a) realloc acting as free
b) realloc allocating too few bytes
c) undefined behavior
Fix integer overflow on variable m_groupSize in function doProlog leading to realloc acting as free. Impact is denial of service or other undefined behavior. Prevent integer overflows near memory allocation at multiple places. For more information, see:
- Use the values of --min-port and --max-port in outgoing TCP connections to upstream DNS servers.
- Fix a remote buffer overflow problem in the DNSSEC code. Any dnsmasq with DNSSEC compiled in and enabled is vulnerable to this, referenced by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687.
- Be sure to only accept UDP DNS query replies at the address from which the query was originated. This keeps as much entropy in the {query-ID, random-port} tuple as possible, to help defeat cache poisoning attacks. Refer: CVE-2020-25684.
- Use the SHA-256 hash function to verify that DNS answers received are for the questions originally asked. This replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise). Refer: CVE-2020-25685.
- Handle multiple identical near-simultaneous DNS queries better. Previously, such queries would all be forwarded independently. This is, in theory, inefficient but in practice not a problem, _except_ that it means that an answer for any of the forwarded queries will be accepted and cached. An attacker can send a query multiple times, and for each repeat, another {port, ID} becomes capable of accepting the answer he is sending in the blind, to random IDs and ports. The chance of a successful attack is therefore multiplied by the number of repeats of the query. The new behaviour detects repeated queries and merely stores the clients sending repeats so that when the first query completes, the answer can be sent to all the clients who asked. Refer: CVE-2020-25686.
- Inferior OCSP verification [93]
- FTP wildcard stack overflow [95]
- Trusting FTP PASV responses [97]
freepkg ir avahi and then freepkg u libreoffice to upgrade.
==== 2020-09-05 ====
gnutls-3.6.15: Upgraded.
libgnutls: Fixed “no_renegotiation” alert handling at incorrect timing,
which could lead to an application crash.
[GNUTLS-SA-2020-09-04, CVSS: medium]
(Security fix)
==== 2020-08-21 ====
bind-9.11.22: Upgraded.
This update fixes three security issues:
“update-policy” rules of type “subdomain” were incorrectly treated as
“zonesub” rules, which allowed keys used in “subdomain” rules to update
names outside of the specified subdomains. The problem was fixed by making
sure “subdomain” rules are again processed as described in the ARM.
When BIND 9 was compiled with native PKCS#11 support, it was possible to
trigger an assertion failure in code determining the number of bits in the
PKCS#11 RSA public key with a specially crafted packet.
It was possible to trigger an assertion failure when verifying the response
to a TSIG-signed request.
For more information, see:
- CVE-2018-20030: Fix for recursion DoS
- CVE-2020-13114: Time consumption DoS when parsing canon array markers
- CVE-2020-13113: Potential use of uninitialized memory
- CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
- CVE-2020-0093: read overflow
- CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs
- CVE-2020-12767: fixed division by zero
- CVE-2016-6328: fixed integer overflow when parsing maker notes
- CVE-2017-7544: fixed buffer overread
- Potential double-free in gdImage*Ptr().
- gdImageColorMatch() out of bounds write on heap.
- Uninitialized read in gdImageCreateFromXbm().
- Double-free in gdImageBmp.
- Potential NULL pointer dereference in gdImageClone().
- Potential infinite loop in gdImageCreateFromGifCtx().
- IPV6_MULTIPLE_TABLES n -> y
- +IPV6_SUBTREES y
These updates fix various bugs and security issues. Be sure to upgrade your initrd after upgrading the kernel packages. If you use lilo to boot your machine, be sure lilo.conf points to the correct kernel and initrd and run lilo as root to update the bootloader. If you use elilo to boot your machine, you should run eliloconfig to copy the kernel and initrd to the EFI System Partition. For more information, see:
Fixed in 4.4.203:
- CRYPTO_CRC32C_INTEL m → y
- +X86_INTEL_TSX_MODE_AUTO n
- +X86_INTEL_TSX_MODE_OFF y
- +X86_INTEL_TSX_MODE_ON n
- FANOTIFY_ACCESS_PERMISSIONS n → y
- Fixed in 4.4.183:
- Fixed in 4.4.185:
- Fixed in 4.4.186:
- Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free.
- Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette.
- Fixed a memory leak in pngtest.c.
- Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in contrib/pngminus; refactor.
- libgnutls, gnutls tools: Every gnutls_free() will automatically set the free'd pointer to NULL. This prevents possible use-after-free and double free issues. Use-after-free will be turned into NULL dereference. The counter-measure does not extend to applications using gnutls_free().
- libgnutls: Fixed a memory corruption (double free) vulnerability in the certificate verification API. Reported by Tavis Ormandy; addressed with the change above. [GNUTLS-SA-2019-03-27, #694]
- libgnutls: Fixed an invalid pointer access via malformed TLS1.3 async messages; Found using tlsfuzzer. [GNUTLS-SA-2019-03-27, #704]
- libgnutls: enforce key usage limitations on certificates more actively. Previously we would enforce it only for the TLS1.2 protocol; now we enforce it even when TLS1.3 is negotiated, and on client certificates as well. When a certificate inappropriate for TLS1.3 is seen in the credentials structure, GnuTLS will disable TLS1.3 support for that session (#690).
- libgnutls: enforce the equality of the two signature parameters fields in a certificate. We were already enforcing the signature algorithm, but there was a bug in parameter checking code.
- Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
- Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
- Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token).
- Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node).
- Fixed bug #77381 (heap buffer overflow in multibyte match_at).
- Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
- Fixed bug #77385 (buffer overflow in fetch_token).
- Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode).
- Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code).
- Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
- Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()).
- Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code).
- NTLM type-2 out-of-bounds buffer read.
- NTLMv2 type-3 header stack buffer overflow.
- SMTP end-of-response out-of-bounds read.
- mod_session: mod_session_cookie does not respect expiry time allowing sessions to be reused. [Hank Ibell]
- mod_http2: fixes a DoS attack vector. By sending slow request bodies to resources not consuming them, httpd cleanup code occupies a server thread unnecessarily. This was changed to an immediate stream reset which discards all stream state and incoming data. [Stefan Eissing]
- mod_ssl: Fix infinite loop triggered by a client-initiated renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and later. PR 63052. [Joe Orton]
- A NULL pointer dereference occurs for an “empty” nick.
- Certain nick names could result in out-of-bounds access when printing theme strings.
- Crash due to a NULL pointer dereference when the number of windows exceeds the available space.
- Use-after-free when SASL messages are received in an unexpected order.
- Use-after-free when a server is disconnected during netsplits.
- Use-after-free when hidden lines were expired from the scroll buffer.
- Segfault when using convert.quoted-printable-encode filter.
- Null pointer dereference in imap_mail.
- imap_open allows running arbitrary shell commands via the mailbox parameter.
- PharData always creates new files with mode 0666.
- Heap Buffer Overflow (READ: 4) in phar_parse_pharfile.
- CVE-2018-14629: Unprivileged adding of CNAME record causing loop in AD Internal DNS server
- CVE-2018-16841: Double-free in Samba AD DC KDC with PKINIT
- CVE-2018-16851: NULL pointer de-reference in Samba AD DC LDAP server
- CVE-2018-16852: NULL pointer de-reference in Samba AD DC DNS servers
- CVE-2018-16853: Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported)
- CVE-2018-16857: Bad password count in AD DC not always effective
- Fixed crash on invalid reply (CVE-2018-14598).
- Fixed off-by-one writes (CVE-2018-14599).
- Fixed out of boundary write (CVE-2018-14600).
- LOW/MEDIUM: Sec 3012: Sybil vulnerability: ephemeral association attack
- LOW: Sec 3505:
- Insufficient input validation on client directory listing in libsmbclient.
- A malicious server could return a directory entry that could corrupt libsmbclient memory.
- Confidential attribute disclosure from the AD LDAP server.
- Missing access control checks allow discovery of confidential attribute values via authenticated LDAP search expressions.
- Fixed install script to rename config file from .new.
- Allow users in the netdev group to make changes. Thanks to voleg, kgha, and zakame.
- Client DoS due to large DH parameter.
- Cache timing vulnerability in RSA Key Generation.
- -X86_DEBUG_STATIC_CPU_HAS n
- CIFS_SMB2 n → y
- +CC_OPTIMIZE_FOR_PERFORMANCE y
- +CIFS_SMB311 n
- +X86_FAST_FEATURE_TESTS y
- Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
- heap-buffer-overflow (READ of size 48) while reading exif data
- mod_md: DoS via Coredumps on specially crafted requests
- mod_http2: DoS for HTTP/2 connections by specially crafted requests
- Make cgexec setgid root (setuid root is an unnecessarily large hammer).
- Added /etc/cgconfig.d/ directory.
- Added “LANG=C” in build script to avoid a bug where rc.cgred reports syntax errors at start.
- library: Fix integer overflow and LPE in file2strvec
- library: Use size_t for alloc functions
- pgrep: Fix stack-based buffer overflow
- ps: Fix buffer overflow in output buffer, causing DOS
- top: Don't use cwd for location of config
- FTP: shutdown response buffer overflow
- RTSP: bad headers buffer over-read
- Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
- stream filter convert.iconv leads to infinite loop on invalid sequence
- Malicious LDAP-Server Response causes crash
- fix for CVE-2018-5712 may not be complete
- Fix integer overflow in combine_hangul()
- Fix integer overflow in punycode decoder
- Fix NULL pointer dereference in g_utf8_normalize()
- Fix NULL pointer dereference in stringprep_ucs4_nfkc_normalize()
- HTTP response splitting in WEBrick.
- Unintentional file and directory creation with directory traversal in tempfile and tmpdir.
- DoS by large request in WEBrick.
- Buffer under-read in String#unpack.
- Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket.
- Unintentional directory traversal by poisoned NUL byte in Dir.
- Multiple vulnerabilities in RubyGems.
- Corrected an issue where large sized 'X/x' format options were causing option handling logic to overwrite memory when expanding them to human readable form. Reported by Felix Wilhelm, Google Security Team.
- Option reference count was not correctly decremented in error path when parsing buffer for options. Reported by Felix Wilhelm, Google Security Team.
For more information, see:
- LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. Reported by Matt Van Gundy of Cisco.
- INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. Reported by Yihan Lian of Qihoo 360.
- LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations. Reported on the questions@ list.
- LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover from bad state. Reported by Miroslav Lichvar of Red Hat.
- LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet can reset authenticated interleaved association. Reported by Miroslav Lichvar of Red Hat.
For more information, see:
- gcc-g++-5.5.0: Upgraded.
- gcc-gfortran-5.5.0: Upgraded.
- gcc-gnat-5.5.0: Upgraded.
- gcc-go-5.5.0: Upgraded.
- gcc-java-5.5.0: Upgraded.
- gcc-objc-5.5.0: Upgraded.
- CVE-2017-14746 (Use-after-free vulnerability.)
- CVE-2017-15275 (Server heap memory information leak.)
- gnucash-2.6.13 and its pre-requisites
- goffice0.8-0.8.17
- libgnomecanvas
- libofx-0.9.11
- libwebp-0.6.0
- webkitgtk-2.4.11
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
For more information, see:
- URL globbing out of bounds read
- TFTP sends more than buffer size
- FILE buffer read out of bounds
- DoS vulnerabilities. (CVE-2016-9317)
- double-free in gdImageWebPtr() (CVE-2016-6912)
- potential unsigned underflow in gd_interpolation.c (CVE-2016-10166)
- DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)
- Signed Integer Overflow gd_io.c (CVE-2016-10168)
- important: ap_get_basic_auth_pw() Authentication Bypass CVE-2017-3167
- important: mod_ssl Null Pointer Dereference CVE-2017-3169
- important: mod_http2 Null Pointer Dereference CVE-2017-7659
- important: ap_find_token() Buffer Overread CVE-2017-7668
- important: mod_mime Buffer Overread CVE-2017-7679
- Denial of Service via Malformed Config (Medium)
- Authenticated DoS via Malicious Config Option (Medium)
- Potential Overflows in ctl_put() functions (Medium)
- Buffer Overflow in ntpq when fetching reslist from a malicious ntpd (Medium)
- 0rigin DoS (Medium)
- Buffer Overflow in DPTS Clock (Low)
- Improper use of snprintf() in mx4200_send() (Low)
- The following issues do not apply to Linux systems:
- Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low)
- Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low)
- Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low)