The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of CentOS

vulnerability note CVE-2018-12232

Linux kernel: NULL pointer dereference via sock_close/sockfs_setattr

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via sock_close/sockfs_setattr of the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, Linux, RHEL, Ubuntu.
Severity: 1/4.
Creation date: 13/06/2018.
Identifiers: CERTFR-2018-AVI-408, CERTFR-2018-AVI-413, CVE-2018-12232, FEDORA-2018-bb7aab12cb, RHSA-2018:2948-01, USN-3752-1, USN-3752-2, USN-3752-3, VIGILANCE-VUL-26414.

Description of the vulnerability

The Noyau Linux product offers a web service.

However, it does not check if a pointer is NULL, before using it.

An attacker can therefore force a NULL pointer to be dereferenced via sock_close/sockfs_setattr of the Linux kernel, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2017-13166

Linux kernel: privilege escalation via the ioctl system call

Synthesis of the vulnerability

An attacker can bypass restrictions to the Linux kernel memory via an ioctl system call, in order to escalate his privileges.
Impacted products: Debian, Android OS, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 23/02/2018.
Identifiers: CERTFR-2018-AVI-009, CERTFR-2018-AVI-014, CERTFR-2018-AVI-018, CERTFR-2018-AVI-048, CERTFR-2018-AVI-147, CERTFR-2018-AVI-161, CERTFR-2018-AVI-196, CERTFR-2018-AVI-197, CERTFR-2018-AVI-206, CERTFR-2018-AVI-224, CERTFR-2018-AVI-228, CERTFR-2018-AVI-241, CVE-2017-13166, DLA-1349-1, DLA-1369-1, DSA-4082-1, DSA-4120-1, DSA-4120-2, DSA-4179-1, DSA-4187-1, openSUSE-SU-2018:0781-1, RHSA-2018:0676-01, RHSA-2018:1062-01, RHSA-2018:1130-01, RHSA-2018:1170-01, RHSA-2018:1319-01, RHSA-2018:2948-01, SUSE-SU-2018:0031-1, SUSE-SU-2018:0040-1, SUSE-SU-2018:0171-1, SUSE-SU-2018:0785-1, SUSE-SU-2018:0786-1, SUSE-SU-2018:0834-1, SUSE-SU-2018:0848-1, SUSE-SU-2018:0986-1, SUSE-SU-2018:1080-1, SUSE-SU-2018:1172-1, SUSE-SU-2018:1309-1, VIGILANCE-VUL-25359.

Description of the vulnerability

An attacker can bypass restrictions to the Linux kernel memory via an ioctl system call, in order to escalate his privileges.

A detailed analysis was not performed for this bulletin.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2018-1000026

Linux kernel: denial of service via the bnx2x driver

Synthesis of the vulnerability

An attacker can block the netword card drived by the bnx2x module of the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, Linux, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 12/02/2018.
Identifiers: CERTFR-2018-AVI-147, CERTFR-2018-AVI-165, CERTFR-2018-AVI-170, CERTFR-2018-AVI-196, CERTFR-2018-AVI-198, CVE-2018-1000026, FEDORA-2018-03a6606cb5, FEDORA-2018-7a62047e30, FEDORA-2018-884a105c04, openSUSE-SU-2018:0781-1, RHSA-2018:2948-01, RHSA-2018:3083-01, RHSA-2018:3096-01, SUSE-SU-2018:0785-1, SUSE-SU-2018:0786-1, SUSE-SU-2018:0986-1, USN-3617-1, USN-3617-2, USN-3617-3, USN-3619-1, USN-3619-2, USN-3620-1, USN-3620-2, USN-3632-1, VIGILANCE-VUL-25279.

Description of the vulnerability

An attacker can block the netword card drived by the bnx2x module of the Linux kernel, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability announce CVE-2018-1053

PostgreSQL: password disclosure via pg_upgrade

Synthesis of the vulnerability

The tool "pg_upgrade" creates world readable temporary files including passwords.
Impacted products: Debian, openSUSE Leap, PostgreSQL, RHEL, Ubuntu, WindRiver Linux.
Severity: 2/4.
Creation date: 08/02/2018.
Identifiers: CVE-2018-1053, DLA-1271-1, openSUSE-SU-2018:0523-1, openSUSE-SU-2018:0529-1, openSUSE-SU-2018:0688-1, RHSA-2018:2511-01, RHSA-2018:2566-01, USN-3564-1, VIGILANCE-VUL-25242.

Description of the vulnerability

The tool "pg_upgrade" creates world readable temporary files including passwords.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability CVE-2018-5750

Linux kernel: adress disclosure via the boot log

Synthesis of the vulnerability

A local attacker can read the log file for kernel boot messages, in order to get kernel addresses.
Impacted products: Debian, Fedora, Linux, RHEL, Ubuntu.
Severity: 1/4.
Creation date: 29/01/2018.
Identifiers: CERTFR-2018-AVI-198, CERTFR-2018-AVI-321, CVE-2018-5750, DLA-1349-1, DLA-1369-1, DSA-4120-1, DSA-4120-2, DSA-4179-1, DSA-4187-1, FEDORA-2018-884a105c04, FEDORA-2018-d09a73ce72, FEDORA-2018-d82b617d6c, RHSA-2018:0676-01, RHSA-2018:1062-01, RHSA-2018:2948-01, USN-3631-1, USN-3631-2, USN-3697-1, USN-3697-2, USN-3698-1, USN-3698-2, VIGILANCE-VUL-25170.

Description of the vulnerability

A local attacker can read the log file for kernel boot messages, in order to get kernel addresses.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2017-12193

Linux kernel: NULL pointer dereference via assoc_array_apply_edit

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced via assoc_array_apply_edit() of the Linux kernel, in order to trigger a denial of service.
Impacted products: Fedora, Linux, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 1/4.
Creation date: 02/11/2017.
Identifiers: CERTFR-2017-AVI-448, CERTFR-2017-AVI-454, CERTFR-2017-AVI-458, CERTFR-2018-AVI-321, CVE-2017-12193, FEDORA-2017-38b37120a2, FEDORA-2017-9fbb35aeda, FEDORA-2018-884a105c04, openSUSE-SU-2017:3358-1, openSUSE-SU-2017:3359-1, RHSA-2018:0151-01, SUSE-SU-2017:3210-1, SUSE-SU-2017:3249-1, SUSE-SU-2017:3398-1, SUSE-SU-2017:3410-1, USN-3507-1, USN-3507-2, USN-3509-1, USN-3509-2, USN-3509-3, USN-3509-4, USN-3698-1, USN-3698-2, VIGILANCE-VUL-24308.

Description of the vulnerability

The Noyau Linux product offers a web service.

However, it does not check if a pointer is NULL, before using it.

An attacker can therefore force a NULL pointer to be dereferenced via assoc_array_apply_edit() of the Linux kernel, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert CVE-2017-12171

RHEL 6.9: Apache httpd Allow bypassed via hash

Synthesis of the vulnerability

An attacker can bypass Allow rules of RHEL 6.9 Apache httpd, in order to access to forbidden resources.
Impacted products: RHEL.
Severity: 3/4.
Creation date: 20/10/2017.
Identifiers: 1493056, CVE-2017-12171, RHSA-2017:2972-01, VIGILANCE-VUL-24191.

Description of the vulnerability

The RHEL 6.9 product offers a specific version of Apache httpd.

However, in this version, '#' characters in the Allow directives are converted to "Allow All".

An attacker can therefore bypass Allow rules of RHEL 6.9 Apache httpd, in order to access to forbidden resources.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce CVE-2017-5121 CVE-2017-5122

Google Chrome: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Google Chrome.
Impacted products: Debian, Fedora, Chrome, openSUSE Leap, Opera, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Creation date: 22/09/2017.
Identifiers: CERTFR-2017-AVI-318, CVE-2017-5121, CVE-2017-5122, DSA-3985-1, FEDORA-2017-efeb59171d, openSUSE-SU-2017:2557-1, openSUSE-SU-2017:2558-1, RHSA-2017:2792-01, VIGILANCE-VUL-23907.

Description of the vulnerability

Several vulnerabilities were announced in Google Chrome.

An attacker can generate a memory corruption via V8, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2017-5121]

An attacker can generate a memory corruption via V8, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2017-5122]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2017-0899 CVE-2017-0900 CVE-2017-0901

Ruby: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Ruby.
Impacted products: Debian, Fedora, RHEL, Slackware, Ubuntu.
Severity: 2/4.
Creation date: 06/09/2017.
Identifiers: CVE-2017-0899, CVE-2017-0900, CVE-2017-0901, CVE-2017-0902, DLA-1112-1, DLA-1114-1, DLA-1421-1, DSA-3966-1, FEDORA-2017-20214ad330, FEDORA-2017-e136d63c99, RHSA-2017:3485-01, RHSA-2018:0378-01, RHSA-2018:0583-01, RHSA-2018:0585-01, SSA:2017-261-03, USN-3439-1, USN-3553-1, USN-3685-1, VIGILANCE-VUL-23733.

Description of the vulnerability

Several vulnerabilities were announced in Ruby.

An unknown vulnerability was announced via Terminal Escape Sequences. [severity:1/4; CVE-2017-0899]

An attacker can trigger a fatal error via RubyGems Client, in order to trigger a denial of service. [severity:2/4; CVE-2017-0900]

An attacker can bypass access restrictions via RubyGems Client, in order to overwrite a file. [severity:2/4; CVE-2017-0901]

An attacker can bypass access restrictions via DNS Hijacking, in order to read or alter data. [severity:2/4; CVE-2017-0902]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability alert CVE-2017-13738 CVE-2017-13739 CVE-2017-13740

Liblouis: seven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Liblouis.
Impacted products: Fedora, openSUSE Leap, Solaris, RHEL, Ubuntu.
Severity: 3/4.
Creation date: 05/09/2017.
Identifiers: bulletinjul2018, CVE-2017-13738, CVE-2017-13739, CVE-2017-13740, CVE-2017-13741, CVE-2017-13742, CVE-2017-13743, CVE-2017-13744, FEDORA-2017-2c9852dd05, FEDORA-2017-f9f6398158, openSUSE-SU-2017:2639-1, RHSA-2017:3111-01, USN-3408-1, VIGILANCE-VUL-23726.

Description of the vulnerability

Several vulnerabilities were announced in Liblouis.

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2017-13738]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2017-13739]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2017-13740]

An attacker can force the usage of a freed memory area via compileBrailleIndicator(), in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2017-13741]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2017-13742]

An attacker can generate a buffer overflow via _lou_showString(), in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2017-13743]

An attacker can bypass security features, in order to obtain sensitive information. [severity:2/4; CVE-2017-13744]
Complete Vigil@nce bulletin.... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about CentOS: