GnuPG (the GNU Privacy Guard or GPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. As such, it is meant to be compatible with PGP from NAI, Inc. Because it does not use any patented algorithms, it can be used without any restrictions.
CA Technologies Support is alerting customers to a potential risk with CA Privileged Access Manager. A vulnerability exists that can allow a remote attacker to access sensitive information or modify configuration. CA published solutions to address the vulnerabilities. CVE-2019-7392 describes a vulnerability resulting from inadequate access controls for the jk-manager and jk-status web service components, which allows a remote attacker to access the CA PAM Web-UI without authentication. Affected versions include 3.2.1 and below, 3.1.2 and below, and 3.0.x releases.
A denial of service issue has been discovered in the Gecko component of KaiOS 2.5 10.05 (platform 48.0.a2) on Nokia 8810 4G devices. When a crafted web page is visited with the internal browser, the Gecko process crashes with a segfault. Successful exploitation could lead to remote code execution on the device.
Raisecom Technology GPON-ONU HT803G-07 suffers from an authenticated command injection vulnerability in the newpass and confpass parameters in /bin/WebMGR.
Raisecom Technology GPON-ONU HT803G-07 suffers from an authenticated command injection vulnerability in the fmgpon_loid parameter.
SYSTORME ISG products ISG-600C, ISG-600H, and ISG-800W suffer from an authenticated command injection vulnerability.
SYSTORME ISG products ISG-600C, ISG-600H, and ISG-800W suffer from a cross-site request forgery vulnerability.
Red Hat Security Advisory 2019-0342-01 - The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include stack overflow vulnerabilities.
Ubuntu Security Notice 3889-1 - A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Ubuntu Security Notice 3890-1 - It was discovered that Django incorrectly handled formatting certain numbers. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
Slackware Security Advisory - New lxc packages are available for Slackware 14.2 and -current to fix a security issue.
Debian Linux Security Advisory 4390-1 - It was discovered that Flatpak, an application deployment framework for desktop apps, insufficiently restricted the execution of "apply_extra" scripts which could potentially result in privilege escalation.
Ubuntu Security Notice 3888-1 - It was discovered that GVfs incorrectly handled certain inputs. An attacker could possibly use this issue to access sensitive information.
This exploit bypasses access control checks to use a restricted API function (POST /v2/snaps) of the local snapd service. This allows the installation of arbitrary snaps. Snaps in "devmode" bypass the sandbox and may include an "install hook" that is run in the context of root at install time. dirty_sockv2 leverages the vulnerability to install an empty "devmode" snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands. As opposed to version one, this does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments. This exploit should also be effective on non-Ubuntu systems that have installed snapd but that do not support the "create-user" API due to incompatible Linux shell syntax. Some older Ubuntu systems (like 16.04) may not have the snapd components installed that are required for sideloading. If this is the case, this version of the exploit may trigger it to install those dependencies. During that installation, snapd may upgrade itself to a non-vulnerable version. Testing shows that the exploit is still successful in this scenario. This is the second of two proof of concepts related to this issue. Versions below 2.37.1 are affected.
This exploit bypasses access control checks to use a restricted API function (POST /v2/create-user) of the local snapd service. This queries the Ubuntu SSO for a username and public SSH key of a provided email address, and then creates a local user based on these values. Successful exploitation for this version requires an outbound Internet connection and an SSH service accessible via localhost. This is one of two proof of concepts related to this issue. Versions below 2.37.1 are affected.
runc versions prior to 1.0-rc6 (Docker < 18.09.2) host command execution proof of concept exploit.