CVE-2017-12904
https://notcve.org/view.php?id=CVE-2017-12904
Improper Neutralization of Special Elements used in an OS Command in the bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL. The configured bookmark command was run through the shell with the article's URL and title interpolated into the command line, so a feed entry whose title or link contains shell metacharacters executes arbitrary commands as soon as the user bookmarks it; quoting the fields does not help, because the attacker controls the quote characters too. The upstream fix (commit 96e9506, shipped in Newsbeuter 2.10) stops passing those fields through a shell. • http://www.debian.org/security/2017/dsa-3947 https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307 https://github.com/akrennmair/newsbeuter/issues/591 https://groups.google.com/forum/#%21topic/newsbeuter/iFqSE7Vz-DE https://usn.ubuntu.com/4585-1 • CWE-943: Improper Neutralization of Special Elements in Data Query Logic •
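The two patterns side by side, as an added example that is not Newsbeuter's code: the string-building shape that makes a feed title executable, and an argv-based replacement in which the same title is inert. The command name, field order and hostile title are constructed for the example.

```c
/* Added example (not Newsbeuter's code): the shell-string pattern behind
 * CVE-2017-12904 beside an argv-based replacement. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed hostile feed title: closes the single quote the shell string
 * wraps it in, runs a command, and reopens the quote so the line still parses. */
static const char HOSTILE_TITLE[] = "news'; touch /tmp/pwned; echo '";

/* Vulnerable pattern: feed-controlled fields are quoted into one string that
 * system() hands to /bin/sh. Quoting is not a defence, because the title can
 * contain the quote character itself. Returns 0 on success, -1 if truncated. */
int build_shell_command(char *out, size_t outlen, const char *bookmark_cmd,
                        const char *url, const char *title, const char *desc)
{
    int n = snprintf(out, outlen, "%s '%s' '%s' '%s'",
                     bookmark_cmd, url, title, desc);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened pattern: fork/exec with an argv array. No shell parses the
 * fields, so the child receives the title byte-for-byte as one argument.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_bookmark_argv(const char *bookmark_cmd, const char *url,
                      const char *title, const char *desc)
{
    char *const argv[] = { (char *)bookmark_cmd, (char *)url,
                           (char *)title, (char *)desc, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(bookmark_cmd, argv);
        _exit(127);               /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* 1 if the shell string built from HOSTILE_TITLE contains the injected
 * command as a separate shell statement (exactly what /bin/sh would run). */
int shell_string_carries_injected_command(void)
{
    char cmd[512];
    if (build_shell_command(cmd, sizeof cmd, "bookmark.sh",
                            "http://example.invalid/item", HOSTILE_TITLE, "") != 0)
        return 0;
    return strstr(cmd, "'; touch /tmp/pwned; ") != NULL;
}

/* Exit status of running `true` with the hostile title as an argument:
 * 0 means the title travelled as data; /tmp/pwned is never created. */
int argv_run_exit_status(void)
{
    return run_bookmark_argv("true", "http://example.invalid/item",
                             HOSTILE_TITLE, "");
}

int main(void)
{
    char cmd[512];
    build_shell_command(cmd, sizeof cmd, "bookmark.sh",
                        "http://example.invalid/item", HOSTILE_TITLE, "");
    printf("what system() would hand to /bin/sh:\n  %s\n", cmd);
    printf("argv-based run of `true` exited with %d\n", argv_run_exit_status());
    return 0;
}
```

The program never calls system() on the built string; it only shows what the shell would see. The argv path is the general fix for every "run a user-configurable command with untrusted data" feature, not just bookmarking.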
CVE-2016-3062
https://notcve.org/view.php?id=CVE-2016-3062
The mov_read_dref function in libavformat/mov.c in Libav before 11.7 and FFmpeg before 0.11 allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via the entries value in a dref box in an MP4 file. The entry count is read straight from the file and drives the loop over data-reference entries without first being checked against the size of the enclosing box, so a hostile count lets the parser run past the box contents. A container parser has to bound every count and size read from the file by the bytes that are actually left in the enclosing structure before using it for allocation or iteration. • http://lists.opensuse.org/opensuse-updates/2016-06/msg00105.html http://www.debian.org/security/2016/dsa-3603 https://bugzilla.libav.org/show_bug.cgi?id=929 https://ffmpeg.org/security.html https://git.libav.org/?p=libav.git%3Ba=commit%3Bh=7e01d48cfd168c3dfc663f03a3b6a98e0ecba328 https://github.com/FFmpeg/FFmpeg/commit/689e59b7ffed34eba6159dcc78e87133862e3746 https://libav.org/releases/libav-11.7.changelog https://security.gentoo.org/glsa/201705-08 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
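A minimal dref parser with the bounds check in place, as an added example that is not libavformat's code: the entry count is bounded by the bytes remaining in the box and by the caller's storage, and each entry's own size is checked before it is consumed. The two box payloads are constructed for the example.

```c
/* Added example (not FFmpeg/Libav code): parsing a 'dref' box payload with
 * the count and size checks the vulnerable parser lacked. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DREF_ENTRY_HDR 12   /* size(4) + type(4) + version/flags(4) */

struct dref_entry {
    char type[5];          /* e.g. "url " or "urn ", NUL-terminated */
    uint32_t flags;        /* bit 0 set: media data is in this file */
    const uint8_t *data;   /* location string, if any */
    size_t data_len;
};

static uint32_t rd32be(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Parse the payload of a 'dref' full box (everything after its 8-byte
 * size/type header). Returns the number of entries stored in out[], or
 * -1 when the box is malformed. */
int parse_dref(const uint8_t *box, size_t len, struct dref_entry *out, size_t max_out)
{
    if (len < 8)
        return -1;
    uint32_t entries = rd32be(box + 4);     /* after 1-byte version, 3-byte flags */
    size_t pos = 8;

    /* The missing check: entry_count comes straight from the file. Bound it
     * by what the remaining bytes can hold (each entry has at least a
     * 12-byte header) and by the caller's storage before it drives anything. */
    if (entries > (len - pos) / DREF_ENTRY_HDR || entries > max_out)
        return -1;

    for (uint32_t i = 0; i < entries; i++) {
        if (len - pos < DREF_ENTRY_HDR)      /* an earlier entry may have been large */
            return -1;
        uint32_t esize = rd32be(box + pos);
        /* Each entry's own size must cover its header and stay inside the box. */
        if (esize < DREF_ENTRY_HDR || esize > len - pos)
            return -1;
        memcpy(out[i].type, box + pos + 4, 4);
        out[i].type[4] = '\0';
        out[i].flags = rd32be(box + pos + 8) & 0x00FFFFFF;
        out[i].data = box + pos + DREF_ENTRY_HDR;
        out[i].data_len = esize - DREF_ENTRY_HDR;
        pos += esize;
    }
    return (int)entries;
}

/* Constructed benign payload: one self-contained "url " entry. */
static const uint8_t BENIGN_DREF[] = {
    0x00, 0x00, 0x00, 0x00,   /* version 0, flags 0 */
    0x00, 0x00, 0x00, 0x01,   /* entry_count = 1 */
    0x00, 0x00, 0x00, 0x0c,   /* entry size = 12 */
    'u', 'r', 'l', ' ',       /* entry type */
    0x00, 0x00, 0x00, 0x01,   /* version 0, flags 1 (self-contained) */
};

/* Constructed hostile payload: entry_count 0xFFFFFFFF, one entry present. */
static const uint8_t HOSTILE_DREF[] = {
    0x00, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff,
    0x00, 0x00, 0x00, 0x0c, 'u', 'r', 'l', ' ', 0x00, 0x00, 0x00, 0x01,
};

/* Constructed payload whose single entry claims 64 bytes inside a 20-byte box. */
static const uint8_t OVERSIZED_DREF[] = {
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x40, 'u', 'r', 'l', ' ', 0x00, 0x00, 0x00, 0x01,
};

int demo_benign_entries(void)
{
    struct dref_entry e[4];
    int n = parse_dref(BENIGN_DREF, sizeof BENIGN_DREF, e, 4);
    if (n != 1 || strcmp(e[0].type, "url ") != 0 || e[0].flags != 1 || e[0].data_len != 0)
        return -1;
    return n;   /* 1 */
}

int demo_hostile_count(void)
{
    struct dref_entry e[4];
    return parse_dref(HOSTILE_DREF, sizeof HOSTILE_DREF, e, 4);   /* -1 */
}

int demo_oversized_entry(void)
{
    struct dref_entry e[4];
    return parse_dref(OVERSIZED_DREF, sizeof OVERSIZED_DREF, e, 4);   /* -1 */
}

int main(void)
{
    printf("benign: %d entries, hostile count: %d, oversized entry: %d\n",
           demo_benign_entries(), demo_hostile_count(), demo_oversized_entry());
    return 0;
}
```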
CVE-2015-4000 – LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
https://notcve.org/view.php?id=CVE-2015-4000
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic. The rewrite goes undetected because the server's ServerKeyExchange signature covers the DH parameters and the two hello randoms but not the negotiated cipher suite, so the client sees a legitimately signed 512-bit group under a suite it believes it offered. Export-grade groups are 512 bits, and because most servers share a few standard primes, a one-time number-field-sieve precomputation per prime lets individual sessions be broken quickly afterwards. Servers should disable export cipher suites and use 2048-bit or larger DH groups (or ECDHE); clients should reject DH primes below 1024 bits, which is the minimum browsers adopted after disclosure. • http://aix.software.ibm.com/aix/efixes/security/sendmail_advisory2.asc http://fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-008.txt.asc http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04876402 http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04949778 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10681 http://kb.juniper.net/InfoC • CWE-310: Cryptographic Issues CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
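The client-side check that actually stops the downgrade, as an added example that is not part of any TLS library: parse the ServerDHParams at the front of a ServerKeyExchange body (RFC 5246 section 7.4.3: dh_p, dh_g, dh_Ys, each with a 16-bit length prefix) and refuse any prime shorter than a configured minimum, regardless of which suite the ServerHello named. The parameter blobs are constructed with placeholder bytes; only their lengths matter here.

```c
/* Added example (not library code): measuring the DH prime in a TLS 1.2
 * ServerKeyExchange and enforcing a minimum size against Logjam. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bit length of a big-endian unsigned integer, skipping leading zero bytes. */
size_t be_bit_length(const uint8_t *p, size_t len)
{
    size_t i = 0;
    while (i < len && p[i] == 0)
        i++;
    if (i == len)
        return 0;
    size_t bits = (len - i - 1) * 8;
    for (unsigned b = p[i]; b; b >>= 1)
        bits++;
    return bits;
}

/* ServerDHParams: dh_p, dh_g, dh_Ys, each a 16-bit length followed by that
 * many bytes. Returns the prime's bit length, or 0 if the encoding is
 * malformed (zero-length field or field running past the message). */
size_t dh_prime_bits_from_ske(const uint8_t *ske, size_t len)
{
    size_t pos = 0, p_bits = 0;
    for (int field = 0; field < 3; field++) {
        if (len - pos < 2)
            return 0;
        size_t flen = (size_t)ske[pos] << 8 | ske[pos + 1];
        pos += 2;
        if (flen == 0 || flen > len - pos)
            return 0;
        if (field == 0)
            p_bits = be_bit_length(ske + pos, flen);
        pos += flen;
    }
    return p_bits;
}

/* Client policy: the suite in the ServerHello proves nothing (the MITM
 * rewrote it back to plain DHE and the signature does not cover it), so
 * judge the group the server actually sent. */
int dhe_params_acceptable(const uint8_t *ske, size_t len, size_t min_bits)
{
    size_t bits = dh_prime_bits_from_ske(ske, len);
    return bits != 0 && bits >= min_bits;
}

/* Build constructed ServerDHParams: a p_len-byte prime placeholder with its
 * top bit set (bit length exactly p_len*8), g = 2, and a p_len-byte Ys.
 * Not a real group. Returns bytes written, 0 if out is too small. */
size_t build_ske(uint8_t *out, size_t outlen, size_t p_len)
{
    size_t need = 2 + p_len + 2 + 1 + 2 + p_len;
    if (need > outlen)
        return 0;
    size_t pos = 0;
    out[pos++] = (uint8_t)(p_len >> 8); out[pos++] = (uint8_t)p_len;
    memset(out + pos, 0xff, p_len); pos += p_len;     /* placeholder prime */
    out[pos++] = 0; out[pos++] = 1; out[pos++] = 2;   /* g = 2 */
    out[pos++] = (uint8_t)(p_len >> 8); out[pos++] = (uint8_t)p_len;
    memset(out + pos, 0x5a, p_len); pos += p_len;     /* placeholder Ys */
    return pos;
}

size_t demo_export_prime_bits(void)
{
    uint8_t b[1024];
    size_t n = build_ske(b, sizeof b, 64);              /* 64 bytes = export grade */
    return dh_prime_bits_from_ske(b, n);                /* 512 */
}

int demo_export_group_rejected(void)
{
    uint8_t b[1024];
    size_t n = build_ske(b, sizeof b, 64);
    return dhe_params_acceptable(b, n, 1024);           /* 0 */
}

int demo_2048_group_accepted(void)
{
    uint8_t b[1024];
    size_t n = build_ske(b, sizeof b, 256);
    return dhe_params_acceptable(b, n, 1024);           /* 1 */
}

int demo_truncated_rejected(void)
{
    uint8_t b[1024];
    size_t n = build_ske(b, sizeof b, 256);
    return dhe_params_acceptable(b, n - 10, 1024);      /* 0: Ys runs past the end */
}

int main(void)
{
    printf("export group: %zu bits, accepted=%d; 2048-bit group accepted=%d\n",
           demo_export_prime_bits(), demo_export_group_rejected(),
           demo_2048_group_accepted());
    return 0;
}
```

A 1024-bit floor only matches what browsers shipped in 2015; for new deployments the floor should be 2048 bits, or DHE should be dropped in favour of ECDHE.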
CVE-2015-1863 – wpa_supplicant: P2P SSID processing vulnerability
https://notcve.org/view.php?id=CVE-2015-1863
Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (crash), read memory, or possibly execute arbitrary code via crafted SSID information in a management frame when creating or updating P2P entries. A buffer overflow flaw was found in the way wpa_supplicant handled SSID information in the Wi-Fi Direct / P2P management frames. A specially crafted frame could allow an attacker within Wi-Fi radio range to cause wpa_supplicant to crash or, possibly, execute arbitrary code. The SSID travels in an element with an 8-bit length field, and the P2P code copied it into a fixed 32-octet SSID field of the heap-allocated peer entry without checking that length against the 32-octet maximum; only builds with P2P support enabled (CONFIG_P2P) are affected. • http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00000.html http://packetstormsecurity.com/files/131598/Android-wpa_supplicant-Heap-Overflow.html http://rhn.redhat.com/errata/RHSA-2015-1090.html http://seclists.org/fulldisclosure/2015/Apr/82 http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19 http://w1.fi/security/2015-1/wpa_supplicant-p2p-ssid-overflow.txt http://www.debian.org/security/2015/dsa-3233 http://www.securityfocus.com/archive/1/535353& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
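The bug shape and its fix, as an added example that is not wpa_supplicant's code: a per-peer record with a fixed 32-octet SSID field, the unchecked copy that overruns it, and a parser for an SSID information element (ID byte, length byte, payload) that validates the length against both the frame and the field before copying. The struct name and the frame bytes are constructed for the example.

```c
/* Added example (not wpa_supplicant code): length-checked handling of an
 * SSID element from a management frame into a fixed-size peer record. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX_LEN 32          /* 802.11 limit */
#define WLAN_EID_SSID 0          /* element ID of the SSID element */

struct p2p_peer {                /* hypothetical stand-in for a per-device record */
    uint8_t ssid[SSID_MAX_LEN];
    size_t ssid_len;
    uint32_t neighbour;          /* whatever follows ssid[] is what gets smashed */
};

/* Vulnerable shape: the 8-bit length from the frame is trusted. For
 * ssid_len > 32 this writes past ssid[] into the rest of the heap object. */
void p2p_set_ssid_unchecked(struct p2p_peer *peer, const uint8_t *ssid, size_t ssid_len)
{
    memcpy(peer->ssid, ssid, ssid_len);
    peer->ssid_len = ssid_len;
}

/* Hardened: reject anything longer than the field before copying. */
int p2p_set_ssid(struct p2p_peer *peer, const uint8_t *ssid, size_t ssid_len)
{
    if (ssid_len > SSID_MAX_LEN)
        return -1;
    memcpy(peer->ssid, ssid, ssid_len);
    peer->ssid_len = ssid_len;
    return 0;
}

/* Parse one SSID information element (ID, length, payload) and store it on
 * the peer. The length is checked first against the bytes the frame really
 * holds, then (inside p2p_set_ssid) against the destination field. */
int p2p_parse_ssid_ie(struct p2p_peer *peer, const uint8_t *ie, size_t ie_len)
{
    if (ie_len < 2 || ie[0] != WLAN_EID_SSID)
        return -1;
    size_t slen = ie[1];
    if (slen > ie_len - 2)        /* element claims more than the frame carries */
        return -1;
    return p2p_set_ssid(peer, ie + 2, slen);
}

/* Constructed benign element: a 9-octet P2P-style SSID. */
int demo_benign_ssid_len(void)
{
    static const uint8_t ie[] = { WLAN_EID_SSID, 9, 'D','I','R','E','C','T','-','a','b' };
    struct p2p_peer peer = {0};
    if (p2p_parse_ssid_ie(&peer, ie, sizeof ie) != 0)
        return -1;
    if (memcmp(peer.ssid, "DIRECT-ab", 9) != 0)
        return -2;
    return (int)peer.ssid_len;    /* 9 */
}

/* Constructed hostile element: length 255 with 255 payload bytes present.
 * p2p_set_ssid_unchecked would overrun ssid[] by 223 bytes here. */
int demo_oversized_ssid_rejected(void)
{
    uint8_t ie[2 + 255];
    ie[0] = WLAN_EID_SSID;
    ie[1] = 255;
    memset(ie + 2, 'A', 255);
    struct p2p_peer peer = {0};
    int rc = p2p_parse_ssid_ie(&peer, ie, sizeof ie);
    return rc == -1 && peer.ssid_len == 0;    /* 1: rejected, record untouched */
}

/* Constructed truncated element: length claims 20 but only 4 bytes follow. */
int demo_truncated_ie_rejected(void)
{
    static const uint8_t ie[] = { WLAN_EID_SSID, 20, 'a', 'b', 'c', 'd' };
    struct p2p_peer peer = {0};
    return p2p_parse_ssid_ie(&peer, ie, sizeof ie);   /* -1 */
}

int main(void)
{
    printf("benign ssid_len=%d, oversized rejected=%d, truncated rc=%d\n",
           demo_benign_ssid_len(), demo_oversized_ssid_rejected(),
           demo_truncated_ie_rejected());
    return 0;
}
```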
CVE-2013-6435 – rpm: race condition during the installation process
https://notcve.org/view.php?id=CVE-2013-6435
Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file had been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. The window exists because the temporary file lands in the final directory, where a consumer that scans that directory (a cron daemon reading /etc/cron.d in the demonstrated case) can act on the unverified content before the failed signature check removes it. The general rule is to verify the signature and payload digest over the whole package before writing anything into a location other software reads. • http://advisories.mageia.org/MGASA-2014-0529.html http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://rhn.redhat.com/errata/RHSA-2014-1974.html http://rhn.redhat.com/errata/RHSA-2014-1975.html http://rhn.redhat.com/errata/RHSA-2014-1976.html http://www.debian.org/security/2015/dsa-3129 http://www.mandriva.com/security/advisories?name=MDVSA-2014:251 http://www.mandriva.com/security/advisories?name=MDVSA-2015:056 http://www.oracle.com/technetwork/topics/ • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •