Log

CVE-2018-16865 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ A memory corruption vulnerability has been found in the journald component of systemd >= v201 and <= v240, in the journal_file_append_entry() function. Sending a large "native" message to /run/systemd/journal/socket led to an attacker-controlled alloca(), which could be used to move the stack pointer past the guard page and overwrite memory, in stack-clash fashion.
References
+ https://www.qualys.com/2019/01/09/system-down/system-down.txt
+ https://github.com/systemd/systemd/pull/11374
+ https://github.com/systemd/systemd/pull/11374/commits/052c57f132f04a3cf4148f87561618da1a6908b4
Notes
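Added example, not systemd's code: a C parser for the journald native datagram format (KEY=VALUE\n text fields, or KEY\n + 8-byte little-endian length + data + \n for binary fields) that bounds the field count before it allocates anything and keeps the per-field iovec array on the heap. The cap NATIVE_FIELDS_MAX, the function names and the sample datagram are assumptions made for this illustration; only the wire format is systemd's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Assumed cap for this example; not one of systemd's own constants. */
#define NATIVE_FIELDS_MAX 1024

/* Parse one journald "native" datagram into an iovec per field. Each field is
 * either "KEY=VALUE\n" or the binary form "KEY\n" + 8-byte little-endian data
 * length + data + "\n". Returns the field count (and, when iov != NULL, a
 * heap array the caller frees), or -1 on malformed input or when the count
 * exceeds NATIVE_FIELDS_MAX.
 *
 * The shape behind CVE-2018-16865 is sizing a stack array from the sender's
 * field count before bounding it, e.g. alloca(n * sizeof(struct iovec)):
 * a large n moves the stack pointer past the guard page. Bounding n first and
 * keeping the array off the stack takes that control away from the sender. */
int native_message_to_iovec(const char *msg, size_t len, struct iovec **iov) {
    struct iovec *v = NULL;
    size_t i = 0;
    int n = 0;

    if (iov && !(v = calloc(NATIVE_FIELDS_MAX, sizeof *v)))
        return -1;

    while (i < len) {
        const char *nl = memchr(msg + i, '\n', len - i);
        size_t name_len;

        if (!nl)
            goto bad;
        name_len = (size_t)(nl - (msg + i));
        if (name_len == 0)                    /* empty field name */
            goto bad;
        if (n >= NATIVE_FIELDS_MAX)           /* bound before allocating or indexing */
            goto bad;

        if (memchr(msg + i, '=', name_len)) {
            if (v) {
                v[n].iov_base = (void *)(msg + i);
                v[n].iov_len = name_len;
            }
            i += name_len + 1;
        } else {
            uint64_t size = 0;
            i += name_len + 1;                /* skip "KEY\n" */
            if (len - i < 8)
                goto bad;
            for (int b = 0; b < 8; b++)
                size |= (uint64_t)(unsigned char)msg[i + b] << (8 * b);
            i += 8;
            if (size >= len - i || msg[i + size] != '\n')
                goto bad;                     /* data must fit and end in '\n' */
            if (v) {
                v[n].iov_base = (void *)(msg + i);
                v[n].iov_len = (size_t)size;
            }
            i += (size_t)size + 1;
        }
        n++;
    }
    if (iov)
        *iov = v;
    return n;
bad:
    free(v);
    return -1;
}

/* Constructed sample datagram: two text fields and one binary field whose
 * data contains a newline. Literals are split so "\x00" is not followed by a
 * hex digit. */
static const char SAMPLE[] =
    "MESSAGE=hello\n"
    "PRIORITY=6\n"
    "BLOB\n" "\x03\x00\x00\x00\x00\x00\x00\x00" "a\nb" "\n";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Length of field idx in SAMPLE via the iovec path, or 0 if parsing fails. */
size_t sample_field_len(int idx) {
    struct iovec *v = NULL;
    int n = native_message_to_iovec(SAMPLE, SAMPLE_LEN, &v);
    size_t l = (idx >= 0 && n > idx) ? v[idx].iov_len : 0;
    free(v);
    return l;
}

/* Build n "K=v\n" fields and report whether the parser accepts them all. */
int accepts_field_count(int n) {
    size_t len = (size_t)n * 4;
    char *buf = malloc(len ? len : 1);
    int r;
    if (!buf)
        return 0;
    for (int k = 0; k < n; k++)
        memcpy(buf + 4 * (size_t)k, "K=v\n", 4);
    r = native_message_to_iovec(buf, len, NULL) == n;
    free(buf);
    return r;
}

int main(void) {
    printf("sample fields: %d\n", native_message_to_iovec(SAMPLE, SAMPLE_LEN, NULL));
    printf("%d fields accepted: %d\n", NATIVE_FIELDS_MAX + 1,
           accepts_field_count(NATIVE_FIELDS_MAX + 1));
    return 0;
}
```

The important ordering is that the count check happens before any allocation is sized from it; a fixed-size heap array (or a malloc of a bounded size) also means a rejected datagram never touches the stack layout at all.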
CVE-2018-16866 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Local
Type
+ Information disclosure
Description
+ An out-of-bounds read has been found in the journald component of systemd >= v221 and < v240, in the syslog_parse_identifier() function in journald-syslog.c. A crafted syslog message whose last character is ':' can trigger this vulnerability to leak information about the content of the memory.
References
+ https://www.qualys.com/2019/01/09/system-down/system-down.txt
+ https://www.openwall.com/lists/oss-security/2019/01/09/3
+ https://github.com/systemd/systemd/commit/a6aadf4ae0bae185dc4c414d492a4a781c80ffe5
+ https://github.com/systemd/systemd/commit/8595102d3ddde6d25c282f965573a6de34ab4421
Notes
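Added example, not systemd's code: a minimal C reimplementation of the identifier-parsing pattern, showing the strchr-on-NUL pitfall beside the strspn form that stays inside the string. The identifier rules (up to the first whitespace, must end in ':'), the WS set, the function names and the sample lines are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WS " \t\n\r"

/* Shape of the bug: the identifier is everything up to the first whitespace
 * and must end in ':'. The cursor is then moved past one optional whitespace
 * character with strchr(WS, c). For c == '\0' strchr matches WS's own
 * terminating NUL and returns non-NULL, so a line that ends right after the
 * ':' advances the cursor one byte past the string's terminator; whatever
 * follows in memory is then parsed as the log message. Returns the offset at
 * which the caller continues reading. */
size_t parse_identifier_vuln(const char *msg) {
    size_t l = strcspn(msg, WS);
    size_t e;
    if (l == 0 || msg[l - 1] != ':')
        return 0;
    e = l;
    if (strchr(WS, msg[e]))                  /* BUG: also true for '\0' */
        e++;
    return e;
}

/* Hardened: strspn counts only characters that are in WS and stops at the
 * NUL, so the cursor can never leave the string. Copies the identifier
 * (without its ':') into ident when ident is non-NULL. */
size_t parse_identifier_safe(const char *msg, char *ident, size_t cap) {
    size_t l = strcspn(msg, WS);
    if (l == 0 || msg[l - 1] != ':')
        return 0;
    if (ident && cap > 0) {
        size_t n = l - 1;
        if (n >= cap)
            n = cap - 1;
        memcpy(ident, msg, n);
        ident[n] = '\0';
    }
    return l + strspn(msg + l, WS);
}

/* 1 if the vulnerable parser hands the caller an offset beyond the
 * terminating NUL of msg (an out-of-bounds read), else 0. */
int vuln_overruns(const char *msg) {
    return parse_identifier_vuln(msg) > strlen(msg);
}

/* 1 if the hardened parser extracts `expect` as the identifier of msg. */
int safe_identifier_is(const char *msg, const char *expect) {
    char ident[64];
    if (parse_identifier_safe(msg, ident, sizeof ident) == 0)
        return 0;
    return strcmp(ident, expect) == 0;
}

/* Constructed samples: a normal syslog line and a crafted one ending in ':'. */
#define NORMAL_LINE  "sshd[123]: Accepted publickey for root"
#define CRAFTED_LINE "sshd:"

int main(void) {
    printf("normal : vuln offset %zu, safe offset %zu, overrun %d\n",
           parse_identifier_vuln(NORMAL_LINE),
           parse_identifier_safe(NORMAL_LINE, NULL, 0), vuln_overruns(NORMAL_LINE));
    printf("crafted: vuln offset %zu, safe offset %zu, overrun %d\n",
           parse_identifier_vuln(CRAFTED_LINE),
           parse_identifier_safe(CRAFTED_LINE, NULL, 0), vuln_overruns(CRAFTED_LINE));
    return 0;
}
```

The offsets are returned rather than dereferenced so the vulnerable variant can be exercised without actually reading out of bounds; in a real parser the caller would start reading the message body at that offset. Audit tip: any strchr(set, c) where c can be '\0' is a candidate for this class of bug.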
CVE-2018-16873 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary command execution
Description
+ In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is vulnerable only in GOPATH mode, not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".
References
+ https://groups.google.com/forum/#!msg/golang-announce/Kw31K8G7Fi0/z2olKn-QCAAJ
+ https://github.com/golang/go/issues/29230
+ https://github.com/golang/go/commit/8954addb3294a5e664a9833354bafa58f163fe8f
+ https://github.com/golang/go/commit/5aedc8af94c0a8ffc58cbd09993192dea9b238db
Notes
CVE-2018-16874 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Directory traversal
Description
+ In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is vulnerable only in GOPATH mode, not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
References
+ https://github.com/golang/go/issues/29231
+ https://github.com/golang/go/commit/8954addb3294a5e664a9833354bafa58f163fe8f
+ https://github.com/golang/go/commit/90d609ba6156299642d08afc06d85ab770a03972
Notes
CVE-2018-16875 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
References
+ https://github.com/golang/go/issues/29233
+ https://github.com/golang/go/commit/df523969435b8945d939c7e2a849b50910ef4c25
Notes
CVE-2018-16890 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow. Using that overflow, a malicious or broken NTLM server could trick libcurl into accepting a bad length + offset combination that leads to a buffer read out-of-bounds.
References
+ https://curl.haxx.se/docs/CVE-2018-16890.html
+ https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb
Notes
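Added example, not libcurl's code: a C check of the NTLM type-2 TargetInfo descriptor (16-bit length at offset 40, 32-bit offset at offset 44 of the 48-byte fixed header, per the NTLM message layout), with the overflow-prone "offset + length" comparison beside a form that validates the offset on its own before comparing the length against the remaining space. The function names, TYPE2_HEADER_LEN and the constructed 64-byte message are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTLM type-2 fixed header: signature(8) type(4) TargetName fields(8)
 * flags(4) challenge(8) reserved(8) TargetInfo fields(8) = 48 bytes. The
 * TargetInfo descriptor is a 16-bit length at offset 40 and a 32-bit offset
 * at offset 44, both little-endian and both chosen by the server. */
#define TYPE2_HEADER_LEN 48

static uint16_t le16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: offset + length is added in 32-bit arithmetic before the
 * comparison, so an offset near UINT32_MAX wraps the sum to a small value and
 * the check passes although the offset points far outside the message. */
int target_info_ok_vuln(const unsigned char *type2, size_t type2len) {
    uint16_t len;
    uint32_t off;
    if (type2len < TYPE2_HEADER_LEN)
        return 0;
    len = le16(type2 + 40);
    off = le32(type2 + 44);
    if (len > 0 && ((off + len) > type2len || off < TYPE2_HEADER_LEN))
        return 0;                             /* off + len can wrap */
    return 1;
}

/* Hardened: validate the offset on its own first, then compare the length
 * against the space that remains; neither step can overflow. */
int target_info_ok_safe(const unsigned char *type2, size_t type2len) {
    uint16_t len;
    uint32_t off;
    if (type2len < TYPE2_HEADER_LEN)
        return 0;
    len = le16(type2 + 40);
    off = le32(type2 + 44);
    if (len == 0)
        return 1;
    if (off < TYPE2_HEADER_LEN || off > type2len)
        return 0;
    if ((size_t)len > type2len - off)
        return 0;
    return 1;
}

/* Constructed 64-byte type-2 message with the given TargetInfo descriptor;
 * everything else is zero apart from the signature and message type. */
void build_type2(unsigned char *buf, uint16_t ti_len, uint32_t ti_off) {
    memset(buf, 0, 64);
    memcpy(buf, "NTLMSSP", 8);                /* 8 bytes including the NUL */
    buf[8] = 2;                               /* MessageType = 2 (challenge) */
    buf[40] = (unsigned char)(ti_len & 0xff);
    buf[41] = (unsigned char)(ti_len >> 8);
    buf[42] = buf[40];                        /* MaximumLength mirrors Length */
    buf[43] = buf[41];
    for (int b = 0; b < 4; b++)
        buf[44 + b] = (unsigned char)((ti_off >> (8 * b)) & 0xff);
}

/* Run one of the checks over a constructed message. */
int check_with(int (*check)(const unsigned char *, size_t),
               uint16_t ti_len, uint32_t ti_off) {
    unsigned char buf[64];
    build_type2(buf, ti_len, ti_off);
    return check(buf, sizeof buf);
}

int main(void) {
    printf("honest  (len 8,    off 48):         vuln=%d safe=%d\n",
           check_with(target_info_ok_vuln, 8, 48),
           check_with(target_info_ok_safe, 8, 48));
    printf("wrapped (len 0x20, off 0xfffffff0): vuln=%d safe=%d\n",
           check_with(target_info_ok_vuln, 0x20, 0xfffffff0u),
           check_with(target_info_ok_safe, 0x20, 0xfffffff0u));
    return 0;
}
```

The general rule the hardened version follows: compare each attacker-supplied offset against the buffer size by itself, then compare the length against the remainder (size - offset), so no addition of two attacker-controlled values ever happens.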
CVE-2018-16984 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ In Django 2.1 before 2.1.2, if an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but not change) permission to the user model were shown the entire hash. While it is typically infeasible to reverse a strong password hash, if a site uses weaker password hashing algorithms such as MD5 or SHA1, this could be a problem.
References
+ https://www.djangoproject.com/weblog/2018/oct/01/security-release/
+ https://github.com/django/django/commit/c4bd5b597e0aa2432e4c867b86650f18af117851
Notes
CVE-2018-17144 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input.
+ For any attempt to double-spend a transaction output within a single transaction inside a block, where the output being spent was created in the same block, the same assertion failure occurs (as in the test case included in the 0.16.3 patch). However, if the output being double-spent was created in a previous block, an entry will still remain in the CCoin map with the DIRTY flag set and marked as spent, so no assertion fires. This could allow a miner to inflate the supply of Bitcoin, as they would then be able to claim the value being spent twice.
References
+ https://bitcoincore.org/en/2018/09/20/notice/
Notes
CVE-2018-17182 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Privilege escalation
Description
+ An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.
References
+ https://www.exploit-db.com/exploits/45497/
+ http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7a9cdebdcc17e426fb5287e4a82db1dfe86339b2
+ https://github.com/torvalds/linux/commit/7a9cdebdcc17e426fb5287e4a82db1dfe86339b2
Notes
CVE-2018-17189 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ By sending request bodies slowloris-style to plain resources, the h2 stream of Apache HTTP Server before 2.4.38 for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
References
+ https://httpd.apache.org/security/vulnerabilities_24.html#2.4.38
Notes