The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Solaris

computer vulnerability announce CVE-2017-3142 CVE-2017-3143

ISC BIND: two vulnerabilities via TSIG Authentication

Synthesis of the vulnerability

An attacker can use several vulnerabilities via TSIG Authentication of ISC BIND.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, AIX, BIND, Junos OS, SRX-Series, NetBSD, openSUSE Leap, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Creation date: 30/06/2017.
Revision date: 07/07/2017.
Identifiers: AA-01503, AA-01504, bulletinjan2018, CERTFR-2017-AVI-199, CVE-2017-3142, CVE-2017-3143, DLA-1025-1, DLA-1025-2, DSA-3904-1, DSA-3904-2, FEDORA-2017-001f135337, FEDORA-2017-167cfa7b09, FEDORA-2017-59127a606c, FEDORA-2017-d04f7ddd73, HPESBUX03772, JSA10875, K02230327, K59448931, openSUSE-SU-2017:1809-1, RHSA-2017:1679-01, RHSA-2017:1680-01, SSA:2017-180-02, SUSE-SU-2017:1736-1, SUSE-SU-2017:1737-1, SUSE-SU-2017:1738-1, USN-3346-1, USN-3346-2, USN-3346-3, VIGILANCE-VUL-23107.

Description of the vulnerability

Several vulnerabilities were announced in ISC BIND.

An attacker can use a Zone Transfer, in order to obtain sensitive information. [severity:2/4; AA-01504, CVE-2017-3142]

An attacker can use a Dynamic Update, in order to alter a zone. [severity:3/4; AA-01503, CERTFR-2017-AVI-199, CVE-2017-3143]

vulnerability bulletin CVE-2017-11142 CVE-2017-11143 CVE-2017-11144

PHP: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP.
Impacted products: Debian, Fedora, openSUSE Leap, Solaris, PHP, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 05/07/2017.
Identifiers: 73807, 74145, 74651, 74819, bulletinapr2018, CERTFR-2017-AVI-204, CVE-2017-11142, CVE-2017-11143, CVE-2017-11144, CVE-2017-11145, CVE-2017-11146-REJECT, DLA-1034-1, DSA-4080-1, DSA-4081-1, FEDORA-2017-5ade380ab2, FEDORA-2017-b674dc22ad, FEDORA-2017-b8bb4b86e2, openSUSE-SU-2017:2337-1, openSUSE-SU-2017:2366-1, RHSA-2018:1296-01, SUSE-SU-2017:2303-1, USN-3382-1, USN-3382-2, VIGILANCE-VUL-23133.

Description of the vulnerability

Several vulnerabilities were announced in PHP.

An attacker can generate a memory corruption via a malformed X.509 certificate, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 74651, CVE-2017-11144]

An attacker can read a memory fragment via php_parse_date(), in order to obtain sensitive information. [severity:1/4; 74819, CVE-2017-11145, CVE-2017-11146-REJECT]

An attacker can trigger server overload with POST requests over 2Mb. [severity:1/4; 73807, CVE-2017-11142]

An attacker can trigger a wrong memory free which leads to a fatal exception. [severity:2/4; 74145, CVE-2017-11143]

computer vulnerability alert CVE-2017-10788 CVE-2017-10789

Perl DBD-mysql: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Perl DBD-mysql.
Impacted products: Debian, Fedora, openSUSE Leap, Solaris, Perl Module ~ not comprehensive, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 03/07/2017.
Identifiers: bulletinjul2018, CVE-2017-10788, CVE-2017-10789, DLA-1079-1, FEDORA-2017-42e41e9d25, FEDORA-2017-486371ff24, FEDORA-2017-874bd165c0, openSUSE-SU-2018:1463-1, SUSE-SU-2018:1449-1, SUSE-SU-2018:1450-1, VIGILANCE-VUL-23116.

Description of the vulnerability

Several vulnerabilities were announced in Perl DBD-mysql.

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2017-10788]

The module may silently skip TLS, without any failure notification, even when the application requested it. [severity:1/4; CVE-2017-10789]

vulnerability CVE-2017-3140 CVE-2017-3141

ISC BIND: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of ISC BIND.
Impacted products: Fedora, HP-UX, BIND, Data ONTAP, Solaris, Slackware.
Severity: 3/4.
Creation date: 15/06/2017.
Identifiers: bulletinjul2018, CERTFR-2017-AVI-184, CVE-2017-3140, CVE-2017-3141, FEDORA-2017-001f135337, FEDORA-2017-167cfa7b09, FEDORA-2017-59127a606c, FEDORA-2017-d04f7ddd73, HPESBUX03772, NTAP-20180926-0001, NTAP-20180926-0002, NTAP-20180926-0003, NTAP-20180926-0004, NTAP-20180926-0005, NTAP-20180927-0001, SSA:2017-165-01, VIGILANCE-VUL-22980.

Description of the vulnerability

Several vulnerabilities were announced in ISC BIND.

An attacker can trigger an endless loop when Response Policy Zones are used, in order to trigger a denial of service. [severity:3/4; CVE-2017-3140]

On MS-Windows, an attacker can make Windows run their own program as the BIND service, due to a mishandling of spaces in paths. [severity:2/4; CVE-2017-3141]

computer vulnerability alert CVE-2017-4965 CVE-2017-4967

RabbitMQ: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of RabbitMQ.
Impacted products: Solaris, RabbitMQ.
Severity: 2/4.
Creation date: 14/06/2017.
Identifiers: bulletinapr2017, CVE-2017-4965, CVE-2017-4967, VIGILANCE-VUL-22976.

Description of the vulnerability

Several vulnerabilities were announced in RabbitMQ.

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2017-4965, CVE-2017-4967]

An attacker can retrieve credentials in the browser storage area which is managed by the Web application. [severity:2/4]

computer vulnerability announce CVE-2017-5664

Apache Tomcat: error page tampering

Synthesis of the vulnerability

An attacker can trigger an HTTP error in Apache Tomcat, in order to corrupt the error page documents.
Impacted products: Tomcat, Blue Coat CAS, Debian, Fedora, HP-UX, Junos Space, MySQL Community, MySQL Enterprise, openSUSE Leap, Oracle Fusion Middleware, Solaris, Tuxedo, WebLogic, Percona Server, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, Ubuntu.
Severity: 2/4.
Creation date: 06/06/2017.
Identifiers: bulletinjul2017, cpuapr2018, CVE-2017-5664, DLA-996-1, DSA-3891-1, DSA-3892-1, FEDORA-2017-63789c8c29, FEDORA-2017-e4638a345c, HPESBUX03828, JSA10838, openSUSE-SU-2017:3069-1, RHSA-2017:1801-01, RHSA-2017:1802-01, RHSA-2017:1809-01, RHSA-2017:2493-01, RHSA-2017:2494-01, RHSA-2017:2633-01, RHSA-2017:2635-01, RHSA-2017:2636-01, RHSA-2017:2637-01, RHSA-2017:2638-01, RHSA-2017:3080-01, RHSA-2017:3081-01, SA156, SUSE-SU-2017:3039-1, SUSE-SU-2017:3059-1, SUSE-SU-2017:3279-1, SUSE-SU-2018:1847-1, USN-3519-1, VIGILANCE-VUL-22907.

Description of the vulnerability

The Apache Tomcat product offers a web service.

HTTP error pages may be customized. However, when the page content is provided by a static document instead of a servlet output, Tomcat allows this source document to be tampered with.

An attacker can therefore trigger an HTTP error in Apache Tomcat, in order to corrupt the error page documents.

computer vulnerability alert CVE-2017-9343 CVE-2017-9344 CVE-2017-9345

Wireshark: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Wireshark.
Impacted products: Fedora, openSUSE Leap, Solaris, Wireshark.
Severity: 2/4.
Creation date: 02/06/2017.
Identifiers: bulletinjul2017, CVE-2017-9343, CVE-2017-9344, CVE-2017-9345, CVE-2017-9346, CVE-2017-9347, CVE-2017-9348, CVE-2017-9349, CVE-2017-9350, CVE-2017-9351, CVE-2017-9352, CVE-2017-9353, CVE-2017-9354, FEDORA-2017-5f15bf15cf, FEDORA-2017-f0509fbf37, openSUSE-SU-2017:1534-1, openSUSE-SU-2017:1958-1, VIGILANCE-VUL-22886, wnpa-sec-2017-22, wnpa-sec-2017-23, wnpa-sec-2017-24, wnpa-sec-2017-25, wnpa-sec-2017-26, wnpa-sec-2017-27, wnpa-sec-2017-28, wnpa-sec-2017-29, wnpa-sec-2017-30, wnpa-sec-2017-31, wnpa-sec-2017-32, wnpa-sec-2017-33.

Description of the vulnerability

Several vulnerabilities were announced in Wireshark.

An attacker can generate an infinite loop via Bazaar, in order to trigger a denial of service. [severity:2/4; CVE-2017-9352, wnpa-sec-2017-22]

An attacker can force a read at an invalid address via DOF, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2017-9348, wnpa-sec-2017-23]

An attacker can force a read at an invalid address via DHCP, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2017-9351, wnpa-sec-2017-24]

An attacker can generate an infinite loop via SoulSeek, in order to trigger a denial of service. [severity:2/4; CVE-2017-9346, wnpa-sec-2017-25]

An attacker can generate an infinite loop via DNS, in order to trigger a denial of service. [severity:2/4; CVE-2017-9345, wnpa-sec-2017-26]

An attacker can generate an infinite loop via DICOM, in order to trigger a denial of service. [severity:2/4; CVE-2017-9349, wnpa-sec-2017-27]

An attacker can create a memory leak via openSAFETY, in order to trigger a denial of service. [severity:2/4; CVE-2017-9350, wnpa-sec-2017-28]

An attacker can trigger a fatal error via BT L2CAP, in order to trigger a denial of service. [severity:2/4; CVE-2017-9344, wnpa-sec-2017-29]

An attacker can send malicious MSNIP packets, in order to trigger a denial of service. [severity:2/4; CVE-2017-9343, wnpa-sec-2017-30]

An attacker can send malicious ROS packets, in order to trigger a denial of service. [severity:2/4; CVE-2017-9347, wnpa-sec-2017-31]

An attacker can send malicious RGMP packets, in order to trigger a denial of service. [severity:2/4; CVE-2017-9354, wnpa-sec-2017-32]

An attacker can send malicious IPv6 packets, in order to trigger a denial of service. [severity:1/4; CVE-2017-9353, wnpa-sec-2017-33]

computer vulnerability bulletin CVE-2017-8343 CVE-2017-8344 CVE-2017-8345

GraphicsMagick, ImageMagick: fifteen vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of GraphicsMagick/ImageMagick.
Impacted products: Debian, Fedora, openSUSE Leap, Solaris, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 29/05/2017.
Revision date: 29/05/2017.
Identifiers: bulletinapr2017, CVE-2017-8343, CVE-2017-8344, CVE-2017-8345, CVE-2017-8346, CVE-2017-8347, CVE-2017-8348, CVE-2017-8349, CVE-2017-8350, CVE-2017-8351, CVE-2017-8352, CVE-2017-8353, CVE-2017-8354, CVE-2017-8355, CVE-2017-8356, CVE-2017-8357, DLA-1081-1, DLA-960-1, DSA-3863-1, FEDORA-2017-3a568adb31, FEDORA-2017-8f27031c8f, openSUSE-SU-2017:1413-1, openSUSE-SU-2017:1560-1, openSUSE-SU-2017:1798-1, SUSE-SU-2017:2229-1, USN-3302-1, VIGILANCE-VUL-22818.

Description of the vulnerability

Several vulnerabilities were announced in GraphicsMagick/ImageMagick.

An attacker can create a memory leak via ReadAAIImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8343]

An attacker can create a memory leak via ReadPCXImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8344]

An attacker can create a memory leak via ReadMNGImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8345]

An attacker can create a memory leak via ReadDCMImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8346]

An attacker can create a memory leak via ReadEXRImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8347]

An attacker can create a memory leak via ReadMATImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8348]

An attacker can create a memory leak via ReadSFWImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8349]

An attacker can create a memory leak via ReadJNGImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8350]

An attacker can create a memory leak via ReadPCDImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8351]

An attacker can create a memory leak via ReadXWDImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8352]

An attacker can create a memory leak via ReadPICTImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8353]

An attacker can create a memory leak via ReadBMPImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8354]

An attacker can create a memory leak via ReadMTVImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8355]

An attacker can create a memory leak via ReadSUNImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8356]

An attacker can create a memory leak via ReadEPTImage(), in order to trigger a denial of service. [severity:2/4; CVE-2017-8357]

computer vulnerability note CVE-2017-2292 CVE-2017-2293 CVE-2017-2294

Puppet Labs Puppet: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Puppet Labs Puppet.
Impacted products: Debian, Fedora, openSUSE Leap, Solaris, Puppet, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 3/4.
Creation date: 12/05/2017.
Identifiers: bulletinjul2018, CVE-2017-2292, CVE-2017-2293, CVE-2017-2294, CVE-2017-2295, CVE-2017-2297, DLA-1012-1, DSA-3862-1, FEDORA-2017-8ad8d1bd86, FEDORA-2017-b9b66117bb, openSUSE-SU-2017:1948-1, SUSE-SU-2017:2113-1, USN-3308-1, VIGILANCE-VUL-22719.

Description of the vulnerability

Several vulnerabilities were announced in Puppet Labs Puppet.

An attacker can use a vulnerability of the YAML parser, in order to run code in MCollective. [severity:3/4; CVE-2017-2292]

An attacker can tamper with the MCollective server to deploy arbitrary programs. [severity:2/4; CVE-2017-2293]

An attacker can bypass security features via MCollective Private Keys, in order to obtain sensitive information. [severity:2/4; CVE-2017-2294]

An attacker can use a vulnerability of the YAML parser, in order to run code in the Puppet server. [severity:3/4; CVE-2017-2295]

An attacker can get the access rights of another user. [severity:3/4; CVE-2017-2297]

computer vulnerability alert CVE-2017-7960 CVE-2017-7961

libcroco: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of libcroco.
Impacted products: Debian, Solaris.
Severity: 2/4.
Creation date: 24/04/2017.
Identifiers: bulletinjul2017, CVE-2017-7960, CVE-2017-7961, DLA-909-1, VIGILANCE-VUL-22536.

Description of the vulnerability

Several vulnerabilities were announced in libcroco.

An attacker can force a read at an invalid address via CSS File, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2017-7960]

An attacker can trigger a fatal error via Outside Range, in order to trigger a denial of service. [severity:1/4; CVE-2017-7961]