- Arch-security - lists.archlinux.org

[arch-security] [ASA-201711-20] mediawiki: multiple issues
by Levente Polyak 15 Nov '17

15 Nov '17

Arch Linux Security Advisory ASA-201711-20 ========================================== Severity: High Date : 2017-11-15 CVE-ID : CVE-2017-0361 CVE-2017-8808 CVE-2017-8809 CVE-2017-8810 CVE-2017-8811 CVE-2017-8812 CVE-2017-8814 CVE-2017-8815 Package : mediawiki Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-490 Summary ======= The package mediawiki before version 1.29.2-1 is vulnerable to multiple issues including cross-site scripting, information disclosure, url request injection and insufficient validation. Resolution ========== Upgrade to 1.29.2-1. # pacman -Syu "mediawiki>=1.29.2-1" The problems have been fixed upstream in version 1.29.2. Workaround ========== None. Description =========== - CVE-2017-0361 (information disclosure) MediaWiki before 1.29.2 may leak passwords in plaintext. API parameters may now be marked as "sensitive" to keep their values out of the logs. - CVE-2017-8808 (cross-site scripting) MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has XSS when the $wgShowExceptionDetails setting is false and the browser sends non-standard URL escaping. - CVE-2017-8809 (url request injection) api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability. - CVE-2017-8810 (information disclosure) MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests. - CVE-2017-8811 (cross-site scripting) The implementation of raw message parameter expansion in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows HTML mangling attacks. - CVE-2017-8812 (insufficient validation) MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows remote attackers to inject > (greater than) characters via the id attribute of a headline. - CVE-2017-8814 (cross-site scripting) The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk." - CVE-2017-8815 (cross-site scripting) The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules. Impact ====== A remote attacker is able to perform a cross-side scripting attack by injecting javascript into the site, disclose information or perform a reflected file download attack. References ========== https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/0002… https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.… https://phabricator.wikimedia.org/T125177 https://phabricator.wikimedia.org/T180488 https://github.com/wikimedia/mediawiki/commit/8b0220e81ba462d21d8e1facbe6ae… https://github.com/wikimedia/mediawiki/commit/59ce3456a8007d76875fe8fb21eff… https://phabricator.wikimedia.org/T178451 https://github.com/wikimedia/mediawiki/commit/1713ddeff12b263fb7634796dc029… https://phabricator.wikimedia.org/T128209 https://github.com/wikimedia/mediawiki/commit/9bf2c01ea238d0e71c56bad7341c8… https://phabricator.wikimedia.org/T134100 https://github.com/wikimedia/mediawiki/commit/e7ea90509c73c60b665b8f63e3bb9… https://phabricator.wikimedia.org/T176247 https://github.com/wikimedia/mediawiki/commit/410c00a9ae92411d3d1568e84c4aa… https://phabricator.wikimedia.org/T125163 https://github.com/wikimedia/mediawiki/commit/31041e4557c2f4b96ef0a16e44bf6… https://phabricator.wikimedia.org/T124404 https://github.com/wikimedia/mediawiki/commit/fbe78cfa094645b907d0fd2885c57… https://phabricator.wikimedia.org/T119158 https://github.com/wikimedia/mediawiki/commit/f21f3942eb10d7e688eb25261ac3a… https://security.archlinux.org/CVE-2017-0361 https://security.archlinux.org/CVE-2017-8808 https://security.archlinux.org/CVE-2017-8809 https://security.archlinux.org/CVE-2017-8810 https://security.archlinux.org/CVE-2017-8811 https://security.archlinux.org/CVE-2017-8812 https://security.archlinux.org/CVE-2017-8814 https://security.archlinux.org/CVE-2017-8815

1 0

[arch-security] [ASA-201711-19] konversation: denial of service
by Morten Linderud 14 Nov '17

14 Nov '17

Arch Linux Security Advisory ASA-201711-19 ========================================== Severity: Medium Date : 2017-11-12 CVE-ID : CVE-2017-15923 Package : konversation Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-489 Summary ======= The package konversation before version 1.7.3-1 is vulnerable to denial of service. Resolution ========== Upgrade to 1.7.3-1. # pacman -Syu "konversation>=1.7.3-1" The problem has been fixed upstream in version 1.7.3. Workaround ========== Go to Interface -> Colors in the Configure Konversation dialog and uncheck Allow Colored Text in IRC Messages (near the bottom) Description =========== A denial of service vulnerability has been discovered in Konversation before 1.7.3 when handling colors in IRC messages. Any malicious user connected to the same IRC network could send a carefully crafted message that would crash the Konversation user client. Impact ====== A remote attacker is able to craft messages that can result in the client crashing. References ========== https://www.kde.org/info/security/advisory-20171112-1.txt https://cgit.kde.org/konversation.git/commit/?h=1.7&id=34cc9556c1a089fac6b6… https://security.archlinux.org/CVE-2017-15923

1 0

[arch-security] [ASA-201711-18] postgresql-old-upgrade: multiple issues
by Levente Polyak 10 Nov '17

10 Nov '17

Arch Linux Security Advisory ASA-201711-18 ========================================== Severity: Medium Date : 2017-11-10 CVE-ID : CVE-2017-15098 CVE-2017-15099 Package : postgresql-old-upgrade Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-486 Summary ======= The package postgresql-old-upgrade before version 9.6.6-1 is vulnerable to multiple issues including access restriction bypass and information disclosure. Resolution ========== Upgrade to 9.6.6-1. # pacman -Syu "postgresql-old-upgrade>=9.6.6-1" The problems have been fixed upstream in version 9.6.6. Workaround ========== None. Description =========== - CVE-2017-15098 (information disclosure) A denial of service and potential memory disclosure vulnerability has been discovered in PostgreSQL in the json_populate_recordset() and jsonb_populate_recordset() functions. - CVE-2017-15099 (access restriction bypass) An access restriction bypass vulnerability has been discovered in PostgreSQL, the "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the executing user had permission to perform a "SELECT" on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would not check the SELECT policies for that table before performing the update. The fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against table permissions and RLS policies before executing. Impact ====== A remote attacker is able to bypass access restrictions via certain queries or possibly leak sensitive information from the running process. References ========== https://www.postgresql.org/about/news/1801/ https://security.archlinux.org/CVE-2017-15098 https://security.archlinux.org/CVE-2017-15099

1 0

[arch-security] [ASA-201711-17] postgresql: multiple issues
by Levente Polyak 10 Nov '17

10 Nov '17

Arch Linux Security Advisory ASA-201711-17 ========================================== Severity: Medium Date : 2017-11-10 CVE-ID : CVE-2017-15098 CVE-2017-15099 Package : postgresql Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-485 Summary ======= The package postgresql before version 10.1-1 is vulnerable to multiple issues including access restriction bypass and information disclosure. Resolution ========== Upgrade to 10.1-1. # pacman -Syu "postgresql>=10.1-1" The problems have been fixed upstream in version 10.1. Workaround ========== None. Description =========== - CVE-2017-15098 (information disclosure) A denial of service and potential memory disclosure vulnerability has been discovered in PostgreSQL in the json_populate_recordset() and jsonb_populate_recordset() functions. - CVE-2017-15099 (access restriction bypass) An access restriction bypass vulnerability has been discovered in PostgreSQL, the "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the executing user had permission to perform a "SELECT" on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would not check the SELECT policies for that table before performing the update. The fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against table permissions and RLS policies before executing. Impact ====== A remote attacker is able to bypass access restrictions via certain queries or possibly leak sensitive information from the running process. References ========== https://www.postgresql.org/about/news/1801/ https://security.archlinux.org/CVE-2017-15098 https://security.archlinux.org/CVE-2017-15099

1 0

[arch-security] [ASA-201711-16] libextractor: denial of service
by Levente Polyak 10 Nov '17

10 Nov '17

Arch Linux Security Advisory ASA-201711-16 ========================================== Severity: Low Date : 2017-11-08 CVE-ID : CVE-2017-15922 Package : libextractor Type : denial of service Remote : No Link : https://security.archlinux.org/AVG-471 Summary ======= The package libextractor before version 1.6-1 is vulnerable to denial of service. Resolution ========== Upgrade to 1.6-1. # pacman -Syu "libextractor>=1.6-1" The problem has been fixed upstream in version 1.6. Workaround ========== None. Description =========== In GNU Libextractor before 1.6, there is an out-of-bounds read in the EXTRACTOR_dvi_extract_method function in plugins/dvi_extractor.c. Impact ====== An attacker is able to crash the application by providing a crafted DVI file. References ========== http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html https://security.archlinux.org/CVE-2017-15922

1 0

[arch-security] [ASA-201711-15] lib32-openssl: multiple issues
by Levente Polyak 10 Nov '17

10 Nov '17

Arch Linux Security Advisory ASA-201711-15 ========================================== Severity: Medium Date : 2017-11-08 CVE-ID : CVE-2017-3735 CVE-2017-3736 Package : lib32-openssl Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-478 Summary ======= The package lib32-openssl before version 1:1.1.0.g-1 is vulnerable to multiple issues including information disclosure and denial of service. Resolution ========== Upgrade to 1:1.1.0.g-1. # pacman -Syu "lib32-openssl>=1:1.1.0.g-1" The problems have been fixed upstream in version 1.1.0.g. Workaround ========== None. Description =========== - CVE-2017-3735 (denial of service) A security issue has been found in OpenSSL < 1.1.0g. If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format. - CVE-2017-3736 (information disclosure) A carry propagation bug has been found in OpenSSL < 1.1.0g in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. Impact ====== A remote attacker can cause a denial of service via a crafted X.509 certificate. A remote attacker with access to a large amount of resources might be able to retrieve a private key, depending on the kind of processor used. References ========== https://www.openssl.org/news/vulnerabilities.html#2017-3735 https://www.openssl.org/news/secadv/20170828.txt https://github.com/openssl/openssl/commit/b23171744b01e473ebbfd6edad70c1c38… https://www.openssl.org/news/vulnerabilities.html#2017-3736 https://www.openssl.org/news/secadv/20171102.txt https://github.com/openssl/openssl/commit/668a709a8d7ea374ee72ad2d43ac72ec6… https://security.archlinux.org/CVE-2017-3735 https://security.archlinux.org/CVE-2017-3736

1 0

[arch-security] [ASA-201711-14] openssl: multiple issues
by Remi Gacogne 08 Nov '17

08 Nov '17

Arch Linux Security Advisory ASA-201711-14 ========================================== Severity: Medium Date : 2017-11-07 CVE-ID : CVE-2017-3735 CVE-2017-3736 Package : openssl Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-477 Summary ======= The package openssl before version 1.1.0.g-1 is vulnerable to multiple issues including information disclosure and denial of service. Resolution ========== Upgrade to 1.1.0.g-1. # pacman -Syu "openssl>=1.1.0.g-1" The problems have been fixed upstream in version 1.1.0.g. Workaround ========== None. Description =========== - CVE-2017-3735 (denial of service) A security issue has been found in OpenSSL < 1.1.0g. If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format. - CVE-2017-3736 (information disclosure) A carry propagation bug has been found in OpenSSL < 1.1.0g in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. Impact ====== A remote attacker can cause a denial of service via a crafted X.509 certificate. A remote attacker with access to a large amount of resources might be able to retrieve a private key, depending on the kind of processor used. References ========== https://www.openssl.org/news/vulnerabilities.html#2017-3735 https://www.openssl.org/news/secadv/20170828.txt https://github.com/openssl/openssl/commit/b23171744b01e473ebbfd6edad70c1c38… https://www.openssl.org/news/vulnerabilities.html#2017-3736 https://www.openssl.org/news/secadv/20171102.txt https://github.com/openssl/openssl/commit/668a709a8d7ea374ee72ad2d43ac72ec6… https://security.archlinux.org/CVE-2017-3735 https://security.archlinux.org/CVE-2017-3736

1 0

[arch-security] [ASA-201711-13] libzip: arbitrary code execution
by Remi Gacogne 08 Nov '17

08 Nov '17

Arch Linux Security Advisory ASA-201711-13 ========================================== Severity: High Date : 2017-11-07 CVE-ID : CVE-2017-12858 Package : libzip Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-390 Summary ======= The package libzip before version 1.3.0-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 1.3.0-1. # pacman -Syu "libzip>=1.3.0-1" The problem has been fixed upstream in version 1.3.0. Workaround ========== None. Description =========== Double free vulnerability in the _zip_dirent_read function in zip_dirent.c in libzip allows attackers to execute arbitrary code via a crafted zip file. Impact ====== A remote attacker can execute arbitrary code on the affected host by tricking the user or an application using libzip into opening a crafted zip file. References ========== https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d917… https://security.archlinux.org/CVE-2017-12858

1 0

[arch-security] [ASA-201711-12] chromium: arbitrary code execution
by Remi Gacogne 07 Nov '17

07 Nov '17

Arch Linux Security Advisory ASA-201711-12 ========================================== Severity: Critical Date : 2017-11-07 CVE-ID : CVE-2017-15398 CVE-2017-15399 Package : chromium Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-482 Summary ======= The package chromium before version 62.0.3202.89-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 62.0.3202.89-1. # pacman -Syu "chromium>=62.0.3202.89-1" The problems have been fixed upstream in version 62.0.3202.89. Workaround ========== None. Description =========== - CVE-2017-15398 (arbitrary code execution) A stack-based buffer overflow has been found in the QUIC component of the Chromium browser before 62.0.3202.89. - CVE-2017-15399 (arbitrary code execution) A use-after-free has been found in the V8 component of the Chromium browser before 62.0.3202.89. Impact ====== A remote attacker can execute arbitrary code on the affected host. References ========== https://chromereleases.googleblog.com/2017/11/stable-channel-update-for-des… https://bugs.chromium.org/p/chromium/issues/detail?id=777728 https://bugs.chromium.org/p/chromium/issues/detail?id=776677 https://security.archlinux.org/CVE-2017-15398 https://security.archlinux.org/CVE-2017-15399

1 0

[arch-security] [ASA-201711-11] libcurl-gnutls: information disclosure
by Levente Polyak 06 Nov '17

06 Nov '17

Arch Linux Security Advisory ASA-201711-11 ========================================== Severity: Medium Date : 2017-11-02 CVE-ID : CVE-2017-1000257 Package : libcurl-gnutls Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-462 Summary ======= The package libcurl-gnutls before version 7.56.1-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 7.56.1-1. # pacman -Syu "libcurl-gnutls>=7.56.1-1" The problem has been fixed upstream in version 7.56.1. Workaround ========== None. Description =========== A heap buffer overrun flaw was found in the IMAP handler of libcurl >= 7.20.0 and < 7.56.1. An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application. Impact ====== A remote attacker is able to disclose sensitive information or crash the application by tricking an unsuspecting user into connecting to a malicious IMAP server. References ========== https://curl.haxx.se/docs/adv_20171023.html https://curl.haxx.se/CVE-2017-1000257.patch https://github.com/curl/curl/commit/13c9a9ded3ae744a1e11cbc14e9146d9fa427040 https://security.archlinux.org/CVE-2017-1000257

1 0