2020-04-27
ALT-BU-2020-3782-3
Branch sisyphus update bulletin.
Closed vulnerabilities
Published: 2020-05-11
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-11863
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 1 of 2).
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DFYDSKWFM2R5NKZOO2IN6X7SM3T2PWL/
- https://sourceforge.net/p/libemf/code/commit_browser
- https://sourceforge.net/p/libemf/mailman/libemf-devel/
- https://sourceforge.net/p/libemf/news/2020/05/re-release-of-libemf-1012/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DFYDSKWFM2R5NKZOO2IN6X7SM3T2PWL/
- https://sourceforge.net/p/libemf/code/commit_browser
- https://sourceforge.net/p/libemf/mailman/libemf-devel/
- https://sourceforge.net/p/libemf/news/2020/05/re-release-of-libemf-1012/
Published: 2020-05-11
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-11864
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 2 of 2).
Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Severity: MEDIUM (5.5)Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DFYDSKWFM2R5NKZOO2IN6X7SM3T2PWL/
- https://sourceforge.net/p/libemf/code/commit_browser
- https://sourceforge.net/p/libemf/mailman/libemf-devel/
- https://sourceforge.net/p/libemf/news/2020/05/re-release-of-libemf-1012/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DFYDSKWFM2R5NKZOO2IN6X7SM3T2PWL/
- https://sourceforge.net/p/libemf/code/commit_browser
- https://sourceforge.net/p/libemf/mailman/libemf-devel/
- https://sourceforge.net/p/libemf/news/2020/05/re-release-of-libemf-1012/
Published: 2020-05-11
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-11865
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows out-of-bounds memory access.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8)Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DFYDSKWFM2R5NKZOO2IN6X7SM3T2PWL/
- https://sourceforge.net/p/libemf/code/commit_browser
- https://sourceforge.net/p/libemf/mailman/libemf-devel/
- https://sourceforge.net/p/libemf/news/2020/05/re-release-of-libemf-1012/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DFYDSKWFM2R5NKZOO2IN6X7SM3T2PWL/
- https://sourceforge.net/p/libemf/code/commit_browser
- https://sourceforge.net/p/libemf/mailman/libemf-devel/
- https://sourceforge.net/p/libemf/news/2020/05/re-release-of-libemf-1012/
Published: 2020-05-11
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2020-11866
libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-after-free.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (7.8)Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DFYDSKWFM2R5NKZOO2IN6X7SM3T2PWL/
- https://sourceforge.net/p/libemf/code/commit_browser
- https://sourceforge.net/p/libemf/mailman/libemf-devel/
- https://sourceforge.net/p/libemf/news/2020/05/re-release-of-libemf-1012/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DFYDSKWFM2R5NKZOO2IN6X7SM3T2PWL/
- https://sourceforge.net/p/libemf/code/commit_browser
- https://sourceforge.net/p/libemf/mailman/libemf-devel/
- https://sourceforge.net/p/libemf/news/2020/05/re-release-of-libemf-1012/
Closed vulnerabilities
Published: 2019-04-25
Modified: 2021-03-23
Modified: 2021-03-23
BDU:2019-01544
Уязвимость серверного компонента Murmur программного средства для реализации IP-телефонии Mumble, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
References:
Published: 2019-01-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2018-20743
murmur in Mumble through 1.2.19 before 2018-08-31 mishandles multiple concurrent requests that are persisted in the database, which allows remote attackers to cause a denial of service (daemon hang or crash) via a message flood.
Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00045.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00058.html
- https://bugs.debian.org/919249
- https://github.com/mumble-voip/mumble/issues/3505
- https://github.com/mumble-voip/mumble/pull/3510
- https://github.com/mumble-voip/mumble/pull/3512
- https://lists.debian.org/debian-lts-announce/2019/02/msg00006.html
- https://www.debian.org/security/2019/dsa-4402
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00045.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00058.html
- https://bugs.debian.org/919249
- https://github.com/mumble-voip/mumble/issues/3505
- https://github.com/mumble-voip/mumble/pull/3510
- https://github.com/mumble-voip/mumble/pull/3512
- https://lists.debian.org/debian-lts-announce/2019/02/msg00006.html
- https://www.debian.org/security/2019/dsa-4402
Closed vulnerabilities
Published: 2019-08-20
Modified: 2023-11-21
Modified: 2023-11-21
BDU:2019-02944
Уязвимость реализации функции контроля доступа на основе ролей Role Based Access Control (RBAC) хранилища параметров конфигурации Etcd, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Severity: HIGH (8.1)Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (9.3)Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
References:
Published: 2018-04-03
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2018-1098
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (8.8)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1552714
- https://github.com/coreos/etcd/issues/9353
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/
- https://bugzilla.redhat.com/show_bug.cgi?id=1552714
- https://github.com/coreos/etcd/issues/9353
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/
Published: 2018-04-03
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2018-1099
DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
Severity: LOW (2.1)Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1552717
- https://github.com/coreos/etcd/issues/9353
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/
- https://bugzilla.redhat.com/show_bug.cgi?id=1552717
- https://github.com/coreos/etcd/issues/9353
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/
Published: 2019-01-14
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2018-16886
etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.
Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://www.securityfocus.com/bid/106540
- https://access.redhat.com/errata/RHSA-2019:0237
- https://access.redhat.com/errata/RHSA-2019:1352
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16886
- https://github.com/etcd-io/etcd/blob/1eee465a43720d713bb69f7b7f5e120135fdb1ac/CHANGELOG-3.2.md#security-authentication
- https://github.com/etcd-io/etcd/blob/1eee465a43720d713bb69f7b7f5e120135fdb1ac/CHANGELOG-3.3.md#security-authentication
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/
- http://www.securityfocus.com/bid/106540
- https://access.redhat.com/errata/RHSA-2019:0237
- https://access.redhat.com/errata/RHSA-2019:1352
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16886
- https://github.com/etcd-io/etcd/blob/1eee465a43720d713bb69f7b7f5e120135fdb1ac/CHANGELOG-3.2.md#security-authentication
- https://github.com/etcd-io/etcd/blob/1eee465a43720d713bb69f7b7f5e120135fdb1ac/CHANGELOG-3.3.md#security-authentication
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/
Published: 2022-02-15
Modified: 2023-09-15
Modified: 2023-09-15
GHSA-5gjm-fj42-x983
etcd Cross-site Request Forgery (CSRF)
Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1098
- https://github.com/coreos/etcd/issues/9353
- https://github.com/coreos/etcd/commit/a7e5790c82039945639798ae9a3289fe787f5e56
- https://bugzilla.redhat.com/show_bug.cgi?id=1552714
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS
Published: 2022-04-13
Modified: 2023-08-30
Modified: 2023-08-30
GHSA-h6xx-pmxh-3wgp
go.etcd.io/etcd Authentication Bypass
Severity: HIGH (8.1)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16886
- https://github.com/etcd-io/etcd/pull/10366
- https://github.com/etcd-io/etcd/commit/0191509637546621d6f2e18e074e955ab8ef374d
- https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2
- https://access.redhat.com/errata/RHSA-2019:0237
- https://access.redhat.com/errata/RHSA-2019:1352
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16886
- https://github.com/etcd-io/etcd
- https://github.com/etcd-io/etcd/blob/1eee465a43720d713bb69f7b7f5e120135fdb1ac/CHANGELOG-3.2.md#security-authentication
- https://github.com/etcd-io/etcd/blob/1eee465a43720d713bb69f7b7f5e120135fdb1ac/CHANGELOG-3.3.md#security-authentication
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS
- https://pkg.go.dev/vuln/GO-2021-0077
- http://www.securityfocus.com/bid/106540
Published: 2022-02-15
Modified: 2021-05-20
Modified: 2021-05-20
GHSA-wf43-55jj-vwq8
DNS Rebinding in etcd
Severity: MEDIUM (5.5)Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1099
- https://github.com/coreos/etcd/issues/9353
- https://github.com/coreos/etcd/commit/a7e5790c82039945639798ae9a3289fe787f5e56
- https://bugzilla.redhat.com/show_bug.cgi?id=1552717
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS
Closed bugs
pam: can't login, pam_motd failed