CVE-2016-2173
https://notcve.org/view.php?id=CVE-2016-2173
org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code. org.springframework.core.serializer.DefaultDeserializer en Spring AMQP en versiones anteriores a 1.5.5 a los atacantes remotos ejecutar el código arbitrario. • https://github.com/HaToan/CVE-2016-2173 http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182551.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182850.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182959.html https://bugzilla.redhat.com/show_bug.cgi?id=1326205 https://pivotal.io/security/cve-2016-2173 • CWE-20: Improper Input Validation •
CVE-2016-6299
https://notcve.org/view.php?id=CVE-2016-6299
The scm plug-in in mock might allow attackers to bypass the intended chroot protection mechanism and gain root privileges via a crafted spec file. El complemento scm en mock puede permitir a los atacantes pasar por alto el mecanismo de protección chroot previsto y obtener privilegios de root a través de un archivo de especificaciones manipulado. • http://www.openwall.com/lists/oss-security/2016/09/13/2 http://www.securityfocus.com/bid/92948 https://bugzilla.redhat.com/show_bug.cgi?id=1375490 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFC4LU6GYYEVUK6LQ2FKUGMZXRTLLL5A https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VYLMPA5VLLX67DUJ6XLJ2TIW6CX2CFL4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5PH2YGYWYUAYPHK32SGUZGZXQEBEYNK • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2016-8884 – jasper: missing jas_matrix_create() parameter checks
https://notcve.org/view.php?id=CVE-2016-8884
The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8690. La función bmp_getdata en libjasper/bmp/bmp_dec.c en JasPer 1.900.5 permite a atacantes remotos provocar una denegación de servicio (referencia a puntero NULL) llamando al comando imginfo con una imagen BMP manipulada. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2016-8690. • http://www.openwall.com/lists/oss-security/2016/10/23/1 http://www.openwall.com/lists/oss-security/2016/10/23/9 http://www.securityfocus.com/bid/93834 https://access.redhat.com/errata/RHSA-2017:1208 https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690 https://bugzilla.redhat.com/show_bug.cgi?id=1385499 https://github.com/mdadams/jasper/commit/5d66894d2313e3f3469f19066e149e08ff076698 https://lists • CWE-20: Improper Input Validation CWE-476: NULL Pointer Dereference •
CVE-2016-8887
https://notcve.org/view.php?id=CVE-2016-8887
The jp2_colr_destroy function in libjasper/jp2/jp2_cod.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (NULL pointer dereference). La función jp2_colr_destroy en libjasper/jp2/jp2_cod.c en JasPer en versiones anteriores a 1.900.10 permite a atacantes remotos provocar una denegación de servicio (referencia de puntero NULL). • http://www.openwall.com/lists/oss-security/2016/10/23/3 http://www.openwall.com/lists/oss-security/2016/10/23/6 http://www.securityfocus.com/bid/93835 https://blogs.gentoo.org/ago/2016/10/18/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c https://bugzilla.redhat.com/show_bug.cgi?id=1388828 https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5 • CWE-476: NULL Pointer Dereference •
CVE-2016-6225
https://notcve.org/view.php?id=CVE-2016-6225
xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394. xbcrypt en Percona XtraBackup en versiones anteriores a 2.3.6 y 2.4.x en versiones anteriores a 2.4.5 no establece apropiadamente el vector de inicialización (IV) para cifrado, lo que hace más fácil a atacantes dependientes del contexto obtener información sensible de archivos backup cifrados a través de un ataque de texto plano escogido. NOTA: esta vulnerabilidad existe debido a una corrección incompleta para CVE-2013-6394. • http://lists.opensuse.org/opensuse-updates/2017-01/msg00125.html http://lists.opensuse.org/opensuse-updates/2017-01/msg00126.html https://bugs.launchpad.net/percona-xtrabackup/+bug/1643949 https://github.com/percona/percona-xtrabackup/pull/266 https://github.com/percona/percona-xtrabackup/pull/267 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAHI6ETS22FJCMLW7A6SICFKQXF5G2VI https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message • CWE-326: Inadequate Encryption Strength •