Log

CVE-2019-6454 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Denial of service
Description
+ It was found that bus_process_object() in bus-objects.c allocates a buffer on the stack large enough to temporarily store the object path specified in the incoming message. A malicious unprivileged local user can send a message which results in the stack pointer moving outside of the bounds of the currently mapped stack region, jumping over the stack guard pages. A specially crafted DBUS message could crash PID 1 and result in a subsequent kernel panic.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1667032
+ https://www.openwall.com/lists/oss-security/2019/02/18/3
+ https://github.com/systemd/systemd/commit/612b74d32f970c43c14ad087ad086424792981b1
+ https://github.com/systemd/systemd/commit/61397a60d98e368a5720b37e83f3169e3eb511c4
+ https://github.com/systemd/systemd/commit/f519a19bcd5afe674a9b8fc462cd77d8bad403c1
Notes
CVE-2019-6465 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable in bind before 9.13.7. A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.
References
+ https://kb.isc.org/docs/cve-2019-6465
Notes
CVE-2019-6472 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ An issue has been found in the Kea DHCPv6 server before 1.6.0 or 1.5.0-P1, which can exit with an assertion failure if the DHCPv6 server process receives a request containing a DUID value which is too large.
References
+ https://kb.isc.org/docs/cve-2019-6472
Notes
CVE-2019-6473 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ An issue has been found in the Kea DHCPv6 server before 1.6.0 or 1.5.0-P1, which can exit with an assertion failure if it receives a packet containing a malformed option.
References
+ https://kb.isc.org/docs/cve-2019-6473
Notes
CVE-2019-6474 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ An issue has been found in the Kea DHCPv6 server before 1.6.0 or 1.5.0-P1, where a missing check on incoming client requests can be exploited to cause a situation where the Kea server's lease storage contains leases which are rejected as invalid when the server tries to load leases from storage on restart. If the number of such leases exceeds a hard-coded limit in the Kea code, a server trying to restart will conclude that there is a problem with its lease store and give up.
References
+ https://kb.isc.org/docs/cve-2019-6474
Notes
+ CVE-2019-6474 can only affect servers which are using memfile for lease storage
CVE-2019-6486 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Private key recovery
Description
+ Go before versions 1.10.8 and 1.11.5 has a vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves. A remote attacker can exploit this by crafting inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
References
+ https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
+ https://github.com/golang/go/issues/29903
+ https://github.com/golang/go/commit/42b42f71
Notes
CVE-2019-6974 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object; later this reference is transferred to the caller's file descriptor table. If such a file descriptor were closed, the reference count of the VM object could become zero, potentially leading to a use-after-free issue. A user/process could use this flaw to crash the guest VM, resulting in a denial of service, or, potentially, gain privileged access to a system.
References
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cfa39381173d5f969daf43582c95ad679189cbc9
+ https://bugs.chromium.org/p/project-zero/issues/detail?id=1765
+ https://www.exploit-db.com/exploits/46388
Notes
CVE-2019-6975 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows uncontrolled memory consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
+ If the affected numberformat function, as used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters, receives a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().
References
+ https://www.djangoproject.com/weblog/2019/feb/11/security-releases/
+ https://www.openwall.com/lists/oss-security/2019/02/11/1
+ https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227
+ https://github.com/django/django/commit/40cd19055773705301c3428ed5e08a036d2091f3
Notes
CVE-2019-6977 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.
References
+ https://bugs.php.net/bug.php?id=77270
+ https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
Notes
CVE-2019-6978 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c.
References
+ https://github.com/libgd/libgd/issues/492
+ https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0
Notes