Diffstat (limited to 'security/vuxml')
| -rw-r--r-- | security/vuxml/Makefile | 4 | ||||
| -rw-r--r-- | security/vuxml/files/euvd_provider.sh | 69 | ||||
| -rw-r--r-- | security/vuxml/files/mitre_provider.sh | 61 | ||||
| -rw-r--r-- | security/vuxml/files/newentry.sh | 172 | ||||
| -rw-r--r-- | security/vuxml/files/nvd_provider.sh | 72 | ||||
| -rw-r--r-- | security/vuxml/vuln/2015.xml | 2 | ||||
| -rw-r--r-- | security/vuxml/vuln/2017.xml | 2 | ||||
| -rw-r--r-- | security/vuxml/vuln/2018.xml | 4 | ||||
| -rw-r--r-- | security/vuxml/vuln/2019.xml | 6 | ||||
| -rw-r--r-- | security/vuxml/vuln/2020.xml | 2 | ||||
| -rw-r--r-- | security/vuxml/vuln/2021.xml | 8 | ||||
| -rw-r--r-- | security/vuxml/vuln/2022.xml | 6 | ||||
| -rw-r--r-- | security/vuxml/vuln/2023.xml | 8 | ||||
| -rw-r--r-- | security/vuxml/vuln/2024.xml | 4 | ||||
| -rw-r--r-- | security/vuxml/vuln/2025.xml | 3299 |
15 files changed, 3617 insertions, 102 deletions
diff --git a/security/vuxml/Makefile b/security/vuxml/Makefile
index 9a3ef8b7a291..243b5cd5723e 100644
--- a/security/vuxml/Makefile
+++ b/security/vuxml/Makefile
@@ -102,10 +102,6 @@ newentry: @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.' @${ECHO_CMD} @${SH} ${FILESDIR}/newentry.sh "${VUXML_CURRENT_FILE}" "CVE_ID=${CVE_ID}" "SA_ID=${SA_ID}" - @${ECHO_CMD} - @${ECHO_CMD} 'Be sure to get versioning right for PORTEPOCH and remember possible linux-* ports!' - @${ECHO_CMD} 'Also, <gt> tags are usually wrong in ranges. Use <ge> where adequate.' - @${ECHO_CMD} .if defined(VID) && !empty(VID) html: work/${VID}.html
diff --git a/security/vuxml/files/euvd_provider.sh b/security/vuxml/files/euvd_provider.sh
new file mode 100644
index 000000000000..821d2fcc06a2
--- /dev/null
+++ b/security/vuxml/files/euvd_provider.sh
@@ -0,0 +1,69 @@
+# Provider for the European Union Vulnerability Database
+# https://euvd.enisa.europa.eu/
+
+tmp_euvd=""
+
+init_euvd() {
+ tmp_euvd=$(mktemp "${TMPDIR:-/tmp}"/euvd_json_data.XXXXXXXXXX) || exit 1
+ fetch -q -o "${tmp_euvd}" "https://euvdservices.enisa.europa.eu/api/enisaid?id=${CVE_ID}" || exit 1
+}
+
+cleanup_euvd() {
+ rm -f "${tmp_euvd}" 2>/dev/null
+}
+
+get_cvename_from_euvd() {
+ # EUVD response includes "aliases" (CVE ID if available)
+ jq -r '.aliases // .id' "${tmp_euvd}"
+}
+
+get_cveurl_from_euvd() {
+ echo "https://euvd.enisa.europa.eu/ui/vuln/${CVE_ID}"
+}
+
+get_details_from_euvd() {
+ jq -r '.description // empty | @html' "${tmp_euvd}" | fmt -p -s | sed '1!s/^/\t/'
+}
+
+get_discovery_date_from_euvd() {
+ raw=$(jq -r '.datePublished // empty' "${tmp_euvd}")
+ if [ -n "$raw" ]; then
+ trimmed=$(echo "$raw" | cut -d, -f1-2)
+ if date -d "$trimmed" "+%Y-%m-%d" >/dev/null 2>&1; then
+ date -d "$trimmed" "+%Y-%m-%d"
+ else
+ date -j -f "%b %d, %Y" "$trimmed" "+%Y-%m-%d"
+ fi
+ fi
+}
+
+get_entry_date_from_euvd() {
+ echo "${entry_date}"
+}
+
+
+get_product_name_from_euvd() {
+ jq -r ' .enisaIdProduct[]?.product?.name ' "${tmp_euvd}"
+}
+
+get_product_range_from_euvd() {
+ jq -r '.enisaIdProduct[]? | "\(.product_version? | gsub("<";"<") | gsub(">";">") | gsub("&";"&"))"' "${tmp_euvd}"
+}
+
+get_package_name_from_euvd() {
+ jq -r '.enisaIdProduct[0]?.product?.name // empty' "${tmp_euvd}"
+}
+
+get_references_from_euvd() {
+ jq -r '.references // empty | @html' "${tmp_euvd}" | tr " " "\n"
+}
+
+get_source_from_euvd() {
+ jq -r '.assigner // empty | @html' "${tmp_euvd}"
+}
+
+get_topic_from_euvd() {
+ # Use first sentence of description
+ jq -r '.description // empty' "${tmp_euvd}" | cut -f1 -d.
+}
+
diff --git a/security/vuxml/files/mitre_provider.sh b/security/vuxml/files/mitre_provider.sh
new file mode 100644
index 000000000000..c2b1f8ffa73e
--- /dev/null
+++ b/security/vuxml/files/mitre_provider.sh
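Review bot: Escaping of values that newentry.sh later pastes into XML is inconsistent in this file: `get_details_from_euvd`, `get_references_from_euvd` and `get_source_from_euvd` go through `@html`, while `get_topic_from_euvd`, `get_product_name_from_euvd` and `get_package_name_from_euvd` emit the raw strings (they land in `<topic>` and `<name>`), and the gsub chain in `get_product_range_from_euvd` reads as a no-op on this page — possibly entity text lost in rendering, so confirm what the file actually contains. An `&` or `<` in upstream product or description data then yields malformed vuxml; applying `| @html` uniformly fixes it, and the same gap exists in mitre_provider.sh (no field is escaped) and nvd_provider.sh (product_name, product_range, package_name). `init_euvd` also exits the whole script when the fetch fails, although newentry.sh's resolver is written to fall through to the next provider; returning non-zero and letting the jq calls yield empty would match that design. The two-step date parsing in `get_discovery_date_from_euvd` deserves a comment such as `# GNU date accepts -d DATE; on FreeBSD -d is a different option and fails here, so fall back to -j -f`, and the `cut -d, -f1-2` presumes a "Mon D, YYYY" form that is worth checking against a real response.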
@@ -0,0 +1,61 @@
+# Provider for MITRE
+# https://www.mitre.org/
+
+tmp_mitre=""
+
+init_mitre()
+{
+ tmp_mitre=$(mktemp "${TMPDIR:-/tmp}"/mitre.XXXXXXXXXX) || exit 1
+ fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}"
+}
+
+cleanup_mitre()
+{
+ rm "${tmp_mitre}" 2>/dev/null
+}
+
+get_cvename_from_mitre()
+{
+ cvename="${CVE_ID}"
+ echo "${cvename}"
+}
+
+get_cveurl_from_mitre() {
+ echo https://cveawg.mitre.org/api/cve/"${CVE_ID}"
+}
+
+get_details_from_mitre() {
+ jq -r '.containers?.cna?.descriptions[0]?.value' "${tmp_mitre}" | fmt -p -s
+}
+
+get_discovery_date_from_mitre() {
+ jq -r '.cveMetadata?.datePublished?' "${tmp_mitre}" | cut -f1 -dT
+}
+
+get_entry_date_from_mitre() {
+ echo "${entry_date}"
+}
+
+get_product_name_from_mitre() {
+ jq -r '.containers?.cna?.affected[]?.product' "${tmp_mitre}"
+}
+
+get_product_range_from_mitre() {
+ jq -r '.containers?.cna?.affected[]??.versions[0]?.lessThan' "${tmp_mitre}"
+}
+
+get_package_name_from_mitre() {
+ jq -r '.containers?.cna?.affected[0]?.product' "${tmp_mitre}"
+}
+
+get_references_from_mitre() {
+ jq -r '.containers?.cna?.references[0]?.url' "${tmp_mitre}" | fmt -p -s
+}
+
+get_source_from_mitre() {
+ jq -r '.containers?.cna?.references[0]?.url' "${tmp_mitre}"
+}
+
+get_topic_from_mitre() {
+ jq -r ".containers?.cna?.problemTypes[0]?.descriptions[0]?.description" "${tmp_mitre}"
+}
diff --git a/security/vuxml/files/newentry.sh b/security/vuxml/files/newentry.sh
index 0298a5376a9e..8d1f9b6eba94 100644
--- a/security/vuxml/files/newentry.sh
+++ b/security/vuxml/files/newentry.sh
@@ -15,6 +15,9 @@ if [ -z "${vuxml_file}" ]; then show_usage fi +# ----------------- +# Process arguments +# ----------------- shift while [ $# -gt 0 ]; do case "$1" in
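Review bot: `get_source_from_mitre` returns `references[0].url`, so the generated description reads `<p>https://… reports:</p>` — which is exactly what the 2025.xml entries added by this commit show (the MongoDB, Xorg and Mozilla entries) — and `get_cveurl_from_mitre` returns the JSON API endpoint rather than a page a reader can open. The CVE 5 record carries an assigner short name (`cveMetadata.assignerShortName`, and `containers.cna.providerMetadata.shortName` for the CNA) that would serve as the source, and the record page form `https://www.cve.org/CVERecord?id=${CVE_ID}` — already used by this commit's 2022.xml change — as the cveurl, leaving `get_references_from_mitre` to keep the URL; check both paths against a fetched record. `init_mitre` ignores the fetch status while `init_nvd` and `init_euvd` exit on failure, so a fetch error here silently turns into `null` fields; pick one behaviour and state it in a comment. The `??` in `.affected[]??.versions[0]?` looks like a typo for a single `?`.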
@@ -34,27 +37,45 @@ case "$1" in esac done -tmp="`mktemp ${TMPDIR:-/tmp}/vuxml.XXXXXXXXXX`" || exit 1 +tmp=$(mktemp "${TMPDIR:-/tmp}"/vuxml.XXXXXXXXXX) || exit 1 tmp_fbsd_sa="" -tmp_mitre="" -tmp_nvd="" +# ------------------------------------- +# Define how to clean up temporal files +# ------------------------------------- +# doclean="yes" cleanup() { if [ "${doclean}" = "yes" ]; then - rm -f "${tmp}" "${tmp_fbsd_sa}" "${tmp_mitre}" "${tmp_nvd}" > /dev/null + rm -f "${tmp}" "${tmp_fbsd_sa}" > /dev/null fi + + # Call cleaners for providers + for provider in ${providers}; do + cleanup_"${provider}" + cleanup_"${provider}" + done } -trap cleanup EXIT 1 2 13 15 +trap cleanup EXIT HUP INT PIPE TERM -vid="`uuidgen | tr '[:upper:]' '[:lower:]'`" +# ----------------------------- +# Variables with default values +# ----------------------------- +vid="$(uuidgen | tr '[:upper:]' '[:lower:]')" [ -z "$vid" ] && exit 1 + +discovery_date="" cvename="INSERT CVE RECORD IF AVAILABLE" cveurl="INSERT BLOCKQUOTE URL HERE" details="." -discovery="`date -u '+%Y-%m'`-FIXME" || exit 1 -entry="`date -u '+%Y-%m-%d'`" || exit 1 +discovery_date="$(date -u '+%Y-%m')-FIXME" || exit 1 +entry_date="$(date -u '+%Y-%m-%d')" || exit 1 package_name="" +product_name="" +product_range="" +package_list="<package> +<name></name> +<range><lt></lt></range>" references="INSERT URL HERE" topic="" source="SO-AND-SO" 
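Review bot: `cleanup()` calls `cleanup_"${provider}"` twice per provider (the line is duplicated inside the for loop), and it iterates `${providers}` even when no CVE_ID was given, in which case the provider files were never sourced and the EXIT trap prints `cleanup_mitre: not found` (and so on) for each name, because the list is assigned unconditionally further down in this file. Guard the call, e.g. `command -v cleanup_"${provider}" >/dev/null 2>&1 && cleanup_"${provider}"`, or have init_providers record the providers it actually sourced and loop over that list here. A comment above the loop stating that providers are sourced later and may be absent would explain the guard.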
@@ -67,38 +88,65 @@ DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> </blockquote> </body>" - -# Try to retrieve information if a CVE identifier was provided -if [ -n "${CVE_ID}" ]; then +# -------------------------------- +# Check we have everything we need +# -------------------------------- +check_dependencies() +{ if ! command -v jq > /dev/null; then echo textproc/jq is needed for CVE automatic entry fill exit 1 fi +} + +# ------------------------------------------ +# List of CVE providers sorted by preference +# ------------------------------------------ +providers="mitre nvd euvd" + +# ------------------------------------------ +# List of fields to query for every provider +# ------------------------------------------ +fields="cvename cveurl details discovery_date entry_date product_name product_range package_name references source topic" - # NVD database only accepts uppercase CVE ids, like CVE-2022-39282, NOT - # cve-2022-39282. - CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1 - - # Get information from the NVD database JSON format - tmp_nvd="`mktemp ${TMPDIR:-/tmp}/nvd_json_data.XXXXXXXXXX`" || exit 1 - fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1 - # Get information from MITRE database (they provide a nice "topic") - tmp_mitre="`mktemp ${TMPDIR:-/tmp}/mitre.XXXXXXXXXX`" || exit 1 - fetch -q -o "${tmp_mitre}" https://cveawg.mitre.org/api/cve/"${CVE_ID}" - - # Create variables from input and online sources - cvename="${CVE_ID}" - cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID} - pref=.vulnerabilities[0].cve - details=$(jq -r "${pref}.descriptions[0].value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/') || exit 1 - discovery=$(jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT) || exit 1 - pref=.vulnerabilities[0].cve.configurations[0].nodes[0].cpeMatch[0] - package_name=$(jq -r "${pref}.criteria|@html" "${tmp_nvd}" | cut -f4 -d:) || exit 1 - upstream_fix=$(jq -r 
"${pref}.versionEndExcluding|@html" "${tmp_nvd}") || exit 1 - pref=.vulnerabilities[0].cve.references[0] - references=$(jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 - source=$(jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n") || exit 1 - topic=$(jq -r ".containers.cna.title|@html" "${tmp_mitre}" ) || exit 1 +# Some providers only allow for upper case identifiers +CVE_ID=$(echo "${CVE_ID}" | tr '[:lower:]' '[:upper:]') || exit 1 + +# ----------------------------------------------------------------------------- +# Generic resolver +# +# Gets a variable name and the list of providers and returns the value of the +# variable. If the first defined provider returns empty or nullm, it tries with +# the next one until one provider returns a value or we run out of providers +# ----------------------------------------------------------------------------- +resolve_field() { + field="${1}" + shift + providers="$@" + + for provider in $providers; do + func="get_${field}_from_${provider}" + if command -v "${func}" >/dev/null 2>&1; then + value="$($func)" + if [ -n "${value}" ] && [ "${value}" != "null" ] && [ "${value}" != "n/a" ]; then + echo "${value}" + return 0 + fi + else + echo "Warning: function ${func} not implemented in provider ${provider}" + fi + done + echo "null" +} + +# -------------------------------------------------- +# Fill global variables with data from CVE databases +# -------------------------------------------------- +get_cve_info() { + for field in ${fields}; do + value=$(resolve_field "${field}" ${providers}) + eval "${field}=\$value" + done DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> <p>${source} reports:</p> 
@@ -106,14 +154,17 @@ DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> <p>${details}</p> </blockquote> </body>" -fi +} -if [ -n "${SA_ID}" ]; then +# ---------------------------------------------------------------- +# Fill global variables with data from FreeBSD Security Advisories +# ---------------------------------------------------------------- +get_sa_info() { SA_URL_BASE=https://www.freebsd.org/security/advisories/ # Get information from the Project's SA site - tmp_fbsd_sa="$(mktemp ${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX)" || exit 1 - fetch -q -o "${tmp_fbsd_sa}" ${SA_URL_BASE}${SA_ID} || exit 1 + tmp_fbsd_sa=$(mktemp "${TMPDIR:-/tmp}/fbsd_sa_data.XXXXXXXXXX") || exit 1 + fetch -q -o "${tmp_fbsd_sa}" "${SA_URL_BASE}${SA_ID}" || exit 1 # Create variables from SA note if grep -q 'CVE Name' "${tmp_fbsd_sa}"; then @@ -148,6 +199,40 @@ DESC_BODY="<body xmlns=\"http://www.w3.org/1999/xhtml\"> <h1>Impact:</h1> ${impact} </body>" +} + +init_providers() { + for provider in files/*_provider.sh; do + provider_name=$(basename "${provider}" | cut -f1 -d_) + . "files/${provider_name}_provider.sh" + init_"${provider_name}" + done +} + +create_packages_list() { + tmp_prod=$(mktemp "${TMPDIR:-/tmp}"/vuxml.prod.XXXXXXXXXX) || exit 1 + tmp_ver=$(mktemp "${TMPDIR:-/tmp}"/vuxml.ver.XXXXXXXXXX) || exit 1 + printf "%s" "${product_name}" > "${tmp_prod}" + printf "%s" "${product_range}" > "${tmp_ver}" + + package_list=$(paste "${tmp_prod}" "${tmp_ver}" | sed \ + -e 's|\t|</name>\n\t<range><lt>|g' \ + -e 's|^| <package>\n\t<name>|g' \ + -e 's|$|</lt></range>\n </package>|g') + + rm "${tmp_prod}" "${tmp_ver}" 2>/dev/null +} + +# Try to retrieve information if a CVE identifier was provided +if [ -n "${CVE_ID}" ]; then + check_dependencies + init_providers + get_cve_info "${CVE_ID}" + create_packages_list +fi + +if [ -n "${SA_ID}" ]; then + get_sa_info fi awk '/^<\?/,/^<vuxml/ { print }' "${vuxml_file}" >> "${tmp}" || exit 1 
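Review bot: `init_providers` globs `files/*_provider.sh` relative to the current directory, so the script only works when run from security/vuxml (as the Makefile does) and sources nothing, without any message, from anywhere else; anchoring on the script's own location, `provider_dir=$(dirname "$0")` and `for provider in "${provider_dir}"/*_provider.sh`, removes that assumption. Sourcing whatever the glob matches also means any `*_provider.sh` placed in files/ is executed on the next `make newentry`, which deserves a comment next to the loop. In `create_packages_list`, `paste` pairs the product_name and product_range outputs line by line, so a provider that yields different line counts for the two (nvd prints `null` for a cpeMatch without versionEndExcluding) produces mismatched or `<lt>null</lt>` packages; and the `\n`/`\t` escapes in the sed replacements are GNU extensions whose behaviour with the base-system sed should be confirmed. `get_cve_info "${CVE_ID}"` passes an argument the function never reads.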
@@ -155,10 +240,7 @@ cat << EOF >> "${tmp}" || exit 1 <vuln vid="${vid}"> <topic>${package_name} -- ${topic}</topic> <affects> - <package> - <name>${package_name}</name> - <range><lt>${upstream_fix}</lt></range> - </package> +${package_list} </affects> <description> ${DESC_BODY} @@ -168,8 +250,8 @@ cat << EOF >> "${tmp}" || exit 1 <url>${cveurl}</url> </references> <dates> - <discovery>${discovery}</discovery> - <entry>${entry}</entry> + <discovery>${discovery_date}</discovery> + <entry>${entry_date}</entry> </dates> </vuln> diff --git a/security/vuxml/files/nvd_provider.sh b/security/vuxml/files/nvd_provider.sh new file mode 100644 index 000000000000..8a383a7d6752 --- /dev/null +++ b/security/vuxml/files/nvd_provider.sh 
@@ -0,0 +1,72 @@
+# Provider for the National Vulnerability Database
+# https://nvd.nist.gov/
+
+tmp_nvd=""
+
+init_nvd()
+{
+ tmp_nvd=$(mktemp "${TMPDIR:-/tmp}"/nvd_json_data.XXXXXXXXXX) || exit 1
+ fetch -q -o "${tmp_nvd}" https://services.nvd.nist.gov/rest/json/cves/2.0?cveId="${CVE_ID}" || exit 1
+}
+
+cleanup_nvd()
+{
+ rm "${tmp_nvd}" 2>/dev/null
+}
+
+get_cvename_from_nvd()
+{
+ cvename="${CVE_ID}"
+ echo "${cvename}"
+}
+
+get_cveurl_from_nvd() {
+ cveurl=https://nvd.nist.gov/vuln/detail/${CVE_ID}
+ echo "${cveurl}"
+}
+
+get_details_from_nvd() {
+ pref=".vulnerabilities[0]?.cve?"
+ jq -r "${pref}.descriptions[0]?.value|@html" "${tmp_nvd}" | fmt -p -s | sed '1!s/^/\t/'
+}
+
+get_discovery_date_from_nvd() {
+ pref=".vulnerabilities[0]?.cve?"
+ jq -r "${pref}.published|@html" "${tmp_nvd}" | cut -f1 -dT
+}
+
+get_entry_date_from_nvd() {
+ echo "${entry_date}"
+}
+
+get_product_name_from_nvd() {
+ jq -r '.vulnerabilities[]?.cve?.configurations[]?.nodes[]?.cpeMatch[]? |
+ (.criteria | split(":")[4])' "${tmp_nvd}"
+}
+
+get_product_range_from_nvd() {
+ jq -r '.vulnerabilities[]?.cve.configurations[]?.nodes[]?.cpeMatch[]?.versionEndExcluding ' "${tmp_nvd}"
+}
+
+get_package_name_from_nvd() {
+ jq -r '.vulnerabilities[]?.cve?.configurations[]?.nodes[]?.cpeMatch[0]?.criteria' "${tmp_nvd}" | cut -f5 -d:
+}
+
+get_references_from_nvd() {
+ pref=".vulnerabilities[0]?.cve?.references[0]?"
+ jq -r "${pref}.url|@html" "${tmp_nvd}" | tr " " "\n"
+}
+
+get_source_from_nvd()
+{
+ pref=".vulnerabilities[0]?.cve?.references[0]?"
+ jq -r "${pref}.source|@html" "${tmp_nvd}" | tr " " "\n"
+}
+
+get_topic_from_nvd() {
+ # NVD does not provide a nice summary. Let's use the first sentence from
+ # the details instead
+ pref=".vulnerabilities[0]?.cve?"
+ jq -r "${pref}.descriptions[0]?.value|@html" "${tmp_nvd}" | cut -f1 -d.
+}
+
diff --git a/security/vuxml/vuln/2015.xml b/security/vuxml/vuln/2015.xml
index 36997bebdfe4..3f343f329e9d 100644
--- a/security/vuxml/vuln/2015.xml
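Review bot: `get_product_range_from_nvd` prints one line per cpeMatch, and a cpeMatch without `versionEndExcluding` prints the literal `null`; resolve_field's whole-value `!= "null"` test only catches the case where every line is null, so with mixed output these lines reach newentry.sh and become `<lt>null</lt>` ranges. Filtering with `// empty` would drop them but misalign the list against product_name, so the cleaner fix is one jq pass that emits the pair per cpeMatch, e.g. `"\(.criteria | split(":")[4])\t\(.versionEndExcluding // "")"`, and lets the caller split the tab. `get_product_name_from_nvd` and `get_package_name_from_nvd` now both select the CPE product field (split index 4 and cut field 5 are the same element), which is consistent with each other; a one-line comment naming the CPE 2.3 field layout would spare the next reader re-deriving it. `init_nvd` aborts the whole script on a fetch failure whereas `init_mitre` does not, which defeats the provider fallback when NVD is temporarily unreachable.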
+++ b/security/vuxml/vuln/2015.xml @@ -17642,7 +17642,7 @@ </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>MIT krb5 Security Advisory 2015-001 reports:</p> <blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt"> <p>CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after gss_process_context_token() is used to process a valid context diff --git a/security/vuxml/vuln/2017.xml b/security/vuxml/vuln/2017.xml index 66964ad2a106..8fca5b4c468b 100644 --- a/security/vuxml/vuln/2017.xml +++ b/security/vuxml/vuln/2017.xml @@ -4548,7 +4548,7 @@ </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>Meta CPAN reports:</p> <blockquote cite="https://metacpan.org/changes/release/SHAY/perl-5.26.1#Security"> <p>CVE-2017-12814: $ENV{$key} stack buffer overflow on Windows</p> <p>A possible stack buffer overflow in the %ENV code on Windows has been diff --git a/security/vuxml/vuln/2018.xml b/security/vuxml/vuln/2018.xml index ccf9fab5631e..70d128471a3a 100644 --- a/security/vuxml/vuln/2018.xml +++ b/security/vuxml/vuln/2018.xml @@ -1314,7 +1314,7 @@ </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The PHPMailer Team reports:</p> <blockquote cite="https://github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6"> <p>CVE-2018-19296:Fix potential object injection vulnerability.</p> </blockquote> @@ -1889,7 +1889,7 @@ </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The GitLab Team reports:</p> <blockquote cite="https://about.gitlab.com/2018/11/01/critical-security-release-gitlab-11-dot-4-dot-4-released/"> <p>SSRF in Kubernetes integration</p> </blockquote> diff --git a/security/vuxml/vuln/2019.xml b/security/vuxml/vuln/2019.xml index bbb8785ae92e..9fdca5d18b3e 100644 --- a/security/vuxml/vuln/2019.xml +++ b/security/vuxml/vuln/2019.xml 
@@ -2532,7 +2532,7 @@ </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The GitLab Team reports:</p> <blockquote cite="https://about.gitlab.com/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/"> <p>XSS in Markdown Preview Using Mermaid</p> <p>Bypass Email Verification using Salesforce Authentication</p> @@ -3964,7 +3964,7 @@ directly evident from logs. </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>Frederic Cambus reports:</p> <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2019-13207"> <p>nsd-checkzone in NLnet Labs NSD 4.2.0 has a Stack-based Buffer Overflow in the dname_concatenate() function in dname.c.</p> @@ -4134,7 +4134,7 @@ or the current user.</p> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The Apache Team reports:</p> <blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.4"> <h1>SECURITY: CVE-2019-10081</h1> <p>mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", diff --git a/security/vuxml/vuln/2020.xml b/security/vuxml/vuln/2020.xml index 138f108b0578..77f8e44c0d2b 100644 --- a/security/vuxml/vuln/2020.xml +++ b/security/vuxml/vuln/2020.xml @@ -13152,7 +13152,7 @@ whitespace) </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The GitLab Team reports:</p> <blockquote cite="https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/"> <p>Group Maintainers Can Update/Delete Group Runners Using API</p> <p>GraphQL Queries Can Hang the Application</p> diff --git a/security/vuxml/vuln/2021.xml b/security/vuxml/vuln/2021.xml index 12c2d0bcdc77..4b6c9e9f7b0f 100644 --- a/security/vuxml/vuln/2021.xml +++ b/security/vuxml/vuln/2021.xml 
@@ -8873,7 +8873,7 @@ In limited circumstances it was possible for users to authenticate using variati </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>GitLab Team reports:</p> <blockquote cite="https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/"> <p>Remote code execution when uploading specially crafted image files</p> <p>Update Rexml</p> @@ -11170,7 +11170,7 @@ raptor_xml_writer_start_element_common.</p> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The oauth2-proxy Team reports:</p> <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-21291"> <p>In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to @@ -12044,7 +12044,7 @@ raptor_xml_writer_start_element_common.</p> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>NVD reports:</p> <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2020-15900"> <p>A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard @@ -12123,7 +12123,7 @@ raptor_xml_writer_start_element_common.</p> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The GitLab Team reports:</p> <blockquote cite="https://about.gitlab.com/releases/2021/01/14/critical-security-release-gitlab-13-7-4-released/"> <p>Ability to steal a user's API access token through GitLab Pages</p> </blockquote> diff --git a/security/vuxml/vuln/2022.xml b/security/vuxml/vuln/2022.xml index ed08974d84aa..2d1a028b23bf 100644 --- a/security/vuxml/vuln/2022.xml +++ b/security/vuxml/vuln/2022.xml 
@@ -1583,8 +1583,8 @@ </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> - <blockquote cite="INSERT URL HERE"> + <p>CVE.org reports:</p> + <blockquote cite="https://www.cve.org/CVERecord?id=CVE-2022-43995"> <p>Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This @@ -5040,7 +5040,7 @@ </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The Django Project reports:</p> <blockquote cite="https://www.djangoproject.com/weblog/2022/jul/04/security-releases/"> <p>CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments.</p> diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 9d6a9444af0b..0e917c8c007b 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1852,7 +1852,7 @@ Reported by Niccolo Belli and WIPocket (Github #400, #417). </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The OpenSSL team reports:</p> <blockquote cite="https://www.openssl.org/news/secadv/20231024.txt"> <p>Moderate severity: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to @@ -5516,7 +5516,7 @@ Reported by Niccolo Belli and WIPocket (Github #400, #417). <affects> <package> <name>krb5</name> - <range><lt>1.21.1_1</lt></range> + <range><gt>1.20</gt><lt>1.21.1_1</lt></range> </package> <package> <name>krb5-121</name> 
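Review bot: The new `<gt>1.20</gt>` lower bound on the krb5 package is the form the port's own `make newentry` text warns about (`<gt>` is usually wrong in ranges): it admits 1.20.1 and 1.20_N builds, so if the intent is "1.21 and later" the tag should be `<ge>1.21</ge>`. The same bound is added for krb5-devel in the following hunk. Whether 1.20.x builds are actually affected is not visible from the diff, so this is worth checking against the upstream advisory before settling on the tag.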
@@ -5524,12 +5524,12 @@ Reported by Niccolo Belli and WIPocket (Github #400, #417). </package> <package> <name>krb5-devel</name> - <range><lt>1.22.2023.08.07</lt></range> + <range><gt>1.20</gt><lt>1.22.2023.08.07</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The MIT krb5 Team reports:</p> <blockquote cite="https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840"> <p>When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 64f19bfb38aa..fbc958655802 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -5885,7 +5885,7 @@ All of these are related to the CometVisu add-on for openHAB - if you are a user </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The Vaultwarden Team reports:</p> <blockquote cite="https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0"> <p>This release has several CVE Reports fixed and we recommend everybody to update to the latest version as soon as possible.</p> @@ -13486,7 +13486,7 @@ All of these are related to the CometVisu add-on for openHAB - if you are a user </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The OpenSSL Team reports:</p> <blockquote cite="https://www.openssl.org/news/secadv/20240109.txt"> <p>The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index f6e442e66486..eaf80f882338 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml 
@@ -1,3 +1,3234 @@ + <vuln vid="93ff3ebe-bba8-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>142.0.7444.134</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>142.0.7444.134</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html"> + <p>This update includes 5 security fixes:</p> + <ul> + <li>[443906252] High CVE-2025-12725: Out of bounds write in WebGPU. Reported by Anonymous on 2025-09-09</li> + <li>[447172715] High CVE-2025-12726: Inappropriate implementation in Views. Reported by Alesandro Ortiz on 2025-09-25</li> + <li>[454485895] High CVE-2025-12727: Inappropriate implementation in V8. Reported by 303f06e3 on 2025-10-23</li> + <li>[452392032] Medium CVE-2025-12728: Inappropriate implementation in Omnibox. Reported by Hafiizh on 2025-10-16</li> + <li>[454354281] Medium CVE-2025-12729: Inappropriate implementation in Omnibox. 
Reported by Khalil Zhani on 2025-10-23</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12725</cvename> + <cvename>CVE-2025-12726</cvename> + <cvename>CVE-2025-12727</cvename> + <cvename>CVE-2025-12728</cvename> + <cvename>CVE-2025-12729</cvename> + <url>https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html</url> + </references> + <dates> + <discovery>2025-11-05</discovery> + <entry>2025-11-07</entry> + </dates> + </vuln> + + <vuln vid="77bac392-ba98-11f0-aada-f59a8ea34d12"> + <topic>OpenJPH < 0.24.5 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>openjph</name> + <range><lt>0.24.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Aous Naman reports several vulnerabilities fixed in OpenJPH versions + up to 0.24.5 and credits Cary Phillips for reporting them from the + OSS-fuzz project.</p> + <blockquote cite="https://github.com/aous72/OpenJPH/releases"> + <p>[0.24.5] Addresses OpenEXR OSS-fuzz issue 5747129672073216 that can cause heap corruption.</p> + <p>[0.24.4...] we now check that the ATK marker segment length (Latk) makes sense. + The issue was identified in OpenEXR fuzzing.</p> + <p>[0.24.3] This is an important bug fix. It protects against illegally long QCD and QCC marker segments. 
It was discovered during OpenEXR fussing; thanx to [Cary Phillips].</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/aous72/OpenJPH/releases</url> + </references> + <dates> + <discovery>2025-10-29</discovery> + <entry>2025-11-05</entry> + </dates> + </vuln> + + <vuln vid="c71a3914-ba96-11f0-aada-f59a8ea34d12"> + <topic>OpenEXR < 3.4.3 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>openexr</name> + <range><lt>3.4.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Cary Phillips reports:</p> + <blockquote cite="https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.3"> + <p> + Patch release that addresses several bugs, primarily involving + properly rejecting corrupt input data. + </p> + </blockquote> + <p> + He goes on to report various relevant items including heap buffer + overflows, use-after-free, use of uninitialized memory and other bugs, + several of them found by OSS-fuzz, and some also found in OpenJPH. + </p> + </body> + </description> + <references> + <url>https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.3</url> + </references> + <dates> + <discovery>2025-10-29</discovery> + <entry>2025-11-05</entry> + </dates> + </vuln> + + <vuln vid="970159e6-ba60-11f0-8447-b42e991fc52e"> + <topic>MongoDB -- Improper Check for Unusual or Exceptional Conditions</topic> + <affects> + <package> + <name>mongodb70</name> + <range><lt>7.0.22</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://jira.mongodb.org/browse/SERVER-101230 reports:</p> + <blockquote cite="https://jira.mongodb.org/browse/SERVER-101230"> + <p>The KMIP response parser built into mongo binaries is + overly tolerant of certain malformed packets, and may parse + them into invalid objects. 
Later reads of this object can + result in read access violations.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12657</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-12657</url> + </references> + <dates> + <discovery>2025-11-03</discovery> + <entry>2025-11-05</entry> + </dates> + </vuln> + + <vuln vid="e99a32c8-b8e2-11f0-8510-b42e991fc52e"> + <topic>Xorg -- multiple vulnerabilities</topic> + <affects> + <package> + <name>xorg-server</name> + <range><lt>21.1.19,1</lt></range> + </package> + <package> + <name>xwayland</name> + <range><lt>24.1.9,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://access.redhat.com/errata/RHSA-2025:19432 reports:</p> + <blockquote cite="https://access.redhat.com/errata/RHSA-2025:19432"> + <p>CVE-2025-62229: A flaw was found in the X.Org X server + and Xwayland when processing X11 Present extension + notifications. Improper error handling during notification + creation can leave dangling pointers that lead to a + use-after-free condition. This can cause memory corruption + or a crash, potentially allowing an attacker to execute + arbitrary code or cause a denial of service.</p> + <p>CVE-2025-62230: A flaw was discovered in the X.Org X + servers X Keyboard (Xkb) extension when handling client + resource cleanup. The software frees certain data + structures without properly detaching related resources, + leading to a use-after-free condition. This can cause + memory corruption or a crash when affected clients + disconnect.</p> + <p>CVE-2025-62231: A flaw was identified in the X.Org X + servers X Keyboard (Xkb) extension where improper bounds + checking in the XkbSetCompatMap() function can cause an + unsigned short overflow. 
If an attacker sends specially + crafted input data, the value calculation may overflow, + leading to memory corruption or a crash.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62229</cvename> + <cvename>CVE-2025-62230</cvename> + <cvename>CVE-2025-62231</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-62229</url> + </references> + <dates> + <discovery>2025-10-30</discovery> + <entry>2025-11-03</entry> + </dates> + </vuln> + + <vuln vid="5523394e-b889-11f0-9446-f02f7497ecda"> + <topic>redis -- Bug in XACKDEL may lead to stack overflow and potential RCE</topic> + <affects> + <package> + <name>redis</name> + <range><ge>8.2.0</ge><lt>8.2.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google Big Sleep reports:</p> + <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-jhjx-x4cf-4vm8"> + <p>A user can run the XACKDEL command with multiple ID's and + trigger a stack buffer overflow, which may potentially lead to + remote code execution. + The problem exists in Redis 8.2 or newer. + The code doesn't handle the case where the number of ID's exceeds + the STREAMID_STATIC_VECTOR_LEN, and skips a reallocation, which + leads to a stack buffer overflow. + An additional workaround to mitigate the problem without patching + the redis-server executable is to prevent users from executing + XACKDEL operation. This can be done using ACL to restrict XACKDEL + command. 
+ </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62507</cvename> + <url></url> + </references> + <dates> + <discovery>2025-11-03</discovery> + <entry>2025-11-03</entry> + </dates> + </vuln> + + <vuln vid="1ba0b62b-b80a-11f0-8016-b42e991fc52e"> + <topic>Mozilla -- Denial-of-service due to out-of-memory</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>142.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.2.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>142.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1975837 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1975837"> + <p>Denial-of-service due to out-of-memory in the Graphics: + WebRender component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-9182</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-9182</url> + </references> + <dates> + <discovery>2025-08-19</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="0723a60e-b80a-11f0-8016-b42e991fc52e"> + <topic>Mozilla -- Same-origin policy bypass in the Graphics: Canvas2D component</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>142.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.2.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>142.0.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>140.2.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1979782 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1979782"> + <p>Same-origin policy bypass in the Graphics: Canvas2D + component.</p> + </blockquote> + 
</body> + </description> + <references> + <cvename>CVE-2025-9180</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-9180</url> + </references> + <dates> + <discovery>2025-08-19</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="f752879f-b809-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Sandbox escape due to integer overflow</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.3,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1987246 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1987246"> + <p>Sandbox escape due to integer overflow in the Graphics: + Canvas2D component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11152</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-11152</url> + </references> + <dates> + <discovery>2025-09-30</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="ea017037-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Information disclosure in the Networking: Cache component</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1981502 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1981502"> + <p>Information disclosure in the Networking: Cache + component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10536</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10536</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + 
</vuln>
+
+ <vuln vid="d09efc3b-b808-11f0-8016-b42e991fc52e">
+ <topic>Firefox -- Spoofing issue in the Site Permissions component</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>143.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1665334 reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1665334">
+ <p>Spoofing issue in the Site Permissions component.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10534</cvename>
+ <url>https://cveawg.mitre.org/api/cve/CVE-2025-10534</url>
+ </references>
+ <dates>
+ <discovery>2025-09-16</discovery>
+ <entry>2025-11-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c80baae7-b808-11f0-8016-b42e991fc52e">
+ <topic>Firefox -- Integer overflow in the SVG component</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.3.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>143.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1980788 reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1980788">
+ <p>Integer overflow in the SVG component.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10533</cvename>
+ <url>https://cveawg.mitre.org/api/cve/CVE-2025-10533</url>
+ </references>
+ <dates>
+ <discovery>2025-09-16</discovery>
+ <entry>2025-11-02</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="af9c5b99-b808-11f0-8016-b42e991fc52e">
+ <topic>Firefox -- Incorrect boundary conditions</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0.0,2</lt></range>
+ </package>
+ 
<package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1979502 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1979502"> + <p>Incorrect boundary conditions in the JavaScript: GC + component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10532</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10532</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="a4bebda9-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Mitigation bypass</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1978453 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1978453"> + <p>Mitigation bypass in the Web Compatibility: Tooling + component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10531</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10531</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="944d968c-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Same-origin policy bypass</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + <package> + <name>thunderbird</name> + 
<range><lt>140.3.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1970490 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1970490"> + <p>Same-origin policy bypass in the Layout component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10529</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10529</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="8b5f4eb3-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Sandbox escape due to undefined behavior</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + <package> + <name>thunderbird</name> + <range><lt>140.3.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1986185 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1986185"> + <p>Sandbox escape due to undefined behavior, invalid pointer + in the Graphics: Canvas2D component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10528</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10528</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="82595339-b808-11f0-8016-b42e991fc52e"> + <topic>Firefox -- Sandbox escape due to use-after-free</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>143.0.0,2</lt></range> + </package> + <package> + <name>firefox-esr</name> + <range><lt>140.3.0</lt></range> + </package> + <package> + 
<name>thunderbird</name> + <range><lt>143.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1984825 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1984825"> + <p>Sandbox escape due to use-after-free in the Graphics: + Canvas2D component.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10527</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-10527</url> + </references> + <dates> + <discovery>2025-09-16</discovery> + <entry>2025-11-02</entry> + </dates> + </vuln> + + <vuln vid="77a0f93a-b71e-11f0-8d86-d7789240c8c2"> + <topic>python 3.9 -- end of life, not receiving security support</topic> + <affects> + <package> + <name>python39</name> + <range><ge>3</ge></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="https://devguide.python.org/versions/"> + <p>Unsupported versions: [...] End of life: 2025-10-31.</p> + </blockquote> + </body> + </description> + <references> + <url>https://devguide.python.org/versions/</url> + </references> + <dates> + <discovery>2020-10-05</discovery> + <entry>2025-11-01</entry> + </dates> + </vuln> + + <vuln vid="c4fb21e4-b579-11f0-871c-6805ca2fa271"> + <topic>powerdns-recursor -- cache pollution</topic> + <affects> + <package> + <name>powerdns_recursor</name> + <range><lt>5.3.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>PowerDNS Team reports:</p> + <blockquote cite="https://blog.powerdns.com/powerdns-security-advisory-2025-06-2025-10-22"> + <p>It has been brought to our attention that the Recursor does not + apply strict enough validation of received delegation information. 
+ The malicious delegation information can be sent by an attacker + spoofing packets.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-59023</cvename> + <cvename>CVE-2025-59024</cvename> + <url>https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html</url> + </references> + <dates> + <discovery>2025-10-15</discovery> + <entry>2025-10-30</entry> + </dates> + </vuln> + + <vuln vid="7c09fcb7-b5d6-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>142.0.7444.59</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>142.0.7444.59</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html"> + <p>This update includes 20 security fixes:</p> + <ul> + <li>[447613211] High CVE-2025-12428: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2025-09-26</li> + <li>[450618029] High CVE-2025-12429: Inappropriate implementation in V8. Reported by Aorui Zhang on 2025-10-10</li> + <li>[442860743] High CVE-2025-12430: Object lifecycle issue in Media. Reported by round.about on 2025-09-04</li> + <li>[436887350] High CVE-2025-12431: Inappropriate implementation in Extensions. Reported by Alesandro Ortiz on 2025-08-06</li> + <li>[439522866] High CVE-2025-12432: Race in V8. Reported by Google Big Sleep on 2025-08-18</li> + <li>[449760249] High CVE-2025-12433: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-07</li> + <li>[452296415] High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15</li> + <li>[337356054] Medium CVE-2025-12434: Race in Storage. 
Reported by Lijo A.T on 2024-04-27</li>
+ <li>[446463993] Medium CVE-2025-12435: Incorrect security UI in Omnibox. Reported by Hafiizh on 2025-09-21</li>
+ <li>[40054742] Medium CVE-2025-12436: Policy bypass in Extensions. Reported by Luan Herrera (@lbherrera_) on 2021-02-08</li>
+ <li>[446294487] Medium CVE-2025-12437: Use after free in PageInfo. Reported by Umar Farooq on 2025-09-20</li>
+ <li>[433027577] Medium CVE-2025-12438: Use after free in Ozone. Reported by Wei Yuan of MoyunSec VLab on 2025-07-20</li>
+ <li>[382234536] Medium CVE-2025-12439: Inappropriate implementation in App-Bound Encryption. Reported by Ari Novick on 2024-12-04</li>
+ <li>[430555440] Low CVE-2025-12440: Inappropriate implementation in Autofill. Reported by Khalil Zhani on 2025-07-09</li>
+ <li>[444049512] Medium CVE-2025-12441: Out of bounds read in V8. Reported by Google Big Sleep on 2025-09-10</li>
+ <li>[452071845] Medium CVE-2025-12443: Out of bounds read in WebXR. Reported by Aisle Research on 2025-10-15</li>
+ <li>[390571618] Low CVE-2025-12444: Incorrect security UI in Fullscreen UI. Reported by syrf on 2025-01-18</li>
+ <li>[428397712] Low CVE-2025-12445: Policy bypass in Extensions. Reported by Thomas Greiner on 2025-06-29</li>
+ <li>[444932667] Low CVE-2025-12446: Incorrect security UI in SplitView. Reported by Hafiizh on 2025-09-14</li>
+ <li>[442636157] Low CVE-2025-12447: Incorrect security UI in Omnibox. 
Reported by Khalil Zhani on 2025-09-03</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12036</cvename> + <cvename>CVE-2025-12428</cvename> + <cvename>CVE-2025-12429</cvename> + <cvename>CVE-2025-12430</cvename> + <cvename>CVE-2025-12431</cvename> + <cvename>CVE-2025-12432</cvename> + <cvename>CVE-2025-12433</cvename> + <cvename>CVE-2025-12434</cvename> + <cvename>CVE-2025-12435</cvename> + <cvename>CVE-2025-12436</cvename> + <cvename>CVE-2025-12437</cvename> + <cvename>CVE-2025-12438</cvename> + <cvename>CVE-2025-12439</cvename> + <cvename>CVE-2025-12440</cvename> + <cvename>CVE-2025-12441</cvename> + <cvename>CVE-2025-12443</cvename> + <cvename>CVE-2025-12444</cvename> + <cvename>CVE-2025-12445</cvename> + <cvename>CVE-2025-12446</cvename> + <cvename>CVE-2025-12447</cvename> + <url>https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html</url> + </references> + <dates> + <discovery>2025-10-29</discovery> + <entry>2025-10-30</entry> + </dates> + </vuln> + + <vuln vid="291773e6-b5b2-11f0-8f61-b42e991fc52e"> + <topic>Firefox -- use-after-free in the GPU or browser process</topic> + <affects> + <package> + <name>firefox</name> + <range><lt>144.0.2,2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://bugzilla.mozilla.org/show_bug.cgi?id=1993113 reports:</p> + <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1993113"> + <p>Starting with Firefox 142, it was possible for a + compromised child process to trigger a use-after-free in the + GPU or browser process using WebGPU-related IPC calls. 
+ This may have been usable to escape the child process + sandbox.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12380</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-12380</url> + </references> + <dates> + <discovery>2025-10-28</discovery> + <entry>2025-10-30</entry> + </dates> + </vuln> + + <vuln vid="237f4f57-b50f-11f0-ae9b-b42e991fc52e"> + <topic>Erlang - Absolute Path in Zip Module</topic> + <affects> + <package> + <name>erlang</name> + <range><ge>17.0</ge><lt>26.2.5.13,4</lt></range> + </package> + <package> + <name>erlang-runtime26</name> + <range><lt>26.2.5.13</lt></range> + </package> + <package> + <name>erlang-runtime27</name> + <range><lt>27.3.4.1</lt></range> + </package> + <package> + <name>erlang-runtime28</name> + <range><lt>28.0.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc reports:</p> + <blockquote cite="https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc"> + <p>Improper Limitation of a Pathname to a Restricted + Directory ('Path Traversal') vulnerability in Erlang OTP + (stdlib modules) allows Absolute Path Traversal, File Manipulation. + This vulnerability is associated with program files lib/stdlib/src/zip.erl + and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, + zip:extract/2unless the memory option is passed. 
This issue + affects OTP from OTP 17.0 until OTP28.0.1, OTP27.3.4.1 and + OTP26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, + 6.2.2.1 and 5.2.3.4.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-4748</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-4748</url> + </references> + <dates> + <discovery>2025-06-16</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="55c4e822-b4e4-11f0-8438-001b217e4ee5"> + <topic>ISC KEA -- Invalid characters cause assert</topic> + <affects> + <package> + <name>kea</name> + <range><ge>3.0.1</ge><lt>3.0.2</lt></range> + </package> + <package> + <name>kea-devel</name> + <range><ge>3.1.1</ge><lt>3.1.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Internet Systems Consortium, Inc. reports:</p> + <blockquote cite="https://kb.isc.org/docs/cve-2025-11232"> + <p>To trigger the issue, three configuration parameters + must have specific settings: "hostname-char-set" must be + left at the default setting, which is "[^A-Za-z0-9.-]"; + "hostname-char-replacement" must be empty (the default); + and "ddns-qualifying-suffix" must NOT be empty (the default is empty). + DDNS updates do not need to be enabled for this issue to manifest. + A client that sends certain option content would then + cause kea-dhcp4 to exit unexpectedly. 
+ This addresses CVE-2025-11232 [#4142, #4155].</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11232</cvename> + <url>https://kb.isc.org/docs/cve-2025-11232</url> + </references> + <dates> + <discovery>2025-10-29</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="c5889223-b4e1-11f0-ae9b-b42e991fc52e"> + <topic>SQLite -- CWE-190 Integer Overflow or Wraparound</topic> + <affects> + <package> + <name>sqlite3</name> + <range><lt>3.50.3,1</lt></range> + </package> + <package> + <name>linux_base-rl9-9.6</name> + <range><le>9.6_1</le></range> + </package> + <package> + <name>linux-c7-sqlite</name> + <range><lt>3.50.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g reports:</p> + <blockquote cite="https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g"> + <p>An integer overflow exists in the FTS5 https://sqlite.org/fts5.html + extension. It occurs when the size of an array of tombstone + pointers is calculated and truncated into a 32-bit integer. 
+ A pointer to partially controlled data can then be written + out of bounds.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-7709</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-7709</url> + </references> + <dates> + <discovery>2025-09-08</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="3116b6f3-b433-11f0-82ac-901b0edee044"> + <topic>py-social-auth-app-django -- Unsafe account association</topic> + <affects> + <package> + <name>py39-social-auth-app-django</name> + <name>py310-social-auth-app-django</name> + <name>py311-social-auth-app-django</name> + <name>py312-social-auth-app-django</name> + <range><lt>5.4.3_1</lt></range> + </package> + <package> + <name>py310-dj51-social-auth-app-django</name> + <name>py311-dj51-social-auth-app-django</name> + <name>py312-dj51-social-auth-app-django</name> + <range><lt>5.6.0</lt></range> + </package> + <package> + <name>py310-dj52-social-auth-app-django</name> + <name>py311-dj52-social-auth-app-django</name> + <name>py312-dj52-social-auth-app-django</name> + <range><lt>5.6.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Michal Čihař reports:</p> + <blockquote cite="https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg"> + <p>Upon authentication, the user could be associated by e-mail even if the + associate_by_email pipeline was not included. 
This could lead to account + compromise when a third-party authentication service does not validate + provided e-mail addresses or doesn't require unique e-mail addresses.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-61783</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-61783</url> + </references> + <dates> + <discovery>2025-10-09</discovery> + <entry>2025-10-29</entry> + </dates> + </vuln> + + <vuln vid="2cd61f76-b41b-11f0-bf21-b42e991fc52e"> + <topic>SQLite -- Integer Overflow vulnerability</topic> + <affects> + <package> + <name>sqlite3</name> + <range><lt>3.50.1,1</lt></range> + </package> + <package> + <name>linux_base-rl9-9.6</name> + <range><le>9.6_1</le></range> + </package> + <package> + <name>linux-c7-sqlite</name> + <range><lt>3.50.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>http://sqlite3.com reports:</p> + <blockquote cite="http://sqlite3.com"> + <p>Integer Overflow vulnerability in SQLite SQLite3 v.3.50.0 + allows a remote attacker to cause a denial of service via + the setupLookaside function</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-52099</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-52099</url> + </references> + <dates> + <discovery>2025-10-24</discovery> + <entry>2025-10-28</entry> + </dates> + </vuln> + + <vuln vid="a8dacd4b-b416-11f0-9f23-ecf4bbefc954"> + <topic>privatebin - Missing HTML sanitisation of attached filename in file size hint enabling persistent XSS</topic> + <affects> + <package> + <name>privatebin</name> + <range><lt>2.0.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>PrivateBin reports:</p> + <blockquote cite="https://privatebin.info/reports/vulnerability-2025-10-28.html"> + <p>We've identified an HTML injection/XSS vulnerability in the PrivateBin + service that allows the injection of arbitrary HTML markup 
via the attached + filename.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62796</cvename> + <url>https://www.cve.org/CVERecord?id=CVE-2025-62796</url> + </references> + <dates> + <discovery>2025-10-23</discovery> + <entry>2025-10-28</entry> + </dates> + </vuln> + + <vuln vid="1f1cf967-b35c-11f0-bce7-bc2411002f50"> + <topic>strongSwan -- Heap-based buffer overflow in eap-mschapv2 plugin due to improper handling of failure request packets</topic> + <affects> + <package> + <name>strongswan</name> + <range><ge>4.2.12</ge><lt>6.0.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Xu Biang reports:</p> + <blockquote cite="https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-(cve-2025-62291).html"> + <p>The eap-mschapv2 plugin doesn't correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client, + which can cause an integer underflow that leads to a crash and, depending on the compiler options, even a heap-based + buffer overflow that's potentially exploitable for remote code execution. 
Affected are all strongSwan versions since 4.2.12.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-62291</cvename> + <url>https://www.cve.org/CVERecord?id=CVE-2025-62291</url> + </references> + <dates> + <discovery>2025-10-27</discovery> + <entry>2025-10-27</entry> + </dates> + </vuln> + + <vuln vid="823b4e48-b340-11f0-b3f7-a8a1599412c6"> + <topic>chromium -- security fix</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>141.0.7390.122</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>141.0.7390.122</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_21.html"> + <p>This update includes 1 security fix:</p> + <ul> + <li>[452296415] High CVE-2025-12036: Inappropriate implementation in V8. Reported by Google Big Sleep on 2025-10-15</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-12036</cvename> + <url>https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_21.html</url> + </references> + <dates> + <discovery>2025-10-21</discovery> + <entry>2025-10-27</entry> + </dates> + </vuln> + + <vuln vid="ea1c485f-b025-11f0-bce7-bc2411002f50"> + <topic>unbound -- Possible domain hijacking via promiscuous records in the authority section</topic> + <affects> + <package> + <name>unbound</name> + <range><lt>1.24.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>sep@nlnetlabs.nl reports:</p> + <blockquote cite="https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt"> + <p>NLnet Labs Unbound up to and including version 1.24.0 is vulnerable + to possible domain hijack attacks. 
Promiscuous NS RRSets that + complement positive DNS replies in the authority section can be + used to trick resolvers to update their delegation information for + the zone. Usually these RRSets are used to update the resolver's + knowledge of the zone's name servers. A malicious actor can + exploit the possible poisonous effect by injecting NS RRSets (and + possibly their respective address records) in a reply. This could + be done for example by trying to spoof a packet or fragmentation + attacks. Unbound would then proceed to update the NS RRSet data + it already has since the new data has enough trust for it, i.e., + in-zone data for the delegation point. Unbound 1.24.1 includes a + fix that scrubs unsolicited NS RRSets (and their respective address + records) from replies mitigating the possible poison effect.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11411</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11411</url> + </references> + <dates> + <discovery>2025-10-22</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="269c2de7-afaa-11f0-b4c8-792b26d8a051"> + <topic>RT -- XSS via calendar invitations</topic> + <affects> + <package> + <name>rt60</name> + <name>rt50</name> + <range><ge>6.0.0</ge><lt>6.0.2</lt></range> + <range><ge>5.0.4</ge><lt>5.0.9</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Mateusz Szymaniec and CERT Polska Reports:</p> + <blockquote cite="https://github.com/bestpractical/rt/releases/tag/rt-6.0.2"> + <p>RT is vulnerable to XSS via calendar invitations added to a + ticket. 
Thanks to Mateusz Szymaniec and CERT Polska for + reporting this finding.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-9158</cvename> + <url>https://github.com/bestpractical/rt/releases/tag/rt-6.0.2</url> + </references> + <dates> + <discovery>2025-10-23</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="b374df95-afa8-11f0-b4c8-792b26d8a051"> + <topic>RT -- CSV injection</topic> + <affects> + <package> + <name>rt60</name> + <name>rt50</name> + <name>rt44</name> + <range><ge>6.0.0</ge><lt>6.0.2</lt></range> + <range><ge>5.0.0</ge><lt>5.0.9</lt></range> + <range><ge>4.4.0</ge><lt>4.4.9</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gareth Watkin-Jones from 4armed reports:</p> + <blockquote cite="https://github.com/bestpractical/rt/releases/tag/rt-6.0.2"> + <p>RT is vulnerable to CSV injection via ticket values with + special characters that are exported to a TSV from search + results. Thanks to Gareth Watkin-Jones from 4armed for + reporting this finding.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-61873</cvename> + <url>https://github.com/bestpractical/rt/releases/tag/rt-6.0.2</url> + </references> + <dates> + <discovery>2025-10-23</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="114cc98b-afad-11f0-af12-bc241121aa0a"> + <topic>FreeBSD -- SO_REUSEPORT_LB breaks connect(2) for UDP sockets</topic> + <affects> + <package> + <name>FreeBSD-kernel</name> + <range><ge>14.3</ge><lt>14.3_5</lt></range> + <range><ge>13.5</ge><lt>13.5_6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>Connected sockets are not intended to belong to load-balancing + groups. However, the kernel failed to check the connection state + of sockets when adding them to load-balancing groups. 
Furthermore, + when looking up the destination socket for an incoming packet, the + kernel will match a socket belonging to a load-balancing group even + if it is connected.</p> + <p>Connected sockets are only supposed to receive packets originating + from the connected host. The above behavior violates this contract.</p> + <h1>Impact:</h1> + <p>Software which sets SO_REUSEPORT_LB on a socket and then connects + it to a host will not observe any problems. However, due to its + membership in a load-balancing group, that socket will receive + packets originating from any host. This breaks the contract of the + connect(2) and implied connect via sendto(2), and may leave the + application vulnerable to spoofing attacks.</p> + </body> + </description> + <references> + <cvename>CVE-2025-24934</cvename> + <freebsdsa>SA-25:09.netinet</freebsdsa> + </references> + <dates> + <discovery>2025-10-22</discovery> + <entry>2025-10-23</entry> + </dates> + </vuln> + + <vuln vid="f741ea93-af61-11f0-98b5-2cf05da270f3"> + <topic>Gitlab -- vulnerabilities</topic> + <affects> + <package> + <name>gitlab-ce</name> + <name>gitlab-ee</name> + <range><ge>18.5.0</ge><lt>18.5.1</lt></range> + <range><ge>18.4.0</ge><lt>18.4.3</lt></range> + <range><ge>10.6.0</ge><lt>18.3.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gitlab reports:</p> + <blockquote cite="https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/"> + <p>Improper access control issue in runner API impacts GitLab EE</p> + <p>Denial of service issue in event collection impacts GitLab CE/EE</p> + <p>Denial of service issue in JSON validation impacts GitLab CE/EE</p> + <p>Denial of service issue in upload impacts GitLab CE/EE</p> + <p>Incorrect Authorization issue in pipeline builds impacts GitLab CE</p> + <p>Business logic error issue in group memberships impacts GitLab EE</p> + <p>Missing authorization issue in quick actions impacts GitLab EE</p> 
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11702</cvename>
+ <cvename>CVE-2025-10497</cvename>
+ <cvename>CVE-2025-11447</cvename>
+ <cvename>CVE-2025-11974</cvename>
+ <cvename>CVE-2025-11971</cvename>
+ <cvename>CVE-2025-6601</cvename>
+ <cvename>CVE-2025-11989</cvename>
+ <url>https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/</url>
+ </references>
+ <dates>
+ <discovery>2025-10-22</discovery>
+ <entry>2025-10-22</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="88f34edb-ae9b-11f0-b3f7-a8a1599412c6">
+ <topic>chromium -- multiple security fixes</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>141.0.7390.107</lt></range>
+ </package>
+ <package>
+ <name>ungoogled-chromium</name>
+ <range><lt>141.0.7390.107</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_14.html">
+ <p>This update includes 1 security fix:</p>
+ <ul>
+ <li>[447192722] High CVE-2025-11756: Use after free in Safe Browsing.
Reported by asnine on 2025-09-25</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11756</cvename>
+ <url>https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_14.html</url>
+ </references>
+ <dates>
+ <discovery>2025-10-14</discovery>
+ <entry>2025-10-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="60ddafd2-ae9e-11f0-b3f7-a8a1599412c6">
+ <topic>chromium -- multiple security fixes</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>141.0.7390.65</lt></range>
+ </package>
+ <package>
+ <name>ungoogled-chromium</name>
+ <range><lt>141.0.7390.65</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop.html">
+ <p>This update includes 3 security fixes:</p>
+ <ul>
+ <li>[443196747] High CVE-2025-11458: Heap buffer overflow in Sync. Reported by raven at KunLun lab on 2025-09-05</li>
+ <li>[446722008] High CVE-2025-11460: Use after free in Storage. Reported by Sombra on 2025-09-23</li>
+ <li>[441917796] Medium CVE-2025-11211: Out of bounds read in WebCodecs.
Reported by Jakob Košir on 2025-08-29</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11458</cvename>
+ <cvename>CVE-2025-11460</cvename>
+ <cvename>CVE-2025-11211</cvename>
+ <url>https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2025-10-07</discovery>
+ <entry>2025-10-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="cdf2abf7-ae83-11f0-b5fb-b42e991fc52e">
+ <topic>Mongodb -- Use-after-free in the MongoDB</topic>
+ <affects>
+ <package>
+ <name>mongodb70</name>
+ <range><lt>7.0.25</lt></range>
+ </package>
+ <package>
+ <name>mongodb80</name>
+ <range><lt>8.0.15</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>cna@mongodb.com reports:</p>
+ <blockquote cite="https://jira.mongodb.org/browse/SERVER-105873">
+ <p>An authorized user may crash the MongoDB server by
+ causing buffer over-read. This can be done by issuing a DDL
+ operation while queries are being issued, under some
+ conditions.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11979</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11979</url>
+ </references>
+ <dates>
+ <discovery>2025-10-20</discovery>
+ <entry>2025-10-21</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4553e4b3-addf-11f0-9b8d-40a6b7c3b3b8">
+ <topic>Hidden/Protected custom variables are prone to filter enumeration</topic>
+ <affects>
+ <package>
+ <name>icingaweb2-module-icingadb-php81</name>
+ <range><lt>1.1.4</lt></range>
+ <range><ge>1.2</ge><lt>1.2.3,1</lt></range>
+ </package>
+ <package>
+ <name>icingaweb2-module-icingadb-php82</name>
+ <range><lt>1.1.4</lt></range>
+ <range><ge>1.2</ge><lt>1.2.3,1</lt></range>
+ </package>
+ <package>
+ <name>icingaweb2-module-icingadb-php83</name>
+ <range><lt>1.1.4</lt></range>
+ <range><ge>1.2</ge><lt>1.2.3,1</lt></range>
+ </package>
+ <package>
+
<name>icingaweb2-module-icingadb-php84</name>
+ <range><lt>1.1.4</lt></range>
+ <range><ge>1.2</ge><lt>1.2.3,1</lt></range>
+ </package>
+ <package>
+ <name>icingaweb2-module-icingadb-php85</name>
+ <range><lt>1.1.4</lt></range>
+ <range><ge>1.2</ge><lt>1.2.3,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Icinga reports:</p>
+ <blockquote cite="https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429">
+ <p>An authorized user with access to Icinga DB Web, can use
+ a custom variable in a filter that is either protected by
+ icingadb/protect/variables or hidden by icingadb/denylist/variables,
+ to guess values assigned to it.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-61789</cvename>
+ <url>https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429</url>
+ </references>
+ <dates>
+ <discovery>2025-10-16</discovery>
+ <entry>2025-10-20</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4355ce42-ad06-11f0-b2aa-b42e991fc52e">
+ <topic>Mozilla -- XSS in sites without content-type header</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>144.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.4.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>144.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1979536">
+ <p>A malicious page could have used the type attribute of an OBJECT
+ tag to override the default browser behavior when encountering a
+ web resource served without a content-type.
This could have
+ contributed to an XSS on a site that unsafely serves files without
+ a content-type header.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11712</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11712</url>
+ </references>
+ <dates>
+ <discovery>2025-10-14</discovery>
+ <entry>2025-10-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="fff839db-ad04-11f0-b2aa-b42e991fc52e">
+ <topic>Mozilla -- JavaScript Object property overriding</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>144.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.4.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>144.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1989978">
+ <p>There was a way to change the value of JavaScript Object
+ properties that were supposed to be non-writeable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11711</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11711</url>
+ </references>
+ <dates>
+ <discovery>2025-10-14</discovery>
+ <entry>2025-10-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f7047dfc-ad02-11f0-b2aa-b42e991fc52e">
+ <topic>Mozilla -- Memory disclosure</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>144.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.4.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>144.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1989899">
+ <p>A compromised web process using malicious IPC messages
+ could have caused the privileged
browser process to reveal
+ blocks of its memory to the compromised process.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11710</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11710</url>
+ </references>
+ <dates>
+ <discovery>2025-10-14</discovery>
+ <entry>2025-10-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="b760c618-ad02-11f0-b2aa-b42e991fc52e">
+ <topic>Mozilla -- Out-of-bounds reads and writes</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>144.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.4.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>144.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1989127">
+ <p>A compromised web process was able to trigger out of
+ bounds reads and writes in a more privileged process using
+ manipulated WebGL textures.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11709</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11709</url>
+ </references>
+ <dates>
+ <discovery>2025-10-14</discovery>
+ <entry>2025-10-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="85c17eb8-ad02-11f0-b2aa-b42e991fc52e">
+ <topic>Mozilla -- Use-after-free</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>144.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.4.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>144.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1988931">
+ <p>Use-after-free in MediaTrackGraphImpl::GetInstance()</p>
+ </blockquote>
+ </body>
+ </description>
+
<references>
+ <cvename>CVE-2025-11708</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11708</url>
+ </references>
+ <dates>
+ <discovery>2025-10-14</discovery>
+ <entry>2025-10-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="247bc43f-ad02-11f0-b2aa-b42e991fc52e">
+ <topic>Mozilla -- Memory safety bugs</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>144.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.4</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>144.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1973699%2C1989945%2C1990970%2C1991040%2C1992113">
+ <p>Memory safety bugs. Some of these bugs showed evidence of
+ memory corruption and we presume that with enough effort
+ some of these could have been exploited to run arbitrary
+ code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11714</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11714</url>
+ </references>
+ <dates>
+ <discovery>2025-10-14</discovery>
+ <entry>2025-10-19</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="20840621-ab82-11f0-b961-b42e991fc52e">
+ <topic>Mozilla -- Memory safety bugs</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>144.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.4.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>140.4.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1983838%2C1987624%2C1988244%2C1988912%2C1989734%2C1990085%2C1991899">
+ <p>Memory safety bugs.
Some of these bugs showed evidence of
+ memory corruption and we presume that with enough effort
+ some of these could have been exploited to run arbitrary
+ code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11715</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11715</url>
+ </references>
+ <dates>
+ <discovery>2025-10-14</discovery>
+ <entry>2025-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="ed132d42-ab81-11f0-b961-b42e991fc52e">
+ <topic>Mozilla -- Memory safety bugs</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>144.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>144.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1986816">
+ <p>Memory safety bug. This bug showed evidence of memory
+ corruption and we presume that with enough effort this could
+ have been exploited to run arbitrary code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11721</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11721</url>
+ </references>
+ <dates>
+ <discovery>2025-10-14</discovery>
+ <entry>2025-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f3550d26-ab7d-11f0-b961-b42e991fc52e">
+ <topic>Firefox -- Sandbox escape</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0.3,2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1987246">
+ <p>Sandbox excape due to integer overflow in the Graphics:
+ Canvas2D component</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11152</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11152</url>
+ </references>
+ <dates>
+
<discovery>2025-09-30</discovery>
+ <entry>2025-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="7b9a8247-ab7b-11f0-b961-b42e991fc52e">
+ <topic>Mozilla -- Memory safety bugs</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>142.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.2.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>142.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/buglist.cgi?bug_id=1938220%2C1980730%2C1981280%2C1981283%2C1984505%2C1985067">
+ <p>Some of these bugs showed evidence of memory corruption
+ and we presume that with enough effort some of these could
+ have been exploited to run arbitrary code.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10537</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10537</url>
+ </references>
+ <dates>
+ <discovery>2025-09-16</discovery>
+ <entry>2025-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4fe6f98e-ab7b-11f0-b961-b42e991fc52e">
+ <topic>Mozilla -- Information disclosure</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.3.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>143.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1981502">
+ <p>This vulnerability affects Firefox < 143, Firefox ESR < 140.3,
+ Thunderbird < 143, and Thunderbird < 140.3.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10536</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10536</url>
+ </references>
+ <dates>
+
<discovery>2025-09-16</discovery>
+ <entry>2025-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="1e8a6581-ab7b-11f0-b961-b42e991fc52e">
+ <topic>Mozilla -- spoofing</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>143.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1665334">
+ <p>Spoofing issue in the Site Permission component</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10534</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10534</url>
+ </references>
+ <dates>
+ <discovery>2025-09-16</discovery>
+ <entry>2025-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c7383de4-ab7a-11f0-b961-b42e991fc52e">
+ <topic>Mozilla -- integer overflow</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>115.28.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>143.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1980788">
+ <p>Integer overflow in the SVG component</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10533</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10533</url>
+ </references>
+ <dates>
+ <discovery>2025-09-16</discovery>
+ <entry>2025-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="511f5aac-ab46-11f0-9446-f02f7497ecda">
+ <topic>minio -- Privilege Escalation via Session Policy Bypass in Service Accounts and STS</topic>
+ <affects>
+ <package>
+ <name>minio</name>
+ <range><lt>RELEASE.2025-10-15T17-29-55Z</lt></range>
+
</package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>mino reports:</p>
+ <blockquote cite="https://github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr">
+ <p>A privilege escalation vulnerability allows service accounts and STS
+ (Security Token Service) accounts with restricted session policies to
+ bypass their inline policy restrictions when performing "own" account
+ operations, specifically when creating new service accounts for the same
+ user.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-62506</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-62506</url>
+ </references>
+ <dates>
+ <discovery>2025-10-17</discovery>
+ <entry>2025-10-17</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="50fd6a75-0587-4987-bef2-bb933cd78ea1">
+ <topic>zeek -- information leak vulnerability</topic>
+ <affects>
+ <package>
+ <name>zeek</name>
+ <range><lt>8.0.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Tim Wojtulewicz of Corelight reports:</p>
+ <blockquote cite="INSERT URL HERE">
+ <p>The KRB analyzer can leak information about hosts in
+ analyzed traffic via external DNS lookups.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/zeek/zeek/releases/tag/v8.0.2</url>
+ </references>
+ <dates>
+ <discovery>2025-10-13</discovery>
+ <entry>2025-10-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="6dd86212-a859-11f0-bd95-b42e991fc52e">
+ <topic>Firefox -- JIT miscompilation in the JavaScript Engine</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0.3,2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1987481">
+ <p>JIT miscompilation in the JavaScript Engine: JIT
+ component.</p>
+ </blockquote>
+ </body>
+ </description>
+
<references>
+ <cvename>CVE-2025-11153</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-11153</url>
+ </references>
+ <dates>
+ <discovery>2025-09-30</discovery>
+ <entry>2025-10-13</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="87fdaf3c-a5b5-11f0-98b5-2cf05da270f3">
+ <topic>Gitlab -- vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>gitlab-ce</name>
+ <name>gitlab-ee</name>
+ <range><ge>18.4.0</ge><lt>18.4.2</lt></range>
+ <range><ge>18.3.0</ge><lt>18.3.4</lt></range>
+ <range><ge>5.2.0</ge><lt>18.2.8</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Gitlab reports:</p>
+ <blockquote cite="https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/">
+ <p>Incorrect authorization issue in GraphQL mutations impacts GitLab EE</p>
+ <p>Denial of Service issue in GraphQL blob type impacts GitLab CE/EE</p>
+ <p>Missing authorization issue in manual jobs impacts GitLab CE/EE</p>
+ <p>Denial of Service issue in webhook endpoints impacts GitLab CE/EE</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-11340</cvename>
+ <cvename>CVE-2025-10004</cvename>
+ <cvename>CVE-2025-9825</cvename>
+ <cvename>CVE-2025-2934</cvename>
+ <url>https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/</url>
+ </references>
+ <dates>
+ <discovery>2025-10-08</discovery>
+ <entry>2025-10-10</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0b5145e9-a500-11f0-a136-10ffe07f9334">
+ <topic>Mailpit -- Performance information disclosure</topic>
+ <affects>
+ <package>
+ <name>mailpit</name>
+ <range><lt>1.27.10</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Ralph Slooten (Mailpit developer) reports:</p>
+ <blockquote cite="https://github.com/axllent/mailpit/releases/tag/v1.27.10">
+ <p>An HTTP endpoint was found which exposed expvar runtime
+ information (memory usage, goroutine counts, GC behavior,
+ uptime and potential runtime flags) due to the Prometheus
+ client library dependency.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/axllent/mailpit/releases/tag/v1.27.10</url>
+ </references>
+ <dates>
+ <discovery>2025-10-09</discovery>
+ <entry>2025-10-09</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f60c790a-a394-11f0-9617-b42e991fc52e">
+ <topic>Mozilla -- Incorrect boundary conditions</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.3</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>143.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1979502">
+ <p>The vulnerability has been assessed to have moderate
+ impact on affected systems, potentially allowing attackers
+ to exploit incorrect boundary conditions in the JavaScript
+ Garbage Collection component.
In Thunderbird specifically,
+ these flaws cannot be exploited through email as scripting
+ is disabled when reading mail, but remain potential risks in
+ browser or browser-like contexts </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10532</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10532</url>
+ </references>
+ <dates>
+ <discovery>2025-09-16</discovery>
+ <entry>2025-10-07</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a240c31b-a394-11f0-9617-b42e991fc52e">
+ <topic>Mozilla -- mitigation bypass vulnerability</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0,2</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>143.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1978453">
+ <p>The vulnerability has been rated as having moderate
+ impact, affecting both confidentiality and integrity
+ with low severity, while having no impact on
+ availability.
For Thunderbird specifically, the
+ vulnerability cannot be exploited through email as
+ scripting is disabled when reading mail, but remains a
+ potential risk in browser or browser-like contexts </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10531</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10531</url>
+ </references>
+ <dates>
+ <discovery>2025-09-16</discovery>
+ <entry>2025-10-07</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f2de2f64-a2cc-11f0-8402-b42e991fc52e">
+ <topic>Mozilla -- Sandbox escape due to use-after-free</topic>
+ <affects>
+ <package>
+ <name>firefox</name>
+ <range><lt>143.0.0,2</lt></range>
+ </package>
+ <package>
+ <name>firefox-esr</name>
+ <range><lt>140.3.0</lt></range>
+ </package>
+ <package>
+ <name>thunderbird</name>
+ <range><lt>143.0.0</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>security@mozilla.org reports:</p>
+ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1986185">
+ <p>Sandbox escape due to use-after-free</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10527</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10527</url>
+ <cvename>CVE-2025-10528</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10528</url>
+ </references>
+ <dates>
+ <discovery>2025-09-16</discovery>
+ <entry>2025-10-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a5395e02-a2ca-11f0-8402-b42e991fc52e">
+ <topic>mongodb -- Malformed $group Query May Cause MongoDB Server to Crash</topic>
+ <affects>
+ <package>
+ <name>mongodb60</name>
+ <range><lt>6.0.25</lt></range>
+ </package>
+ <package>
+ <name>mongodb70</name>
+ <range><lt>7.0.22</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>cna@mongodb.com reports:</p>
+ <blockquote cite="https://jira.mongodb.org/browse/SERVER-99616">
+ <p>An authorized user can cause a crash in the
MongoDB Server through
+ a specially crafted $group query. This vulnerability is related
+ to the incorrect handling of certain accumulator functions when
+ additional parameters are specified within the $group operation.
+ This vulnerability could lead to denial of service if triggered
+ repeatedly.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10061</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10061</url>
+ </references>
+ <dates>
+ <discovery>2025-09-05</discovery>
+ <entry>2025-10-06</entry>
+ <modified>2025-10-07</modified>
+ </dates>
+ </vuln>
+
+ <vuln vid="6d16b410-a2ca-11f0-8402-b42e991fc52e">
+ <topic>mongodb -- MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation</topic>
+ <affects>
+ <package>
+ <name>mongodb60</name>
+ <range><lt>6.0.25</lt></range>
+ </package>
+ <package>
+ <name>mongodb70</name>
+ <range><lt>7.0.22</lt></range>
+ </package>
+ <package>
+ <name>mongodb80</name>
+ <range><lt>8.0.12</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>cna@mongodb.com reports:</p>
+ <blockquote cite="https://jira.mongodb.org/browse/SERVER-95524">
+ <p>MongoDB Server may allow upsert operations retried
+ within a transaction to violate unique index constraints,
+ potentially causing an invariant failure and server crash
+ during commit.
This issue may be triggered by improper
+ WriteUnitOfWork state management.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10060</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10060</url>
+ </references>
+ <dates>
+ <discovery>2025-09-05</discovery>
+ <entry>2025-10-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="4329e3bd-a2ca-11f0-8402-b42e991fc52e">
+ <topic>mongodb -- MongoDB Server router will crash when incorrect lsid is set on a sharded query</topic>
+ <affects>
+ <package>
+ <name>mongodb60</name>
+ <range><lt>6.0.24</lt></range>
+ </package>
+ <package>
+ <name>mongodb70</name>
+ <range><lt>7.0.18</lt></range>
+ </package>
+ <package>
+ <name>mongodb80</name>
+ <range><lt>8.0.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>cna@mongodb.com reports:</p>
+ <blockquote cite="https://jira.mongodb.org/browse/SERVER-100901">
+ <p>An improper setting of the lsid field on any sharded query can cause
+ a crash in MongoDB routers.
This issue occurs when a generic
+ argument (lsid) is provided in a case when it is not applicable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-10059</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-10059</url>
+ </references>
+ <dates>
+ <discovery>2025-09-05</discovery>
+ <entry>2025-10-06</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="a9dc3c61-a20f-11f0-91d8-b42e991fc52e">
+ <topic>mongodb -- MongoDB Server access to non-initialized memory</topic>
+ <affects>
+ <package>
+ <name>mongodb6</name>
+ <range><lt>6.0.3</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>cna@mongodb.com reports:</p>
+ <blockquote cite="https://jira.mongodb.org/browse/SERVER-71477">
+ <p>MongoDB Server may access non-initialized region of
+ memory leading to unexpected behaviour when zero arguments
+ are called in internal aggregation stage.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2024-8654</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2024-8654</url>
+ </references>
+ <dates>
+ <discovery>2024-09-10</discovery>
+ <entry>2025-10-05</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0af2f18e-a119-11f0-9446-f02f7497ecda">
+ <topic>redis,valkey -- Out of bound read due to a bug in LUA</topic>
+ <affects>
+ <package>
+ <name>redis</name>
+ <range><ge>8.2.0</ge><lt>8.2.2</lt></range>
+ </package>
+ <package>
+ <name>redis80</name>
+ <range><ge>8.0.0</ge><lt>8.0.4</lt></range>
+ </package>
+ <package>
+ <name>redis74</name>
+ <range><ge>7.4.0</ge><lt>7.4.6</lt></range>
+ </package>
+ <package>
+ <name>redis72</name>
+ <range><ge>7.2.0</ge><lt>7.2.11</lt></range>
+ </package>
+ <package>
+ <name>redis62</name>
+ <range><ge>6.2.0</ge><lt>6.2.20</lt></range>
+ </package>
+ <package>
+ <name>valkey</name>
+ <range><lt>8.1.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>redis reports:</p>
+ <blockquote
cite="https://github.com/redis/redis/security/advisories/GHSA-4c68-q8q8-3g4f">
+ <p>
+ An authenticated user may use a specially crafted LUA script to read
+ out-of-bound data or crash the server and subsequent denial of
+ service.
+ The problem exists in all versions of Redis with Lua scripting
+ An additional workaround to mitigate the problem without patching
+ the redis-server executable is to prevent users from executing Lua
+ scripts. This can be done using ACL to block a script by restricting
+ both the EVAL and FUNCTION command families.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-46819</cvename>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2025-46819</url>
+ </references>
+ <dates>
+ <discovery>2025-10-03</discovery>
+ <entry>2025-10-04</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="0258d37d-a118-11f0-9446-f02f7497ecda">
+ <topic>redis,valkey -- Running Lua function as a different user</topic>
+ <affects>
+ <package>
+ <name>redis</name>
+ <range><ge>8.2.0</ge><lt>8.2.2</lt></range>
+ </package>
+ <package>
+ <name>redis80</name>
+ <range><ge>8.0.0</ge><lt>8.0.4</lt></range>
+ </package>
+ <package>
+ <name>redis74</name>
+ <range><ge>7.4.0</ge><lt>7.4.6</lt></range>
+ </package>
+ <package>
+ <name>redis72</name>
+ <range><ge>7.2.0</ge><lt>7.2.11</lt></range>
+ </package>
+ <package>
+ <name>redis62</name>
+ <range><ge>6.2.0</ge><lt>6.2.20</lt></range>
+ </package>
+ <package>
+ <name>valkey</name>
+ <range><lt>8.1.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>redis reports:</p>
+ <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-qrv7-wcrx-q5jp">
+ <p>
+ An authenticated user may use a specially crafted Lua script to
+ manipulate different LUA objects and potentially run their own code
+ in the context of another user
+ The problem exists in all versions of Redis with Lua scripting.
+ An additional workaround to mitigate the problem without patching + the redis-server executable is to prevent users from executing Lua + scripts. This can be done using ACL to block a script by restricting + both the EVAL and FUNCTION command families. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-46818</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-46818</url> + </references> + <dates> + <discovery>2025-10-03</discovery> + <entry>2025-10-04</entry> + </dates> + </vuln> + + <vuln vid="f6b8de04-a116-11f0-9446-f02f7497ecda"> + <topic>redis,valkey -- Lua library commands may lead to integer overflow and potential RCE</topic> + <affects> + <package> + <name>redis</name> + <range><ge>8.2.0</ge><lt>8.2.2</lt></range> + </package> + <package> + <name>redis80</name> + <range><ge>8.0.0</ge><lt>8.0.4</lt></range> + </package> + <package> + <name>redis74</name> + <range><ge>7.4.0</ge><lt>7.4.6</lt></range> + </package> + <package> + <name>redis72</name> + <range><ge>7.2.0</ge><lt>7.2.11</lt></range> + </package> + <package> + <name>redis62</name> + <range><ge>6.2.0</ge><lt>6.2.20</lt></range> + </package> + <package> + <name>valkey</name> + <range><lt>8.1.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>redis reports:</p> + <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-m8fj-85cg-7vhp"> + <p> + An authenticated user may use a specially crafted Lua script to + cause an integer overflow and potentially lead to remote code + execution + The problem exists in all versions of Redis with Lua scripting. + An additional workaround to mitigate the problem without patching + the redis-server executable is to prevent users from executing Lua + scripts. This can be done using ACL to block a script by restricting + both the EVAL and FUNCTION command families. 
+ </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-46817</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-46817</url> + </references> + <dates> + <discovery>2025-10-03</discovery> + <entry>2025-10-04</entry> + </dates> + </vuln> + + <vuln vid="17e85cae-a115-11f0-9446-f02f7497ecda"> + <topic>redis,valkey -- Lua Use-After-Free may lead to remote code execution</topic> + <affects> + <package> + <name>redis</name> + <range><ge>8.2.0</ge><lt>8.2.2</lt></range> + </package> + <package> + <name>redis80</name> + <range><ge>8.0.0</ge><lt>8.0.4</lt></range> + </package> + <package> + <name>redis74</name> + <range><ge>7.4.0</ge><lt>7.4.6</lt></range> + </package> + <package> + <name>redis72</name> + <range><ge>7.2.0</ge><lt>7.2.11</lt></range> + </package> + <package> + <name>redis62</name> + <range><ge>6.2.0</ge><lt>6.2.20</lt></range> + </package> + <package> + <name>valkey</name> + <range><lt>8.1.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>redis reports:</p> + <blockquote cite="https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q"> + <p> + An authenticated user may use a specially crafted Lua script to + manipulate the garbage collector, trigger a use-after-free and + potentially lead to remote code execution. + The problem exists in all versions of Redis with Lua scripting. + An additional workaround to mitigate the problem without patching the + redis-server executable is to prevent users from executing Lua scripts. + This can be done using ACL to restrict EVAL and EVALSHA commands. 
+ </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-49844</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-49844</url> + </references> + <dates> + <discovery>2025-10-03</discovery> + <entry>2025-10-04</entry> + </dates> + </vuln> + + <vuln vid="c27c05a7-a0c8-11f0-8471-4ccc6adda413"> + <topic>qt6-webengine -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>qt6-pdf</name> + <name>qt6-webengine</name> + <range><lt>6.9.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Qt qtwebengine-chromium repo reports:</p> + <blockquote cite="https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=130-based"> + <p>Backports for 9 security bugs in Chromium:</p> + <ul> + <li>CVE-2025-9866: Determine whether to bypass redirect checks per request</li> + <li>CVE-2025-10200: Use after free in Serviceworker</li> + <li>CVE-2025-10201: Inappropriate implementation in Mojo</li> + <li>CVE-2025-10500: Use after free in Dawn</li> + <li>CVE-2025-10501: Use after free in WebRTC</li> + <li>CVE-2025-10502: Heap buffer overflow in ANGLE</li> + <li>CVE-2025-10890: Side-channel information leakage in V8 (1/2)</li> + <li>CVE-2025-10891: Integer overflow in V8</li> + <li>CVE-2025-10892: Integer overflow in V8</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-9866</cvename> + <cvename>CVE-2025-10200</cvename> + <cvename>CVE-2025-10201</cvename> + <cvename>CVE-2025-10500</cvename> + <cvename>CVE-2025-10501</cvename> + <cvename>CVE-2025-10502</cvename> + <cvename>CVE-2025-10890</cvename> + <cvename>CVE-2025-10891</cvename> + <cvename>CVE-2025-10892</cvename> + <url>https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=130-based</url> + </references> + <dates> + <discovery>2025-09-25</discovery> + <entry>2025-10-04</entry> + </dates> + </vuln> + + <vuln vid="21fba35e-a05f-11f0-a8b8-a1ef31191bc1"> + <topic>fetchmail -- potential crash when 
authenticating to SMTP server</topic> + <affects> + <package> + <name>fetchmail</name> + <range><ge>5.9.9</ge><lt>6.5.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Matthias Andree reports:</p> + <blockquote cite="https://www.fetchmail.info/fetchmail-SA-2025-01.txt"> + <p> + fetchmail's SMTP client, when configured to authenticate, is + susceptible to a protocol violation where, when a trusted but + malicious or malfunctioning SMTP server responds to an + authentication request with a "334" code but without a following + blank on the line, it will attempt to start reading from memory + address 0x1 to parse the server's SASL challenge. This address is + constant and not under the attacker's control. This event will + usually cause a crash of fetchmail. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-61962</cvename> + <url>https://www.fetchmail.info/fetchmail-SA-2025-01.txt</url> + <url>https://gitlab.com/fetchmail/fetchmail/-/raw/legacy_6x/fetchmail-SA-2025-01.txt?ref_type=heads</url> + <url>https://gitlab.com/fetchmail/fetchmail/-/commit/4c3cebfa4e659fb778ca2cae0ccb3f69201609a8</url> + </references> + <dates> + <discovery>2025-10-02</discovery> + <entry>2025-10-03</entry> + <modified>2025-10-04</modified> + </dates> + </vuln> + + <vuln vid="169a87de-a157-4558-9f97-a7395a9ae144"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>141.0.7390.54</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>141.0.7390.54</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_30.html"> + <p>This update includes 21 security fixes:</p> + <ul> + <li>[442444724] High CVE-2025-11205: Heap buffer overflow in WebGPU. 
Reported by Atte Kettunen of OUSPG on 2025-09-02</li> + <li>[444755026] High CVE-2025-11206: Heap buffer overflow in Video. Reported by Elias Hohl on 2025-09-12</li> + <li>[428189824] Medium CVE-2025-11207: Side-channel information leakage in Storage. Reported by Alesandro Ortiz on 2025-06-27</li> + <li>[397878997] Medium CVE-2025-11208: Inappropriate implementation in Media. Reported by Kevin Joensen on 2025-02-20</li> + <li>[438226517] Medium CVE-2025-11209: Inappropriate implementation in Omnibox. Reported by Hafiizh on 2025-08-13</li> + <li>[440523110] Medium CVE-2025-11210: Side-channel information leakage in Tab. Reported by Umar Farooq on 2025-08-22</li> + <li>[441917796] Medium CVE-2025-11211: Out of bounds read in Media. Reported by Kosir Jakob on 2025-08-29</li> + <li>[420734141] Medium CVE-2025-11212: Inappropriate implementation in Media. Reported by Ameen Basha M K on 2025-05-28</li> + <li>[443408317] Medium CVE-2025-11213: Inappropriate implementation in Omnibox. Reported by Hafiizh on 2025-09-06</li> + <li>[439758498] Medium CVE-2025-11215: Off by one error in V8. Reported by Google Big Sleep on 2025-08-19</li> + <li>[419721056] Low CVE-2025-11216: Inappropriate implementation in Storage. Reported by Farras Givari on 2025-05-23</li> + <li>[439772737] Low CVE-2025-11219: Use after free in V8. 
Reported by Google Big Sleep on 2025-08-19</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-11205</cvename> + <cvename>CVE-2025-11206</cvename> + <cvename>CVE-2025-11207</cvename> + <cvename>CVE-2025-11208</cvename> + <cvename>CVE-2025-11209</cvename> + <cvename>CVE-2025-11210</cvename> + <cvename>CVE-2025-11211</cvename> + <cvename>CVE-2025-11212</cvename> + <cvename>CVE-2025-11213</cvename> + <cvename>CVE-2025-11215</cvename> + <cvename>CVE-2025-11216</cvename> + <cvename>CVE-2025-11219</cvename> + <url>https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_30.html</url> + </references> + <dates> + <discovery>2025-09-30</discovery> + <entry>2025-10-03</entry> + </dates> + </vuln> + + <vuln vid="90fc859e-9fe4-11f0-9fa2-080027836e8b"> + <topic>Django -- multiple vulnerabilities</topic> + <affects> + <package> + <name>py39-django42</name> + <name>py310-django42</name> + <name>py311-django42</name> + <range><lt>4.2.25</lt></range> + </package> + <package> + <name>py310-django51</name> + <name>py311-django51</name> + <range><lt>5.1.13</lt></range> + </package> + <package> + <name>py310-django52</name> + <name>py311-django52</name> + <range><lt>5.2.7</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Django reports:</p> + <blockquote cite="https://www.djangoproject.com/weblog/2025/oct/01/security-releases/"> + <p>CVE-2025-59681: Potential SQL injection in QuerySet.annotate(), alias(), aggregate(), and extra() on MySQL and MariaDB.</p> + <p>CVE-2025-59682: Potential partial directory-traversal via archive.extract().</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-59681</cvename> + <cvename>CVE-2025-59682</cvename> + <url>https://www.djangoproject.com/weblog/2025/oct/01/security-releases/</url> + </references> + <dates> + <discovery>2025-10-01</discovery> + <entry>2025-10-02</entry> + </dates> + </vuln> + + <vuln 
vid="cb570d6f-9ea9-11f0-9446-f02f7497ecda"> + <topic>py-mysql-connector-python -- Vulnerability in the MySQL Connectors product of Oracle MySQL</topic> + <affects> + <package> + <name>py39-mysql-connector-python</name> + <name>py310-mysql-connector-python</name> + <name>py311-mysql-connector-python</name> + <name>py312-mysql-connector-python</name> + <range><lt>9.2.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Oracle reports:</p> + <blockquote cite="https://www.oracle.com/security-alerts/cpujan2025.html"> + <p>Vulnerability in the MySQL Connectors product of Oracle MySQL + (component: Connector/Python). Supported versions that are affected are + 9.1.0 and prior. Easily exploitable vulnerability allows high privileged + attacker with network access via multiple protocols to compromise MySQL + Connectors. Successful attacks require human interaction from a person + other than the attacker. Successful attacks of this vulnerability can + result in unauthorized creation, deletion or modification access to + critical data or all MySQL Connectors accessible data as well as + unauthorized read access to a subset of MySQL Connectors accessible data + and unauthorized ability to cause a hang or frequently repeatable crash + (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 6.4 + (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: + (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H).</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-21548</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-21548</url> + </references> + <dates> + <discovery>2025-01-21</discovery> + <entry>2025-10-01</entry> + </dates> + </vuln> + + <vuln vid="00e912c5-9e92-11f0-bc5f-8447094a420f"> + <topic>OpenSSL -- multiple vulnerabilities</topic> + <affects> + <package> + <name>openssl</name> + <range><lt>3.0.18,1</lt></range> + </package> + <package> + <name>openssl32</name> + <range><lt>3.2.6</lt></range> + </package> + <package> + <name>openssl33</name> + <range><lt>3.3.5</lt></range> + </package> + <package> + <name>openssl33-quictls</name> + <range><lt>3.3.5</lt></range> + </package> + <package> + <name>openssl34</name> + <range><lt>3.4.3</lt></range> + </package> + <package> + <name>openssl35</name> + <range><lt>3.5.4</lt></range> + </package> + <package> + <name>openssl36</name> + <range><lt>3.6.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The OpenSSL project reports reports:</p> + <blockquote cite="https://openssl-library.org/news/secadv/20250930.txt"> + <p>Out-of-bounds read & write in RFC 3211 KEK Unwrap</p> + <p>Timing side-channel in SM2 algorithm on 64-bit ARM</p> + <p>Fix Out-of-bounds read in HTTP client no_proxy handling</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-9230</cvename> + <cvename>CVE-2025-9231</cvename> + <cvename>CVE-2025-9232</cvename> + <freebsdsa>SA-25:08.openssl</freebsdsa> + <url>https://openssl-library.org/news/secadv/20250930.txt</url> + </references> + <dates> + <discovery>2025-09-30</discovery> + <entry>2025-10-01</entry> + <modified>2025-10-03</modified> + </dates> + </vuln> + + <vuln vid="699ef80f-9e91-11f0-bc5f-8447094a420f"> + <topic>LibreSSL -- overwrite and -read vulnerability</topic> + <affects> + <package> + <name>libressl</name> + 
<range><lt>4.1.1</lt></range> + </package> + <package> + <name>libressl-devel</name> + <range><lt>4.1.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The LibreSSL project reports:</p> + <blockquote cite="https://github.com/libressl/portable/releases/tag/v4.1.1"> + <p>An incorrect length check can result in a 4-byte overwrite and an 8-byte overread.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-9230</cvename> + <url>https://github.com/libressl/portable/releases/tag/v4.1.1</url> + </references> + <dates> + <discovery>2025-10-01</discovery> + <entry>2025-10-01</entry> + </dates> + </vuln> + + <vuln vid="4ccd6222-9c83-11f0-a337-b42e991fc52e"> + <topic>goldendict -- dangerous method exposed</topic> + <affects> + <package> + <name>goldendict</name> + <range><lt>1.5.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>cve@mitre.org reports:</p> + <blockquote cite="https://github.com/goldendict/goldendict/releases"> + <p>GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous + method that allows reading and modifying files when a user + adds a crafted dictionary and then searches for any term + included in that dictionary.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-53964</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-53964</url> + </references> + <dates> + <discovery>2025-07-17</discovery> + <entry>2025-09-28</entry> + </dates> + </vuln> + + <vuln vid="3bf134f4-942d-11f0-95de-0800276af896"> + <topic>libudisks -- Udisks: out-of-bounds read in udisks daemon</topic> + <affects> + <package> + <name>libudisks</name> + <range><lt>2.10.2</lt></range> + <range><ge>2.10.90</ge><lt>2.10.91</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>secalert@redhat.com reports:</p> + <blockquote 
cite="https://access.redhat.com/errata/RHSA-2025:15017"> + <p>A flaw was found in the Udisks daemon, where it allows unprivileged + users to create loop devices using the D-BUS system. This is + achieved via the loop device handler, which handles requests sent + through the D-BUS interface. As two of the parameters of this + handle, it receives the file descriptor list and index specifying + the file where the loop device should be backed. The function + itself validates the index value to ensure it isn't bigger + than the maximum value allowed. However, it fails to validate the + lower bound, allowing the index parameter to be a negative value. + Under these circumstances, an attacker can cause the UDisks daemon + to crash or perform a local privilege escalation by gaining access + to files owned by privileged users.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-8067</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-8067</url> + </references> + <dates> + <discovery>2025-08-28</discovery> + <entry>2025-09-26</entry> + </dates> + </vuln> + + <vuln vid="32bdeb94-9958-11f0-b6e2-6805ca2fa271"> + <topic>quiche -- Infinite loop triggered by connection ID retirement</topic> + <affects> + <package> + <name>quiche</name> + <range><lt>0.24.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Quiche Releases reports:</p> + <blockquote cite="https://github.com/cloudflare/quiche/releases/tag/0.24.5"> + <p>This update includes 1 security fix:</p> + <ul> + <li>High CVE-2025-7054: Infinite loop triggered by connection ID retirement. 
Reported by Catena cyber on 2025-08-07.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-7054</cvename> + <url>https://www.cve.org/CVERecord?id=CVE-2025-7054</url> + </references> + <dates> + <discovery>2025-08-07</discovery> + <entry>2025-09-26</entry> + </dates> + </vuln> + + <vuln vid="7b0cbc73-9955-11f0-b6e2-6805ca2fa271"> + <topic>quiche -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>quiche</name> + <range><lt>0.24.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Quiche Releases reports:</p> + <blockquote cite="https://github.com/cloudflare/quiche/releases/tag/0.24.4"> + <p>This update includes 2 security fixes:</p> + <ul> + <li>Medium CVE-2025-4820: Incorrect congestion window growth by optimistic ACK. Reported by Louis Navarre on 2025-06-18.</li> + <li>High CVE-2025-4821: Incorrect congestion window growth by invalid ACK ranges. Reported by Louis Navarre on 2025-06-18.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-4820</cvename> + <cvename>CVE-2025-4821</cvename> + <url>https://github.com/cloudflare/quiche/releases/tag/0.24.4</url> + </references> + <dates> + <discovery>2025-06-18</discovery> + <entry>2025-09-26</entry> + </dates> + </vuln> + + <vuln vid="477fdc04-9aa2-11f0-961b-2cf05da270f3"> + <topic>Gitlab -- Vulnerabilities</topic> + <affects> + <package> + <name>gitlab-ce</name> + <name>gitlab-ee</name> + <range><ge>18.4.0</ge><lt>18.4.1</lt></range> + <range><ge>18.3.0</ge><lt>18.3.3</lt></range> + <range><ge>11.10.0</ge><lt>18.2.7</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gitlab reports:</p> + <blockquote cite="https://about.gitlab.com/releases/2025/09/25/patch-release-gitlab-18-4-1-released/"> + <p>Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE</p> + <p>Denial of Service issue 
bypassing query complexity limits impacts GitLab CE/EE</p> + <p>Information disclosure issue in virtual registery configuration for low privileged users impacts GitLab CE/EE</p> + <p>Privilege Escalation issue from within the Developer role impacts GitLab EE</p> + <p>Denial of Service issue in GraphQL API via Unbounded Array Parameters impacts GitLab CE/EE</p> + <p>Improper Authorization issue for Project Maintainers when assigning roles impacts GitLab EE</p> + <p>Denial of Service issue in GraphQL API blobSearch impacts GitLab CE/EE</p> + <p>Incorrect ownership assignment via Move Issue drop-down impacts GitLab CE/EE</p> + <p>Denial of Service issue via string conversion methods impacts GitLab CE/EE</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10858</cvename> + <cvename>CVE-2025-8014</cvename> + <cvename>CVE-2025-9958</cvename> + <cvename>CVE-2025-7691</cvename> + <cvename>CVE-2025-10871</cvename> + <cvename>CVE-2025-10867</cvename> + <cvename>CVE-2025-5069</cvename> + <cvename>CVE-2025-10868</cvename> + <url>https://about.gitlab.com/releases/2025/09/25/patch-release-gitlab-18-4-1-released/</url> + </references> + <dates> + <discovery>2025-09-25</discovery> + <entry>2025-09-26</entry> + </dates> + </vuln> + + <vuln vid="e5cf9f44-9a64-11f0-8241-93c889bb8de1"> + <topic>openvpn-devel -- script injection vulnerability from trusted but malicious server</topic> + <affects> + <package> + <name>openvpn-devel</name> + <range><ge>g20250629,1</ge><lt>g20250925,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gert Doering reports:</p> + <blockquote cite="https://github.com/OpenVPN/openvpn/commit/0fb5a00549be6b065f9a4d61940ee06786d9fa61"> + <p>Notable changes beta1 -> + beta2 are: [...] 
add proper input sanitation to DNS strings to + prevent an attack coming from a trusted-but-malicous OpenVPN server + (CVE: 2025-10680, affects unixoid systems with --dns-updown scripts + and windows using the built-in powershell call) + </p> + </blockquote> + <p>Lev Stipakov writes:</p> + <blockquote cite="https://github.com/OpenVPN/openvpn/commit/3a66045b407321c9d1c096227db164df3955ab40"> + <p> On Linux (and similar platforms), those options are written to a tmp + file, which is later sourced by a script running as root. Since + options are controlled by the server, it is possible for a malicious + server to execute script injection attack [...].</p> + </blockquote> + <p>The original report is credited to Stanislav Fort <disclosure@aisle.com>.</p> + </body> + </description> + <references> + <cvename>CVE-2025-10680</cvename> + <url>https://github.com/OpenVPN/openvpn/commit/0fb5a00549be6b065f9a4d61940ee06786d9fa61</url> + <url>https://github.com/OpenVPN/openvpn/commit/3a66045b407321c9d1c096227db164df3955ab40</url> + </references> + <dates> + <discovery>2025-09-24</discovery> + <entry>2025-09-25</entry> + </dates> + </vuln> + + <vuln vid="c2253bff-9952-11f0-b6e2-6805ca2fa271"> + <topic>dnsdist -- Denial of service via crafted DoH exchange</topic> + <affects> + <package> + <name>dnsdist</name> + <range><lt>1.9.11</lt></range> + <range><ge>2.0.0</ge><lt>2.0.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security@open-xchange.com reports:</p> + <blockquote cite="https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-05.html"> + <p>In some circumstances, when DNSdist is configured to use the nghttp2 + library to process incoming DNS over HTTPS queries, an attacker + might be able to cause a denial of service by crafting a DoH exchange + that triggers an unbounded I/O read loop, causing an unexpected + consumption of CPU resources. 
The offending code was introduced in + DNSdist 1.9.0-alpha1 so previous versions are not affected.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-30187</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-30187</url> + </references> + <dates> + <discovery>2025-09-18</discovery> + <entry>2025-09-24</entry> + <modified>2025-09-26</modified> + </dates> + </vuln> + + <vuln vid="57b54de1-85a5-439a-899e-75d19cbdff54"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>140.0.7339.207</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>140.0.7339.207</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html"> + <p>This update includes 4 security fixes:</p> + <ul> + <li>[430336833] High CVE-2025-10890: Side-channel information leakage in V8. Reported by Mate Marjanović (SharpEdged) on 2025-07-09</li> + <li>[443765373] High CVE-2025-10891: Integer overflow in V8. Reported by Google Big Sleep on 2025-09-09</li> + <li>[444048019] High CVE-2025-10892: Integer overflow in V8. 
Reported by Google Big Sleep on 2025-09-10</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10890</cvename> + <cvename>CVE-2025-10891</cvename> + <cvename>CVE-2025-10892</cvename> + <url>https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_23.html</url> + </references> + <dates> + <discovery>2025-09-23</discovery> + <entry>2025-09-23</entry> + </dates> + </vuln> + + <vuln vid="6904ba53-22ff-4478-bfae-059dc2eefee1"> + <topic>chromium -- multiple security fixes</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>140.0.7339.185</lt></range> + </package> + <package> + <name>ungoogled-chromium</name> + <range><lt>140.0.7339.185</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html"> + <p>This update includes 4 security fixes:</p> + <ul> + <li>[445380761] High CVE-2025-10585: Type Confusion in V8. Reported by Google Threat Analysis Group on 2025-09-16</li> + <li>[435875050] High CVE-2025-10500: Use after free in Dawn. Reported by Giunash (Gyujeong Jin) on 2025-08-03</li> + <li>[440737137] High CVE-2025-10501: Use after free in WebRTC. Reported by sherkito on 2025-08-23</li> + <li>[438038775] High CVE-2025-10502: Heap buffer overflow in ANGLE. 
Reported by Google Big Sleep on 2025-08-12</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-10585</cvename> + <cvename>CVE-2025-10500</cvename> + <cvename>CVE-2025-10501</cvename> + <cvename>CVE-2025-10502</cvename> + <url>https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html</url> + </references> + <dates> + <discovery>2025-09-17</discovery> + <entry>2025-09-22</entry> + </dates> + </vuln> + + <vuln vid="b51a4121-9607-11f0-becf-00a098b42aeb"> + <topic>PCRE2: heap-buffer-overflow read in match_ref due to missing boundary restoration in SCS</topic> + <affects> + <package> + <name>pcre2</name> + <range><eq>10.45</eq></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>security-advisories@github.com reports:</p> + <blockquote cite="https://github.com/PCRE2Project/pcre2/commit/a141712e5967d448c7ce13090ab530c8e3d82254"> + <p>The PCRE2 library is a set of C functions that implement regular + expression pattern matching. In version 10.45, a heap-buffer-overflow + read vulnerability exists in the PCRE2 regular expression matching + engine, specifically within the handling of the (*scs:...) (Scan + SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. 
+ This vulnerability may potentially lead to information disclosure + if the out-of-bounds data read during the memcmp affects the final + match result in a way observable by the attacker.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-58050</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-58050</url> + </references> + <dates> + <discovery>2025-08-27</discovery> + <entry>2025-09-20</entry> + </dates> + </vuln> + + <vuln vid="744966b3-93d8-11f0-b8da-589cfc10a551"> + <topic>expat -- dynamic memory allocations issue</topic> + <affects> + <package> + <name>expat2</name> + <range><lt>2.7.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>expat security advisory:</p> + <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2025-59375"> + <p>libexpat allows attackers to trigger large dynamic memory allocations + via a small document that is submitted for parsing.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-59375</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-59375</url> + </references> + <dates> + <discovery>2025-09-17</discovery> + <entry>2025-09-17</entry> + </dates> + </vuln> + + <vuln vid="b9b668f0-96ec-4568-b618-2edea45d6933"> + <topic>jenkins -- multiple vulnerabilities</topic> + <affects> + <package> + <name>jenkins</name> + <range><lt>2.528</lt></range> + </package> + <package> + <name>jenkins-lts</name> + <range><lt>2.516.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Jenkins Security Advisory:</p> + <blockquote cite="https://www.jenkins.io/security/advisory/2025-09-17/"> + <h1>Description</h1> + <h5>(High) SECURITY-3618 / CVE-2025-5115</h5> + <p>HTTP/2 denial of service vulnerability in bundled Jetty</p> + <h5>(Medium) SECURITY-3594 / CVE-2025-59474</h5> + <p>Missing permission check allows obtaining agent names</p> + <h5>(Medium) SECURITY-3625 / 
CVE-2025-59475</h5> + <p> Missing permission check in authenticated users' profile menu</p> + <h5>(Medium) SECURITY-3424 / CVE-2025-59476</h5> + <p>Log message injection vulnerability</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-5115</cvename> + <cvename>CVE-2025-59474</cvename> + <cvename>CVE-2025-59475</cvename> + <cvename>CVE-2025-59476</cvename> + <url>https://www.jenkins.io/security/advisory/2025-09-17/</url> + </references> + <dates> + <discovery>2025-09-17</discovery> + <entry>2025-09-17</entry> + </dates> + </vuln> + + <vuln vid="f6ca7c47-9190-11f0-b8da-589cfc10a551"> + <topic>unit-java -- security vulnerability</topic> + <affects> + <package> + <name>unit-java</name> + <range><lt>1.34.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>F5 reports:</p> + <blockquote cite="https://my.f5.com/manage/s/article/K000149959"> + <p>When NGINX Unit with the Java Language Module is in use, + undisclosed requests can lead to an infinite loop and cause + an increase in CPU resource utilization.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-1695</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-1695</url> + </references> + <dates> + <discovery>2025-09-14</discovery> + <entry>2025-09-14</entry> + </dates> + </vuln> + + <vuln vid="3aee6703-8ff6-11f0-b8da-589cfc10a551"> + <topic>cups -- security vulnerabilities</topic> + <affects> + <package> + <name>cups</name> + <range><lt>2.4.13</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>OpenPrinting reports:</p> + <blockquote cite="https://github.com/OpenPrinting/cups/security/advisories/GHSA-4c68-qgrh-rmmq"> + <p>When the AuthType is set to anything but Basic, if the request contains an + Authorization: Basic ... 
header, the password is not checked.</p>
+ </blockquote>
+ <blockquote cite="https://github.com/OpenPrinting/cups/security/advisories/GHSA-7qx3-r744-6qv4">
+ <p>An unsafe deserialization and validation of printer attributes, causes null
+ dereference in libcups library.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2025-58060</cvename>
+ <cvename>CVE-2025-58364</cvename>
+ <url>https://github.com/OpenPrinting/cups/security/advisories/GHSA-4c68-qgrh-rmmq</url>
+ <url>https://github.com/OpenPrinting/cups/security/advisories/GHSA-7qx3-r744-6qv4</url>
+ </references>
+ <dates>
+ <discovery>2025-09-11</discovery>
+ <entry>2025-09-12</entry>
+ <modified>2025-09-16</modified>
+ </dates>
+ </vuln>
+ <vuln vid="f50640fa-89a4-4795-a302-47b0dea8cee5">
 <topic>chromium -- multiple security fixes</topic>
 <affects>
@@ -456,7 +3687,7 @@
 <affects>
 <package>
 <name>sqlite3</name>
- <range><lt>3.49.1</lt></range>
+ <range><lt>3.49.1,1</lt></range>
 </package>
 <package>
 <name>linux_base-rl9-9.6</name>
@@ -1116,7 +4347,7 @@
 <affects>
 <package>
 <name>sqlite3</name>
- <range><lt>3.49.1</lt></range>
+ <range><lt>3.49.1,1</lt></range>
 </package>
 <package>
 <name>linux-c7-sqlite</name>
@@ -1135,7 +4366,7 @@
 function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap
- Buffer overflow of size ~4GB can be triggered. This can result in
+ Buffer overflow of size ~4GB can be triggered. This can result in
 arbitrary code execution.</p>
 </blockquote>
 </body>
@@ -1186,8 +4417,6 @@
 <name>sqlite3</name>
 <range><ge>3.39.2,1</ge><lt>3.41.2,1</lt></range>
 </package>
- <!-- as of 2025-08-01, sqlite in -c7 is 3.7.17 and matched by the <3.50.2 below,
- and -rl9 aka linux_base ships 3.34.1 which is outside this range. -->
 </affects>
 <description>
 <body xmlns="http://www.w3.org/1999/xhtml">
@@ -2145,12 +5374,18 @@ <name>sqlite3</name> <range><lt>3.50.2,1</lt></range> </package> + <!-- as of 2025-08-01, sqlite in -c7 is 3.7.17 and matched by the <3.50.2 below, + and -rl9 aka linux_base ships 3.34.1 which is outside this range. --> <package> <name>linux-c7-sqlite</name> <range><lt>3.50.2</lt></range> </package> <package> <name>linux_base-rl9</name> + <range><ge>9.5.14</ge><lt>9.6_1</lt></range> + </package> + <package> + <name>linux-rl9-sqlite3</name> <range><ge>0</ge></range> </package> </affects> @@ -2172,7 +5407,7 @@ <dates> <discovery>2025-07-15</discovery> <entry>2025-07-23</entry> - <modified>2025-08-01</modified> + <modified>2025-09-07</modified> </dates> </vuln> @@ -2255,7 +5490,7 @@ i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing - queries to accommodate for different outgoing ECS information. This + queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.</p> @@ -3910,7 +7145,7 @@ by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on - the affected software. Although unproven, there is also a possibility + the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.</p> </blockquote> 
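Review bot: The comment moved into the `<lt>3.50.2,1</lt>` sqlite3 entry now contradicts the package list directly beneath it: it states that -rl9 aka linux_base ships 3.34.1 "which is outside this range", yet the same hunk adds `<range><ge>9.5.14</ge><lt>9.6_1</lt></range>` for linux_base-rl9, i.e. that 3.34.1 is inside the <3.50.2 range and the package is flagged as affected. The "outside this range" clause was accurate for the 3.39.2,1–3.41.2,1 entry it was removed from (hunk `@@ -1186`), not for this one, and a reader auditing the range will be misled. Suggest rewording the second clause to match the data, e.g. `and -rl9 aka linux_base ships 3.34.1, covered by the linux_base-rl9 range below.` The `<ge>0</ge>` range on the newly added linux-rl9-sqlite3 package marks every version as vulnerable with no upper bound; if a fixed package version exists, adding the corresponding `<lt>` would let pkg audit stop reporting it once updated, though I cannot tell from the hunk whether such a version is available.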
@@ -4268,7 +7503,7 @@ <body xmlns="http://www.w3.org/1999/xhtml"> <p>secalert@redhat.com reports:</p> <blockquote cite="https://access.redhat.com/errata/RHSA-2025:4450"> - <p>A flaw was found in Yelp. The Gnome user help application allows + <p>A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.</p> @@ -4297,7 +7532,7 @@ <body xmlns="http://www.w3.org/1999/xhtml"> <p>secalert@redhat.com reports:</p> <blockquote cite="https://access.redhat.com/errata/RHSA-2025:4450"> - <p>A flaw was found in Yelp. The Gnome user help application allows + <p>A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.</p> @@ -4715,7 +7950,7 @@ <p>zdi-disclosures@trendmicro.com reports:</p> <blockquote cite="https://www.zerodayinitiative.com/advisories/ZDI-25-204/"> <p>GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution - Vulnerability. This vulnerability allows remote attackers to execute + Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. 
@@ -4750,7 +7985,7 @@ <p>zdi-disclosures@trendmicro.com reports:</p> <blockquote cite="https://www.zerodayinitiative.com/advisories/ZDI-25-203/"> <p>GIMP XWD File Parsing Integer Overflow Remote Code Execution - Vulnerability. This vulnerability allows remote attackers to execute + Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. @@ -4921,7 +8156,7 @@ <li>[417169470] High CVE-2025-5280: Out of bounds write in V8. Reported by [pwn2car] on 2025-05-12</li> <li>[40058068] Medium CVE-2025-5064: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-11-29</li> <li>[40059071] Medium CVE-2025-5065: Inappropriate implementation in FileSystemAccess API. Reported by NDevTK on 2022-03-11</li> - <li>[356658477] Medium CVE-2025-5066: Inappropriate implementation in Messages. Reported by Mohit Raj (shadow2639) on 2024-07-31</li> + <li>[356658477] Medium CVE-2025-5066: Inappropriate implementation in Messages. Reported by Mohit Raj (shadow2639) on 2024-07-31</li> <li>[417215501] Medium CVE-2025-5281: Inappropriate implementation in BFCache. Reported by Jesper van den Ende (Pelican Party Studios) on 2025-05-12</li> <li>[419467315] Medium CVE-2025-5283: Use after free in libvpx. Reported by Mozilla on 2025-05-22</li> <li>[40075024] Low CVE-2025-5067: Inappropriate implementation in Tab Strip. Reported by Khalil Zhani on 2023-10-17</li> @@ -5152,7 +8387,7 @@ special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available - at pull request 3389 and expected to be part of version 2.9.9. No + at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.</p> </blockquote> </body> 
@@ -5405,7 +8640,7 @@ <p>A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend - plugin that will execute arbitrary JavaScript. This vulnerability + plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve @@ -5454,7 +8689,7 @@ `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your - usage is not affected. To work-around this issue you may stop + usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.</p> </blockquote> @@ -7828,7 +11063,7 @@ <p>cna@mongodb.com reports:</p> <blockquote cite="https://jira.mongodb.org/browse/SERVER-103153"> <p>When run on commands with certain arguments set, explain may fail - to validate these arguments before using them. This can lead to + to validate these arguments before using them. This can lead to crashes in router servers. This affects MongoDB Server v5.0 prior to 5.0.31, MongoDB Server v6.0 prior to 6.0.20, MongoDB Server v7.0 prior to 7.0.16 and MongoDB Server v8.0 prior to 8.0.4</p> 
@@ -7981,8 +11216,8 @@ responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity - issues, or the client was configured with aggressive timeouts. The - problem occurs for multiple use cases. For sticky connections, you + issues, or the client was configured with aggressive timeouts. The + problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool once a connection is returned @@ -7999,7 +11234,7 @@ Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's - argument), with a constant factor of about 16. This issue is fixed + argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.</p> </blockquote> </body> @@ -8048,12 +11283,12 @@ <blockquote cite="https://bugzilla.mozilla.org/show_bug.cgi?id=1945392"> <p>An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected - version 122 and later. This vulnerability affects Firefox < + version 122 and later. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.</p> <p>Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed - (distinct from CVE-2025-0245). This vulnerability affects Firefox + (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.</p> <p>When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result 
@@ -8654,7 +11889,7 @@ <p>LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was - added. In the affected versions of LibreOffice a link in a browser + added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 @@ -8809,13 +12044,13 @@ <body xmlns="http://www.w3.org/1999/xhtml"> <p>security-advisories@github.com reports:</p> <blockquote cite="https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403"> - <p>Jinja is an extensible templating engine. Prior to 3.1.6, an + <p>Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using - Jinja. This vulnerability impacts users of applications which + Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference 
@@ -9045,9 +12280,9 @@ <blockquote cite="https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98"> <p>Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth - token. Prior to version 2.25.1, the file created has `rw-r--r--` + token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to - `rw-------` (600) permissions. This leads to overly broad exposure + `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify @@ -9165,7 +12400,7 @@ </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>SO-AND-SO reports:</p> + <p>The NGINX Unit team reports:</p> <blockquote cite="https://mailman.nginx.org/pipermail/unit/2025-March/QVYLJKLBIDWOJ7OLYGT27VUWH7RGBRQM.html"> <p>Unit 1.34.2 fixes two issues in the Java language module websocket code.</p> <ol> @@ -9898,7 +13133,7 @@ opened in normal browsing windows. This could have resulted in a potential privacy leak.</p> <p>Certificate length was not properly checked when added to a certificate - store. In practice only trusted data was processed.</p> + store. In practice only trusted data was processed.</p> <p>Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some 
@@ -9988,7 +13223,7 @@ use-after-free.</p> <p>Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird - 128.6. Some of these bugs showed evidence of memory corruption and + 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.</p> </blockquote> @@ -10099,7 +13334,7 @@ <li>CVE-2018-20547: Illegal READ memory access at caca/dither.c</li> <li>CVE-2018-20548: Illegal WRITE memory access at common-image.c</li> <li>CVE-2018-20549: Illegal WRITE memory access at caca/file.c</li> - <li>CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize</li> + <li>CVE-2021-3410: Buffer overflow in libcaca/caca/canvas.c in function caca_resize</li> <li>CVE-2021-30498: Heap buffer overflow in export.c in function export_tga</li> <li>CVE-2021-30499: Buffer overflow in export.c in function export_troff</li> </ul> @@ -10387,7 +13622,7 @@ can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, - though this has not been demonstrated. In particular, release + though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.</p> </body> |
