Red Hat Security Advisory 2017-2636-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that when using remote logging with the log4j socket server, the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.
Ultimate HR System versions 1.2 and below suffer from cross-site scripting and directory traversal vulnerabilities.
Red Hat Security Advisory 2017-2633-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that when using remote logging with the log4j socket server, the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.
NEC EXPRESS CLUSTER comes with Cluster Manager, a Java applet for cluster configuration and management. The underlying web server 'clpwebmc' runs as root and accepts connections on TCP port 29003, which can be initiated without authentication in the default installation.
Mongoose Web Server version 6.5 suffers from cross-site request forgery and remote command execution vulnerabilities.
Debian Linux Security Advisory 3963-1 - Several issues were discovered in Mercurial, a distributed revision control system.
Debian Linux Security Advisory 3962-1 - A denial of service vulnerability in strongSwan, an IKE/IPsec suite, was identified using Google's OSS-Fuzz fuzzing project.
Debian Linux Security Advisory 3961-1 - A double-free vulnerability was discovered in the gdImagePngPtr() function in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a specially crafted file is processed.
Red Hat Security Advisory 2017-2628-01 - KVM is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix: An assertion-failure flaw was found in the Network Block Device server's initial connection negotiation, where the I/O co-routine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.
Red Hat Security Advisory 2017-2585-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix: A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race, the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to privilege escalation.
Red Hat Security Advisory 2017-2569-01 - 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. Security Fix: A flaw was found in the way 389-ds-base handled authentication attempts against locked accounts. A remote attacker could potentially use this flaw to continue password brute-forcing attacks against LDAP accounts, thereby bypassing the protection offered by the directory server's password lockout policy.
Red Hat Security Advisory 2017-2603-01 - The docker-distribution package provides the tool set to support the Docker Registry version 2. The following packages have been upgraded to a later upstream version: docker-distribution. Security Fix: It was found that docker-distribution did not properly restrict memory allocation size for a registry instance through the manifest endpoint. An attacker could send a specially crafted request that would exhaust the memory of the docker-distribution service.
Gentoo Linux Security Advisory 201709-1 - A vulnerability in MCollective might allow remote attackers to execute arbitrary code. Versions less than 2.11.0 are affected.
Ubuntu Security Notice 3409-1 - It was discovered that FontForge was vulnerable to a heap-based buffer over-read. A remote attacker could use a crafted file to cause a denial of service or execute arbitrary code. It was discovered that FontForge was vulnerable to a stack-based buffer overflow. A remote attacker could use a crafted file to cause a denial of service or execute arbitrary code. It was discovered that FontForge was vulnerable to a heap-based buffer overflow. A remote attacker could use a crafted file to cause a denial of service or execute arbitrary code. Various other issues were also addressed.
A2billing version 2.x suffers from backup disclosure, remote code execution, and remote SQL injection vulnerabilities.
A2billing versions 2.1.1 and below suffer from a remote SQL injection vulnerability.