Log

CVE-2019-10691 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ The JSON encoder in Dovecot 2.3 incorrectly assert-crashes when encountering invalid UTF-8 characters. This can be used to crash Dovecot in two ways. An attacker can repeatedly crash the Dovecot authentication process by logging in with an invalid UTF-8 sequence in the username; this requires that auth policy is enabled. A crash can also occur if the OX push notification driver is enabled and an email is delivered with an invalid UTF-8 sequence in the From or Subject header. In 2.2, malformed UTF-8 sequences are forwarded "as-is" and thus do not cause problems in Dovecot itself, but target systems should be checked for possible problems in dealing with such sequences.
References
+ https://wiki.dovecot.org/Authentication/Policy
Notes
CVE-2019-11358 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Cross-site scripting
Description
+ jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
+
+ The bundled version of jQuery used by the Django admin has been patched to allow for the select2 library's use of jQuery.extend().
References
Notes
CVE-2019-11461 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Sandbox escape
Description
+ An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI ioctl to push characters into the input buffer of the thumbnailer's controlling terminal, allowing an attacker to escape the sandbox if the thumbnailer has a controlling terminal. This is due to improper filtering of the TIOCSTI ioctl on 64-bit systems, similar to CVE-2019-10063.
References
+ https://gitlab.gnome.org/GNOME/nautilus/issues/987
+ https://gitlab.gnome.org/GNOME/nautilus/commit/2ddba428ef2b13d0620bd599c3635b9c11044659
Notes
CVE-2019-11477 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ An integer overflow has been discovered in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A sequence of SACKs may be crafted such that one can trigger a kernel panic. A remote attacker could use this to cause a denial of service (system crash).
References
+ https://www.openwall.com/lists/oss-security/2019/06/17/5
+ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ https://access.redhat.com/security/vulnerabilities/tcpsack
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b4929f65b0d8249f19a50245cd88ed1a2f78cff
Notes
+ Workaround:
+
+ $ sudo sysctl -w net.ipv4.tcp_sack=0
+ net.ipv4.tcp_sack = 0
+
+ IMPORTANT: The sysctl modification shown above is not persistent across reboots
CVE-2019-11478 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel's socket buffer (SKB) data structure becomes fragmented, which leads to increased resource utilization to traverse and process these fragments as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a denial of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection.
References
+ https://www.openwall.com/lists/oss-security/2019/06/17/5
+ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ https://access.redhat.com/security/vulnerabilities/tcpsack
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e
Notes
+ Workaround:
+
+ $ sudo sysctl -w net.ipv4.tcp_sack=0
+ net.ipv4.tcp_sack = 0
+
+ IMPORTANT: The sysctl modification shown above is not persistent across reboots
CVE-2019-11479 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection was set to low values, such as 48 bytes, it can leave as little as 8 bytes for the user data, which significantly increases the Linux kernel's resource (CPU, Memory, and Bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with low TCP MSS.
References
+ https://www.openwall.com/lists/oss-security/2019/06/17/5
+ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ https://access.redhat.com/security/vulnerabilities/tcpsack
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
Notes
+ Workaround:
+
+ $ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
+
+ IMPORTANT: The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when using the iptables rules shown above. Ensure it is disabled using the following command:
+
+ $ sysctl net.ipv4.tcp_mtu_probing
+ net.ipv4.tcp_mtu_probing = 0
CVE-2019-11494 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ Submission-login crashes with signal 11 due to a null pointer access when authentication is aborted by disconnecting. This can lead to a denial-of-service attack by persistent attacker(s).
References
+ https://www.mail-archive.com/fulldisclosure@seclists.org/msg06126.html
+ https://dovecot.org/pipermail/dovecot/2019-April/115757.html
Notes
CVE-2019-11499 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ Submission-login crashes when authentication is started over a TLS-secured channel and an invalid authentication message is sent. This can lead to a denial-of-service attack by persistent attacker(s).
References
+ https://www.mail-archive.com/fulldisclosure@seclists.org/msg06126.html
+ https://dovecot.org/pipermail/dovecot/2019-April/115758.html
Notes
CVE-2019-11500 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ The IMAP and ManageSieve protocol parsers in Dovecot before 2.3.7.2 and Pigeonhole before 0.5.7.2 do not properly handle a NUL byte when scanning data in quoted strings, leading to out-of-bounds heap memory writes.
References
+ https://dovecot.org/pipermail/dovecot-news/2019-August/000418.html
+ https://github.com/dovecot/core/commit/85fcb895ca7f0bcb8ee72047fe0e1e78532ff90b
+ https://github.com/dovecot/core/commit/f904cbdfec25582bc5e2a7435bf82ff769f2526a
+ https://github.com/dovecot/pigeonhole/commit/7ce9990a5e6ba59e89b7fe1c07f574279aed922c
+ https://github.com/dovecot/pigeonhole/commit/4a299840cdb51f61f8d1ebc0210b19c40dfbc1cc
Notes
CVE-2019-11683 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x through 5.0.11 allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have unspecified other impact via UDP packets with a 0 payload, because of mishandling of padded packets, aka the "GRO packet of death" issue.
References
+ https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=4dd2b82d5adfbe0b1587ccad7a8f76d826120f37
+ http://www.securityfocus.com/bid/108142
+ http://www.openwall.com/lists/oss-security/2019/05/05/4
+ http://www.openwall.com/lists/oss-security/2019/05/02/1
Notes