Reed Loden | 1 Aug 08:45 2015

CVE request: Multiple XSS and CSRF vulnerabilities in sidekiq ruby gem

Sidekiq is "Simple, efficient background processing for Ruby" (a gem)
* http://sidekiq.org
* https://github.com/mperham/sidekiq/
* https://rubygems.org/gems/sidekiq

Was going through Sidekiq's changelog and its commits, and I came across
several security issues that lack CVEs.

XSS via queue name in Sidekiq::Web
* Reported via https://github.com/mperham/sidekiq/issues/2330
* Fixed by
https://github.com/mperham/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828
* Fix released in sidekiq 3.4.0

XSS via job arguments display class in Sidekiq::Web
* Reported via https://github.com/mperham/sidekiq/pull/2309
* Fixed by
https://github.com/mperham/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61
* Fix released in sidekiq 3.4.0

Sidekiq::Web lacks CSRF protection
* Reported via https://github.com/mperham/sidekiq/pull/2422
* Fixed by
https://github.com/mperham/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad
* Fix released in sidekiq 3.4.2
* Follow-up fix in
https://github.com/mperham/sidekiq/commit/75a3524c919857aac16e0541b0cb107f48d00694
to enable sessions in Sinatra, plus mention of a possible monkey patch
needed to make Rails work correctly (neither change is in a release yet).

(Continue reading)

Salvatore Bonaccorso | 1 Aug 07:00 2015

CVE Request: devscripts: licensecheck: arbitrary shell command injection

Hi

devscripts[0,1] contains a utility licensecheck, a simple license
checker for source files. It is as well included at least in Ubuntu
and Fedora[2].

Jonas Smedegaard[3] (and Jakub Wilk with a follow-up message) reported
that licensecheck is prone to arbitrary shell command injection via
shell metacharacters in filenames. The issue was introduced in
devscripts v2.15.5[4] and fixed in v2.15.7[5].

Could you please assign a CVE to identify this issue?

Regards,
Salvatore

 [0] https://packages.debian.org/devscripts
 [1] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/
 [2] http://pkgs.fedoraproject.org/cgit/devscripts.git/
 [3] https://bugs.debian.org/794260
 [4] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0
 [5] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8
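As an added illustration of the issue class reported above (this is example code, not devscripts or licensecheck code): a hypothetical helper that reads the first lines of a source file, shown in the fragile shell-string form beside the argv-list form that treats the filename as a single opaque argument.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path

# Constructed sample filename carrying shell metacharacters (a ';' and
# spaces); the file is created in a temporary directory by self_check().
SAMPLE_NAME = "notes; echo injected.c"


def vulnerable_command(path):
    """The fragile pattern: a filename interpolated into one shell string.

    Returned as a string, never executed here: a shell handed this string
    would treat the ';' inside the name as a command separator.
    """
    return f"head -n 60 {path}"


def quoted_command(path):
    """If a shell really is unavoidable, shlex.quote neutralises the
    metacharacters so the whole name stays one word."""
    return f"head -n 60 {shlex.quote(str(path))}"


def header_lines(path, n=60):
    """Hardened form: an argv list and no shell, so the name is passed to
    head(1) verbatim whatever characters it contains."""
    out = subprocess.run(["head", "-n", str(n), str(path)],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def self_check():
    """Create the awkwardly named file and read it back via the safe path."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / SAMPLE_NAME
        p.write_text("/* Copyright 2015 Example */\nint main(void) {}\n")
        return header_lines(p)
```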

Adam Maris | 31 Jul 14:47 2015

CVE for crypto_get_random() from libsrtp

Hello,

I've got a question whether this bug
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793971) is
CVE-worthy. Could it be classified as CWE-330: Use of Insufficiently
Random Values?

According to the SRTP documentation
(http://srtp.sourcearchive.com/documentation/1.4.2.dfsg/group__SRTP_g1d4c228c6a58096dfab3cefbabd66f17.html),
it provides 80 bits of random data, which is quite a borderline.

Thanks.

-- 
Adam Maris / Red Hat Product Security

Huzaifa Sidhpurwala | 31 Jul 08:34 2015

CVE Request: freeradius: the EAP-PWD module performs insufficient validation on packets received from an EAP peer

The FreeRADIUS project has reported a flaw that affects the EAP-PWD
module of the freeradius package versions 3.0 up to 3.0.8. This module
is not enabled by default, so administrators must have manually enabled
it for their servers to be vulnerable.

Reference:
http://freeradius.org/security.html#eap-pwd-2015

Can a CVE id be please assigned to this flaw?

-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

Kurt Seifried | 30 Jul 17:33 2015

A new class of security vulns?

So in past we have had vulns around injection of terminal control
characters into log files:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=terminal+escape

However now I'm seeing flaws around printing/display of user data, e.g.
systems where a user can set their own name, but fills it with backspace
characters, so when an admin looks at the text record it is
mangled/shows something the attacker wants them to see and not the
"True" data.

An example of this is:

https://fedorahosted.org/freeipa/ticket/5153

Assuming there are no actual terminal escape sequences allowed, but just
backspace characters/etc, is this worthy of a CVE? Right now it
definitely allows manipulation of displayed data, and if an admin cuts
and pastes it would potentially be just the modified data, so I'm
thinking there is an integrity impact (not a very big one mind you), but
it's quite limited (at least as I understand the issue right now).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...
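An added example (not from the message or from FreeIPA) of the defensive side of the question above: a validation hook that detects control characters such as backspace in a user-supplied display string, and a renderer that makes them visible so what an admin sees, and copies, is the stored value.

```python
import unicodedata

# Constructed sample: a display name padded with backspaces (U+0008), the
# pattern described in the message above; not data from the FreeIPA ticket.
SAMPLE_NAME = "alice\x08\x08\x08\x08\x08admin"


def control_chars(text):
    """Return (index, char) pairs for control characters in text.

    Unicode category "Cc" covers the C0 range (backspace, CR, ESC, tab,
    newline), DEL and the C1 range: everything a terminal or log viewer
    may interpret instead of print. Allowlist tab/newline separately if a
    field legitimately needs them.
    """
    return [(i, c) for i, c in enumerate(text)
            if unicodedata.category(c) == "Cc"]


def is_safe_for_display(text):
    """Validation hook: reject any value that carries control characters."""
    return not control_chars(text)


def escape_for_display(text):
    """Render control characters as visible \\xNN escapes so the displayed
    text matches the stored text and a cut-and-paste keeps the escapes."""
    return "".join(
        f"\\x{ord(c):02x}" if unicodedata.category(c) == "Cc" else c
        for c in text)
```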

Fourny Dimitri | 30 Jul 13:16 2015

CVE Request: PHP v7 - Code execution vulnerability

Hello,

An arbitrary code execution is possible in the function str_ireplace()
with PHP 7.
The vulnerability is in the function php_string_tolower().

Patch: http://git.php.net/?p=php-src.git;a=commit;h=6aeee47b2cd47915ccfa3b41433a3f57aea24dd5

Report: https://bugs.php.net/bug.php?id=70140

Could you please assign a CVE for this vulnerability? Thank you.

Regards, Dimitri Fourny.

Adam Maris | 30 Jul 14:05 2015

CVE-2015-1416: vulnerability in patch(1)

Hello,

I'd like to know whether CVE-2015-1416 is a BSD-only issue
(https://www.freebsd.org/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc)
or whether it also affects the upstream patch(1) utility.
In that case, is it tracked upstream?

Thank you

-- 
Adam Maris / Red Hat Product Security

Sam Pizzey | 30 Jul 02:30 2015

[CVE Request] WP Slimstat < 4.1.6 - Referer Header XSS

Hi,

WordPress plugin 'Slimstat' versions < 4.1.6 fail to neutralize untrusted
input from both the Referer header and the endpoint used by their JavaScript
tracking code to report the referrer, if enabled. Since this output is
displayed by default on the front page of the WordPress admin panel,
the XSS here leads to very easy administrator account compromise.

Reported privately via vendor and fixed in current release.

==
Vendor: http://www.wp-slimstat.com
Reported: 22/7/2015
Patched:  22/7/2015 as per https://plugins.trac.wordpress.org/changeset/1204104
==

Regards,
Sam Pizzey

oss | 29 Jul 16:53 2015

CVE request: Froxlor - information leak

Hello,
Please assign a CVE-ID for the following 'Information Leak':

Affects
=======
- Froxlor 0.9.33.1 and earlier

Fixed
=====
- Froxlor 0.9.33.2

Summary
=======
An unauthenticated remote attacker is able to get the database password
via web access due to wrong file permissions of the /logs/ folder in
Froxlor version 0.9.33.1 and earlier. The plain SQL password and
username may be stored in the /logs/sql-error.log file. This directory
is publicly reachable under the default configuration/setup.

Notes
=====
Some default URLs are:
http://website.tld/froxlor/logs/sql-error.log
http://cp.website.tld/logs/sql-error.log
http://froxlor.website.tld/logs/sql-error.log

The relevant section looks like this:

/var/www/froxlor/lib/classes/database/class.Database.php(279): 
PDO->__construct('mysql:host=127....', 'DATABASE_USER', 
(Continue reading)

Jason Buberel | 29 Jul 17:15 2015

CVE Request - Go net/http library - HTTP smuggling

Hello OSS Security Community,

The Go open source project has received notification of an HTTP request
smuggling vulnerability in the net/http library (
http://golang.org/pkg/net/http/). The vulnerability was identified in the
1.4.2 release version (http://golang.org/dl) and in the 1.5 release branch.

Patches have already been applied to the 1.5 release branch, and will be
ported to the 1.4.2 release branch. We will then create a 1.4.3 release.

We are requesting a CVE ID in order to coordinate updates with
distributions that include binary packages for the Go programming language.
We will also announce and request that all Go programs using the net/http
package that were compiled with version 1.4.2 or earlier be recompiled with
1.4.3 or 1.5 (when released) due to the static linking nature of the Go
toolchain.

Please let me know if you need additional information.

Regards,
Jason Buberel
Product Manager, Go
Google, Inc.

Michael McNally | 29 Jul 05:52 2015

[BIND] CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure

A deliberately constructed packet can exploit an error in the
handling of queries for TKEY records, permitting denial of service.

CVE:                 CVE-2015-5477
Document Version:    1.0
Posting date:        28 July 2015
Program Impacted:    BIND
Versions affected:   9.1.0 -> 9.8.x, 9.9.0 -> 9.9.7-P1, 9.10.0 -> 9.10.2-P2
Severity:            Critical
Exploitable:         Remotely

Description:

   An error in the handling of TKEY queries can be exploited by an
   attacker for use as a denial-of-service vector, as a constructed
   packet can use the defect to trigger a REQUIRE assertion failure,
   causing BIND to exit.

Impact:

   Both recursive and authoritative servers are vulnerable to this
   defect.  Additionally, exposure is not prevented by either ACLs
   or configuration options limiting or denying service because the
   exploitable code occurs early in the packet handling, before
   checks enforcing those boundaries.

   All versions of BIND 9 from BIND 9.1.0 (inclusive) through BIND
   9.9.7-P1 and BIND 9.10.2-P2 are vulnerable.

   Operators should take steps to upgrade to a patched version as
(Continue reading)

