oval:org.secpod.oval:def:1600841 - Remote DoS via search filters in slapi_filter_sprintf in slapd/util.c. A stack buffer overflow flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus ...
oval:org.secpod.oval:def:1600895 - It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of ...
oval:org.secpod.oval:def:116890 - dtkwidget is installed
oval:org.secpod.oval:def:1501787 - It was found that IdM's ca-del, ca-disable, and ca-enable commands did not properly check the user's permissions while modifying CAs in Dogtag. An authenticated, unauthorized attacker could use this flaw to delete, disable, or enable CAs, causing various denial of service problems with certificate is ...
oval:org.secpod.oval:def:112087 - IPA is an integrated solution to provide centrally managed Identity, Authentication, and Authorization. The solution provides features for further integration with Linux based clients and integration with Active Directory based infrastructures.
oval:org.secpod.oval:def:501985 - Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Security Fix: * It was found that IdM's ca-del, ca-disable, and ca-enable commands did not properly check the user's permissions ...
oval:org.secpod.oval:def:52443 - tiff: Tag Image File Format library. Details: USN-2553-1 fixed vulnerabilities in LibTIFF. One of the security fixes caused a regression when saving certain TIFF files with a Predictor tag. The problematic patch has been temporarily backed out until a more complete fix is available. We apologize for ...
oval:org.secpod.oval:def:51993 - firefox: Mozilla Open Source web browser. Details: USN-3544-1 fixed vulnerabilities in Firefox. The update caused a web compatibility regression and a tab crash during printing in some circumstances. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-3544-1 cause ...
oval:org.secpod.oval:def:51946 - firefox: Mozilla Open Source web browser. Details: USN-3477-1 fixed vulnerabilities in Firefox. The update caused search suggestions to not be displayed when performing Google searches from the search bar. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-3477-1 ...
oval:org.secpod.oval:def:52830 - tomcat7: Servlet and JSP engine - tomcat6: Servlet and JSP engine. Details: USN-3177-1 fixed vulnerabilities in Tomcat. The update introduced a regression in environments where Tomcat is started with a security manager. This update fixes the problem. We apologize for the inconvenience. Original advis ...
oval:org.secpod.oval:def:1600885 - Malicious patch files cause ed to execute arbitrary commands. GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files; specifically, the EDITOR_PROGRAM invocation can result in code execution. This attack appears to be exploitable via a patch file processed via th ...
oval:org.secpod.oval:def:54105 - libapache2-mod-auth-mellon: SAML 2.0 authentication module for Apache. Several security issues were fixed in mod_auth_mellon.
oval:org.secpod.oval:def:1502089 - The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1502088 - The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1600819 - Unsanitized input when searching in local cache database. It was found that sssd's sysdb_search_user_by_upn_res function did not sanitize requests when querying its local cache and was vulnerable to injection. In a centralized login environment, if a password hash was locally cached for a given us ...
oval:org.secpod.oval:def:1801558 - A vulnerability was found in popd. It can be tricked into freeing a user supplied address in the following way: $ popd +-111111 This could be used to bypass restricted shells on some environments to cause a use-after-free.
oval:org.secpod.oval:def:115202 - The kernel meta package
oval:org.secpod.oval:def:51895 - bind9: Internet Domain Name Server. Details: USN-3346-1 fixed vulnerabilities in Bind. The fix for CVE-2017-3142 introduced a regression in the ability to receive an AXFR or IXFR in the case where TSIG is used and not every message is signed. This update fixes the problem. In addition, this update ad ...
oval:org.secpod.oval:def:1801080 - CVE-2018-14349: Heap Overflow in imap/command.c. Fixed In Version: mutt 1.10.1
oval:org.secpod.oval:def:1801082 - CVE-2018-14349: Heap Overflow in imap/command.c. Fixed In Version: mutt 1.10.1
oval:org.secpod.oval:def:1801083 - CVE-2018-14349: Heap Overflow in imap/command.c. Fixed In Version: mutt 1.10.1
oval:org.secpod.oval:def:1801084 - CVE-2018-14349: Heap Overflow in imap/command.c. Fixed In Version: mutt 1.10.1
oval:org.secpod.oval:def:1800108 - CVE-2017-5470: Memory safety bugs; CVE-2017-5472: Use-after-free using destroyed node when regenerating trees; CVE-2017-7749: Use-after-free during docshell reloading; CVE-2017-7750: Use-after-free with track elements; CVE-2017-7751: Use-after-free with content viewer listeners; CVE-2017-7752: Use-after- ...
oval:org.secpod.oval:def:1800545 - An out-of-bounds write vulnerability was found in purple_markup_unescape_entity. It can be triggered by sending invalid XML entities separated by whitespace, eg "ஸ". In the default installation, this can get called only when receiving data from a server. Fixed In Version: pidgin 2.12.0
oval:org.secpod.oval:def:602812 - A vulnerability was discovered in Pidgin, a multi-protocol instant messaging client. A server controlled by an attacker can send invalid XML that can trigger an out-of-bounds memory access. This might lead to a crash or, in some extreme cases, to remote code execution on the client side.
oval:org.secpod.oval:def:1800857 - An out-of-bounds write vulnerability was found in purple_markup_unescape_entity. It can be triggered by sending invalid XML entities separated by whitespace, eg "ஸ". In the default installation, this can get called only when receiving data from a server. Fixed In Version: pidgin 2.12.0
oval:org.secpod.oval:def:43821 - systemd: system and service manager. Several security issues were fixed in systemd.
oval:org.secpod.oval:def:54589 - python-gnupg: Python wrapper for the GNU Privacy Guard. Several security issues were fixed in python-gnupg.
oval:org.secpod.oval:def:1600951 - There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h. A crafted input will lead to a remote denial of service attack. The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler allows remote attackers to cause a denial of service via a crafted PDF file, a ...
oval:org.secpod.oval:def:1801298 - spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service or, in the worst case, code execution by unauthenticated attackers. Fixed In Version: spice 0.14.2
oval:org.secpod.oval:def:1801353 - spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service or, in the worst case, code execution by unauthenticated attackers. Fixed In Version: spice 0.14.2
oval:org.secpod.oval:def:1801304 - spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service or, in the worst case, code execution by unauthenticated attackers. Fixed In Version: spice 0.14.2
oval:org.secpod.oval:def:1801305 - spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service or, in the worst case, code execution by unauthenticated attackers. Fixed In Version: spice 0.14.2
oval:org.secpod.oval:def:43598 - Mozilla Firefox ESR before 52.6 or Thunderbird before 52.6: A use-after-free vulnerability can occur while editing events in form elements on a page, resulting in a potentially exploitable crash.
oval:org.secpod.oval:def:43620 - The host is missing a critical security update according to Mozilla advisory MFSA2018-03. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:43778 - The host is missing a critical security update according to Mozilla advisory MFSA2018-04. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:1600868 - Buffer overflow in dhclient possibly allowing code execution triggered by malicious server. An out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client mach ...
oval:org.secpod.oval:def:1600864 - Vorbis audio processing out of bounds write: An out of bounds write flaw was found in the processing of vorbis audio data. A maliciously crafted file or audio stream could cause the application to crash or, potentially, execute arbitrary code.
oval:org.secpod.oval:def:1600893 - A cookie injection flaw was found in wget. An attacker can create a malicious website which, when accessed, overrides cookies belonging to arbitrary domains.
oval:org.secpod.oval:def:1801011 - GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages, allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures.
oval:org.secpod.oval:def:1801014 - GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages, allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures.
oval:org.secpod.oval:def:1801009 - GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages, allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures.
oval:org.secpod.oval:def:1801550 - CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers. Affected versions: 9.4.0-
oval:org.secpod.oval:def:1801551 - CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers. Affected versions: 9.4.0-
oval:org.secpod.oval:def:1801527 - CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone transfers. Affected versions: 9.4.0-
oval:org.secpod.oval:def:1800828 - The comic book backend in evince 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened.
oval:org.secpod.oval:def:1800103 - An exploitable stack based buffer overflow vulnerability exists in GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. Fixed In Vers ...
oval:org.secpod.oval:def:1800201 - An exploitable stack based buffer overflow vulnerability exists in GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. Fixed In Vers ...
oval:org.secpod.oval:def:1600822 - Use-after-free in processing SMB1 requests. A use-after-free flaw was found in the way samba servers handled certain SMB1 requests. An unauthenticated attacker could send specially-crafted SMB1 requests to cause the server to crash or execute arbitrary code. Server heap-memory disclosure. A memory discl ...
oval:org.secpod.oval:def:1800886 - CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements; CVE-2017-7779: Memory safety bugs; CVE-2017-7784: Use-after-free with image observers; CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM; CVE-2017-7786: Buffer overflow while painting non-displayable SVG; CVE-2 ...
oval:org.secpod.oval:def:42277 - The host is missing a critical security update according to Mozilla advisory MFSA2017-22. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:42421 - The host is missing a critical security update according to Mozilla advisory MFSA2017-23. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:42796 - The host is missing a critical security update according to Mozilla advisory MFSA2017-25. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:1800926 - CVE-2018-1050: Denial of Service Attack on external print server. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In Version: Samba 4.7.6, 4.6.14 and 4.5.16.
oval:org.secpod.oval:def:1800962 - CVE-2018-1050: Denial of Service Attack on external print server. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In Version: Samba 4.7.6, 4.6.14 and 4.5.16.
oval:org.secpod.oval:def:1800963 - CVE-2018-1050: Denial of Service Attack on external print server. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In Version: Samba 4.7.6, 4.6.14 and 4.5.16.
oval:org.secpod.oval:def:1800964 - CVE-2018-1050: Denial of Service Attack on external print server. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In Version: Samba 4.7.6, 4.6.14 and 4.5.16.
oval:org.secpod.oval:def:1800928 - CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write. Affected versions: curl 7.12.3 to and including curl 7.58.0. Not affected versions: curl = 7.59.0
oval:org.secpod.oval:def:1800930 - CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write. Affected versions: curl 7.12.3 to and including curl 7.58.0. Not affected versions: curl = 7.59.0
oval:org.secpod.oval:def:1800931 - CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write. Affected versions: curl 7.12.3 to and including curl 7.58.0. Not affected versions: curl = 7.59.0
oval:org.secpod.oval:def:1800947 - CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write. Affected versions: curl 7.12.3 to and including curl 7.58.0. Not affected versions: curl = 7.59.0
oval:org.secpod.oval:def:1600843 - Out-of-bounds read in code handling HTTP/2 trailers: libcurl contains an out of bounds read in code handling HTTP/2 trailers. It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTT ...
oval:org.secpod.oval:def:1600871 - FTP path trickery leads to NIL byte out of bounds write: It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, re ...
oval:org.secpod.oval:def:1800161 - CVE-2018-1000005: HTTP/2 trailer out-of-bounds read. Affected versions: libcurl 7.49.0 to and including 7.57.0. Not affected versions: libcurl = 7.58.0
oval:org.secpod.oval:def:1800705 - CVE-2018-1000005: HTTP/2 trailer out-of-bounds read. Affected versions: libcurl 7.49.0 to and including 7.57.0. Not affected versions: libcurl = 7.58.0
oval:org.secpod.oval:def:1502005 - The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:502115 - Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The following packages have been upgraded to a later upstream version: pidgin. Security Fix: * A denial of service flaw was found in the way Pidgin's Mxit plug-in han ...
oval:org.secpod.oval:def:108443 - The FreeType engine is a free and portable font rendering engine, developed to provide advanced font support for a variety of platforms and environments. FreeType is a library which can open and manage font files as well as efficiently load, hint and render individual glyphs. FreeType is not a font ...
oval:org.secpod.oval:def:52460 - wpa: client support for WPA and WPA2. wpa_supplicant could be made to crash, expose memory, or run programs if it received specially crafted network traffic.
oval:org.secpod.oval:def:109373 - wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2. Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association ...
oval:org.secpod.oval:def:1501035 - The wpa_supplicant package contains an 802.1X Supplicant with support for WEP, WPA, WPA2, and various EAP authentication methods. It implements key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. A ...
oval:org.secpod.oval:def:108789 - wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2. Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association ...
oval:org.secpod.oval:def:602065 - The Google security team and the smart hardware research group of the Alibaba security team discovered a flaw in how wpa_supplicant used SSID information when creating or updating P2P peer entries. A remote attacker can use this flaw to cause wpa_supplicant to crash, expose memory contents, and potentia ...
oval:org.secpod.oval:def:501578 - The wpa_supplicant package contains an 802.1X Supplicant with support for WEP, WPA, WPA2, and various EAP authentication methods. It implements key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. A ...
oval:org.secpod.oval:def:108854 - wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2. Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association ...
oval:org.secpod.oval:def:49284 - The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:41727 - The host is missing a critical security update according to Mozilla advisory MFSA2017-19. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code o ...
oval:org.secpod.oval:def:49217 - The host is installed with Artifex Ghostscript before 9.26 and is prone to a type confusion vulnerability. A flaw is present in the application, which fails to properly handle the psi/zicc.c component. Successful exploitation could allow attackers to bypass intended access restrictions because of a setc ...
oval:org.secpod.oval:def:49218 - The host is installed with Artifex Ghostscript before 9.26 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle the psi/zdevice2.c component. Successful exploitation could allow attackers to bypass intended access restrictions because avai ...
oval:org.secpod.oval:def:49215 - The host is installed with Artifex Ghostscript before 9.26 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle the LockSafetyParams device parameter. Successful exploitation could allow attackers to bypass security restrictions on the sys ...
oval:org.secpod.oval:def:49216 - The host is installed with Artifex Ghostscript before 9.26 and is prone to a type confusion vulnerability. A flaw is present in the application, which fails to properly handle the psi/zfjbig2.c component. Successful exploitation could allow attackers to bypass intended access restrictions because of a J ...
oval:org.secpod.oval:def:204731 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.2. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:204721 - Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.5.1 ESR. Security Fix: * A privacy flaw was discovered in Firefox. In Private Browsing mode, a web worker could write persistent data to IndexedDB, which was not cleared when exiting and would persist across mu ...
oval:org.secpod.oval:def:204716 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:204715 - Liblouis is an open source braille translator and back-translator named in honor of Louis Braille. It features support for computer and literary braille, supports contracted and uncontracted translation for many languages and has support for hyphenation. New languages can easily be added through tab ...
oval:org.secpod.oval:def:204714 - The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch and the Pluggable Authentication Modules interfaces toward the system, and a pluggable back-end system to connect to ...
oval:org.secpod.oval:def:204706 - Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A use-after-free flaw was found in the way samba servers handled c ...
oval:org.secpod.oval:def:204770 - Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Buffer overflow manipulating SVG animatedPathSegList * Mozilla: Out-of-bounds write with malformed IP ...
oval:org.secpod.oval:def:204774 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Memory safety bugs fixed in Firefox ESR 52.7 * Mozilla: Vorbis audio processing out o ...
oval:org.secpod.oval:def:204772 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.2 ESR. Security Fix: * Mozilla: Vorbis audio processing out of bounds write For more details about the security issue, including the impact, ...
oval:org.secpod.oval:def:204763 - Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: Cross-site scripting vulnerability in web UI For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References secti ...
oval:org.secpod.oval:def:204767 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...
oval:org.secpod.oval:def:204751 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:204755 - LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ...
oval:org.secpod.oval:def:204754 - The gcab package contains a utility for managing Cabinet archives. It can list, extract, and create Microsoft cabinet files. Security Fix: * gcab: Extracting malformed .cab files causes stack smashing potentially leading to arbitrary code execution For more details about the security issue, in ...
oval:org.secpod.oval:def:702489 - tiff: Tag Image File Format library. Details: USN-2553-1 fixed vulnerabilities in LibTIFF. One of the security fixes caused a regression when saving certain TIFF files with a Predictor tag. The problematic patch has been temporarily backed out until a more complete fix is available. We apologize for ...
oval:org.secpod.oval:def:204745 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...
oval:org.secpod.oval:def:204744 - 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * A stack buffer overflow flaw was found in the way 389-ds-base handled certain LDAP search fil ...
oval:org.secpod.oval:def:204743 - Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.6.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:204749 - The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...
oval:org.secpod.oval:def:702430 - freetype: FreeType 2 is a font engine library. FreeType could be made to crash or run programs as your login if it opened a specially crafted file.
oval:org.secpod.oval:def:203584 - FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled ...
oval:org.secpod.oval:def:48036 - The host is installed with Google Chrome before 70.0.3538.67 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:48037 - The host is installed with Google Chrome before 70.0.3538.67 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:49784 - The host is missing a critical security update according to Mozilla advisory MFSA2018-30. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code.
oval:org.secpod.oval:def:41827 - The host is missing a critical security update according to Mozilla advisory MFSA2017-20. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code o ...
oval:org.secpod.oval:def:204476 - 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * An invalid pointer dereference flaw was found in the way 389-ds-base handled LDAP bind requests ...
oval:org.secpod.oval:def:204474 - The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program. Security Fix: * A race condition was found in the way su handled the management of child pr ...
oval:org.secpod.oval:def:204850 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow usin ...
oval:org.secpod.oval:def:204855 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.9.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow using computed size of canvas element * Mozilla: Use ...
oval:org.secpod.oval:def:204821 - LibVNCServer is a C library that enables you to implement VNC server functionality into your own programs. Security Fix: * libvncserver: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c For more details about the security issue, including the impact, a CVSS score, and other re ...
oval:org.secpod.oval:def:204820 - The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix: * Mozilla: Vorbis audio processing out of bounds ...
oval:org.secpod.oval:def:204826 - 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: ns-slapd crash via large filter value in ldapsearch For more details about the ...
oval:org.secpod.oval:def:204891 - The SpamAssassin tool provides a way to reduce unsolicited commercial email from incoming email. Security Fix: * spamassassin: Certain unclosed tags in crafted emails allow for scan timeouts and result in denial of service * spamassassin: Local user code injection in the meta rule syntax For more ...
oval:org.secpod.oval:def:204886 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.1 ESR. Security Fix: * Mozilla: Crash in TransportSecurityInfo due to cached data * Mozilla: Setting a master password post-Firefox 58 does no ...
oval:org.secpod.oval:def:703451 - tomcat7: Servlet and JSP engine - tomcat6: Servlet and JSP engine. Details: USN-3177-1 fixed vulnerabilities in Tomcat. The update introduced a regression in environments where Tomcat is started with a security manager. This update fixes the problem. We apologize for the inconvenience. Original advis ...
oval:org.secpod.oval:def:204871 - PostgreSQL is an advanced object-relational database management system. The following packages have been upgraded to a later upstream version: postgresql. Security Fix: * postgresql: Certain host connection parameters defeat client-side security defenses For more details about the security issue ...
oval:org.secpod.oval:def:204875 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozi ...
oval:org.secpod.oval:def:204868 - Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. Security Fix: * mutt: Remote code injection vulnerability to an IMAP mailbox * mutt: Remote Code Execu ...
oval:org.secpod.oval:def:204813 - The procps-ng packages contain a set of system utilities that provide system information, including ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx. Security Fix: * procps-ng, procps: Integer overflows leading to heap overflow in file2strvec * procps-ng, procps: ...
oval:org.secpod.oval:def:204819 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.3 ESR. Security Fix: * firefox: Use-after-free in compositor potentially allows code execution For more details about the security issue, incl ...
oval:org.secpod.oval:def:204818 - The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file. Patch should ...
oval:org.secpod.oval:def:702517 - wpa: client support for WPA and WPA2. wpa_supplicant could be made to crash, expose memory, or run programs if it received specially crafted network traffic.
oval:org.secpod.oval:def:204160 - The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program. Security Fix: * It was found that util-linux's libblkid library did not properly handle Ext ...
oval:org.secpod.oval:def:204181 - FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled ...
oval:org.secpod.oval:def:204573 - Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 52.4.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204563 The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, exec ... oval:org.secpod.oval:def:204567 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.4.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:40633 bash: GNU Bourne Again SHell Several security issues were fixed in Bash. oval:org.secpod.oval:def:204589 The bash packages provide Bash , which is the default shell for Red Hat Enterprise Linux. Security Fix: * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines ... oval:org.secpod.oval:def:204588 Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * A stack-based buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler to crash, or potentially execut ... oval:org.secpod.oval:def:203642 The wpa_supplicant package contains an 802.1X Supplicant with support for WEP, WPA, WPA2 , and various EAP authentication methods. 
It implements key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver. A ... oval:org.secpod.oval:def:204535 Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects. Security Fix: * A flaw was found in the way "hg serve --stdio" command in Mercurial handled command-line options. A remote, authenticated attacker could use ... oval:org.secpod.oval:def:204537 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * A flaw was found in the way BIND handled TSIG authentication for dynamic ... oval:org.secpod.oval:def:204522 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.2.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204516 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.2.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:703522 pidgin: graphical multi-protocol instant messaging client for X Pidgin could be made to crash or run programs if it received specially crafted network traffic. 
oval:org.secpod.oval:def:1500945 The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. oval:org.secpod.oval:def:1500946 The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. oval:org.secpod.oval:def:40397 The host is installed with Pidgin before 2.12.0 and is prone to an out-of-bounds write vulnerability. A flaw is present in the application, which fails to properly handle a invalid xml. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:204697 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.5.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:204666 Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The following packages have been upgraded to a later upstream version: pidgin . Security Fix: * A denial of service flaw was found in the way Pidgin"s Mxit plug-in han ... oval:org.secpod.oval:def:204606 The evince packages provide a simple multi-page document viewer for Portable Document Format , PostScript , Encapsulated PostScript files, and, with additional back-ends, also the Device Independent File format files. Security Fix: * It was found that evince did not properly sanitize the command l ... 
oval:org.secpod.oval:def:49637 The host is installed with Google Chrome before 71.0.3578.80 and is prone to a use after free vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:49638 The host is installed with Google Chrome before 71.0.3578.80 and is prone to a use after free vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:49646 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:49645 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:204641 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.3.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:204645 The libsoup packages provide an HTTP client and server library for GNOME. Security Fix: * A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially ... oval:org.secpod.oval:def:204625 Mozilla Firefox is an open source web browser. 
This update upgrades Firefox to version 52.3.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:54507 Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL PostScript/PDF interpreter, which could result in bypass of file system restrictions of the dSAFER sandbox. oval:org.secpod.oval:def:1600941 Paramiko contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity. This issue does not affect instances where only the ssh client functionality of the paramiko library is used. oval:org.secpod.oval:def:1801333 Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code. Fixed In Version:¶ python-paramiko 2 ... oval:org.secpod.oval:def:1801336 Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code. Fixed In Version:¶ python-paramiko 2 ... oval:org.secpod.oval:def:1801329 Python Paramiko through versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 is vulnerable to an authentication bypass in paramiko/auth_handler.py. A remote attacker could exploit this vulnerability in paramiko SSH servers to execute arbitrary code. Fixed In Version:¶ python-paramiko 2 ... oval:org.secpod.oval:def:54505 Chris Coulson discovered several vulnerabilities in libssh2, a SSH2 client-side library, which could result in denial of service, information leaks or the execution of arbitrary code. 
oval:org.secpod.oval:def:1600927 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... oval:org.secpod.oval:def:1600960 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... oval:org.secpod.oval:def:1600889 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of ... oval:org.secpod.oval:def:1600887 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromis ... oval:org.secpod.oval:def:204867 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * mysql: Client programs unspecified vulnerability * mysql: Server: DML unspecified vulnerability * my ... oval:org.secpod.oval:def:1600900 A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have ... 
oval:org.secpod.oval:def:204851 The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification For more details abou ... oval:org.secpod.oval:def:1600890 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of ... oval:org.secpod.oval:def:48027 The host is missing an important security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:48060 The host is missing an important security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:48061 The host is missing an important security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact. oval:org.secpod.oval:def:603017 The security update announced as DSA-3904-1 in bind9 introduced a regression. The fix for CVE-2017-3142 broke verification of TSIG signed TCP message sequences where not all the messages contain TSIG records. This is conform to the spec and may be used in AXFR and IXFR response. 
oval:org.secpod.oval:def:116181 Openwsman is a project intended to provide an open-source implementation of the Web Services Management specification and to expose system management information on the Linux operating system using the WS-Management protocol. WS-Management is based on a suite of web services specifications and usag ... oval:org.secpod.oval:def:116173 Openwsman is a project intended to provide an open-source implementation of the Web Services Management specification and to expose system management information on the Linux operating system using the WS-Management protocol. WS-Management is based on a suite of web services specifications and usag ... oval:org.secpod.oval:def:502544 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: incomplete fix for CVE-2018-16509 For more details about the security issue ... oval:org.secpod.oval:def:1502399 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1600939 A vulnerability was discovered in 389-ds-base. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency. An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash.A race condition was found in the way 38 ... oval:org.secpod.oval:def:204879 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: race condition on reference counter leads to DoS using persistent search * 389- ... 
oval:org.secpod.oval:def:1600907 A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal ... oval:org.secpod.oval:def:204861 The yum-utils packages provide a collection of utilities and examples for the yum package manager to make yum easier and more powerful to use. Security Fix: * yum-utils: reposync: improper path validation may lead to directory traversal For more details about the security issue, including the impac ... oval:org.secpod.oval:def:703842 ceph: distributed storage and file system Several security issues were fixed in Ceph. oval:org.secpod.oval:def:204468 OpenJPEG is an open source library for reading and writing image files in JPEG2000 format. Security Fix: * Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in OpenJPEG. A specially crafted JPEG2000 image could cause an application using OpenJPEG to crash or, potent ... oval:org.secpod.oval:def:204722 PostgreSQL is an advanced object-relational database management system . Security Fix: * Privilege escalation flaws were found in the initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. Note: T ... oval:org.secpod.oval:def:1502087 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:39116 The host installed with kernel package on RHEL 7 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to handle clearing of SELinux attributes. Successful exploitation could allow attackers to empty (null) write to /proc/pid/attr file that can crash th ... 
oval:org.secpod.oval:def:502208 PostgreSQL is an advanced object-relational database management system . Security Fix: * Privilege escalation flaws were found in the initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. Note: T ... oval:org.secpod.oval:def:43820 The host is installed with oracle webLogic server 12.1.3.0, 12.2.1.2 or 12.2.1.3, and is prone to an information disclosure vulnerability. A flaw is present in the application, which fails to handle unauthenticated data access. Successful exploitaion can result in unauthorized read access to a subse ... oval:org.secpod.oval:def:1800905 CVE-2017-12150: SMB1/2/3 connections may not require signing where they should Affected versions: samba 3.0.25 to 4.6.7 Fixed In: samba 4.6.8, 4.5.14 and 4.4.16 oval:org.secpod.oval:def:204786 Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos ... oval:org.secpod.oval:def:204560 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * It was found that samba did not enforce "SMB signing" wh ... 
oval:org.secpod.oval:def:1800860 CVE-2017-12150: SMB1/2/3 connections may not require signing where they should Affected versions:¶ samba 3.0.25 to 4.6.7 Fixed in:¶ samba 4.6.8, 4.5.14 and 4.4.16 oval:org.secpod.oval:def:1800862 CVE-2017-12150: SMB1/2/3 connections may not require signing where they should Affected versions: samba 3.0.25 to 4.6.7 Fixed in: samba 4.6.8, 4.5.14 and 4.4.16 oval:org.secpod.oval:def:1600891 Command injection vulnerability in the DHCP client NetworkManager integration scriptA command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Amazon Linux 2. A malicious DHCP server, or an attacker on the local network able to spoof DHCP resp ... oval:org.secpod.oval:def:1600866 Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c:It was found that 389-ds-base did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass ... oval:org.secpod.oval:def:204759 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: remote Denial of Service via search filters in SetUnicodeStringFromUTF_8 in col ... oval:org.secpod.oval:def:703576 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:1600920 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... 
oval:org.secpod.oval:def:1600929 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... oval:org.secpod.oval:def:1600948 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ... oval:org.secpod.oval:def:1502078 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502206 Liblouis is an open source braille translator and back-translator named in honor of Louis Braille. It features support for computer and literary braille, supports contracted and uncontracted translation for many languages and has support for hyphenation. New languages can easily be added through tab ... oval:org.secpod.oval:def:53040 The host is missing a critical security update according to Mozilla advisory, MFSA2019-08. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:54108 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:111722 The OpenJPEG library is an open-source JPEG 2000 library developed in order to promote the use of JPEG 2000. This package contains * JPEG 2000 codec compliant with the Part 1 of the standard . * JP2 oval:org.secpod.oval:def:111727 The OpenJPEG library is an open-source JPEG 2000 library developed in order to promote the use of JPEG 2000. 
This package contains * JPEG 2000 codec compliant with the Part 1 of the standard . * JP2 oval:org.secpod.oval:def:111834 MinGW Windows openjpeg2 library. oval:org.secpod.oval:def:111835 MinGW Windows openjpeg2 library. oval:org.secpod.oval:def:112582 BIND is an implementation of the DNS protocols. This package set contains only export version of BIND libraries, that are used for building ISC DHCP. oval:org.secpod.oval:def:112572 DHCP oval:org.secpod.oval:def:112597 This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server. oval:org.secpod.oval:def:112594 BIND is an implementation of the DNS protocols. BIND includes a DNS server , which resolves host names to IP addresses; a resolver library ; and tools for verifying that the DNS server is operating properly. oval:org.secpod.oval:def:112567 This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server. oval:org.secpod.oval:def:112568 BIND is an implementation of the DNS protocols. BIND includes a DNS server , which resolves host names to IP addresses; a resolver library ; and tools for verifying that the DNS server is operating properly. oval:org.secpod.oval:def:112564 This is dnsperf, a collection of DNS server performance testing tools. For more information, see the dnsperf and resperf man pages. oval:org.secpod.oval:def:112608 This is dnsperf, a collection of DNS server performance testing tools. For more information, see the dnsperf and resperf man pages. oval:org.secpod.oval:def:1800652 CVE-2017-9462: Python debugger accessible to authorized users In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name. 
oval:org.secpod.oval:def:1800673 CVE-2017-1000115: Mercurial"s symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository. oval:org.secpod.oval:def:53127 Several issues were discovered in Mercurial, a distributed revision control system. CVE-2017-9462 Jonathan Claudius of Mozilla discovered that repositories served over stdio could be tricked into granting authorized users access to the Python debugger. CVE-2017-1000115 Mercurial"s symlink auditing ... oval:org.secpod.oval:def:1800490 CVE-2017-9462: Python debugger accessible to authorized users In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name. oval:org.secpod.oval:def:603088 Several issues were discovered in Mercurial, a distributed revision control system. CVE-2017-9462 Jonathan Claudius of Mozilla discovered that repositories served over stdio could be tricked into granting authorized users access to the Python debugger. CVE-2017-1000115 Mercurial"s symlink auditing ... oval:org.secpod.oval:def:2000515 An error within the "leaf_hdr_load_raw" function in LibRaw versions prior to 0.18.8 can be exploited to trigger a NULL pointer dereference. oval:org.secpod.oval:def:2000408 A boundary error within the "quicktake_100_load_raw" function in LibRaw versions prior to 0.18.8 can be exploited to cause a stack-based buffer overflow and subsequently cause a crash. oval:org.secpod.oval:def:1502469 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:205197 Openwsman is a project intended to provide an open source implementation of the Web Services Management specification and to expose system management information on the Linux operating system using the WS-Management protocol. 
WS-Management is based on a suite of web services specifications and usag ...
oval:org.secpod.oval:def:1700161 Earlier versions of Openwsman are vulnerable to arbitrary file disclosure because the working directory of the openwsmand daemon was set to the root directory. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to the openwsman server.
oval:org.secpod.oval:def:1502319 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:502631 Openwsman is a project intended to provide an open source implementation of the Web Services Management specification and to expose system management information on the Linux operating system using the WS-Management protocol. WS-Management is based on a suite of web services specifications and usag ...
oval:org.secpod.oval:def:502657 Openwsman is a project intended to provide an open source implementation of the Web Services Management specification and to expose system management information on the Linux operating system using the WS-Management protocol. WS-Management is based on a suite of web services specifications and usag ...
oval:org.secpod.oval:def:1700085 A vulnerability was discovered in 389-ds-base. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency. An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash. A race condition was found in the way 38 ...
oval:org.secpod.oval:def:502364 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: race condition on reference counter leads to DoS using persistent search * 389- ...
oval:org.secpod.oval:def:1800901 Improper sequencing during cleanup operations of upstream recursion fetch contexts in BIND can lead to a use-after-free error, triggering an assertion failure and crash in named. Affected BIND versions acting as DNSSEC validating resolvers are currently known to crash with an assertion failure in ne ...
oval:org.secpod.oval:def:1600842 Improper fetch cleanup sequencing in the resolver can cause named to crash: A use-after-free flaw leading to denial of service was found in the way BIND internally handled cleanup operations on upstream recursion fetch contexts. A remote attacker could potentially use this flaw to make named, acting ...
oval:org.secpod.oval:def:204740 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * A use-after-free flaw leading to denial of service was found in the way ...
oval:org.secpod.oval:def:1800274 Improper sequencing during cleanup operations of upstream recursion fetch contexts in BIND can lead to a use-after-free error, triggering an assertion failure and crash in named. Affected BIND versions acting as DNSSEC validating resolvers are currently known to crash with an assertion failure in ne ...
oval:org.secpod.oval:def:1800780 Improper sequencing during cleanup operations of upstream recursion fetch contexts in BIND can lead to a use-after-free error, triggering an assertion failure and crash in named. Affected BIND versions acting as DNSSEC validating resolvers are currently known to crash with an assertion failure in ne ...
oval:org.secpod.oval:def:114861 BIND is an implementation of the DNS protocols. BIND includes a DNS server, which resolves host names to IP addresses; a resolver library; and tools for verifying that the DNS server is operating properly.
oval:org.secpod.oval:def:116049 flatpak is a system for building, distributing and running sandboxed desktop applications on Linux. See https://wiki.gnome.org/Projects/SandboxedApps for more information.
oval:org.secpod.oval:def:52414 freetype: FreeType 2 is a font engine library. FreeType could be made to crash or run programs as your login if it opened a specially crafted file.
oval:org.secpod.oval:def:601984 Mateusz Jurczyk discovered multiple vulnerabilities in Freetype. Opening malformed fonts may result in denial of service or the execution of arbitrary code.
oval:org.secpod.oval:def:203573 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled ...
oval:org.secpod.oval:def:602358 Mateusz Jurczyk discovered multiple vulnerabilities in Freetype. Opening malformed fonts may result in denial of service or the execution of arbitrary code.
oval:org.secpod.oval:def:1200105 Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled Mac fonts. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, ex ...
oval:org.secpod.oval:def:501539 FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently. Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled ...
oval:org.secpod.oval:def:108438 The FreeType engine is a free and portable font rendering engine, developed to provide advanced font support for a variety of platforms and environments. FreeType is a library which can open and manage font files as well as efficiently load, hint and render individual glyphs. FreeType is not a font ...
oval:org.secpod.oval:def:502056 Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects. Security Fix: * A flaw was found in the way the "hg serve --stdio" command in Mercurial handled command-line options. A remote, authenticated attacker could use ...
oval:org.secpod.oval:def:204702 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.5.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:204471 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: An invalid pointer dereference flaw was found in the way 389-ds-base handled LDAP bind requests. A ...
oval:org.secpod.oval:def:1600730 Python debugger accessible to authorized users: A flaw was found in the way the hg serve --stdio command in Mercurial handled command-line options. A remote, authenticated attacker could use this flaw to execute arbitrary code on the Mercurial server by using specially crafted command-line options.
oval:org.secpod.oval:def:1501907 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1501908 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:204572 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.4.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:204565 The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, exec ...
oval:org.secpod.oval:def:204568 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.4.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:204552 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.3.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:204551 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.3.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:204558 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * It was found that samba did not enforce "SMB signing" when certain configuratio ...
oval:org.secpod.oval:def:204559 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A race condition was found in samba server. A malicious samba clie ...
oval:org.secpod.oval:def:204549 Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * An integer overflow leading to heap-based buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler to ...
oval:org.secpod.oval:def:204106 The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtu ...
oval:org.secpod.oval:def:204532 Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects. Security Fix: * A flaw was found in the way the "hg serve --stdio" command in Mercurial handled command-line options. A remote, authenticated attacker could use ...
oval:org.secpod.oval:def:204536 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * A flaw was found in the way BIND handled TSIG authentication for dynamic ...
oval:org.secpod.oval:def:204523 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.2.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:204517 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.2.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:112497 Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects.
oval:org.secpod.oval:def:112490 Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects.
oval:org.secpod.oval:def:204694 The bash packages provide Bash, which is the default shell for Red Hat Enterprise Linux. Security Fix: * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines ...
oval:org.secpod.oval:def:204659 The coreutils packages contain the GNU Core Utilities and represent a combination of the previously used GNU fileutils, sh-utils, and textutils packages. Security Fix: * A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this ...
oval:org.secpod.oval:def:204797 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: ns-slapd crash via large filter value in ldapsearch For more details about the ...
oval:org.secpod.oval:def:204732 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.2. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:204738 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * A use-after-free flaw leading to denial of service was found in the way ...
oval:org.secpod.oval:def:603569 Multiple vulnerabilities were discovered in Ceph, a distributed storage and file system: the cephx authentication protocol was susceptible to replay attacks and calculated signatures incorrectly, ceph mon did not validate capabilities for pool operations, and a format string vulnerability in librado ...
oval:org.secpod.oval:def:204712 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:204711 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * A use-after-free flaw was found in the way samba servers handled certain SMB1 requests. A ...
oval:org.secpod.oval:def:204713 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.5.1 ESR. Security Fix: * A privacy flaw was discovered in Firefox. In Private Browsing mode, a web worker could write persistent data to IndexedDB, which was not cleared when exiting and would persist across mu ...
oval:org.secpod.oval:def:204771 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.2 ESR. Security Fix: * Mozilla: Vorbis audio processing out of bounds write For more details about the security issue, including the impact, ...
oval:org.secpod.oval:def:204778 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file. Patch should ...
oval:org.secpod.oval:def:204776 The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix: * Mozilla: Vorbis audio processing out of bounds ...
oval:org.secpod.oval:def:204775 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Memory safety bugs fixed in Firefox ESR 52.7 * Mozilla: Vorbis audio processing out o ...
oval:org.secpod.oval:def:204779 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.3 ESR. Security Fix: * firefox: Use-after-free in compositor potentially allows code execution For more details about the security issue, incl ...
oval:org.secpod.oval:def:204766 Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: Cross-site scripting vulnerability in web UI For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References secti ...
oval:org.secpod.oval:def:204764 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ...
oval:org.secpod.oval:def:204769 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Buffer overflow manipulating SVG animatedPathSegList * Mozilla: Out-of-bounds write with malformed IP ...
oval:org.secpod.oval:def:204768 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: remote Denial of Service via search filters in SetUnicodeStringFromUTF_8 in col ...
oval:org.secpod.oval:def:204750 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:204756 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...
oval:org.secpod.oval:def:204742 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.6.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:204853 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow usin ...
oval:org.secpod.oval:def:204858 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.9.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow using computed size of canvas element * Mozilla: Use ...
oval:org.secpod.oval:def:204840 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell, but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions, a his ...
oval:org.secpod.oval:def:204843 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: Null pointer indirection in printer server process For mor ...
oval:org.secpod.oval:def:204841 The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch and the Pluggable Authentication Modules interfaces toward the system, and a pluggable back-end system to connect to ...
oval:org.secpod.oval:def:204848 The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch and the Pluggable Authentication Modules interfaces toward the system, and a pluggable back-end system to connect to ...
oval:org.secpod.oval:def:204846 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * samba: Null pointer indirection in printer server process For more details about the sec ...
oval:org.secpod.oval:def:204849 The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification For more details abou ...
oval:org.secpod.oval:def:204833 The procps packages contain a set of system utilities that provide system information. The procps packages include the following utilities: ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, pwdx, sysctl, pmap, and slabtop. Security Fix: * procps-ng, procps: Integer overflow ...
oval:org.secpod.oval:def:204898 The python-paramiko package provides a Python module that implements the SSH2 protocol for encrypted and authenticated connections to remote machines. Unlike SSL, the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. The protocol also includes the abili ...
oval:org.secpod.oval:def:204897 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.2.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozilla: Use-after-free in IndexedDB * Mozilla: Prox ...
oval:org.secpod.oval:def:204884 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.1 ESR. Security Fix: * Mozilla: Crash in TransportSecurityInfo due to cached data * Mozilla: Setting a master password post-Firefox 58 does no ...
oval:org.secpod.oval:def:204888 GlusterFS is a key building block of Red Hat Gluster Storage. It is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system. The glust ...
oval:org.secpod.oval:def:204874 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozi ...
oval:org.secpod.oval:def:204862 The yum-utils packages provide a collection of utilities and examples for the yum package manager to make yum easier and more powerful to use. Security Fix: * yum-utils: reposync: improper path validation may lead to directory traversal For more details about the security issue, including the impac ...
oval:org.secpod.oval:def:204869 Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. Security Fix: * mutt: Remote code injection vulnerability to an IMAP mailbox * mutt: Remote Code Execu ...
oval:org.secpod.oval:def:502290 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...
oval:org.secpod.oval:def:1700074 A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal ...
oval:org.secpod.oval:def:114513 DHCP
oval:org.secpod.oval:def:114512 DHCP
oval:org.secpod.oval:def:1700041 Command injection vulnerability in the DHCP client NetworkManager integration script: A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Amazon Linux 2. A malicious DHCP server, or an attacker on the local network able to spoof DHCP res ...
oval:org.secpod.oval:def:1502218 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1502216 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:50971 Core Plugins for DNF. This package enhances DNF with builddep, config-manager, copr, debug, debuginfo-install, download, needs-restarting, repoclosure, repograph, repomanage, reposync, changelog and repodiff commands. Additionally provides the generate_completion_cache passive plugin.
oval:org.secpod.oval:def:50972 Extras Plugins for DNF.
oval:org.secpod.oval:def:50973 Utility that allows users to manage packages on their systems. It supports RPMs, modules and comps groups and environments.
oval:org.secpod.oval:def:50974 Libcomps is a library for structure-like manipulation of the content of comps XML files. Supports reading and writing XML files and structure modification.
oval:org.secpod.oval:def:50975 A library providing a simplified C and Python API to libsolv.
oval:org.secpod.oval:def:50976 A library providing a C and Python API for downloading repository metadata.
oval:org.secpod.oval:def:1502283 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1502284 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:115138 yum-utils is a collection of utilities and examples for the yum package manager. It includes utilities by different authors that make yum easier and more powerful to use. These tools include: debuginfo-install, find-repos-of-install, needs-restarting, package-cleanup, repoclosure, repodiff, repo-gra ...
oval:org.secpod.oval:def:115146 yum-utils is a collection of utilities and examples for the yum package manager. It includes utilities by different authors that make yum easier and more powerful to use. These tools include: debuginfo-install, find-repos-of-install, needs-restarting, package-cleanup, repoclosure, repodiff, repo-gra ...
oval:org.secpod.oval:def:53351 Danny Grander discovered a directory traversal flaw in plexus-archiver, an Archiver plugin for the Plexus compiler system, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted Zip archive.
oval:org.secpod.oval:def:204834 The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can utilise component-oriented programming to build modular, reusable components that can easily be assembled and reused. The plexus-archiver component prov ...
oval:org.secpod.oval:def:1700057 A path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names. A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vul ...
oval:org.secpod.oval:def:1502242 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:114634 The Plexus project seeks to create end-to-end developer tools for writing applications. At the core is the container, which can be embedded or used for a full scale application server. There are many reusable components for hibernate, form processing, jndi, i18n, velocity, etc. Plexus also includes an ap ...
oval:org.secpod.oval:def:114633 The Plexus project seeks to create end-to-end developer tools for writing applications. At the core is the container, which can be embedded or used for a full scale application server. There are many reusable components for hibernate, form processing, jndi, i18n, velocity, etc. Plexus also includes an ap ...
oval:org.secpod.oval:def:603429 Danny Grander discovered a directory traversal flaw in plexus-archiver, an Archiver plugin for the Plexus compiler system, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted Zip archive.
oval:org.secpod.oval:def:111288 389 Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration.
oval:org.secpod.oval:def:1600485 CVE-2016-5405 389-ds-base: Password verification vulnerable to timing attack. It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve the directory server password after many tries. CVE-2016-5416 38 ...
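Two entries above describe the same flaw class in different packages: reposync (def:1700074, def:204862) copying files outside its destination directory because it trusted paths supplied by a remote repository, and plexus-archiver (def:53351, def:1700057, def:603429) writing outside the target directory because it trusted member names in a crafted zip. The defence is the same in both cases: resolve every supplied name against the destination and refuse it before anything is written. The code below is an added example and is not code from either project; `resolve_within`, `partition_members` and the sample member names are constructed for illustration.

```python
"""Lexical path-containment check for archive extraction and repository
mirroring. Added example, not code from plexus-archiver or yum-utils; the
function names and the sample member names are constructed."""
import os
import posixpath


class PathTraversalError(ValueError):
    """A supplied relative name would resolve outside the destination."""


def resolve_within(dest_dir: str, member_name: str) -> str:
    """Return the absolute path under dest_dir where member_name may be
    written, or raise PathTraversalError. Nothing is touched on disk.

    All checks are lexical and run before any write:
      * empty, absolute and drive-qualified names are refused;
      * backslashes are treated as separators, so '..\\x' cannot bypass
        the '..' test on a POSIX extractor;
      * posixpath.normpath collapses 'a/./b' and 'a/x/../b' and leaves any
        net upward '..' at the front, where it is easy to detect;
      * as an independent second check, the joined path must have dest_dir
        as its common path prefix (os.path.commonpath compares whole
        components, so '/srv/out-evil/x' is not a child of '/srv/out').
    """
    if not member_name:
        raise PathTraversalError("empty member name")
    dest_root = os.path.abspath(dest_dir)
    name = member_name.replace("\\", "/")
    first = name.split("/", 1)[0]
    drive_qualified = len(first) == 2 and first[0].isalpha() and first[1] == ":"
    if name.startswith("/") or drive_qualified:
        raise PathTraversalError(f"absolute or drive-qualified name: {member_name!r}")
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        raise PathTraversalError(f"name escapes destination: {member_name!r}")
    target = os.path.abspath(os.path.join(dest_root, *norm.split("/")))
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise PathTraversalError(f"name escapes destination: {member_name!r}")
    return target


def partition_members(dest_dir, member_names):
    """Split member names into {name: target_path} and a list of rejects."""
    accepted, rejected = {}, []
    for name in member_names:
        try:
            accepted[name] = resolve_within(dest_dir, name)
        except PathTraversalError:
            rejected.append(name)
    return accepted, rejected


# Constructed sample: names of the shape a crafted archive or a hostile
# repository might present, beside ordinary ones.
SAMPLE_MEMBERS = [
    "lib/app.jar",
    "docs/./README",
    "a/b/../c.txt",
    "../../../../etc/cron.d/job",
    "/etc/passwd",
    "..\\..\\Windows\\win.ini",
    "repodata/../../.ssh/authorized_keys",
]

if __name__ == "__main__":
    accepted, rejected = partition_members("/srv/extract", SAMPLE_MEMBERS)
    for name, path in accepted.items():
        print("write ", name, "->", path)
    for name in rejected:
        print("REJECT", name)
```

Run as a script it lists which of the constructed names would be written under `/srv/extract` and which are refused. The check is lexical, so it says nothing about symlinks already present in the destination tree; extract as an unprivileged user into an empty directory to cover that case as well.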
oval:org.secpod.oval:def:204044 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI cou ...
oval:org.secpod.oval:def:204146 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. The following packages have been upgraded to a newer upstream version: 389-ds-base. Security Fix: * It was ...
oval:org.secpod.oval:def:1501668 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI cou ...
oval:org.secpod.oval:def:1501635 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. The following packages have been upgraded to a newer upstream version: 389-ds-base. Security Fix: * It was ...
oval:org.secpod.oval:def:501927 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. The following packages have been upgraded to a newer upstream version: 389-ds-base. Security Fix: * It was ...
oval:org.secpod.oval:def:501935 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI cou ...
oval:org.secpod.oval:def:2001495 389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, th ...
oval:org.secpod.oval:def:502291 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: ns-slapd crash via large filter value in ldapsearch For more details about the ...
oval:org.secpod.oval:def:502288 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: ns-slapd crash via large filter value in ldapsearch For more details about the ...
oval:org.secpod.oval:def:1700049 It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of ...
oval:org.secpod.oval:def:1502208 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1502209 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:2000448 A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ns-slapd crashes in the delete_passwdPolicy function when persistent search connections are terminated unexpectedly, leading to remote denial of service.
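The two escape-handling entries above (def:2001495, def:1700049) share a root cause with any code that escapes untrusted text into a buffer sized from the unescaped input: RFC 4515 escaping turns each of the bytes `*`, `(`, `)`, `\` and NUL into three bytes, so the escaped form can be up to three times as long as the input. The example below is added here and is not 389-ds-base code; `escape_into` is a constructed stand-in for a fixed-size, NUL-terminated C buffer, and `build_filter` goes one step beyond the entries by showing the client-side use of the same escaping to keep an injected value from changing the structure of a filter.

```python
"""RFC 4515 escaping of LDAP filter assertion values with explicit worst-case
sizing. Added example, not 389-ds-base code; escape_into() is a constructed
model of a fixed-capacity C buffer, used to show why a buffer sized to the
unescaped input overflows once the input carries enough special characters."""
import re

# RFC 4515 section 3: these bytes must be written as backslash + two hex digits.
_MUST_ESCAPE = frozenset(b"*()\\\x00")

# Simplified attribute-description grammar (letters, digits, '-'; OIDs and
# options omitted) so filter syntax cannot be smuggled in via the attribute.
_ATTR_RE = re.compile(rb"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(raw: bytes) -> bytes:
    """Escape raw for use as the assertion value in (attr=value)."""
    out = bytearray()
    for b in raw:
        if b in _MUST_ESCAPE:
            out += b"\\%02x" % b   # one input byte becomes three output bytes
        else:
            out.append(b)          # everything else, UTF-8 included, passes through
    return bytes(out)


def max_escaped_len(raw_len: int) -> int:
    """Tight upper bound on the escaped length: every byte may triple."""
    return 3 * raw_len


def escape_into(raw: bytes, capacity: int) -> bytes:
    """Model of escaping into a fixed-size, NUL-terminated C buffer.

    Refuses, instead of overflowing, when the escaped text plus the
    terminator would not fit. Size capacity from max_escaped_len(len(raw)) + 1,
    never from len(raw) + 1.
    """
    escaped = escape_filter_value(raw)
    if len(escaped) + 1 > capacity:
        raise OverflowError(f"need {len(escaped) + 1} bytes, have {capacity}")
    return escaped


def build_filter(attr: bytes, raw_value: bytes) -> bytes:
    """Build an equality filter whose value cannot alter the filter structure."""
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError(f"bad attribute description: {attr!r}")
    return b"(" + attr + b"=" + escape_filter_value(raw_value) + b")"


if __name__ == "__main__":
    hostile = b"*)(uid=*"                 # constructed: tries to widen the match
    print(build_filter(b"uid", hostile))  # the ')' and '(' are neutralised
    all_stars = b"*" * 1000               # constructed: worst case for sizing
    print(len(escape_filter_value(all_stars)))  # 3000, three times the input
    try:
        escape_into(all_stars, len(all_stars) + 1)  # sized to the raw input
    except OverflowError as e:
        print("refused:", e)
    escape_into(all_stars, max_escaped_len(len(all_stars)) + 1)  # fits
```

The point of `escape_into` is the order of operations: compute the worst-case size, allocate or check against it, then write. A server that re-escapes a client-supplied filter for normalisation or logging has to follow the same rule, because the client chooses how many of the bytes need escaping.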
oval:org.secpod.oval:def:1502446 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1700147 Earlier versions of flatpak expose /proc in the apply_extra script sandbox, which allows attackers to modify a host-side executable file.
oval:org.secpod.oval:def:502611 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix: * flatpak: potential /proc based sandbox escape For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to ...
oval:org.secpod.oval:def:205159 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fix: * flatpak: potential /proc based sandbox escape For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to ...
oval:org.secpod.oval:def:114811 Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.
oval:org.secpod.oval:def:114901 Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage.
oval:org.secpod.oval:def:204596 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204581 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204586 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204585 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204691 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204690 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204695 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204682 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204681 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204683 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204688 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204674 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204673 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204679 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204661 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204665 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204613 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204612 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204610 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204600 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204609 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204650 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204655 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204658 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204640 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204646 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204643 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204632 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204620 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204623 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204622 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204621 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:204629 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11, libXaw, libXdmcp, libXfixes, libXfont, libXi, libXpm, libXrandr, libXrender, libXt, libXtst, libXv, libXvMC, libXxf8 ...
oval:org.secpod.oval:def:1502427 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:502596 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...
oval:org.secpod.oval:def:205153 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...
oval:org.secpod.oval:def:115233 BIND is an implementation of the DNS protocols. BIND includes a DNS server, which resolves host names to IP addresses; a resolver library; and tools for verifying that the DNS server is operating properly.
oval:org.secpod.oval:def:116889 DtkWidget is the Deepin graphical user interface toolkit for deepin desktop development.
oval:org.secpod.oval:def:1801349 CVE-2018-18500: Use-after-free parsing HTML5 stream. CVE-2018-18501: Memory safety bugs. CVE-2018-18505: Privilege escalation through IPC channel messages. Fixed In Version: Firefox ESR 60.5
oval:org.secpod.oval:def:116192 The mod_auth_mellon module is an authentication service that implements the SAML 2.0 federation protocol. It grants access based on the attributes received in assertions generated by an IdP server.
oval:org.secpod.oval:def:1600994 A vulnerability was found in mod_auth_mellon. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users, adding the special HTTP headers that are normally used to start SAML ECP can be used to bypass authentication. A vulnerability ...
oval:org.secpod.oval:def:116183 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ...
oval:org.secpod.oval:def:116224 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ...
oval:org.secpod.oval:def:116149 libssh2 is a library implementing the SSH2 protocol as defined by Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION, SECSH-ARCH, SECSH-FILEXFER*, SECSH-DHGEX, and SECSH-NUMBERS.
oval:org.secpod.oval:def:116213 libssh2 is a library implementing the SSH2 protocol as defined by Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION, SECSH-ARCH, SECSH-FILEXFER*, SECSH-DHGEX, and SECSH-NUMBERS.
oval:org.secpod.oval:def:1801342 CVE-2019-3855: Possible integer overflow in transport read allows out-of-bounds write. Affected versions: all versions to and including 1.8.0. Not affected versions: libssh2
oval:org.secpod.oval:def:1801343 CVE-2019-3855: Possible integer overflow in transport read allows out-of-bounds write. Affected versions: all versions to and including 1.8.0. Not affected versions: libssh2
oval:org.secpod.oval:def:1801344 CVE-2019-3855: Possible integer overflow in transport read allows out-of-bounds write. Affected versions: all versions to and including 1.8.0. Not affected versions: libssh2
oval:org.secpod.oval:def:1801361 CVE-2019-3855: Possible integer overflow in transport read allows out-of-bounds write. Affected versions: all versions to and including 1.8.0. Not affected versions: libssh2
oval:org.secpod.oval:def:116101 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ...
oval:org.secpod.oval:def:116022 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ...
oval:org.secpod.oval:def:117136 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ...
oval:org.secpod.oval:def:1801261 CVE-2018-19409: An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. Fixed In Version: ghostscript 9.26
oval:org.secpod.oval:def:1801263 CVE-2018-19409: An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. Fixed In Version: ghostscript 9.26
oval:org.secpod.oval:def:1801266 CVE-2018-19409: An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. Fixed In Version: ghostscript 9.26
oval:org.secpod.oval:def:1600937 A flaw was found in the way a local user on the SpamAssassin server could inject code in the meta rule syntax. This could cause arbitrary code execution on the server when these rules are being processed. A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin ...
oval:org.secpod.oval:def:1502317 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1600904 Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue and tcp_prune_ofo_queue for every incoming packet, which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessi ...
oval:org.secpod.oval:def:111974 This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats.
oval:org.secpod.oval:def:111976 This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats.
oval:org.secpod.oval:def:111999 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine a ...
oval:org.secpod.oval:def:111988 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine a ...
oval:org.secpod.oval:def:1800770 CVE-2016-9603, XSA-211: Cirrus VGA heap overflow via display refresh
oval:org.secpod.oval:def:116186 With FUSE it is possible to implement a fully functional filesystem in a userspace program. This package contains the FUSE v2 userspace tools to mount a FUSE filesystem.
oval:org.secpod.oval:def:1801098 In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the "allow_other" mount option regardless of whether "user_allow_other" is set in the fuse configuration. An attack ...
oval:org.secpod.oval:def:1801100 In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the "allow_other" mount option regardless of whether "user_allow_other" is set in the fuse configuration. An attack ...
oval:org.secpod.oval:def:1801101 In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the "allow_other" mount option regardless of whether "user_allow_other" is set in the fuse configuration. An attack ...
oval:org.secpod.oval:def:1801102 In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the "allow_other" mount option regardless of whether "user_allow_other" is set in the fuse configuration. An attack ...
oval:org.secpod.oval:def:116229 With FUSE it is possible to implement a fully functional filesystem in a userspace program. This package contains the FUSE v2 userspace tools to mount a FUSE filesystem.
oval:org.secpod.oval:def:1801021 Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. ...
oval:org.secpod.oval:def:1801022 Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. ...
oval:org.secpod.oval:def:1801019 Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. ...
oval:org.secpod.oval:def:114969 PostgreSQL is an advanced Object-Relational database management system. The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as t ...
oval:org.secpod.oval:def:1600955 A vulnerability was found in libpq, the default PostgreSQL client library, where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could b ...
oval:org.secpod.oval:def:1600947 A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do a symbolic link resolution in the aforementioned path. If the user affected is p ...
oval:org.secpod.oval:def:1600862 Cross-site scripting vulnerability in web UI. A cross-site scripting flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user's side and force the victim to perform unintended actions. CSRF protection missing in t ...
oval:org.secpod.oval:def:1600921 A denial of service flaw was found in the MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request. An authentication bypass flaw was found in the way krb5's certauth interface ha ...
oval:org.secpod.oval:def:48078 The host is missing an important security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:49590 The host is missing a high severity security update according to Google advisory. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows attackers to have unspecified impact.
oval:org.secpod.oval:def:53475 Several vulnerabilities have been discovered in the chromium web browser. CVE-2018-17480 Guang Gong discovered an out-of-bounds write issue in the v8 javascript library. CVE-2018-17481 Several use-after-free issues were discovered in the pdfium library. CVE-2018-18335 A buffer overflow issue was dis ...
oval:org.secpod.oval:def:1502477 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1700160 An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 in the way keyboard prompt requests are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server. An integer overflow flaw ...
oval:org.secpod.oval:def:502635 The libssh2 packages provide a library that implements the SSH2 protocol. Security Fix: * libssh2: Integer overflow in transport read resulting in out of bounds write * libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write * libssh2: Integer overflow in SSH pa ...
oval:org.secpod.oval:def:603849 Chris Coulson discovered several vulnerabilities in libssh2, an SSH2 client-side library, which could result in denial of service, information leaks or the execution of arbitrary code.
oval:org.secpod.oval:def:205182 The libssh2 packages provide a library that implements the SSH2 protocol. Security Fix: * libssh2: Integer overflow in transport read resulting in out of bounds write * libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write * libssh2: Integer overflow in SSH pa ...
oval:org.secpod.oval:def:603586 Several vulnerabilities have been discovered in the chromium web browser. CVE-2018-17480 Guang Gong discovered an out-of-bounds write issue in the v8 javascript library. CVE-2018-17481 Several use-after-free issues were discovered in the pdfium library. CVE-2018-18335 A buffer overflow issue was dis ...
oval:org.secpod.oval:def:50019 The host is installed with Artifex Ghostscript through 9.25 and is prone to an arbitrary code execution vulnerability. A flaw is present in the application, which fails to properly handle a crafted PostScript document. Successful exploitation could allow attackers to execute arbitrary code.
oval:org.secpod.oval:def:53381 Jann Horn discovered that FUSE, a Filesystem in USErspace, allows the bypass of the "user_allow_other" restriction when SELinux is active. A local user can take advantage of this flaw in the fusermount utility to bypass the system configuration and mount a FUSE filesystem with the "allow_other" mou ...
oval:org.secpod.oval:def:1700097 A vulnerability was discovered in fuse. When SELinux is active, fusermount is vulnerable to a restriction bypass. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An a ...
oval:org.secpod.oval:def:114542 PostgreSQL is an advanced Object-Relational database management system. The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as t ...
oval:org.secpod.oval:def:114536 PostgreSQL is an advanced Object-Relational database management system. The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as t ...
oval:org.secpod.oval:def:114027 Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form.
oval:org.secpod.oval:def:2000226 MIT libkrb5-dev 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service or bypass a DN container check by supplying tagged data that is internal to the database module.
oval:org.secpod.oval:def:1700106 MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a cont ...
oval:org.secpod.oval:def:114073 Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of sending passwords over the network in unencrypted form.
oval:org.secpod.oval:def:113555 Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-all ...
oval:org.secpod.oval:def:502265 Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos ...
oval:org.secpod.oval:def:1700032 Authentication bypass by improper validation of certificate EKU and SAN. An authentication bypass flaw was found in the way krb5's certauth interface handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arb ...
oval:org.secpod.oval:def:1502171 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:48066 The host is installed with Google Chrome before 70.0.3538.67 or Mozilla Firefox before 64, Mozilla Firefox ESR, Mozilla Thunderbird before 60.4 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation ...
oval:org.secpod.oval:def:49586 The host is installed with Google Chrome before 71.0.3578.80, Thunderbird before 60.5.1, Firefox before 65.0.1 or Firefox ESR before 60.5.1 and is prone to a use after free vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows ...
oval:org.secpod.oval:def:205146 GNOME is the default desktop environment of Red Hat Enterprise Linux. Security Fix: * libsoup: Crash in soup_cookie_jar.c:get_cookies on empty hostnames * poppler: Infinite recursion in fofi/FoFiType1C.cc:FoFiType1C::cvtGlyph function allows denial of service * libgxps: heap based buffer over read ...
oval:org.secpod.oval:def:41112 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable c ...
oval:org.secpod.oval:def:41113 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell. This results in a potentially exploitable crash.
oval:org.secpod.oval:def:41114 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- A use-after-free vulnerability during video control operations when a 'track' element holds a reference to an older window if that window has been replaced in the DOM. This results in a potentially exploitable crash.
oval:org.secpod.oval:def:41115 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- A use-after-free vulnerability with content viewer listeners that results in a potentially exploitable crash.
oval:org.secpod.oval:def:41116 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages due to how events are handled. This results in a potentially exploitable crash but would require sp ...
oval:org.secpod.oval:def:41121 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use.
oval:org.secpod.oval:def:41127 The host is missing a critical security update according to Mozilla advisory, MFSA2017-15. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code o ...
oval:org.secpod.oval:def:41128 The host is missing a critical security update according to Mozilla advisory, MFSA2017-16. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code o ...
oval:org.secpod.oval:def:41129 The host is missing a critical security update according to Mozilla advisory, MFSA2017-17. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code o ...
oval:org.secpod.oval:def:41728 Mozilla Firefox before 55.0, Firefox ESR before 52.3 or Thunderbird before 52.3 :- An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data.
oval:org.secpod.oval:def:41736 Mozilla Firefox before 55.0, Firefox ESR before 52.3 or Thunderbird before 52.3 :- A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash.
oval:org.secpod.oval:def:41740 Mozilla Firefox before 55.0, Firefox ESR before 52.3 or Thunderbird before 52.3 :- When a page's content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP.
oval:org.secpod.oval:def:41752 The host is missing a critical security update according to Mozilla advisory, MFSA2017-18. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code o ...
oval:org.secpod.oval:def:41753 The host is missing a critical security update according to Mozilla advisory, MFSA2017-19. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code o ...
oval:org.secpod.oval:def:41828 The host is missing a critical security update according to Mozilla advisory, MFSA2017-20. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code o ...
oval:org.secpod.oval:def:42278 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird before 52.4 :- A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed when still in use, resulting in a potentially exploitable crash.
oval:org.secpod.oval:def:42280 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird before 52.4 :- Mozilla developers and community members Christoph Diehl, Jan de Mooij, Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian Hengst reported memory safety bugs present in Firefox and Firefox ESR. Some of thes ...
oval:org.secpod.oval:def:42281 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird before 52.4 :- File downloads encoded with blob: and data: URL elements bypassed normal file download checks through the Phishing and Malware Protection feature and its block lists of suspicious sites and files. This would allow malicious s ...
oval:org.secpod.oval:def:42282 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird before 52.4 :- A use-after-free vulnerability can occur when manipulating arrays of Accessible Rich Internet Applications (ARIA) elements within containers through the DOM. This results in a potentially exploitable crash.
oval:org.secpod.oval:def:42283 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird before 52.4 :- A use-after-free vulnerability can occur in design mode when image objects are resized if objects referenced during the resizing have been freed from memory. This results in a potentially exploitable crash.
oval:org.secpod.oval:def:42284 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird before 52.4 :- The content security policy (CSP) sandbox directive did not create a unique origin for the document, causing it to behave as if the allow-same-origin keyword were always specified. This could allow a Cross-Site Scripting (XS ...
oval:org.secpod.oval:def:42285 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird before 52.4 :- A buffer overflow occurs when drawing and validating elements with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentia ...
oval:org.secpod.oval:def:42295 The host is missing a critical security update according to Mozilla advisory, MFSA2017-21. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:42296 The host is missing a critical security update according to Mozilla advisory, MFSA2017-22. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:42422 The host is missing a critical security update according to Mozilla advisory, MFSA2017-23. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:42821 Mozilla Firefox before 57.0 or Firefox ESR before 52.5 :- A use-after-free vulnerability can occur when flushing and resizing layout because the PressShell object has been freed while still in use. This results in a potentially exploitable crash during these operations.
oval:org.secpod.oval:def:42822 Mozilla Firefox before 57.0 or Firefox ESR before 52.5 :- The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users.
oval:org.secpod.oval:def:42823 Mozilla Firefox before 57.0 or Firefox ESR before 52.5 :- Mozilla developers and community members Christian Holler, David Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp, Nicholas Nethercote, Oriol Brufau, Andre Bargull, Bob Clary, Jet Villegas, Randell Jesup, Tyson Smith ...
oval:org.secpod.oval:def:42836 The host is missing a critical security update according to Mozilla advisory, MFSA2017-24. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:42837 The host is missing a critical security update according to Mozilla advisory, MFSA2017-25. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:43033 Mozilla Firefox before 57.0.1 :- When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mo ...
oval:org.secpod.oval:def:1502077 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1502080 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:43141 The host is missing a critical security update according to Mozilla advisory, MFSA2017-28. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to bypass security.
oval:org.secpod.oval:def:603208 It was discovered that the Private Browsing mode in the Mozilla Firefox web browser allowed to fingerprint a user across multiple sessions via IndexedDB.
oval:org.secpod.oval:def:502205 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.5.1 ESR. Security Fix: * A privacy flaw was discovered in Firefox. In Private Browsing mode, a web worker could write persistent data to IndexedDB, which was not cleared when exiting and would persist across mu ...
oval:org.secpod.oval:def:1800363 CVE-2017-7845: Buffer overflow when drawing and validating elements with ANGLE library using Direct 3D 9 CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data Fixed In Version: Firefox ESR 52.5.2
oval:org.secpod.oval:def:53207 It was discovered that the Private Browsing mode in the Mozilla Firefox web browser allowed to fingerprint a user across multiple sessions via IndexedDB.
oval:org.secpod.oval:def:43035 The host is missing a critical security update according to Mozilla advisory, MFSA2017-27. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to disclose information or ...
oval:org.secpod.oval:def:43640 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- Mozilla developers and community members reported memory safety bugs present in Firefox, Firefox ESR and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort th ...
oval:org.secpod.oval:def:43641 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 :- A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash.
oval:org.secpod.oval:def:43642 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 8 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially e ...
oval:org.secpod.oval:def:43643 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitab ...
oval:org.secpod.oval:def:43644 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when form input elements, focus, and selections are manipulated by script content. This results in a potentially exploitable crash.
oval:org.secpod.oval:def:43645 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when the widget listener is holding strong references to browser objects that have previously been freed, resulting in a potentially exploitable crash when these references a ...
oval:org.secpod.oval:def:43646 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when manipulating HTML media elements with media streams, resulting in a potentially exploitable crash.
oval:org.secpod.oval:def:43647 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during mouse event handling due to issues with multiprocess support. This results in a potentially exploitable crash.
oval:org.secpod.oval:def:43648 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during font face manipulation when a font face is freed while still in use, resulting in a potentially exploitable crash.
oval:org.secpod.oval:def:43649 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displ ...
oval:org.secpod.oval:def:43650 Mozilla Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur while editing events in form elements on a page, resulting in a potentially exploitable crash.
oval:org.secpod.oval:def:43673 The host is missing a critical security update according to Mozilla advisory, MFSA2018-02. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:43674 The host is missing a critical security update according to Mozilla advisory, MFSA2018-03. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:43779 The host is missing a critical security update according to Mozilla advisory, MFSA2018-04. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:1502308 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:502357 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozi ...
oval:org.secpod.oval:def:502356 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozi ...
oval:org.secpod.oval:def:49887 The host is missing a critical security update according to Mozilla advisory, MFSA2018-29. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code.
oval:org.secpod.oval:def:49888 The host is missing a critical security update according to Mozilla advisory, MFSA2018-30. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code.
oval:org.secpod.oval:def:1801282 CVE-2018-1000807: Use-after-free in X509 object handling. Python Cryptographic Authority pyopenssl version before 17.5.0 has a use-after-free vulnerability in X509 object handling. This can result in a denial of service or potentially even code execution.
oval:org.secpod.oval:def:1801284 CVE-2018-1000807: Use-after-free in X509 object handling. Python Cryptographic Authority pyopenssl version before 17.5.0 has a use-after-free vulnerability in X509 object handling. This can result in a denial of service or potentially even code execution.
oval:org.secpod.oval:def:1801288 CVE-2018-1000807: Use-after-free in X509 object handling. Python Cryptographic Authority pyopenssl version before 17.5.0 has a use-after-free vulnerability in X509 object handling. This can result in a denial of service or potentially even code execution.
oval:org.secpod.oval:def:1600837 SingleEntryRegistry incorrect setup of deserialization filter: It was discovered that the JMX component of OpenJDK failed to properly set the deserialization filter for the SingleEntryRegistry in certain cases. A remote attacker could possibly use this flaw to bypass intended deserialization restrict ...
oval:org.secpod.oval:def:204733 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * Multiple flaws were found in the Hotspot and AWT components of OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java ...
oval:org.secpod.oval:def:204735 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * Multiple flaws were found in the Hotspot and AWT components of OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java ...
oval:org.secpod.oval:def:1600857 DerValue unbounded memory allocation: It was discovered that the Libraries component of OpenJDK failed to sufficiently limit the amount of memory allocated when reading DER encoded input. A remote attacker could possibly use this flaw to make a Java application use an excessive amount of memory if it ...
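The DerValue entry above describes the classic DER length-field failure: a parser that sizes a buffer from the declared length before checking it against the bytes actually present can be pushed into a multi-gigabyte allocation by a six-byte message. The following is an added example, not code from OpenJDK or from this page. It shows what an unchecked length decoder trusts, beside a bounded TLV parser that refuses a length larger than the remaining input or a caller-supplied ceiling. The sample inputs are constructed.

```python
"""Bounded DER tag-length-value parsing (added example; not OpenJDK code)."""


def declared_length(data: bytes, offset: int = 1):
    """Decode the DER length field at data[offset].

    Returns (length, index_of_first_value_byte). This is all a naive parser
    looks at before allocating: it never compares the result with len(data).
    """
    first = data[offset]
    if first < 0x80:                       # short form: the byte is the length
        return first, offset + 1
    if first == 0x80:                      # indefinite form is BER only
        raise ValueError("indefinite length is not valid in DER")
    n = first & 0x7F                       # long form: n length bytes follow
    if n > 4:
        raise ValueError("length-of-length larger than 4 bytes")
    end = offset + 1 + n
    if end > len(data):
        raise ValueError("truncated length field")
    length = int.from_bytes(data[offset + 1:end], "big")
    if length < 0x80 or data[offset + 1] == 0:
        raise ValueError("non-minimal length encoding is not valid in DER")
    return length, end


def parse_der_tlv(data: bytes, max_len: int = 1 << 20):
    """Parse one DER TLV with bounds checks; returns (tag, value, rest).

    Raises ValueError instead of trusting a declared length that exceeds the
    input or the caller's ceiling, so no allocation is ever sized by the
    attacker alone.
    """
    if len(data) < 2:
        raise ValueError("need at least a tag byte and a length byte")
    tag = data[0]
    length, value_start = declared_length(data, 1)
    remaining = len(data) - value_start
    if length > remaining:
        raise ValueError(f"declared length {length} exceeds the {remaining} bytes available")
    if length > max_len:
        raise ValueError(f"declared length {length} exceeds ceiling {max_len}")
    value_end = value_start + length
    return tag, data[value_start:value_end], data[value_end:]


def rejects(data: bytes, max_len: int = 1 << 20) -> bool:
    """True if the bounded parser refuses the input."""
    try:
        parse_der_tlv(data, max_len)
    except ValueError:
        return True
    return False


# Constructed inputs: an OCTET STRING "abc" followed by a NULL, and a hostile
# OCTET STRING whose length field claims 0x7fffffff bytes of content.
GOOD = b"\x04\x03abc\x05\x00"
HOSTILE = b"\x04\x84\x7f\xff\xff\xff"

if __name__ == "__main__":
    print(parse_der_tlv(GOOD))
    # A naive parser would allocate about 2 GiB for this six-byte message:
    print(declared_length(HOSTILE))
    print(rejects(HOSTILE))
```

The ceiling `max_len` is the second line of defence: even when a length is consistent with the input, a streaming reader that does not yet hold the whole message has to cap what it will buffer on behalf of an unauthenticated peer.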
oval:org.secpod.oval:def:204752 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * A flaw was found in the AWT component of OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ...
oval:org.secpod.oval:def:204753 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * A flaw was found in the AWT component of OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ...
oval:org.secpod.oval:def:204781 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ...
oval:org.secpod.oval:def:204782 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ...
oval:org.secpod.oval:def:1600884 Unbounded memory allocation during deserialization in NamedNodeMapImpl: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE. Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerabi ...
oval:org.secpod.oval:def:1600876 Unbounded memory allocation during deserialization in Container: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE. Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerabi ...
oval:org.secpod.oval:def:204824 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ...
oval:org.secpod.oval:def:204829 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ...
oval:org.secpod.oval:def:603561 Several vulnerabilities have been discovered in the chromium web browser. CVE-2018-5179 Yannic Boneberger discovered an error in the ServiceWorker implementation. CVE-2018-17462 Ned Williamson and Niklas Baumstark discovered a way to escape the sandbox. CVE-2018-17463 Ned Williamson and Niklas Baums ...
oval:org.secpod.oval:def:204052 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.5.1. Security Fix: * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary ...
oval:org.secpod.oval:def:204056 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.6.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:204049 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.1 ESR. Security Fix: * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privil ...
oval:org.secpod.oval:def:204090 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.7.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:204061 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:204453 KVM is a full virtualization solution for Linux on x86 hardware. Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc. Security Fix: * Quick emulator built wit ...
oval:org.secpod.oval:def:204456 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.8.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:204440 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.7.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:204465 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.8.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:1800216 CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP CVE-2017-5376: Use-after-free in XSL CVE-2017-5378: Pointer and frame data leakage of Javascript objects CVE-2017-5380: Potential use-after-free durin ...
oval:org.secpod.oval:def:1800751 CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP CVE-2017-5401: Memory Corruption when handling ErrorResult CVE-2017-5402: Use-after-free working with events in FontFace objects CVE-2017-5404: Use-after-free working with ranges in selections CVE-2017-5407: Pixel and history stealing via floati ...
oval:org.secpod.oval:def:1800704 CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP CVE-2017-5376: Use-after-free in XSL CVE-2017-5378: Pointer and frame data leakage of Javascript objects CVE-2017-5380: Potential use-after-free durin ...
oval:org.secpod.oval:def:204104 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.7.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:115569 Chromium is an open-source web browser, powered by WebKit.
oval:org.secpod.oval:def:115524 Chromium is an open-source web browser, powered by WebKit.
oval:org.secpod.oval:def:1800084 CVE: none assigned, XSA-207: memory leak when destroying guest without PT devices Reference: CVE-2017-2615, XSA-208: oob access in cirrus bitblt copy Reference: CVE-2017-2620, XSA-209: cirrus_bitblt_cputovideo does not check if memory region is safe Reference:
oval:org.secpod.oval:def:1600909 The default settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. The ...
oval:org.secpod.oval:def:116193 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...
oval:org.secpod.oval:def:1600945 When the default servlet in Apache Tomcat versions 7.0.23 to 7.0.90 returned a redirect to a directory, a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.
oval:org.secpod.oval:def:1600906 The default settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. The ...
oval:org.secpod.oval:def:204892 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: A bug in the UTF-8 decoder can lead to DoS For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed ...
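The two Tomcat CORS filter entries above turn on a configuration point rather than a code bug: a CorsFilter declared without init-params inherits defaults that allow every origin and support credentials, so any site can make authenticated cross-origin requests to the application and read the responses. The following is an added example, not code from Apache Tomcat or from this page: a small audit of a web.xml that reports each CorsFilter declaration running on those defaults, with a constructed insecure fragment beside a hardened one that pins an explicit origin allow-list. Assumptions: the filter class name `org.apache.catalina.filters.CorsFilter` and the parameter names `cors.allowed.origins` and `cors.support.credentials` are the ones Tomcat documents, and the defaults applied when a parameter is absent (`*` and `true`) are the insecure pre-fix defaults the advisory describes; on a fixed release confirm them against that version's filter documentation.

```python
"""Audit a Tomcat web.xml for a CorsFilter running on insecure defaults.

Added example; not Apache Tomcat code. See the lead-in for assumptions.
"""
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"
# Assumed pre-fix defaults when the init-param is absent.
DEFAULT_ORIGINS = "*"
DEFAULT_CREDENTIALS = "true"

# Constructed sample: the filter declared with no init-params at all.
INSECURE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Constructed sample: an explicit origin allow-list, so credentialed
# responses only ever go to the listed origin.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://app.example.com</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so element names can be matched directly."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name: str) -> str:
    """Text of the first direct child named `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_cors_filters(web_xml: str):
    """Return one finding per CorsFilter declaration in the web.xml text."""
    root = ET.fromstring(web_xml)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "filter" or _text(elem, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {}
        for child in elem:
            if _local(child.tag) == "init-param":
                params[_text(child, "param-name")] = _text(child, "param-value")
        origins = params.get("cors.allowed.origins", DEFAULT_ORIGINS)
        credentials = params.get("cors.support.credentials", DEFAULT_CREDENTIALS).lower() == "true"
        # Credentials combined with a wildcard origin is the insecure shape.
        insecure = credentials and "*" in [o.strip() for o in origins.split(",")]
        findings.append({
            "filter": _text(elem, "filter-name"),
            "origins": origins,
            "credentials": credentials,
            "insecure": insecure,
        })
    return findings


if __name__ == "__main__":
    for label, xml in (("insecure", INSECURE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_cors_filters(xml))
```

The check flags the combination, not either setting alone: a wildcard origin without credentials exposes only public responses, and credentials with a pinned origin list is the intended configuration. Treat an absent parameter as the documented default for the Tomcat version actually deployed rather than assuming the safe one.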
oval:org.secpod.oval:def:111608 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...
oval:org.secpod.oval:def:111607 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ...
oval:org.secpod.oval:def:204021 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicio ...
oval:org.secpod.oval:def:204023 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application de ...
oval:org.secpod.oval:def:501880 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application de ...
oval:org.secpod.oval:def:2000164 There is a heap-based buffer over-read in the function ft_font_face_hash of gxps-fonts.c in libgxps through 0.3.0. A crafted input will lead to a remote denial of service attack.
oval:org.secpod.oval:def:2001448 The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD has too wide permissions, which means that anyone who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user. This affects versions of SSSD before 1 ...
oval:org.secpod.oval:def:114735 libgxps is a GObject based library for handling and rendering XPS documents.
oval:org.secpod.oval:def:115244 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file. Patch should ...
oval:org.secpod.oval:def:114488 libgxps is a GObject based library for handling and rendering XPS documents.
oval:org.secpod.oval:def:114421 libgxps is a GObject based library for handling and rendering XPS documents.
oval:org.secpod.oval:def:1700134 An improper input validation was found in function __zzip_fetch_disk_trailer of ZZIPlib, up to 0.13.68, that could lead to a crash in __zzip_parse_root_directory function of zzip/ip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. A memory lea ...
oval:org.secpod.oval:def:1700110 The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD utilizes too broad of a set of permissions. Any user who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user.
oval:org.secpod.oval:def:502238 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: remote Denial of Service via search filters in SetUnicodeStringFromUTF_8 in col ...
oval:org.secpod.oval:def:502249 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * 389-ds-base: remote Denial of Service via search filters in SetUnicodeStringFromUTF_8 in col ...
oval:org.secpod.oval:def:1900153 An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters, affecting all versions including 1.4.x. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of ...
oval:org.secpod.oval:def:1700016 Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c: It was found that 389-ds-base did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass ...
oval:org.secpod.oval:def:1900098 There is a heap-based buffer over-read in the function ft_font_face_hash of gxps-fonts.c in libgxps-dev through 0.3.0. A crafted input will lead to a remote denial of service attack.
oval:org.secpod.oval:def:1502142 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1502158 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1900164 The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD has too wide permissions, which means that anyone who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user. This affects versions of SSSD before 1. ...
oval:org.secpod.oval:def:1900323 It was discovered that libxdmcp6 before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to bruteforce the key, allowing them to hijack other users' sessions.
oval:org.secpod.oval:def:1900329 It was discovered that libice-dev before 1.0.9-8 used weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list.
oval:org.secpod.oval:def:1900330 389-ds-base before versions 1.3.5.17 and 1.3.6.10 is vulnerable to an invalid pointer dereference in the way LDAP bind requests are handled. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service.
oval:org.secpod.oval:def:112190 X Display Manager Control Protocol library.
oval:org.secpod.oval:def:502016 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * An invalid pointer dereference flaw was found in the way 389-ds-base handled LDAP bind reques ...
oval:org.secpod.oval:def:502015 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * An invalid pointer dereference flaw was found in the way 389-ds-base handled LDAP bind reques ...
oval:org.secpod.oval:def:112133 X Display Manager Control Protocol library.
oval:org.secpod.oval:def:112163 The X.Org X11 ICE runtime library.
oval:org.secpod.oval:def:112113 The X.Org X11 ICE runtime library.
oval:org.secpod.oval:def:1501828 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1501831 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1600695 Remote crash via crafted LDAP messages: An invalid pointer dereference flaw was found in the way 389-ds-base handled LDAP bind requests. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service.
oval:org.secpod.oval:def:1501975 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:602749 Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression / decompression library, may result in denial of service or the execution of arbitrary code if a malformed JPEG 2000 file is processed.
oval:org.secpod.oval:def:502113 Red Hat Certificate System is an enterprise software system designed to manage enterprise public key infrastructure deployments. PKI Core contains fundamental packages required by Red Hat Certificate System, which comprise the Certificate Authority subsystem. Security Fix: * It was found that a mo ...
oval:org.secpod.oval:def:1700131 An integer wraparound has been discovered in the Binary File Descriptor library distributed in GNU Binutils up to version 2.30. An attacker could cause a crash by providing an ELF file with corrupted DWARF debug information. The ignore_section_sym function in elf.c in the Binary File Descriptor lib ...
oval:org.secpod.oval:def:1501801 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:502008 OpenJPEG is an open source library for reading and writing image files in JPEG2000 format. Security Fix: * Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in OpenJPEG. A specially crafted JPEG2000 image could cause an application using OpenJPEG to crash or, potent ...
oval:org.secpod.oval:def:2000205 A stack buffer overflow flaw was found in the way 389-ds-base 1.3.6.x before 1.3.6.13, 1.3.7.x before 1.3.7.9, 1.4.x before 1.4.0.5 handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thu ...
oval:org.secpod.oval:def:502227 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: * A stack buffer overflow flaw was found in the way 389-ds-base handled certain LDAP search fil ...
oval:org.secpod.oval:def:1900979 A stack buffer overflow flaw was found in the way 389-ds-base 1.3.6.x before 1.3.6.13, 1.3.7.x before 1.3.7.9, 1.4.x before 1.4.0.5 handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thu ...
oval:org.secpod.oval:def:1700008 Remote DoS via search filters in slapi_filter_sprintf in slapd/util.c: A stack buffer overflow flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus ...
oval:org.secpod.oval:def:1901245 389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to infer the existence of RDN component objects.
oval:org.secpod.oval:def:704925 python-gnupg: Python wrapper for the GNU Privacy Guard Several security issues were fixed in python-gnupg
oval:org.secpod.oval:def:1700103 A flaw was found in the dict.c:dict_unserialize function of glusterfs; the dict_unserialize function does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value.
oval:org.secpod.oval:def:115066 GlusterFS is a distributed file-system capable of scaling to several petabytes. It aggregates various storage bricks over Infiniband RDMA or TCP/IP interconnect into one large parallel network file system. GlusterFS is one of the most sophisticated file systems in terms of features and extensibility ...
oval:org.secpod.oval:def:502369 GlusterFS is a key building block of Red Hat Gluster Storage. It is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system. The glust ...
oval:org.secpod.oval:def:115154 GlusterFS is a distributed file-system capable of scaling to several petabytes. It aggregates various storage bricks over Infiniband RDMA or TCP/IP interconnect into one large parallel network file system. GlusterFS is one of the most sophisticated file systems in terms of features and extensibility ...
oval:org.secpod.oval:def:1902091 concat_filename in dwarf2.c in the Binary File Descriptor library, as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service via a crafted binary file, as demonstrated by nm-new.
oval:org.secpod.oval:def:1902092 The bfd_section_from_shdr function in elf.c in the Binary File Descriptor library, as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service via a large attribute section.
oval:org.secpod.oval:def:1902064 The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXigen.c in the Binary File Descriptor library, as distributed in GNU Binutils 2.30, processes a negative Data Directory size with an unbounded loop that increases the value of *edd so that the address exceeds its own memory region, resul ...
oval:org.secpod.oval:def:1902079 The ignore_section_sym function in elf.c in the Binary File Descriptor library, as distributed in GNU Binutils 2.30, does not validate the output_section pointer in the case of a symtab entry with a "SECTION" type that has a "0" value, which allows remote attackers to cause a denial of service vi ...
oval:org.secpod.oval:def:1902072 process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service via a crafted binary file, as demonstrated by readelf.
oval:org.secpod.oval:def:53329 OSS-fuzz, assisted by Max Dymond, discovered that cURL, an URL transfer library, could be tricked into reading data beyond the end of a heap based buffer when parsing invalid headers in an RTSP response.
oval:org.secpod.oval:def:51537 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl.
oval:org.secpod.oval:def:1700054 Curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies. Curl version cu ...
oval:org.secpod.oval:def:704079 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl.
oval:org.secpod.oval:def:114538 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ...
oval:org.secpod.oval:def:603399 OSS-fuzz, assisted by Max Dymond, discovered that cURL, an URL transfer library, could be tricked into reading data beyond the end of a heap based buffer when parsing invalid headers in an RTSP response.
oval:org.secpod.oval:def:51040 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl.
oval:org.secpod.oval:def:45660 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl.
oval:org.secpod.oval:def:47236 postgresql-10: object-relational SQL database - postgresql-9.5: Object-relational SQL database - postgresql-9.3: Object-relational SQL database Several security issues were fixed in PostgreSQL.
oval:org.secpod.oval:def:1900101 It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
oval:org.secpod.oval:def:1501778 Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potent ...
oval:org.secpod.oval:def:1700096 It was found that GnuTLS's implementation of HMAC-SHA-256 was vulnerable to Lucky Thirteen-style attack. A remote attacker could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets. It was found that GnuTLS' ...
oval:org.secpod.oval:def:1900122 It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
oval:org.secpod.oval:def:1700079 A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypas ...
oval:org.secpod.oval:def:114956 PostgreSQL is an advanced Object-Relational database management system. The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as t ...
oval:org.secpod.oval:def:47262 The host is installed with PostgreSQL 10.x before 10.5, 9.6.x before 9.6.10, 9.5.x before 9.5.14, 9.4.x before 9.4.19, and 9.3.x before 9.3.24 and is prone to a security bypass vulnerability. The flaw present in the application's libpq component where it fails to properly reset its internal state be ...
oval:org.secpod.oval:def:501889 The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program. Security Fix: * It was found that util-linux's libblkid library did not properly handle Ext ...
oval:org.secpod.oval:def:1502299 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:502353 PostgreSQL is an advanced object-relational database management system. The following packages have been upgraded to a later upstream version: postgresql. Security Fix: * postgresql: Certain host connection parameters defeat client-side security defenses For more details about the security issue ...
oval:org.secpod.oval:def:205140 The gnutls packages provide the GNU Transport Layer Security library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. The following packages have been upgraded to a later upstream version: gnutls. Security Fix: * gnutls: HMAC-SHA-256 vulnerable to Lucky thirtee ...
oval:org.secpod.oval:def:1501658 The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program. Security Fix: * It was found that util-linux's libblkid library did not properly handle Ext ...
oval:org.secpod.oval:def:50590 The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.
oval:org.secpod.oval:def:501983 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * Quick emulator built with the Cirrus CLGD 54xx VGA emulator support is vulnerabl ...
oval:org.secpod.oval:def:112184 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor
oval:org.secpod.oval:def:112137 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system, including a processor and various peripherals. It can be used to launch differe ...
oval:org.secpod.oval:def:112101 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system, including a processor and various peripherals. It can be used to launch differe ...
oval:org.secpod.oval:def:602753 Multiple security issues have been found in the Mozilla Firefox web browser: Memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code, information disclosure or privilege escalation.
oval:org.secpod.oval:def:112125 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor
oval:org.secpod.oval:def:112118 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor
oval:org.secpod.oval:def:602776 Several vulnerabilities were discovered in spice, a SPICE protocol client and server library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-9577 Frediano Ziglio of Red Hat discovered a buffer overflow vulnerability in the main_channel_alloc_msg_rcv_buf ...
oval:org.secpod.oval:def:502098 The X11 libraries provide library routines that are used within all X Window applications. The following packages have been upgraded to a later upstream version: libX11 , libXaw , libXdmcp , libXfixes , libXfont , libXi , libXpm , libXrandr , libXrender , libXt , libXtst , libXv , libXvMC , libXxf8 ...
oval:org.secpod.oval:def:1501599 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application dep ...
oval:org.secpod.oval:def:703399 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:602696 Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or information leaks.
oval:org.secpod.oval:def:602692 Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: Multiple memory safety errors, same-origin policy bypass issues, integer overflows, buffer overflows and use-after-frees may lead to the execution of arbitrary code or denial of service.
oval:org.secpod.oval:def:602687 A use-after-free vulnerability in the SVG Animation was discovered in the Mozilla Firefox web browser, allowing a remote attacker to cause a denial of service or execute arbitrary code, if a user is tricked into opening a specially crafted website.
oval:org.secpod.oval:def:703376 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:703375 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.
oval:org.secpod.oval:def:1600425 Tomcat's CGI support used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly ...
oval:org.secpod.oval:def:1901153 Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an ap ...
oval:org.secpod.oval:def:1800620 CVE: none assigned, XSA-207: memory leak when destroying guest without PT devices Reference CVE-2017-2615, XSA-208: oob access in cirrus bitblt copy Reference CVE-2017-2620, XSA-209: cirrus_bitblt_cputovideo does not check if memory region is safe Reference
oval:org.secpod.oval:def:602813 Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code, ASLR bypass, information disclosure or denial of service.
oval:org.secpod.oval:def:602856 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or information leaks. With this update, the Icedove packages are de-branded back to the official Mozilla branding. With the removing of the Debian branding the packages are also renamed bac ...
oval:org.secpod.oval:def:112212 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.
oval:org.secpod.oval:def:112203 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.
oval:org.secpod.oval:def:703476 spice: SPICE protocol client and server library Spice could be made to crash or run programs if it received specially crafted network traffic.
oval:org.secpod.oval:def:703459 firefox: Mozilla Open Source web browser Details: USN-3175-1 fixed vulnerabilities in Firefox. The update caused a regression on systems where the AppArmor profile for Firefox is set to enforce mode. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-3175-1 intr ...
oval:org.secpod.oval:def:703440 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:703436 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine - tomcat6: Servlet and JSP engine Several security issues were fixed in Tomcat.
oval:org.secpod.oval:def:703439 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.
oval:org.secpod.oval:def:1501952 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1800650 CVE: none assigned, XSA-207: memory leak when destroying guest without PT devices Reference: CVE-2017-2615, XSA-208: oob access in cirrus bitblt copy Reference: CVE-2017-2620, XSA-209: cirrus_bitblt_cputovideo does not check if memory region is safe
oval:org.secpod.oval:def:1501786 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1501789 Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potent ...
oval:org.secpod.oval:def:1501792 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.8.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:1501793 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.8.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:1501791 Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potent ...
oval:org.secpod.oval:def:1501796 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.8.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:1501794 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.8.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:1501795 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1501799 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1501749 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.7.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:1501750 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.7.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:1501751 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.7.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:1501754 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1501758 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1501759 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1501761 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:501881 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicio ...
oval:org.secpod.oval:def:1800382 CVE-2016-9893: Memory safety bugs CVE-2016-9895: CSP bypass using marquee tag CVE-2016-9897: Memory corruption in libGLES CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements CVE-2016-9900: Restricted e ...
oval:org.secpod.oval:def:501871 The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. ...
oval:org.secpod.oval:def:703569 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:703535 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.
oval:org.secpod.oval:def:1501839 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:703525 firefox: Mozilla Open Source web browser An integer overflow was discovered in Firefox.
oval:org.secpod.oval:def:703502 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:112075 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor
oval:org.secpod.oval:def:1501688 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.1 ESR. Security Fix: * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privil ...
oval:org.secpod.oval:def:1501689 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.1 ESR. Security Fix: * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privil ...
oval:org.secpod.oval:def:112022 This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor
oval:org.secpod.oval:def:602602 Hanno Boeck and Marcin Noga discovered multiple vulnerabilities in libarchive; processing malformed archives may result in denial of service or the execution of arbitrary code.
oval:org.secpod.oval:def:1501690 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.5.1 ESR. Security Fix: * A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privil ...
oval:org.secpod.oval:def:1501691 A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
oval:org.secpod.oval:def:1501692 A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
oval:org.secpod.oval:def:501974 The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtu ...
oval:org.secpod.oval:def:501984 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * Quick emulator built with the Cirrus CLGD 54xx VGA Emulator support is vulnerabl ...
oval:org.secpod.oval:def:1501701 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.6.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:1501702 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.6.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:1501706 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:1501703 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.6.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ...
oval:org.secpod.oval:def:1501717 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:112189 This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats.
oval:org.secpod.oval:def:502052 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.2.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ...
oval:org.secpod.oval:def:114363 GNU Wget is a file retrieval utility which can use either the HTTP or FTP protocols. Wget features include the ability to work in the background while you are logged out, recursive retrieval of directories, file name wildcard matching, remote file timestamp storage and comparison, use of Rest with F ...
oval:org.secpod.oval:def:114364 GNU Wget is a file retrieval utility which can use either the HTTP or FTP protocols. Wget features include the ability to work in the background while you are logged out, recursive retrieval of directories, file name wildcard matching, remote file timestamp storage and comparison, use of Rest with F ...
oval:org.secpod.oval:def:112182 This package contains an implementation of the image compression standard JPEG-2000, Part 1. It consists of tools for conversion to and from the JP2 and JPC formats.
oval:org.secpod.oval:def:1800502 A vulnerability was found in popd. It can be tricked to free a user supplied address in the following way: $ popd +-111111 This could be used to bypass restricted shells on some environments to cause use-after-free. Reference Patch
oval:org.secpod.oval:def:502063 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * A flaw was found in the way BIND handled TSIG authentication for dynamic ...
oval:org.secpod.oval:def:502065 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. Security Fix: * A flaw was found in the way BIND handled TSIG authentication for dynamic ...
oval:org.secpod.oval:def:703828 dnsmasq: Small caching DNS proxy and DHCP/TFTP server Several security issues were fixed in Dnsmasq.
oval:org.secpod.oval:def:703825 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:502075 The evince packages provide a simple multi-page document viewer for Portable Document Format , PostScript , Encapsulated PostScript files, and, with additional back-ends, also the Device Independent File format files. Security Fix: * It was found that evince did not properly sanitize the command l ... oval:org.secpod.oval:def:502078 The bash packages provide Bash , which is the default shell for Red Hat Enterprise Linux. Security Fix: * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines ... oval:org.secpod.oval:def:113043 Libsoup is an HTTP library implementation in C. It was originally part of a SOAP implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications. This enables GNOME application ... oval:org.secpod.oval:def:113044 Libsoup is an HTTP library implementation in C. It was originally part of a SOAP implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications. This enables GNOME application ... oval:org.secpod.oval:def:703808 samba: SMB/CIFS file, print, and login server for Unix Samba could be made to expose sensitive information over the network. oval:org.secpod.oval:def:703804 bind9: Internet Domain Name Server Details: USN-3346-1 fixed vulnerabilities in Bind. The fix for CVE-2017-3142 introduced a regression in the ability to receive an AXFR or IXFR in the case where TSIG is used and not every message is signed. This update fixes the problem. In addition, this update ad ... oval:org.secpod.oval:def:1501968 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:502012 The util-linux packages contain a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, these include the fdisk configuration tool and the login program. Security Fix: * A race condition was found in the way su handled the management of child pr ... oval:org.secpod.oval:def:1501973 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1501970 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1501979 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502022 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.1.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:1501985 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114336 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:114331 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:502048 Mozilla Firefox is an open source web browser. 
This update upgrades Firefox to version 52.2.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:112104 The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, Util-linux contains the fdisk configuration tool and the login program. oval:org.secpod.oval:def:1502002 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502009 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502012 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502015 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1900798 Memory safety bugs were reported in Firefox 55 and Firefox ESR 52.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thun ... oval:org.secpod.oval:def:51981 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:51980 gcab: Microsoft Cabinet file manipulation tool gcab could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:51984 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:51988 systemd: system and service manager Several security issues were fixed in systemd. 
oval:org.secpod.oval:def:602780 Several vulnerabilities were discovered in the shadow suite. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-6252 An integer overflow vulnerability was discovered, potentially allowing a local user to escalate privileges via crafted input to the newuidmap ... oval:org.secpod.oval:def:112626 Poppler, a PDF rendering library, is a fork of the xpdf PDF viewer developed by Derek Noonburg of Glyph and Cog, LLC. oval:org.secpod.oval:def:113953 This is dnsperf, a collection of DNS server performance testing tools. For more information, see the dnsperf and resperf man pages. oval:org.secpod.oval:def:112623 Evince is simple multi-page document viewer. It can display and print Portable Document Format , PostScript and Encapsulated PostScript files. When supported by the document format, evince allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks a ... oval:org.secpod.oval:def:113951 gcab is a tool to manipulate Cabinet archive. oval:org.secpod.oval:def:1502067 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:113945 This is dnsperf, a collection of DNS server performance testing tools. For more information, see the dnsperf and resperf man pages. oval:org.secpod.oval:def:113946 This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server. oval:org.secpod.oval:def:113948 BIND is an implementation of the DNS protocols. BIND includes a DNS server , which resolves host names to IP addresses; a resolver library ; and tools for verifying that the DNS server is operating properly. oval:org.secpod.oval:def:1502070 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:1502074 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502075 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:113964 This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP server. oval:org.secpod.oval:def:1502020 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502023 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502024 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502021 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502035 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502036 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603571 Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.1.37. Please see the MariaDB 10.1 Release Notes for further details: https://mariadb.com/kb/en/mariadb/mariadb-10127-release-notes/ https://mariad ... oval:org.secpod.oval:def:113928 BIND is an implementation of the DNS protocols. BIND includes a DNS server , which resolves host names to IP addresses; a resolver library ; and tools for verifying that the DNS server is operating properly. 
oval:org.secpod.oval:def:603119 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, buffer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service, cross-site scripting or bypass of the phishing and malware prot ... oval:org.secpod.oval:def:603116 Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron Bowes and Gynvael Coldwind of the Google Security Team discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, which may result in denial of service, information leak or the execution of arbit ... oval:org.secpod.oval:def:603114 Multiple security issues have been discoverd in Samba, a SMB/CIFS file, print, and login server for Unix: CVE-2017-12150 Stefan Metzmacher discovered multiple code paths where SMB signing was not enforced. CVE-2017-12151 Stefan Metzmacher discovered that tools using libsmbclient did not enforce encr ... oval:org.secpod.oval:def:703794 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:603148 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:1800581 CVE-2017-14746: Use-after-free vulnerability. Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In: Samba 4.7.3, 4.6.11 and 4.5.15 oval:org.secpod.oval:def:703762 ubufox: Ubuntu Firefox specific configuration defaults and apt support Details: USN-3391-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubufox. Original advisory This update provides compatible packages for Firefox 55. oval:org.secpod.oval:def:502120 The libsoup packages provide an HTTP client and server library for GNOME. Security Fix: * A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. 
A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially ... oval:org.secpod.oval:def:703765 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:703752 libsoup2.4: HTTP client/server library for GNOME Applications using libsoup could be made to crash or run programs as your login if it received specially crafted network traffic. oval:org.secpod.oval:def:113078 Libsoup is an HTTP library implementation in C. It was originally part of a SOAP implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications. This enables GNOME application ... oval:org.secpod.oval:def:1800541 CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements CVE-2017-7779: Memory safety bugs CVE-2017-7784: Use-after-free with image observers CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM CVE-2017-7786: Buffer overflow while painting non-displayable SVG CVE-2 ... oval:org.secpod.oval:def:1800543 A vulnerability was found in popd. It can be tricked to free a user supplied address in the following way: $ popd +-111111 This could be used to bypass restricted shells on some environments to cause use-after-free.. oval:org.secpod.oval:def:603183 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-14746 Yihan Lian and Zhibin Hu of Qihoo 360 GearTeam discovered a use-after-free vulnerability allowing ... 
oval:org.secpod.oval:def:603174 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code, denial of service or bypass of the same origin policy. oval:org.secpod.oval:def:1800537 CVE-2017-7793: Use-after-free with Fetch API CVE-2017-7818: Use-after-free during ARIA array manipulation CVE-2017-7819: Use-after-free while resizing images in design mode CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE CVE-2017-7805: Use-after-free in TLS 1.2 generat ... oval:org.secpod.oval:def:113083 Libsoup is an HTTP library implementation in C. It was originally part of a SOAP implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. libsoup uses the Glib main loop and is designed to work well with GTK applications. This enables GNOME application ... oval:org.secpod.oval:def:502175 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.3.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:1501895 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:703954 bind9: Internet Domain Name Server Bind could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:1501896 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502182 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.4.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. 
A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:502181 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.3.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:1800616 Improper sequencing during cleanup operations of upstream recursion fetch contexts in BIND can lead to a use-after-free error, triggering an assertion failure and crash in named. Affected BIND versions acting as DNSSEC validating resolvers are currently known to crash with an assertion failure in ne ... oval:org.secpod.oval:def:502195 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.5.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:502196 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A use-after-free flaw was found in the way samba servers handled c ... oval:org.secpod.oval:def:53464 Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.1.37. Please see the MariaDB 10.1 Release Notes for further details: https://mariadb.com/kb/en/mariadb/mariadb-10127-release-notes/ https://mariad ... oval:org.secpod.oval:def:502130 Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * A stack-based buffer overflow was found in the poppler library. 
An attacker could create a malicious PDF file that would cause applications that use poppler to crash, or potentially execut ... oval:org.secpod.oval:def:703916 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:502139 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * A race condition was found in samba server. A malicious samba clie ... oval:org.secpod.oval:def:1501852 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1501850 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:113589 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:502140 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * It was found that samba did not enforce "SMB signing" when certain configuratio ... oval:org.secpod.oval:def:502141 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * It was found that samba did not enforce "SMB signing" wh ... oval:org.secpod.oval:def:502144 The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, exec ... 
oval:org.secpod.oval:def:502143 The dnsmasq packages contain Dnsmasq, a lightweight DNS forwarder and DHCP server. Security Fix: * A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, exec ... oval:org.secpod.oval:def:703907 firefox: Mozilla Open Source web browser Details: USN-3477-1 fixed vulnerabilities in Firefox. The update caused search suggestions to not be displayed when performing Google searches from the search bar. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-3477-1 ... oval:org.secpod.oval:def:502147 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.4.0 ESR. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with t ... oval:org.secpod.oval:def:602854 Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, buffer overflows and other implementation errors may lead to the execution of arbitrary code, information disclosure or denial of service. oval:org.secpod.oval:def:113525 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:603209 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:1600736 Security Fix: A flaw was found in the way BIND handled TSIG authentication for dynamic updates. A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone, by forging a valid TSIG or SIG signature for a dynamic update request. A f ... 
oval:org.secpod.oval:def:113604 Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-all ... oval:org.secpod.oval:def:603225 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service, information disclosure or spoofing of sender"s email addresses. oval:org.secpod.oval:def:1600759 popd controlled free:A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session.Arbitrary code execution via malicious hostname:An arbitrary command inject ... oval:org.secpod.oval:def:1600782 Stack-buffer overflow in GfxState.cc:A stack-based buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler to crash, or potentially execute arbitrary code when opened. Integer overflow in JBIG2Stream.cc:An intege ... oval:org.secpod.oval:def:1600780 Information leak in the DHCPv6 relay codeAn information leak was found in dnsmasq in the DHCPv6 relay code. An attacker on the local network could send crafted DHCPv6 packets to dnsmasq causing it to forward the contents of process memory, potentially leaking sensitive data. Memory exhaustion vulner ... oval:org.secpod.oval:def:603248 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, integer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service or URL spoofing. 
oval:org.secpod.oval:def:603249 It was discovered that gcab, a Microsoft Cabinet file manipulation tool, is prone to a stack-based buffer overflow vulnerability when extracting .cab files. An attacker can take advantage of this flaw to cause a denial-of-service or, potentially the execution of arbitrary code with the privileges of ... oval:org.secpod.oval:def:1600789 Server memory information leak over SMB1:An information leak flaw was found in the way SMB1 protocol was implemented by Samba. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be c ... oval:org.secpod.oval:def:1501925 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1501926 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:52198 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:502219 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.2. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:502223 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Security Fix: * A use-after-free flaw leading to denial of service was found in the way ... oval:org.secpod.oval:def:502224 The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. 
Security Fix: * A use-after-free flaw leading to denial of service was found in the way ... oval:org.secpod.oval:def:603255 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or URL spoofing. oval:org.secpod.oval:def:703891 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:1501949 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502231 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:502234 The gcab package contains a utility for managing the Cabinet archives. It can list, extract, and create Microsoft cabinet files. Security Fix: * gcab: Extracting malformed .cab files causes stack smashing potentially leading to arbitrary code execution For more details about the security issue, in ... oval:org.secpod.oval:def:502233 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.6.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:703888 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:1501960 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1501904 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:1501905 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114062 gcab is a tool to manipulate Cabinet archive. oval:org.secpod.oval:def:703855 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:502200 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * A use-after-free flaw was found in the way samba servers handled certain SMB1 requests. A ... oval:org.secpod.oval:def:502203 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.5.0. Security Fix: * Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute a ... oval:org.secpod.oval:def:113295 Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-all ... oval:org.secpod.oval:def:113296 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:53101 It was discovered that Atril, the MATE document viewer, made insecure use of tar when opening tar comic book archives . Opening a malicious CBT archive could result in the execution of arbitrary code. This update disables the CBT format entirely. 
oval:org.secpod.oval:def:53110 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, buffer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service, bypass of the same-origin policy or incorrect enforcement of CS ... oval:org.secpod.oval:def:53104 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. Debian follows the extended support releases of Thunderbird. Support for the 45.x series has ended, so starting with this update we"re now following the 52.x releases. oval:org.secpod.oval:def:602935 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, buffer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service or domain spoofing. Debian follows the extended support releases ... oval:org.secpod.oval:def:113256 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:1700076 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.57 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability c ... oval:org.secpod.oval:def:113679 Samba is the standard Windows interoperability suite of programs for Linux and Unix. oval:org.secpod.oval:def:51796 bash: GNU Bourne Again SHell Several security issues were fixed in Bash. oval:org.secpod.oval:def:112789 Evince is simple multi-page document viewer. It can display and print Portable Document Format , PostScript and Encapsulated PostScript files. 
When supported by the document format, evince allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks a ... oval:org.secpod.oval:def:1700009 Improper fetch cleanup sequencing in the resolver can cause named to crashA use-after-free flaw leading to denial of service was found in the way BIND internally handled cleanup operations on upstream recursion fetch contexts. A remote attacker could potentially use this flaw to make named, acting a ... oval:org.secpod.oval:def:1700007 Access to automounted volumes can lock upA race condition was found in systemd. This could result in automount requests not being serviced and processes using them could hang, causing denial of service. oval:org.secpod.oval:def:112860 poppler is a PDF rendering library. oval:org.secpod.oval:def:51821 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:51835 bind9: Internet Domain Name Server Bind could be made to serve incorrect information or expose sensitive information over the network. oval:org.secpod.oval:def:51839 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:51840 poppler: PDF rendering library poppler could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:51842 evince: Document viewer Evince could be made run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:703594 firefox: Mozilla Open Source web browser Details: USN-3260-1 fixed vulnerabilities in Firefox. The update caused the date picker panel and form validation errors to close immediately on opening. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-3260-1 caused a ... 
oval:org.secpod.oval:def:703584 shadow: system login tools su could be made to crash or stop programs as an administrator. oval:org.secpod.oval:def:1900922 Memory safety bugs were reported in Firefox 57 and Firefox ESR 52.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, an ... oval:org.secpod.oval:def:1502294 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:43359 The host is installed with Mozilla Thunderbird before 52.5.2 and is prone to an address spoofing vulnerability. A flaw is present in the application, which fails to properly handle null character. Successful exploitation could allow attackers to modify the message body. oval:org.secpod.oval:def:1501804 The bash packages provide Bash , which is the default shell for Red Hat Enterprise Linux. Security Fix: * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines ... oval:org.secpod.oval:def:43358 The host is installed with Mozilla Thunderbird before 52.5.2 and is prone to a cross site scripting vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation could allow attackers to inject new lines into the created email structure. oval:org.secpod.oval:def:43357 The host is installed with Mozilla Thunderbird before 52.5.2 and is prone to an information disclosure vulnerability. A flaw is present in the application, which fails to handle crafted CSS. Successful exploitation could allow attackers to leak and reveal local path strings, which may contain user n ... 
oval:org.secpod.oval:def:43356 The host is installed with Mozilla Thunderbird before 52.5.2 and is prone to a javascript execution vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation could allow attackers to execute JavaScript in the parsed RSS feed. oval:org.secpod.oval:def:43360 The host is missing a security update according to Mozilla advisory, MFSA 2017-30. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle to crafted data. Successful exploitation could allow attackers to disclose sensitive information, ... oval:org.secpod.oval:def:1501816 The coreutils packages contain the GNU Core Utilities and represent a combination of the previously used GNU fileutils, sh-utils, and textutils packages. Security Fix: * A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this ... oval:org.secpod.oval:def:502349 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a later upstream version: mariadb . Security Fix: * mysql: Client programs unspecified vulnerability * mysql: Server: DML unspecified vulnerability * my ... oval:org.secpod.oval:def:1501823 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:53186 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code, denial of service or bypass of the same origin policy. oval:org.secpod.oval:def:1600694 Sending SIGKILL to other processes with root privileges via su:A race condition was found in the way su handled the management of child processes. 
A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. oval:org.secpod.oval:def:53194 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-14746 Yihan Lian and Zhibin Hu of Qihoo 360 GearTeam discovered a use-after-free vulnerability allowing ... oval:org.secpod.oval:def:115062 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:1501845 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1501843 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:53115 Aleksandar Nikolic of Cisco Talos discovered a stack-based buffer overflow vulnerability in libsoup2.4, a HTTP library implementation in C. A remote attacker can take advantage of this flaw by sending a specially crafted HTTP request to cause an application using the libsoup2.4 library to crash , or ... oval:org.secpod.oval:def:1800303 CVE-2017-12150: SMB1/2/3 connections may not require signing where they should Affected versions samba 3.0.25 to 4.6.7 Fixed in samba 4.6.8, 4.5.14 and 4.4.16 oval:org.secpod.oval:def:703982 firefox: Mozilla Open Source web browser Details: USN-3544-1 fixed vulnerabilities in Firefox. The update caused a web compatibility regression and a tab crash during printing in some circumstances. This update fixes the problem. We apologize for the inconvenience. Original advisory USN-3544-1 cause ... 
oval:org.secpod.oval:def:53131 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:703970 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:53143 Multiple security issues have been discoverd in Samba, a SMB/CIFS file, print, and login server for Unix: CVE-2017-12150 Stefan Metzmacher discovered multiple code paths where SMB signing was not enforced. CVE-2017-12151 Stefan Metzmacher discovered that tools using libsmbclient did not enforce encr ... oval:org.secpod.oval:def:53145 Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron Bowes and Gynvael Coldwind of the Google Security Team discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, which may result in denial of service, information leak or the execution of arbit ... oval:org.secpod.oval:def:703975 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:53148 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, buffer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service, cross-site scripting or bypass of the phishing and malware prot ... oval:org.secpod.oval:def:703965 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:43351 The host is installed with Mozilla Thunderbird before 52.5.2 and is prone to a javascript execution vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation could allow attackers to execute JavaScript in the parsed RSS feed. 
oval:org.secpod.oval:def:703964 gcab: Microsoft Cabinet file manipulation tool gcab could be made to crash or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:43355 The host is missing a security update according to Mozilla advisory, MFSA 2017-30. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle to crafted data. Successful exploitation could allow attackers to disclose sensitive information, ... oval:org.secpod.oval:def:43354 The host is installed with Mozilla Thunderbird before 52.5.2 and is prone to an address spoofing vulnerability. A flaw is present in the application, which fails to properly handle null character. Successful exploitation could allow attackers to modify the message body. oval:org.secpod.oval:def:43353 The host is installed with Mozilla Thunderbird before 52.5.2 and is prone to a cross site scripting vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation could allow attackers to inject new lines into the created email structure. oval:org.secpod.oval:def:43352 The host is installed with Mozilla Thunderbird before 52.5.2 and is prone to an information disclosure vulnerability. A flaw is present in the application, which fails to handle crafted CSS. Successful exploitation could allow attackers to leak and reveal local path strings, which may contain user n ... oval:org.secpod.oval:def:603094 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:703700 evince: Document viewer Evince could be made run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:53220 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service, information disclosure or spoofing of sender"s email addresses. 
oval:org.secpod.oval:def:112080 The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, Util-linux contains the fdisk configuration tool and the login program. oval:org.secpod.oval:def:1800406 An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. Fixed In Vers ... oval:org.secpod.oval:def:113341 Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-all ... oval:org.secpod.oval:def:115542 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:1502100 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502101 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:51898 samba: SMB/CIFS file, print, and login server for Unix Samba could be made to expose sensitive information over the network. oval:org.secpod.oval:def:1502115 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502114 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:1502128 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502130 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502131 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:51866 libsoup2.4: HTTP client/server library for GNOME Applications using libsoup could be made to crash or run programs as your login if it received specially crafted network traffic. oval:org.secpod.oval:def:51872 ubufox: Ubuntu Firefox specific configuration defaults and apt support Details: USN-3391-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubufox. Original advisory This update provides compatible packages for Firefox 55. oval:org.secpod.oval:def:51875 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:51890 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:51935 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:51938 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:51952 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:112944 BIND is an implementation of the DNS protocols. This package set contains only export version of BIND libraries, that are used for building ISC DHCP. oval:org.secpod.oval:def:112945 MinGW Windows Poppler library. 
oval:org.secpod.oval:def:112940 MinGW Windows Poppler library. oval:org.secpod.oval:def:112943 DHCP oval:org.secpod.oval:def:51908 dnsmasq: Small caching DNS proxy and DHCP/TFTP server Several security issues were fixed in Dnsmasq. oval:org.secpod.oval:def:51905 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:703693 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:112968 Evince is simple multi-page document viewer. It can display and print Portable Document Format , PostScript and Encapsulated PostScript files. When supported by the document format, evince allows searching for text, copying text to the clipboard, hypertext navigation, table-of-contents bookmarks a ... oval:org.secpod.oval:def:703694 poppler: PDF rendering library poppler could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:51918 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:703685 bind9: Internet Domain Name Server Bind could be made to serve incorrect information or expose sensitive information over the network. oval:org.secpod.oval:def:112948 MinGW Windows Poppler library. oval:org.secpod.oval:def:603028 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. Debian follows the extended support releases of Thunderbird. Support for the 45.x series has ended, so starting with this update we"re now following the 52.x releases. oval:org.secpod.oval:def:1800460 CVE-2017-14746: Use-after-free vulnerability. Affected Versions All versions of Samba from 4.0.0 onwards. Fixed In Samba 4.7.3, 4.6.11 and 4.5.15 oval:org.secpod.oval:def:1800466 CVE-2017-14746: Use-after-free vulnerability. 
Affected Versions: All versions of Samba from 4.0.0 onwards. Fixed In: Samba 4.7.3, 4.6.11 and 4.5.15 oval:org.secpod.oval:def:603016 It was discovered that Atril, the MATE document viewer, made insecure use of tar when opening tar comic book archives . Opening a malicious CBT archive could result in the execution of arbitrary code. This update disables the CBT format entirely. oval:org.secpod.oval:def:1800451 CVE-2016-6252: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. oval:org.secpod.oval:def:603049 Aleksandar Nikolic of Cisco Talos discovered a stack-based buffer overflow vulnerability in libsoup2.4, a HTTP library implementation in C. A remote attacker can take advantage of this flaw by sending a specially crafted HTTP request to cause an application using the libsoup2.4 library to crash , or ... oval:org.secpod.oval:def:703656 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:603043 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, buffer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service, bypass of the same-origin policy or incorrect enforcement of CS ... oval:org.secpod.oval:def:502007 The bash packages provide Bash , which is the default shell for Red Hat Enterprise Linux. Security Fix: * An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines ... oval:org.secpod.oval:def:502006 The coreutils packages contain the GNU Core Utilities and represent a combination of the previously used GNU fileutils, sh-utils, and textutils packages. Security Fix: * A race condition was found in the way su handled the management of child processes. 
A local authenticated attacker could use this ... oval:org.secpod.oval:def:1800476 CVE-2017-7826: Memory safety bugs CVE-2017-7828: Use-after-free of PressShell while restyling layout CVE-2017-7830: Cross-origin URL information leak through Resource Timing API Fixed In:¶ Firefox ESR 52.5 oval:org.secpod.oval:def:53235 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, integer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service or URL spoofing. oval:org.secpod.oval:def:53236 It was discovered that gcab, a Microsoft Cabinet file manipulation tool, is prone to a stack-based buffer overflow vulnerability when extracting .cab files. An attacker can take advantage of this flaw to cause a denial-of-service or, potentially the execution of arbitrary code with the privileges of ... oval:org.secpod.oval:def:703612 bash: GNU Bourne Again SHell Several security issues were fixed in Bash. oval:org.secpod.oval:def:703609 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:1800434 An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. Fixed In Vers ... oval:org.secpod.oval:def:53311 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation. oval:org.secpod.oval:def:115691 MinGW Windows Poppler library. 
oval:org.secpod.oval:def:2001411 It was found that sssd"s sysdb_search_user_by_upn_res function before 1.16.0 did not sanitize requests when querying its local cache and was vulnerable to injection. In a centralized login environment, if a password hash was locally cached for a given user, an authenticated attacker could use this f ... oval:org.secpod.oval:def:53332 The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-1122 top read its configuration from the current working directory ... oval:org.secpod.oval:def:52010 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:52012 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:52003 isc-dhcp: DHCP server and client Several security issues were fixed in DHCP. oval:org.secpod.oval:def:52009 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba. oval:org.secpod.oval:def:114379 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:114373 DHCP oval:org.secpod.oval:def:114375 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... 
oval:org.secpod.oval:def:52022 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:52013 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:53346 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/00 ... oval:org.secpod.oval:def:52018 libvorbis: The Vorbis General Audio Compression Codec libvorbis could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:53349 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/00 ... oval:org.secpod.oval:def:1501969 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114326 LibreOffice is an Open Source, community-developed, office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editor and drawing program, with a user interface and feature set similar to other office suites. Sophisticate ... oval:org.secpod.oval:def:114344 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. 
Zsh supports command line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:51112 mozjs52: SpiderMonkey JavaScript library Several security issues were fixed in Spidermonkey. oval:org.secpod.oval:def:114752 GnuPG is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of ... oval:org.secpod.oval:def:704295 mozjs52: SpiderMonkey JavaScript library Several security issues were fixed in Spidermonkey. oval:org.secpod.oval:def:114726 This package contains dcraw, a command line tool to decode raw image data downloaded from digital cameras. oval:org.secpod.oval:def:46158 The host is missing a critical security update according to Mozilla advisory, MFSA2018-18. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:46154 The host is missing a security update according to Mozilla advisory, MFSA2018-18. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle the crafted data. Successful exploitation could allow attackers to disclose sensitive information, ... oval:org.secpod.oval:def:2001473 An issue was discovered in ZZIPlib 0.13.68. There is a bus error caused by the __zzip_parse_root_directory function of zip.c. Attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. oval:org.secpod.oval:def:51999 libreoffice: Office productivity suite LibreOffice would allow unintended access to files over the network. oval:org.secpod.oval:def:2000106 An issue was discovered in ZZIPlib 0.13.68. 
An invalid memory address dereference was discovered in zzip_disk_fread in mmapped.c. The vulnerability causes an application crash, which leads to denial of service. oval:org.secpod.oval:def:113957 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:1502079 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:52919 openjdk-7: Open Source Java implementation Several security issues were fixed in OpenJDK 7. oval:org.secpod.oval:def:704212 sssd: System Security Services Daemon -- metapackage SSSD could be made to expose sensitive information. oval:org.secpod.oval:def:704213 mailman: Powerful, web-based mailing list manager Mailman could be made to run arbitrary code. oval:org.secpod.oval:def:113962 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... oval:org.secpod.oval:def:52930 openjdk-7: Open Source Java implementation Several security issues were fixed in OpenJDK 7. oval:org.secpod.oval:def:704209 patch: Apply a diff file to an original Several security issues were fixed in Patch. oval:org.secpod.oval:def:2000194 An error within the "LibRaw::unpack" function in LibRaw versions prior to 0.18.7 can be exploited to trigger a NULL pointer dereference. oval:org.secpod.oval:def:52078 poppler: PDF rendering library Several security issues were fixed in poppler. 
oval:org.secpod.oval:def:52069 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:52086 patch: Apply a diff file to an original Several security issues were fixed in Patch. oval:org.secpod.oval:def:52089 mailman: Powerful, web-based mailing list manager Mailman could be made to run arbitrary code. oval:org.secpod.oval:def:52088 sssd: System Security Services Daemon -- metapackage SSSD could be made to expose sensitive information. oval:org.secpod.oval:def:115257 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file . Patch should ... oval:org.secpod.oval:def:53360 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service, cross-site request forgery or information disclosure. oval:org.secpod.oval:def:52025 openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK 8. oval:org.secpod.oval:def:52024 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:52026 libraw: raw image decoder library LibRaw could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:52042 openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK 8. oval:org.secpod.oval:def:52035 mysql-5.7: MySQL database - mysql-5.5: MySQL database Several security issues were fixed in MySQL. 
oval:org.secpod.oval:def:52052 gnupg2: GNU privacy guard - a free PGP replacement Details: This update provides the corresponding update for GnuPG 2 in Linux Mint 18.x LTS and Linux Mint 17.x LTS. Original advisory: GnuPG 2 could be made to present validity information incorrectly.
oval:org.secpod.oval:def:52061 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine Several security issues were fixed in Tomcat.
oval:org.secpod.oval:def:52062 zsh: shell with lots of features Several security issues were fixed in Zsh.
oval:org.secpod.oval:def:114005 LibreOffice is an Open Source, community-developed, office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editor and drawing program, with a user interface and feature set similar to other office suites. Sophisticate ...
oval:org.secpod.oval:def:2001542 Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in the shell autocomplete functionality. A local unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use autocomplete to traverse the before mentioned ...
oval:org.secpod.oval:def:502131 Poppler is a Portable Document Format rendering library, used by applications such as Evince. Security Fix: * An integer overflow leading to heap-based buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler to ...
oval:org.secpod.oval:def:114437 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file. Patch should ...
oval:org.secpod.oval:def:53404 Several issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak.
oval:org.secpod.oval:def:115784 Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates from 16 to 128 kbps/channel. This package contains the MinGW Windows cross compiled libvorbis library.
oval:org.secpod.oval:def:113552 Provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy service ...
oval:org.secpod.oval:def:1502344 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:2000269 zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd function. A local attacker could exploit this to cause a denial of service.
oval:org.secpod.oval:def:2000282 An error within the "kodak_radc_load_raw" function related to the "buf" variable in LibRaw versions prior to 0.18.7 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
oval:org.secpod.oval:def:114841 This package contains dcraw, a command line tool to decode raw image data downloaded from digital cameras.
oval:org.secpod.oval:def:1700124 The nss-pem package provides the PEM file reader for Network Security Services implemented as a PKCS#11 module. This update contains fixes related to CURL security updates, specifically updating an object ID when reusing a certificate.
oval:org.secpod.oval:def:114860 The zziplib library is intentionally lightweight; it offers the ability to easily extract data from files archived in a single zip file. Applications can bundle files into a single zip archive and access them. The implementation is based only on the subset of compression with the zlib algorithm whi ...
oval:org.secpod.oval:def:1700107 A null pointer dereference flaw was found in Samba RPC external printer service. An attacker could use this flaw to cause the printer spooler service to crash. A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server coul ...
oval:org.secpod.oval:def:114931 poppler is a PDF rendering library.
oval:org.secpod.oval:def:603229 Multiple vulnerabilities were discovered in the poppler PDF rendering library, which could result in denial of service or the execution of arbitrary code if a malformed PDF file is processed.
oval:org.secpod.oval:def:603268 Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that missing restrictions in the implementation of the WEBSERVICE function in LibreOffice could result in the disclosure of arbitrary files readable by the user who opens a malformed document.
oval:org.secpod.oval:def:603269 Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that missing restrictions in the implementation of the WEBSERVICE function in LibreOffice could result in the disclosure of arbitrary files readable by the user who opens a malformed document.
oval:org.secpod.oval:def:603266 Calum Hutton and the Mailman team discovered a cross site scripting and information leak vulnerability in the user options page. A remote attacker could use a crafted URL to steal cookie information or to fish for whether a user is subscribed to a list with a private roster.
oval:org.secpod.oval:def:502222 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * Multiple flaws were found in the Hotspot and AWT components of OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java ...
oval:org.secpod.oval:def:502229 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...
oval:org.secpod.oval:def:1800697 CVE-2018-1000005: HTTP/2 trailer out-of-bounds read; Affected versions: libcurl 7.49.0 to and including 7.57.0. Not affected versions: libcurl >= 7.58.0
oval:org.secpod.oval:def:603251 Two vulnerabilities were discovered in cURL, a URL transfer library. CVE-2018-1000005 Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution. CVE-2018-1000007 Craig de Stigter discovered that authentication data mi ...
oval:org.secpod.oval:def:502235 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * A flaw was found in the AWT component of OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ...
oval:org.secpod.oval:def:502239 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ...
oval:org.secpod.oval:def:502243 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...
oval:org.secpod.oval:def:502242 The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable ...
oval:org.secpod.oval:def:502245 LibreOffice is an open source, community-developed office productivity suite. It includes key desktop applications, such as a word processor, a spreadsheet, a presentation manager, a formula editor, and a drawing program. LibreOffice replaces OpenOffice and provides a similar but enhanced and extend ...
oval:org.secpod.oval:def:502244 Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: Cross-site scripting vulnerability in web UI For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References secti ...
oval:org.secpod.oval:def:502246 Mailman is a program used to help manage e-mail discussion lists. Security Fix: * mailman: Cross-site scripting vulnerability in web UI For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed in the References secti ...
oval:org.secpod.oval:def:502204 The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch and the Pluggable Authentication Modules interfaces toward the system, and a pluggable back-end system to connect to ...
oval:org.secpod.oval:def:114144 Mailman is software to help manage email discussion lists, much like Majordomo and Smartmail. Unlike most similar products, Mailman gives each mailing list a webpage, and allows users to subscribe, unsubscribe, etc. over the Web. Even the list manager can administer his or her list entirely from the ...
oval:org.secpod.oval:def:114138 Samba is the standard Windows interoperability suite of programs for Linux and Unix.
oval:org.secpod.oval:def:114134 An extensible library that implements an LDAP like API to access remote LDAP servers, or use local tdb databases.
oval:org.secpod.oval:def:1700092 An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service.
oval:org.secpod.oval:def:502250 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Buffer overflow manipulating SVG animatedPathSegList * Mozilla: Out-of-bounds write with malformed IP ...
oval:org.secpod.oval:def:502252 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.2 ESR. Security Fix: * Mozilla: Vorbis audio processing out of bounds write For more details about the security issue, including the impact, ...
oval:org.secpod.oval:def:502251 Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.7.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Buffer overflow manipulating SVG animatedPathSegList * Mozilla: Out-of-bounds write with malformed IP ...
oval:org.secpod.oval:def:502258 The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix: * Mozilla: Vorbis audio processing out of bounds ...
oval:org.secpod.oval:def:502257 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Memory safety bugs fixed in Firefox ESR 52.7 * Mozilla: Vorbis audio processing out o ...
oval:org.secpod.oval:def:502259 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.7.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 * Mozilla: Memory safety bugs fixed in Firefox ESR 52.7 * Mozilla: Vorbis audio processing out o ...
oval:org.secpod.oval:def:502261 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.3 ESR. Security Fix: * firefox: Use-after-free in compositor potentially allows code execution For more details about the security issue, incl ...
oval:org.secpod.oval:def:114550 The procps package contains a set of system utilities that provide system information. Procps includes ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch and pwdx. The ps command displays a snapshot of running processes. The top command provides a repetitive update of the sta ...
oval:org.secpod.oval:def:502263 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.7.3 ESR. Security Fix: * firefox: Use-after-free in compositor potentially allows code execution For more details about the security issue, incl ...
oval:org.secpod.oval:def:502269 The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis, a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed format for audio and music at fixed and variable bitrates. Security Fix: * Mozilla: Vorbis audio processing out of bounds ...
oval:org.secpod.oval:def:502276 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ...
oval:org.secpod.oval:def:502278 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file. Patch should ...
oval:org.secpod.oval:def:502277 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ...
oval:org.secpod.oval:def:502279 The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file. Patch should ...
oval:org.secpod.oval:def:1700072 Use-after-free when appending DOM nodes; Use-after-free using focus; Compromised IPC child process can list local filenames; Buffer overflow using computed size of canvas element; Using form to exfiltrate encrypted mail part by pressing enter in form field; S/MIME plaintext can be leaked through HTML rep ...
oval:org.secpod.oval:def:502285 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ...
oval:org.secpod.oval:def:502284 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass * OpenJDK: unrestricted deserialization of data from JCEKS key stores * OpenJ ...
oval:org.secpod.oval:def:704091 procps: /proc file system utilities Several security issues were fixed in procps-ng.
oval:org.secpod.oval:def:1700066 A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have ...
oval:org.secpod.oval:def:1700050 Multiple integer overflows leading to heap corruption flaws were discovered in file2strvec. These vulnerabilities can lead to privilege escalation for a local attacker who can create entries in procfs by starting processes, which will lead to crashes or arbitrary code execution in proc utilities run ...
oval:org.secpod.oval:def:704072 openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK 8.
oval:org.secpod.oval:def:114990 Samba is the standard Windows interoperability suite of programs for Linux and Unix.
oval:org.secpod.oval:def:1502232 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1502237 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:114543 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ...
oval:org.secpod.oval:def:704063 mysql-5.7: MySQL database Details: USN-3629-1 fixed vulnerabilities in MySQL. This update provides the corresponding updates for Ubuntu 18.04 LTS. Original advisory: Several security issues were fixed in MySQL.
oval:org.secpod.oval:def:1700037 Malicious patch files cause ed to execute arbitrary commands. GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files; specifically, the EDITOR_PROGRAM invocation can result in code execution. This attack appears to be exploitable via a patch file processed via th ...
oval:org.secpod.oval:def:1700036 1553531: Stack-based buffer overflow in exec.c:hashcmd. zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd function. A local attacker could exploit this to cause a denial of service. Stack-based buffer overflow in gen_matches_files at compctl.c. A buffer overfl ...
oval:org.secpod.oval:def:1700030 Unbounded memory allocation during deserialization in Container. Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE. Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerabi ...
oval:org.secpod.oval:def:1700034 Unbounded memory allocation during deserialization in NamedNodeMapImpl. Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE. Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerabi ...
oval:org.secpod.oval:def:114539 The procps package contains a set of system utilities that provide system information. Procps includes ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch and pwdx. The ps command displays a snapshot of running processes. The top command provides a repetitive update of the sta ...
oval:org.secpod.oval:def:704053 mysql-5.7: MySQL database - mysql-5.5: MySQL database Several security issues were fixed in MySQL.
oval:org.secpod.oval:def:1502254 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1502253 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1502259 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1700024 FTP path trickery leads to NIL byte out of bounds write: It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, re ...
oval:org.secpod.oval:def:1700021 Buffer overflow in dhclient possibly allowing code execution triggered by malicious server. An out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client mach ...
oval:org.secpod.oval:def:1700015 Vorbis audio processing out of bounds write: An out of bounds write flaw was found in the processing of vorbis audio data. A maliciously crafted file or audio stream could cause the application to crash or, potentially, execute arbitrary code.
oval:org.secpod.oval:def:1700018 Cross-site scripting vulnerability in web UI. A cross-site scripting flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user's side and force the victim to perform unintended actions.
oval:org.secpod.oval:def:1700010 Omapi code doesn't free socket descriptors when empty message is received allowing denial-of-service. It was found that the DHCP daemon did not properly clean up closed OMAPI connections in certain cases. A remote attacker able to connect to the OMAPI port could use this flaw to exhaust file descripto ...
oval:org.secpod.oval:def:704035 openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK 8.
oval:org.secpod.oval:def:704036 openjdk-7: Open Source Java implementation Several security issues were fixed in OpenJDK 7.
oval:org.secpod.oval:def:704037 libraw: raw image decoder library LibRaw could be made to crash or run programs as your login if it opened a specially crafted file.
oval:org.secpod.oval:def:704031 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:704034 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.
oval:org.secpod.oval:def:1700005 SingleEntryRegistry incorrect setup of deserialization filter. It was discovered that the JMX component of OpenJDK failed to properly set the deserialization filter for the SingleEntryRegistry in certain cases. A remote attacker could possibly use this flaw to bypass intended deserialization restrict ...
oval:org.secpod.oval:def:1700004 HTTP authentication leak in redirects. libcurl might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response ...
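Entry 1700004 above describes the mechanism behind the curl authentication leak: a set of custom request headers handed to libcurl was replayed, unchanged, to whatever host a 30x redirect pointed at. The Python below is an added example, not libcurl code and not part of any advisory on this page. It models a redirect-following client against a constructed response table (no network is touched; the host names, paths and responses are invented for the demonstration) and shows the pre-fix behaviour next to the hardened rule of dropping credential-bearing headers as soon as the redirect target's host differs from the original one.

```python
"""Added example: credential headers must not follow a redirect to another host."""
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the network. Each URL maps to (status, response headers).
# The first entry answers a 302 pointing at a different host, which is the
# situation the advisory describes. Nothing here is fetched over the wire.
FAKE_RESPONSES = {
    "https://api.example.com/login": (302, {"Location": "https://evil.example.net/capture"}),
    "https://evil.example.net/capture": (200, {}),
    "https://api.example.com/start": (302, {"Location": "/home"}),
    "https://api.example.com/home": (200, {}),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Header names (lower-cased) that carry credentials and must stay with the
# origin they were meant for. The set is an assumption for this example.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def follow_redirects(url, headers, strip_cross_host_auth=True, max_hops=5):
    """Walk the redirect chain starting at url and return, per hop, a tuple of
    (url requested, headers actually sent).

    strip_cross_host_auth=False reproduces the pre-fix behaviour: every custom
    header is replayed to whichever host the Location header names.
    strip_cross_host_auth=True is the hardened rule: once the target host is no
    longer the host the caller addressed, credential headers are dropped and
    stay dropped for the rest of the chain.
    """
    headers = dict(headers)
    start_host = urlparse(url).hostname
    hops = []
    for _ in range(max_hops):
        status, resp_headers = FAKE_RESPONSES[url]
        hops.append((url, dict(headers)))
        if status not in REDIRECT_STATUSES:
            return hops
        # Relative Locations are resolved against the URL that answered.
        url = urljoin(url, resp_headers["Location"])
        if strip_cross_host_auth and urlparse(url).hostname != start_host:
            headers = {k: v for k, v in headers.items()
                       if k.lower() not in CREDENTIAL_HEADERS}
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    creds = {"Authorization": "Bearer s3cr3t", "Accept": "application/json"}
    for mode in (False, True):
        hops = follow_redirects("https://api.example.com/login", creds,
                                strip_cross_host_auth=mode)
        for hop_url, sent in hops:
            print(f"strip={mode} -> {hop_url}: {sorted(sent)}")
```

The same-host case (`/start` to `/home`) keeps the Authorization header in both modes, so the rule costs nothing for ordinary redirects. In libcurl the analogous control is CURLOPT_UNRESTRICTED_AUTH, which in fixed releases must stay at its default (off) for credentials to be withheld from an off-host redirect target.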
oval:org.secpod.oval:def:704024 libvorbis: The Vorbis General Audio Compression Codec libvorbis could be made to crash or run programs as your login if it opened a specially crafted file.
oval:org.secpod.oval:def:603404 The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-1122 top read its configuration from the current working directory ...
oval:org.secpod.oval:def:704013 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:704012 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl.
oval:org.secpod.oval:def:603308 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-1050 It was discovered that Samba is prone to a denial of service attack when the RPC spoolss service i ...
oval:org.secpod.oval:def:704000 isc-dhcp: DHCP server and client Several security issues were fixed in DHCP.
oval:org.secpod.oval:def:603302 Several vulnerabilities have been discovered in the ISC DHCP client, relay and server. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-3144 It was discovered that the DHCP server does not properly clean up closed OMAPI connections, which can lead to exhaust ...
oval:org.secpod.oval:def:603309 Multiple vulnerabilities were discovered in cURL, a URL transfer library. CVE-2018-1000120 Duy Phan Thanh discovered that curl could be fooled into writing a zero byte out of bounds when curl is told to work on an FTP URL with the setting to only issue a single CWD command, if the directory part of ...
oval:org.secpod.oval:def:704008 samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba.
oval:org.secpod.oval:def:704009 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:603317 Richard Zhu and Huzaifa Sidhpurwala discovered that an out-of-bounds memory write when playing Vorbis media files could result in the execution of arbitrary code.
oval:org.secpod.oval:def:603315 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code, incorrect LDAP/GSS authentication, insecure use of cryptography or bypass of deserialisation restrictions.
oval:org.secpod.oval:def:603312 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service or information disclosure.
oval:org.secpod.oval:def:603313 Richard Zhu discovered that an out-of-bounds memory write in the codebook parsing code of the Libvorbis multimedia library could result in the execution of arbitrary code.
oval:org.secpod.oval:def:115092 The zziplib library is intentionally lightweight; it offers the ability to easily extract data from files archived in a single zip file. Applications can bundle files into a single zip archive and access them. The implementation is based only on the subset of compression with the zlib algorithm whi ...
oval:org.secpod.oval:def:1502264 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:603335 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or information disclosure.
oval:org.secpod.oval:def:1900953 Vulnerability in the MySQL Server component of Oracle MySQL. Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ...
oval:org.secpod.oval:def:1502272 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1502273 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:603333 It was discovered that a use-after-free in the compositor of Firefox can result in the execution of arbitrary code.
oval:org.secpod.oval:def:1502278 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:1502279 The advisory is missing the security advisory description. For more information please visit the reference link.
oval:org.secpod.oval:def:603359 It was discovered that the poppler upload for the oldstable distribution, released as DSA-4079-1, did not correctly address CVE-2017-9776 and additionally caused regressions when rendering PDFs embedding JBIG2 streams. Updated packages are now available to correct this issue.
oval:org.secpod.oval:def:603353 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code, incorrect LDAP/GSS authentication, insecure use of cryptography or bypass of deserialisation restrictions.
oval:org.secpod.oval:def:502331 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow usin ...
oval:org.secpod.oval:def:502330 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.1.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow usin ...
oval:org.secpod.oval:def:502335 The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification For more details abou ...
oval:org.secpod.oval:def:502334 The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix: * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification For more details abou ...
oval:org.secpod.oval:def:502339 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.9.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow using computed size of canvas element * Mozilla: Use ...
oval:org.secpod.oval:def:502340 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.9.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9 * Mozilla: Buffer overflow using computed size of canvas element * Mozilla: Use ...
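The gnupg2 entries above (1700066, 502334 and 502335) describe a flaw whose impact depends on where an application reads gpg's verdict from: a filename embedded in the message is echoed into gpg's log output, and an unsanitized filename containing a newline can therefore plant a line that looks like a machine-readable status message. The Python below is an added example, not gpg code and not taken from any advisory on this page. It constructs (rather than captures) the log and status lines around such a filename, shows how a consumer that parses a merged stderr stream is fooled, and contrasts it with a consumer that reads only a dedicated status fd. The exact line formats are modelled, and the fixed behaviour is assumed here to be escaping of control characters in the echoed filename.

```python
"""Added example: a filename that forges a gpg status line, and two ways of reading the verdict."""

STATUS_PREFIX = "[GNUPG:] "


def sanitize_filename(name):
    """Assumed shape of the fix: escape characters that would start a new line,
    so the filename can never spill out of the log line that quotes it."""
    return name.replace("\r", "\\r").replace("\n", "\\n")


def gpg_streams(orig_filename, sanitize, signature_ok=False):
    """Model what gpg writes while decrypting a message whose literal data
    packet carries orig_filename: machine-readable status lines (--status-fd)
    and human-readable log lines (stderr). Constructed output, not real gpg."""
    name = sanitize_filename(orig_filename) if sanitize else orig_filename
    log_lines = [
        "gpg: encrypted with 2048-bit RSA key",
        f"gpg: original file name='{name}'",
    ]
    status_lines = [STATUS_PREFIX + "BEGIN_DECRYPTION",
                    STATUS_PREFIX + "DECRYPTION_OKAY"]
    if signature_ok:
        status_lines.append(STATUS_PREFIX +
                            "GOODSIG 0123456789ABCDEF Real Signer <real@example.com>")
    status_lines.append(STATUS_PREFIX + "END_DECRYPTION")
    return status_lines, log_lines


def merged_stderr(orig_filename, sanitize, signature_ok=False):
    """What an application sees when status and log share one stream
    (the --status-fd 2 arrangement): log lines and status lines interleaved."""
    status_lines, log_lines = gpg_streams(orig_filename, sanitize, signature_ok)
    return "\n".join(log_lines + status_lines)


def naive_verify(stderr_text):
    """Vulnerable consumer: accepts any GOODSIG line it finds in the merged stream."""
    return any(line.startswith(STATUS_PREFIX + "GOODSIG")
               for line in stderr_text.split("\n"))


def strict_verify(status_lines):
    """Hardened consumer: reads only the dedicated status fd. The echoed
    filename never reaches that stream, so it cannot forge a verdict there."""
    return any(line.startswith(STATUS_PREFIX + "GOODSIG") for line in status_lines)


# Constructed attacker filename: a newline followed by a fake status line.
SPOOF_NAME = ("report.txt\n" + STATUS_PREFIX +
              "GOODSIG 0123456789ABCDEF Spoofed Signer <spoof@example.com>")

if __name__ == "__main__":
    print("merged, unsanitized :", naive_verify(merged_stderr(SPOOF_NAME, sanitize=False)))
    print("merged, sanitized   :", naive_verify(merged_stderr(SPOOF_NAME, sanitize=True)))
    status, _ = gpg_streams(SPOOF_NAME, sanitize=False)
    print("separate status fd  :", strict_verify(status))
```

Two independent defences fall out of the model: escaping on the producer side stops the filename from breaking the line it is quoted in, and reading the verdict from a stream the attacker-controlled text is never written to removes the parser's dependence on that escaping.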
oval:org.secpod.oval:def:603377 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.
oval:org.secpod.oval:def:603370 Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.60, which includes additional changes.
oval:org.secpod.oval:def:703990 libreoffice: Office productivity suite LibreOffice would allow unintended access to files over the network.
oval:org.secpod.oval:def:114165 Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates. The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis.
oval:org.secpod.oval:def:114167 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ...
oval:org.secpod.oval:def:114150 Samba is the standard Windows interoperability suite of programs for Linux and Unix.
oval:org.secpod.oval:def:114152 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ...
oval:org.secpod.oval:def:502306 The procps-ng packages contain a set of system utilities that provide system information, including ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx. Security Fix: * procps-ng, procps: Integer overflows leading to heap overflow in file2strvec * procps-ng, procps: ...
oval:org.secpod.oval:def:45516 Mozilla Firefox before 60.0 or Firefox ESR before 52.8: Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party w ...
oval:org.secpod.oval:def:45517 Mozilla Firefox before 60.0 or Firefox ESR before 52.8: The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.
oval:org.secpod.oval:def:114186 Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates. The libvorbis package contains runtime libraries for use in programs that support Ogg Vorbis.
oval:org.secpod.oval:def:502311 The procps packages contain a set of system utilities that provide system information. The procps packages include the following utilities: ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, pwdx, sysctl, pmap, and slabtop. Security Fix: * procps-ng, procps: Integer overflow ...
oval:org.secpod.oval:def:502314 The System Security Services Daemon service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch and the Pluggable Authentication Modules interfaces toward the system, and a pluggable back-end system to connect to ...
oval:org.secpod.oval:def:502318 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. Security Fix: * samba: Null pointer indirection in printer server process For mor ...
oval:org.secpod.oval:def:502320 Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. Security Fix: * samba: Null pointer indirection in printer server process For more details about the sec ...
oval:org.secpod.oval:def:1800316 CVE-2018-1000005: HTTP/2 trailer out-of-bounds read. Affected versions: libcurl 7.49.0 to and including 7.57.0. Not affected versions: libcurl >= 7.58.0
oval:org.secpod.oval:def:44721 Mozilla Firefox ESR before 52.7 or Thunderbird before 52.7: An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter.
oval:org.secpod.oval:def:44722 Mozilla Firefox ESR before 52.7 or Thunderbird before 52.7: Mozilla developers reported memory safety bugs present in Firefox ESR. These bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
oval:org.secpod.oval:def:46916 The host is missing a security update according to Mozilla advisory, MFSA2018-19. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle the crafted data. Successful exploitation could allow attackers to disclose sensitive information, ...
oval:org.secpod.oval:def:44733 The host is missing a critical security update according to Mozilla advisory, MFSA2018-07. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:44734 The host is missing a critical security update according to Mozilla advisory, MFSA2018-06. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:46917 The host is missing a critical security update according to Mozilla advisory, MFSA2018-19. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ...
oval:org.secpod.oval:def:205139 Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information. The following packages have been upgraded to a later upstream version: samba. Se ...
oval:org.secpod.oval:def:51044 procps: /proc file system utilities Several security issues were fixed in procps-ng.
oval:org.secpod.oval:def:51035 mysql-5.7: MySQL database Details: USN-3629-1 fixed vulnerabilities in MySQL. This update provides the corresponding updates for Linux Mint 19.x LTS. Original advisory: Several security issues were fixed in MySQL.
oval:org.secpod.oval:def:115103 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell, but includes many enhancements. Zsh supports command line editing, built-in spelling correction, programmable command completion, shell functions, a his ...
oval:org.secpod.oval:def:51050 gnupg2: GNU privacy guard - a free PGP replacement - gnupg: GNU privacy guard - a free PGP replacement Several security issues were fixed in GnuPG.
oval:org.secpod.oval:def:53224 Multiple vulnerabilities were discovered in the poppler PDF rendering library, which could result in denial of service or the execution of arbitrary code if a malformed PDF file is processed.
oval:org.secpod.oval:def:502374 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: A bug in the UTF-8 decoder can lead to DoS For more details about the security issue, including the impact, a CVSS score, and other related information, refer to the CVE page listed ... oval:org.secpod.oval:def:44700 Mozilla Firefox ESR before 52.7 or Thunderbird before 52.7 : An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter. oval:org.secpod.oval:def:44701 Mozilla Firefox ESR before 52.7 or Thunderbird before 52.7 : Mozilla developers reported memory safety bugs present in Firefox ESR. These bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. oval:org.secpod.oval:def:44714 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : Mozilla developers and community members reported memory safety bugs present in Firefox and Firefox ESR. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these ... oval:org.secpod.oval:def:44715 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : A buffer overflow can occur when manipulating the SVG animatedPathSegList through script. This results in a potentially exploitable crash. oval:org.secpod.oval:def:44716 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process. oval:org.secpod.oval:def:44712 The host is missing a critical security update according to Mozilla advisory, MFSA2018-07. The update is required to fix multiple vulnerabilities. 
The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:44717 Mozilla Firefox before 59.0 or Firefox ESR before 52.7 : When packets with a mismatched RTP payload type are sent in WebRTC connections, in some circumstances a potentially exploitable crash is triggered. oval:org.secpod.oval:def:44718 Mozilla Firefox before 59.0 or Firefox ESR before 52.7 : Under certain circumstances the fetch() API can return transient local copies of resources that were sent with a no-store or no-cache cache header instead of downloading a copy from the network as it should. This can result in previously store ... oval:org.secpod.oval:def:1502108 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114639 GnuPG is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of ... oval:org.secpod.oval:def:704194 poppler: PDF rendering library Several security issues were fixed in poppler. oval:org.secpod.oval:def:1502111 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:113336 Provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a plug-gable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy service ... oval:org.secpod.oval:def:114667 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. 
It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:114669 GnuPG is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC2440. Since GnuPG doesn't use any patented algorithm, it is not compatible with any version of ... oval:org.secpod.oval:def:114666 GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440 and the S/MIME standard as describe ... oval:org.secpod.oval:def:114660 GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440 and the S/MIME standard as describe ... oval:org.secpod.oval:def:114662 This is a library that defines common error values for all GnuPG components. Among these are GPG, GPGSM, GPGME, GPG-Agent, libgcrypt, pinentry, SmartCard Daemon and possibly more in the future. oval:org.secpod.oval:def:114657 This is a library that defines common error values for all GnuPG components. Among these are GPG, GPGSM, GPGME, GPG-Agent, libgcrypt, pinentry, SmartCard Daemon and possibly more in the future. oval:org.secpod.oval:def:704177 curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl. oval:org.secpod.oval:def:1502135 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:1502139 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704167 zsh: shell with lots of features Several security issues were fixed in Zsh. oval:org.secpod.oval:def:704166 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine Several security issues were fixed in Tomcat. oval:org.secpod.oval:def:704158 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:704145 zziplib: library providing read access on ZIP-archives - library zziplib could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:704147 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:603516 Multiple security issues have been found in Thunderbird: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service. Debian follows the Thunderbird upstream releases. Support for the 52.x series has ended, so starting with this update we"re now ... oval:org.secpod.oval:def:704133 openjdk-7: Open Source Java implementation Several security issues were fixed in OpenJDK 7. oval:org.secpod.oval:def:1901503 Memory safety bugs were reported in Firefox 58 and Firefox ESR 52.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, an ... oval:org.secpod.oval:def:704124 gnupg2: GNU privacy guard - a free PGP replacement Details: USN-3675-1 fixed a vulnerability in GnuPG 2 for Ubuntu 18.04 LTS and Ubuntu 17.10. 
This update provides the corresponding update for GnuPG 2 in Ubuntu 16.04 LTS and Ubuntu 14.04 LTS. Original advisory GnuPG 2 could be made to present validi ... oval:org.secpod.oval:def:603424 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/00 ... oval:org.secpod.oval:def:603425 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation. oval:org.secpod.oval:def:46109 The host is missing a critical security update according to Mozilla advisory, MFSA2018-16. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:603423 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/00 ... oval:org.secpod.oval:def:1502181 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502184 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502185 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:603420 Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/00 ... oval:org.secpod.oval:def:46110 The host is missing a critical security update according to Mozilla advisory, MFSA2018-17. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:704111 gnupg2: GNU privacy guard - a free PGP replacement - gnupg: GNU privacy guard - a free PGP replacement Several security issues were fixed in GnuPG. oval:org.secpod.oval:def:1502194 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502198 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114705 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:46129 The host is missing a critical security update according to Mozilla advisory, MFSA2018-15. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:46130 The host is missing a critical security update according to Mozilla advisory, MFSA2018-16. 
The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:603440 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service, cross-site request forgery or information disclosure. oval:org.secpod.oval:def:46131 The host is missing a critical security update according to Mozilla advisory, MFSA2018-17. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:46134 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A use-after-free vulnerability can occur when deleting an code input/code element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash. oval:org.secpod.oval:def:46133 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A buffer overflow can occur when rendering canvas content while adjusting the height and width of the 'canvas' element dynamically, causing data to be written outside of the currently computed boundaries. This results i ... oval:org.secpod.oval:def:46139 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. oval:org.secpod.oval:def:45299 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:46148 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety ... oval:org.secpod.oval:def:46145 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occuring. This can result in stream data being cast to the wrong type causing a potentially exploitable cra ... oval:org.secpod.oval:def:45298 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502145 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502148 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502149 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502146 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502147 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502151 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502152 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502155 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:1502153 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502154 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502159 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502162 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502160 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502166 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:44398 The host is installed with LibreOffice before 5.4.5 or 6.x before 6.0.1 and is prone to an arbitrary file read vulnerability. A flaw is present in the application, which fails to properly handle =WEBSERVICE calls in a document. Successful exploitation could allow remote attackers to read arbitrary f ... oval:org.secpod.oval:def:44394 The host is installed with LibreOffice before 5.4.5 or 6.0 before 6.0.1 and is prone to an arbitrary file read vulnerability. A flaw is present in the application, which fails to properly handle =WEBSERVICE calls in a document. Successful exploitation could allow remote attackers to read arbitrary f ... oval:org.secpod.oval:def:1502179 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:53281 Richard Zhu and Huzaifa Sidhpurwala discovered that an out-of-bounds memory write when playing Vorbis media files could result in the execution of arbitrary code. 
oval:org.secpod.oval:def:53288 It was discovered that a use-after-free in the compositor of Firefox can result in the execution of arbitrary code. oval:org.secpod.oval:def:53279 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code, incorrect LDAP/GSS authentication, insecure use of cryptography or bypass of deserialisation restrictions. oval:org.secpod.oval:def:1901048 Vulnerability in the MySQL Server component of Oracle MySQL . Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Succe ... oval:org.secpod.oval:def:53289 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or information disclosure. oval:org.secpod.oval:def:45211 The host is installed with Oracle MySQL Server through 5.5.59, 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: DDL. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:45213 The host is installed with Oracle MySQL Server through 5.5.59, 5.6.39 or 5.7.21 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Server: DDL. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:44769 The host is missing a critical security update according to Mozilla advisory, MFSA2018-09. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... 
oval:org.secpod.oval:def:44764 Mozilla Firefox before 59.0.1 or Firefox ESR before 52.7.2 : An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. oval:org.secpod.oval:def:44765 The host is missing a critical security update according to Mozilla advisory, MFSA2018-08. The update is required to fix out-of-bound memory write vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the se ... oval:org.secpod.oval:def:51066 zziplib: library providing read access on ZIP-archives - library zziplib could be made to crash or run programs as your login if it opened a specially crafted file. oval:org.secpod.oval:def:53238 Two vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-1000005 Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn"t affect the oldstable distribution . CVE-2018-1000007 Craig de Stigter discovered that authentication data mi ... oval:org.secpod.oval:def:1800421 LibreOffice Calc supports a WEBSERVICE function to obtain data by URL. Vulnerable versions of LibreOffice allow WEBSERVICE to take a local file URL which can be used to inject local files into the spreadsheet without warning the user. Subsequent formulas can operate on that inserted data and constr ... oval:org.secpod.oval:def:44770 The host is missing a critical security update according to Mozilla advisory, MFSA2018-09. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:44776 Mozilla Firefox before 59.0.2 or Firefox ESR before 52.7.3 : A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. 
This results in a potentially exploitable crash. oval:org.secpod.oval:def:44777 The host is missing a important security update according to Mozilla advisory, MFSA2018-10. The update is required to fix use-after-free vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the service. oval:org.secpod.oval:def:53250 Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that missing restrictions in the implementation of the WEBSERVICE function in LibreOffice could result in the disclosure of arbitrary files readable by the user who opens a malformed document. oval:org.secpod.oval:def:51074 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:51068 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:53248 Calum Hutton and the Mailman team discovered a cross site scripting and information leak vulnerability in the user options page. A remote attacker could use a crafted URL to steal cookie information or to fish for whether a user is subscribed to a list with a private roster. oval:org.secpod.oval:def:53270 Several vulnerabilities have been discovered in the ISC DHCP client, relay and server. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2017-3144 It was discovered that the DHCP server does not properly clean up closed OMAPI connections, which can lead to exhaust ... oval:org.secpod.oval:def:53273 Multiple vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-1000120 Duy Phan Thanh discovered that curl could be fooled into writing a zero byte out of bounds when curl is told to work on an FTP URL with the setting to only issue a single CWD command, if the directory part of ... 
oval:org.secpod.oval:def:53272 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-1050 It was discovered that Samba is prone to a denial of service attack when the RPC spoolss service i ... oval:org.secpod.oval:def:53277 Richard Zhu discovered that an out-of-bounds memory write in the codeboook parsing code of the Libvorbis multimedia library could result in the execution of arbitrary code. oval:org.secpod.oval:def:53276 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service or information disclosure. oval:org.secpod.oval:def:51137 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:53325 Harry Sintonen discovered that wget, a network utility to retrieve files from the web, does not properly handle "\r\n" from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replac ... oval:org.secpod.oval:def:51146 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:51149 paramiko: Python SSH2 library Paramiko could allow unintended access to network services. oval:org.secpod.oval:def:51160 spamassassin: Perl-based spam filter using text analysis Several security issues were fixed in SpamAssassin. oval:org.secpod.oval:def:115232 Paramiko is a module for python 2.3 or greater that implements the SSH2 protocol for secure connections to remote machines. Unlike SSL , the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. 
You may know SSH2 as the protocol that replaced telnet and r ... oval:org.secpod.oval:def:51155 network-manager: Network connection manager NetworkManager could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:51157 systemd: system and service manager systemd-networkd could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:51174 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:53354 It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys. oval:org.secpod.oval:def:51116 poppler: PDF rendering library poppler could be made to crash if it received specially crafted PDF file. oval:org.secpod.oval:def:51119 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:114765 Botan is a BSD-licensed crypto library written in C++. It provides a wide variety of basic cryptographic algorithms, X.509 certificates and CRLs, PKCS \#10 certificate requests, a filter/pipe message processing system, and a wide variety of other features, all written in portable C++. The API refere ... oval:org.secpod.oval:def:603605 The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled allocas and an out-of-bounds read flaw leading to an information leak , could allow an attacker to cause a denial of service or the execution of arbitrary code. Fur ... oval:org.secpod.oval:def:114771 Botan is a BSD-licensed crypto library written in C++. It provides a wide variety of basic cryptographic algorithms, X.509 certificates and CRLs, PKCS \#10 certificate requests, a filter/pipe message processing system, and a wide variety of other features, all written in portable C++. 
The API refere ... oval:org.secpod.oval:def:603538 Two security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code inside the sandboxed content process. oval:org.secpod.oval:def:603554 Multiple security issues have been found in Thunderbird: Multiple memory safety errors and use-after-frees may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:704216 wget: retrieves files from the web Wget could be made to inject arbitrary cookie values. oval:org.secpod.oval:def:603575 Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed . This update rebases ghostscript for stretch to the upstream version 9.26 which includes a ... oval:org.secpod.oval:def:115295 NetworkManager is a system service that manages network interfaces and connections based on user or automatic configuration. It supports Ethernet, Bridge, Bond, VLAN, Team, InfiniBand, Wi-Fi, mobile broadband , PPPoE and other devices, and supports a variety of different VPN services. oval:org.secpod.oval:def:115289 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ... oval:org.secpod.oval:def:502590 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... 
oval:org.secpod.oval:def:115256 Paramiko is a module for python 2.3 or greater that implements the SSH2 protocol for secure connections to remote machines. Unlike SSL , the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. You may know SSH2 as the protocol that replaced telnet and r ... oval:org.secpod.oval:def:51186 nss: Network Security Service library Several security issues were fixed in NSS. oval:org.secpod.oval:def:502534 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.2.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 * Mozilla: Use-after-free in driver timers * Mozilla: Use-after-free in IndexedDB * Mozilla: Prox ... oval:org.secpod.oval:def:502539 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:51191 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:502543 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix: * ruby: OpenSSL::X509::Name equality check does not work correctly For more details about the security issue, including the impact, a ... oval:org.secpod.oval:def:52121 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine Tomcat could be made to redirect to arbitrary locations. oval:org.secpod.oval:def:52123 pyopenssl: Python wrapper around the OpenSSL library Several security issues were fixed in pyOpenSSL. oval:org.secpod.oval:def:115346 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. 
It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ... oval:org.secpod.oval:def:53468 Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed . This update rebases ghostscript for stretch to the upstream version 9.26 which includes a ... oval:org.secpod.oval:def:2001509 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. oval:org.secpod.oval:def:114432 GNU Wget is a file retrieval utility which can use either the HTTP or FTP protocols. Wget features include the ability to work in the background while you are logged out, recursive retrieval of directories, file name wildcard matching, remote file timestamp storage and comparison, use of Rest with F ... oval:org.secpod.oval:def:115740 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ... oval:org.secpod.oval:def:1700126 Large syslogd messages sent to journald can cause stack corruption, causing journald to crash. The version of systemd on Amazon Linux 2 is not vulnerable to privilege escalation in this case. Large native messages to journald can cause stack corruption, leading to possible local privilege escalation ... oval:org.secpod.oval:def:114867 poppler is a PDF rendering library. 
oval:org.secpod.oval:def:114862 Mutt is a small but very powerful text-based MIME mail client. Mutt is highly configurable, and is well suited to the mail power user with advanced features like key bindings, keyboard macros, mail threading, regular expression searches and a powerful pattern matching language for selecting groups o ... oval:org.secpod.oval:def:704382 pyopenssl: Python wrapper around the OpenSSL library Several security issues were fixed in pyOpenSSL. oval:org.secpod.oval:def:1700112 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate privileges.It was disc ... oval:org.secpod.oval:def:114859 Mutt is a small but very powerful text-based MIME mail client. Mutt is highly configurable, and is well suited to the mail power user with advanced features like key bindings, keyboard macros, mail threading, regular expression searches and a powerful pattern matching language for selecting groups o ... oval:org.secpod.oval:def:704376 spamassassin: Perl-based spam filter using text analysis Several security issues were fixed in SpamAssassin. oval:org.secpod.oval:def:704373 systemd: system and service manager systemd-networkd could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:704371 network-manager: Network connection manager NetworkManager could be made to crash or run programs if it received specially crafted network traffic. oval:org.secpod.oval:def:1502330 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704367 paramiko: Python SSH2 library Details: USN-3796-1 fixed a vulnerability in Paramiko. This update provides the corresponding update for Ubuntu 18.10. 
Original advisory Paramiko could allow unintended access to network services. oval:org.secpod.oval:def:704350 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:704353 paramiko: Python SSH2 library Paramiko could allow unintended access to network services. oval:org.secpod.oval:def:502624 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Open redirect in default servlet For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page ... oval:org.secpod.oval:def:704344 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine Tomcat could be made to redirect to arbitrary locations. oval:org.secpod.oval:def:704335 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:704326 mutt: text-based mailreader supporting MIME, GPG, PGP and threading Details: USN-3719-1 fixed vulnerabilities in Mutt. Unfortunately, the fixes were not correctly applied to the packaging for Mutt in Ubuntu 16.04 LTS. This update corrects the oversight. We apologize for the inconvenience. Original a ... oval:org.secpod.oval:def:1502393 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704309 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:704306 poppler: PDF rendering library poppler could be made to crash if it received specially crafted PDF file. oval:org.secpod.oval:def:47606 The host is missing a moderate security update according to Mozilla advisory, MFSA2018-23. The update is required to fix a denial of service vulnerability. 
A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:47623 The host is missing a moderate security update according to Mozilla advisory, MFSA2018-23. The update is required to fix a denial of service vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:47622 The host is missing a moderate security update according to Mozilla advisory, MFSA2018-22. The update is required to fix a denial of service vulnerability. A flaw is present in the application, which fails to handle the TransportSecurityInfo used for SSL. Successful exploitation allows attackers to ... oval:org.secpod.oval:def:47624 Mozilla Firefox 62.0.2, Mozilla Firefox ESR 60.2.1, Mozilla Thunderbird 60.2.1 : A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerab ... oval:org.secpod.oval:def:115374 NetworkManager is a system service that manages network interfaces and connections based on user or automatic configuration. It supports Ethernet, Bridge, Bond, VLAN, Team, InfiniBand, Wi-Fi, mobile broadband , PPPoE and other devices, and supports a variety of different VPN services. oval:org.secpod.oval:def:53491 The Qualys Research Labs discovered multiple vulnerabilities in systemd-journald. Two memory corruption flaws, via attacker-controlled allocas and an out-of-bounds read flaw leading to an information leak , could allow an attacker to cause a denial of service or the execution of arbitrary code. Fur ... oval:org.secpod.oval:def:115383 Paramiko is a module for python 2.3 or greater that implements the SSH2 protocol for secure connections to remote machines. 
Unlike SSL , the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. You may know SSH2 as the protocol that replaced telnet and r ... oval:org.secpod.oval:def:1700090 A flaw was found in the way SpamAssassin processes HTML email containing unclosed HTML tags. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a large number of these messages are sent, a denial of service could occur potentially delaying or preventing th ... oval:org.secpod.oval:def:1700098 A cookie injection flaw was found in wget. An attacker can create a malicious website which, when accessed, overrides cookies belonging to arbitrary domains. oval:org.secpod.oval:def:1700075 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c does not forbid characters that may have unsafe interaction with message-cache pathnames, as demonstrated by a #039;/#039; character.An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They al ... oval:org.secpod.oval:def:114995 BIND is an implementation of the DNS protocols. BIND includes a DNS server , which resolves host names to IP addresses; a resolver library ; and tools for verifying that the DNS server is operating properly. oval:org.secpod.oval:def:2000392 Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on th ... oval:org.secpod.oval:def:1502257 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:2000347 Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upo ... oval:org.secpod.oval:def:704432 nss: Network Security Service library Several security issues were fixed in NSS. oval:org.secpod.oval:def:704437 systemd: system and service manager Several security issues were fixed in systemd. oval:org.secpod.oval:def:704425 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:1502298 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502297 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704407 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript. oval:org.secpod.oval:def:115047 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:502352 Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP. Security Fix: * mutt: Remote code injection vulnerability to an IMAP mailbox * mutt: Remote Code Execu ... 
oval:org.secpod.oval:def:502368 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.1 ESR. Security Fix: * Mozilla: Crash in TransportSecurityInfo due to cached data * Mozilla: Setting a master password post-Firefox 58 does no ... oval:org.secpod.oval:def:502367 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.2.1 ESR. Security Fix: * Mozilla: Crash in TransportSecurityInfo due to cached data * Mozilla: Setting a master password post-Firefox 58 does no ... oval:org.secpod.oval:def:603395 Harry Sintonen discovered that wget, a network utility to retrieve files from the web, does not properly handle "\r\n" from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replac ... oval:org.secpod.oval:def:502316 The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell , but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions , a his ... oval:org.secpod.oval:def:205142 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ... oval:org.secpod.oval:def:50168 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. 
A local attacker may use this flaw to crash systemd-journald or escalate his privileges. oval:org.secpod.oval:def:50169 An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-jou ... oval:org.secpod.oval:def:50176 In systemd before 240-1, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems. oval:org.secpod.oval:def:50177 In systemd before 240-1, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems. oval:org.secpod.oval:def:205120 NetworkManager is a system network service that manages network devices and connections, attempting to keep active network connectivity when available. Its capabilities include managing Ethernet, wireless, mobile broadband , and PPPoE devices, as well as providing VPN integration with a variety of d ... oval:org.secpod.oval:def:205127 The python-paramiko package provides a Python module that implements the SSH2 protocol for encrypted and authenticated connections to remote machines. Unlike SSL, the SSH2 protocol does not require hierarchical certificates signed by a powerful central authority. The protocol also includes the abili ... oval:org.secpod.oval:def:502372 The SpamAssassin tool provides a way to reduce unsolicited commercial email from incoming email. Security Fix: * spamassassin: Certain unclosed tags in crafted emails allow for scan timeouts and result in denial of service * spamassassin: Local user code injection in the meta rule syntax For more ... 
oval:org.secpod.oval:def:205171 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * tomcat: Open redirect in default servlet For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page ... oval:org.secpod.oval:def:114663 Libgcrypt is a general purpose crypto library based on the code used in GNU Privacy Guard. This is a development version. oval:org.secpod.oval:def:704178 mutt: text-based mailreader supporting MIME, GPG, PGP and threading Several security issues were fixed in Mutt. oval:org.secpod.oval:def:114655 Libgcrypt is a general purpose crypto library based on the code used in GNU Privacy Guard. This is a development version. oval:org.secpod.oval:def:115930 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory e ... oval:org.secpod.oval:def:115952 systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups, mainta ... oval:org.secpod.oval:def:47382 Mozilla Firefox 62, Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. 
oval:org.secpod.oval:def:47381 Mozilla Firefox 62, Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. oval:org.secpod.oval:def:47384 Mozilla Firefox 62, Mozilla Firefox ESR 60.2.1, Mozilla Thunderbird 60.2.1 : If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was ... oval:org.secpod.oval:def:47380 Mozilla Firefox 62Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : Mozilla developers and community members Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, and Andrei C ... oval:org.secpod.oval:def:2000477 Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF fil ... oval:org.secpod.oval:def:704129 libgcrypt20: LGPL Crypto library - libgcrypt11: LGPL Crypto library Libgcrypt could be made to expose sensitive information. oval:org.secpod.oval:def:603433 It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys. oval:org.secpod.oval:def:1901496 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. 
oval:org.secpod.oval:def:47869 The host is missing a critical security update according to Mozilla advisory, MFSA2018-24. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:47874 The host is missing a critical security update according to Mozilla advisory, MFSA2018-25. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:47876 The host is missing a critical security update according to Mozilla advisory, MFSA2018-25. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:47875 The host is installed with Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 or 7.0.23 to 7.0.90 and is prone to an open redirection vulnerability. A flaw is present in the application which fails to handle the issue in default servlet which returned a redirect to a directory. Successful ex ... oval:org.secpod.oval:def:47870 Mozilla Firefox 62.0.3, Mozilla Firefox ESR 60.2.2 : A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as ... oval:org.secpod.oval:def:51062 libgcrypt20: LGPL Crypto library - libgcrypt11: LGPL Crypto library Libgcrypt could be made to expose sensitive information. oval:org.secpod.oval:def:115126 SpamAssassin provides you with a way to reduce if not completely eliminate Unsolicited Commercial Email from your incoming email. 
It can be invoked by a MDA such as sendmail or postfix, or can be called from a procmail script, .forward file, etc. It uses a genetic-algorithm evolved scoring system t ... oval:org.secpod.oval:def:115157 SpamAssassin provides you with a way to reduce if not completely eliminate Unsolicited Commercial Email from your incoming email. It can be invoked by a MDA such as sendmail or postfix, or can be called from a procmail script, .forward file, etc. It uses a genetic-algorithm evolved scoring system t ... oval:org.secpod.oval:def:51092 wget: retrieves files from the web Wget could be made to inject arbitrary cookie values. oval:org.secpod.oval:def:1502408 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:51101 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:53308 Two vulnerabilities were discovered in LibreOffice"s code to parse MS Word and Structured Storage files, which could result in denial of service and potentially the execution of arbitrary code if a malformed file is opened. oval:org.secpod.oval:def:1502467 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502468 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502466 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502475 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:1502476 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502423 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502424 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502428 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603616 Christophe Fergeau discovered an out-of-bounds read vulnerability in spice, a SPICE protocol client and server library, which might result in denial of service , or possibly, execution of arbitrary code. oval:org.secpod.oval:def:1502429 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603612 Tavis Ormandy discovered a vulnerability in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed Postscript file is processed . oval:org.secpod.oval:def:603618 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or privilege escalation. oval:org.secpod.oval:def:1502436 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502437 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603643 Chris Coulson discovered a flaw in systemd leading to denial of service. An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus. 
oval:org.secpod.oval:def:1502445 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502444 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502447 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603637 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. oval:org.secpod.oval:def:603638 Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code, denial of service or spoofing of S/MIME signatures. oval:org.secpod.oval:def:704251 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:603588 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or bypass of the same-origin policy. oval:org.secpod.oval:def:704654 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:704655 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:502585 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.4.0 ESR. 
Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 * Mozilla: Memory corruption in Angle * Mozilla: ... oval:org.secpod.oval:def:502587 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.4.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 * Mozilla: Memory corruption in Angle * Mozilla: ... oval:org.secpod.oval:def:45313 The host is installed with LibreOffice before 5.4.6.1 or 6.x before 6.0.2001 and is prone to a heap-based buffer overflow vulnerability. A flaw is present in the application, which fails to properly validate a customizations index. Successful exploitation could allow remote attackers to crash the se ... oval:org.secpod.oval:def:45314 The host is installed with LibreOffice before 5.4.5 or 6.x before 6.0.1 and is prone to an use-after-free vulnerability. A flaw is present in the application, which fails to properly handle an incorrect integer data type in the StgSmallStrm class. Successful exploitation could allow remote attackers ... oval:org.secpod.oval:def:502595 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.4.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 * chromium-browser, firefox: Memory corruption in Angle * Mozilla: Use-after-free with select elem ... oval:org.secpod.oval:def:502594 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.4.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 * chromium-browser, firefox: Memory corruption in Angle * Mozilla: Use-after-free with select elem ... oval:org.secpod.oval:def:502599 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. 
This update upgrades Firefox to version 60.5.0 ESR. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * ... oval:org.secpod.oval:def:51199 ghostscript: PostScript and PDF interpreter Ghostscript could be made to crash, access files, or run programs if it opened a specially crafted file. oval:org.secpod.oval:def:52135 libreoffice: Office productivity suite Several security issues were fixed in LibreOffice. oval:org.secpod.oval:def:51222 systemd: system and service manager systemd could be made to crash if it received specially a crafted D-Bus message. oval:org.secpod.oval:def:51228 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:51227 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:1900480 libical-dev 1.0 allows remote attackers to cause a denial of service via a crafted ics file. oval:org.secpod.oval:def:50328 The host is missing a critical security update according to Mozilla advisory, MFSA2018-31. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:50329 The host is missing a critical security update according to Mozilla advisory, MFSA2018-31. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. 
oval:org.secpod.oval:def:1700163 When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manual ...
oval:org.secpod.oval:def:1700148 Spice, versions 0.5.2 through 0.14.0, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers.
oval:org.secpod.oval:def:51204 spice: SPICE protocol client and server library Spice could be made to crash or run programs if it received specially crafted network traffic.
oval:org.secpod.oval:def:51207 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:1700139 It was found that bus_process_object in bus-objects.c allocates a buffer on the stack large enough to temporarily store the object path specified in the incoming message. A malicious unprivileged local user could send a message which results in the stack pointer moving outside of the bounds of the curr ...
oval:org.secpod.oval:def:1502313 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1502312 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:502612 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.1 ESR. Security Fix: * chromium-browser, mozilla: Use after free in Skia * mozilla: Integer overflow in Skia For more details about the secur ...
oval:org.secpod.oval:def:502614 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.1 ESR. Security Fix: * chromium-browser, mozilla: Use after free in Skia * mozilla: Integer overflow in Skia For more details about the secur ...
oval:org.secpod.oval:def:502613 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...
oval:org.secpod.oval:def:502629 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM ...
oval:org.secpod.oval:def:502628 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM ...
oval:org.secpod.oval:def:502630 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: superexec operator is available * ghostscript: forceput in DefineResource ...
oval:org.secpod.oval:def:502634 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1.
Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrect ...
oval:org.secpod.oval:def:502636 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrect ...
oval:org.secpod.oval:def:50800 The host is missing a high security update according to Mozilla advisory, MFSA2019-05. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code.
oval:org.secpod.oval:def:50803 The host is missing a high security update according to Mozilla advisory, MFSA2019-04. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application.
oval:org.secpod.oval:def:50804 The host is missing a high security update according to Mozilla advisory, MFSA2019-05. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application.
oval:org.secpod.oval:def:502601 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine arch ...
oval:org.secpod.oval:def:502600 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.
This update upgrades Firefox to version 60.5.0 ESR. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * ...
oval:org.secpod.oval:def:502607 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.5.0. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * Mozilla: Privilege escalation through IPC channel ...
oval:org.secpod.oval:def:502606 The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtu ...
oval:org.secpod.oval:def:502608 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.5.0. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * Mozilla: Privilege escalation through IPC channel ...
oval:org.secpod.oval:def:502690 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...
oval:org.secpod.oval:def:502692 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: superexec operator is available * ghostscript: forceput in DefineResource ...
oval:org.secpod.oval:def:53065 The host is installed with Artifex Ghostscript through 9.26 and is prone to a remote code execution vulnerability. A flaw is present in the application, which fails to properly handle the system operators. Successful exploitation could allow attackers to perform remote code execution.
oval:org.secpod.oval:def:502655 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.1 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DO ...
oval:org.secpod.oval:def:53497 Tavis Ormandy discovered a vulnerability in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or the execution of arbitrary code if a malformed PostScript file is processed.
oval:org.secpod.oval:def:53007 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel The system could be made unavailable if it received specially crafted network traffic.
oval:org.secpod.oval:def:53020 The host is missing a critical security update according to Mozilla advisory, MFSA2019-08. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code.
oval:org.secpod.oval:def:53499 Christophe Fergeau discovered an out-of-bounds read vulnerability in spice, a SPICE protocol client and server library, which might result in denial of service, or possibly, execution of arbitrary code.
oval:org.secpod.oval:def:53578 The host is installed with Artifex Ghostscript before 9.27 and is prone to a privilege escalation vulnerability. A flaw is present in the application, which fails to properly handle a crafted PostScript file.
Successful exploitation could allow attackers to use this flaw in order to, for example, have ...
oval:org.secpod.oval:def:53579 The host is installed with Artifex Ghostscript before 9.27 and is prone to a privilege escalation vulnerability. A flaw is present in the application, which fails to properly handle a crafted PostScript file. Successful exploitation could allow attackers to use this flaw in order to, for example, have ...
oval:org.secpod.oval:def:53516 Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code, denial of service or spoofing of S/MIME signatures.
oval:org.secpod.oval:def:53515 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.
oval:org.secpod.oval:def:53521 Chris Coulson discovered a flaw in systemd leading to denial of service. An unprivileged user could take advantage of this issue to crash PID1 by sending a specially crafted D-Bus message on the system bus.
oval:org.secpod.oval:def:1700063 Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue and tcp_prune_ofo_queue for every incoming packet which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessi ...
oval:org.secpod.oval:def:603829 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.
oval:org.secpod.oval:def:50461 The host is missing a critical security update according to Mozilla advisory, MFSA2019-01. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code.
oval:org.secpod.oval:def:50453 The host is missing a critical security update according to Mozilla advisory, MFSA2019-02. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code.
oval:org.secpod.oval:def:50472 It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system and execute commands.
oval:org.secpod.oval:def:50462 The host is missing a critical security update according to Mozilla advisory, MFSA2019-02. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code.
oval:org.secpod.oval:def:50463 Mozilla Firefox 65, Mozilla Firefox ESR 60.5 and Mozilla Thunderbird 60.5: A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash.
oval:org.secpod.oval:def:50464 Mozilla Firefox 64, Mozilla Firefox ESR 60.4 and Mozilla Thunderbird 60.5: Mozilla developers and community members Alex Gaynor, Christoph Diehl, Steven Crane, Jason Kratzer, Gary Kwong, and Christian Holler reported memory safety bugs present in Firefox 64 and Firefox ESR 60.4. Some of these bugs s ...
oval:org.secpod.oval:def:50468 Mozilla Firefox 65, Mozilla Firefox ESR 60.5 and Mozilla Thunderbird 60.5: An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication between IPC endpoints and server parents during IPC process creation. This authentication is insufficic ...
oval:org.secpod.oval:def:50469 Mozilla Firefox 65: When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by defa ...
oval:org.secpod.oval:def:603838 Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code or denial of service.
oval:org.secpod.oval:def:53501 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or privilege escalation.
oval:org.secpod.oval:def:50880 The host is missing a high security update according to Mozilla advisory, MFSA2019-06. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the service.
oval:org.secpod.oval:def:603851 Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL PostScript/PDF interpreter, which could result in bypass of file system restrictions of the dSAFER sandbox.
oval:org.secpod.oval:def:704499 systemd: system and service manager systemd could be made to crash if it received a specially crafted D-Bus message.
oval:org.secpod.oval:def:704486 libreoffice: Office productivity suite Several security issues were fixed in LibreOffice.
oval:org.secpod.oval:def:704473 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website.
oval:org.secpod.oval:def:704462 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel The system could be made unavailable if it received specially crafted network traffic.
oval:org.secpod.oval:def:50503 Mozilla Thunderbird 60.5: A vulnerability in the Libical library used by Thunderbird can allow remote attackers to cause a denial of service (use-after-free) via a crafted ICS calendar file.
oval:org.secpod.oval:def:50504 The host is missing a critical security update according to Mozilla advisory, MFSA2019-03. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code.
oval:org.secpod.oval:def:50506 Mozilla Thunderbird 60.5: A vulnerability in the Libical library used by Thunderbird can allow remote attackers to cause a denial of service (use-after-free) via a crafted ICS calendar file.
oval:org.secpod.oval:def:50507 The host is missing a critical security update according to Mozilla advisory, MFSA2019-03. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code.
oval:org.secpod.oval:def:704468 spice: SPICE protocol client and server library Spice could be made to crash or run programs if it received specially crafted network traffic.
oval:org.secpod.oval:def:115909 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine a ...
oval:org.secpod.oval:def:704450 ghostscript: PostScript and PDF interpreter Ghostscript could be made to crash, access files, or run programs if it opened a specially crafted file.
oval:org.secpod.oval:def:704452 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.
oval:org.secpod.oval:def:502707 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrec ...
oval:org.secpod.oval:def:1502285 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:50953 The host is missing a high security update according to Mozilla advisory, MFSA2019-06. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the service.
oval:org.secpod.oval:def:603372 Two vulnerabilities were discovered in LibreOffice's code to parse MS Word and Structured Storage files, which could result in denial of service and potentially the execution of arbitrary code if a malformed file is opened.
oval:org.secpod.oval:def:704853 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.
oval:org.secpod.oval:def:704838 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript.
oval:org.secpod.oval:def:205148 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.4.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 * chromium-browser, firefox: Memory corruption in Angle * Mozilla: Use-after-free with select elem ...
oval:org.secpod.oval:def:205136 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.4.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 * Mozilla: Memory corruption in Angle * Mozilla: ...
oval:org.secpod.oval:def:205137 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.4.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 * Mozilla: Memory corruption in Angle * Mozilla: ...
oval:org.secpod.oval:def:205181 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrect ...
oval:org.secpod.oval:def:205175 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM ...
oval:org.secpod.oval:def:205176 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.6.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM ...
oval:org.secpod.oval:def:205177 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: superexec operator is available * ghostscript: forceput in DefineResource ...
oval:org.secpod.oval:def:205179 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.6.1.
Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 * Mozilla: Use-after-free when removing in-use DOM elements * Mozilla: Type inference is incorrect ...
oval:org.secpod.oval:def:205160 The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes usi ...
oval:org.secpod.oval:def:205161 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.1 ESR. Security Fix: * chromium-browser, mozilla: Use after free in Skia * mozilla: Integer overflow in Skia For more details about the secur ...
oval:org.secpod.oval:def:205162 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.1 ESR. Security Fix: * chromium-browser, mozilla: Use after free in Skia * mozilla: Integer overflow in Skia For more details about the secur ...
oval:org.secpod.oval:def:205152 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.4.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 64 and Firefox ESR 60.4 * chromium-browser, firefox: Memory corruption in Angle * Mozilla: Use-after-free with select elem ...
oval:org.secpod.oval:def:205154 The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtu ...
oval:org.secpod.oval:def:205155 Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 60.5.0. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * Mozilla: Privilege escalation through IPC channel ...
oval:org.secpod.oval:def:205150 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.0 ESR. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * ...
oval:org.secpod.oval:def:205151 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.5.0 ESR. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * ...
oval:org.secpod.oval:def:205156 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.5.0. Security Fix: * Mozilla: Use-after-free parsing HTML5 stream * Mozilla: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 * Mozilla: Privilege escalation through IPC channel ...
oval:org.secpod.oval:def:205158 The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine arch ...
oval:org.secpod.oval:def:45294 The host is installed with LibreOffice before 5.4.6.1 or 6.x before 6.0.2.1 and is prone to a heap-based buffer overflow vulnerability. A flaw is present in the application, which fails to properly validate a customizations index. Successful exploitation could allow remote attackers to crash the ser ...
oval:org.secpod.oval:def:45295 The host is installed with LibreOffice before 5.4.5 or 6.x before 6.0.1 and is prone to a use-after-free vulnerability. A flaw is present in the application, which fails to properly handle an incorrect integer data type in the StgSmallStrm class. Successful exploitation could allow remote attackers ...
oval:org.secpod.oval:def:502650 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: missing attack vector protections for CVE-2019-6116 For more details about ...
oval:org.secpod.oval:def:1502501 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:705151 ghostscript: PostScript and PDF interpreter Ghostscript could be made to access arbitrary files if it opened a specially crafted file.
oval:org.secpod.oval:def:205361 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator * ghostsc ...
oval:org.secpod.oval:def:1502600 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:503322 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator * ghostsc ...
oval:org.secpod.oval:def:53345 Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents.
oval:org.secpod.oval:def:1502488 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:52030 libvncserver: vnc server library LibVNCServer could be made to crash, expose sensitive information, or run programs if it received specially crafted network traffic.
oval:org.secpod.oval:def:51706 tomcat8: Servlet and JSP engine - tomcat7: Servlet and JSP engine - tomcat6: Servlet and JSP engine Several security issues were fixed in Tomcat.
oval:org.secpod.oval:def:502641 The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server. Security Fix: * mod_auth_mellon: authentication bypass in ECP flow ...
oval:org.secpod.oval:def:502653 The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server. Security Fix: * mod_auth_mellon: authentication bypass in ECP flow ...
oval:org.secpod.oval:def:502264 LibVNCServer is a C library that enables you to implement VNC server functionality into your own programs. Security Fix: * libvncserver: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c For more details about the security issue, including the impact, a CVSS score, and other re ...
oval:org.secpod.oval:def:1700039 Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified ...
oval:org.secpod.oval:def:603832 Several issues have been discovered in Apache module auth_mellon, which provides SAML 2.0 authentication. CVE-2019-3877 It was possible to bypass the redirect URL checking on logout, so the module could be used as an open redirect facility. CVE-2019-3878 When mod_auth_mellon is used in an Apache con ...
oval:org.secpod.oval:def:704044 libvncserver: vnc server library LibVNCServer could be made to crash, expose sensitive information, or run programs if it received specially crafted network traffic.
oval:org.secpod.oval:def:114190 LibVNCServer makes writing a VNC server easy. It hides the programmer from the tedious task of managing clients and compression schemata.
oval:org.secpod.oval:def:704854 libapache2-mod-auth-mellon: SAML 2.0 authentication module for Apache Several security issues were fixed in mod_auth_mellon.
oval:org.secpod.oval:def:114235 LibVNCServer makes writing a VNC server easy. It hides the programmer from the tedious task of managing clients and compression schemata.
oval:org.secpod.oval:def:205187 The mod_auth_mellon module for the Apache HTTP Server is an authentication service that implements the SAML 2.0 federation protocol. The module grants access based on the attributes received in assertions generated by an IdP server. Security Fix: * mod_auth_mellon: authentication bypass in ECP flow ...
oval:org.secpod.oval:def:1502180 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:603419 Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents.
oval:org.secpod.oval:def:1900743 Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
oval:org.secpod.oval:def:1900731 Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. NOTE: the previous ...
oval:org.secpod.oval:def:203888 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: MariaDB. Refer to the MariaDB Release Notes listed in the References section for a complete list of changes. Security Fix: * It wa ...
oval:org.secpod.oval:def:1600443 It was found that the MariaDB client library did not properly check host names against server identities noted in the X.509 certificates when establishing secure connections using TLS/SSL. A man-in-the-middle attacker could possibly use this flaw to impersonate a server to a client. Unspecified vuln ...
oval:org.secpod.oval:def:1501424 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs and ...
oval:org.secpod.oval:def:1901332 Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
oval:org.secpod.oval:def:602353 Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.47.
oval:org.secpod.oval:def:602351 Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.23.
Please see the MariaDB 10.0 Release Notes for further details: https://mariadb.com/kb/en/mariadb/mariadb-10023-release-notes/ oval:org.secpod.oval:def:501798 MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. The following packages have been upgraded to a newer upstream version: MariaDB . Refer to the MariaDB Release Notes listed in the References section for a complete list of changes. Security Fix: * It wa ... oval:org.secpod.oval:def:1901284 Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to UDF. oval:org.secpod.oval:def:1600337 wolfSSL before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, also know ... oval:org.secpod.oval:def:1800668 CVE-2016-2047: MariaDB 10.1.10 CVE-2016-0616: MariaDB 10.1.10 CVE-2016-0610: MariaDB 10.1.9 CVE-2016-0609: MariaDB 10.1.10 CVE-2016-0608: MariaDB 10.1.10 CVE-2016-0606: MariaDB 10.1.10 CVE-2016-0600: MariaDB 10.1.10 CVE-2016-0598: MariaDB 10.1.10 CVE-2016-0597: MariaDB 10.1.10 CVE-2016-0596: MariaDB ... oval:org.secpod.oval:def:400733 mariadb was updated to version 10.0.25 to fix 25 security issues. These security issues were fixed: - CVE-2016-0505: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Options . - CVE-2016-0546: Unspecified vulnerability allowed local u ... oval:org.secpod.oval:def:110198 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. 
It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:52682 mysql-5.6: MySQL database - mysql-5.5: MySQL database Several security issues were fixed in MySQL. oval:org.secpod.oval:def:400641 mariadb was updated to version 10.0.25 to fix 25 security issues. These security issues were fixed: - CVE-2016-0505: Unspecified vulnerability allowed remote authenticated users to affect availability via unknown vectors related to Options . - CVE-2016-0546: Unspecified vulnerability allowed local u ... oval:org.secpod.oval:def:1901110 Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML. oval:org.secpod.oval:def:1901121 Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect integrity via unknown vectors related to encryption. oval:org.secpod.oval:def:32758 The host is installed with Oracle MySQL through 5.5.46 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails unknown vectors related to Optimizer. Successful exploitation allows remote authenticated users to affect availability. oval:org.secpod.oval:def:32753 The host is installed with Oracle MySQL through 5.5.46, through 5.6.27 or 5.7.9 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails vectors related to DML. Successful exploitation allows remote authenticated users to affect availability. 
oval:org.secpod.oval:def:32754 The host is installed with Oracle MySQL through 5.5.46, through 5.6.27 or 5.7.9 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails unknown vectors related to Optimizer. Successful exploitation allows remote authenticated users to affect availability. oval:org.secpod.oval:def:32746 The host is installed with Oracle MySQL through 5.5.46, through 5.6.27 or 5.7.9 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails vectors related to UDF. Successful exploitation allows remote authenticated users to affect availability. oval:org.secpod.oval:def:32748 The host is installed with Oracle MySQL through 5.5.46, through 5.6.27 or 5.7.9 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails unknown vectors related to encryption. Successful exploitation allows remote authenticated users to affect integrity. oval:org.secpod.oval:def:32742 The host is installed with Oracle MySQL through 5.5.46, through 5.6.27 or 5.7.9 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails unknown vectors related to Client. Successful exploitation allows local users to affect confidentiality, integrity, and avai ... oval:org.secpod.oval:def:110278 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:110258 MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MySQL client programs and generic MySQL files. oval:org.secpod.oval:def:110256 MariaDB is a community developed branch of MySQL. 
MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:502031 JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Security Fix: Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. Multiple flaws ... oval:org.secpod.oval:def:602771 Multiple vulnerabilities have been discovered in the JasPer library for processing JPEG-2000 images, which may result in denial of service or the execution of arbitrary code if a malformed image is processed. oval:org.secpod.oval:def:1501855 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1501853 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:204498 JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Security Fix: Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. Multiple flaws ... oval:org.secpod.oval:def:204496 JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard. Security Fix: Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. Multiple flaws ... oval:org.secpod.oval:def:1600714 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. 
A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an a ... oval:org.secpod.oval:def:703615 jasper: Library for manipulating JPEG-2000 files Several security issues were fixed in JasPer. oval:org.secpod.oval:def:204773 The Simple Logging Facade for Java, or SLF4J, is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging. Security Fix: * slf4j: Deserialisation vulnerability i ... oval:org.secpod.oval:def:502255 The Simple Logging Facade for Java, or SLF4J, is a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging. Security Fix: * slf4j: Deserialisation vulnerability i ... oval:org.secpod.oval:def:1700025 Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution: An XML deserialization vulnerability was discovered in slf4j's EventData which accepts an XML serialized string and can lead to arbitrary code execution oval:org.secpod.oval:def:2000411 org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. oval:org.secpod.oval:def:114214 The Simple Logging Facade for Java, or SLF4J, is intended to serve as a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging. Logging API implementations ca ...
oval:org.secpod.oval:def:114211 The Simple Logging Facade for Java, or SLF4J, is intended to serve as a simple facade for various logging APIs allowing the end-user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging. Logging API implementations ca ... oval:org.secpod.oval:def:1502157 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704215 ruby2.3: Interpreter of object-oriented scripting language Ruby - ruby1.9.1: Object-oriented scripting language - ruby2.0: Object-oriented scripting language Ruby could be made to execute arbitrary commands if it opened a specially crafted file. oval:org.secpod.oval:def:204761 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix: * It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attack ... oval:org.secpod.oval:def:52090 ruby2.3: Interpreter of object-oriented scripting language Ruby - ruby1.9.1: Object-oriented scripting language - ruby2.0: Object-oriented scripting language Ruby could be made to execute arbitrary commands if it opened a specially crafted file. oval:org.secpod.oval:def:53383 Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure. This update also fixes several issues in RubyGems which could all ... oval:org.secpod.oval:def:502236 Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
Security Fix: * It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attack ... oval:org.secpod.oval:def:48672 The host is installed with Apple Mac OS X 10.12.6 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle issues related to ruby. Successful exploitation may allow attackers to cause unexpected application termination or arbitrary code ... oval:org.secpod.oval:def:1502140 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603472 Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure. This update also fixes several issues in RubyGems which could all ... oval:org.secpod.oval:def:602531 Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or spoofing. Wait, Firefox? No more references to Iceweasel? That's right, Debian no longer applies ... oval:org.secpod.oval:def:602589 Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: Multiple memory safety errors may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:1801556 CVE-2018-2755: mariaDB 10.1.33 CVE-2018-2761: mariaDB 10.1.33 CVE-2018-2766: mariaDB 10.1.33 CVE-2018-2767: mariaDB 10.1.33 CVE-2018-2771: mariaDB 10.1.33 CVE-2018-2781: mariaDB 10.1.33 CVE-2018-2782: mariaDB 10.1.33 CVE-2018-2784: mariaDB 10.1.33 CVE-2018-2787: mariaDB 10.1.33 CVE-2018-2813: mariaD ...
oval:org.secpod.oval:def:1801544 CVE-2018-2755: mariaDB 10.1.33 CVE-2018-2761: mariaDB 10.1.33 CVE-2018-2766: mariaDB 10.1.33 CVE-2018-2767: mariaDB 10.1.33 CVE-2018-2771: mariaDB 10.1.33 CVE-2018-2781: mariaDB 10.1.33 CVE-2018-2782: mariaDB 10.1.33 CVE-2018-2784: mariaDB 10.1.33 CVE-2018-2787: mariaDB 10.1.33 CVE-2018-2813: mariaD ... oval:org.secpod.oval:def:115490 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:115534 MariaDB is a community developed branch of MySQL. MariaDB is a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs an ... oval:org.secpod.oval:def:51153 openjdk-lts: Open Source Java implementation - openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK. oval:org.secpod.oval:def:1501988 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502032 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's V ... oval:org.secpod.oval:def:51539 openjdk-lts: Open Source Java implementation - openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK. oval:org.secpod.oval:def:204783 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures.
The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * Qemu: vga: OOB read access during display update * Qemu: Slirp: use-after-free w ... oval:org.secpod.oval:def:502096 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * An out-of-bounds memory access issue was found in Quick Emulator in the VNC disp ... oval:org.secpod.oval:def:51996 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:51997 libvirt: Libvirt virtualization toolkit Several security issues were fixed in libvirt. oval:org.secpod.oval:def:1502452 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502453 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502450 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502451 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502454 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:603556 Narendra Shinde discovered that incorrect command-line parameter validation in the Xorg X server may result in arbitrary file overwrite, which can result in privilege escalation. oval:org.secpod.oval:def:603555 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, incomplete TLS identity verification, information disclosure or the execution of arbitrary code.
oval:org.secpod.oval:def:115294 X.Org X11 X server oval:org.secpod.oval:def:502536 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Improper field access checks * OpenJDK: Unrestricted access to scripting engine * OpenJDK: Incomplete enforcement of the trustURLCodebase restri ... oval:org.secpod.oval:def:52132 openjdk-lts: Open Source Java implementation - openjdk-8: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:1501854 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1700149 Vulnerability in the Java SE component of Oracle Java SE. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of th ... oval:org.secpod.oval:def:1700144 A vulnerability was found in polkit. When authentication is performed by a non-root user to perform an administrative task, the authentication is temporarily cached in such a way that a local attacker could impersonate the authorized process, thus gaining access to elevated privileges. oval:org.secpod.oval:def:204491 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's V ... oval:org.secpod.oval:def:704395 openjdk-7: Open Source Java implementation Several security issues were fixed in OpenJDK 7. oval:org.secpod.oval:def:112657 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation.
QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system, including a processor and various peripherals. It can be used to launch differe ... oval:org.secpod.oval:def:52958 openjdk-7: Open Source Java implementation Several security issues were fixed in OpenJDK 7. oval:org.secpod.oval:def:204475 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. To see the complete list of bug fixes, users are directed t ... oval:org.secpod.oval:def:1700108 util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module. oval:org.secpod.oval:def:1700100 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE. Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Jav ... oval:org.secpod.oval:def:704368 openjdk-lts: Open Source Java implementation - openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK. oval:org.secpod.oval:def:704361 xorg-server: X.Org X11 server - xorg-server-hwe-16.04: X.Org X11 server X.Org X server could be made to overwrite files as the administrator. oval:org.secpod.oval:def:502616 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information ...
oval:org.secpod.oval:def:502615 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Temporary auth hijacking via PID reuse and non-atomic fork For more details a ... oval:org.secpod.oval:def:502618 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information ... oval:org.secpod.oval:def:502619 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information, ... oval:org.secpod.oval:def:502621 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ... oval:org.secpod.oval:def:502620 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ... oval:org.secpod.oval:def:204842 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. 
Security Fix: * libvirt: Resource exhaustion via qemuMonitorIORead method * ... oval:org.secpod.oval:def:204894 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Improper field access checks * OpenJDK: Unrestricted access to scripting engine * OpenJDK: Incomplete enforcement of the trustURLCodebase restr ... oval:org.secpod.oval:def:204893 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Improper field access checks * OpenJDK: Unrestricted access to scripting engine * OpenJDK: Incomplete enforcement of the trustURLCodebase restr ... oval:org.secpod.oval:def:502605 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Temporary auth hijacking via PID reuse and non-atomic fork For more details a ... oval:org.secpod.oval:def:114070 Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux . The main package includes the libvirtd server exporting the virtualization support. oval:org.secpod.oval:def:44100 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:44101 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:204817 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * libvirt: Resource exhaustion via qemuMonitorIORead method * ... oval:org.secpod.oval:def:40179 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. 
oval:org.secpod.oval:def:53015 linux: Linux kernel The system could be made to run programs as an administrator. oval:org.secpod.oval:def:502292 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * libvirt: Resource exhaustion via qemuMonitorIORead method * ... oval:org.secpod.oval:def:54407 openjdk-7: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:704900 openjdk-lts: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:1700089 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE . Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to comprom ... oval:org.secpod.oval:def:502272 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * Qemu: vga: OOB read access during display update * Qemu: Slirp: use-after-free w ... oval:org.secpod.oval:def:52200 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:115427 X.Org X11 X server oval:org.secpod.oval:def:114544 curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+passwo ... 
oval:org.secpod.oval:def:603830 A memory disclosure vulnerability was discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in information disclosure or bypass of sandbox restrictions. oval:org.secpod.oval:def:1502256 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:48570 openjdk-lts: Open Source Java implementation - openjdk-8: Open Source Java implementation Several security issues were fixed in OpenJDK. oval:org.secpod.oval:def:1502213 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704472 openjdk-lts: Open Source Java implementation - openjdk-8: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:603310 Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library: CVE-2018-1064 Daniel Berrange discovered that the QEMU guest agent performed insufficient validation of incoming data, which allows a privileged user in the guest to exhaust resources on the virtualisation host, ... oval:org.secpod.oval:def:1801222 In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. Fixed in Ve ... oval:org.secpod.oval:def:703565 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:704874 policykit-1: framework for managing administrative policies and privileges PolicyKit could allow unintended access. oval:org.secpod.oval:def:704879 openjdk-7: Open Source Java implementation Java applets or applications could be made to expose sensitive information.
oval:org.secpod.oval:def:1501832 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1501835 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:703987 qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU. oval:org.secpod.oval:def:703988 libvirt: Libvirt virtualization toolkit Several security issues were fixed in libvirt. oval:org.secpod.oval:def:502319 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. Security Fix: * libvirt: Resource exhaustion via qemuMonitorIORead method * ... oval:org.secpod.oval:def:704821 linux: Linux kernel The system could be made to run programs as an administrator. oval:org.secpod.oval:def:205141 The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. The following packages have been upgraded to a later upstream version: libvir ... oval:org.secpod.oval:def:205121 X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. Security Fix: * xorg-x11-server: Incorrect permission check in Xorg X server allows for privilege escalation For more details a ... oval:org.secpod.oval:def:205128 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: Improper field access checks * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction * OpenJDK: Incorrect handling of unsigned at ... 
oval:org.secpod.oval:def:205123 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: Improper field access checks * OpenJDK: Unrestricted access to scripting engine * OpenJDK: Incomplete enforcement of the trustURLCodebase restri ... oval:org.secpod.oval:def:502375 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Improper field access checks * OpenJDK: Unrestricted access to scripting engine * OpenJDK: Incomplete enforcement of the trustURLCodebase restr ... oval:org.secpod.oval:def:502376 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: Improper field access checks * OpenJDK: Unrestricted access to scripting engine * OpenJDK: Incomplete enforcement of the trustURLCodebase restr ... oval:org.secpod.oval:def:2000401 In PolicyKit 0.115, the "start time" protection mechanism can be bypassed because fork is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c. oval:org.secpod.oval:def:205164 The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information ... oval:org.secpod.oval:def:205165 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Temporary auth hijacking via PID reuse and non-atomic fork For more details a ... 
oval:org.secpod.oval:def:205166 The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, and other related information, ... oval:org.secpod.oval:def:205167 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ... oval:org.secpod.oval:def:205168 The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Security Fix: * polkit: Temporary auth hijacking via PID reuse and non-atomic fork For more details a ... oval:org.secpod.oval:def:205169 The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: * OpenJDK: memory disclosure in FileChannelImpl For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other re ... oval:org.secpod.oval:def:54510 openjdk-lts: Open Source Java implementation Java applets or applications could be made to expose sensitive information. oval:org.secpod.oval:def:50583 The host is installed with Oracle Java SE through 7u201, 8u192 or 11.0.1 and is prone to a privilege escalation vulnerability. A flaw is present in the application, which fails to handle vectors related to unspecified vectors. Successful exploitation allows remote attackers to execute code without u ... oval:org.secpod.oval:def:50588 The host is installed with Oracle Java SE through 7u201, 8u192 or 11.0.1 and is prone to a privilege escalation vulnerability. 
A flaw is present in the application, which fails to handle vectors related to unspecified vectors. Successful exploitation allows remote attackers to execute code without u ... oval:org.secpod.oval:def:1600959 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE. Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via S ... oval:org.secpod.oval:def:1600946 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE. Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to comprom ... oval:org.secpod.oval:def:1600987 Vulnerability in the Java SE component of Oracle Java SE. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of th ... oval:org.secpod.oval:def:1502168 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:204627 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix: * An out-of-bounds memory access issue was found in Quick Emulator in the VNC disp ... 
oval:org.secpod.oval:def:53274 Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library: CVE-2018-1064 Daniel Berrangé discovered that the QEMU guest agent performed insufficient validation of incoming data, which allows a privileged user in the guest to exhaust resources on the virtualisation host, ... oval:org.secpod.oval:def:54117 policykit-1: framework for managing administrative policies and privileges PolicyKit could allow unintended access. oval:org.secpod.oval:def:51179 openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL. oval:org.secpod.oval:def:502625 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures For more details about the security issu ... oval:org.secpod.oval:def:704418 openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL. oval:org.secpod.oval:def:205170 OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Security Fix: * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures For more details about the security issu ... oval:org.secpod.oval:def:51450 The host is installed with OpenSSL 1.1.0 through 1.1.0h or OpenSSL 1.0.2 through 1.0.2p and is prone to a microarchitecture timing side channel attack vulnerability. A flaw is present in the application, which fails to properly handle an issue in ECDSA signature generation. Successful exploitation c ... 
oval:org.secpod.oval:def:48691 This is a flaw in the Intel processor execution engine sharing on SMT (e.g. Hyper-Threading) architectures. It can result in leakage of secret data in applications such as OpenSSL that have secret-dependent control flow at any granularity level. In order to exploit this flaw, the attacker needs to ru ... oval:org.secpod.oval:def:1502425 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502598 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Use-after-free due to race condition in AF_PACKET implementation * kernel: userfaultfd bypasses tmpfs file permissions For more details about the security issue, including the impact, a CV ... oval:org.secpod.oval:def:205149 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Use-after-free due to race condition in AF_PACKET implementation * kernel: userfaultfd bypasses tmpfs file permissions For more details about the security issue, including the impact, a CV ... oval:org.secpod.oval:def:115217 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs a common set of tools which are usually used with a small number of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:51141 git: fast, scalable, distributed revision control system Git could be made to run programs as your login if it recursively opened a malicious git repository. oval:org.secpod.oval:def:53338 Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file. 
oval:org.secpod.oval:def:115229 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:1800993 CVE-2018-11233: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. oval:org.secpod.oval:def:1800995 CVE-2018-11233: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. oval:org.secpod.oval:def:1800999 CVE-2018-11233: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. oval:org.secpod.oval:def:114754 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:114750 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:49668 The host is installed with Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, or 2.17.x before 2.17.1 and is prone to a remote code execution vulnerability. A flaw is present in the application, which fails to handle the crafted .gitmodules file. Successful exploita ... 
oval:org.secpod.oval:def:1600936 Git before 2.14.5 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character. oval:org.secpod.oval:def:603539 joernchen of Phenoelit discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability via a specially crafted .gitmodules file in a project cloned with --recurse-submodules. oval:org.secpod.oval:def:114819 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:1600894 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x befor ... oval:org.secpod.oval:def:115254 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs a common set of tools which are usually used with a small number of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:115245 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:48098 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... 
oval:org.secpod.oval:def:115315 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:114919 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:704345 git: fast, scalable, distributed revision control system Git could be made to run programs as your login if it recursively opened a malicious git repository. oval:org.secpod.oval:def:204835 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:114590 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs a common set of tools which are usually used with a small number of dependencies. To install all git packages, incl ... oval:org.secpod.oval:def:1700086 Git before 2.14.5 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character. oval:org.secpod.oval:def:114589 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The git rpm installs a common set of tools which are usually used with a small number of dependencies. To install all git packages, incl ... 
oval:org.secpod.oval:def:115426 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:1700048 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x befor ... oval:org.secpod.oval:def:114981 libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. oval:org.secpod.oval:def:204959 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:502322 Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work ... oval:org.secpod.oval:def:51048 git: fast, scalable, distributed revision control system Several security issues were fixed in Git. oval:org.secpod.oval:def:46090 The host is installed with Apple Mac OS X 10.13.2 or later or Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4 or 2.17.x before 2.17.1 and is prone to an arbitrary code execution vulnerability. A flaw is present in the application, which fails to handle crafted file ... 
oval:org.secpod.oval:def:603412 Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file. oval:org.secpod.oval:def:704107 git: fast, scalable, distributed revision control system Several security issues were fixed in Git. oval:org.secpod.oval:def:1502063 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502059 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:52429 php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:25258 The host is installed with Apple Mac OS X or Server 10.8.5, 10.9.5 or 10.10.x through 10.10.3 and is prone to an arbitrary code execution vulnerability. A flaw is present in libtiff, which fails to handle unspecified vectors. Successful exploitation allows attackers to execute arbitrary code. oval:org.secpod.oval:def:26614 The host is installed with Apple Mac OS X or Server 10.8, 10.9 or before 10.10.5 and is prone to a use-after-free vulnerability. A flaw is present in the application, which fails to handle a crafted unserialize call that leverages use of the unset function within an __wakeup function. Successful ex ... oval:org.secpod.oval:def:26617 The host is installed with Apple Mac OS X or Server 10.8, 10.9 or before 10.10.5 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to handle pipelined HTTP requests. Successful exploitation allows attackers to cause a denial of service (application c ... oval:org.secpod.oval:def:26616 The host is installed with Apple Mac OS X or Server 10.8, 10.9 or before 10.10.5 and is prone to multiple stack-based buffer overflow vulnerabilities. 
The flaws are present in the application, which fails to handle a crafted length value in a (1) tar, (2) phar, or (3) ZIP archive. Successful exploit ... oval:org.secpod.oval:def:26613 The host is installed with Apple Mac OS X or Server 10.8, 10.9 or before 10.10.5 and is prone to an information disclosure vulnerability. A flaw is present in the application, which fails to handle a crafted length value in conjunction with crafted serialized data in a phar archive. Successful explo ... oval:org.secpod.oval:def:702466 php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:601998 Multiple vulnerabilities have been discovered in the PHP language: CVE-2015-2301 Use-after-free in the phar extension. CVE-2015-2331 Emmanuel Law discovered an integer overflow in the processing of ZIP archives, resulting in denial of service or potentially the execution of arbitrary code. oval:org.secpod.oval:def:1501042 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, ... oval:org.secpod.oval:def:1501060 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. An uninitialized pointer use flaw was found in PHP's Exif ex ... oval:org.secpod.oval:def:702513 php5: HTML-embedded scripting language interpreter Several security issues were fixed in PHP. oval:org.secpod.oval:def:30886 The host is installed with Apple Mac OS X or Server 10.6.8 before 10.11 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle a crafted second argument. 
Successful exploitation could allow attackers to bypass intended extension restrict ... oval:org.secpod.oval:def:30883 The host is installed with Apple Mac OS X or Server 10.6.8 before 10.11 and is prone to a use-after-free vulnerability. A flaw is present in the application, which fails to properly handle vectors that trigger an attempted renaming of a Phar archive to the name of an existing file. Successful explo ... oval:org.secpod.oval:def:602015 The previous update for php5, DSA-3198-1, introduced a regression causing segmentation faults when using SoapClient::__setSoapHeader. Updated packages are now available to address this regression. For reference, the original advisory text follows. Multiple vulnerabilities have been discovered in the ... oval:org.secpod.oval:def:203664 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. An uninitialized pointer use flaw was found in PHP's Exif ex ... oval:org.secpod.oval:def:203655 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, ... oval:org.secpod.oval:def:108765 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fai ... oval:org.secpod.oval:def:108766 PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. 
PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fai ... oval:org.secpod.oval:def:1200076 A use-after-free flaw was found in PHP's OPcache extension. This flaw could possibly lead to a disclosure of a portion of server memory. A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to a function such as pg_insert or pg_select could cause a PHP app ... oval:org.secpod.oval:def:1200003 A use-after-free flaw was found in PHP's OPcache extension. This flaw could possibly lead to a disclosure of a portion of server memory. A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to a function such as pg_insert or pg_select could cause a PHP app ... oval:org.secpod.oval:def:1200048 A buffer overflow vulnerability was found in PHP's phar implementation. See https://bugs.php.net/bug.php?id=69324 for more details. A use-after-free flaw was found in PHP's phar paths implementation. A malicious script author could possibly use this flaw to disclose certain portions of server memo ... oval:org.secpod.oval:def:30961 The host is missing a security update according to Apple advisory, APPLE-SA-2015-09-30-3. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation could allow attackers to execute arbitrary code, dis ... oval:org.secpod.oval:def:602132 Multiple vulnerabilities have been discovered in PHP: CVE-2015-4025 / CVE-2015-4026 Multiple functions didn't check for NULL bytes in path names. CVE-2015-4024 Denial of service when processing multipart/form-data requests. CVE-2015-4022 Integer overflow in the ftp_genlist function may result in deni ... oval:org.secpod.oval:def:24753 The host is installed with libtiff in RHEL 5, 6 or 7 and is prone to a divide by zero vulnerability. 
A flaw is present in the application, which fails to properly handle crafted data. Successful exploitation could allow attackers to execute arbitrary code or crash the service. oval:org.secpod.oval:def:501581 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, ... oval:org.secpod.oval:def:501590 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. An uninitialized pointer use flaw was found in PHP"s Exif ex ... oval:org.secpod.oval:def:43535 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Libraries. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:43539 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JNDI. Successful exploitation allows attackers to affect Integrity and Availability. oval:org.secpod.oval:def:43538 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to LDAP. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:43537 The host is installed with Oracle Java SE through 8u152 or 9.0.1 and is prone to an unspecified vulnerability. 
A flaw is present in the application, which fails to handle vectors related to Hotspot. Successful exploitation allows attackers to affect Integrity. oval:org.secpod.oval:def:43542 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JCE. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:43541 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Libraries. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:43540 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to I18n. Successful exploitation allows attackers to affect Confidentiality, Integrity and Availabi ... oval:org.secpod.oval:def:43546 The host is installed with Oracle Java SE through 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JGSS. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:43545 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JNDI. Successful exploitation allows attackers to affect Confidentiality, Integrity and Availabi ... oval:org.secpod.oval:def:43544 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JGSS. 
Successful exploitation allows attackers to affect Integrity. oval:org.secpod.oval:def:43547 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JMX. Successful exploitation allows attackers to affect Confidentiality and Integrity. oval:org.secpod.oval:def:43553 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to AWT. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:43552 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Libraries. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:43550 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to AWT. Successful exploitation allows attackers to affect Integrity. oval:org.secpod.oval:def:50264 The host is installed with Oracle Java SE through 7u201, 8u192 or 11.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Libraries. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:43554 The host is installed with Oracle Java SE through 6u171, 7u161, 8u152 or 9.0.1 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JNDI. Successful exploitation allows attackers to affect Availability. 
oval:org.secpod.oval:def:48090 The host is installed with Oracle Java SE through 6u201, 7u191, 8u181 or 11 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Security. Successful exploitation allows attackers to affect Integrity. oval:org.secpod.oval:def:48091 The host is installed with Oracle Java SE through 6u201, 7u191, 8u181 or 11 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Networking. Successful exploitation allows attackers to affect Confidentiality. oval:org.secpod.oval:def:48079 The host is installed with Oracle Java SE through 8u181 or 11 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to scripting. Successful exploitation allows attackers to affect confidentiality, integrity and availability. oval:org.secpod.oval:def:48085 The host is installed with Oracle Java SE through 6u201, 7u191, 8u181 or 11 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JSSE. Successful exploitation allows attackers to affect Confidentiality, Integrity and Availabilit ... oval:org.secpod.oval:def:48086 The host is installed with Oracle Java SE through 6u201, 7u191 or 8u181 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Sound. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:48083 The host is installed with Oracle Java SE through 6u201, 7u191, 8u181 or 11 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JNDI. Successful exploitation allows attackers to affect Confidentiality, Integrity and Availabilit ... 
oval:org.secpod.oval:def:48082 The host is installed with Oracle Java SE through 7u191, 8u181 or 11 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Hotspot. Successful exploitation allows attackers to affect Confidentiality, Integrity and Availability. oval:org.secpod.oval:def:45167 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Security. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45168 The host is installed with Oracle Java SE through 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Concurrency. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45169 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JMX. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45165 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Security. Successful exploitation allows attackers to affect Integrity. oval:org.secpod.oval:def:45166 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162, 10 or JRockit: R28.3.17 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Security. Successful exploitation allows attackers to affect Confidentiality, In ... 
oval:org.secpod.oval:def:45170 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to AWT. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45171 The host is installed with Oracle Java SE through 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to JAXP. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:45172 The host is installed with Oracle Java SE through 6u181, 7u171 or 8u162 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to RMI. Successful exploitation allows attackers to affect Confidentiality and Integrity. oval:org.secpod.oval:def:45174 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Hotspot. Successful exploitation allows attackers to affect Confidentiality, Integrity and Availabi ... oval:org.secpod.oval:def:45175 The host is installed with Oracle Java SE through 6u181, 7u171, 8u162 or 10 and is prone to an unspecified vulnerability. A flaw is present in the application, which fails to handle vectors related to Serialization. Successful exploitation allows attackers to affect Availability. oval:org.secpod.oval:def:41707 Mozilla Firefox before 55.0 , Firefox ESR before 52.3 or Thunderbird 52.3 :- A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash. 
oval:org.secpod.oval:def:41711 Mozilla Firefox before 55.0 , Firefox ESR before 52.3 or Thunderbird 52.3 :- When a page's content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP. oval:org.secpod.oval:def:41726 The host is missing a critical security update according to Mozilla advisory, MFSA2017-18. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code o ... oval:org.secpod.oval:def:42267 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird 52.4 :- A buffer overflow occurs when drawing and validating elements with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentia ... oval:org.secpod.oval:def:42276 The host is missing a critical security update according to Mozilla advisory, MFSA2017-21. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:40061 Mozilla Firefox before 53.0, Thunderbird before 52.1, Firefox ESR before 45.9 or 52.x before 52.1 :- A use-after-free vulnerability during XSLT processing due to the result handler being held by a freed handler during handling. This results in a potentially exploitable crash. oval:org.secpod.oval:def:42262 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird 52.4 :- Mozilla developers and community members Christoph Diehl, Jan de Mooij, Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian Hengst reported memory safety bugs present in Firefox and Firefox ESR. Some of thes ... 
oval:org.secpod.oval:def:42260 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird 52.4 :- A use-after-free vulnerability can occur in the Fetch API when the worker or the associated window are freed when still in use, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:42266 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird 52.4 :- The content security policy (CSP) sandbox directive did not create a unique origin for the document, causing it to behave as if the allow-same-origin keyword were always specified. This could allow a Cross-Site Scripting (XS ... oval:org.secpod.oval:def:42265 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird 52.4 :- A use-after-free vulnerability can occur in design mode when image objects are resized if objects referenced during the resizing have been freed from memory. This results in a potentially exploitable crash. oval:org.secpod.oval:def:42264 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird 52.4 :- A use-after-free vulnerability can occur when manipulating arrays of Accessible Rich Internet Applications (ARIA) elements within containers through the DOM. This results in a potentially exploitable crash. oval:org.secpod.oval:def:42263 Mozilla Firefox before 56.0, Firefox ESR before 52.4 or Thunderbird 52.4 :- File downloads encoded with blob: and data: URL elements bypassed normal file download checks though the Phishing and Malware Protection feature and its block lists of suspicious sites and files. This would allow malicious s ... oval:org.secpod.oval:def:42795 The host is missing a critical security update according to Mozilla advisory, MFSA2017-24. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... 
oval:org.secpod.oval:def:42783 Mozilla Firefox before 57.0 or Firefox ESR before 52.5 :- Mozilla developers and community members Christian Holler, David Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp, Nicholas Nethercote, Oriol Brufau, Andre Bargull, Bob Clary, Jet Villegas, Randell Jesup, Tyson Smith ... oval:org.secpod.oval:def:42782 Mozilla Firefox before 57.0, Firefox ESR before 52.5 or Apple iCloud 7.3:- The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. oval:org.secpod.oval:def:42781 Mozilla Firefox before 57.0 or Firefox ESR before 52.5 :- A use-after-free vulnerability can occur when flushing and resizing layout because the PressShell object has been freed while still in use. This results in a potentially exploitable crash during these operations. oval:org.secpod.oval:def:41080 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable c ... oval:org.secpod.oval:def:41081 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell. This results in a potentially exploitable crash. oval:org.secpod.oval:def:41084 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages due to how events are handled. This results in a potentially exploitable crash but would require sp ... 
oval:org.secpod.oval:def:41082 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- A use-after-free vulnerability during video control operations when a 'track' element holds a reference to an older window if that window has been replaced in the DOM. This results in a potentially exploitable crash. oval:org.secpod.oval:def:41083 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- A use-after-free vulnerability with content viewer listeners that results in a potentially exploitable crash. oval:org.secpod.oval:def:41090 Mozilla Firefox before 54.0, Firefox ESR before 52.2 or Thunderbird before 52.2 :- An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use. oval:org.secpod.oval:def:41101 The host is missing a critical security update according to Mozilla advisory, MFSA2017-15. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code o ... oval:org.secpod.oval:def:41698 Mozilla Firefox before 55.0 , Firefox ESR before 52.3 or Thunderbird 52.3 :- An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data. oval:org.secpod.oval:def:43032 The host is missing a critical security update according to Mozilla advisory, MFSA2017-27. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to disclose information or ... oval:org.secpod.oval:def:43030 Mozilla Firefox before 57.0.1 and Mozilla Firefox ESR before 52.5.2 :- When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. 
IndexedDB should not be available in Private Browsing mode and this stored data will persi ... oval:org.secpod.oval:def:49280 The host is installed with Google Chrome before 71.0.3578.80, Firefox before 65.0.1, Firefox ESR before 60.5.1 or Thunderbird before 60.5.1 and is prone to a use after free vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploitation allows ... oval:org.secpod.oval:def:43589 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 :- A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43588 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- Mozilla developers and community members reported memory safety bugs present in Firefox, Firefox ESR and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort th ... oval:org.secpod.oval:def:43593 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when the widget listener is holding strong references to browser objects that have previously been freed, resulting in a potentially exploitable crash when these references a ... oval:org.secpod.oval:def:43592 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when form input elements, focus, and selections are manipulated by script content. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43591 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitab ... 
oval:org.secpod.oval:def:43590 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 8 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially e ... oval:org.secpod.oval:def:43597 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. This issue could result in the wrong URL being displ ... oval:org.secpod.oval:def:43596 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during font face manipulation when a font face is freed while still in use, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:43595 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur during mouse event handling due to issues with multiprocess support. This results in a potentially exploitable crash. oval:org.secpod.oval:def:43594 Mozilla Firefox before 58.0 or Firefox ESR before 52.6 or Thunderbird before 52.6 :- A use-after-free vulnerability can occur when manipulating HTML media elements with media streams, resulting in a potentially exploitable crash. oval:org.secpod.oval:def:43619 The host is missing a critical security update according to Mozilla advisory, MFSA2018-02. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... 
oval:org.secpod.oval:def:48015 The host is installed with Google Chrome before 70.0.3538.67 or Mozilla Firefox before 64, Mozilla Firefox ESR before 60.4, Mozilla Thunderbird 60.4 and is prone to a memory corruption vulnerability. A flaw is present in the application, which fails to handle unspecified vectors. Successful exploita ... oval:org.secpod.oval:def:49783 The host is missing a critical security update according to Mozilla advisory, MFSA2018-29. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:50799 The host is missing a high security update according to Mozilla advisory, MFSA2019-04. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:45487 Mozilla Firefox before 60.0, Firefox or ESR before 52.8 : Same-origin protections for the PDF viewer can be bypassed, allowing a malicious site to intercept messages meant for the viewer. This could allow the site to retrieve PDF files restricted to viewing by an authenticated user on a third-party ... oval:org.secpod.oval:def:45488 Mozilla Firefox before 60.0, Firefox or ESR before 52.8 : The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. oval:org.secpod.oval:def:47607 Mozilla Firefox 62.0.2, Mozilla Firefox ESR 60.2.1, Mozilla Thunderbird 60.2.1 : A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerab ... 
oval:org.secpod.oval:def:47605 The host is missing a moderate security update according to Mozilla advisory, MFSA2018-22. The update is required to fix a denial of service vulnerability. A flaw is present in the application, which fails to handle the TransportSecurityInfo used for SSL. Successful exploitation allows attackers to ... oval:org.secpod.oval:def:50460 Mozilla Firefox 65 or Firefox ESR 60.6 : When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior i ... oval:org.secpod.oval:def:50452 The host is missing a critical security update according to Mozilla advisory, MFSA2019-01. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:50454 Mozilla Firefox 65, Mozilla Firefox ESR 60.5 and Mozilla Thunderbird 60.5 : A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash ... oval:org.secpod.oval:def:50455 Mozilla Firefox 64, Mozilla Firefox ESR 60.4 and Mozilla Thunderbird 60.5 : Mozilla developers and community members Alex Gaynor, Christoph Diehl, Steven Crane, Jason Kratzer, Gary Kwong, and Christian Holler reported memory safety bugs present in Firefox 64 and Firefox ESR 60.4. Some of these bugs ... oval:org.secpod.oval:def:50459 Mozilla Firefox 65, Mozilla Firefox ESR 60.5 and Mozilla Thunderbird 60.5 : An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication between IPC endpoints and server parents during IPC process creation. 
This authentication is insuffi ... oval:org.secpod.oval:def:47769 Mozilla Firefox 62.0.3, Mozilla Firefox ESR 60.2.2 : A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as ... oval:org.secpod.oval:def:47770 The host is missing a critical security update according to Mozilla advisory, MFSA2018-24. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code. oval:org.secpod.oval:def:44694 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : A buffer overflow can occur when manipulating the SVG animatedPathSegList through script. This results in a potentially exploitable crash. oval:org.secpod.oval:def:44695 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process. oval:org.secpod.oval:def:44696 Mozilla Firefox before 59.0 or Firefox ESR before 52.7 : When packets with a mismatched RTP payload type are sent in WebRTC connections, in some circumstances a potentially exploitable crash is triggered. oval:org.secpod.oval:def:44697 Mozilla Firefox before 59.0 or Firefox ESR before 52.7 : Under certain circumstances the fetch() API can return transient local copies of resources that were sent with a no-store or no-cache cache header instead of downloading a copy from the network as it should. This can result in previously store ... 
oval:org.secpod.oval:def:44693 Mozilla Firefox before 59.0, Firefox ESR before 52.7 or Thunderbird before 52.7 : Mozilla developers and community members reported memory safety bugs present in Firefox and Firefox ESR. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these ... oval:org.secpod.oval:def:44713 The host is missing a critical security update according to Mozilla advisory, MFSA2018-06. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:47371 Mozilla Firefox 62, Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : Mozilla developers and community members Alex Gaynor, Boris Zbarsky, Christoph Diehl, Christian Holler, Jason Kratzer, Jed Davis, Tyson Smith, Bogdan Tara, Karl Tomlinson, Mats Palmgren, Nika Layzell, Ted Campbell, and Andrei ... oval:org.secpod.oval:def:47373 Mozilla Firefox 62, Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. oval:org.secpod.oval:def:47372 Mozilla Firefox 62, Mozilla Firefox ESR 60.2, Mozilla Thunderbird 60.2.1 : A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. oval:org.secpod.oval:def:47375 Mozilla Firefox 62, Mozilla Firefox ESR 60.2.1, Mozilla Thunderbird 60.2.1 : If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was ... 
oval:org.secpod.oval:def:46108 The host is missing a critical security update according to Mozilla advisory, MFSA2018-15. The update is required to fix multiple vulnerabilities. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows attackers to crash an application. oval:org.secpod.oval:def:46113 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash. oval:org.secpod.oval:def:46112 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A buffer overflow can occur when rendering canvas content while adjusting the height and width of the 'canvas' element dynamically, causing data to be written outside of the currently computed boundaries. This results i ... oval:org.secpod.oval:def:46118 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. oval:org.secpod.oval:def:46125 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable cra ... oval:org.secpod.oval:def:46128 Mozilla Firefox 61, Mozilla Thunderbird 60.0, Mozilla Firefox ESR 52.9 and 60.1: Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety ... 
oval:org.secpod.oval:def:44766 Mozilla Firefox before 59.0.1 or Firefox ESR before 52.7.2 : An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. oval:org.secpod.oval:def:44767 The host is missing a critical security update according to Mozilla advisory, MFSA2018-08. The update is required to fix an out-of-bounds memory write vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the se ... oval:org.secpod.oval:def:44774 Mozilla Firefox before 59.0.2 or Firefox ESR before 52.7.3 : A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash. oval:org.secpod.oval:def:44775 The host is missing an important security update according to Mozilla advisory, MFSA2018-10. The update is required to fix a use-after-free vulnerability. A flaw is present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to crash the service. oval:org.secpod.oval:def:52133 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:51210 linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in th ... oval:org.secpod.oval:def:51216 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:51206 linux: Linux kernel Several security issues were fixed in the Linux kernel. 
oval:org.secpod.oval:def:704491 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704481 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704478 linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in th ... oval:org.secpod.oval:def:704470 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:1600892 A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated. A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch oper ... oval:org.secpod.oval:def:57782 linux: Linux kernel - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-euclid: Linux kernel for Intel Euclid systems - linux-gcp: Linux kernel for Google Cloud Platform syst ... oval:org.secpod.oval:def:204822 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: KVM: error in exception handling leads to wrong debug stack value * Kernel: error in exception handling leads to DoS * Kernel: ipsec: xfrm: use-after-free leading to potential privilege es ... oval:org.secpod.oval:def:502287 The kernel packages contain the Linux kernel, the core of any Linux operating system. 
Security Fix: * Kernel: KVM: error in exception handling leads to wrong debug stack value * Kernel: error in exception handling leads to DoS * Kernel: ipsec: xfrm: use-after-free leading to potential privilege es ... oval:org.secpod.oval:def:1700044 A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated. A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch oper ... oval:org.secpod.oval:def:1502240 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502241 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502247 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502248 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502246 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502207 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:705016 linux: Linux kernel - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-euclid: Linux kernel for Intel Euclid systems - linux-gcp: Linux kernel for Google Cloud Platform syst ... oval:org.secpod.oval:def:1502478 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502479 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:1502487 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704863 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704867 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:54114 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:54115 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704864 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oracle: Linux kernel for Oracle Cloud systems Several securit ... oval:org.secpod.oval:def:704866 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-oracle: Linux kernel for Oracle Cloud systems - linux-rasp ... 
oval:org.secpod.oval:def:54112 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-oracle: Linux kernel for Oracle Cloud systems - linux-rasp ... oval:org.secpod.oval:def:54113 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oracle: Linux kernel for Oracle Cloud systems Several securit ... oval:org.secpod.oval:def:2000558 KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer oval:org.secpod.oval:def:115610 The kernel meta package oval:org.secpod.oval:def:2001012 In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free. oval:org.secpod.oval:def:1502497 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:205195 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: KVM: potential use-after-free via kvm_ioctl_create_device * Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer For more details about the security issue ... oval:org.secpod.oval:def:502649 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Kernel: KVM: potential use-after-free via kvm_ioctl_create_device * Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer For more details about the security issue ... 
oval:org.secpod.oval:def:53315 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controllin ...
oval:org.secpod.oval:def:115236 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package.
oval:org.secpod.oval:def:115235 This package contains the tools/ directory from the kernel source and the supporting documentation.
oval:org.secpod.oval:def:115230 The kernel meta package
oval:org.secpod.oval:def:1600944 An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task. A vulnerability was discover ...
oval:org.secpod.oval:def:1502443 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1600844 Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add function potentially allowing KASLR bypass. The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SB ...
oval:org.secpod.oval:def:115249 This package contains the tools/ directory from the kernel source and the supporting documentation.
oval:org.secpod.oval:def:115248 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs.
The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package.
oval:org.secpod.oval:def:704806 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oracle: Linux kernel for Oracle Cloud systems Several securit ...
oval:org.secpod.oval:def:704807 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - linux-oracle: Linux kernel for Oracle Cloud systems - linux-rasp ...
oval:org.secpod.oval:def:704808 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704809 linux: Linux kernel - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:115324 This package contains the tools/ directory from the kernel source and the supporting documentation.
oval:org.secpod.oval:def:115345 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package.
oval:org.secpod.oval:def:52138 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel - linux-oracle: Linux kernel for Oracle Cloud systems Several securit ...
oval:org.secpod.oval:def:1700114 A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device, the device holds a reference to a VM object, later this reference is transferred to the caller's file descriptor table ...
oval:org.secpod.oval:def:52966 linux: Linux kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:502626 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Memory corruption due to incorrect socket cloning * kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks * kernel: Faulty computation of numeric bounds in the BPF v ...
oval:org.secpod.oval:def:115373 The kernel meta package
oval:org.secpod.oval:def:1700091 An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task. A vulnerability was discover ...
oval:org.secpod.oval:def:1700012 Stack-based out-of-bounds read via vmcall instruction. Linux kernel compiled with the KVM virtualization support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memor ...
oval:org.secpod.oval:def:704484 linux: Linux kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704410 linux-aws: Linux kernel for Amazon Web Services systems Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704409 linux: Linux kernel - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:603384 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controllin ...
oval:org.secpod.oval:def:704870 linux: Linux kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704868 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 S ...
oval:org.secpod.oval:def:704865 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:205173 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: Memory corruption due to incorrect socket cloning * kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks * kernel: Faulty computation of numeric bounds in the BPF v ...
oval:org.secpod.oval:def:115939 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs.
The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package.
oval:org.secpod.oval:def:115948 The kernel meta package
oval:org.secpod.oval:def:115944 Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package.
oval:org.secpod.oval:def:115943 The kernel meta package
oval:org.secpod.oval:def:115940 This package contains the tools/ directory from the kernel source and the supporting documentation.
oval:org.secpod.oval:def:115942 This package contains the tools/ directory from the kernel source and the supporting documentation.
oval:org.secpod.oval:def:1600978 A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor emulates a preemption timer for L2 guests when nested virtualization is enabled. This high resolution timer runs when a L2 guest is active. After VM exit, the sync_vmcs12 timer object is stopped. The use-afte ...
oval:org.secpod.oval:def:54111 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:53259 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controllin ...
oval:org.secpod.oval:def:54116 linux: Linux kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52440 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.
oval:org.secpod.oval:def:702486 tiff: Tag Image File Format library LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.
oval:org.secpod.oval:def:25312 The host is missing a security update according to Apple advisory, APPLE-SA-2015-06-30-2. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted vectors. Successful exploitation leads to information disclosure, security bypas ...
oval:org.secpod.oval:def:1502409 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:51127 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript.
oval:org.secpod.oval:def:49255 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * It was discovered that the ghostscript /invalidaccess checks fail under certain condition ...
oval:org.secpod.oval:def:47518 The host is installed with Artifex Ghostscript before 9.25 and is prone to a privilege escalation vulnerability. A flaw is present in the application, which fails to properly handle an exception during incorrect "restoration of privilege" checking when running out of stack. Successful exploitation c ...
oval:org.secpod.oval:def:502586 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: Incorrect free logic in pagedevice replacement * ghostscript: Incorrect &q ...
oval:org.secpod.oval:def:502540 The Ghostscript suite contains utilities for rendering PostScript and PDF documents.
Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: .tempfile file permission issues * ghostscript: shading_param incomplete t ...
oval:org.secpod.oval:def:53411 Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed PostScript file is processed.
oval:org.secpod.oval:def:53417 Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in the execution of arbitrary code if a malformed PostScript file is processed.
oval:org.secpod.oval:def:1502343 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1801158 CVE-2018-10194: The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact ...
oval:org.secpod.oval:def:1801173 CVE-2018-10194: The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact ...
oval:org.secpod.oval:def:1801162 CVE-2018-10194: The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact ...
oval:org.secpod.oval:def:1801168 CVE-2018-10194: The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows remote attackers to cause a denial of service or possibly have unspecified other impact ...
oval:org.secpod.oval:def:204890 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * It was discovered that the ghostscript /invalidaccess checks fail under certain condition ...
oval:org.secpod.oval:def:1502391 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:1502398 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:704319 ghostscript: PostScript and PDF interpreter Several security issues were fixed in Ghostscript.
oval:org.secpod.oval:def:502602 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: use-after-free in copydevice handling * ghostscript: access bypass in psi/ ...
oval:org.secpod.oval:def:1801559 An issue was discovered in Artifex Ghostscript before 9.25. Incorrect "restoration of privilege" checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. This is due to an incomplete fix fo ...
oval:org.secpod.oval:def:1801533 An issue was discovered in Artifex Ghostscript before 9.25.
Incorrect "restoration of privilege" checking when running out of stack during exception handling could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction. This is due to an incomplete fix fo ...
oval:org.secpod.oval:def:1700083 It was discovered that the ghostscript .shfill operator did not properly validate certain types. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document. ...
oval:org.secpod.oval:def:47268 The host is installed with Artifex Ghostscript before 9.23 and is prone to a type confusion vulnerability. A flaw is present in the application, which fails to properly handle the LockDistillerParams parameter. Successful exploitation could allow attackers to crash the interpreter or execute code.
oval:org.secpod.oval:def:47270 The host is installed with Artifex Ghostscript before 9.23 and is prone to a security bypass vulnerability. A flaw is present in the application, which fails to properly handle .tempfile restrictions and write files. Successful exploitation could allow attackers to supply malicious PostScript files ...
oval:org.secpod.oval:def:115054 Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures and an interpreter for Portable Document Format files. Ghostscript translates PostScript code into many common, bitmapped formats, like those understood by your printer or screen. Ghostscript is normally ...
oval:org.secpod.oval:def:115078 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ...
oval:org.secpod.oval:def:205133 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: .tempfile file permission issues * ghostscript: shading_param incomplete t ...
oval:org.secpod.oval:def:205135 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: Incorrect free logic in pagedevice replacement * ghostscript: Incorrect &q ...
oval:org.secpod.oval:def:115100 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ...
oval:org.secpod.oval:def:502373 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * It was discovered that the ghostscript /invalidaccess checks fail under certain condition ...
oval:org.secpod.oval:def:205157 The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: * ghostscript: use-after-free in copydevice handling * ghostscript: access bypass in psi/ ...
oval:org.secpod.oval:def:115925 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other.
Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ...
oval:org.secpod.oval:def:115956 This package provides useful conversion utilities based on Ghostscript software, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Systems' PostScript and Portable Document Format page description languag ...
oval:org.secpod.oval:def:603515 Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in the execution of arbitrary code if a malformed PostScript file is processed.
oval:org.secpod.oval:def:47397 The host is installed with Artifex Ghostscript before 9.24 and is prone to a use-after-free vulnerability. A flaw is present in the application, which fails to properly handle the builtin PDF14 converter. Successful exploitation could allow attackers to supply crafted PostScript files to crash the i ...
oval:org.secpod.oval:def:47399 The host is installed with Artifex Ghostscript before 9.24 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to handle the stack-size checking during error handling. Successful exploitation could allow attackers to supply crafted PostScript files to ...
oval:org.secpod.oval:def:1600969 It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document.
oval:org.secpod.oval:def:115212 The kernel meta package
oval:org.secpod.oval:def:114358 The kernel meta package
oval:org.secpod.oval:def:53326 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service.
CVE-2018-1087 Andy Lutomirski discovered that the KVM implementation did not properly handle #DB exceptions while deferred by MOV SS/POP SS, allowing an unprivileged KVM gue ...
oval:org.secpod.oval:def:53337 Several vulnerabilities were discovered in qemu, a fast processor emulator. CVE-2017-15038 Tuomas Tynkkynen discovered an information leak in 9pfs. CVE-2017-15119 Eric Blake discovered that the NBD server insufficiently restricts large option requests, resulting in denial of service. CVE-2017-15124 ...
oval:org.secpod.oval:def:114328 The kernel meta package
oval:org.secpod.oval:def:51105 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ...
oval:org.secpod.oval:def:51121 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 S ...
oval:org.secpod.oval:def:51113 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:114783 The kernel meta package
oval:org.secpod.oval:def:704299 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704298 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:114725 The kernel meta package
oval:org.secpod.oval:def:704281 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704283 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ...
oval:org.secpod.oval:def:704278 linux: Linux kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704279 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:1600910 Fixes for L1 Terminal Fault security issues: L1 Terminal Fault - OS/SMM: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault an ...
oval:org.secpod.oval:def:114734 The kernel meta package
oval:org.secpod.oval:def:603536 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
CVE-2018-6554 A memory leak in the irda_bind function in the irda subsystem was discovered. A local user can take advantage of this flaw to cause a denial ...
oval:org.secpod.oval:def:52921 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52923 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52933 linux: Linux kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:1600898 An out-of-bounds read access issue was found in the VGA display emulator built into the Quick emulator. It could occur while reading VGA memory to update graphics display. A privileged user/process inside guest could use this flaw to crash the QEMU process on the host resulting in denial of service ...
oval:org.secpod.oval:def:52029 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:703741 linux: Linux kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:115247 The kernel meta package
oval:org.secpod.oval:def:52036 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52055 linux-oem: Linux kernel for OEM processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52110 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52113 linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52112 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52117 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52125 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:114434 The kernel meta package
oval:org.secpod.oval:def:53431 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2018-6554 A memory leak in the irda_bind function in the irda subsystem was discovered. A local user can take advantage of this flaw to cause a denial ...
oval:org.secpod.oval:def:114881 The kernel meta package
oval:org.secpod.oval:def:114874 Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux.
The main package includes the libvirtd server exporting the virtualization support.
oval:org.secpod.oval:def:51203 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-oem: Linux kernel for OEM processors - linux-gcp: Linux kernel for Google Cloud Platform systems Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52946 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52945 linux: Linux kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52949 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704394 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52951 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52950 linux: Linux kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:52956 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704389 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:204854 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs ha ...
oval:org.secpod.oval:def:114915 The kernel meta package
oval:org.secpod.oval:def:704331 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704329 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704312 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 S ...
oval:org.secpod.oval:def:704300 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704301 linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:704302 linux: Linux kernel Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:204866 The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix: * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF ... oval:org.secpod.oval:def:603280 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controllin ... oval:org.secpod.oval:def:53002 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:53004 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:53006 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-oem: Linux kernel for OEM processors - linux-gcp: Linux kernel for Google Cloud Platform systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:114599 The kernel meta package oval:org.secpod.oval:def:114569 The kernel meta package oval:org.secpod.oval:def:1700060 An incomplete fix for CVE-2018-5748 that affects QEMU monitor leading to a resource exhaustion but now also triggered via QEMU guest agent.qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service via a large QEMU reply.An industry-wide issue was found in the way many modern micr ... 
oval:org.secpod.oval:def:114572 The kernel meta package oval:org.secpod.oval:def:1700069 Fixes for L1Terminal Fault security issues:L1 Terminal Fault-OS/ SMM:Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault an ... oval:org.secpod.oval:def:1502222 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1700052 An out-of-bounds read access issue was found in the VGA display emulator built into the Quick emulator . It could occur while reading VGA memory to update graphics display. A privileged user/process inside guest could use this flaw to crash the QEMU process on the host resulting in denial of service ... oval:org.secpod.oval:def:1502233 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502231 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:114549 The kernel meta package oval:org.secpod.oval:def:704058 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704054 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. 
oval:org.secpod.oval:def:704042 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704045 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:114971 The kernel meta package oval:org.secpod.oval:def:704461 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-oem: Linux kernel for OEM processors - linux-gcp: Linux kernel for Google Cloud Platform systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704454 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704456 linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:48684 The host is installed with Apple Mac OS X through 10.12.6, 10.13.6 or 10.14 and is prone to multiple vulnerabilities. The flaws are present in the application, which fails to properly handle multiple issues. Successful exploitation allows remote attackers to execute arbitrary code or read restricted ... oval:org.secpod.oval:def:1502266 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502268 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:1502271 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502288 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502291 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502292 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:502333 Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix: * An industry-wide issue was found in the way many modern microprocessor designs ha ... oval:org.secpod.oval:def:502347 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF ... oval:org.secpod.oval:def:115019 The kernel meta package oval:org.secpod.oval:def:115017 QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation. QEMU has two operating modes: * Full system emulation. In this mode, QEMU emulates a full system , including a processor and various peripherials. It can be used to launch differe ... oval:org.secpod.oval:def:704825 linux-aws: Linux kernel for Amazon Web Services systems - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Several security issues were fixed in the Linux kernel. 
oval:org.secpod.oval:def:704826 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-raspi2: Linux kernel for Raspberry Pi 2 - linux-snapdragon: Linux kernel for Snapdragon processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:115537 The kernel meta package oval:org.secpod.oval:def:114687 The kernel meta package oval:org.secpod.oval:def:114653 The kernel meta package oval:org.secpod.oval:def:704141 linux: Linux kernel - linux-raspi2: Linux kernel for Raspberry Pi 2 Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704144 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704140 linux-oem: Linux kernel for OEM processors Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:603411 Several vulnerabilities were discovered in qemu, a fast processor emulator. CVE-2017-15038 Tuomas Tynkkynen discovered an information leak in 9pfs. CVE-2017-15119 Eric Blake discovered that the NBD server insufficiently restricts large option requests, resulting in denial of service. CVE-2017-15124 ... oval:org.secpod.oval:def:1502177 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502178 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:115165 The kernel meta package oval:org.secpod.oval:def:114282 The kernel meta package oval:org.secpod.oval:def:115129 The kernel meta package oval:org.secpod.oval:def:1800980 CVE-2018-5150: Memory safety bugs CVE-2018-5154: Use-after-free with SVG animations and clip paths CVE-2018-5155: Use-after-free with SVG animations and text paths CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files CVE-2018-5158: Malicious PDF can inject JavaScript into PDF ... oval:org.secpod.oval:def:53324 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:53368 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails. oval:org.secpod.oval:def:204825 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.8.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Ski ... oval:org.secpod.oval:def:45489 Mozilla Firefox before 60.0, Firefox, Thunderbird or ESR before 52.8 : An integer overflow can occur in the Skia library due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable b ... oval:org.secpod.oval:def:204814 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.8.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Skia * Mozilla: Use-after-free with SVG animations ... 
oval:org.secpod.oval:def:204812 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.8.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Skia * Mozilla: Use-after-free with SVG animations ... oval:org.secpod.oval:def:204801 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.8.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Ski ... oval:org.secpod.oval:def:502293 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.8.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Ski ... oval:org.secpod.oval:def:704095 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:502289 Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 52.8.0 ESR. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Ski ... oval:org.secpod.oval:def:704071 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:1502234 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502235 The advisory is missing the security advisory description. 
For more information please visit the reference link oval:org.secpod.oval:def:1700046 The following CVEs are fixed in the updated thunderbird package:CVE-2018-5161 : Hang via malformed headersCVE-2018-5162 : Encrypted mail leaks plaintext through src attributeCVE-2018-5183 : Backport critical security fixes in SkiaCVE-2018-5155 : Use-after-free with SVG animations and text pathsCVE-2 ... oval:org.secpod.oval:def:603408 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails. oval:org.secpod.oval:def:1502211 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502212 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:45541 The host is missing a critical security update according to Mozilla advisory, MFSA2018-11. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:45542 The host is missing a critical security update according to Mozilla advisory, MFSA2018-12. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:603394 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code or denial of service. oval:org.secpod.oval:def:502308 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.8.0. 
Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Skia * Mozilla: Use-after-free with SVG animations ... oval:org.secpod.oval:def:502307 Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 52.8.0. Security Fix: * Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 * Mozilla: Backport critical security fixes in Skia * Mozilla: Use-after-free with SVG animations ... oval:org.secpod.oval:def:45518 >Mozilla Firefox before 60.0, Firefox, Thunderbird or ESR before 52.8 : An integer overflow can occur in the Skia library due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable ... oval:org.secpod.oval:def:45512 The host is missing a critical security update according to Mozilla advisory, MFSA2018-11. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:45513 The host is missing a critical security update according to Mozilla advisory, MFSA2018-12. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:51039 firefox: Mozilla Open Source web browser Firefox could be made to crash or run programs as your login if it opened a malicious website. oval:org.secpod.oval:def:51045 thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird. oval:org.secpod.oval:def:704128 mozjs52: SpiderMonkey JavaScript library Several security issues were fixed in Spidermonkey. 
oval:org.secpod.oval:def:603451 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails. oval:org.secpod.oval:def:45668 The host is missing a critical security update according to Mozilla advisory, MFSA2018-13. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:45680 The host is missing a critical security update according to Mozilla advisory, MFSA2018-13. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted data. Successful exploitation allows remote attackers to execute arbitrary code, ... oval:org.secpod.oval:def:51061 mozjs52: SpiderMonkey JavaScript library Several security issues were fixed in Spidermonkey. oval:org.secpod.oval:def:1502083 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502084 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:204758 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list o ... oval:org.secpod.oval:def:603111 Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks. CVE-2017-7518 Andy Lutomirski discovered that KVM is prone to an incorrect debug exception error occurring while emulating a syscall instruction. A process ... 
oval:org.secpod.oval:def:502241 The kernel packages contain the Linux kernel, the core of any Linux operating system. These updated kernel packages include several security issues and numerous bug fixes, some of which you can see below. Space precludes documenting all of these bug fixes in this advisory. To see the complete list o ... oval:org.secpod.oval:def:53140 Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks. CVE-2017-7518 Andy Lutomirski discovered that KVM is prone to an incorrect debug exception error occurring while emulating a syscall instruction. A process ... oval:org.secpod.oval:def:1502144 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502163 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502164 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502449 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:113972 The kernel meta package oval:org.secpod.oval:def:47526 The host is missing an important security update according to MS advisory ADV180022. oval:org.secpod.oval:def:2000613 The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service via a crafted xfs image. oval:org.secpod.oval:def:51185 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... 
oval:org.secpod.oval:def:502541 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: stack-based buffer overflow in chap_server_compute_md5 in iscsi target * kernel: NULL pointer dereference in af_netlink.c:__netlink_ns_capable allows for denial of service For more details ... oval:org.secpod.oval:def:53396 CVE-2018-5391 Juha-Matti Tilli discovered a flaw in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker can take advantage of this flaw to trigger time and calculation expensive fragment reassembly algorithms by sending specially crafted packets, leadi ... oval:org.secpod.oval:def:113981 The kernel meta package oval:org.secpod.oval:def:52961 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:52963 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:502617 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: MIDI driver race condition leads to a double-free For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the ... oval:org.secpod.oval:def:1502392 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:204889 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensi ... 
oval:org.secpod.oval:def:53009 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:1502201 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502205 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704464 linux-aws-hwe: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-hwe: Linux hardware enablement kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704458 linux-azure: Linux kernel for Microsoft Azure Cloud systems Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:1502287 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:1502286 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:704429 linux: Linux kernel Several security issues were fixed in the Linux kernel. oval:org.secpod.oval:def:704427 linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM processors - li ... oval:org.secpod.oval:def:603396 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service. 
CVE-2018-1087 Andy Lutomirski discovered that the KVM implementation did not properly handle #DB exceptions while deferred by MOV SS/POP SS, allowing an unprivileged KVM gue ... oval:org.secpod.oval:def:205130 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: stack-based buffer overflow in chap_server_compute_md5 in iscsi target * kernel: NULL pointer dereference in af_netlink.c:__netlink_ns_capable allows for denial of service For more details ... oval:org.secpod.oval:def:502371 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensi ... oval:org.secpod.oval:def:205163 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * kernel: MIDI driver race condition leads to a double-free For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the ... oval:org.secpod.oval:def:115162 The kernel meta package oval:org.secpod.oval:def:115124 The kernel meta package oval:org.secpod.oval:def:51541 python2.7: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language - python3.4: An interactive high-level object-oriented language Several security issues were fixed in Python. oval:org.secpod.oval:def:1502484 The advisory is missing the security advisory description. For more information please visit the reference link oval:org.secpod.oval:def:205220 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. 
Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ... oval:org.secpod.oval:def:205222 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ... oval:org.secpod.oval:def:116912 Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the "python3" executable: the ... oval:org.secpod.oval:def:116908 The python3-docs package contains documentation on the Python 3 programming language and interpreter. Install the python3-docs package if you'd like to use the documentation for the Python 3 language. oval:org.secpod.oval:def:603532 Multiple security issues were discovered in Python: ElementTree failed to initialise Expat"s hash salt, two denial of service issues were found in difflib and poplib and a buffer overflow in PyString_DecodeEscape. oval:org.secpod.oval:def:603531 Multiple security issues were discovered in Python: ElementTree failed to initialise Expat"s hash salt, two denial of service issues were found in difflib and poplib and the shutil module was affected by a command injection vulnerability. oval:org.secpod.oval:def:603589 Several local side channel attacks and a denial of service via large Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets Layer toolkit. oval:org.secpod.oval:def:603582 Several local side channel attacks and a denial of service via large Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets Layer toolkit. 
oval:org.secpod.oval:def:1600877 DOS via regular expression catastrophic backtracking in apop method in pop3lib. A flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop method. An attacker could use this flaw to cause denial of service. DOS via regular expression backtracking in diff ...
oval:org.secpod.oval:def:116175 Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Co ...
oval:org.secpod.oval:def:116174 Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Co ...
oval:org.secpod.oval:def:116153 Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the "python3" executable: the ...
oval:org.secpod.oval:def:1801401 CVE-2018-14647: Missing salt initialization in _elementtree.c module. A flaw was found in python's _elementtree.c module, a wrapper for libexpat XML parser. xml.etree C accelerator doesn't call XML_SetHashSalt, failing to properly initiate the random hash seed from a good CSPRNG source and making ...
oval:org.secpod.oval:def:1801402 CVE-2018-14647: Missing salt initialization in _elementtree.c module. A flaw was found in python's _elementtree.c module, a wrapper for libexpat XML parser. xml.etree C accelerator doesn't call XML_SetHashSalt, failing to properly initiate the random hash seed from a good CSPRNG source and making ...
oval:org.secpod.oval:def:53471 Several local side channel attacks and a denial of service via large Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets Layer toolkit.
oval:org.secpod.oval:def:1700196 A security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, it is po ...
oval:org.secpod.oval:def:1700197 A security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, it is po ...
oval:org.secpod.oval:def:53430 Multiple security issues were discovered in Python: ElementTree failed to initialise Expat's hash salt, two denial of service issues were found in difflib and poplib and a buffer overflow in PyString_DecodeEscape.
oval:org.secpod.oval:def:53429 Multiple security issues were discovered in Python: ElementTree failed to initialise Expat's hash salt, two denial of service issues were found in difflib and poplib and the shutil module was affected by a command injection vulnerability.
oval:org.secpod.oval:def:1700186 A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if the application enables SSL/TLS certificate validation and accepts ...
oval:org.secpod.oval:def:1700165 Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding during NFKC normalization. The impact is: Information disclosure. The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorre ...
oval:org.secpod.oval:def:502638 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...
oval:org.secpod.oval:def:26707 The host is missing a security update according to Apple advisory, APPLE-SA-2015-08-13-2. The update is required to fix multiple vulnerabilities. The flaws are present in the application, which fails to handle crafted vectors. Successful exploitation may lead to an unexpected application terminati ...
oval:org.secpod.oval:def:117108 Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Co ...
oval:org.secpod.oval:def:116222 Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the "python3" executable: the ...
oval:org.secpod.oval:def:53478 Several local side channel attacks and a denial of service via large Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets Layer toolkit.
oval:org.secpod.oval:def:502688 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. This package provid ...
oval:org.secpod.oval:def:503163 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...
oval:org.secpod.oval:def:1700093 During key agreement in a TLS handshake using a DH based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This cou ...
oval:org.secpod.oval:def:503136 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...
oval:org.secpod.oval:def:1901833 Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding during NFKC normalization. The impact is: Information disclosure. The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorre ...
oval:org.secpod.oval:def:114976 Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Co ...
oval:org.secpod.oval:def:114974 Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Co ...
oval:org.secpod.oval:def:58423 python2.7: An interactive high-level object-oriented language - python3.7: An interactive high-level object-oriented language - python3.6: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language Several security issues were fixed in Python.
oval:org.secpod.oval:def:58426 python2.7: An interactive high-level object-oriented language - python3.7: An interactive high-level object-oriented language - python3.6: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language Several security issues were fixed in Python.
oval:org.secpod.oval:def:54086 The host is installed with Python through versions 2.7.16 or 3.7.2 and is prone to an information disclosure vulnerability. The flaw is present in the application, which fails to properly handle unicode encoding during NFKC normalization. Successful exploitation allows attackers to locate cookies or ...
oval:org.secpod.oval:def:1601016 Python 2.7.x through 2.7.16 is affected by: Improper Handling of Unicode Encoding during NFKC normalization. The impact is: Information disclosure. The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate ...
oval:org.secpod.oval:def:1601008 Python is affected by improper Handling of Unicode Encoding during NFKC normalization. The impact is: Information disclosure. The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authenticat ...
oval:org.secpod.oval:def:50186 The host is installed with python before versions 2.7.15 or 3.4.9 and is prone to a denial-of-service vulnerability. The flaw is present in the application, which fails to properly handle catastrophic backtracking in difflib.IS_LINE_JUNK method. Successful exploitation allows context-dependent attack ...
oval:org.secpod.oval:def:116893 Deepin tool kit core modules.
oval:org.secpod.oval:def:1601032 An issue was discovered in urllib2 in Python 2.x and urllib in Python 3.x. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n followed by an HTTP header or a Redis command. Python 2.7.x and 3.x are affected ...
oval:org.secpod.oval:def:114269 The python3-docs package contains documentation on the Python 3 programming language and interpreter. Install the python3-docs package if you'd like to use the documentation for the Python 3 language.
oval:org.secpod.oval:def:114264 The python3-docs package contains documentation on the Python 3 programming language and interpreter. Install the python3-docs package if you'd like to use the documentation for the Python 3 language.
oval:org.secpod.oval:def:1601038 A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authenticat ...
oval:org.secpod.oval:def:1601037 A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authenticat ...
oval:org.secpod.oval:def:114260 pip is a package management system used to install and manage software packages written in Python. Many packages can be found in the Python Package Index. pip is a recursive acronym that can stand for either "Pip Installs Packages" or "Pip Installs Python".
oval:org.secpod.oval:def:1502537 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:205184 Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix: * pyt ...
oval:org.secpod.oval:def:49173 python2.7: An interactive high-level object-oriented language - python3.5: An interactive high-level object-oriented language - python3.4: An interactive high-level object-oriented language Several security issues were fixed in Python.
oval:org.secpod.oval:def:116843 Python 3.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.6, see other distributions that support it, such as CentOS or RHEL with Software Co ...
oval:org.secpod.oval:def:116834 Python 3.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.6, see other distributions that support it, such as CentOS or RHEL with Software Co ...
oval:org.secpod.oval:def:704134 openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL.
oval:org.secpod.oval:def:1801399 CVE-2018-14647: Missing salt initialization in _elementtree.c module. A flaw was found in python's _elementtree.c module, a wrapper for libexpat XML parser. xml.etree C accelerator doesn't call XML_SetHashSalt, failing to properly initiate the random hash seed from a good CSPRNG source and making ...
oval:org.secpod.oval:def:1600954 Libgcrypt allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacke ...
oval:org.secpod.oval:def:1600952 A flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop method. An attacker could use this flaw to cause denial of service. A flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacke ...
oval:org.secpod.oval:def:1600998 Python is affected by improper Handling of Unicode Encoding during NFKC normalization. The impact is information disclosure. The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authenticati ...
oval:org.secpod.oval:def:51064 openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL.
oval:org.secpod.oval:def:114271 Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to v ...
oval:org.secpod.oval:def:114270 It uses mostly the same techniques for finding packages, so packages that were made easy_installable should be pip-installable as well.
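The NFKC entries above (CVE-2019-9636) and the regression entries that cite commit d537ab0ff9767ef024f26246899728f0116b1ec3 describe one mechanism: a character in the netloc that is not a URL delimiter until NFKC normalization turns it into one, so the URL parses to one host and, after normalization (which IDNA encoding performs), connects to another. The following is an added example, not code from the page or from CPython: it shows the host swap with a constructed URL (U+FF03, the fullwidth number sign, normalizes to '#'; the hosts are made up), re-implements the netloc check in both the regressed form (userinfo discarded before normalizing) and the corrected form (delimiters stripped, everything else normalized and scanned), and probes whether the running interpreter's urlsplit already refuses such a URL.

```python
"""Added example: how the NFKC netloc bypass works, and whether this
interpreter is patched. The checknetloc_* functions are re-implementations
modelled on CPython's fix, not CPython's own code. All URLs are constructed."""
import unicodedata
from urllib.parse import urlsplit

# Constructed sample. U+FF03 is not '#', so a raw parse treats "example.com\uff03"
# as userinfo and bing.com as the host; after NFKC normalization it becomes '#',
# the fragment starts there, and the host is now example.com.
CRAFTED_URL = "https://example.com\uff03@bing.com"

# Delimiters that must not appear newly after normalization.
DELIMITERS = "/?#@:"


def naive_hostname(url):
    """Host as an unpatched urlsplit derives it: netloc runs from '//' to the
    first '/', '?' or '#'; anything before the last '@' is userinfo."""
    _, _, rest = url.partition("//")
    end = len(rest)
    for delim in "/?#":
        i = rest.find(delim)
        if i != -1:
            end = min(end, i)
    host = rest[:end].rpartition("@")[2]
    return host.partition(":")[0].lower()


def hostname_before_and_after_nfkc(url):
    """(host of the raw URL, host of the NFKC-normalized URL). Unequal values
    mean cookies or credentials held for one host can be sent to the other."""
    return naive_hostname(url), naive_hostname(unicodedata.normalize("NFKC", url))


def checknetloc_regressed(netloc):
    """The check as it stood in the regressed fix: everything left of the last
    '@' is discarded before normalizing, so a decomposing character hidden in
    the userinfo part is never examined. Returns True if netloc is accepted."""
    if not netloc or netloc.isascii():
        return True
    n = netloc.rpartition("@")[2]
    for c in ":#?":
        n = n.replace(c, "")
    normalized = unicodedata.normalize("NFKC", n)
    if n == normalized:
        return True
    return not any(c in normalized for c in DELIMITERS)


def checknetloc_fixed(netloc):
    """The corrected check: delimiters already present are removed (the text
    around them is kept), then the whole netloc, userinfo included, is
    normalized and scanned for delimiters that exist only after NFKC."""
    if not netloc or netloc.isascii():
        return True
    n = netloc
    for c in "@:#?":
        n = n.replace(c, "")
    normalized = unicodedata.normalize("NFKC", n)
    if n == normalized:
        return True
    return not any(c in normalized for c in DELIMITERS)


def interpreter_rejects_crafted_netloc(url=CRAFTED_URL):
    """True if this interpreter's urlsplit refuses the crafted URL with
    ValueError, i.e. it carries the fix for CVE-2019-9636 and its regression."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    netloc = "example.com\uff03@bing.com"
    print("raw host, normalized host:", hostname_before_and_after_nfkc(CRAFTED_URL))
    print("regressed check accepts:", checknetloc_regressed(netloc))
    print("fixed check accepts:", checknetloc_fixed(netloc))
    print("this interpreter rejects it:", interpreter_rejects_crafted_netloc())
```

The regressed check still catches decomposing characters in the host part itself (for example U+2100, which normalizes to "a/c"), which is why it passed its original tests; the bypass needs the character to the left of an '@'. Run the probe on every interpreter that parses untrusted URLs, since a fixed urllib does not help code that normalizes the string before handing it to urlsplit.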
oval:org.secpod.oval:def:114272 Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the "python3" executable: the ...
oval:org.secpod.oval:def:1501540 The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an ...
oval:org.secpod.oval:def:1501543 The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an ...
oval:org.secpod.oval:def:1600435 Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. Multiple flaws have been discovered in va ...
oval:org.secpod.oval:def:203982 The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an ...
oval:org.secpod.oval:def:203978 The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an ...
oval:org.secpod.oval:def:501854 The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an ...
oval:org.secpod.oval:def:501858 The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Security Fix: * Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an ...
oval:org.secpod.oval:def:204790 The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: realpath buffer underflow w ...
oval:org.secpod.oval:def:113939 The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets ...
oval:org.secpod.oval:def:1600880 Fragmentation attacks possible when EDNS0 is enabled. The DNS stub resolver in the GNU C Library before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. Buffer overflow in glob ...
oval:org.secpod.oval:def:113932 The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets ...
oval:org.secpod.oval:def:703955 glibc: GNU C Library - eglibc: GNU C Library Several security issues were fixed in the GNU C library.
oval:org.secpod.oval:def:502266 The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix: * glibc: realpath buffer underflow w ...
oval:org.secpod.oval:def:114546 The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets ...
oval:org.secpod.oval:def:115085 The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets ...
oval:org.secpod.oval:def:114173 This is a Cross Compiled version of the GNU C Library, which can be used to compile and link binaries for the arm-linux-gnu platform, instead of for the native platform.
oval:org.secpod.oval:def:114170 This is a Cross Compiled version of the GNU C Library, which can be used to compile and link binaries for the arm-linux-gnu platform, instead of for the native platform.
oval:org.secpod.oval:def:1502176 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:602779 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts. CVE-2016-6786 / CVE-2016-6787 It was discovered that the performance events subsystem does not properly manage locks during certain migrations, allowing ...
oval:org.secpod.oval:def:703711 linux-hwe: Linux hardware enablement kernel - linux-meta-hwe: Several security issues were fixed in the Linux kernel.
oval:org.secpod.oval:def:204791 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * hw: cpu: speculative execution permission faults handling * kernel: Buffer overflow in firewire driver via crafted incoming packets * kernel: Use-after-free vulnerability in DCCP socket * Kernel: ...
oval:org.secpod.oval:def:502267 The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix: * hw: cpu: speculative execution permission faults handling * kernel: Buffer overflow in firewire driver via crafted incoming packets * kernel: Use-after-free vulnerability in DCCP socket * Kernel: ...
oval:org.secpod.oval:def:603383 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-9016 Ming Lei reported a race condition in the multiqueue block layer. On a system with a driver using blk-mq, a local user might be able to us ...
oval:org.secpod.oval:def:1502175 The advisory is missing the security advisory description. For more information please visit the reference link
oval:org.secpod.oval:def:47525 Microsoft is aware of a denial of service vulnerability (named "FragmentSmack" CVE-2018-5391) affecting Windows systems. An attacker could send many 8-byte sized IP fragments with random starting offsets, but withhold the last fragment and exploit the worst-case complexity of linked lists in reassem ...
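The urllib CRLF entry (oval:org.secpod.oval:def:1601032) says an attacker-controlled url parameter with \r\n in it lets the attacker append an HTTP header or a Redis command. The following is an added example, not code from the page or from CPython: it shows the bytes a client that formats the request line from an unchecked URL puts on the wire (the injected text is constructed), a builder that refuses request targets containing control characters using the same character class CPython's http.client rejects, and a probe for whether the running interpreter's http.client already refuses such a target before any socket is opened.

```python
"""Added example for the urllib CRLF-injection entry: the injected request as
sent, a hardened request builder, and a probe of the local interpreter.
Not CPython's code; the request target below is constructed."""
import http.client
import re

# Bytes that may not appear in a request target: ASCII control characters,
# space and DEL. Mirrors the class http.client uses since the fix.
DISALLOWED_TARGET_CHARS = re.compile(r"[\x00-\x20\x7f]")

# Constructed attacker value, e.g. a "url" query parameter the server forwards.
INJECTED_TARGET = "/search?q=x\r\nX-Injected: yes\r\n"


def naive_request(method, target, host):
    """Request bytes as a string-formatting client emits them. The CR LF inside
    `target` terminates the request line, so the attacker's text is sent as a
    header (or, against a non-HTTP service such as Redis, as a command)."""
    return f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


def header_names(raw):
    """Header names the receiving end would see in raw request bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode("latin-1")
            for line in head.split(b"\r\n")[1:] if b":" in line]


def target_is_safe(target):
    """False if the target contains any byte that could break out of the
    request line."""
    return DISALLOWED_TARGET_CHARS.search(target) is None


def safe_request(method, target, host):
    """Hardened builder: reject before formatting. Percent-encoding the value
    upstream (urllib.parse.quote) is what a client should do in the first place."""
    if not target_is_safe(target):
        raise ValueError("request target contains a control character")
    return naive_request(method, target, host)


def interpreter_rejects_crlf_target(target=INJECTED_TARGET):
    """True if http.client refuses the target with InvalidURL. putrequest only
    buffers the request line, so no connection is made."""
    conn = http.client.HTTPConnection("localhost")
    try:
        conn.putrequest("GET", target)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    print(naive_request("GET", INJECTED_TARGET, "localhost"))
    print("headers seen by the server:", header_names(naive_request("GET", INJECTED_TARGET, "localhost")))
    print("this interpreter rejects it:", interpreter_rejects_crlf_target())
```

urllib.request.urlopen hands its URL to http.client, so the probe covers the urlopen path named in the advisory. It tests only the stdlib client; any code in the application that builds request lines or Redis commands by string formatting needs the same rejection or encoding step.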