CVE-2019-10126 – kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c
https://notcve.org/view.php?id=CVE-2019-10126
A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences. Se encontró un defecto en el kernel de Linux. Un desbordamiento de búfer en la región heap de la memoria en la función mwifiex_uap_parse_tail_ies en el archivo drivers/net/wireless/marvell/mwifiex/ie.c, podría provocar corrupción de la memoria y posiblemente otras consecuencias. A flaw was found in the mwifiex implementation in the Linux kernel. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00025.html http://packetstormsecurity.com/files/153702/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html http://packetstormsecurity.com/files/154245/Kernel-Live-Patch-Security-Notice-LSN-0054-1.html http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html http://www.securityfocus.com/bid/108817 https://access.redhat.com/errat • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2019-11356 – cyrus-imapd: buffer overflow in CalDAV request handling triggered by a long iCalendar property name
https://notcve.org/view.php?id=CVE-2019-11356
The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name. La función CalDAV en httpd en Cyrus IMAP 2.5.x a 2.5.12 y 3.0.x a 3.0.9 permite a los atacantes remotos ejecutar código arbitrario a través de una operación HTTP PUT diseñada para un evento con un nombre de propiedad largo de iCalendar. A flaw was found in the CalDAV feature in httpd in Cyrus IMAP. This flaw allows a remote attacker to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name. • https://access.redhat.com/errata/RHSA-2019:1771 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGO43JS7IFDNITHXOOHOP6JHRKRDIYY6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PICSZDC3UGEUZ27VXGGM6OFI67D3KKLZ https://seclists.org/bugtraq/2019/Jun/9 https://usn.ubuntu.com/4566-1 https://www.cyrusimap.org/imap/download/release-notes/2.5/index.html https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.13& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2019-12450 – glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress
https://notcve.org/view.php?id=CVE-2019-12450
file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. La función file_copy_fallback en el archivo gio/gfile.c en GNOME GLib versión 2.15.0 hasta la 2.61.1, no restringe apropiadamente los permisos de los archivos durante una operación de copia en progreso. En su lugar, se utilizan los permisos por defecto. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00076.html https://access.redhat.com/errata/RHSA-2019:3530 https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174 https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI https://security.netapp.com/advisory/ntap-20190606-0003 https://usn.ubuntu.com/4014-1 https://usn.ubuntu.com/4014- • CWE-276: Incorrect Default Permissions CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-552: Files or Directories Accessible to External Parties •
CVE-2019-0820 – dotnet: timeouts for regular expressions are not enforced
https://notcve.org/view.php?id=CVE-2019-0820
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981. Existe una vulnerabilidad de Denegación de Servicio (DoS) cuando .NET Framework y .NET Core procesan inapropiadamente cadenas RegEx, conocidas como ".NET Framework y .NET Core Denial of Service Vulnerability". Este ID de CVE es diferente de CVE-2019-0980, CVE-2019-0981. • https://access.redhat.com/errata/RHSA-2019:1259 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0820 https://access.redhat.com/security/cve/CVE-2019-0820 https://bugzilla.redhat.com/show_bug.cgi?id=1705506 • CWE-400: Uncontrolled Resource Consumption •
CVE-2019-11833 – kernel: fs/ext4/extents.c leads to information disclosure
https://notcve.org/view.php?id=CVE-2019-11833
fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem. fs / ext4 / extents.c en el kernel de Linux hasta 5.1.2 no pone a cero la región de memoria no utilizada en el bloque del árbol de extensión, lo que podría permitir a los usuarios locales obtener información confidencial al leer datos no inicializados en el sistema de archivos. A flaw was found in the Linux kernel's implementation of ext4 extent management. The kernel doesn't correctly initialize memory regions in the extent tree block which may be exported to a local user to obtain sensitive information by reading empty/uninitialized data from the filesystem. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00071.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00048.html http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html http://www.securityfocus.com/bid/108372 https://access.redhat.com/errata/RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-908: Use of Uninitialized Resource •