A cross-site scripting vulnerability has been found in Drupal, a fully-featured content management framework. For additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2019-006 .
Comment
Archive for Debian
56 results.
Several vulnerabilities have been discovered in the Rubygems included in the interpreter for the Ruby language, which may result in denial of service or the execution of arbitrary code.
Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL PostScript/PDF interpreter, which could result in bypass of file system restrictions of the dSAFER sandbox.
Chris Coulson discovered several vulnerabilities in libssh2, a SSH2 client-side library, which could result in denial of service, information leaks or the execution of arbitrary code.
Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven) found multiple vulnerabilities in the WPA implementation found in wpa_supplication (station) and hostapd (access point). These vulnerability are also collectively known as “Dragonblood”.
It was discovered that SPIP, a website engine for publishing, did not properly sanitize its user input. This would allow an authenticated user to perform arbitrary command execution.
Jann Horn discovered that the PAM module in systemd insecurely uses the environment and lacks seat verification permitting spoofing an active session to PolicyKit. A remote attacker with SSH access can take advantage of this issue to gain PolicyKit privileges that are normally
Michael Hanselmann discovered that Samba, a SMB/CIFS file, print, and login server for Unix, was vulnerable to a symlink traversal attack. It would allow remote authenticated users with write permission to either write or detect files outside of Samba shares.
Cedric Krier discovered that missing access validation in Tryton could result in information disclosure . For the stable distribution (stretch), this problem has been fixed in
Kusano Kazuhiko discovered a buffer overflow vulnerability in the handling of Internationalized Resource Identifiers (IRI) in wget, a network utility to retrieve files from the web, which could result in the execution of arbitrary code or denial of service when recursively
Adam Dobrawy, Frederico Silva and Gregory Brzeski from HyperOne.com discovered that pdns, an authoritative DNS server, did not properly validate user-supplied data when building a HTTP request from a DNS query in the HTTP Connector of the Remote backend. This would allow a
Multiple vulnerabilities were found in the PuTTY SSH client, which could result in denial of service and potentially the execution of arbitrary code. In addition, in some situations random numbers could potentially be re-used.
Several vulnerabilities have been found in the Apache HTTP server. CVE-2018-17189
Several vulnerabilities have been discovered in the chromium web browser. CVE-2019-5787
Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code or denial of service. For the stable distribution (stretch), these problems have been fixed in
Fabien Potencier discovered that twig, a template engine for PHP, did not correctly enforce sandboxing. This could result in potential information disclosure.
A vulnerability was discovered in the Dovecot email server. When reading FTS or POP3-UIDL headers from the Dovecot index, the input buffer size is not bounds-checked. An attacker with the ability to modify dovecot indexes, can take advantage of this flaw for privilege escalation or the
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.
It was discovered that Wireshark, a network traffic analyzer, contained several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE, ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of service.
An arbitrary file read vulnerability was discovered in passenger, a web application server. A local user allowed to deploy an application to passenger, can take advantage of this flaw by creating a symlink from the REVISION file to an arbitrary file on the system and have its
Several issues have been discovered in Apache module auth_mellon, which provides SAML 2.0 authentication. CVE-2019-3877
A heap-based buffer overflow was discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of this flaw for local root privilege escalation.
A memory disclosure vulnerability was discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in information disclosure or bypass of sandbox restrictions.
It was discovered that missing input sanitising in the file module of Drupal, a fully-featured content management framework, could result in cross-site scripting.
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.
Erik Olof Gunnar Andersson discovered that incorrect validation of port settings in the iptables security group driver of Neutron, the OpenStack virtual network service, could result in denial of service in a multi tenant setup.
Multiple security issues were discovered in liveMedia, a set of C++ libraries for multimedia streaming which could result in the execution of arbitrary code or denial of service when parsing a malformed RTSP stream.
Francis McBratney discovered that the Windows Azure Linux Agent created swap files with world-readable permissions, resulting in information disclosure.
Ross Geerlings discovered that the XMLTooling library didn’t correctly handle exceptions on malformed XML declarations, which could result in denial of service against the application using XMLTooling.
Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, that could be leveraged to cause a denial of service or possibly remote code execution.