OpenBSD erratum 045:
A kernel executable address was leaked to userland.
OpenBSD erratum 044:
An unprivileged user can cause a kernel crash.
OpenBSD erratum 043:
Out of bounds TCB settings may result in a kernel panic.
OpenBSD erratum 042:
A buffer over-read and heap overflow in perl's regexp may result in a crash or memory leak.
OpenBSD erratum 041:
State transition errors could cause reinstallation of old WPA keys.
OpenBSD erratum 040:
SMAP enforcement could be bypassed by userland code.
This package fixes several security issues. Please refer to the individual CVEs for more information.
A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
Subversion:
A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to an honest server (to attack another user of that server's repositories), or by a proxy server.
Avoid an assertion failure bug affecting our implementation of inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() handling of "0xfoo" differs from what we had expected. Also tracked as TROVE-2017-007.
Nginx versions from 0.5.6 up to and including 1.13.2 are vulnerable to an integer overflow in the nginx range filter module, resulting in a leak of potentially sensitive information triggered by a specially crafted request.
OpenBSD erratum 039:
An out of bounds read could occur during processing of EAPOL frames in the wireless stack. Information from kernel memory could be leaked to root in userland via an ieee80211(9) ioctl.
OpenBSD erratum 038:
A race condition may result in a kernel memory leak.
OpenBSD erratum 037:
An integer overflow in wsdisplay_cfg_ioctl() may result in an out-of-bounds read.
OpenBSD erratum 036:
An uninitialized variable in fcntl() may result in an info leak.
OpenBSD erratum 035:
An uninitialized variable in ptrace() may result in an info leak.
OpenBSD erratum 034:
Missing socket address validation from userland may result in an info leak.
OpenBSD erratum 033:
With an invalid address family, tcp_usrreq() may take an unintended code path.
OpenBSD erratum 032:
An alignment issue in recv() may result in an info leak via ktrace().
OpenBSD erratum 031:
An out-of-bounds read in vfs_getcwd_scandir() (mainly used for FUSE) may result in a kernel panic or info leak.
OpenBSD erratum 030:
A missing length check in sendsyslog() may result in a kernel panic.
OpenBSD erratum 029:
A SIGIO-related use-after-free can occur in two drivers.
librsvg:
Fix a division-by-zero in the Gaussian blur code.
Heimdal:
Fix for Orpheus' Lyre KDC-REP service name validation.
Samba:
A MITM attacker may impersonate a trusted server and thus gain elevated access to the domain by returning malicious replication or authorization data.
ISC:
This release addresses a TSIG regression.
Subversion:
Update to Apache Subversion 1.9.6. Contains a server-side SHA1 collision fix.
Knot:
Improper TSIG validity period check can allow TSIG forgery.
Fix a security issue. Please refer to the URL above for more information.
ISC:
This release fixes several security issues, please refer to the release notes for more information.
Fix multiple denial of service vulnerabilities.
GnuTLS-SA-2017-4
Decoding a status response TLS extension with valid contents could lead to a crash due to a null pointer dereference.
Fix multiple CVEs.
Fixes a pair of bugs that would allow an attacker to remotely crash a hidden service with an assertion failure.
Multiple security issues have been fixed.
OpenBSD erratum 028:
An unprivileged user can cause a kernel crash.
OpenBSD erratum 026:
Use fchmod to avoid a race condition in File::Path.
PostgreSQL:
This update fixes several security issues. Please refer to the individual CVEs.
Samba:
Malicious clients can upload and cause the smbd server to execute a shared library from a writable share.
OpenBSD erratum 025:
The kernel could leak memory when processing ICMP packets with IP options. Note that pf(4) blocks such packets by default.
OpenBSD erratum 024:
Add a gap of 1MB between the stack and mmap spaces.
OpenBSD erratum 023:
Heap-based buffer overflows in freetype can result in out-of-bounds writes.
OpenBSD erratum 022:
Incorrect DTLS cookie handling can result in a NULL pointer dereference.
OpenBSD erratum 021:
softraid was unable to create usable concat volumes because it always set the size of the volume to zero sectors.
Give ftpsesame its own uid; it was sharing "proxy" (removed from base).
ISC:
This release fixes several security issues, please refer to the release notes for more information.
Heimdal:
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm to not be added to the transit path of issued tickets. This may, in some cases, enable bypass of capath policy in Heimdal versions 1.5 through 7.2. Note, this may break sites that rely on the bug. With the bug some incomplete [capaths] worked, that should not have. These may now break authentication in some cross-realm configurations.
Minicom:
This release fixes an out-of-bounds data access that can lead to remote code execution.
owncloud:
This is a maintenance update of owncloud to release 9.1.5.
SECURITY: "hg serve --stdio could be tricked into granting authorized users access to the Python debugger"

"dispatch: protect against malicious 'hg serve --stdio' invocations (sec)

Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected.

We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'.

The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it."
weechat:
This release fixes a buffer overflow when removing quotes in DCC filename.
Samba:
Symlink race allows access outside share definition.
This update fixes several security issues. Please refer to the individual CVEs for more information.
Apply a bunch of CVE and other fixes for unzip from the Debian and Red Hat bug trackers. Add the links to the patch files. The fix for CVE-2014-9636 was improved.
OpenBSD erratum 020:
ELF auxiliary vector storage leaks piece of kernel stack.
Multiple security issues were addressed, please refer to the botan security site for more information.
pycrypto:
A heap buffer overflow vulnerability was discovered in cryptopp. This vulnerability can be used to remotely gain shell access.
MariaDB:
This release of MariaDB fixes several security vulnerabilities.
OpenBSD erratum 019:
Prevent an integer overflow in PF when calculating the adaptive timeout, which caused spuriously expired states under pressure.
OpenBSD erratum 018:
WiFi clients using WPA1 or WPA2 are vulnerable to a man-in-the-middle attack by rogue access points.
Due to a coding mistake, the code that checks for a test success or failure ends up always thinking there is valid proof, even when there is none or the server does not support the TLS extension in question. This could lead to users not detecting when a server's certificate becomes invalid, or otherwise being misled that the server is in better shape than it is in reality.
This update addresses a security vulnerability, which allows a remote attacker with access to the web interface to execute arbitrary commands on the host operating system.
ISC:
If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash.
MariaDB:
This release of MariaDB fixes several security vulnerabilities.
OpenBSD erratum 017:
A bug in the processing of range headers in httpd can lead to memory exhaustion. This patch disables range header processing.
Crafted queries can cause unexpected backend load.
A man-in-the-middle issue was fixed: mcabber did not verify the origin of roster pushes, allowing third parties to modify the roster.
ISC:
Multiple security issues were addressed. Please refer to the individual CVEs for a detailed description of these issues.
GNOME:
Use-after-free vulnerability in libxml2 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
Fix a printf floating point buffer overflow.
A null-pointer-dereference bug was fixed in png_set_text_2() when an image-editing application adds, removes, and re-adds text chunks to a PNG image. This bug does not affect pure viewers, nor are there any known editors that could trigger it without interactive user input.
OpenBSD erratum 016:
Avoid possible side-channel leak of ECDSA private keys when signing.
Samba:
Numerous CVEs have been fixed. Please see the announcements for details.
Multiple Vulnerabilities in Network Time Protocol Daemon (ntp) have been fixed.
Subversion:
Subversion's mod_dontdothat module and clients using http(s):// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack, otherwise known as the "billion laughs attack", targets XML parsers and can cause the targeted process to consume an excessive amount of CPU resources or memory. There are no known instances of this problem being exploited in the wild.
It was reported that the REPL server is vulnerable to the HTTP inter-protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network. Applications that do not run a REPL server, as is usually the case, are unaffected.
Security bug fixed: Don't load or render the content of "407 Proxy Authentication Required" reply when using https proxy. This avoids the FalseCONNECT attack. Also, don't allow 401 and 407 responses to set cookies.
There is a vulnerability of type use-after-free affecting DBD::mysql (aka DBD-mysql or the Database Interface (DBI) MySQL driver for Perl) 3.x and 4.x before 4.041 when used with mysql_server_prepare=1.
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Multiple security issues were fixed in tiff.
Fixes a null pointer dereference.
Add a hack for topology subnet setups. Previously route insertion failed with ELOOP because the gateway wasn't directly connected.
Multiple vulnerabilities have been discovered in memcached.
OpenBSD erratum 015:
Avoid continual processing of an unlimited number of TLS records.
This release of curl fixes several security vulnerabilities.
MariaDB:
This release of MariaDB fixes several security vulnerabilities.
Fix an out-of-bounds memory read in the ID3v2 parser for tags that claim an unrealistically small length.
Multiple security issues were addressed.
ISC:
A problem handling responses containing a DNAME answer can lead to an assertion failure.
Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur.
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
OpenBSD erratum 014:
A logic issue in smtpd's header parsing can cause SMTP sessions to hang.
OpenBSD erratum 013:
A protocol parsing bug in sshd can lead to unauthenticated memory and CPU consumption.
OpenBSD erratum 012:
Allocation of an amap with at least 131072 slots causes an integer overflow that leads to an infinite loop.
OpenBSD erratum 011:
Fix a number of issues in the way various X client libraries handle server responses.
OpenBSD erratum 010:
A bug in the smtp session logic can lead to a server crash.
PostgreSQL:
This release fixes a security issue where crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations.
A heap overflow in pdf_load_mesh_params() and a use-after-free have been discovered in mupdf.
MariaDB:
A vulnerability has been found that can allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib.
ISC:
An error has been discovered in the BIND implementation of the lightweight resolver protocol affecting systems which use this alternate method to do name resolution.
Fix multiple CVEs.
Memory allocation integer overflow in gdk_cairo_set_source_pixbuf on large pixbufs.
GnuTLS-SA-2016-3
GnuPG:
Fix critical security bug in the RNG [CVE-2016-6313]. An attacker who obtains 580 bytes from the standard RNG can trivially predict the next 20 bytes of output.
The four libcurl functions curl_escape(), curl_easy_escape(), curl_unescape() and curl_easy_unescape() perform URL percent-escaping and unescaping of strings. They accept custom string length inputs in signed integer arguments. (The functions whose names lack "easy" are the deprecated versions of the others.)
OpenBSD erratum 009:
Avoid falling back to a weak digest for (EC)DH when using SNI with libssl.
OpenBSD erratum 008:
Avoid unbounded memory growth in libssl, which can be triggered by a TLS client repeatedly renegotiating and sending OCSP Status Request TLS extensions.
OpenBSD erratum 007:
Revert change that cleans up the EVP cipher context in EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the previous behaviour.
OpenBSD erratum 006:
During parsing of the iked(8) configuration, a variable is set to 0 by mistake, disabling Pre-Shared Key authentication.
OpenBSD erratum 005:
Limit the number of wscons fonts that can be loaded into the kernel.
OpenBSD erratum 004:
A missing initialization can prevent mail headers from being altered as intended, resulting in mail being sent to incorrect addresses.
OpenBSD erratum 003:
Improve relayd's parsing of the Host-header by following RFC 7230 Section 5.4 more strictly.
OpenBSD erratum 002:
Fixes IO::Socket::IP complaining about non-numeric version numbers.
OpenBSD erratum 001:
Missing overflow checks in uvm may result in panics.