Red Hat Security Advisory 2019-1591-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. An issue was addressed where OAuth access tokens were written in plaintext to the API server audit logs.
875ed960bd02e2d6da0aadd2d47f0640ff931c963517d678060c39a77a556906
GNUnet is a peer-to-peer framework with focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP (IPv4 and IPv6), TCP (IPv4 and IPv6), HTTP, or SMTP messages. GNUnet supports accounting to provide contributing nodes with better service. The primary service build on top of the framework is anonymous file sharing.
98e0355ff0627bf88112b3b92a7522e98c0ae6071fc45efda5a33daed28199b3
Coldfusion versions 2016 and 2018 along with all current versions of JNBridge suffer from a remote code execution vulnerability.
f87b353777ae773d0c72b225ac02ae458075bc752b4b21bb6aaa070c2db3e58d
Ubuntu Security Notice 4038-2 - USN-4038-1 fixed several vulnerabilities in bzip2. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Aladdin Mubaied discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. Various other issues were also addressed.
5af3e4ba4c76321d949ac85669ff8c915024913a50dfa3112a979a45608c3dbe
Ubuntu Security Notice 4038-1 - Aladdin Mubaied discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. It was discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.
674256554b4a99a71c6d4e0f37049b77acba8fba7440b2a3d70deab7378c171b
AMD Secure Encrypted Virtualization (SEV) is a hardware memory encryption feature. SEV protects guest virtual machines from the hypervisor, provides confidentiality guarantees at runtime and remote attestation at launch time. The SEV elliptic-curve (ECC) implementation was found to be vulnerable to an invalid curve attack. At launch-start command, an attacker can send small order ECC points not on the official NIST curves, and force the SEV firmware to multiply a small order point by the firmware's private DH scalar. By collecting enough modular residues, an attacker can recover the complete PDH private key. With the PDH, an attacker can recover the session key and the VM's launch secret. This breaks the confidentiality guarantees offered by SEV.
54e8e560ed6f2e12e8bd0223096ce8c586842a0a89aebf2c3ac2adafd44af784
D-Link models DIR-652, DIR-615, DIR-827, DIR-615, DIR-657, and DIR-825 suffer from an administrative password disclosure vulnerability.
836a2a284ed2a9985417986d306b4db1f5742beca7f44da2a471cb893fd99d6c
WebEx appears to suffer from man-in-the-middle attacks due to accepting any TLS certificates as valid.
22e3cd7a64dcb66910ad59f0e79c228bad57d0d9720924bbaa649a7da3e814a8
This Metasploit module exploits two vulnerabilities in Nagios XI 5.5.6. One allows for unauthenticated remote code execution and another allows for local privilege escalation. When combined, these two vulnerabilities give us a root reverse shell.
497ccf076e88aa8797c172933964fb4ad92dddf4ca42816ab9c5f28af82b486b
Red Hat Security Advisory 2019-1603-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.7.2 ESR.
1c3f2ab92856bea753598266e0cc7112742e48a1357ca4f5bcdf1245036a66c2
Red Hat Security Advisory 2019-1604-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.7.2 ESR.
efd19650a5c49f811bbd4c75bac4c43febd3026a5a92342fc9aa1c76b748f966
Red Hat Security Advisory 2019-1602-01 - The kernel-alt packages provide the Linux kernel version 4.x. Issues addressed include a denial of service vulnerability.
44681c017f6cb6453545b8a6d66047878734200ddb425c65cba895080004b65a
Debian Linux Security Advisory 4471-1 - Multiple security issues have been found in Thunderbird which may lead to the execution of arbitrary code if malformed email messages are read.
4efa717e1288d15a4d933ab0a6403d42fc7d8662286f3a6e0d8b5818ccf16912
Ubuntu Security Notice 4035-1 - It was discovered that Ceph incorrectly handled read only permissions. An authenticated attacker could use this issue to obtain dm-crypt encryption keys. This issue only affected Ubuntu 16.04 LTS. It was discovered that Ceph incorrectly handled certain OMAPs holding bucket indices. An authenticated attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. Various other issues were also addressed.
85436c925c63103095d0ad444af8d9ef4922926097f5c1fdde3ab59dcf521e93
Ubuntu Security Notice 4036-1 - Erik Olof Gunnar Andersson discovered that OpenStack Neutron incorrectly handled certain security group rules in the iptables firewall module. An authenticated attacker could possibly use this issue to block further application of security group rules for other instances.
e4e59fbad634306202b9b1275923fc716c0b615791f01c6e7aa73e2b89177a0b
Ubuntu Security Notice 4034-1 - It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. Due to a large number of issues discovered in GhostScript that prevent it from being used by ImageMagick safely, the update for Ubuntu 18.10 and Ubuntu 19.04 includes a default policy change that disables support for the Postscript and PDF formats in ImageMagick. This policy can be overridden if necessary by using an alternate ImageMagick policy configuration. Various other issues were also addressed.
ecf3a57b2183bd65d70fdbbe614267c9c6cd7c405ee6f4ce6e0d3d339ad01411
Ubuntu Security Notice 4037-1 - The policykit-desktop-privileges Startup Disk Creator policy allowed administrative users to overwrite disks. As a security improvement, this operation now requires authentication.
c5f3ca2d62880c10f006e915b63814648747d70ea633f8c5229865fda1477d3e
Red Hat Security Advisory 2019-1594-01 - The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include a denial of service vulnerability.
42cc94d32edd63d60d4201b04d197d324050b9d1d3c45b0f2c6a12cc47a4bf7f
Ubuntu Security Notice 4033-1 - It was discovered that a libmysofa component does not properly validate multiplications and additions, and may crash with some specific input.
09c6ad3c40f1db2d8e16728433af45b79bd7368acb7ca9b9293a6890e680a595
BlogEngine.NET versions 3.3.6 and 3.3.7 suffer from a path directory traversal vulnerability.
6a2c42641d4296f9a21aee848c4725f2494a67b5f3c258c250034179e2a48cf2
Fortinet FCM-MB40 suffers from remote command execution and cross site request forgery vulnerabilities.
f3304438db41066a361a9c48682e8fe987bd5904a7ad099883d46442445cc1a3
WordPress Live Chat Unlimited plugin version 2.8.3 suffers from a persistent cross site scripting vulnerability.
ab8bc1948bcdc3f2bfb4fe1c92cd333ba1e13b7b2227e3a9a5462063b0160841
WordPress iLive plugin version 1.0.4 suffers from a cross site scripting vulnerability.
fd619811b05b204dfc56b440e51d9beff8359cf1c99ba855c68323667b6eb6f7
SAPIDO RB-1732 version 2.0.43 suffers from a remote command execution vulnerability.
8c2ffa8c45bd6258d34b73f2418379b89138a62e8600141be0baac10df62bde8
SuperDoctor5 implemented a remote command execution plugin in their implementation of NRPE that can be leveraged without authentication.
d6c0429243c969acaf8ffc7a427c26c5b9f2c01b2c9571c53034ba8870bba0d9