2019-09-21
ALT-BU-2019-3961-2
Branch p9 update bulletin.
Closed vulnerabilities
Published: 2019-08-28
BDU:2019-03643
Уязвимость библиотеки для анализа XML-файлов libexpat, связанная с неверным ограничением xml-ссылок на внешние объекты, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2018-01-03
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2017-1000472
The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO C++ Libraries before 1.8 does not properly restrict the filename value in the ZIP header, which allows attackers to conduct absolute path traversal attacks during the ZIP decompression, and possibly create or overwrite arbitrary files, via a crafted ZIP file, related to a "file path injection vulnerability".
Severity: MEDIUM (6.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
Published: 2019-09-04
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-15903
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- openSUSE-SU-2019:2204
- openSUSE-SU-2019:2204
- openSUSE-SU-2019:2205
- openSUSE-SU-2019:2205
- openSUSE-SU-2019:2420
- openSUSE-SU-2019:2420
- openSUSE-SU-2019:2424
- openSUSE-SU-2019:2424
- openSUSE-SU-2019:2425
- openSUSE-SU-2019:2425
- openSUSE-SU-2019:2447
- openSUSE-SU-2019:2447
- openSUSE-SU-2019:2451
- openSUSE-SU-2019:2451
- openSUSE-SU-2019:2459
- openSUSE-SU-2019:2459
- openSUSE-SU-2019:2452
- openSUSE-SU-2019:2452
- openSUSE-SU-2019:2464
- openSUSE-SU-2019:2464
- openSUSE-SU-2020:0010
- openSUSE-SU-2020:0010
- openSUSE-SU-2020:0086
- openSUSE-SU-2020:0086
- http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html
- http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html
- http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html
- http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html
- http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html
- http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html
- 20191213 APPLE-SA-2019-12-10-1 iOS 13.3 and iPadOS 13.3
- 20191213 APPLE-SA-2019-12-10-1 iOS 13.3 and iPadOS 13.3
- 20191213 APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
- 20191213 APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
- 20191213 APPLE-SA-2019-12-10-5 tvOS 13.3
- 20191213 APPLE-SA-2019-12-10-5 tvOS 13.3
- 20191213 APPLE-SA-2019-12-10-8 watchOS 6.1.1
- 20191213 APPLE-SA-2019-12-10-8 watchOS 6.1.1
- RHSA-2019:3210
- RHSA-2019:3210
- RHSA-2019:3237
- RHSA-2019:3237
- RHSA-2019:3756
- RHSA-2019:3756
- https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
- https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43
- https://github.com/libexpat/libexpat/issues/317
- https://github.com/libexpat/libexpat/issues/317
- https://github.com/libexpat/libexpat/issues/342
- https://github.com/libexpat/libexpat/issues/342
- https://github.com/libexpat/libexpat/pull/318
- https://github.com/libexpat/libexpat/pull/318
- [debian-lts-announce] 20191110 [SECURITY] [DLA 1987-1] firefox-esr security update
- [debian-lts-announce] 20191110 [SECURITY] [DLA 1987-1] firefox-esr security update
- [debian-lts-announce] 20191118 [SECURITY] [DLA 1997-1] thunderbird security update
- [debian-lts-announce] 20191118 [SECURITY] [DLA 1997-1] thunderbird security update
- FEDORA-2019-9505c6b555
- FEDORA-2019-9505c6b555
- FEDORA-2019-613edfe68b
- FEDORA-2019-613edfe68b
- FEDORA-2019-672ae0f060
- FEDORA-2019-672ae0f060
- 20191211 APPLE-SA-2019-12-10-8 watchOS 6.1.1
- 20191211 APPLE-SA-2019-12-10-8 watchOS 6.1.1
- 20191211 APPLE-SA-2019-12-10-5 tvOS 13.3
- 20191211 APPLE-SA-2019-12-10-5 tvOS 13.3
- 20191211 APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
- 20191211 APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
- 20191101 [SECURITY] [DSA 4549-1] firefox-esr security update
- 20191101 [SECURITY] [DSA 4549-1] firefox-esr security update
- 20191118 [SECURITY] [DSA 4571-1] thunderbird security update
- 20191118 [SECURITY] [DSA 4571-1] thunderbird security update
- 20191021 [slackware-security] python (SSA:2019-293-01)
- 20191021 [slackware-security] python (SSA:2019-293-01)
- 20190917 [slackware-security] expat (SSA:2019-259-01)
- 20190917 [slackware-security] expat (SSA:2019-259-01)
- 20190923 [SECURITY] [DSA 4530-1] expat security update
- 20190923 [SECURITY] [DSA 4530-1] expat security update
- GLSA-201911-08
- GLSA-201911-08
- https://security.netapp.com/advisory/ntap-20190926-0004/
- https://security.netapp.com/advisory/ntap-20190926-0004/
- https://support.apple.com/kb/HT210785
- https://support.apple.com/kb/HT210785
- https://support.apple.com/kb/HT210788
- https://support.apple.com/kb/HT210788
- https://support.apple.com/kb/HT210789
- https://support.apple.com/kb/HT210789
- https://support.apple.com/kb/HT210790
- https://support.apple.com/kb/HT210790
- https://support.apple.com/kb/HT210793
- https://support.apple.com/kb/HT210793
- https://support.apple.com/kb/HT210794
- https://support.apple.com/kb/HT210794
- https://support.apple.com/kb/HT210795
- https://support.apple.com/kb/HT210795
- USN-4132-1
- USN-4132-1
- USN-4132-2
- USN-4132-2
- USN-4165-1
- USN-4165-1
- USN-4202-1
- USN-4202-1
- USN-4335-1
- USN-4335-1
- DSA-4530
- DSA-4530
- DSA-4549
- DSA-4549
- DSA-4571
- DSA-4571
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.tenable.com/security/tns-2021-11
- https://www.tenable.com/security/tns-2021-11
Published: 2024-01-27
Modified: 2025-01-20
Modified: 2025-01-20
CVE-2023-52389
UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow and resultant stack buffer overflow because Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return a negative integer if a UTF-32 byte sequence evaluates to a value of 0x80000000 or higher. This is fixed in 1.11.8p2, 1.12.5p2, and 1.13.0.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://github.com/pocoproject/poco/compare/poco-1.12.5p2-release...poco-1.13.0-release
- https://github.com/pocoproject/poco/compare/poco-1.12.5p2-release...poco-1.13.0-release
- https://github.com/pocoproject/poco/issues/4320
- https://github.com/pocoproject/poco/issues/4320
- https://lists.debian.org/debian-lts-announce/2025/01/msg00017.html
- https://pocoproject.org/blog/?p=1226
- https://pocoproject.org/blog/?p=1226