oval:def:44716 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process. oval:org.secpod.oval:def:44712 The host is missing a critical security update according to Mozilla advisory, MFSA2018-07. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:44717 Mozilla Firefox before 59.0 or Firefox ESR before 52.7 : When packets with a mismatched RTP payload type are sent in WebRTC connections, in some circumstances a potentially exploitable crash is triggered. oval:org.secpod.oval:def:44718 Mozilla Firefox before 59.0 or Firefox ESR before 52.7 : Under certain circumstances the fetch() API can return transient local copies of resources that were sent with a no-store or no-cache cache header instead of downloading a copy from the network as it should. This can result in previously store ... oval:org.secpod.oval:def:44719 Mozilla Firefox before 59.0 : Mozilla developers and community members reported memory safety bugs present in Firefox. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. oval:org.secpod.oval:def:114649 WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKit2 based WebKitGTK+ for GTK+ 3. oval:org.secpod.oval:def:114641 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:1502108 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114639 GnuPG is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of ... oval:org.secpod.oval:def:1502111 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114667 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:114669 GnuPG is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of ... oval:org.secpod.oval:def:114666 GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440 and the S/MIME standard as describe ... oval:org.secpod.oval:def:114665 Archive::Tar provides an object oriented mechanism for handling tar files. It provides class methods for quick and easy files handling while also allowing for the creation of tar file objects for custom manipulation. If you have the IO::Zlib module installed, Archive::Tar will also support compresse ... oval:org.secpod.oval:def:114660 GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440 and the S/MIME standard as describe ... oval:org.secpod.oval:def:114662 This is a library that defines common error values for all GnuPG components. Among these are GPG, GPGSM, GPGME, GPG-Agent, libgcrypt, pinentry, SmartCard Daemon and possibly more in the future. oval:org.secpod.oval:def:114657 This is a library that defines common error values for all GnuPG components. Among these are GPG, GPGSM, GPGME, GPG-Agent, libgcrypt, pinentry, SmartCard Daemon and possibly more in the future. oval:org.secpod.oval:def:114659 Archive::Tar provides an object oriented mechanism for handling tar files. It provides class methods for quick and easy files handling while also allowing for the creation of tar file objects for custom manipulation. If you have the IO::Zlib module installed, Archive::Tar will also support compresse ... oval:org.secpod.oval:def:1502135 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502139 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:45188 The host is installed with Oracle MySQL Server through 5.5.59, 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Replication. Successful exploitation allows attackers to affect Confidentiality, Integr ... oval:org.secpod.oval:def:2000022 An issue was discovered in GNU patch through 2.7.6. There is a segmentation fault, associated with a NULL pointer dereference, leading to a denial of service in the intuit_diff_type function in pch.c, aka a "mangled rename" issue. oval:org.secpod.oval:def:45193 The host is installed with Oracle MySQL Server through 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45195 The host is installed with Oracle MySQL Server through 5.5.59, 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Locking. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45191 The host is installed with Oracle MySQL Server through 5.5.59, 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Client programs. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:1901503 Memory safety bugs were reported in Firefox 58 and Firefox ESR 52.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, an ... oval:org.secpod.oval:def:114609 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:1502181 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502184 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502185 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:112976 QPDF is a command-line program that does structural, content-preserving transformations on PDF files. It could have been called something like pdf-to-pdf. It includes support for merging and splitting PDFs and to manipulate the list of pages in a PDF file. It is not a PDF viewer or a program capable ... oval:org.secpod.oval:def:1502194 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502198 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:51948 libxcursor: X11 cursor management library libxcursor could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:114705 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:45299 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:45298 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:45215 The host is installed with Oracle MySQL Server through 5.5.59, 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:1502145 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502148 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502149 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502146 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502147 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502151 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502152 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502155 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502153 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502154 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502159 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502162 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502163 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502160 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502166 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502164 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502179 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:45203 The host is installed with Oracle MySQL Server through 5.5.59, 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Optimizer. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45204 The host is installed with Oracle MySQL Server through 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45205 The host is installed with Oracle MySQL Server through 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45207 The host is installed with Oracle MySQL Server through 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Integrity and Availability. oval:org.secpod.oval:def:45211 The host is installed with Oracle MySQL Server through 5.5.59, 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: DDL. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:45213 The host is installed with Oracle MySQL Server through 5.5.59, 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: DDL. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:44769 The host is missing a critical security update according to Mozilla advisory, MFSA2018-09. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:44764 Mozilla Firefox before 59.0.1 or Firefox ESR before 52.7.2 : An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. oval:org.secpod.oval:def:44765 The host is missing a critical security update according to Mozilla advisory, MFSA2018-08. The update is required to fix out-of-bound memory write vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the se ... oval:org.secpod.oval:def:51060 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK+. oval:org.secpod.oval:def:51061 mozjs52: SpiderMonkey JavaScript library Several security issues were fixed in Spidermonkey. oval:org.secpod.oval:def:51066 zziplib: library providing read access on ZIP-archives - library zziplib could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:44770 The host is missing a critical security update according to Mozilla advisory, MFSA2018-09. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:44776 Mozilla Firefox before 59.0.2 or Firefox ESR before 52.7.3 : A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash. oval:org.secpod.oval:def:44777 The host is missing a important security update according to Mozilla advisory, MFSA2018-10. The update is required to fix use-after-free vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the service. oval:org.secpod.oval:def:51074 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:51068 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:44783 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44784 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44785 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44786 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44787 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44789 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:51086 xdg-utils: desktop integration utilities from freedesktop.org xdg-utils could be made to run arbitrary code if it received a specially crafted input. oval:org.secpod.oval:def:51088 perl: Practical Extraction and Report Language Perl could be made to overwrite arbitrary files if it received a specially crafted archive file. oval:org.secpod.oval:def:44793 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44795 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44796 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44790 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44791 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44792 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44797 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44798 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:44799 The host is installed with Apple iCloud before 7.4 or Apple iTunes before 12.7.4 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle a function in javascript core. Successful exploitation could allow attackers to cause an ASSERT fai ... oval:org.secpod.oval:def:51143 clamav: Anti-virus utility for Unix ClamAV could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:51133 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:51137 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:51150 mysql-5.7: MySQL database - mysql-5.5: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:51154 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:51145 net-snmp: SNMP server and applications Net-SNMP could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:51144 requests: elegant and simple HTTP library for Python Requests could be made to expose sensitive information if it received a specially crafted HTTP header. oval:org.secpod.oval:def:51147 moin: Collaborative hypertext environment MoinMoin could be made to expose sensitive information if it received a specially crafted input. oval:org.secpod.oval:def:51146 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:51149 paramiko: Python SSH2 library Paramiko could allow unintended access to network services. oval:org.secpod.oval:def:51148 libssh: A tiny C SSH library libssh could allow unintended access to network services. oval:org.secpod.oval:def:51160 spamassassin: Perl-based spam filter using text analysis Several security issues were fixed in SpamAssassin. oval:org.secpod.oval:def:51163 libmspack: library for Microsoft compression formats Several security issues were fixed in libmspack. oval:org.secpod.oval:def:51162 nginx: small, powerful, scalable web/proxy server Several security issues were fixed in nginx. oval:org.secpod.oval:def:51164 gettext: GNU Internationalization utilities gettext could be made to execute arbitrary code if it received a specially crafted message. oval:org.secpod.oval:def:51155 network-manager: Network connection manager NetworkManager could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:51158 libxkbcommon: library interface to the XKB compiler - development files Details: USN-3786-1 fixed several vulnerabilities in libxkbcommon. This update provides the corresponding update for Linux Mint 19.x LTS. Original advisory Several security issues were fixed in libxkbcommon. oval:org.secpod.oval:def:51157 systemd: system and service manager systemd-networkd could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:1502409 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:51170 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:51174 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:51168 systemd: system and service manager Details: USN-3816-1 fixed several vulnerabilities in systemd. However, the fix for CVE-2018-6954 was not sufficient. This update provides the remaining fixes. We apologize for the inconvenience. Original advisory systemd-tmpfiles could be made to change ownership ... oval:org.secpod.oval:def:51100 libmspack: library for Microsoft compression formats Several security issues were fixed in libmspack. oval:org.secpod.oval:def:51107 wpa: client support for WPA and WPA2 wpa_supplicant and hostapd could be made to expose sensitive information if it received a crafted message. oval:org.secpod.oval:def:51120 zsh: shell with lots of features Zsh could be made to execute arbitrary code if it received a specially crafted script. oval:org.secpod.oval:def:51114 libgd2: GD Graphics Library Several security issues were fixed in GD. oval:org.secpod.oval:def:51116 poppler: PDF rendering library poppler could be made to crash if it received specially crafted PDF file. oval:org.secpod.oval:def:51118 libtirpc: transport-independent RPC library - development files Several security issues were fixed in libtirpc. oval:org.secpod.oval:def:51117 libx11: X11 client-side library Several security issues were fixed in libx11. oval:org.secpod.oval:def:51119 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:115664 lxml is a Pythonic, mature binding for the libxml2 and libxslt libraries. It provides safe and convenient access to these libraries using the ElementTree It extends the ElementTree API significantly to offer support for XPath, RelaxNG, XML Schema, XSLT, C14N and much more.To contact the project, go ... oval:org.secpod.oval:def:51132 strongswan: IPsec VPN solution strongSwan could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:51125 curl: HTTP, HTTPS, and FTP client and client libraries curl could be made to run arbitrary code if it received a specially crafted input. oval:org.secpod.oval:def:51128 glib2.0: GLib Input, Output and Streaming Library Several security issues were fixed in GLib. oval:org.secpod.oval:def:1900717 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ... oval:org.secpod.oval:def:2001466 An error within the "rollei_load_raw" function in LibRaw versions prior to 0.18.9 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash. oval:org.secpod.oval:def:2000126 An integer overflow error within the "parse_qt" function in LibRaw versions prior to 0.18.12 can be exploited to trigger an infinite loop via a specially crafted Apple QuickTime file. oval:org.secpod.oval:def:2000112 Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash the xkbcommon parser by supplying a crafted keymap file, because the XkbFile for an xkb_geometry section was mishandled. oval:org.secpod.oval:def:112559 Libgcrypt is a general purpose crypto library based on the code used in GNU Privacy Guard. This is a development version. oval:org.secpod.oval:def:2001440 An error within the "nikon_coolscan_load_raw" function in LibRaw versions prior to 0.18.9 can be exploited to trigger a NULL pointer dereference. oval:org.secpod.oval:def:112621 Libgcrypt is a general purpose crypto library based on the code used in GNU Privacy Guard. This is a development version. oval:org.secpod.oval:def:46696 The host is installed with Oracle MySQL Server through 5.5.60 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Security: Privileges. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:46699 The host is installed with Oracle MySQL Server through 5.5.60, 5.6.40 or 5.7.22 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Options. Successful exploitation allows attackers to affect Confidentiality and Integri ... oval:org.secpod.oval:def:46692 The host is installed with Oracle MySQL Server through 5.5.60, 5.6.40 or 5.7.22 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to MyISAM. Successful exploitation allows attackers to affect Integrity. oval:org.secpod.oval:def:502586 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: Incorrect free logic in pagedevice replacement * ghostscript: Incorrect &q ... oval:org.secpod.oval:def:502590 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:51180 wavpack: audio codec - encoder and decoder Several security issues were fixed in WavPack. oval:org.secpod.oval:def:51187 python-django: High-level Python web development framework Django could be made to expose spoofed information over the network. oval:org.secpod.oval:def:51186 nss: Network Security Service library Several security issues were fixed in NSS. oval:org.secpod.oval:def:51177 libraw: raw image decoder library LibRaw could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:502534 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.2.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozilla: Use-after-free in IndexedDB * Mozilla: Prox ... oval:org.secpod.oval:def:502539 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:51191 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:502540 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: .tempfile file permission issues * ghostscript: shading_param incomplete t ... oval:org.secpod.oval:def:502543 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix: * ruby: OpenSSL::X509::Name equality check does not work correctly For more details about the security issue, including the impact, a ... oval:org.secpod.oval:def:502545 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix: * ruby: OpenSSL::X509::Name equality check does not work correctly For more details about the security issue, including the impact, a ... oval:org.secpod.oval:def:2001509 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. oval:org.secpod.oval:def:1900037 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.41 and prior, 5.7.23and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succes ... oval:org.secpod.oval:def:114432 GNU Wget is a file retrieval utility which can use either the HTTP or FTP protocols. Wget features include the ability to work in the background while you are logged out, recursive retrieval of directories, file name wildcard matching, remote file timestamp storage and comparison, use of Rest with F ... oval:org.secpod.oval:def:1700180 An off-by-one error has been discovered in libX11 in functions XGetFontPath, XListExtensions, and XListFonts. An attacker who can either configure a malicious X server or modify the data coming from one could use this flaw to make the program crash or have other unspecified effects, caused by the me ... oval:org.secpod.oval:def:115740 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ... oval:org.secpod.oval:def:2000247 An error within the "parse_minolta" function in LibRaw versions prior to 0.18.11 can be exploited to trigger an infinite loop via a specially crafted file. oval:org.secpod.oval:def:1700126 Large syslogd messages sent to journald can cause stack corruption, causing journald to crash. The version of systemd on Amazon Linux 2 is not vulnerable to privilege escalation in this case. Large native messages to journald can cause stack corruption, leading to possible local privilege escalation ... oval:org.secpod.oval:def:1700112 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate privileges.It was disc ... oval:org.secpod.oval:def:1700111 curl is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over t ... oval:org.secpod.oval:def:2001554 A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and includ ... oval:org.secpod.oval:def:1502330 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1700101 An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6. Under certain conditions, the integrity of EAPOL-Key messages is not checked, leading to a decryption oracle. An attacker within range of the Access Point and client can abuse the vulnerability to recover sensitive informat ... oval:org.secpod.oval:def:502624 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Open redirect in default servlet For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page ... oval:org.secpod.oval:def:53090 Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that Libgcrypt is prone to a local side-channel attack allowing full key recovery for RSA-1024. See https://eprint.iacr.org/2017/627 for deta ... oval:org.secpod.oval:def:1502393 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502391 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502397 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502398 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603290 Joonun Jang discovered several problems in wavpack, an audio compression format suite. Incorrect processing of input resulted in several heap- and stack-based buffer overflows, leading to application crash or potential code execution. oval:org.secpod.oval:def:115451 The purpose of libmspack is to provide both compression and decompression of some loosely related file formats used by Microsoft. oval:org.secpod.oval:def:115454 cabextract is a program which can extract files from cabinet archives. oval:org.secpod.oval:def:114118 WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode. Although the technology is loosely based on previous versions of WavPack, the new version 4 format has been designed from the ground up to offer unparalleled performanc ... oval:org.secpod.oval:def:115477 cabextract is a program which can extract files from cabinet archives. oval:org.secpod.oval:def:115479 The purpose of libmspack is to provide both compression and decompression of some loosely related file formats used by Microsoft. oval:org.secpod.oval:def:115461 Most existing Python modules for sending HTTP requests are extremely verbose and cumbersome. Pythons built-in urllib2 module provides most of the HTTP capabilities you should need, but the API is thoroughly broken. This library is designed to make HTTP requests easy for developers. oval:org.secpod.oval:def:2000311 The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. oval:org.secpod.oval:def:115416 Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks . It is simple, straight-forward, and extensible. oval:org.secpod.oval:def:50000 The host is installed with Artifex Ghostscript through 9.25 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle vectors involving errorhandler setup. Successful exploitation could allow attackers to bypass a sandbox protection mechani ... oval:org.secpod.oval:def:50001 The host is installed with Artifex Ghostscript through 9.25 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle exposure of system operators in the saved execution stack in an error object. Successful exploitation could allow attacker ... oval:org.secpod.oval:def:1901004 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Su ... oval:org.secpod.oval:def:115438 The GNU gettext package provides a set of tools and documentation for producing multi-lingual messages in programs. Tools include a set of conventions about how programs should be written to support message catalogs, a directory and file naming organization for the message catalogs, a runtime librar ... oval:org.secpod.oval:def:114107 WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode. Although the technology is loosely based on previous versions of WavPack, the new version 4 format has been designed from the ground up to offer unparalleled performanc ... oval:org.secpod.oval:def:602975 Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that Libgcrypt is prone to a local side-channel attack allowing full key recovery for RSA-1024. See https://eprint.iacr.org/2017/627 for deta ... oval:org.secpod.oval:def:2000392 Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on th ... oval:org.secpod.oval:def:47256 libxml2: GNOME XML library Several security issues were fixed in libxml2. oval:org.secpod.oval:def:47269 The host is installed with Artifex Ghostscript before 9.23 and is prone to a type confusion vulnerability. A flaw is present in the application, which fails to properly handle the .shfill operator. Successful exploitation could allow attackers to supply crafted postScript files to crash the interpre ... oval:org.secpod.oval:def:47268 The host is installed with Artifex Ghostscript before 9.23 and is prone to a type confusion vulnerability. A flaw is present in the application, which fails to properly handle the LockDistillerParams parameter. Successful exploitation could allow attackers to crash the interpreter or execute code. oval:org.secpod.oval:def:2000347 Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upo ... oval:org.secpod.oval:def:47267 The host is installed with Artifex Ghostscript before 9.23 and is prone to an arbitrary code execution vulnerability. A flaw is present in the application, which fails to properly handle the uninitialized memory access in the aesdecode operator. Successful exploitation could allow attackers to crash ... oval:org.secpod.oval:def:2000364 In GNOME GLib 2.56.1, g_markup_parse_context_end_parse in gmarkup.c has a NULL pointer dereference. oval:org.secpod.oval:def:114975 wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2 . Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association ... oval:org.secpod.oval:def:47270 The host is installed with Artifex Ghostscript before 9.23 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle .tempfile restrictions and write files. Successful exploitation could allow attackers to supply malicious postScript files ... oval:org.secpod.oval:def:603354 A buffer-overflow vulnerability was discovered in Sharutils, a set of utilities handle Shell Archives. An attacker with control on the input of the unshar command, could crash the application or execute arbitrary code in the its context. oval:org.secpod.oval:def:603395 Harry Sintonen discovered that wget, a network utility to retrieve files from the web, does not properly handle "\r\n" from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replac ... oval:org.secpod.oval:def:50175 In systemd before 240-1, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems. oval:org.secpod.oval:def:50167 An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. oval:org.secpod.oval:def:50168 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. oval:org.secpod.oval:def:50169 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-jou ... oval:org.secpod.oval:def:50176 In systemd before 240-1, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems. oval:org.secpod.oval:def:50177 In systemd before 240-1, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems. oval:org.secpod.oval:def:2000431 GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse in gmarkup.c, related to utf8_str. oval:org.secpod.oval:def:115595 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:503286 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * mysql: MyISAM unspecified vulnerability * mysql: Server: Security: Privileges unspecified vulnerabilit ... oval:org.secpod.oval:def:115591 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:115528 Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. oval:org.secpod.oval:def:115548 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:115546 The GNU gettext package provides a set of tools and documentation for producing multi-lingual messages in programs. Tools include a set of conventions about how programs should be written to support message catalogs, a directory and file naming organization for the message catalogs, a runtime librar ... oval:org.secpod.oval:def:503255 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:704178 mutt: text-based mailreader supporting MIME, GPG, PGP and threading Several security issues were fixed in Mutt. oval:org.secpod.oval:def:2000496 ImageMagick 7.0.8-5 has a memory leak vulnerability in the function ReadOneJNGImage in coders/png.c. oval:org.secpod.oval:def:47379 Mozilla Firefox 62 : Mozilla developers and community members Christian Holler, Looben Yang, Jesse Ruderman, Sebastian Hengst, Nicolas Grunbaum, and Gary Kwong reported memory safety bugs present in Firefox 61. Some of these bugs showed evidence of memory corruption and we presume that with enough e ... oval:org.secpod.oval:def:47382 Mozilla Firefox 62, Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. oval:org.secpod.oval:def:47381 Mozilla Firefox 62, Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. oval:org.secpod.oval:def:47384 Mozilla Firefox 62, Mozilla Firefox ESR 60.2.1, Mozilla Thunderbird 60.2.1 : If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was ... oval:org.secpod.oval:def:47380 Mozilla Firefox 62Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : Mozilla developers and community members Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, and Andrei C ... oval:org.secpod.oval:def:603515 Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an interpreter for the PostScript language, which could result in the execution of arbitrary code if a malformed Postscript file is processed . oval:org.secpod.oval:def:47397 The host is installed with Artifex Ghostscript before 9.24 and is prone to a use-after-free vulnerability. A flaw is present in the application, which fails to properly handle the builtin PDF14 converter. Successful exploitation could allow attackers to supply crafted postScript files to crash the i ... oval:org.secpod.oval:def:47396 The host is installed with Artifex Ghostscript before 9.24 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle .tempfile restrictions and write files. Successful exploitation could allow attackers to supply malicious postScript files ... oval:org.secpod.oval:def:47399 The host is installed with Artifex Ghostscript before 9.24 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to handle the stack-size checking during error handling. Successful exploitation could allow attackers to supply crafted postScript files to ... oval:org.secpod.oval:def:2000477 Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF fil ... oval:org.secpod.oval:def:47398 The host is installed with Artifex Ghostscript before 9.24 and is prone to a denial of service vulnerability. A flaw is present in the application, which uses incorrect free logic in pagedevice. Successful exploitation could allow attackers to supply crafted postScript files to crash the interpreter ... oval:org.secpod.oval:def:704129 libgcrypt20: LGPL Crypto library - libgcrypt11: LGPL Crypto library Libgcrypt could be made to expose sensitive information. oval:org.secpod.oval:def:1901095 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ... oval:org.secpod.oval:def:603433 It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys. oval:org.secpod.oval:def:47400 The host is installed with Artifex Ghostscript before 9.24 and is prone to a type confusion vulnerability. A flaw is present in the application, which uses gssetresolution and gsgetresolution parameters. Successful exploitation could allow attackers to supply crafted postScript files to crash the in ... oval:org.secpod.oval:def:47403 The host is installed with Artifex Ghostscript before 9.24 and is prone to a type confusion vulnerability. A flaw is present in the application, which fails to properly handle the ztype parameter. Successful exploitation could allow attackers to supply crafted postScript files to crash the interpret ... oval:org.secpod.oval:def:47402 The host is installed with Artifex Ghostscript before 9.24 and is prone to a denial of service vulnerability. A flaw is present in the application, which uses incorrect exec stack handling in the "CS" and "SC" PDF primitives. Successful exploitation could allow attackers to supply crafted postScript ... oval:org.secpod.oval:def:47404 The host is installed with Artifex Ghostscript before 9.24 and is prone to a type confusion vulnerability. A flaw is present in the application, which fails to properly handle the setcolor function. Successful exploitation could allow attackers to supply crafted postScript files to crash the interpr ... oval:org.secpod.oval:def:53299 A buffer-overflow vulnerability was discovered in Sharutils, a set of utilities handle Shell Archives. An attacker with control on the input of the unshar command, could crash the application or execute arbitrary code in the its context. oval:org.secpod.oval:def:53261 Joonun Jang discovered several problems in wavpack, an audio compression format suite. Incorrect processing of input resulted in several heap- and stack-based buffer overflows, leading to application crash or potential code execution. oval:org.secpod.oval:def:115201 Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers . The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared li ... oval:org.secpod.oval:def:53325 Harry Sintonen discovered that wget, a network utility to retrieve files from the web, does not properly handle "\r\n" from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replac ... oval:org.secpod.oval:def:115232 Paramiko is a module for python 2.3 or greater that implements the SSH2 protocol for secure connections to remote machines. Unlike SSL , the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. You may know SSH2 as the protocol that replaced telnet and r ... oval:org.secpod.oval:def:53354 It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys. oval:org.secpod.oval:def:2000520 An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line. oval:org.secpod.oval:def:2000536 In Safari before 11.1.2, iTunes before 12.8 for Windows, iOS before 11.4.1, tvOS before 11.4.1, iCloud for Windows before 7.6, multiple memory corruption issues were addressed with improved memory handling. oval:org.secpod.oval:def:2000535 Unchecked NULL pointer usage in ResolveStateAndPredicate in xkbcomp/compat.c in xkbcommon before 0.8.2 could be used by local attackers to crash the xkbcommon parser by supplying a crafted keymap file with a no-op modmask expression. oval:org.secpod.oval:def:2000519 An infinite loop when reaching EOL unexpectedly in compose/parser.c in xkbcommon before 0.8.1 could be used by local attackers to cause a denial of service during parsing of crafted keymap files. oval:org.secpod.oval:def:114765 Botan is a BSD-licensed crypto library written in C++. It provides a wide variety of basic cryptographic algorithms, X.509 certificates and CRLs, PKCS \#10 certificate requests, a filter/pipe message processing system, and a wide variety of other features, all written in portable C++. The API refere ... oval:org.secpod.oval:def:52869 libgcrypt20: LGPL Crypto library - libgcrypt11: LGPL Crypto library Several security issues were fixed in Libgcrypt. oval:org.secpod.oval:def:114753 Libsoup is an HTTP library implementation in C. It was originally part of a SOAP implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications. This enables GNOME application ... oval:org.secpod.oval:def:51542 systemd: system and service manager Details: USN-3816-1 fixed several vulnerabilities in systemd. However, the fix for CVE-2018-6954 was not sufficient. This update provides the remaining fixes. We apologize for the inconvenience. Original advisory systemd-tmpfiles could be made to change ownership ... oval:org.secpod.oval:def:603605 The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled allocas and an out-of-bounds read flaw leading to an information leak , could allow an attacker to cause a denial of service or the execution of arbitrary code. Fur ... oval:org.secpod.oval:def:603602 It was discovered that malformed URLs could spoof the content of the default 404 page of Django, a Python web development framework. oval:org.secpod.oval:def:114771 Botan is a BSD-licensed crypto library written in C++. It provides a wide variety of basic cryptographic algorithms, X.509 certificates and CRLs, PKCS \#10 certificate requests, a filter/pipe message processing system, and a wide variety of other features, all written in portable C++. The API refere ... oval:org.secpod.oval:def:704288 wpa: client support for WPA and WPA2 wpa_supplicant and hostapd could be made to expose sensitive information if it received a crafted message. oval:org.secpod.oval:def:704284 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK+. oval:org.secpod.oval:def:704282 libxml2: GNOME XML library Several security issues were fixed in libxml2. oval:org.secpod.oval:def:704272 - gnupg: GNU privacy guard - a free PGP replacement GnuPG could be made to expose sensitive information. oval:org.secpod.oval:def:114748 Libsoup is an HTTP library implementation in C. It was originally part of a SOAP implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications. This enables GNOME application ... oval:org.secpod.oval:def:704250 libxcursor: X11 cursor management library libxcursor could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:704244 mysql-5.7: MySQL database - mysql-5.5: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:603547 Nitin Venkatesh discovered a cross-site scripting vulnerability in moin, a Python clone of WikiWiki. A remote attacker can conduct cross-site scripting attacks via the GUI editor"s link dialogue. This only affects installations which have set up fckeditor . oval:org.secpod.oval:def:704247 libmspack: library for Microsoft compression formats Several security issues were fixed in libmspack. oval:org.secpod.oval:def:603542 Magnus Klaaborg Stubman discovered a NULL pointer dereference bug in net-snmp, a suite of Simple Network Management Protocol applications, allowing a remote, authenticated attacker to crash the snmpd process . oval:org.secpod.oval:def:47565 The host is installed with Artifex Ghostscript before 9.25 and is prone to an arbitrary code execution vulnerability. A flaw is present in the application, which fails to properly handle crafted postscript. Successful exploitation could allow attackers to potentially overwrite or replace error handl ... oval:org.secpod.oval:def:704249 clamav: Anti-virus utility for Unix Details: USN-3728-1 fixed several vulnerabilities in libmspack. In Ubuntu 14.04 libmspack is included into ClamAV. This update provides the corresponding update for Ubuntu 14.04 LTS. Original advisory Several security issues were fixed in ClamAV. oval:org.secpod.oval:def:704233 sharutils: shar, unshar, uuencode, uudecode Sharutils could be made to execute arbitrary code if it opened a specially crafted file. oval:org.secpod.oval:def:603538 Two security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code inside the sandboxed content process. oval:org.secpod.oval:def:603537 Google"s OSS-Fuzz revealed an exploitable bug in the gmp plugin caused by the patch that fixes CVE-2018-16151 and CVE-2018-16151 . An attacker could trigger it using crafted certificates with RSA keys with very small moduli. Verifying signatures with such keys would cause an integer underflow and su ... oval:org.secpod.oval:def:704237 evolution-data-server: Evolution suite data server Evolution Data Server could be made to expose sensitive information over the network. oval:org.secpod.oval:def:704238 clamav: Anti-virus utility for Unix Details: USN-3722-1 fixed vulnerabilities in ClamAV. The updated ClamAV version removed some configuration options which caused the daemon to fail to start in environments where the ClamAV configuration file was manually edited. This update fixes the problem. We a ... oval:org.secpod.oval:def:704224 wavpack: audio codec - encoder and decoder WavPack could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:704225 libsoup2.4: HTTP client/server library for GNOME libsoup could be made to crash if it received a specially crafted input. oval:org.secpod.oval:def:603568 Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service, disclosure of existence and size of arbitrary files, or the execution of arbitrary code if a malformed Postscript file is processed . This update rebases ghostscript for ... oval:org.secpod.oval:def:603565 Three vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could in denial of service in processing HTTP/2 or server memory disclosure in the ngx_http_mp4_module module . oval:org.secpod.oval:def:603562 Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-16395 Tyler Eckstein reported that the equality check of OpenSSL::X509::Name could return true for non-equal objects. If ... oval:org.secpod.oval:def:704229 liblouis: Braille translation library - utilities Several security issues were fixed in Liblouis. oval:org.secpod.oval:def:603554 Multiple security issues have been found in Thunderbird: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:603550 Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH library, contains an authentication bypass vulnerability in the server code. An attacker can take advantage of this flaw to successfully authenticate without any credentials by presenting the server an SSH2_MSG_USERAUTH_SUCCESS mes ... oval:org.secpod.oval:def:704216 wget: retrieves files from the web Wget could be made to inject arbitrary cookie values. oval:org.secpod.oval:def:704217 postgresql-9.6: Object-relational SQL database - postgresql-9.5: Object-relational SQL database - postgresql-9.3: Object-relational SQL database PostgreSQL could be made to execute arbitrary code. oval:org.secpod.oval:def:47518 The host is installed with Artifex Ghostscript before 9.25 and is prone to a privilege escalation vulnerability. A flaw is present in the application, which fails to properly handle an exception during incorrect "restoration of privilege" checking when running out of stack. Successful exploitation c ... oval:org.secpod.oval:def:603576 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-14629 Florian Stuelpner discovered that Samba is vulnerable to infinite query recursion caused by CNAME ... oval:org.secpod.oval:def:603575 Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed . This update rebases ghostscript for stretch to the upstream version 9.26 which includes a ... oval:org.secpod.oval:def:115295 NetworkManager is a system service that manages network interfaces and connections based on user or automatic configuration. It supports Ethernet, Bridge, Bond, VLAN, Team, InfiniBand, Wi-Fi, mobile broadband , PPPoE and other devices, and supports a variety of different VPN services. oval:org.secpod.oval:def:115287 Most existing Python modules for sending HTTP requests are extremely verbose and cumbersome. Pythons built-in urllib2 module provides most of the HTTP capabilities you should need, but the API is thoroughly broken. This library is designed to make HTTP requests easy for developers. oval:org.secpod.oval:def:115289 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ... oval:org.secpod.oval:def:2000614 A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnera ... oval:org.secpod.oval:def:2000612 Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash the xkbcommon parser by supplying a crafted keymap file that triggers an xkb_intern_atom failure. oval:org.secpod.oval:def:52091 postgresql-9.6: Object-relational SQL database - postgresql-9.5: Object-relational SQL database - postgresql-9.3: Object-relational SQL database PostgreSQL could be made to execute arbitrary code. oval:org.secpod.oval:def:52096 wavpack: audio codec - encoder and decoder WavPack could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:115256 Paramiko is a module for python 2.3 or greater that implements the SSH2 protocol for secure connections to remote machines. Unlike SSL , the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. You may know SSH2 as the protocol that replaced telnet and r ... oval:org.secpod.oval:def:115261 The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote prog ... oval:org.secpod.oval:def:115260 The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote prog ... oval:org.secpod.oval:def:52111 libxml2: GNOME XML library Several security issues were fixed in libxml2. oval:org.secpod.oval:def:52101 sharutils: shar, unshar, uuencode, uudecode Sharutils could be made to execute arbitrary code if it opened a specially crafted file. oval:org.secpod.oval:def:52106 - gnupg: GNU privacy guard - a free PGP replacement GnuPG could be made to expose sensitive information. oval:org.secpod.oval:def:115327 The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote prog ... oval:org.secpod.oval:def:115323 Most existing Python modules for sending HTTP requests are extremely verbose and cumbersome. Pythons built-in urllib2 module provides most of the HTTP capabilities you should need, but the API is thoroughly broken. This library is designed to make HTTP requests easy for developers. oval:org.secpod.oval:def:52120 libxkbcommon: library interface to the XKB compiler - development files Several security issues were fixed in libxkbcommon. oval:org.secpod.oval:def:52121 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine Tomcat could be made to redirect to arbitrary locations. oval:org.secpod.oval:def:52124 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:52123 pyopenssl: Python wrapper around the OpenSSL library Several security issues were fixed in pyOpenSSL. oval:org.secpod.oval:def:115346 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ... oval:org.secpod.oval:def:53468 Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed . This update rebases ghostscript for stretch to the upstream version 9.26 which includes a ... oval:org.secpod.oval:def:53417 Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an interpreter for the PostScript language, which could result in the execution of arbitrary code if a malformed Postscript file is processed . oval:org.secpod.oval:def:114899 This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream o ... oval:org.secpod.oval:def:52943 clamav: Anti-virus utility for Unix Details: USN-3728-1 fixed several vulnerabilities in libmspack. In Linux Mint 17.x libmspack is included into ClamAV. This update provides the corresponding update for Linux Mint 17.x LTS. Original advisory Several security issues were fixed in ClamAV. oval:org.secpod.oval:def:704396 systemd: system and service manager Details: USN-3816-1 fixed several vulnerabilities in systemd. However, the fix for CVE-2018-6954 was not sufficient. This update provides the remaining fixes. We apologize for the inconvenience. Original advisory systemd-tmpfiles could be made to change ownership ... oval:org.secpod.oval:def:52955 clamav: Anti-virus utility for Unix Details: USN-3814-1 fixed several vulnerabilities in libmspack. In Linux Mint 17.x libmspack is included into ClamAV. This update provides the corresponding update for Linux Mint 17.x LTS. Original advisory Several security issues were fixed in ClamAV. oval:org.secpod.oval:def:704388 clamav: Anti-virus utility for Unix Details: USN-3814-1 fixed several vulnerabilities in libmspack. In Ubuntu 14.04 libmspack is included into ClamAV. This update provides the corresponding update for Ubuntu 14.04 LTS. Original advisory Several security issues were fixed in ClamAV. oval:org.secpod.oval:def:704383 libmspack: library for Microsoft compression formats Several security issues were fixed in libmspack. oval:org.secpod.oval:def:704384 gettext: GNU Internationalization utilities gettext could be made to execute arbitrary code if it received a specially crafted message. oval:org.secpod.oval:def:704385 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:114867 poppler is a PDF rendering library. oval:org.secpod.oval:def:114862 Mutt is a small but very powerful text-based MIME mail client. Mutt is highly configurable, and is well suited to the mail power user with advanced features like key bindings, keyboard macros, mail threading, regular expression searches and a powerful pattern matching language for selecting groups o ... oval:org.secpod.oval:def:704381 nginx: small, powerful, scalable web/proxy server Several security issues were fixed in nginx. oval:org.secpod.oval:def:704382 pyopenssl: Python wrapper around the OpenSSL library Several security issues were fixed in pyOpenSSL. oval:org.secpod.oval:def:46294 The host is installed with Apple iCloud before 7.6 or Apple iTunes before 12.8 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle crafted content. Successful exploitation could allow attackers to crash the service. oval:org.secpod.oval:def:205321 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * mysql: MyISAM unspecified vulnerability * mysql: Server: Security: Privileges unspecified vulnerabilit ... oval:org.secpod.oval:def:46290 The host is installed with Apple iCloud before 7.6 or Apple iTunes before 12.8 and is prone to a cross-origin data bypass vulnerability. A flaw is present in the application, which fails to properly perform audio taint tracking. Successful exploitation could allow attackers to exfiltrate audio data ... oval:org.secpod.oval:def:114859 Mutt is a small but very powerful text-based MIME mail client. Mutt is highly configurable, and is well suited to the mail power user with advanced features like key bindings, keyboard macros, mail threading, regular expression searches and a powerful pattern matching language for selecting groups o ... oval:org.secpod.oval:def:704376 spamassassin: Perl-based spam filter using text analysis Several security issues were fixed in SpamAssassin. oval:org.secpod.oval:def:704372 ruby2.5: Interpreter of object-oriented scripting language Ruby - ruby2.3: Object-oriented scripting language - ruby1.9.1: Object-oriented scripting language - ruby2.0: Object-oriented scripting language Several security issues were fixed in Ruby. oval:org.secpod.oval:def:704373 systemd: system and service manager systemd-networkd could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:704374 libxkbcommon: library interface to the XKB compiler - development files Details: USN-3786-1 fixed several vulnerabilities in libxkbcommon. This update provides the corresponding update for Ubuntu 18.04 LTS. Original advisory Several security issues were fixed in libxkbcommon. oval:org.secpod.oval:def:704371 network-manager: Network connection manager NetworkManager could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:205312 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:704365 libssh: A tiny C SSH library Details: USN-3795-1 fixed a vulnerability in libssh. This update provides the corresponding update for Ubuntu 18.10. Original advisory libssh could allow unintended access to network services. oval:org.secpod.oval:def:704366 requests: elegant and simple HTTP library for Python Details: USN-3790-1 fixed vulnerabilities in Requests. This update provides the corresponding update for Ubuntu 18.10 Original advisory Requests could be made to expose sensitive information if it received a specially crafted HTTP header. oval:org.secpod.oval:def:114924 The purpose of libmspack is to provide both compression and decompression of some loosely related file formats used by Microsoft. oval:org.secpod.oval:def:704367 paramiko: Python SSH2 library Details: USN-3796-1 fixed a vulnerability in Paramiko. This update provides the corresponding update for Ubuntu 18.10. Original advisory Paramiko could allow unintended access to network services. oval:org.secpod.oval:def:704362 texlive-bin: TeX Live: path search library for TeX Details: USN-3788-1 fixed vulnerabilities in Tex Live. This update provides the corresponding update for Ubuntu 18.10 Original advisory Several security issues were fixed in Tex Live. oval:org.secpod.oval:def:704364 net-snmp: SNMP server and applications Details: USN-3792-1 fixed a vulnerability in Net-SNMP. This update provides the corresponding update for Ubuntu 18.10. Original advisory Net-SNMP could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:704369 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:114914 This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream o ... oval:org.secpod.oval:def:704356 mysql-5.7: MySQL database - mysql-5.5: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:704350 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:704351 moin: Collaborative hypertext environment MoinMoin could be made to expose sensitive information if it received a specially crafted input. oval:org.secpod.oval:def:704352 libssh: A tiny C SSH library libssh could allow unintended access to network services. oval:org.secpod.oval:def:704353 paramiko: Python SSH2 library Paramiko could allow unintended access to network services. oval:org.secpod.oval:def:704344 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine Tomcat could be made to redirect to arbitrary locations. oval:org.secpod.oval:def:114948 MinGW Windows LibRaw library. oval:org.secpod.oval:def:704340 libxkbcommon: library interface to the XKB compiler - development files Several security issues were fixed in libxkbcommon. oval:org.secpod.oval:def:704347 clamav: Anti-virus utility for Unix ClamAV could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:704348 requests: elegant and simple HTTP library for Python Requests could be made to expose sensitive information if it received a specially crafted HTTP header. oval:org.secpod.oval:def:704349 net-snmp: SNMP server and applications Net-SNMP could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:704335 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:114933 MinGW Windows LibRaw library. oval:org.secpod.oval:def:46304 The host is missing a security update according to Apple advisory, APPLE-SA-2018-7-9-5. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle a malicious website. Successful exploitation could allow attackers to spoof address bars or ... oval:org.secpod.oval:def:46307 The host is installed with Apple Safari before 11.1.2 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to properly handle a malicious website. Successful exploitation allows attackers to exfiltrate cross-origin the sound fetched through audio elements. oval:org.secpod.oval:def:704320 glib2.0: GLib Input, Output and Streaming Library Several security issues were fixed in GLib. oval:org.secpod.oval:def:46311 The host is installed with Apple Safari before 11.1.2 and is prone to an arbitrary code execution vulnerability. A flaw is present in the application, which fails to properly handle multiple memory corruption issues. Successful exploitation allows attackers to lead to arbitrary code execution. oval:org.secpod.oval:def:704326 mutt: text-based mailreader supporting MIME, GPG, PGP and threading Details: USN-3719-1 fixed vulnerabilities in Mutt. Unfortunately, the fixes were not correctly applied to the packaging for Mutt in Ubuntu 16.04 LTS. This update corrects the oversight. We apologize for the inconvenience. Original a ... oval:org.secpod.oval:def:704327 strongswan: IPsec VPN solution strongSwan could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:704328 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:704310 transfig: Utilities for converting XFig figure files transfig could be made to execute arbitrary code if it received a specially crafted FIG file. oval:org.secpod.oval:def:704311 zsh: shell with lots of features Zsh could be made to execute arbitrary code if it received a specially crafted script. oval:org.secpod.oval:def:704318 php7.2: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:704316 curl: HTTP, HTTPS, and FTP client and client libraries curl could be made to run arbitrary code if it received a specially crafted input. oval:org.secpod.oval:def:704307 libx11: X11 client-side library Several security issues were fixed in libx11. oval:org.secpod.oval:def:704308 libtirpc: transport-independent RPC library - development files Several security issues were fixed in libtirpc. oval:org.secpod.oval:def:704309 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:704304 libgd2: GD Graphics Library Several security issues were fixed in GD. oval:org.secpod.oval:def:704306 poppler: PDF rendering library poppler could be made to crash if it received specially crafted PDF file. oval:org.secpod.oval:def:114088 WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode. Although the technology is loosely based on previous versions of WavPack, the new version 4 format has been designed from the ground up to offer unparalleled performanc ... oval:org.secpod.oval:def:47606 The host is missing a moderate security update according to Mozilla advisory, MFSA2018-23. The update is required to fix a denial of service vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:47623 The host is missing a moderate security update according to Mozilla advisory, MFSA2018-23. The update is required to fix a denial of service vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:47622 The host is missing a moderate security update according to Mozilla advisory, MFSA2018-22. The update is required to fix a denial of service vulnerability. A flaw is present in the application, which fails to handle the TransportSecurityInfo used for SSL. Successful exploitation allows attackers to ... oval:org.secpod.oval:def:47624 Mozilla Firefox 62.0.2, Mozilla Firefox ESR 60.2.1, Mozilla Thunderbird 60.2.1 : A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerab ... oval:org.secpod.oval:def:46303 The host is missing a security update according to Apple advisory, APPLE-SA-2018-7-9-7. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary co ... oval:org.secpod.oval:def:46302 The host is missing a security update according to Apple advisory, APPLE-SA-2018-7-9-6. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary co ... oval:org.secpod.oval:def:45859 The host is installed with PostgreSQL 9.3 through 10 and is prone to a privilege escalation vulnerability. The flaw present in the application fails to prevent a user from modifying the behavior of a query for other users.. Successful exploitation allows attackers to execute code with the permission ... oval:org.secpod.oval:def:115374 NetworkManager is a system service that manages network interfaces and connections based on user or automatic configuration. It supports Ethernet, Bridge, Bond, VLAN, Team, InfiniBand, Wi-Fi, mobile broadband , PPPoE and other devices, and supports a variety of different VPN services. oval:org.secpod.oval:def:53491 The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled allocas and an out-of-bounds read flaw leading to an information leak , could allow an attacker to cause a denial of service or the execution of arbitrary code. Fur ... oval:org.secpod.oval:def:53488 It was discovered that malformed URLs could spoof the content of the default 404 page of Django, a Python web development framework. oval:org.secpod.oval:def:114061 WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode. Although the technology is loosely based on previous versions of WavPack, the new version 4 format has been designed from the ground up to offer unparalleled performanc ... oval:org.secpod.oval:def:115385 Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers . The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared li ... oval:org.secpod.oval:def:115383 Paramiko is a module for python 2.3 or greater that implements the SSH2 protocol for secure connections to remote machines. Unlike SSL , the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. You may know SSH2 as the protocol that replaced telnet and r ... oval:org.secpod.oval:def:1900116 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.41 and prior, 5.7.23and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succes ... oval:org.secpod.oval:def:1700090 A flaw was found in the way SpamAssassin processes HTML email containing unclosed HTML tags. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a large number of these messages are sent, a denial of service could occur potentially delaying or preventing th ... oval:org.secpod.oval:def:1700098 A cookie injection flaw was found in wget. An attacker can create a malicious website which, when accessed, overrides cookies belonging to arbitrary domains. oval:org.secpod.oval:def:1901486 Vulnerability in the MySQL Client component of Oracle MySQL . Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromis ... oval:org.secpod.oval:def:114552 WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode. Although the technology is loosely based on previous versions of WavPack, the new version 4 format has been designed from the ground up to offer unparalleled performanc ... oval:org.secpod.oval:def:1700084 An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line.It was discovered that zsh does not properly validate the shebang of input files and it truncates it to the first 64 bytes. A local ... oval:org.secpod.oval:def:52202 nginx: small, powerful, scalable web/proxy server Several security issues were fixed in nginx. oval:org.secpod.oval:def:1700075 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c does not forbid characters that may have unsafe interaction with message-cache pathnames, as demonstrated by a #039;/#039; character.An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They al ... oval:org.secpod.oval:def:1502257 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:115098 The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or JPEG file. This is particularly useful in Web applications, where PNG and JPEG are two of the fo ... oval:org.secpod.oval:def:115097 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:704432 nss: Network Security Service library Several security issues were fixed in NSS. oval:org.secpod.oval:def:704433 python-django: High-level Python web development framework Django could be made to expose spoofed information over the network. oval:org.secpod.oval:def:704437 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:704422 lxml: pythonic binding for the libxml2 and libxslt libraries lxml could allow cross-site scripting attacks. oval:org.secpod.oval:def:1502298 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502297 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704419 wavpack: audio codec - encoder and decoder Several security issues were fixed in WavPack. oval:org.secpod.oval:def:704416 libraw: raw image decoder library LibRaw could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:704400 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:1900063 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server exe ... oval:org.secpod.oval:def:1900066 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.61and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise M ... oval:org.secpod.oval:def:115059 The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or JPEG file. This is particularly useful in Web applications, where PNG and JPEG are two of the fo ... oval:org.secpod.oval:def:704407 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:115047 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:115041 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:115078 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ... oval:org.secpod.oval:def:502352 Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. Security Fix: * mutt: Remote code injection vulnerability to an IMAP mailbox * mutt: Remote Code Execu ... oval:org.secpod.oval:def:502368 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.1 ESR. Security Fix: * Mozilla: Crash in TransportSecurityInfo due to cached data * Mozilla: Setting a master password post-Firefox 58 does no ... oval:org.secpod.oval:def:502367 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.1 ESR. Security Fix: * Mozilla: Crash in TransportSecurityInfo due to cached data * Mozilla: Setting a master password post-Firefox 58 does no ... oval:org.secpod.oval:def:115061 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ... oval:org.secpod.oval:def:115011 wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2 . Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association ... oval:org.secpod.oval:def:2000801 An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one. oval:org.secpod.oval:def:502316 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:1900096 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.41 and prior, 5.7.23and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succes ... oval:org.secpod.oval:def:115027 libxkbcommon is the X.Org library for compiling XKB maps into formats usable by the X Server or other display servers. oval:org.secpod.oval:def:205142 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:51019 libxml2: GNOME XML library Several security issues were fixed in libxml2. oval:org.secpod.oval:def:205132 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix: * ruby: OpenSSL::X509::Name equality check does not work correctly For more details about the security issue, including the impact, a ... oval:org.secpod.oval:def:205133 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: .tempfile file permission issues * ghostscript: shading_param incomplete t ... oval:org.secpod.oval:def:51025 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:205135 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: Incorrect free logic in pagedevice replacement * ghostscript: Incorrect &q ... oval:org.secpod.oval:def:205120 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:115117 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:205127 The python-paramiko package provides a Python module that implements the SSH2 protocol for encrypted and authenticated connections to remote machines. Unlike SSL, the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. The protocol also includes the abili ... oval:org.secpod.oval:def:115106 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. Zsh supports command line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:115100 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ... oval:org.secpod.oval:def:115102 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:502372 The SpamAssassin tool provides a way to reduce unsolicited commercial email from incoming email. Security Fix: * spamassassin: Certain unclosed tags in crafted emails allow for scan timeouts and result in denial of service * spamassassin: Local user code injection in the meta rule syntax For more ... oval:org.secpod.oval:def:205171 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Open redirect in default servlet For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page ... oval:org.secpod.oval:def:114663 Libgcrypt is a general purpose crypto library based on the code used in GNU Privacy Guard. This is a development version. oval:org.secpod.oval:def:114655 Libgcrypt is a general purpose crypto library based on the code used in GNU Privacy Guard. This is a development version. oval:org.secpod.oval:def:115930 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ... oval:org.secpod.oval:def:115925 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ... oval:org.secpod.oval:def:115956 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ... oval:org.secpod.oval:def:115952 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ... oval:org.secpod.oval:def:1901496 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. oval:org.secpod.oval:def:47869 The host is missing a critical security update according to Mozilla advisory, MFSA2018-24. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:47874 The host is missing a critical security update according to Mozilla advisory, MFSA2018-25. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:47876 The host is missing a critical security update according to Mozilla advisory, MFSA2018-25. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:47875 The host is installed with Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 or 7.0.23 to 7.0.90 and is prone to an open redirection vulnerability. A flaw is present in the application which fails to handle the issue in default servlet which returned a redirect to a directory. Successful ex ... oval:org.secpod.oval:def:47870 Mozilla Firefox 62.0.3, Mozilla Firefox ESR 60.2.2 : A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as ... oval:org.secpod.oval:def:51062 libgcrypt20: LGPL Crypto library - libgcrypt11: LGPL Crypto library Libgcrypt could be made to expose sensitive information. oval:org.secpod.oval:def:115126 SpamAssassin provides you with a way to reduce if not completely eliminate Unsolicited Commercial Email from your incoming email. It can be invoked by a MDA such as sendmail or postfix, or can be called from a procmail script, .forward file, etc. It uses a genetic-algorithm evolved scoring system t ... oval:org.secpod.oval:def:115157 SpamAssassin provides you with a way to reduce if not completely eliminate Unsolicited Commercial Email from your incoming email. It can be invoked by a MDA such as sendmail or postfix, or can be called from a procmail script, .forward file, etc. It uses a genetic-algorithm evolved scoring system t ... oval:org.secpod.oval:def:115156 libxkbcommon is the X.Org library for compiling XKB maps into formats usable by the X Server or other display servers. oval:org.secpod.oval:def:603087 Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that GnuPG is prone to a local side-channel attack allowing full key recovery for RSA-1024. oval:org.secpod.oval:def:51092 wget: retrieves files from the web Wget could be made to inject arbitrary cookie values. oval:org.secpod.oval:def:1502408 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:51175 linux-aws: Linux kernel for Amazon Web Services systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:51101 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:1502467 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502466 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:2000186 GPAC version 0.7.2 and earlier has a Buffer Overflow vulnerability in the gf_sm_load_init function in scene_manager.c in libgpac_static.a. oval:org.secpod.oval:def:1900757 An issue was discovered in MP4Box in GPAC 0.7.1. There is a heap-based buffer over-read in the isomedia/box_dump.c function hdlr_dump. oval:org.secpod.oval:def:1502475 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502476 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1900725 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ... oval:org.secpod.oval:def:2000163 libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes that can result in a crash . This attack appears to be exploitable via the victim opening a special ... oval:org.secpod.oval:def:1502428 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:2001456 An issue was discovered in MP4Box in GPAC 0.7.1. There is a heap-based buffer over-read in the isomedia/box_dump.c function hdlr_dump. oval:org.secpod.oval:def:1502429 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502436 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502437 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502445 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502444 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502449 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502447 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1900776 do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360. oval:org.secpod.oval:def:704660 libgd2: GD Graphics Library Several security issues were fixed in GD. oval:org.secpod.oval:def:704653 gnome-keyring: GNOME keyring services GNOME Keyring could be made to expose sensitive information. oval:org.secpod.oval:def:704654 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:704655 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:704657 openssl1.0: Secure Socket Layer cryptographic library and tools - openssl: Secure Socket Layer cryptographic library and tools OpenSSL could be made to expose sensitive information over the network. oval:org.secpod.oval:def:45313 The host is installed with LibreOffice before 5.4.6.1 or 6.x before 6.0.2001 and is prone to a heap-based buffer overflow vulnerability. A flaw is present in the application, which fails to properly validate a customizations index. Successful exploitation could allow remote attackers to crash the se ... oval:org.secpod.oval:def:1901135 do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused. oval:org.secpod.oval:def:45314 The host is installed with LibreOffice before 5.4.5 or 6.x before 6.0.1 and is prone to an use-after-free vulnerability. A flaw is present in the application, which fails to properly handle an incorrect integer data type in the StgSmallStrm class. Successful exploitation could allow remote attackers ... oval:org.secpod.oval:def:502599 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.0 ESR. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * ... oval:org.secpod.oval:def:51194 libcaca: text mode graphics utilities Several security issues were fixed in libcaca. oval:org.secpod.oval:def:51196 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:51195 libarchive: Library to read/write archive files Several security issues were fixed in libarchive. oval:org.secpod.oval:def:51197 poppler: PDF rendering library Several security issues were fixed in poppler. oval:org.secpod.oval:def:51199 ghostscript: PostScript and PDF interpreter Ghostscript could be made to crash, access files, or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:1901181 do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf. oval:org.secpod.oval:def:704805 openssh: secure shell for secure access to remote machines Details: USN-3885-1 fixed vulnerabilities in OpenSSH. It was discovered that the fix for CVE-2019-6111 turned out to be incomplete. This update fixes the problem. Original advisory One of the fixes in USN-3885-1 was incomplete. oval:org.secpod.oval:def:1900026 The GD Graphics Library 2.2.5 has a double free in thegdImage*Ptr functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE:PHP is unaffected. oval:org.secpod.oval:def:51215 libarchive: Library to read/write archive files Several security issues were fixed in libarchive. oval:org.secpod.oval:def:51214 openssh: secure shell for secure access to remote machines Several security issues were fixed in OpenSSH. oval:org.secpod.oval:def:51217 poppler: PDF rendering library Several security issues were fixed in poppler. oval:org.secpod.oval:def:51218 python-django: High-level Python web development framework Django could be made to consume resources if it received specially crafted network traffic. oval:org.secpod.oval:def:51222 systemd: system and service manager systemd could be made to crash if it received specially a crafted D-Bus message. oval:org.secpod.oval:def:51228 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:51227 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:51229 openssl1.0: Secure Socket Layer cryptographic library and tools - openssl: Secure Socket Layer cryptographic library and tools OpenSSL could be made to expose sensitive information over the network. oval:org.secpod.oval:def:1900007 The libtiff-toolsFdOpen function in tif_unix.c in Liblibtiff-tools 4.0.10 has a memory leak,as demonstrated by pal2rgb. oval:org.secpod.oval:def:115794 poppler is a PDF rendering library. oval:org.secpod.oval:def:1700178 An issue was discovered in OpenSSH. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned . A malicious scp server can overwrite arbitrary fil ... oval:org.secpod.oval:def:1700163 When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manual ... oval:org.secpod.oval:def:2000288 There is an illegal WRITE memory access at common-image.c in libcaca-dev 0.99.beta19 for 4bpp data. oval:org.secpod.oval:def:51200 mysql-5.7: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:1700148 Spice, versions 0.5.2 through 0.14.0, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers. oval:org.secpod.oval:def:51204 spice: SPICE protocol client and server library Spice could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:51207 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:51209 avahi: Avahi IPv4LL network address configuration daemon Several security issues were fixed in Avahi. oval:org.secpod.oval:def:1700139 It was found that bus_process_object in bus-objects.c allocates a buffer on the stack large enough to temporarily store the object path specified in the incoming message. A malicious unprivileged local user to send a message which results in the stack pointer moving outside of the bounds of the curr ... oval:org.secpod.oval:def:2001594 In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user"s password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext. oval:org.secpod.oval:def:2000261 A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class in pdfdetach. oval:org.secpod.oval:def:1502313 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502312 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1700115 The GD Graphics Library 2.2.5 has a double free in the gdImage*Ptr functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected. oval:org.secpod.oval:def:2000239 An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. oval:org.secpod.oval:def:502612 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.1 ESR. Security Fix: * chromium-browser, mozilla: Use after free in Skia * mozilla: Integer overflow in Skia For more details about the secur ... oval:org.secpod.oval:def:502614 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.1 ESR. Security Fix: * chromium-browser, mozilla: Use after free in Skia * mozilla: Integer overflow in Skia For more details about the secur ... oval:org.secpod.oval:def:502613 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:502617 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: MIDI driver race condition leads to a double-free For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the ... oval:org.secpod.oval:def:502629 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM ... oval:org.secpod.oval:def:502628 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM ... oval:org.secpod.oval:def:502634 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrect ... oval:org.secpod.oval:def:502636 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrect ... oval:org.secpod.oval:def:1900823 GPAC version 0.7.2 and earlier has a Buffer Overflow vulnerability in the gf_sm_load_init function in scene_manager.c in libgpac_static.a. oval:org.secpod.oval:def:50800 The host is missing a high security update according to Mozilla advisory, MFSA2019-05. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:50803 The host is missing a high security update according to Mozilla advisory, MFSA2019-04. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:50804 The host is missing a high security update according to Mozilla advisory, MFSA2019-05. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:1900827 In GPAC 0.7.2, gf_text_get_utf8_line in media_tools/text_import.c in libgpac_static.a allows an out-of-bounds write because a certain -1 return value is mishandled. oval:org.secpod.oval:def:502601 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine arch ... oval:org.secpod.oval:def:502600 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.0 ESR. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * ... oval:org.secpod.oval:def:502602 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: use-after-free in copydevice handling * ghostscript: access bypass in psi/ ... oval:org.secpod.oval:def:502607 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.5.0. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * Mozilla: Privilege escalation through IPC channel ... oval:org.secpod.oval:def:502606 The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtu ... oval:org.secpod.oval:def:502608 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.5.0. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * Mozilla: Privilege escalation through IPC channel ... oval:org.secpod.oval:def:502690 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:502692 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: superexec operator is available * ghostscript: forceput in DefineResource ... oval:org.secpod.oval:def:53065 The host is installed with Artifex Ghostscript through 9.26 and is prone to a remote code execution vulnerability. A flaw is present in the application, which fails to properly handle the system operators. Successful exploitation could allow attackers to perform remote code execution. oval:org.secpod.oval:def:502655 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.1 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DO ... oval:org.secpod.oval:def:53010 linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:53007 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel The system could be made unavailable if it received specially crafted network traffic. oval:org.secpod.oval:def:53020 The host is missing a critical security update according to Mozilla advisory, MFSA2019-08. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:53018 file: Tool to determine file types Several security issues were fixed in file. oval:org.secpod.oval:def:2000309 There is an illegal WRITE memory access at caca/file.c in libcaca-dev 0.99.beta19. oval:org.secpod.oval:def:2001615 do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service or possibly have unspecified other impact. oval:org.secpod.oval:def:50880 The host is missing a high security update according to Mozilla advisory, MFSA2019-06. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the service. oval:org.secpod.oval:def:1901854 libxslt1-dev through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. oval:org.secpod.oval:def:2000345 avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service and may cause information leakage by obtaining potentially sensitive information from the responding dev ... oval:org.secpod.oval:def:502707 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrec ... oval:org.secpod.oval:def:50953 The host is missing a high security update according to Mozilla advisory, MFSA2019-06. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the service. oval:org.secpod.oval:def:704899 libxslt: XSLT processing library Libxslt could be made to expose sensitive information if it received a specially crafted file. oval:org.secpod.oval:def:704880 lua5.3: Simple, extensible, embeddable programming language Lua could be made to crash if it received a specially crafted script. oval:org.secpod.oval:def:603372 Two vulnerabilities were discovered in LibreOffice"s code to parse MS Word and Structured Storage files, which could result in denial of service and potentially the execution of arbitrary code if a malformed file is opened. oval:org.secpod.oval:def:704853 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:704856 gpac: GPAC Project on Advanced Content GPAC could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:704846 php7.2: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:704827 file: Tool to determine file types Several security issues were fixed in file. oval:org.secpod.oval:def:1900685 An issue was discovered in MP4Box in GPAC 0.7.1. The function urn_Read in isomedia/box_code_base.c has a heap-based buffer over-read. oval:org.secpod.oval:def:50195 The host is installed with OpenSSH through 7.9p1 or WinSCP through 5.13 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle an issue in the scp client utility. Successful exploitation could allow a malicious scp server to write arbitr ... oval:org.secpod.oval:def:50199 CVE-2019-6111 openssh: Improper validation of object names allows malicious server to overwrite files via scp client oval:org.secpod.oval:def:1901120 0-byte record padding oracle oval:org.secpod.oval:def:115526 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:115525 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:1502595 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:2000482 The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb. oval:org.secpod.oval:def:503314 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: 0-byte record padding oracle For more details about the security issue, including the impact, a CVSS scor ... oval:org.secpod.oval:def:1901079 GPAC version 0.7.2 and earlier has a buffer overflow vulnerability in the cat_multiple_files function in applications/mp4box/fileimport.c when MP4Box is used for a local directory containing crafted filenames. oval:org.secpod.oval:def:2000574 In GPAC through 0.7.2, gf_text_get_utf8_line in media_tools/text_import.c in libgpac_static.a allows an out-of-bounds write because of missing szLineConv bounds checking. oval:org.secpod.oval:def:1901676 GPAC MP4Box version 0.7.1 and earlier contains a Buffer Overflow vulnerability in src/isomedia/avc_ext.c lines 2417 to 2420 that can result in Heap chunks being modified, this could lead to RCE. This attack appear to be exploitable via an attacker supplied MP4 file that when run by the victim may re ... oval:org.secpod.oval:def:1901684 GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps function in media_tools/av_parsers.c, a different vulnerability than CVE-2018-1000100. oval:org.secpod.oval:def:1901688 An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF. oval:org.secpod.oval:def:205247 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: 0-byte record padding oracle For more details about the security issue, including the impact, a CVSS scor ... oval:org.secpod.oval:def:2000546 There is an illegal WRITE memory access at common-image.c in libcaca-dev 0.99.beta19 for 1bpp data. oval:org.secpod.oval:def:2000554 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Succ ... oval:org.secpod.oval:def:1901698 An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len. oval:org.secpod.oval:def:50268 scp client missing received object name validation oval:org.secpod.oval:def:53308 Two vulnerabilities were discovered in LibreOffice"s code to parse MS Word and Structured Storage files, which could result in denial of service and potentially the execution of arbitrary code if a malformed file is opened. oval:org.secpod.oval:def:50201 In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. oval:org.secpod.oval:def:603627 Multiple vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a malformed file is processed. oval:org.secpod.oval:def:603629 Multiple vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-16890 Wenxiang Qian of Tencent Blade Team discovered that the function handling incoming NTLM type-2 messages does not validate incoming data correctly and is subject to an integer overflow vulnerability, which could ... oval:org.secpod.oval:def:603616 Christophe Fergeau discovered an out-of-bounds read vulnerability in spice, a SPICE protocol client and server library, which might result in denial of service , or possibly, execution of arbitrary code. oval:org.secpod.oval:def:603612 Tavis Ormandy discovered a vulnerability in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed . oval:org.secpod.oval:def:603618 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or privilege escalation. oval:org.secpod.oval:def:603643 Chris Coulson discovered a flaw in systemd leading to denial of service. An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus. oval:org.secpod.oval:def:603637 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. oval:org.secpod.oval:def:603638 Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code, denial of service or spoofing of S/MIME signatures. oval:org.secpod.oval:def:704251 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:603630 Harry Sintonen from F-Secure Corporation discovered multiple vulnerabilities in OpenSSH, an implementation of the SSH protocol suite. All the vulnerabilities are in found in the scp client implementing the SCP protocol. CVE-2018-20685 Due to improper directory name validation, the scp client allows ... oval:org.secpod.oval:def:603597 Multiple security issues were found in libarchive, a multi-format archive and compression library: Processing malformed RAR archives could result in denial of service or the execution of arbitrary code and malformed WARC, LHarc, ISO, Xar or CAB archives could result in denial of service. oval:org.secpod.oval:def:1902003 An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned . A malicious scp server can overwrite arbitrary ... oval:org.secpod.oval:def:2000615 do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360. oval:org.secpod.oval:def:2000666 GPAC version 0.7.2 and earlier has a buffer overflow vulnerability in the cat_multiple_files function in applications/mp4box/fileimport.c when MP4Box is used for a local directory containing crafted filenames. oval:org.secpod.oval:def:52135 libreoffice: Office productivity suite Several security issues were fixed in LibreOffice. oval:org.secpod.oval:def:52137 gnome-keyring: GNOME keyring services GNOME Keyring could be made to expose sensitive information. oval:org.secpod.oval:def:1900480 libical-dev 1.0 allows remote attackers to cause a denial of service via a crafted ics file. oval:org.secpod.oval:def:1901711 An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable. oval:org.secpod.oval:def:1901713 An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to acce ... oval:org.secpod.oval:def:1901700 An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn. oval:org.secpod.oval:def:52968 openssh: secure shell for secure access to remote machines Details: USN-3885-1 fixed vulnerabilities in OpenSSH. It was discovered that the fix for CVE-2019-6111 turned out to be incomplete. This update fixes the problem. Original advisory One of the fixes in USN-3885-1 was incomplete. oval:org.secpod.oval:def:52967 libgd2: GD Graphics Library Several security issues were fixed in GD. oval:org.secpod.oval:def:603679 It was found that a security update of OpenSSH, an implementation of the SSH protocol suite, was incomplete. This update did not completely fix CVE-2019-6111, an arbitrary file overwrite vulnerability in the scp client implementing the SCP protocol. oval:org.secpod.oval:def:603677 Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding oracle attack in OpenSSL. oval:org.secpod.oval:def:2001184 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ... oval:org.secpod.oval:def:53484 Multiple security issues were found in libarchive, a multi-format archive and compression library: Processing malformed RAR archives could result in denial of service or the execution of arbitrary code and malformed WARC, LHarc, ISO, Xar or CAB archives could result in denial of service. oval:org.secpod.oval:def:53497 Tavis Ormandy discovered a vulnerability in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed . oval:org.secpod.oval:def:53499 Christophe Fergeau discovered an out-of-bounds read vulnerability in spice, a SPICE protocol client and server library, which might result in denial of service , or possibly, execution of arbitrary code. oval:org.secpod.oval:def:1900117 In Liblibtiff-tools 4.0.9, there is a NULL pointer dereference in the libtiff-toolsWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by libtiff-tools set. oval:org.secpod.oval:def:53510 Harry Sintonen from F-Secure Corporation discovered multiple vulnerabilities in OpenSSH, an implementation of the SSH protocol suite. All the vulnerabilities are in found in the scp client implementing the SCP protocol. CVE-2018-20685 Due to improper directory name validation, the scp client allows ... oval:org.secpod.oval:def:53516 Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code, denial of service or spoofing of S/MIME signatures. oval:org.secpod.oval:def:53515 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. oval:org.secpod.oval:def:53521 Chris Coulson discovered a flaw in systemd leading to denial of service. An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus. oval:org.secpod.oval:def:53527 Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding oracle attack in OpenSSL. oval:org.secpod.oval:def:53529 It was found that a security update of OpenSSH, an implementation of the SSH protocol suite, was incomplete. This update did not completely fix CVE-2019-6111, an arbitrary file overwrite vulnerability in the scp client implementing the SCP protocol. oval:org.secpod.oval:def:1700063 Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue and tcp_prune_ofo_queue for every incoming packet which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessi ... oval:org.secpod.oval:def:1700061 The fs/ext4/inline.c:ext4_read_inline_data function in the Linux kernel performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode. The unbound copy can cause memory corruption or ... oval:org.secpod.oval:def:1900985 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Succ ... oval:org.secpod.oval:def:603829 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. oval:org.secpod.oval:def:50461 The host is missing a critical security update according to Mozilla advisory, MFSA2019-01. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:50453 The host is missing a critical security update according to Mozilla advisory, MFSA2019-02. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:50472 It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system and execute commands. oval:org.secpod.oval:def:50462 The host is missing a critical security update according to Mozilla advisory, MFSA2019-02. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:50463 Mozilla Firefox 65, Mozilla Firefox ESR 60.5 and Mozilla Thunderbird 60.5: A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. oval:org.secpod.oval:def:50464 Mozilla Firefox 64, Mozilla Firefox ESR 60.4 and Mozilla Thunderbird 60.5: Mozilla developers and community members Alex Gaynor, Christoph Diehl, Steven Crane, Jason Kratzer, Gary Kwong, and Christian Holler reported memory safety bugs present in Firefox 64 and Firefox ESR 60.4. Some of these bugs s ... oval:org.secpod.oval:def:50468 Mozilla Firefox 65, Mozilla Firefox ESR 60.5 and Mozilla Thunderbird 60.5: An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication between IPC endpoints and server parents during IPC process creation. This authentication is insuffic ... oval:org.secpod.oval:def:50469 Mozilla Firefox 65 : When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by defa ... oval:org.secpod.oval:def:603838 Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:53501 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or privilege escalation. oval:org.secpod.oval:def:53508 Multiple vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a malformed file is processed. oval:org.secpod.oval:def:115815 Lua is a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Lua is free software. Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and exten ... oval:org.secpod.oval:def:704499 systemd: system and service manager systemd could be made to crash if it received specially a crafted D-Bus message. oval:org.secpod.oval:def:704493 python-django: High-level Python web development framework Django could be made to consume resources if it received specially crafted network traffic. oval:org.secpod.oval:def:704490 libarchive: Library to read/write archive files Several security issues were fixed in libarchive. oval:org.secpod.oval:def:704492 poppler: PDF rendering library Several security issues were fixed in poppler. oval:org.secpod.oval:def:704486 libreoffice: Office productivity suite Several security issues were fixed in LibreOffice. oval:org.secpod.oval:def:704487 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:704489 openssh: secure shell for secure access to remote machines Several security issues were fixed in OpenSSH. oval:org.secpod.oval:def:704475 avahi: Avahi IPv4LL network address configuration daemon Several security issues were fixed in Avahi. oval:org.secpod.oval:def:704473 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:704465 linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:115917 A library for reading and converting Windows MetaFile vector graphics . oval:org.secpod.oval:def:704462 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel The system could be made unavailable if it received specially crafted network traffic. oval:org.secpod.oval:def:115913 A library for reading and converting Windows MetaFile vector graphics . oval:org.secpod.oval:def:50503 Mozilla Thunderbird 60.5 : A vulnerability in the Libical libary used by Thunderbird can allow remote attackers to cause a denial of service (use-after-free) via a crafted ICS calendar file. oval:org.secpod.oval:def:50504 The host is missing a critical security update according to Mozilla advisory, MFSA2019-03. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:50506 Mozilla Thunderbird 60.5: A vulnerability in the Libical libary used by Thunderbird can allow remote attackers to cause a denial of service (use-after-free) via a crafted ICS calendar file. oval:org.secpod.oval:def:50507 The host is missing a critical security update according to Mozilla advisory, MFSA2019-03. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:704468 spice: SPICE protocol client and server library Spice could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:115907 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:115909 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine a ... oval:org.secpod.oval:def:115905 poppler is a PDF rendering library. oval:org.secpod.oval:def:704450 ghostscript: PostScript and PDF interpreter Ghostscript could be made to crash, access files, or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:704451 mysql-5.7: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:704440 libcaca: text mode graphics utilities Several security issues were fixed in libcaca. oval:org.secpod.oval:def:704441 libarchive: Library to read/write archive files Several security issues were fixed in libarchive. oval:org.secpod.oval:def:704447 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:704448 poppler: PDF rendering library Several security issues were fixed in poppler. oval:org.secpod.oval:def:1502285 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704408 linux-aws: Linux kernel for Amazon Web Services systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:1900077 A NULL pointer dereference in the function _libtiff-tools memcmp at tif_unix.c in Liblibtiff-tools 4.0.9 allows an attacker to cause a denial-of-service through a crafted libtiff-tools file. This vulnerability can be triggered by the executable libtiff-tool scp. oval:org.secpod.oval:def:51029 linux: Linux kernel - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:114689 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:205181 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrect ... oval:org.secpod.oval:def:205175 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM ... oval:org.secpod.oval:def:205176 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM ... oval:org.secpod.oval:def:205179 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrect ... oval:org.secpod.oval:def:205163 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: MIDI driver race condition leads to a double-free For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the ... oval:org.secpod.oval:def:205160 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:205161 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.1 ESR. Security Fix: * chromium-browser, mozilla: Use after free in Skia * mozilla: Integer overflow in Skia For more details about the secur ... oval:org.secpod.oval:def:205162 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.1 ESR. Security Fix: * chromium-browser, mozilla: Use after free in Skia * mozilla: Integer overflow in Skia For more details about the secur ... oval:org.secpod.oval:def:205154 The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtu ... oval:org.secpod.oval:def:114699 The kernel meta package oval:org.secpod.oval:def:205155 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.5.0. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * Mozilla: Privilege escalation through IPC channel ... oval:org.secpod.oval:def:205150 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.0 ESR. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * ... oval:org.secpod.oval:def:205151 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.0 ESR. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * ... oval:org.secpod.oval:def:205156 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.5.0. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * Mozilla: Privilege escalation through IPC channel ... oval:org.secpod.oval:def:205157 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: use-after-free in copydevice handling * ghostscript: access bypass in psi/ ... oval:org.secpod.oval:def:205158 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine arch ... oval:org.secpod.oval:def:115966 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:1901515 In GPAC through 0.7.2, gf_text_get_utf8_line in media_tools/text_import.c in libgpac_static.a allows an out-of-bounds write because of missing szLineConv bounds checking. oval:org.secpod.oval:def:115926 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:115949 MinGW Windows Poppler library. oval:org.secpod.oval:def:50619 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:45294 The host is installed with LibreOffice before 5.4.6.1 or 6.x before 6.0.2.1 and is prone to a heap-based buffer overflow vulnerability. A flaw is present in the application, which fails to properly validate a customizations index. Successful exploitation could allow remote attackers to crash the ser ... oval:org.secpod.oval:def:45295 The host is installed with LibreOffice before 5.4.5 or 6.x before 6.0.1 and is prone to an use-after-free vulnerability. A flaw is present in the application, which fails to properly handle an incorrect integer data type in the StgSmallStrm class. Successful exploitation could allow remote attackers ... oval:org.secpod.oval:def:502650 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: missing attack vector protections for CVE-2019-6116 For more details about ... oval:org.secpod.oval:def:53013 poppler: PDF rendering library poppler could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:704912 php7.2: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:1901894 Heap-buffer-overflow in exif_iif_add_value in EXIF oval:org.secpod.oval:def:1901893 Heap-buffer-overflow in php_ifd_get32s oval:org.secpod.oval:def:704814 poppler: PDF rendering library poppler could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:1502501 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114291 This package contains the Corosync Cluster Engine Executive, several default APIs and libraries, default configuration files, and an init script. oval:org.secpod.oval:def:603544 This update fixes several vulnerabilities in Imagemagick, a graphical software suite. Various memory handling problems or incomplete input sanitising have been found in the coders for BMP, DIB, PICT, DCM, CUT and PSD. oval:org.secpod.oval:def:52970 poppler: PDF rendering library poppler could be made to crash if it opened a specially crafted file. oval:org.secpod.oval:def:603942 Joe Vennix discovered an authentication bypass vulnerability in dbus, an asynchronous inter-process communication system. The implementation of the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a symbolic link attack. A local attacker could take advantage of this flaw to bypass authen ... oval:org.secpod.oval:def:705010 dbus: simple interprocess messaging system DBus could allow unintended access to services. oval:org.secpod.oval:def:705114 php7.2: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter PHP could be made to crash or execute arbitrary code if it received specially crafted image. oval:org.secpod.oval:def:705116 mariadb-10.3: MariaDB database Details: USN-4070-1 fixed multiple vulnerabilities in MySQL. This update provides the corresponding fixes for CVE-2019-2737, CVE-2019-2739, CVE-2019-2740, CVE-2019-2758, CVE-2019-2805, CVE-2019-2628, CVE-2019-2627, CVE-2019-2614 in MariaDB 10.3. Ubuntu 19.04 has been u ... oval:org.secpod.oval:def:604537 Multiple security issues were found in PHP, a widely-used open source general purpose scripting language: Missing sanitising in the EXIF extension and the iconv_mime_decode_headers function could result in information disclosure or denial of service. oval:org.secpod.oval:def:604535 Multiple security issues were found in PHP, a widely-used open source general purpose scripting language: Missing sanitising in the EXIF extension and the iconv_mime_decode_headers function could result in information disclosure or denial of service. oval:org.secpod.oval:def:58365 php7.2: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter PHP could be made to crash or execute arbitrary code if it received specially crafted image. oval:org.secpod.oval:def:503315 MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon, mysqld, and many client programs. The following packages have been upgraded to a later upstream version: mysql . Security Fix: * mysql: Server: Replication multiple unspecified vulnerabilities * mysql ... oval:org.secpod.oval:def:55512 mariadb-10.1: MariaDB database Details: USN-3957-1 fixed multiple vulnerabilities in MySQL. This update provides the corresponding fixes for CVE-2019-2614 and CVE-2019-2627 in MariaDB 10.1. Linux Mint 19.x LTS has been updated to MariaDB 10.1.40. In addition to security fixes, the updated package co ... oval:org.secpod.oval:def:1501959 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1901898 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multipl ... oval:org.secpod.oval:def:704044 libvncserver: vnc server library LibVNCServer could be made to crash, expose sensitive information, or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:114190 LibVNCServer makes writing a VNC server easy. It hides the programmer from the tedious task of managing clients and compression schemata. oval:org.secpod.oval:def:114235 LibVNCServer makes writing a VNC server easy. It hides the programmer from the tedious task of managing clients and compression schemata. oval:org.secpod.oval:def:603419 Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents. oval:org.secpod.oval:def:1901905 [Unknown description] oval:org.secpod.oval:def:1901903 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple proto ... oval:org.secpod.oval:def:704996 mariadb-10.1: MariaDB database Details: USN-3957-1 fixed multiple vulnerabilities in MySQL. This update provides the corresponding fixes for CVE-2019-2614 and CVE-2019-2627 in MariaDB 10.1. Ubuntu 18.04 LTS has been updated to MariaDB 10.1.40. In addition to security fixes, the updated package conta ... oval:org.secpod.oval:def:53345 Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents. oval:org.secpod.oval:def:52030 libvncserver: vnc server library LibVNCServer could be made to crash, expose sensitive information, or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:502264 LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix: * libvncserver: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c For more details about the security issue, including the impact, a CVSS score, and other re ... oval:org.secpod.oval:def:1700039 Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.cAn issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified ... oval:org.secpod.oval:def:603855 It was discovered that a buffer overflow in the RTSP parser of the GStreamer media framework may result in the execution of arbitrary code if a malformed RSTP stream is opened. oval:org.secpod.oval:def:1502180 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:53014 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:704026 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:704820 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:115529 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:52019 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:115258 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:115360 The libtiff package contains a library of functions for manipulating TIFF image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF f ... oval:org.secpod.oval:def:1900138 libtiff-toolsWriteScanline in tif_write.c in Liblibtiff-tools 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2libtiff-tools. oval:org.secpod.oval:def:113996 The w3m program is a pager that can also be used as a text-mode Web browser. If you want to display the inline images on w3m, you need to install w3m-img package as well. oval:org.secpod.oval:def:704220 w3m: WWW browsable pager with excellent tables/frames support Several security issues were fixed in w3m. oval:org.secpod.oval:def:52093 w3m: WWW browsable pager with excellent tables/frames support Several security issues were fixed in w3m. oval:org.secpod.oval:def:46697 The host is installed with Oracle MySQL Server through 5.6.40, 5.7.22 or 8.0.11 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Integrity and Availability. oval:org.secpod.oval:def:46693 The host is installed with Oracle MySQL Server through 5.7.22 or 8.0.11 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Integrity and Availability. oval:org.secpod.oval:def:50210 The host is installed with Oracle MySQL Server through 5.7.24 or 8.0.13 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Optimizer. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:50211 The host is installed with Oracle MySQL Server through 5.7.24 or 8.0.13 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Parser. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:50213 The host is installed with Oracle MySQL Server through 5.6.42, 5.7.24 or 8.0.13 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Parser. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:50214 The host is installed with Oracle MySQL Server through 5.6.42, 5.7.24 or 8.0.13 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Optimizer. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:50225 The host is installed with Oracle MySQL Server through 5.6.42, 5.7.24 or 8.0.13 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Optimizer. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:48130 The host is installed with Oracle MySQL Server through 5.7.23 or 8.0.12 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:48102 The host is installed with Oracle MySQL Server through 5.6.41, 5.7.23 or 8.0.12 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:48103 The host is installed with Oracle MySQL Server through 5.6.41, 5.7.23 or 8.0.12 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:48101 The host is installed with Oracle MySQL Server through 5.6.41, 5.7.23 or 8.0.12 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:48110 The host is installed with Oracle MySQL Server through 5.7.23 or 8.0.12 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Integrity and Availability. oval:org.secpod.oval:def:48118 The host is installed with Oracle MySQL Server through 5.7.23 or 8.0.12 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:48116 The host is installed with Oracle MySQL Server through 5.7.23 or 8.0.12 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:48114 The host is installed with Oracle MySQL Server through 5.5.61, 5.6.41, 5.7.23 or 8.0.12 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Client programs. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:48119 The host is installed with Oracle MySQL Server through 5.7.23 or 8.0.12 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:48128 The host is installed with Oracle MySQL Server through 5.5.61, 5.6.41, 5.7.23 or 8.0.12 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Storage Engines. Successful exploitation allows attackers to affect Availabilit ... oval:org.secpod.oval:def:44771 The host is installed with OpenSSL 1.1.0 before 1.1.0h or OpenSSL 1.0.2b before 1.0.2n or MySQL Server prior to 5.6.40, 5.7.22 or 8.0.11 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle malicious input to a stack. Successful expl ... oval:org.secpod.oval:def:54331 The host is installed with Oracle MySQL Server through 5.6.43, 5.7.25 or 8.0.15 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Compiling (OpenSSL). Successful exploitation allows attackers to affect Confidentiality ... oval:org.secpod.oval:def:54344 The host is installed with Oracle MySQL Server through 5.6.43, 5.7.25 or 8.0.15 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Replication. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:54351 The host is installed with Oracle MySQL Server through 5.6.43, 5.7.25 or 8.0.15 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Security: Privileges. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:54352 The host is installed with Oracle MySQL Server through 5.7.25 or 8.0.15 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to InnoDB. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:50989 The host is installed with OpenSSL 1.0.2 through 1.0.2q or Oracle MySQL Server through 5.6.43, 5.7.25 or 8.0.15 and is prone to a padding oracle attack vulnerability. The vulnerability is present in the SSL_shutdown() method used in conjunction with non-stitched ciphersuites. On successful exploitat ... oval:org.secpod.oval:def:50230 The host is installed with Oracle MySQL Server through 5.6.42, 5.7.24 or 8.0.13 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Replication. Successful exploitation allows attackers to affect Confidentiality and Int ... oval:org.secpod.oval:def:50227 The host is installed with Oracle MySQL Server through 5.6.42, 5.7.24 or 8.0.13 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Replication. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:50228 The host is installed with Oracle MySQL Server through 5.7.24 or 8.0.13 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: Security: Privileges. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:50233 The host is installed with Oracle MySQL Server through 5.6.42, 5.7.24 or 8.0.13 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: DDL. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:42356 The host is missing a critical security update KB4041689 oval:org.secpod.oval:def:42360 The host is missing an important security update KB4041676 oval:org.secpod.oval:def:114313 Module::CoreList provides information on which core and dual-life modules are shipped with each version of perl. oval:org.secpod.oval:def:114310 Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most comm ... oval:org.secpod.oval:def:1600879 Use-after-free on HTTP/2 stream shutdownWhen an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger ... oval:org.secpod.oval:def:114477 Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most comm ... oval:org.secpod.oval:def:116205 The Apache HTTP Server is a powerful, efficient, and extensible web server. oval:org.secpod.oval:def:1700154 In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads could execute arbitrary code with the privileges of the parent process by manipulating the scoreboard oval:org.secpod.oval:def:54395 apache2: Apache HTTP server Several security issues were fixed in the Apache HTTP Server. oval:org.secpod.oval:def:54396 apache2: Apache HTTP server Several security issues were fixed in the Apache HTTP Server. oval:org.secpod.oval:def:502656 The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fix: * httpd: privilege escalation from modules scripts * httpd: mod_ssl: access control bypass when using per-location client certification authentication For more details about the secur ... oval:org.secpod.oval:def:704065 apache2: Apache HTTP server Details: USN-3627-1 fixed vulnerabilities in Apache HTTP Server. This update provides the corresponding updates for Ubuntu 18.04 LTS. Original advisory Several security issues were fixed in the Apache HTTP Server. oval:org.secpod.oval:def:704052 apache2: Apache HTTP server Several security issues were fixed in the Apache HTTP Server. oval:org.secpod.oval:def:48667 The host is installed with Apple Mac OS X 10.12.6 and is prone to multiple buffer overflow vulnerabilities. The flaws are present in the application, which fails to properly handle a memory related issue. Successful exploitation may allow attackers to perform buffer overflow. oval:org.secpod.oval:def:48678 The host is installed with Apple Mac OS X 10.12.6 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle issues related to ruby. Successful exploitation may allow attackers to cause unexpected application termination or arbitrary code ... oval:org.secpod.oval:def:48676 The host is installed with Apple Mac OS X 10.12.6 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle issues related to ruby. Successful exploitation may allow attackers to cause unexpected application termination or arbitrary code ... oval:org.secpod.oval:def:48677 The host is installed with Apple Mac OS X 10.12.6 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle issues related to ruby. Successful exploitation may allow attackers to cause unexpected application termination or arbitrary code ... oval:org.secpod.oval:def:48674 The host is installed with Apple Mac OS X 10.12.6 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle issues related to ruby. Successful exploitation may allow attackers to cause unexpected application termination or arbitrary code ... oval:org.secpod.oval:def:48675 The host is installed with Apple Mac OS X 10.12.6 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle issues related to ruby. Successful exploitation may allow attackers to cause unexpected application termination or arbitrary code ... oval:org.secpod.oval:def:603362 Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-6797 Brian Carpenter reported that a crafted regular expression could cause a heap buffer write overflow, with ... oval:org.secpod.oval:def:603350 Several vulnerabilities have been found in the Apache HTTPD server. CVE-2017-15710 Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, could cause an of bound write if supplied with a crafted Accept-Language header. This could potentially be used fo ... oval:org.secpod.oval:def:114244 The Apache HTTP Server is a powerful, efficient, and extensible web server. oval:org.secpod.oval:def:704180 ruby2.3: Object-oriented scripting language - ruby1.9.1: Object-oriented scripting language - ruby2.0: Object-oriented scripting language Several security issues were fixed in Ruby. oval:org.secpod.oval:def:704176 ruby2.3: Object-oriented scripting language - ruby1.9.1: Object-oriented scripting language - ruby2.0: Object-oriented scripting language Several security issues were fixed in Ruby. oval:org.secpod.oval:def:1600997 In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads could execute arbitrary code with the privileges of the parent process by manipulating the scoreboard oval:org.secpod.oval:def:603472 Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure. This update also fixes several issues in RubyGems which could all ... oval:org.secpod.oval:def:53297 Several vulnerabilities have been found in the Apache HTTPD server. CVE-2017-15710 Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, could cause an of bound write if supplied with a crafted Accept-Language header. This could potentially be used fo ... oval:org.secpod.oval:def:114296 Module::CoreList provides information on which core and dual-life modules are shipped with each version of perl. oval:org.secpod.oval:def:114298 Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most comm ... oval:org.secpod.oval:def:1800939 CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values¶ Affected Versions:¶ 2.4.1 to 2.4.29 Fixed in:¶ Apache 2.4.30 oval:org.secpod.oval:def:1800945 CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values¶ Affected Versions 2.4.1 to 2.4.29 Fixed in Apache 2.4.30 oval:org.secpod.oval:def:1800946 CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values¶ Affected Versions:¶ 2.4.1 to 2.4.29 Fixed in:¶ Apache 2.4.30 oval:org.secpod.oval:def:1800958 Ruby has multiple vulnerabilities: CVE-2017-17742: HTTP response splitting in WEBrick CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir CVE-2018-8777: DoS by large request in WEBrick CVE-2018-8778: Buffer under-read in String#unpack CVE-2018-877 ... oval:org.secpod.oval:def:1800960 Ruby has multiple vulnerabilities: CVE-2017-17742: HTTP response splitting in WEBrick CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir CVE-2018-8777: DoS by large request in WEBrick CVE-2018-8778: Buffer under-read in String#unpack CVE-2018-877 ... oval:org.secpod.oval:def:1800961 Ruby has multiple vulnerabilities: CVE-2017-17742: HTTP response splitting in WEBrick CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir CVE-2018-8777: DoS by large request in WEBrick CVE-2018-8778: Buffer under-read in String#unpack CVE-2018-877 ... oval:org.secpod.oval:def:53303 Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-6797 Brian Carpenter reported that a crafted regular expression could cause a heap buffer write overflow, with ... oval:org.secpod.oval:def:1800950 CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values¶ Affected Versions:¶ 2.4.1 to 2.4.29 Fixed in:¶ Apache 2.4.30 oval:org.secpod.oval:def:51536 perl: Practical Extraction and Report Language Several security issues were fixed in Perl. oval:org.secpod.oval:def:52071 ruby2.3: Object-oriented scripting language - ruby1.9.1: Object-oriented scripting language - ruby2.0: Object-oriented scripting language Several security issues were fixed in Ruby. oval:org.secpod.oval:def:52068 ruby2.3: Object-oriented scripting language - ruby1.9.1: Object-oriented scripting language - ruby2.0: Object-oriented scripting language Several security issues were fixed in Ruby. oval:org.secpod.oval:def:52034 apache2: Apache HTTP server Several security issues were fixed in the Apache HTTP Server. oval:org.secpod.oval:def:53383 Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure. This update also fixes several issues in RubyGems which could all ... oval:org.secpod.oval:def:1901777 mod_auth_digest access control bypass oval:org.secpod.oval:def:1901778 Apache HTTP Server privilege escalation from modules" scripts oval:org.secpod.oval:def:114573 Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks . It is simple, straight-forward, and extensible. oval:org.secpod.oval:def:603841 Several vulnerabilities have been found in the Apache HTTP server. CVE-2018-17189 Gal Goldshtein of F5 Networks discovered a denial of service vulnerability in mod_http2. By sending malformed requests, the http/2 stream for that request unnecessarily occupied a server thread cleaning up incoming dat ... oval:org.secpod.oval:def:45091 perl: Practical Extraction and Report Language Several security issues were fixed in Perl. oval:org.secpod.oval:def:45092 perl: Practical Extraction and Report Language Several security issues were fixed in Perl. oval:org.secpod.oval:def:54093 apache2: Apache HTTP server Several security issues were fixed in the Apache HTTP Server. oval:org.secpod.oval:def:54094 apache2: Apache HTTP server Several security issues were fixed in the Apache HTTP Server. oval:org.secpod.oval:def:54095 apache2: Apache HTTP server Several security issues were fixed in the Apache HTTP Server. oval:org.secpod.oval:def:51036 apache2: Apache HTTP server Details: USN-3627-1 fixed vulnerabilities in Apache HTTP Server. This update provides the corresponding updates for Linux Mint 19.x LTS. Original advisory Several security issues were fixed in the Apache HTTP Server. oval:org.secpod.oval:def:114608 Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks . It is simple, straight-forward, and extensible. oval:org.secpod.oval:def:1801364 CVE-2019-0196: mod_ read-after-free on a string compare¶ Using fuzzed network input, the request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly. Versions Affected:¶ 2.4.17 to 2.4.38 Fixed ... oval:org.secpod.oval:def:1801365 CVE-2019-0196: mod_ read-after-free on a string compare¶ Using fuzzed network input, the request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly. Versions Affected:¶ 2.4.17 to 2.4.38 Fixed ... oval:org.secpod.oval:def:1801366 CVE-2019-0196: mod_ read-after-free on a string compare¶ Using fuzzed network input, the request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly. Versions Affected:¶ 2.4.17 to 2.4.38 Fixed ... oval:org.secpod.oval:def:1801367 CVE-2019-0196: mod_ read-after-free on a string compare¶ Using fuzzed network input, the request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly. Versions Affected:¶ 2.4.17 to 2.4.38 Fixed ... oval:org.secpod.oval:def:54101 The host is installed with Apache HTTP Server 2.4.x through 2.4.38 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle a race condition in mod_auth_digest when running in a threaded server. Successful exploitation could allow attacker ... oval:org.secpod.oval:def:54102 The host is installed with Apache HTTP Server 2.4.17 through 2.4.38 and is prone to a privilege escalation vulnerability. A flaw is present in the application, which fails to properly handle the less-privileged child processes or threads. Successful exploitation could allow attackers to execute arbi ... oval:org.secpod.oval:def:34666 The host is installed with Apple Mac OS X or Server 10.9.5, 10.10.5 or 10.11.x before 10.11.5 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle unspecified vectors. Successful exploitation could allow remote attackers to an unexpe ... oval:org.secpod.oval:def:34667 The host is installed with Apple Mac OS X or Server 10.9.5, 10.10.5 or 10.11.x before 10.11.5 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle unspecified vectors. Successful exploitation could allow remote attackers to an unexpe ... oval:org.secpod.oval:def:34664 The host is installed with Apple Mac OS X or Server 10.9.5, 10.10.5 or 10.11.x before 10.11.5 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle unspecified vectors. Successful exploitation could allow remote attackers to an unexpe ... oval:org.secpod.oval:def:34665 The host is installed with Apple Mac OS X or Server 10.9.5, 10.10.5 or 10.11.x before 10.11.5 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle unspecified vectors. Successful exploitation could allow remote attackers to an unexpe ... oval:org.secpod.oval:def:34662 The host is installed with Apple Mac OS X or Server 10.9.5, 10.10.5 or 10.11.x before 10.11.5 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle unspecified vectors. Successful exploitation could allow remote attackers to an unexpe ... oval:org.secpod.oval:def:34660 The host is installed with Apple Mac OS X or Server 10.9.5, 10.10.5 or 10.11.x before 10.11.5 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle unspecified vectors. Successful exploitation could allow remote attackers to an unexpe ... oval:org.secpod.oval:def:34661 The host is installed with Apple Mac OS X or Server 10.9.5, 10.10.5 or 10.11.x before 10.11.5 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle unspecified vectors. Successful exploitation could allow remote attackers to an unexpe ... oval:org.secpod.oval:def:114196 The Network Time Protocol is used to synchronize a computer's time with another reference time source. This package includes ntpd and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp packa ... oval:org.secpod.oval:def:114206 The Network Time Protocol is used to synchronize a computer's time with another reference time source. This package includes ntpd and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp packa ... oval:org.secpod.oval:def:33674 The host is installed with Apple Mac OS X or Server 10.9.5, 10.10.5 or 10.11.x before 10.11.4 or Apple Safari before 9.1 and is prone to an arbitrary code execution vulnerability. A flaw is present in the application, which fails to properly handle a malicious crafted XML. Successful exploitation co ... oval:org.secpod.oval:def:1700033 Ephemeral association time spoofing additional protectionntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victims clock vi ... oval:org.secpod.oval:def:602531 Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or spoofing. Wait, Firefox? No more references to Iceweasel? That"s right, Debian no longer applies ... oval:org.secpod.oval:def:602589 Multiple security issues have been found in Icedove, Debian"s version of the Mozilla Thunderbird mail client: Multiple memory safety errors may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:115130 The Network Time Protocol is used to synchronize a computer's time with another reference time source. This package includes ntpd and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp packa ... oval:org.secpod.oval:def:116979 MariaDB is a community developed branch of MySQL - a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs and generic ... oval:org.secpod.oval:def:115668 MariaDB is a community developed branch of MySQL - a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs and generic ... oval:org.secpod.oval:def:1700155 The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prio ... oval:org.secpod.oval:def:115490 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:115534 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:1600961 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ... oval:org.secpod.oval:def:1600958 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server exe ... oval:org.secpod.oval:def:1600949 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability ... oval:org.secpod.oval:def:113859 Chromium is an open-source web browser, powered by WebKit . oval:org.secpod.oval:def:1801556 CVE-2018-2755: mariaDB 10.1.33 CVE-2018-2761: mariaDB 10.1.33 CVE-2018-2766: mariaDB 10.1.33 CVE-2018-2767: mariaDB 10.1.33 CVE-2018-2771: mariaDB 10.1.33 CVE-2018-2781: mariaDB 10.1.33 CVE-2018-2782: mariaDB 10.1.33 CVE-2018-2784: mariaDB 10.1.33 CVE-2018-2787: mariaDB 10.1.33 CVE-2018-2813: mariaD ... oval:org.secpod.oval:def:1801542 CVE-2018-3060: mariaDB 10.2.17 CVE-2018-3064: mariaDB 10.2.17 CVE-2018-3063: mariaDB 10.2.17 CVE-2018-3058: mariaDB 10.2.17 CVE-2018-3066: mariaDB 10.2.17 CVE-2018-3282: mariaDB 10.2.19 CVE-2016-9843: mariaDB 10.2.19 CVE-2018-3174: mariaDB 10.2.19 CVE-2018-3143: mariaDB 10.2.19 CVE-2018-3156: mariaD ... oval:org.secpod.oval:def:1801544 CVE-2018-2755: mariaDB 10.1.33 CVE-2018-2761: mariaDB 10.1.33 CVE-2018-2766: mariaDB 10.1.33 CVE-2018-2767: mariaDB 10.1.33 CVE-2018-2771: mariaDB 10.1.33 CVE-2018-2781: mariaDB 10.1.33 CVE-2018-2782: mariaDB 10.1.33 CVE-2018-2784: mariaDB 10.1.33 CVE-2018-2787: mariaDB 10.1.33 CVE-2018-2813: mariaD ... oval:org.secpod.oval:def:1501988 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:51121 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 S ... oval:org.secpod.oval:def:51129 lcms2: Little CMS color management library Several security issues were fixed in Little CMS. oval:org.secpod.oval:def:51986 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK+. oval:org.secpod.oval:def:1600944 An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task.A vulnerability was discover ... oval:org.secpod.oval:def:1600942 During key agreement in a TLS handshake using a DH based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This cou ... oval:org.secpod.oval:def:51996 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:51997 libvirt: Libvirt virtualization toolkit Several security issues were fixed in libvirt. oval:org.secpod.oval:def:1502452 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502453 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502450 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502451 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502454 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:113972 The kernel meta package oval:org.secpod.oval:def:1600875 RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys:OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process c ... oval:org.secpod.oval:def:113936 WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. oval:org.secpod.oval:def:1801000 CVE-2018-10472,XSA-258: Information leak via crafted user-supplied CDROM oval:org.secpod.oval:def:1801001 CVE-2018-8897, XSA-260: x86: mishandling of debug exceptions oval:org.secpod.oval:def:1801004 CVE-2018-10472,XSA-258: Information leak via crafted user-supplied CDROM oval:org.secpod.oval:def:116106 The kernel meta package oval:org.secpod.oval:def:116107 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:116104 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:116105 The kernel meta package oval:org.secpod.oval:def:502541 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: stack-based buffer overflow in chap_server_compute_md5 in iscsi target * kernel: NULL pointer dereference in af_netlink.c:__netlink_ns_capable allows for denial of service For more details ... oval:org.secpod.oval:def:43587 The host is missing a security update according to apple advisory, APPLE-SA-2018-1-23-6. The update is required to fix multiple memory corruption vulnerabilities.The flaws are present in the application, which fails to properly handle maliciously crafted web content. Successful exploitation could al ... oval:org.secpod.oval:def:114497 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:44923 The host is installed with Apple iCloud before 7.2 or Apple iTunes before 12.7.2 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle memory. Successful exploitation could allow attackers to execute arbitrary code. oval:org.secpod.oval:def:1501854 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114434 The kernel meta package oval:org.secpod.oval:def:1502342 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502341 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114424 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:1700150 A kernel memory leak was found in the kernel_read_file function in the fs/exec.c file in the Linux kernel. An attacker could use this flaw to cause a memory leak and thus a denial of service .A flaw was found in mmap in the Linux kernel allowing the process to map a null page. This allows attackers ... oval:org.secpod.oval:def:1700149 Vulnerability in the Java SE component of Oracle Java SE . Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of th ... oval:org.secpod.oval:def:1700144 A vulnerability was found in polkit. When authentication is performed by a non-root user to perform an administrative task, the authentication is temporarily cached in such a way that a local attacker could impersonate the authorized process, thus gaining access to elevated privileges. oval:org.secpod.oval:def:113991 WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. oval:org.secpod.oval:def:1502306 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502307 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:112657 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:113981 The kernel meta package oval:org.secpod.oval:def:1700108 util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module. oval:org.secpod.oval:def:502616 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information ... oval:org.secpod.oval:def:502615 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Temporary auth hijacking via PID reuse and non-atomic fork For more details a ... oval:org.secpod.oval:def:502618 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information ... oval:org.secpod.oval:def:502619 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information, ... oval:org.secpod.oval:def:502621 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ... oval:org.secpod.oval:def:502620 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ... oval:org.secpod.oval:def:502639 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Missing check in fs/inode.c:inode_init_owner does not clear SGID bit on non-directories for non-members For more details about the security issue, including the impact, a CVSS score, acknow ... oval:org.secpod.oval:def:1502392 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502605 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Temporary auth hijacking via PID reuse and non-atomic fork For more details a ... oval:org.secpod.oval:def:45418 The host is missing an important security update for KB4103731 oval:org.secpod.oval:def:45419 The host is missing an important security update for KB4103730 oval:org.secpod.oval:def:45416 The host is missing an important security update for KB4134651 oval:org.secpod.oval:def:45421 The host is missing an important security update 4103715 oval:org.secpod.oval:def:45423 The host is missing an important security update for KB4103721 oval:org.secpod.oval:def:44100 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:44101 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:1501947 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:45436 The host is missing an important security update for KB4103725 oval:org.secpod.oval:def:45437 The host is missing an important security update 4103726 oval:org.secpod.oval:def:45438 The host is missing an important security update for KB4103727 oval:org.secpod.oval:def:45440 The host is missing an important security update 4103712 oval:org.secpod.oval:def:1501966 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:53002 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:53015 linux: Linux kernel The system could be made to run programs as an administrator. oval:org.secpod.oval:def:54407 openjdk-7: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:2000324 A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service by triggering vfs_read failures. oval:org.secpod.oval:def:115440 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:704900 openjdk-lts: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:115427 X.Org X11 X server oval:org.secpod.oval:def:704057 linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oem: Linux kernel for OEM processors The system could be made to crash under certain conditions. oval:org.secpod.oval:def:704059 linux: Linux kernel - linux-raspi2: Linux kernel for Raspberry Pi 2 The system could be made to crash under certain conditions. oval:org.secpod.oval:def:114968 The kernel meta package oval:org.secpod.oval:def:1502682 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:40632 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:603310 Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library: CVE-2018-1064 Denial Berrange discovered that the QEMU guest agent performed insufficient validationof incoming data, which allows a privileged user in the guest to exhaust resources on the virtualisation host, ... oval:org.secpod.oval:def:45543 The host is missing an important security update 4103718 oval:org.secpod.oval:def:704874 policykit-1: framework for managing administrative policies and privileges PolicyKit could allow unintended access. oval:org.secpod.oval:def:704879 openjdk-7: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:603396 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service. CVE-2018-1087 Andy Lutomirski discovered that the KVM implementation did not properly handle #DB exceptions while deferred by MOV SS/POP SS, allowing an unprivileged KVM gue ... oval:org.secpod.oval:def:704821 linux: Linux kernel The system could be made to run programs as an administrator. oval:org.secpod.oval:def:2000444 The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service . oval:org.secpod.oval:def:115587 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:2000401 In PolicyKit 0.115, the "start time" protection mechanism can be bypassed because fork is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c. oval:org.secpod.oval:def:54510 openjdk-lts: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:704185 libpng1.6: PNG library - development - libpng: PNG file library Several security issues were fixed in libpng. oval:org.secpod.oval:def:704152 ntp: Network Time Protocol daemon and utility programs Several security issues were fixed in NTP. oval:org.secpod.oval:def:704151 libjpeg-turbo: library for handling JPEG files libjpeg-turbo could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:704134 openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL. oval:org.secpod.oval:def:704113 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:1600987 Vulnerability in the Java SE component of Oracle Java SE . Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of th ... oval:org.secpod.oval:def:116064 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:1600990 A kernel memory leak was found in the kernel_read_file function in the fs/exec.c file in the Linux kernel. An attacker could use this flaw to cause a memory leak and thus a denial of service . A flaw was found in mmap in the Linux kernel allowing the process to map a null page. This allows attackers ... oval:org.secpod.oval:def:116053 The kernel meta package oval:org.secpod.oval:def:53274 Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library: CVE-2018-1064 Denial Berrange discovered that the QEMU guest agent performed insufficient validationof incoming data, which allows a privileged user in the guest to exhaust resources on the virtualisation host, ... oval:org.secpod.oval:def:703601 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:115211 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:1800989 CVE-2018-10472,XSA-258: Information leak via crafted user-supplied CDROM oval:org.secpod.oval:def:2000564 The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association. oval:org.secpod.oval:def:53326 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service. CVE-2018-1087 Andy Lutomirski discovered that the KVM implementation did not properly handle #DB exceptions while deferred by MOV SS/POP SS, allowing an unprivileged KVM gue ... oval:org.secpod.oval:def:53328 Multiple vulnerabilities have been discovered in the Xen hypervisor: CVE-2018-8897 Andy Lutomirski and Nick Peterson discovered that incorrect handling of debug exceptions could result in privilege escalation. CVE-2018-10471 An error was discovered in the mitigations against Meltdown which could res ... oval:org.secpod.oval:def:115236 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:115235 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:115230 The kernel meta package oval:org.secpod.oval:def:2000527 Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array. oval:org.secpod.oval:def:502032 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * A heap buffer overflow flaw was found in QEMU"s Cirrus CLGD 54xx VGA emulator"s V ... oval:org.secpod.oval:def:49231 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:51543 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:49230 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:114770 The kernel meta package oval:org.secpod.oval:def:204783 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * Qemu: vga: OOB read access during display update * Qemu: Slirp: use-after-free w ... oval:org.secpod.oval:def:114723 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:46150 The host is installed with OpenSSL 1.1.0 through 1.1.0h or OpenSSL 1.0.2 through 1.0.2o or Oracle VM VirtualBox before 5.2.20 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle a key agreement issue in a TLS handshake using a DH(E) ... oval:org.secpod.oval:def:114740 The kernel meta package oval:org.secpod.oval:def:603541 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2018-15471 Felix Wilhelm of Google Project Zero discovered a flaw in the hash handling of the xen-netback Linux kernel module. A malicious or buggy f ... oval:org.secpod.oval:def:603564 Integer overflows in the processing of packets in network cards emulated by QEMU, a fast processor emulator, could result in denial of service. In addition this update backports support to passthrough the new CPU features added in the intel-microcode update shipped in DSA 4273 to x86-based guests. oval:org.secpod.oval:def:603556 Narendra Shinde discovered that incorrect command-line parameter validation in the Xorg X server may result in arbitary file overwrite, which can result in privilege escalation. oval:org.secpod.oval:def:704201 openssl: Secure Socket Layer cryptographic library and tools OpenSSL could allow access to sensitive information. oval:org.secpod.oval:def:110403 The kernel meta package oval:org.secpod.oval:def:115294 X.Org X11 X server oval:org.secpod.oval:def:52083 openssl: Secure Socket Layer cryptographic library and tools OpenSSL could allow access to sensitive information. oval:org.secpod.oval:def:57782 linux: Linux kernel - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-euclid: Linux kernel for Intel Euclid systems - linux-gcp: Linux kernel for Google Cloud Platform syst ... oval:org.secpod.oval:def:115249 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:115248 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:52038 linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oem: Linux kernel for OEM processors The system could be made to crash under certain conditions. oval:org.secpod.oval:def:53390 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service. CVE-2018-5390 Juha-Matti Tilli discovered that a remote attacker can trigger the worst case code paths for TCP stream reassembly with low rates of specially crafted packets ... oval:org.secpod.oval:def:52057 ntp: Network Time Protocol daemon and utility programs Several security issues were fixed in NTP. oval:org.secpod.oval:def:53435 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2018-15471 Felix Wilhelm of Google Project Zero discovered a flaw in the hash handling of the xen-netback Linux kernel module. A malicious or buggy f ... oval:org.secpod.oval:def:115324 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:205372 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams * QEMU ... oval:org.secpod.oval:def:52132 openjdk-lts: Open Source Java implementation - openjdk-8: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:53457 Integer overflows in the processing of packets in network cards emulated by QEMU, a fast processor emulator, could result in denial of service. In addition this update backports support to passthrough the new CPU features added in the intel-microcode update shipped in DSA 4273 to x86-based guests. oval:org.secpod.oval:def:115345 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:114886 The kernel meta package oval:org.secpod.oval:def:114891 The libpng package contains a library of functions for creating and manipulating PNG image format files. PNG is a bit-mapped graphics format similar to the GIF format. PNG was created to replace the GIF format, since GIF uses a patented data compression algorithm. Libpng should be installed if you ... oval:org.secpod.oval:def:704399 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:704393 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 The system could be made to crash or run programs as an adminis ... oval:org.secpod.oval:def:110473 The kernel meta package oval:org.secpod.oval:def:114851 The libpng10 package contains an old version of libpng, a library of functions for creating and manipulating PNG image format files. This package is needed if you want to run binaries that were linked dynamically with libpng 1.0.x. oval:org.secpod.oval:def:114853 The libpng10 package contains an old version of libpng, a library of functions for creating and manipulating PNG image format files. This package is needed if you want to run binaries that were linked dynamically with libpng 1.0.x. oval:org.secpod.oval:def:704361 xorg-server: X.Org X11 server - xorg-server-hwe-16.04: X.Org X11 server X.Org X server could be made to overwrite files as the administrator. oval:org.secpod.oval:def:114928 The libpng15 package provides libpng 1.5, an older version of the libpng. library for manipulating PNG image format files. This version should be used only if you are unable to use the current version of libpng. oval:org.secpod.oval:def:704322 lcms2: Little CMS color management library Several security issues were fixed in Little CMS. oval:org.secpod.oval:def:704312 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 S ... oval:org.secpod.oval:def:46321 ntp: Network Time Protocol daemon and utility programs Several security issues were fixed in NTP. oval:org.secpod.oval:def:204866 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF ... oval:org.secpod.oval:def:114070 Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux . The main package includes the libvirtd server exporting the virtualization support. oval:org.secpod.oval:def:115373 The kernel meta package oval:org.secpod.oval:def:43212 The host is missing a security update according to Apple advisory, APPLE-SA-2017-12-13-3. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly handle maliciously crafted web content or client certificates. Successful exploitation c ... oval:org.secpod.oval:def:43213 The host is missing a security update according to apple advisory, APPLE-SA-2017-12-13-4. The update is required to fix multiple memory corruption vulnerabilities.The flaws are present in the application, which fails to properly handle maliciously crafted web content or client certificates. Successf ... oval:org.secpod.oval:def:1700093 During key agreement in a TLS handshake using a DH based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This cou ... oval:org.secpod.oval:def:1700091 An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task.A vulnerability was discover ... oval:org.secpod.oval:def:114565 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:45915 The host is installed with Apple Mac OS X 10.11.6 or 10.12.6 and is prone to an arbitrary code execution vulnerability. A flaw is present in the application, which fails to properly handle an undocumented instructions issue. Successful exploitation allows attackers to execute arbitrary code with ker ... oval:org.secpod.oval:def:502272 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * Qemu: vga: OOB read access during display update * Qemu: Slirp: use-after-free w ... oval:org.secpod.oval:def:53540 The host is installed with Apple Mac OS X through 10.12.6, 10.13.6 or 10.14.3 and is prone to multiple vulnerabilities. The flaws are present in the application, which fails to properly handle multiple issues. Successful exploitation allows attackers to execute arbitrary code or read restricted memo ... oval:org.secpod.oval:def:52200 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:48133 The host is installed with Oracle VM VirtualBox before 5.2.20 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Core (OpenSSL). Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:114544 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:1502247 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502248 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502246 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603830 A memory disclosure vulnerability was discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in information disclosure or bypass of sandbox restrictions. oval:org.secpod.oval:def:1700029 bn_sqrx8x_internal carry bug on x86_64There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to ... oval:org.secpod.oval:def:1502203 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502204 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502201 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502202 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502205 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:703164 linux-lts-wily: Linux hardware enablement kernel from Wily for Trusty Several security issues were fixed in the kernel. oval:org.secpod.oval:def:703160 linux-lts-vivid: Linux hardware enablement kernel from Vivid for Trusty Several security issues were fixed in the kernel. oval:org.secpod.oval:def:704472 openjdk-lts: Open Source Java implementation - openjdk-8: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:704454 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:1801222 In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. Fixed in Ve ... oval:org.secpod.oval:def:1502287 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502286 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502292 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502347 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF ... oval:org.secpod.oval:def:502365 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-ma packages provide the user-space component for running virtual machines that use KVM on the IBM z Systems, IBM Power, and 64-bit ARM architectures. Security Fix: * QEMU: slirp: hea ... oval:org.secpod.oval:def:115016 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:115015 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:115018 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:55310 Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, the execution of arbitrary code or information disclosure. In addition this update backports support to passthrough the new md-clear CPU flag added in the intel-microcode update ship ... oval:org.secpod.oval:def:703987 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:703988 libvirt: Libvirt virtualization toolkit Several security issues were fixed in libvirt. oval:org.secpod.oval:def:703972 webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK+. oval:org.secpod.oval:def:115029 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:115020 The kernel meta package oval:org.secpod.oval:def:205141 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. The following packages have been upgraded to a later upstream version: libvir ... oval:org.secpod.oval:def:51012 ntp: Network Time Protocol daemon and utility programs Several security issues were fixed in NTP. oval:org.secpod.oval:def:205130 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: stack-based buffer overflow in chap_server_compute_md5 in iscsi target * kernel: NULL pointer dereference in af_netlink.c:__netlink_ns_capable allows for denial of service For more details ... oval:org.secpod.oval:def:51027 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:205121 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * xorg-x11-server: Incorrect permission check in Xorg X server allows for privilege escalation For more details a ... oval:org.secpod.oval:def:205164 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information ... oval:org.secpod.oval:def:205165 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Temporary auth hijacking via PID reuse and non-atomic fork For more details a ... oval:org.secpod.oval:def:205166 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information, ... oval:org.secpod.oval:def:205167 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ... oval:org.secpod.oval:def:205168 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Temporary auth hijacking via PID reuse and non-atomic fork For more details a ... oval:org.secpod.oval:def:205169 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ... oval:org.secpod.oval:def:603933 Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, the execution of arbitrary code or information disclosure. In addition this update backports support to passthrough the new md-clear CPU flag added in the intel-microcode update ship ... oval:org.secpod.oval:def:50583 The host is installed with Oracle Java SE through 7u201, 8u192 or 11.0.1 and is prone to a privilege escalation vulnerability. A flaw is present in the application, which fails to handle vectors related to unspecified vectors. Successful exploitation allows remote attackers to execute code without u ... oval:org.secpod.oval:def:50588 The host is installed with Oracle Java SE through 7u201, 8u192 or 11.0.1 and is prone to a privilege escalation vulnerability. A flaw is present in the application, which fails to handle vectors related to unspecified vectors. Successful exploitation allows remote attackers to execute code without u ... oval:org.secpod.oval:def:705016 linux: Linux kernel - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-euclid: Linux kernel for Intel Euclid systems - linux-gcp: Linux kernel for Google Cloud Platform syst ... oval:org.secpod.oval:def:45288 The host is installed with OpenSSL 1.1.0 through 1.1.0h or OpenSSL 1.0.2b through 1.0.2n and is prone to a cache timing side channel attack vulnerability. A flaw is present in the application, which fails to properly handle malicious input to a stack. Successful exploitation can allow attackers to c ... oval:org.secpod.oval:def:1502168 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:115174 LittleCMS intends to be a small-footprint, speed optimized color management engine in open source form. LCMS2 is the current version of LCMS, and can be parallel installed with the original lcms. oval:org.secpod.oval:def:115169 The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols. oval:org.secpod.oval:def:115166 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:115162 The kernel meta package oval:org.secpod.oval:def:115161 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:115164 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:115163 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:51064 openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL. oval:org.secpod.oval:def:115131 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:51070 libjpeg-turbo: library for handling JPEG files libjpeg-turbo could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:115122 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:115124 The kernel meta package oval:org.secpod.oval:def:115123 The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols. oval:org.secpod.oval:def:115148 LittleCMS intends to be a small-footprint, speed optimized color management engine in open source form. LCMS2 is the current version of LCMS, and can be parallel installed with the original lcms. oval:org.secpod.oval:def:54117 policykit-1: framework for managing administrative policies and privileges PolicyKit could allow unintended access. oval:org.secpod.oval:def:2000338 An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function ReadPCDImage in coders/pcd.c, which allow remote attackers to cause a denial of service via a crafted file. oval:org.secpod.oval:def:2000376 ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c. oval:org.secpod.oval:def:2000365 ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c. oval:org.secpod.oval:def:2000460 ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c. oval:org.secpod.oval:def:704155 imagemagick: Image manipulation programs and library Several security issues were fixed in ImageMagick. oval:org.secpod.oval:def:2000501 In ImageMagick 7.0.8-4, there is a memory leak in the XMagickCommand function in MagickCore/animate.c. oval:org.secpod.oval:def:52119 imagemagick: Image manipulation programs and library Several security issues were fixed in ImageMagick. oval:org.secpod.oval:def:704338 imagemagick: Image manipulation programs and library Several security issues were fixed in ImageMagick. oval:org.secpod.oval:def:51023 imagemagick: Image manipulation programs and library Several security issues were fixed in ImageMagick. oval:org.secpod.oval:def:47878 imagemagick: Image manipulation programs and library Several security issues were fixed in ImageMagick. oval:org.secpod.oval:def:51073 imagemagick: Image manipulation programs and library Several security issues were fixed in ImageMagick. oval:org.secpod.oval:def:51179 openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL. oval:org.secpod.oval:def:1700153 A microprocessor side-channel vulnerability was found on SMT architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information.If an application encounters a fatal protocol error and then calls SSL_shutdown twice t ... oval:org.secpod.oval:def:502625 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures For more details about the security issu ... oval:org.secpod.oval:def:503264 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: 0-byte record padding oracle * openssl: timing side channel attack in the DSA signature algorithm For mo ... oval:org.secpod.oval:def:51450 The host is installed with OpenSSL 1.1.0 through 1.1.0h or OpenSSL 1.0.2 through 1.0.2p and is prone to a microarchitecture timing side channel attack vulnerability. A flaw is present in the application, which fails to properly handle an issue in ECDSA signature generation. Successful exploitation c ... oval:org.secpod.oval:def:48691 This is a flaw in the Intel processor execution engine sharing on SMT (e.g. Hyper-Threading) architectures. It can result in leakage of secret data in applications such as OpenSSL that has secret dependent control flow at any granularity level. In order to exploit this flaw, the attacker needs to ru ... oval:org.secpod.oval:def:1600996 A microprocessor side-channel vulnerability was found on SMT architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information. If an application encounters a fatal protocol error and then calls SSL_shutdown twice ... oval:org.secpod.oval:def:205268 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: 0-byte record padding oracle * openssl: timing side channel attack in the DSA signature algorithm For mo ... oval:org.secpod.oval:def:49221 The host is installed with OpenSSL 1.1.0 through 1.1.0i, 1.0.2 through 1.0.2p or 1.1.1 and is prone to a timing side channel attack vulnerability. A flaw is present in the DSA algorithm. On successful exploitation, an attacker could use variations in the signing algorithm to recover the private key. oval:org.secpod.oval:def:603589 Several local side channel attacks and a denial of service via large Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets Layer toolkit. oval:org.secpod.oval:def:603582 Several local side channel attacks and a denial of service via large Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets Layer toolkit. oval:org.secpod.oval:def:53471 Several local side channel attacks and a denial of service via large Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets Layer toolkit. oval:org.secpod.oval:def:53478 Several local side channel attacks and a denial of service via large Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets Layer toolkit. oval:org.secpod.oval:def:704418 openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL. oval:org.secpod.oval:def:205170 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures For more details about the security issu ... oval:org.secpod.oval:def:50635 The host is installed with Oracle VM VirtualBox before 5.2.24 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Core. Successful exploitation allows attackers to affect Confidentiality, Integrity and Availability. oval:org.secpod.oval:def:1600923 Quick Emulator , compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur while loading a kernel image during the guest boot, if mh_load_end_addr address is greater than the mh_bss_end_addr address. A user or process ... oval:org.secpod.oval:def:204870 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams * QEMU ... oval:org.secpod.oval:def:1700077 A heap buffer overflow issue was found in the way SLiRP networking back-end in QEMU processes fragmented packets. It could occur while reassembling the fragmented datagrams of an incoming packet. A privileged user/process inside guest could use this flaw to crash the QEMU process resulting in DoS or ... oval:org.secpod.oval:def:1502293 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502351 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams * QEMU ... oval:org.secpod.oval:def:704122 imagemagick: Image manipulation programs and library Several security issues were fixed in ImageMagick. oval:org.secpod.oval:def:51056 imagemagick: Image manipulation programs and library Several security issues were fixed in ImageMagick. oval:org.secpod.oval:def:51134 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security i ... oval:org.secpod.oval:def:53011 linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:115435 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:115530 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:114789 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:114727 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:204852 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions . It relies on the presence of a precisely-defi ... oval:org.secpod.oval:def:704330 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security i ... oval:org.secpod.oval:def:114551 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:1502222 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502240 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502241 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704466 linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:502332 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load Store instructions . It relies on the presence of a precisely-defined in ... oval:org.secpod.oval:def:115017 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:115038 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:114614 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor oval:org.secpod.oval:def:1600844 Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add function potentially allowing KASLR bypassThe acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SB ... oval:org.secpod.oval:def:53259 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controllin ... oval:org.secpod.oval:def:1800708 CVE-2017-5753 Versions affected: WebKitGTK+ before 2.18.5.Impact: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker via a side-channel analysis. This variant of the Spectre vulnerability triggers the spe ... oval:org.secpod.oval:def:1700012 Stack-based out-of-bounds read via vmcall instructionLinux kernel compiled with the KVM virtualization support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memor ... oval:org.secpod.oval:def:111284 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ... oval:org.secpod.oval:def:111287 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ... oval:org.secpod.oval:def:704098 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine Several security issues were fixed in Tomcat. oval:org.secpod.oval:def:1600439 A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer used to read the uploaded file if the boundary was the typical tens of bytes long. oval:org.secpod.oval:def:703196 tomcat8: Servlet and JSP engine Tomcat could be made to hang if it received specially crafted network traffic. oval:org.secpod.oval:def:703188 tomcat7: Servlet and JSP engine - tomcat6: Servlet and JSP engine Several security issues were fixed in Tomcat. oval:org.secpod.oval:def:602553 The TERASOLUNA Framework Development Team discovered a denial of service vulnerability in Apache Commons FileUpload, a package to make it easy to add robust, high-performance, file upload capability to servlets and web applications. A remote attacker can take advantage of this flaw by sending file u ... oval:org.secpod.oval:def:602549 The TERASOLUNA Framework Development Team discovered a denial of service vulnerability in Apache Commons FileUpload, a package to make it easy to add robust, high-performance, file upload capability to servlets and web applications. A remote attacker can take advantage of this flaw by sending file u ... oval:org.secpod.oval:def:602545 Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections, bypass of the SecurityManager or denial of service. oval:org.secpod.oval:def:1501655 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. The following packages have been upgraded to a newer upstream version: tomcat . Security Fix: * A CSRF flaw was found in Tomcat"s the index pages for the Manager and Host Manager applications. These applic ... oval:org.secpod.oval:def:51047 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine Several security issues were fixed in Tomcat. oval:org.secpod.oval:def:35821 The host is installed with Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3 or 9.x before 9.0.0.M7 and is prone to a denial of service vulnerability. A flaw is present in the MultipartStream class in Apache Commons Fileupload, which fails to handle a long boundary string. Succe ... oval:org.secpod.oval:def:35820 tomcat7: Servlet and JSP engine - tomcat6: Servlet and JSP engine Several security issues were fixed in Tomcat. oval:org.secpod.oval:def:35819 tomcat7: Servlet and JSP engine - tomcat6: Servlet and JSP engine Several security issues were fixed in Tomcat. oval:org.secpod.oval:def:51188 exiv2: EXIF/IPTC/XMP metadata manipulation tool Several security issues were fixed in Exiv2. oval:org.secpod.oval:def:51545 exiv2: EXIF/IPTC/XMP metadata manipulation tool Several security issues were fixed in Exiv2. oval:org.secpod.oval:def:50470 exiv2: EXIF/IPTC/XMP metadata manipulation tool Several security issues were fixed in Exiv2. oval:org.secpod.oval:def:704434 exiv2: EXIF/IPTC/XMP metadata manipulation tool Several security issues were fixed in Exiv2. oval:org.secpod.oval:def:1502478 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502479 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1600905 An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode is called with a NULL bp. This can lead to a system crash and a denial of service.An issue was discovered in th ... oval:org.secpod.oval:def:1502348 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502349 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704141 linux: Linux kernel - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704140 linux-oem: Linux kernel for OEM processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704114 linux: Linux kernel - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:114788 The kernel meta package oval:org.secpod.oval:def:704299 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704298 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52055 linux-oem: Linux kernel for OEM processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52112 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52117 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52125 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52949 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704394 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52951 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52956 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704389 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:114920 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:114917 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:114913 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:114906 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:704331 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704329 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:114905 The kernel meta package oval:org.secpod.oval:def:45898 The host is installed with Apple Mac OS 10.13.4, 10.12.6 or 10.11.6 and is prone to multiple vulnerabilities. The flaw is present in the application, which fails to properly handle multiple issues. Successful exploitation allows remote attackers to execute arbitrary code or read restricted memory or ... oval:org.secpod.oval:def:1700064 An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode is called with a NULL bp. This can lead to a system crash and a denial of service.An issue was discovered in th ... oval:org.secpod.oval:def:114632 The kernel meta package oval:org.secpod.oval:def:51166 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:115654 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:115651 The kernel meta package oval:org.secpod.oval:def:51105 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:115613 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:115610 The kernel meta package oval:org.secpod.oval:def:115612 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:115630 The kernel meta package oval:org.secpod.oval:def:1502487 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:115627 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:115626 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:1502497 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502425 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1600910 Fixes for L1Terminal Fault security issues:L1 Terminal Fault-OS/ SMM:Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault an ... oval:org.secpod.oval:def:1502443 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:2001436 A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect and close function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or ... oval:org.secpod.oval:def:1600933 A security flaw was found in the chap_server_compute_md5 function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The atta ... oval:org.secpod.oval:def:502598 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Use-after-free due to race condition in AF_PACKET implementation * kernel: userfaultfd bypasses tmpfs file permissions For more details about the security issue, including the impact, a CV ... oval:org.secpod.oval:def:51185 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:704806 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oracle: Linux kernel for Oracle Cloud systems Several securit ... oval:org.secpod.oval:def:704807 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-oracle: Linux kernel for Oracle Cloud systems - linux-rasp ... oval:org.secpod.oval:def:704808 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704809 linux: Linux kernel - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:51210 linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in th ... oval:org.secpod.oval:def:51216 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:2000292 In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device that is mishandled in usb_audio_probe in sound/usb/card.c. oval:org.secpod.oval:def:1502340 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1700166 A flaw was found in the Linux kernel#039;s implementation of logical link control and adaptation protocol , part of the Bluetooth stack in the l2cap_parse_conf_rsp and l2cap_parse_conf_req functions. An attacker with physical access within the range of standard Bluetooth transmission can create a sp ... oval:org.secpod.oval:def:51206 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:51205 linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:1700116 A flaw was found in the Linux kernel"s NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a ... oval:org.secpod.oval:def:1700114 A use-after-free vulnerability was found in the way the Linux kernel#039;s KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device, the device holds a reference to a VM object, later this reference is transferred to the caller#039;s file descriptor table ... oval:org.secpod.oval:def:1502320 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502321 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1700105 A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation . The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one.An issue was discovered in the Linux ... oval:org.secpod.oval:def:502626 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Memory corruption due to incorrect socket cloning * kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks * kernel: Faulty computation of numberic bounds in the BPF v ... oval:org.secpod.oval:def:502649 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: KVM: potential use-after-free via kvm_ioctl_create_device * Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer For more details about the security issue ... oval:org.secpod.oval:def:53004 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:53003 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:53005 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:53009 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:2000354 Heap address infoleak in use of l2cap_get_conf_opt oval:org.secpod.oval:def:704870 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704863 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704868 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 S ... oval:org.secpod.oval:def:704864 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oracle: Linux kernel for Oracle Cloud systems Several securit ... oval:org.secpod.oval:def:704865 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704866 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-oracle: Linux kernel for Oracle Cloud systems - linux-rasp ... oval:org.secpod.oval:def:704867 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704825 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704826 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:115536 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:115535 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:2000418 Heap data infoleak in multiple locations including functionl2cap_parse_conf_rsp oval:org.secpod.oval:def:704143 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:1600978 A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor emulates a preemption timer for L2 guests when nested virtualization is enabled. This high resolution timer runs when a L2 guest is active. After VM exit, the sync_vmcs12 timer object is stopped. The use-afte ... oval:org.secpod.oval:def:1600973 A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption ... oval:org.secpod.oval:def:1600968 A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation . The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one.An issue was discovered in the Linux ... oval:org.secpod.oval:def:55022 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:55023 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oracle: Linux kernel for Oracle Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704950 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oracle: Linux kernel for Oracle Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704945 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704946 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 S ... oval:org.secpod.oval:def:205243 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: nfs: use-after-free in svc_process_common * kernel: insufficient input validation in kernel mode driver in Intel i915 graphics leads to privilege escalation * kernel: nfs: NULL pointer der ... oval:org.secpod.oval:def:2000558 KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer oval:org.secpod.oval:def:2001012 In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free. oval:org.secpod.oval:def:704281 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704283 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:704278 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704279 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:603536 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2018-6554 A memory leak in the irda_bind function in the irda subsystem was discovered. A local user can take advantage of this flaw to cause a denial ... oval:org.secpod.oval:def:57783 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-oracle: Linux kernel for Oracle Cloud systems - linux-rasp ... oval:org.secpod.oval:def:205195 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: KVM: potential use-after-free via kvm_ioctl_create_device * Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer For more details about the security issue ... oval:org.secpod.oval:def:53396 CVE-2018-5391 Juha-Matti Tilli discovered a flaw in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker can take advantage of this flaw to trigger time and calculation expensive fragment reassembly algorithms by sending specially crafted packets, leadi ... oval:org.secpod.oval:def:52110 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52122 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52133 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52128 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52138 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oracle: Linux kernel for Oracle Cloud systems Several securit ... oval:org.secpod.oval:def:53431 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2018-6554 A memory leak in the irda_bind function in the irda subsystem was discovered. A local user can take advantage of this flaw to cause a denial ... oval:org.secpod.oval:def:52946 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52945 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704390 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:704392 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52952 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52957 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52962 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52961 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52964 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52963 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52966 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704354 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704355 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:204822 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: KVM: error in exception handling leads to wrong debug stack value * Kernel: error in exception handling leads to DoS * Kernel: ipsec: xfrm: use-after-free leading to potential privilege es ... oval:org.secpod.oval:def:204889 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensi ... oval:org.secpod.oval:def:1700082 A security flaw was found in the chap_server_compute_md5 function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The atta ... oval:org.secpod.oval:def:502287 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: KVM: error in exception handling leads to wrong debug stack value * Kernel: error in exception handling leads to DoS * Kernel: ipsec: xfrm: use-after-free leading to potential privilege es ... oval:org.secpod.oval:def:1700069 Fixes for L1Terminal Fault security issues:L1 Terminal Fault-OS/ SMM:Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault an ... oval:org.secpod.oval:def:1700044 A weakness was found in the Linux kernel#039;s implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated. A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch oper ... oval:org.secpod.oval:def:114545 The kernel meta package oval:org.secpod.oval:def:1502207 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704491 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704488 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704482 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704484 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704481 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704478 linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in th ... oval:org.secpod.oval:def:704470 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704464 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704467 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704460 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704469 linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704455 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704456 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704458 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704431 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704430 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 T ... oval:org.secpod.oval:def:115084 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:115082 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:1502288 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704428 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704429 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704427 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:704410 linux-aws: Linux kernel for Amazon Web Services systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704409 linux: Linux kernel - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:115071 The kernel meta package oval:org.secpod.oval:def:205149 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Use-after-free due to race condition in AF_PACKET implementation * kernel: userfaultfd bypasses tmpfs file permissions For more details about the security issue, including the impact, a CV ... oval:org.secpod.oval:def:1601000 A flaw was found in the Linux kernel's implementation of logical link control and adaptation protocol , part of the Bluetooth stack in the l2cap_parse_conf_rsp and l2cap_parse_conf_req functions. An attacker with physical access within the range of standard Bluetooth transmission can create a s ... oval:org.secpod.oval:def:502371 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensi ... oval:org.secpod.oval:def:205173 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Memory corruption due to incorrect socket cloning * kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks * kernel: Faulty computation of numberic bounds in the BPF v ... oval:org.secpod.oval:def:114668 The kernel meta package oval:org.secpod.oval:def:115939 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:705018 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-oracle: Linux kernel for Oracle Cloud systems - linux-rasp ... oval:org.secpod.oval:def:2001338 A flaw was found in the Linux kernel"s NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a ... oval:org.secpod.oval:def:115948 The kernel meta package oval:org.secpod.oval:def:115944 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:115943 The kernel meta package oval:org.secpod.oval:def:115940 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:115942 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:51065 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:54112 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-oracle: Linux kernel for Oracle Cloud systems - linux-rasp ... oval:org.secpod.oval:def:54113 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oracle: Linux kernel for Oracle Cloud systems Several securit ... oval:org.secpod.oval:def:54111 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:54116 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:54114 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:54115 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:51141 git: fast, scalable, distributed revision control system Git could be made to run programs as your login if it recursively opened a malicious git repository. oval:org.secpod.oval:def:49668 The host is installed with Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, or 2.17.x before 2.17.1 and is prone to a remote code execution vulnerability. A flaw is present in the application, which fails to handle the crafted .gitmodules file. Successful exploita ... oval:org.secpod.oval:def:1600936 Git before 2.14.5, allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character. oval:org.secpod.oval:def:1600894 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x befor ... oval:org.secpod.oval:def:115426 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:114981 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:204959 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:46090 The host is installed with Apple Mac OS X 10.13.2 or later or Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4 or 2.17.x before 2.17.1 and is prone to an arbitary code execution vulnerability. A flaw is present in the application, which fails to handle crafted file ... oval:org.secpod.oval:def:603412 Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file. oval:org.secpod.oval:def:704107 git: fast, scalable, distributed revision control system Several security issues were fixed in Git. oval:org.secpod.oval:def:115217 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs common set of tools which are usually using with small amount of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:53338 Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file. oval:org.secpod.oval:def:115229 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:1800993 CVE-2018-11233:¶ In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. oval:org.secpod.oval:def:1800995 CVE-2018-11233:¶ In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. oval:org.secpod.oval:def:1800999 CVE-2018-11233:¶ In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. oval:org.secpod.oval:def:114754 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:114750 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:603539 joernchen of Phenoelit discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability via a specially crafted .gitmodules file in a project cloned with --recurse-submodules. oval:org.secpod.oval:def:114819 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:115254 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs common set of tools which are usually using with small amount of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:115245 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:48098 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:115315 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:114919 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:704345 git: fast, scalable, distributed revision control system Git could be made to run programs as your login if it recursively opened a malicious git repository. oval:org.secpod.oval:def:204835 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:114590 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs common set of tools which are usually using with small amount of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:1700086 Git before 2.14.5, allows remote code execution during processing of a recursive quot;git clonequot; of a superproject if a .gitmodules file has a URL field beginning with a #039;-#039; character. oval:org.secpod.oval:def:114589 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs common set of tools which are usually using with small amount of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:1700048 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x befor ... oval:org.secpod.oval:def:1502252 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502322 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:51048 git: fast, scalable, distributed revision control system Several security issues were fixed in Git. oval:org.secpod.oval:def:603280 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controllin ... oval:org.secpod.oval:def:704058 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704054 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704056 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:603398 Multiple vulnerabilities have been discovered in the Xen hypervisor: CVE-2018-8897 Andy Lutomirski and Nick Peterson discovered that incorrect handling of debug exceptions could result in privilege escalation. CVE-2018-10471 An error was discovered in the mitigations against Meltdown which could res ... oval:org.secpod.oval:def:704144 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:603411 Several vulnerabilities were discovered in qemu, a fast processor emulator. CVE-2017-15038 Tuomas Tynkkynen discovered an information leak in 9pfs. CVE-2017-15119 Eric Blake discovered that the NBD server insufficiently restricts large option requests, resulting in denial of service. CVE-2017-15124 ... oval:org.secpod.oval:def:53337 Several vulnerabilities were discovered in qemu, a fast processor emulator. CVE-2017-15038 Tuomas Tynkkynen discovered an information leak in 9pfs. CVE-2017-15119 Eric Blake discovered that the NBD server insufficiently restricts large option requests, resulting in denial of service. CVE-2017-15124 ... oval:org.secpod.oval:def:204791 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * hw: cpu: speculative execution permission faults handling * kernel: Buffer overflow in firewire driver via crafted incoming packets * kernel: Use-after-free vulnerability in DCCP socket * Kernel: ... oval:org.secpod.oval:def:204798 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * hw: cpu: speculative execution permission faults handling * Kernel: error in exception handling leads to DoS * kernel: nfsd: Incorrect handling of long RPC replies * kernel: Use-after-free vulner ... oval:org.secpod.oval:def:52923 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52933 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:204758 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list o ... oval:org.secpod.oval:def:52036 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52037 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:502241 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list o ... oval:org.secpod.oval:def:502267 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * hw: cpu: speculative execution permission faults handling * kernel: Buffer overflow in firewire driver via crafted incoming packets * kernel: Use-after-free vulnerability in DCCP socket * Kernel: ... oval:org.secpod.oval:def:502286 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * hw: cpu: speculative execution permission faults handling * Kernel: error in exception handling leads to DoS * kernel: nfsd: Incorrect handling of long RPC replies * kernel: Use-after-free vulner ... oval:org.secpod.oval:def:1502206 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502266 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502269 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502267 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502268 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502291 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502144 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502175 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:40418 libxslt: XSLT processing library Several security issues were fixed in Libxslt. oval:org.secpod.oval:def:40417 libxslt: XSLT processing library Several security issues were fixed in Libxslt. oval:org.secpod.oval:def:34663 The host is installed with Apple Mac OS X or Server 10.9.5, 10.10.5 or 10.11.x before 10.11.6 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle unspecified vectors. Successful exploitation could allow remote attackers to have unsp ... oval:org.secpod.oval:def:34287 The host is installed with Apple iTunes before 12.4.2 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash the service. oval:org.secpod.oval:def:602524 Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause a denial-of-service against the applica ... oval:org.secpod.oval:def:602520 Several vulnerabilities have been discovered in the chromium web browser. CVE-2016-1667 Mariusz Mylinski discovered a cross-origin bypass. CVE-2016-1668 Mariusz Mylinski discovered a cross-origin bypass in bindings to v8. CVE-2016-1669 Choongwoo Han discovered a buffer overflow in the v8 javascript ... oval:org.secpod.oval:def:602541 Several vulnerabilities were discovered in libxslt, an XSLT processing runtime library, which could lead to information disclosure or denial-of-service against an application using the libxslt library. oval:org.secpod.oval:def:36255 The host is missing a security update according to Apple advisory APPLE-SA-2016-07-18-6. The update is required to fix multiple memory corruption vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash the servi ... oval:org.secpod.oval:def:36326 The host is missing a security update according to Apple advisory APPLE-SA-2016-07-18-1. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted website. Successful exploitation allows attackers to crash the service, disclose th ... oval:org.secpod.oval:def:114334 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fai ... oval:org.secpod.oval:def:114335 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fai ... oval:org.secpod.oval:def:1600834 Reflected XSS in .phar 404 pageAn issue was discovered in PHP; there is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file. Denial of Service via infinite loop in libgd gdImageCreateFromGifCtx function in ext/gd/libgd/gd_gif_in.cThe gd_gif_in.c file in the GD Graphic ... oval:org.secpod.oval:def:113112 The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or JPEG file. This is particularly useful in Web applications, where PNG and JPEG are two of the fo ... oval:org.secpod.oval:def:113124 The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or JPEG file. This is particularly useful in Web applications, where PNG and JPEG are two of the fo ... oval:org.secpod.oval:def:1800681 CVE-2017-6362: Double-free in gdImagePngPtr. Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors. Fixed In Version: libgd 2.2.5 oval:org.secpod.oval:def:704014 php7.1: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:1800488 CVE-2017-6362: Double-free in gdImagePngPtr. Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors. Fixed In Version: libgd 2.2.5 oval:org.secpod.oval:def:52014 php7.1: HTML-embedded scripting language interpreter - php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:113491 The gd graphics library allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and to write out the result as a PNG or JPEG file. This is particularly useful in Web applications, where PNG and JPEG are two of the fo ... oval:org.secpod.oval:def:51546 php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:52913 php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:53365 Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language: CVE-2018-7584 Buffer underread in parsing HTTP responses CVE-2018-10545 Dumpable FPM child processes allowed the bypass of opcache access controls CVE-2018-10546 Denial of service via infinite lo ... oval:org.secpod.oval:def:603675 Multiple security issues were found in PHP, a widely-used open source general purpose scripting language: Multiple out-of-bounds memory accesses were found in the xmlrpc, mbstring and phar extensions and the dns_get_record function. oval:org.secpod.oval:def:53525 Multiple security issues were found in PHP, a widely-used open source general purpose scripting language: Multiple out-of-bounds memory accesses were found in the xmlrpc, mbstring and phar extensions and the dns_get_record function. oval:org.secpod.oval:def:1800778 CVE-2017-6362: Double-free in gdImagePngPtr. Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors. Fixed In Version libgd 2.2.5 oval:org.secpod.oval:def:703979 php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:51007 php7.0: HTML-embedded scripting language interpreter - php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:1501955 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1501956 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114362 The Apache HTTP Server is a powerful, efficient, and extensible web server. oval:org.secpod.oval:def:42910 The host is missing a security update according to Apple advisory, APPLE-SA-2017-10-31-2. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary ... oval:org.secpod.oval:def:110858 This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parsed. ... oval:org.secpod.oval:def:1901278 Expat allows context-dependent attackers to cause a denial of service or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. oval:org.secpod.oval:def:204140 Expat is a C library for parsing XML documents. Security Fix: * An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, pos ... oval:org.secpod.oval:def:110629 This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parsed. ... oval:org.secpod.oval:def:36618 The host is missing an important security update according to Mozilla advisory, MFSA2016-68. The update is required to fix an out-of-bounds read vulnerability. A flaw is present in the application, which fail to handle malformed XML data. Successful exploitation allows remote attackers to read other ... oval:org.secpod.oval:def:36617 The host is installed with Mozilla Firefox before 48.0 and is prone to an out-of-bounds read vulnerability. A flaw is present in the application, which fails to handle malformed XML data. Successful exploitation allows remote attackers to read other inaccessible memory. oval:org.secpod.oval:def:34942 The host is installed with RHEL 6 or 7 and is prone to an out-of-bounds heap read vulnerability. A flaw is present in the application, which fails to handle a malformed input document. Successful exploitation could allow attackers to execute arbitrary code or crash the service. oval:org.secpod.oval:def:110714 This is expat, the C library for parsing XML, written by James Clark. Expat is a stream oriented XML parser. This means that you register handlers with the parser prior to starting the parse. These handlers are called when the parser discovers the associated structures in the document being parsed. ... oval:org.secpod.oval:def:51563 expat: XML parsing C library Expat could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:51609 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:1600483 CVE-2016-0718 : Out-of-bounds read flaw An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary ... oval:org.secpod.oval:def:204045 Expat is a C library for parsing XML documents. Security Fix: * An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, pos ... oval:org.secpod.oval:def:400755 This update for expat fixes the following issues: Security issue fixed: - CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. - CVE-2015-1283: Fix multiple integer overflows oval:org.secpod.oval:def:602506 Gustavo Grieco discovered that Expat, an XML parsing C library, does not properly handle certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. A remote attacker can take advantage of this flaw to cause an application using the Expat library ... oval:org.secpod.oval:def:703172 xmlrpc-c: Lightweight RPC library based on XML and HTTP Several security issues were fixed in XML-RPC for C and C++. oval:org.secpod.oval:def:703112 expat: XML parsing C library Expat could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:1501684 Expat is a C library for parsing XML documents. Security Fix: * An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, pos ... oval:org.secpod.oval:def:1501685 Expat is a C library for parsing XML documents. Security Fix: * An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, pos ... oval:org.secpod.oval:def:501941 Expat is a C library for parsing XML documents. Security Fix: * An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, pos ... oval:org.secpod.oval:def:36289 The host is installed with Apple Mac OS X or Server 10.11.x before 10.11.6 or apple itunes before 12.6 or mozilla firefox before 48.0 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle unknown vectors. Successful exploitation could ... oval:org.secpod.oval:def:703220 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:39507 The host is missing a critical security update according to Apple advisory, APPLE-SA-2017-03-22-1. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly handle crafted vectors. Successful exploitation allows attackers to execute arb ... oval:org.secpod.oval:def:39508 The host is missing a security update according to Apple advisory, APPLE-SA-2017-03-22-2. The update is required to fix multiple vulnerabilities in Apple iTunes. The flaws are present in SQLite and expat which fails to handle vectors related to iTunes, crafted xml files. Successful exploitation coul ... oval:org.secpod.oval:def:115667 The kernel meta package oval:org.secpod.oval:def:115661 This package contains the tools/ directory from the kernel source and the supporting documentation. oval:org.secpod.oval:def:115660 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. oval:org.secpod.oval:def:1700130 The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.A flaw was found where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect an ... oval:org.secpod.oval:def:1600970 The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.A flaw was found where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect an ... oval:org.secpod.oval:def:2000582 An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c. oval:org.secpod.oval:def:52134 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52965 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704483 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704480 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:47525 Microsoft is aware of a denial of service vulnerability (named "FragmentSmack" CVE-2018-5391) affecting Windows systems. An attacker could send many 8-byte sized IP fragments with random starting offsets, but withhold the last fragment and exploit the worst-case complexity of linked lists in reassem ... oval:org.secpod.oval:def:42351 The host is missing an important security update KB4042895 oval:org.secpod.oval:def:45422 The host is missing an important security update for KB4103716 oval:org.secpod.oval:def:42355 The host is missing a critical security update KB4041691 oval:org.secpod.oval:def:42412 A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network. Multiple conditions would need to be met ... oval:org.secpod.oval:def:45388 An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new a ... oval:org.secpod.oval:def:45435 The host is missing an important security update for KB4103723 oval:org.secpod.oval:def:47526 The host is missing an important security update according to MS advisory ADV180022. oval:org.secpod.oval:def:503137 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * An integer overflow flaw was found in the way the Linux kernel"s networking subsystem processed TCP Selective Acknowledgment segments. While processing SACK segments, the Linux kernel"s socket buff ... oval:org.secpod.oval:def:1600883 Ephemeral association time spoofing additional protectionntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim#039;s clo ... oval:org.secpod.oval:def:704042 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704045 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52921 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52029 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:1502220 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502215 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502217 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502177 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502178 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603111 Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks. CVE-2017-7518 Andy Lutomirski discovered that KVM is prone to an incorrect debug exception error occurring while emulating a syscall instruction. A process ... oval:org.secpod.oval:def:53140 Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks. CVE-2017-7518 Andy Lutomirski discovered that KVM is prone to an incorrect debug exception error occurring while emulating a syscall instruction. A process ... oval:org.secpod.oval:def:602546 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-7515, CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187, CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140 Ralf Spenneberg of O ... oval:org.secpod.oval:def:43535 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Libraries. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:43539 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JNDI. Successful exploitation allows attackers to affect Integrity and Availability. oval:org.secpod.oval:def:43538 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to LDAP. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:43537 The host is installed with Oracle Java SE through 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Hotspot. Successful exploitation allows attackers to affect Integrity. oval:org.secpod.oval:def:43542 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JCE. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:43541 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Libraries. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:43540 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to I18n. Successful exploitation allows attackers to affect Confidentiality, Integrity and Availabi ... oval:org.secpod.oval:def:43546 The host is installed with Oracle Java SE through 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JGSS. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:43545 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JNDI. Successful exploitation allows attackers to affect Confidentiality, Integrity and Availabi ... oval:org.secpod.oval:def:43544 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JGSS. Successful exploitation allows attackers to affect Integrity. oval:org.secpod.oval:def:43547 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JMX. Successful exploitation allows attackers to affect Confidentiality and Integrity. oval:org.secpod.oval:def:43553 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to AWT. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:43552 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Libraries. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:43550 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to AWT. Successful exploitation allows attackers to affect Integrity. oval:org.secpod.oval:def:43554 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JNDI. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:50264 The host is installed with Oracle Java SE through 7u201, 8u192 or 11.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Libraries. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:45167 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Security. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45168 The host is installed with Oracle Java SE through 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Concurrency. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45169 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JMX. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45165 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Security. Successful exploitation allows attackers to affect Integrity. oval:org.secpod.oval:def:45166 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162, 10 or JRockit: R28.3.17 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Security. Successful exploitation allows attackers to affect Confidentiality, In ... oval:org.secpod.oval:def:45170 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to AWT. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45171 The host is installed with Oracle Java SE through 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JAXP. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45172 The host is installed with Oracle Java SE through 6u181, 7u171 or 8u162 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to RMI. Successful exploitation allows attackers to affect Confidentiality and Integrity. oval:org.secpod.oval:def:45174 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Hotspot. Successful exploitation allows attackers to affect Confidentiality, Integrity and Availabi ... oval:org.secpod.oval:def:45175 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Serialization. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:704911 php5: HTML-embedded scripting language interpreter Details: USN-3922-1 fixed vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 14.04 LTS. It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to access sensitive informa ... oval:org.secpod.oval:def:54514 php5: HTML-embedded scripting language interpreter Details: USN-3922-1 fixed vulnerabilities in PHP. This update provides the corresponding update for Linux Mint 17.x LTS. It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to access sensitive info ... oval:org.secpod.oval:def:51127 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:47405 The host is installed with Artifex Ghostscript before 9.24 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to properly handle the .setdistillerkeys PostScript command. Successful exploitation could allow attackers to supply crafted postScript file ... oval:org.secpod.oval:def:53411 Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed . oval:org.secpod.oval:def:704319 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:1700083 It was discovered that the ghostscript .shfill operator did not properly validate certain types. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document. ... oval:org.secpod.oval:def:51113 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:51203 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-oem: Linux kernel for OEM processors - linux-gcp: Linux kernel for Google Cloud Platform systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:1502394 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502395 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:53006 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-oem: Linux kernel for OEM processors - linux-gcp: Linux kernel for Google Cloud Platform systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52113 linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704300 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704301 linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704461 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-oem: Linux kernel for OEM processors - linux-gcp: Linux kernel for Google Cloud Platform systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704142 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704139 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52932 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52054 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52950 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704302 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:114358 The kernel meta package oval:org.secpod.oval:def:114328 The kernel meta package oval:org.secpod.oval:def:1600892 A weakness was found in the Linux kernel#039;s implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated. A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch oper ... oval:org.secpod.oval:def:114143 The kernel meta package oval:org.secpod.oval:def:114145 The kernel meta package oval:org.secpod.oval:def:704089 linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:603383 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-9016 Ming Lei reported a race condition in the multiqueue block layer . On a system with a driver using blk-mq , a local user might be able to us ... oval:org.secpod.oval:def:603384 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controllin ... oval:org.secpod.oval:def:114282 The kernel meta package oval:org.secpod.oval:def:53315 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controllin ... oval:org.secpod.oval:def:34616 The host is missing a security update according to Apple advisory, APPLE-SA-2016-05-16-4. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to properly handle unspecified vectors. Successful exploitation could allow remote attackers to caus ... oval:org.secpod.oval:def:36575 The host is missing an important security update according to Mozilla advisory, MFSA2016-68. The update is required to fix an out-of-bounds read vulnerability. A flaw is present in the application, which fail to handle malformed XML data. Successful exploitation allows remote attackers to read other ... oval:org.secpod.oval:def:36574 The host is installed with Mozilla Firefox before 48.0 or iTunes before 12.6 and is prone to an out-of-bounds read vulnerability. A flaw is present in the application, which fails to handle malformed XML data. Successful exploitation allows remote attackers to read other inaccessible memory. oval:org.secpod.oval:def:43599 Mozilla Firefox before 58.0 :- Mozilla developers and community members reported memory safety bugs present in Firefox. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. oval:org.secpod.oval:def:43589 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 :- A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43588 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- Mozilla developers and community members reported memory safety bugs present in Firefox, Firefox ESR and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort th ... oval:org.secpod.oval:def:43593 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when the widget listener is holding strong references to browser objects that have previously been freed, resulting in a potentially exploitable crash when these references a ... oval:org.secpod.oval:def:43592 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when form input elements, focus, and selections are manipulated by script content. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43591 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitab ... oval:org.secpod.oval:def:43590 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 8 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially e ... oval:org.secpod.oval:def:43597 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displ ... oval:org.secpod.oval:def:43596 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during font face manipulation when a font face is freed while still in use, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:43595 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during mouse event handling due to issues with multiprocess support. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43594 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when manipulating HTML media elements with media streams, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:43601 Mozilla Firefox before 58.0 :- A heap buffer overflow vulnerability may occur in WebAssembly during Memory/Table resizing, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:43600 Mozilla Firefox before 58.0 :- A use-after-free vulnerability can occur when the thread for a Web Worker is freed from memory prematurely instead of from memory in the main thread while cancelling fetch operations. oval:org.secpod.oval:def:43605 Mozilla Firefox before 58.0 :- WebExtensions can bypass user prompts to first save and then open an arbitrarily downloaded file. This can result in an executable file running with local user privileges without explicit user consent. oval:org.secpod.oval:def:43604 Mozilla Firefox before 58.0 :- A use-after-free vulnerability can occur when manipulating floating first-letter style elements, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:43603 Mozilla Firefox before 58.0 :- A use-after-free vulnerability can occur when arguments passed to the IsPotentiallyScrollable function are freed while still in use by scripts. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43602 Mozilla Firefox before 58.0 :- A heap buffer overflow vulnerability may occur in WebAssembly when shrinkElements is called followed by garbage collection on memory that is now uninitialized. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43609 Mozilla Firefox before 58.0 :- An audio capture session can started under an incorrect origin from the site making the capture request. Users are still prompted to allow the request but the prompt can display the wrong origin, leading to user confusion about which site is making the request to captu ... oval:org.secpod.oval:def:43608 Mozilla Firefox before 58.0 :- A Blob URL can violate origin attribute segregation, allowing it to be accessed from a private browsing tab and for data to be passed between the private browsing tab and a normal tab. This could allow for the leaking of private information specific to the private brow ... oval:org.secpod.oval:def:43607 Mozilla Firefox before 58.0 :- The printing process can bypass local access protections to read files available through symlinks, bypassing local file restrictions. The printing process requires files in a specific format so arbitrary data cannot be read but it is possible that some local file infor ... oval:org.secpod.oval:def:43606 Mozilla Firefox before 58.0 :- Style editor traffic in the Developer Tools can be routed through a service worker hosted on a third party website if a user selects error links when these tools are open. This can allow style editor information used within Developer Tools to leak cross-origin. oval:org.secpod.oval:def:43612 Mozilla Firefox before 58.0 :- Development Tools panels of an extension are required to load URLs for the panels as relative URLs from the extension manifest file but this requirement was not enforced in all instances. This could allow the development tools panel for the extension to load a URL that ... oval:org.secpod.oval:def:43611 Mozilla Firefox before 58.0 :- When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. This allows for phishing attacks where a malicious page can spoof the identify of another site. oval:org.secpod.oval:def:43610 Mozilla Firefox before 58.0 :- A potential integer overflow in the DoCrypt function of WebCrypto was identified. If a means was found of exploiting it, it could result in an out-of-bounds write. oval:org.secpod.oval:def:43616 Mozilla Firefox before 58.0 :- WebExtensions with the ActiveTab permission are able to access frames hosted within the active tab even if the frames are cross-origin. Malicious extensions can inject frames from arbitrary origins into the loaded page and then interact with them, bypassing same-origin ... oval:org.secpod.oval:def:43615 Mozilla Firefox before 58.0 :- If an HTTP authentication prompt is triggered by a background network request from a page or extension, it is displayed over the currently loaded foreground page. Although the prompt contains the real domain making the request, this can result in user confusion about t ... oval:org.secpod.oval:def:43614 Mozilla Firefox before 58.0 :- If an existing cookie is changed to be HttpOnly while a document is open, the original value remains accessible through script until that document is closed. Network requests correctly use the changed HttpOnly cookie. oval:org.secpod.oval:def:43613 Mozilla Firefox before 58.0 :- The browser.identity.launchWebAuthFlow function of WebExtensions is only allowed to load content over https: but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension. oval:org.secpod.oval:def:43619 The host is missing a critical security update according to Mozilla advisory, MFSA2018-02. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:43618 Mozilla Firefox before 58.0 :- The reader view will display cross-origin content when CORS headers are set to prohibit the loading of cross-origin content by a site. This could allow access to content that should be restricted in reader view. oval:org.secpod.oval:def:43617 Mozilla Firefox before 58.0 :- The screenshot images displayed in the Activity Stream page displayed when a new tab is opened is created from the meta tags of websites. An issue was discovered where the page could attempt to create these images through file: URLs from the local file system. This loa ... oval:org.secpod.oval:def:50799 The host is missing a high security update according to Mozilla advisory, MFSA2019-04. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:45487 Mozilla Firefox before 60.0, Firefox or ESR before 52.8 : Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party ... oval:org.secpod.oval:def:45488 Mozilla Firefox before 60.0, Firefox or ESR before 52.8 : The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. oval:org.secpod.oval:def:45489 Mozilla Firefox before 60.0, Firefox, Thunderbird or ESR before 52.8 : An integer overflow can occur in the Skia library due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable b ... oval:org.secpod.oval:def:45512 The host is missing a critical security update according to Mozilla advisory, MFSA2018-11. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:47371 Mozilla Firefox 62, Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : Mozilla developers and community members Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, and Andrei ... oval:org.secpod.oval:def:47370 Mozilla Firefox 62 : Mozilla developers and community members Christian Holler, Looben Yang, Jesse Ruderman, Sebastian Hengst, Nicolas Grunbaum, and Gary Kwong reported memory safety bugs present in Firefox 61. Some of these bugs showed evidence of memory corruption and we presume that with enough e ... oval:org.secpod.oval:def:47373 Mozilla Firefox 62, Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. oval:org.secpod.oval:def:47372 Mozilla Firefox 62, Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. oval:org.secpod.oval:def:47375 Mozilla Firefox 62, Mozilla Firefox ESR 60.2.1, Mozilla Thunderbird 60.2.1 : If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was ... oval:org.secpod.oval:def:46108 The host is missing a critical security update according to Mozilla advisory, MFSA2018-15. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:46113 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A use-after-free vulnerability can occur when deleting an code input/code element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash. oval:org.secpod.oval:def:46112 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A buffer overflow can occur when rendering canvas content while adjusting the height and width of the 'canvas' element dynamically, causing data to be written outside of the currently computed boundaries. This results i ... oval:org.secpod.oval:def:46118 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. oval:org.secpod.oval:def:46125 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occuring. This can result in stream data being cast to the wrong type causing a potentially exploitable cra ... oval:org.secpod.oval:def:46128 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety ... oval:org.secpod.oval:def:49280 The host is installed with Google Chrome before 71.0.3578.80, Firefox before 65.0.1, Firefox ESR before 60.5.1 or Thunderbird before 60.5.1 and is prone to a use after free vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows ... oval:org.secpod.oval:def:47607 Mozilla Firefox 62.0.2, Mozilla Firefox ESR 60.2.1, Mozilla Thunderbird 60.2.1 : A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerab ... oval:org.secpod.oval:def:47605 The host is missing a moderate security update according to Mozilla advisory, MFSA2018-22. The update is required to fix a denial of service vulnerability. A flaw is present in the application, which fails to handle the TransportSecurityInfo used for SSL. Successful exploitation allows attackers to ... oval:org.secpod.oval:def:50460 Mozilla Firefox 65 or Firefox ESR 60.6 : When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior i ... oval:org.secpod.oval:def:50452 The host is missing a critical security update according to Mozilla advisory, MFSA2019-01. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:50454 Mozilla Firefox 65, Mozilla Firefox ESR 60.5 and Mozilla Thunderbird 60.5 : A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash ... oval:org.secpod.oval:def:50455 Mozilla Firefox 64, Mozilla Firefox ESR 60.4 and Mozilla Thunderbird 60.5 : Mozilla developers and community members Alex Gaynor, Christoph Diehl, Steven Crane, Jason Kratzer, Gary Kwong, and Christian Holler reported memory safety bugs present in Firefox 64 and Firefox ESR 60.4. Some of these bugs ... oval:org.secpod.oval:def:50459 Mozilla Firefox 65, Mozilla Firefox ESR 60.5 and Mozilla Thunderbird 60.5 : An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication between IPC endpoints and server parents during IPC process creation. This authentication is insuffi ... oval:org.secpod.oval:def:47769 Mozilla Firefox 62.0.3, Mozilla Firefox ESR 60.2.2 : A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as ... oval:org.secpod.oval:def:47770 The host is missing a critical security update according to Mozilla advisory, MFSA2018-24. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:44694 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : A buffer overflow can occur when manipulating the SVG animatedPathSegList through script. This results in a potentially exploitable crash. oval:org.secpod.oval:def:44695 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process. oval:org.secpod.oval:def:44696 Mozilla Firefox before 59.0 or Firefox ESR before 52.7 : When packets with a mismatched RTP payload type are sent in WebRTC connections, in some circumstances a potentially exploitable crash is triggered. oval:org.secpod.oval:def:44697 Mozilla Firefox before 59.0 or Firefox ESR before 52.7 : Under certain circumstances the fetch() API can return transient local copies of resources that were sent with a no-store or no-cache cache header instead of downloading a copy from the network as it should. This can result in previously store ... oval:org.secpod.oval:def:44693 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : Mozilla developers and community members reported memory safety bugs present in Firefox and Firefox ESR. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these ... oval:org.secpod.oval:def:44698 Mozilla Firefox before 59.0 : Mozilla developers and community members reported memory safety bugs present in Firefox. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. oval:org.secpod.oval:def:44699 Mozilla Firefox before 59.0 : A use-after-free vulnerability can occur when manipulating elements, events, and selection ranges during editor operations. This results in a potentially exploitable crash. oval:org.secpod.oval:def:44713 The host is missing a critical security update according to Mozilla advisory, MFSA2018-06. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:44766 Mozilla Firefox before 59.0.1 or Firefox ESR before 52.7.2 : An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. oval:org.secpod.oval:def:44767 The host is missing a critical security update according to Mozilla advisory, MFSA2018-08. The update is required to fix out-of-bound memory write vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the se ... oval:org.secpod.oval:def:44774 Mozilla Firefox before 59.0.2 or Firefox ESR before 52.7.3 : A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash. oval:org.secpod.oval:def:44775 The host is missing a important security update according to Mozilla advisory, MFSA2018-10. The update is required to fix use-after-free vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the service. oval:org.secpod.oval:def:46789 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:46752 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:46827 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:46821 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:53380 Several vulnerabilities have been discovered in the chromium web browser. CVE-2018-4117 AhsanEjaz discovered an information leak. Rob Wu discovered a way to escalate privileges using extensions. CVE-2018-6150 Rob Wu discovered an information disclosure issue . CVE-2018-6151 Rob Wu discovered an issu ... oval:org.secpod.oval:def:115022 Chromium is an open-source web browser, powered by WebKit . oval:org.secpod.oval:def:115120 Chromium is an open-source web browser, powered by WebKit . |