The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Slackware

computer vulnerability alert CVE-2017-13721

X.Org Server: memory corruption via Xext/shm Shmseg Resource Id

Synthesis of the vulnerability

An attacker can generate a memory corruption via Xext/shm Shmseg Resource Id of X.Org Server, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Solaris, Slackware, Ubuntu, XOrg Bundle ~ not comprehensive.
Severity: 2/4.
Creation date: 05/10/2017.
Identifiers: bulletinjan2018, CVE-2017-13721, DSA-4000-1, SSA:2017-279-03, USN-3453-1, VIGILANCE-VUL-24026.

Description of the vulnerability

An attacker can generate a memory corruption via Xext/shm Shmseg Resource Id of X.Org Server, in order to trigger a denial of service, and possibly to run code.

A detailed analysis was not performed for this bulletin.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2017-0899 CVE-2017-0900 CVE-2017-0901

Ruby: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Ruby.
Impacted products: Debian, Fedora, RHEL, Slackware, Ubuntu.
Severity: 2/4.
Creation date: 06/09/2017.
Identifiers: CVE-2017-0899, CVE-2017-0900, CVE-2017-0901, CVE-2017-0902, DLA-1112-1, DLA-1114-1, DLA-1421-1, DSA-3966-1, FEDORA-2017-20214ad330, FEDORA-2017-e136d63c99, RHSA-2017:3485-01, RHSA-2018:0378-01, RHSA-2018:0583-01, RHSA-2018:0585-01, SSA:2017-261-03, USN-3439-1, USN-3553-1, USN-3685-1, VIGILANCE-VUL-23733.

Description of the vulnerability

Several vulnerabilities were announced in Ruby.

An unknown vulnerability was announced via Terminal Escape Sequences. [severity:1/4; CVE-2017-0899]

An attacker can trigger a fatal error via RubyGems Client, in order to trigger a denial of service. [severity:2/4; CVE-2017-0900]

An attacker can bypass access restrictions via RubyGems Client, in order to overwrite a file. [severity:2/4; CVE-2017-0901]

An attacker can bypass access restrictions via DNS Hijacking, in order to read or alter data. [severity:2/4; CVE-2017-0902]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101

curl: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of curl.
Impacted products: OpenOffice, Mac OS X, curl, Debian, Fedora, Android OS, Juniper EX-Series, Junos OS, SRX-Series, openSUSE Leap, Solaris, RHEL, Slackware, Ubuntu, WindRiver Linux, VxWorks.
Severity: 3/4.
Creation date: 09/08/2017.
Identifiers: 2011879, bulletinapr2018, CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101, DLA-1062-1, DSA-3992-1, FEDORA-2017-f1ffd18079, FEDORA-2017-f2df9d7772, HT208221, JSA10874, K-511316, openSUSE-SU-2017:2205-1, RHSA-2018:3558-01, SSA:2017-221-01, USN-3441-1, USN-3441-2, VIGILANCE-VUL-23481.

Description of the vulnerability

Several vulnerabilities were announced in curl.

An attacker can force a read at an invalid address via Globbing, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2017-1000101]

An attacker can generate a buffer overflow via TFTP, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2017-1000100]

An attacker can force a read at an invalid address via FILE, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2017-1000099]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce CVE-2017-3142 CVE-2017-3143

ISC BIND: two vulnerabilities via TSIG Authentication

Synthesis of the vulnerability

An attacker can use several vulnerabilities via TSIG Authentication of ISC BIND.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, AIX, BIND, Junos OS, SRX-Series, NetBSD, openSUSE Leap, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Creation date: 30/06/2017.
Revision date: 07/07/2017.
Identifiers: AA-01503, AA-01504, bulletinjan2018, CERTFR-2017-AVI-199, CVE-2017-3142, CVE-2017-3143, DLA-1025-1, DLA-1025-2, DSA-3904-1, DSA-3904-2, FEDORA-2017-001f135337, FEDORA-2017-167cfa7b09, FEDORA-2017-59127a606c, FEDORA-2017-d04f7ddd73, HPESBUX03772, JSA10875, K02230327, K59448931, openSUSE-SU-2017:1809-1, RHSA-2017:1679-01, RHSA-2017:1680-01, SSA:2017-180-02, SUSE-SU-2017:1736-1, SUSE-SU-2017:1737-1, SUSE-SU-2017:1738-1, USN-3346-1, USN-3346-2, USN-3346-3, VIGILANCE-VUL-23107.

Description of the vulnerability

Several vulnerabilities were announced in ISC BIND.

An attacker can use a Zone Transfer, in order to obtain sensitive information. [severity:2/4; AA-01504, CVE-2017-3142]

An attacker can use a Dynamic Update, in order to alter a zone. [severity:3/4; AA-01503, CERTFR-2017-AVI-199, CVE-2017-3143]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2017-1000367 CVE-2017-1000368

sudo: privilege escalation via the parsing of /proc/pid/stat

Synthesis of the vulnerability

A local attacker can tamper with the parsing of /proc/[pid]/stat by sudo, in order to escalate his privileges.
Impacted products: Debian, Fedora, Junos Space, McAfee Web Gateway, openSUSE Leap, RHEL, Slackware, Sudo, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, InterScan Messaging Security Suite, Ubuntu, WindRiver Linux.
Severity: 2/4.
Creation date: 30/05/2017.
Revision date: 15/06/2017.
Identifiers: 1117723, CERTFR-2017-AVI-238, CERTFR-2017-AVI-365, CVE-2017-1000367, CVE-2017-1000368, DLA-1011-1, DLA-970-1, DSA-3867-1, FEDORA-2017-54580efa82, FEDORA-2017-8b250ebe97, FEDORA-2017-facd994774, JSA10824, JSA10826, openSUSE-SU-2017:1455-1, openSUSE-SU-2017:1697-1, RHSA-2017:1381-01, RHSA-2017:1382-01, RHSA-2017:1574-01, SB10205, SSA:2017-150-01, SUSE-SU-2017:1446-1, SUSE-SU-2017:1450-1, SUSE-SU-2017:1626-1, SUSE-SU-2017:1627-1, SUSE-SU-2017:1778-1, Synology-SA-17:19, USN-3304-1, VIGILANCE-VUL-22865.

Description of the vulnerability

The sudo product looks for its controlling tty.

Fot that, it reads the file /proc/pid/stat. However, the parsing of this file is wrong. An attacker can tamper with the program path to make sudo write into any file with root privileges.

A local attacker can therefore tamper with the parsing of /proc/[pid]/stat by sudo, in order to escalate his privileges.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability CVE-2017-3140 CVE-2017-3141

ISC BIND: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of ISC BIND.
Impacted products: Fedora, HP-UX, BIND, Data ONTAP, Solaris, Slackware.
Severity: 3/4.
Creation date: 15/06/2017.
Identifiers: bulletinjul2018, CERTFR-2017-AVI-184, CVE-2017-3140, CVE-2017-3141, FEDORA-2017-001f135337, FEDORA-2017-167cfa7b09, FEDORA-2017-59127a606c, FEDORA-2017-d04f7ddd73, HPESBUX03772, NTAP-20180926-0001, NTAP-20180926-0002, NTAP-20180926-0003, NTAP-20180926-0004, NTAP-20180926-0005, NTAP-20180927-0001, SSA:2017-165-01, VIGILANCE-VUL-22980.

Description of the vulnerability

Several vulnerabilities were announced in ISC BIND.

An attacker can trigger an endless loop when Response Policy Zones are used, in order to trigger a denial of service. [severity:3/4; CVE-2017-3140]

On MS-Windows, an attacker can make Windows run his own program as the BIND service, thanks to a mishandling of spaces in paths. [severity:2/4; CVE-2017-3141]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2017-5461 CVE-2017-5462

Mozilla NSS: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Mozilla NSS.
Impacted products: Blue Coat CAS, Debian, Fedora, Firefox, NSS, Thunderbird, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Identity Management, Oracle iPlanet Web Server, Solaris, Tuxedo, WebLogic, Oracle Web Tier, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, Ubuntu.
Severity: 4/4.
Creation date: 20/04/2017.
Identifiers: bulletinapr2017, CERTFR-2017-AVI-126, CERTFR-2017-AVI-134, cpujan2018, cpuoct2017, CVE-2017-5461, CVE-2017-5462, DLA-906-1, DLA-946-1, DSA-3831-1, DSA-3872-1, FEDORA-2017-31c64a0bbf, FEDORA-2017-82265ed89e, FEDORA-2017-87e23bcc34, FEDORA-2017-9042085060, MFSA-2017-10, MFSA-2017-11, MFSA-2017-12, MFSA-2017-13, openSUSE-SU-2017:1099-1, openSUSE-SU-2017:1196-1, openSUSE-SU-2017:1268-1, RHSA-2017:1100-01, RHSA-2017:1101-01, RHSA-2017:1102-01, RHSA-2017:1103-01, SA150, SSA:2017-112-01, SSA:2017-114-01, SUSE-SU-2017:1175-1, SUSE-SU-2017:1248-1, SUSE-SU-2017:1669-1, SUSE-SU-2017:2235-1, USN-3260-1, USN-3260-2, USN-3270-1, USN-3278-1, USN-3372-1, VIGILANCE-VUL-22505.

Description of the vulnerability

An attacker can use several vulnerabilities of Mozilla NSS.

An attacker can generate a buffer overflow via Base64 Decoding, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2017-5461]

An attacker can bypass security features via DRBG Number Generation, in order to obtain sensitive information. [severity:2/4; CVE-2017-5462]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2017-3136 CVE-2017-3137 CVE-2017-3138

ISC BIND: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of ISC BIND.
Impacted products: Debian, Fedora, HP-UX, BIND, Juniper J-Series, Junos OS, SRX-Series, openSUSE Leap, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Creation date: 13/04/2017.
Identifiers: bulletinjul2018, CERTFR-2017-AVI-112, CVE-2017-3136, CVE-2017-3137, CVE-2017-3138, DLA-957-1, DSA-3854-1, FEDORA-2017-0a876b0ba5, FEDORA-2017-44e494db1e, FEDORA-2017-edce28f24b, FEDORA-2017-ee4b0f53cb, HPESBUX03747, JSA10809, JSA10810, JSA10811, JSA10813, JSA10814, JSA10816, JSA10817, JSA10818, JSA10820, JSA10821, JSA10822, JSA10825, JSA10875, openSUSE-SU-2017:1063-1, RHSA-2017:1095-01, RHSA-2017:1105-01, RHSA-2017:1582-01, RHSA-2017:1583-01, SSA:2017-103-01, SUSE-SU-2017:0998-1, SUSE-SU-2017:0999-1, SUSE-SU-2017:1027-1, USN-3259-1, VIGILANCE-VUL-22445.

Description of the vulnerability

Several vulnerabilities were announced in ISC BIND.

An attacker can force an assertion error via DNS64 break-dnssec, in order to trigger a denial of service. [severity:3/4; CVE-2017-3136]

An attacker can trigger a fatal error via CNAME Response Ordering, in order to trigger a denial of service. [severity:3/4; CVE-2017-3137]

An attacker can force an assertion error via Null Command String, in order to trigger a denial of service. [severity:2/4; CVE-2017-3138]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability bulletin CVE-2014-3694 CVE-2014-3695 CVE-2014-3696

Pidgin: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Pidgin.
Impacted products: Debian, Fedora, openSUSE, openSUSE Leap, Solaris, RHEL, Slackware, Ubuntu.
Severity: 2/4.
Creation date: 05/04/2017.
Identifiers: CVE-2014-3694, CVE-2014-3695, CVE-2014-3696, CVE-2014-3697, CVE-2014-3698, DSA-3055-1, FEDORA-2014-14069, openSUSE-SU-2014:1376-1, openSUSE-SU-2014:1397-1, openSUSE-SU-2017:0925-1, RHSA-2017:1854-01, SSA:2014-296-02, USN-2390-1, VIGILANCE-VUL-22333.

Description of the vulnerability

Several vulnerabilities were announced in Pidgin.

An attacker can act as a Man-in-the-Middle via SSL/TLS, in order to read or write data in the session. [severity:2/4; CVE-2014-3694]

An attacker can trigger a fatal error via MXit Protocol, in order to trigger a denial of service. [severity:2/4; CVE-2014-3695]

An attacker can trigger a fatal error via Groupwise Server Message, in order to trigger a denial of service. [severity:2/4; CVE-2014-3696]

An attacker can traverse directories via untar_block, in order to read a file outside the root path. [severity:2/4; CVE-2014-3697]

An attacker can bypass security features via jabber_idn_validate(), in order to obtain sensitive information. [severity:2/4; CVE-2014-3698]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce CVE-2016-9042 CVE-2017-6451 CVE-2017-6452

NTP.org: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of NTP.org.
Impacted products: Mac OS X, Blue Coat CAS, BIG-IP Hardware, TMOS, Fedora, FreeBSD, AIX, McAfee Web Gateway, Meinberg NTP Server, NetBSD, NTP.org, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, RHEL, Slackware, Spectracom SecureSync, Symantec Content Analysis, Synology DSM, Synology DS***, Synology RS***, Ubuntu, VxWorks.
Severity: 2/4.
Creation date: 22/03/2017.
Revision date: 30/03/2017.
Identifiers: APPLE-SA-2017-09-25-1, bulletinapr2017, CVE-2016-9042, CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-6458, CVE-2017-6459, CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, FEDORA-2017-5ebac1c112, FEDORA-2017-72323a442f, FreeBSD-SA-17:03.ntp, HT208144, K02951273, K07082049, K32262483, K-511308, K99254031, NTP-01-002, NTP-01-003, NTP-01-004, NTP-01-007, NTP-01-008, NTP-01-009, NTP-01-012, NTP-01-014, NTP-01-016, PAN-SA-2017-0022, RHSA-2017:3071-01, RHSA-2018:0855-01, SA147, SB10201, SSA:2017-112-02, TALOS-2016-0260, USN-3349-1, VIGILANCE-VUL-22217, VU#633847.

Description of the vulnerability

Several vulnerabilities were announced in NTP.org.

An attacker can tamper with packet timestamp, in order to make target trafic dropped. [severity:2/4; CVE-2016-9042]

An attacker can generate a buffer overflow via ntpq, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2017-6460, NTP-01-002]

An attacker can generate a buffer overflow via mx4200_send(), in order to trigger a denial of service, and possibly to run code. [severity:1/4; CVE-2017-6451, NTP-01-003]

An attacker can generate a buffer overflow via ctl_put(), in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2017-6458, NTP-01-004]

An attacker can generate a buffer overflow via addKeysToRegistry(), in order to trigger a denial of service, and possibly to run code. [severity:1/4; CVE-2017-6459, NTP-01-007]

An attacker can generate a buffer overflow in the MS-Windows installer, in order to trigger a denial of service, and possibly to run code. [severity:1/4; CVE-2017-6452, NTP-01-008]

An attacker can define the PPSAPI_DLLS environment variable, in order to make the server run a library with hight privileges. [severity:2/4; CVE-2017-6455, NTP-01-009]

An authenticated attacker can submit an invalid configuration directive, to trigger a denial of service. [severity:2/4; CVE-2017-6463, NTP-01-012]

A privileged attacker can generate a buffer overflow via datum_pts_receive(), in order to trigger a denial of service, and possibly to run code. [severity:1/4; CVE-2017-6462, NTP-01-014]

An authenticated attacker can submit an invalid configuration directive "mode", to trigger a denial of service. [severity:2/4; CVE-2017-6464, NTP-01-016]
Complete Vigil@nce bulletin.... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Slackware: