Jacob Vosmaer | 25 Nov 16:28 2015

CVE request: RCE in gitlab-shell 2.6.6-2.6.7


I would like to request one (1) CVE for the vulnerability in
gitlab-shell described below. Thanks in advance.

We have found a remote code execution vulnerability in gitlab-shell
2.6.6 and 2.6.7. This affects GitLab Community Edition 8.2.0 and
GitLab Enterprise Edition 8.2.0. GitLab 8.1.4 and earlier versions
are not affected by this vulnerability.

GitLab allows users to push and pull Git data over SSH. To prevent
full system access via SSH we use gitlab-shell, a program that
sanitizes and validates SSH commands that run on the GitLab server
to send and receive Git data. Due to a change in gitlab-shell
2.6.6-2.6.7, an attacker who has a user account on a GitLab server
can bypass the sanitization in gitlab-shell and run arbitrary
commands on the GitLab server.

The only versions of GitLab that include a vulnerable version of
gitlab-shell are GitLab Community Edition 8.2.0 and GitLab Enterprise
Edition 8.2.0. If you are still running GitLab 8.1 or earlier then
you are not affected by this vulnerability. As an administrator
you can check your gitlab-shell version by going to
gitlab.example.com/admin and looking in the upper right corner in
the 'Components' section. Only gitlab-shell versions 2.6.6 and 2.6.7
are affected.

If you installed GitLab 8.2.0 on your server then you should [upgrade
(Continue reading)

P J P | 25 Nov 09:56 2015

CVE request Qemu: net: eepro100: infinite loop in processing command block list


Qemu emulator built with the i8255x (PRO100) emulation support is vulnerable
to an infinite loop issue. It could occur while processing a chain of commands
located in the Command Block List (CBL). Each Command Block (CB) points to the
next command in the list. An infinite loop unfolds if the link to the next
CB points to the same block or there is a closed loop in the chain.

A privileged (CAP_SYS_RAWIO) user inside the guest could use this flaw to crash
the Qemu instance, resulting in DoS.

Upstream patch:
   -> https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html

This issue was discovered by Qinghao Tang of QIHU 360 Marvel Team.

Thank you.
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
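
The following is an added illustration, not QEMU code and not the upstream patch linked above (which is the authoritative fix and may take a different approach). It models a device walking a CB chain in guest memory and bounds the number of blocks processed per run, so a self-link or a closed loop returns an error instead of spinning the emulator thread forever. The CB layout, the bound of 64 blocks, and the three constructed memory images are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of an i8255x command block (CB) as laid
 * out in guest memory. Real CBs carry more fields; only the command word
 * and the link to the next CB matter for the loop problem. */
typedef struct {
    uint16_t status;
    uint16_t command;   /* bit 15 (EL) marks the end of the list */
    uint32_t link;      /* guest-physical offset of the next CB */
} cb_t;

#define CB_EL 0x8000u

/* Hypothetical upper bound on CBs executed per CU start. Any chain that
 * is longer than this without an EL bit is treated as a cycle. */
#define MAX_CBS_PER_RUN 64

/* Walk the CBL starting at offset `start` inside a guest memory image.
 * Returns the number of CBs executed, or -1 if a link points outside
 * guest memory or the per-run bound is exceeded (self-link or cycle). */
int process_cbl(const uint8_t *guest_mem, size_t mem_len, uint32_t start)
{
    uint32_t addr = start;
    int executed = 0;

    for (;;) {
        cb_t cb;
        /* Never read a CB that does not fit inside guest memory. */
        if ((size_t)addr + sizeof cb > mem_len)
            return -1;
        memcpy(&cb, guest_mem + addr, sizeof cb);
        executed++;                       /* "execute" the command */
        if (cb.command & CB_EL)
            return executed;              /* well-formed, terminated chain */
        if (executed >= MAX_CBS_PER_RUN)
            return -1;                    /* bound hit: stop instead of looping */
        addr = cb.link;                   /* follow the guest-controlled link */
    }
}

/* Helper to place a CB into a constructed guest memory image. */
static void write_cb(uint8_t *mem, uint32_t addr, uint16_t command, uint32_t link)
{
    cb_t cb = { .status = 0, .command = command, .link = link };
    memcpy(mem + addr, &cb, sizeof cb);
}

/* Constructed image: three CBs at 0x00, 0x10, 0x20; the last has EL set. */
int demo_terminated_chain(void)
{
    uint8_t mem[0x40] = {0};
    write_cb(mem, 0x00, 0, 0x10);
    write_cb(mem, 0x10, 0, 0x20);
    write_cb(mem, 0x20, CB_EL, 0);
    return process_cbl(mem, sizeof mem, 0x00);   /* 3 */
}

/* Constructed image: a CB whose link points back at itself. */
int demo_self_loop(void)
{
    uint8_t mem[0x40] = {0};
    write_cb(mem, 0x00, 0, 0x00);
    return process_cbl(mem, sizeof mem, 0x00);   /* -1 */
}

/* Constructed image: closed two-block loop 0x00 -> 0x10 -> 0x00. */
int demo_closed_loop(void)
{
    uint8_t mem[0x40] = {0};
    write_cb(mem, 0x00, 0, 0x10);
    write_cb(mem, 0x10, 0, 0x00);
    return process_cbl(mem, sizeof mem, 0x00);   /* -1 */
}

int main(void)
{
    printf("terminated chain: %d CBs\n", demo_terminated_chain());
    printf("self-link:        %d\n", demo_self_loop());
    printf("two-block cycle:  %d\n", demo_closed_loop());
    return 0;
}
```

A fixed iteration budget is the cheapest defence here because the guest fully controls the link values; a visited-set check would also catch cycles but costs memory proportional to the chain, which the guest likewise controls.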

Kurt Seifried | 25 Nov 05:38 2015



The idea is to create a comprehensive list of shipped certs/keys/etc by
open source vendors/distributions/projects so that:

1) we have a list of secrets maintained by external parties that we rely on
2) we can audit them and make sure we should be trusting them
3) also spot changes more easily (since the existing corpus is available)

I'm guessing there are some surprises waiting for us.

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...
Matthias Geerdsen | 24 Nov 23:09 2015

CVE request: Redmine - information disclosure on the time logging form


Please assign a CVE ID for an information disclosure issue in the
latest Redmine releases (2.6.8, 3.0.6 and 3.1.2) [1]. The issue is
listed at [2] and a commit can be found at [3]. A private bug report
appears to exist at [4].


[1] <http://www.redmine.org/news/102>
[2] <http://www.redmine.org/projects/redmine/wiki/Security_Advisories>
[4] <https://www.redmine.org/issues/21150>
David Jorm | 24 Nov 18:19 2015

CVE request: DoS in ONOS when handling jumbo ethernet frames

It was found that ONOS would throw exceptions when handling jumbo ethernet
frames. The exceptions were not caught and handled, so a remote
unauthenticated attacker could use this flaw to perform a denial-of-service
attack against an ONOS system.

To exploit this issue, the attacker must be able to send a jumbo ethernet
frame to a switch controlled by ONOS. Only the connection between the
controller and the switch generating the packet-in message of the malicious
packet will be affected (disconnected). More details are available here:


An advisory is now live with no CVE ID:


Please assign a CVE ID to this issue. A request was sent to MITRE directly
9 days ago with no answer. We need a CVE ID within the next 24 hours.

David Jorm on behalf of the ONOS security response team
Salvatore Bonaccorso | 24 Nov 12:57 2015

CVE Request: IPTables-Parse: Use of predictable names for temporary files


IPTables-Parse up to 1.6 used temporary files in an insecure way, since
it used predictable filenames. This issue was fixed in 1.6 with the
following commit:


Upstream Changelog:
> (Miloslav Trmač) Fixed a vulnerability to not use predictable names
> for temporary files. This vulnerability would allow an attacker on a
> multi-user system to set up symlinks to overwrite any file the
> current user has write access to. If a user manually overrides the
> temporary file locations with the 'iptout' and 'ipterr' hash keys,
> it is recommended to not use predictable names either.

Can a CVE be assigned for this issue?
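
As an added example (not IPTables-Parse code, which is a Perl module, and not the fix from the commit referenced above), the C program below shows the two properties a temporary file needs on a shared system: an unpredictable name created atomically with an exclusive open (mkstemp(3)), followed by an fstat(2) re-check of what was actually opened. It also shows why the exclusive create matters by planting a dangling symlink at a fixed name inside a private directory and confirming that O_CREAT|O_EXCL refuses to open through it. The directory template, file names and checks are assumptions made for this example.

```c
#define _DEFAULT_SOURCE
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verify that an open descriptor refers to a regular file we own, with a
 * single hard link and no group/other permissions. Checking the fd (not
 * the path) avoids a race between the check and later use. */
int fd_is_private_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           st.st_uid == getuid() && (st.st_mode & 077) == 0;
}

/* Create a temp file with an unpredictable name. mkstemp() replaces the
 * XXXXXX suffix, opens with O_CREAT|O_EXCL and mode 0600, so an attacker
 * cannot pre-create or symlink the name. Returns the fd or -1; the real
 * path is written to path_out for later unlink(). */
int create_private_tempfile(const char *dir, char *path_out, size_t out_len)
{
    int n = snprintf(path_out, out_len, "%s/ipt.XXXXXX", dir);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    if (!fd_is_private_regular_file(fd)) {   /* belt and braces */
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* Plant a dangling symlink at a fixed, predictable name in our own
 * directory (constructed scenario) and confirm that an exclusive create
 * is refused with EEXIST rather than following the link. Returns 1 if
 * the open was correctly refused. */
int exclusive_create_refuses_planted_symlink(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/predictable.out", dir);
    if (symlink("/nonexistent-target", path) != 0)
        return 0;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return refused;
}

/* End-to-end run inside a fresh private directory from mkdtemp(3).
 * Returns 1 when both the safe create and the refusal behave as expected. */
int demo_temp_file_handling(void)
{
    char dir[] = "/tmp/iptparse-demo.XXXXXX";   /* template, suffix replaced */
    if (mkdtemp(dir) == NULL)
        return 0;
    char path[4096];
    int ok = 1;
    int fd = create_private_tempfile(dir, path, sizeof path);
    if (fd < 0) {
        ok = 0;
    } else {
        ok &= strncmp(path, dir, strlen(dir)) == 0;              /* lives in our dir */
        ok &= strcmp(path + strlen(path) - 6, "XXXXXX") != 0;   /* suffix randomised */
        close(fd);
        unlink(path);
    }
    ok &= exclusive_create_refuses_planted_symlink(dir);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("temp file handling OK: %d\n", demo_temp_file_handling());
    return 0;
}
```

The same two ideas carry over to the Perl module: use File::Temp (which wraps mkstemp) instead of a fixed name, and if the user overrides the output locations via the 'iptout' and 'ipterr' keys, open those with O_EXCL too.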


Hanno Böck | 24 Nov 11:33 2015

Heap Overflow in PCRE


The Perl Compatible Regular Expressions (PCRE) library has just
released a new version which fixes a number of security issues.

Fuzzing the pcretest tool uncovered an input leading to a heap overflow
in the function pcre_exec. This bug was found with the help of american
fuzzy lop and address sanitizer.
Upstream bug #1637 (PoC and ASAN trace attached there):
https://bugs.exim.org/show_bug.cgi?id=1637

This is fixed in PCRE 8.38. There are two variants of PCRE, the classic
one and PCRE2. PCRE2 is not affected.

Apart from that a couple of other vulnerabilities found by other
people have been fixed in this release:
Heap overflow in compile_regex
Stack overflow in compile_regex
Heap overflow in compile_regex

If you use PCRE to parse untrusted inputs you should update immediately.


Hanno Böck

(Continue reading)

Christofer Dutz | 23 Nov 15:17 2015

CVE-2015-5255: SSRF vulnerability in Apache Flex BlazeDS 4.7.1

Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: BlazeDS 4.7.0 and 4.7.1
Description: The code in BlazeDS to deserialize AMF XML datatypes allows
so-called SSRF Attacks (Server Side Request Forgery) in which the server
could contact a remote service on behalf of the attacker. The attacker
could hereby circumvent firewall
Mitigation: 4.7.x users should upgrade to 4.7.2
Example: For an XML object containing the following string representation:

"http://protected-server/protected-service"><foo>Some content</foo>
The server could access the url:

Even if directly accessing this resource is prevented by firewall rules.

Credit: This issue was discovered by James Kettle of PortSwigger Ltd.

Christofer Dutz

Yves-Alexis Perez | 21 Nov 14:52 2015

CVE request for LightDM - XDMCP denial of service


It seems that some versions of LightDM (1.14 and 1.16 series) are vulnerable
to a denial of service when the XDMCP server is enabled. When that's the case, an
XDMCP request with no address will crash LightDM.

More information can be found in https://bugs.launchpad.net/lightdm/+bug/1516831
and the bug is fixed with 1.14.4 and 1.16.6 (and development release

Can a CVE be assigned to this?

Thanks in advance,


Hanno Böck | 21 Nov 10:12 2015

Libxml2: Several out of bounds reads



I discovered several out of bounds read issues in Libxml2. The upstream
developers have just released version 2.9.3, which fixes all relevant

A malformed XML file can cause a heap out of bounds read access in the
function xmlParseXMLDecl.
Upstream bug #751603 (sample input attached)
Git commit / fix

A second, very similar issue in the same function xmlParseXMLDecl.
Upstream bug #751631 (sample input attached)
Git commit / fix

A malformed XML file can cause a global out of bounds read access in
the function xmlNextChar. This only affected the git code and was never
an issue in any release version. Upstream bug #751643 (sample input

All three issues above were found with american fuzzy lop and address

Some inputs can cause a stack out of bounds read. This was found by
(Continue reading)

Joe Bowser | 20 Nov 20:39 2015

CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions


Severity: Medium

The Apache Software Foundation

Versions Affected:
Cordova Android 3.7.2 and earlier

Android applications created using Apache Cordova that use a remote server
contain a vulnerability where whitelist restrictions are not properly
Improperly crafted URIs could be used to circumvent the whitelist, allowing
for the execution of non-whitelisted JavaScript.

Upgrade path:
Developers who are concerned about this should rebuild their applications
with Cordova Android 4.1.1 or later and use the new whitelist. Developers
using remote content roots should also use SSL, as well as Content Security
Policy, to further mitigate this issue.

Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc