[security-announce] Security Update: Multiple CVE fixes in Enea Linux 7.0

Sona Sarmadi sona.sarmadi at enea.com
Fri Mar 2 15:24:40 CET 2018


                         Enea Linux Security Advisory

Following CVEs have been fixed in Enea Linux 7.0.

CVE-2017-1000380
Package: kernel
Score: 2.1 (Low)
Description: sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000380

CVE-2017-1000366
Package: glibc
Score: 7.2 (High)
Description: glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366

CVE-2017-1000365
Package: kernel
Score: 7.2 (High)
Description: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000365

CVE-2017-1000253
Package: kernel
Score: 8.0 (High)
Description: A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.Upstream patch:https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2017-1000253

CVE-2017-1000251
Package: kernel
Score: 8.3 (High)
Description: The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251

CVE-2017-1000250
Package: bluez5
Score: 3.3 (Minor)
Description: All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250 

CVE-2017-1000111 
Package: kernel
Score: 7.2 (High)
Description: Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000111 

CVE-2017-1000101 
Package: curl
Score: 4.0 (Medium)
Description: curl supports "globbing" of URLs, in which a user can pass a numerical rangeto have the tool iterate over those numbers to do a sequence of transfers.In the globbing function that parses the numerical range, there was anomission that made curl read a byte beyond the end of the URL if given acarefully crafted, or just wrongly written, URL. The URL is stored in a heapbased buffer, so it could then be made to wrongly read something else insteadof crashing.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101 

CVE-2017-1000100 
Package: curl
Score: 4.0 (Medium)
Description: When doing an TFTP upload and curl/libcurl is given a URL that contains a verylong file name (longer than about 515 bytes), the file name is truncated tofit within the buffer boundaries, but the buffer size is still wrongly updatedto use the untruncated length. This too large value is then used in the`send()` call, making curl attempt to send more data than what is actually putinto the buffer. The `send()` function will then read beyond the end of theheap based buffer.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100 

CVE-2017-1000082
Package: systemd
Score: 10.0 (High)
Description: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082

CVE-2017-18017
Package: kernel
Score: 5.0 (Medium)
Description: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18017

CVE-2017-14496
Package: dnsmasq 
Score: 7.0 (High)
Description: Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496

CVE-2017-14106
Package: kernel
Score: 4.9 (Medium)
Description: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14106

CVE-2017-13081
Package: linux-firmware
Score: 2.9 (Minor)
Description: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13081

CVE-2017-13080
Package: linux-firmware
Score: 2.9 (Minor)
Description: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13080

CVE-2017-12132
Package: glibc
Score: 4.3 (Medium)
Description: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132

CVE-2017-11176
Package: kernel
Score: 10.0 (High)
Description: The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176

CVE-2017-9955
Package: GNU Binutils
Score: 4.3 (Medium)
Description: The get_build_id function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file in which a certain size field is larger than a corresponding data field, as demonstrated by mishandling within the objdump program.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9955

CVE-2017-9954
Package: GNU Binutils
Score: 4.3 (Medium)
Description: The getvalue function in tekhex.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted tekhex file, as demonstrated by mishandling within the nm program.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9954

CVE-2017-9756
Package: GNU Binutils
Score: 6.8 (Medium)
Description: The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9756

CVE-2017-9755
Package: GNU Binutils (objdump)
Score: 6.8 (Medium)
Description: opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9755

CVE-2017-9753
Package: GNU Binutils
Score: 6.8 (Medium)
Description: The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9753

CVE-2017-9752
Package: GNU Binutils, libbfd
Score: 6.8 (Medium)
Description: bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9752

CVE-2017-9751
Package: GNU Binutils
Score: 6.8 (Medium)
Description: opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9751

CVE-2017-9750
Package: GNU Binutils
Score: 6.8 (Medium)
Description: opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9750

CVE-2017-9749

Package: GNU Binutils
Score: 6.8 (Medium)
Description: The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9749

CVE-2017-9748
Package: GNU Binutils
Score: 6.8 (Medium)
Description: The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9748

CVE-2017-9747
Package: GNU Binutils (libbfd)
Score: 6.8 (Medium)
Description: The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution. NOTE: this may be related to a compiler bug.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9747

CVE-2017-9746
Package: GNU Binutils
Score: 6.8 (Medium)
Description: The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9746

CVE-2017-9745
Package: GNU Binutils (libbfd)
Score: 6.8 (Medium)
Description: The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9745

CVE-2017-9744
Package: GNU Binutils (libbfd)
Score: 6.8 (Medium)
Description: The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9744

CVE-2017-9742
Package: GNU Binutils (objdump)
Score: 6.8 (Medium)
Description: The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during \"objdump -D\" execution.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9742

CVE-2017-9445
Package: systemd
Score: 5.0 (Medium)
Description: In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9445

CVE-2017-9050
Package: libxml2-native
Score: 5.0 (Medium)
Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050

CVE-2017-9049
Package: libxml2-native
Score: 5.0 (Medium)
Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049

CVE-2017-9048
Package: libxml2-native
Score: 5.0 (Medium)
Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048

CVE-2017-9047
Package: libxml2-native
Score: 5.0 (Medium)
Description: A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047

CVE-2017-9044
Package: GNU Binutils (readelf)
Score: 4.3 (Medium)
Description: The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9044

CVE-2017-9042
Package: GNU Binutils
Score: 6.8 (Medium)
Description: readelf.c in GNU Binutils 2017-04-12 has a \"cannot be represented in type long\" issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted ELF file.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9042

CVE-2017-9040
Package: GNU Binutils 
Score: 4.3 (Medium)
Description: GNU Binutils 2017-04-03 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash), related to the process_mips_specific function in readelf.c, via a crafted ELF file that triggers a large memory-allocation attempt.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9040

CVE-2017-9039
Package: GNU Binutils (readelf)
Score: 4.3 (Medium)
Description: GNU Binutils 2.28 allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file with many program headers, related to the get_program_headers function in readelf.c.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9039

CVE-2017-9038
Package: GNU Binutils (readelf)
Score: 4.3 (Medium)
Description: GNU Binutils 2.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file, related to the byte_get_little_endian function in elfcomm.c, the get_unwind_section_word function in readelf.c, and ARM unwind information that contains invalid word offsets.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9038

CVE-2017-8872
Package: libxml2-native
Score: 6.4 (Medium)
Description: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872

CVE-2017-8831
Package: kernel
Score: 7.2 (High)
Description: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.10.14 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8831

CVE-2017-8804
Package: glibc
Score: 7.8 (High)
Description: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8804

CVE-2017-8779
Package: rpcbind
Score: 7.8 (High)
Description: rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779

CVE-2017-8421
Package: GNU Binutils
Score: 7.1 (High)
Description: The function coff_set_alignment_hook in coffcode.h in Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a memory leak vulnerability which can cause memory exhaustion in objdump via a crafted PE file. Additional validation in dump_relocs_in_section in objdump.c can resolve this.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8421

CVE-2017-8398
Package: GNU Binutils
Score: 5.0 (Medium)
Description: dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size 1 during dumping of debug information from a corrupt binary. This vulnerability causes programs that conduct an analysis of binary programs, such as objdump and readelf, to crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8398

CVE-2017-8397
Package: GNU Binutils
Score: 5.0 (Medium)
Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 and an invalid write of size 1 during processing of a corrupt binary containing reloc(s) with negative addresses. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8397

CVE-2017-8396
Package: GNU Binutils
Score: 5.0 (Medium)
Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 1 because the existing reloc offset range tests didn't catch small negative offsets less than the size of the reloc field. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8396

CVE-2017-8395
Package: GNU Binutils
Score: 5.0 (Medium)
Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid write of size 8 because of missing a malloc() return-value check to see if memory had actually been allocated in the _bfd_generic_get_section_contents function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8395

CVE-2017-8394
Package: GNU Binutils
Score: 5.0 (Medium)
Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 4 due to NULL pointer dereferencing of _bfd_elf_large_com_section. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy, to crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8394

CVE-2017-8393
Package: GNU Binutils
Score: 5.0 (Medium)
Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a global buffer over-read error because of an assumption made by code that runs for objcopy and strip, that SHT_REL/SHR_RELA sections are always named starting with a .rel/.rela prefix. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objcopy and strip, to crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8393

CVE-2017-8392
Package: GNU Binutils
Score: 5.0 (Medium)
Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8392

CVE-2017-8283
Package: dpkg
Score: 7.5 (High)
Description: dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8283

CVE-2017-8105
Package: freetype
Score: 7.5 (High)
Description: FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105

CVE-2017-8072
Package: kernel
Score: 7.2 (High)
Description: The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8072

CVE-2017-8071
Package: kernel
Score: 2.1 (Low)
Description: drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8071

CVE-2017-8070
Package: kernel
Score: 7.2 (High)
Description: drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8070

CVE-2017-8069
Package: kernel
Score: 7.2 (High)
Description: drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8069

CVE-2017-8068
Package: kernel
Score: 7.2 (High)
Description: drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8068

CVE-2017-8067
Package: kernel
Score: 7.2 (High)
Description: drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8067

CVE-2017-8066
Package: kernel
Score: 7.2 (High)
Description: drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8066

CVE-2017-8065
Package: kernel
Score: 7.2 (High)
Description: rypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8065

CVE-2017-8064
Package: kernel
Score: 7.2 (High)
Description: drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8064

CVE-2017-8063
Package: kernel
Score: 7.2 (High)
Description: drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8063

CVE-2017-8062
Package: kernel
Score: 7.2 (High)
Description: drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8062

CVE-2017-8061
Package: kernel
Score: 7.2 (High)
Description: drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x and 4.10.x before 4.10.7 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8061

CVE-2017-7895
Package: kernel
Score: 10.0 (High)
Description: The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7895

CVE-2017-7869
Package: gnutls
Score: 5.0 (Medium)
Description: GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7869

CVE-2017-7645
Package: kernel
Score: 7.8 (High)
Description: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645

CVE-2017-7618 	
Package: kernel
Score: 7.8 (High)
Description: crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7618 	

CVE-2017-7614
Package: GNU Binutils
Score: 7.5 (High)
Description: elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a \"member access within null pointer\" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an \"int main() {return 0;}\" program.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7614

CVE-2017-7487
Package: kernel
Score: 7.2 (High)
Description: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7487

CVE-2017-7472
Package: kernel
Score: 4.9 (Medium)
Description: The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7472

CVE-2017-7468 
Package: curl
Score: 6.0 (Medium)
Description: libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate).
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7468 

CVE-2017-7407
Package: curl
Score: 2.1 (Low)
Description: The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407

CVE-2017-7304
Package: Binutils
Score: 5.0 (Medium)
Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304

CVE-2017-7223
Package: GNU Binutils 
Score: 5.0 (Medium)
Description: GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer overflow (of size 1) while attempting to unget an EOF character from the input stream, potentially leading to a program crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7223

CVE-2017-7210
Package: binutils
Score: 7.8 (High)
Description: objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210

CVE-2017-7209
Package: binutils
Score: 4.3 (Medium)
Description: The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209

CVE-2017-6969
Package: binutils
Score: 6.4 (Medium)
Description: readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969

CVE-2017-6966
Package: binutil
Score: 4.0 (Medium)
Description: readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6966

CVE-2017-6965 
Package: binutils
Score: 4.3 (Medium)
Description: readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6965 

CVE-2017-6874
Package: Kernel
Score: 7.0 (High)
Description: Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6874

CVE-2017-6353
Package: Kernel
Score: 5.0 (Medium)
Description: net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6353

CVE-2017-6348
Package: Kernel
Score: 5.0 (Medium)
Description: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6348

CVE-2017-6347
Package: Kernel
Score: 7.0 (High)
Description: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6347

CVE-2017-6346
Package: Kernel
Score: 7.0 (High)
Description: Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6346

CVE-2017-6345
Package: Kernel
Score: 5.0 (Medium)
Description: The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6345

CVE-2017-6214
Package: Kernel
Score: 5.0 (Medium)
Description: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6214

CVE-2017-6074 
Package: Kernel
Score: 8.0 (High)
Description: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074 

CVE-2017-6001
Package: Kernel
Score: 8.0 (High)
Description: Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6001

CVE-2017-5986
Package: Kernel
Score: 7.0 (High)
Description: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986

CVE-2017-5970
Package: Kernel
Score: 5.0 (Medium)
Description: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5970

CVE-2017-5969
Package: libxml2-native
Score: 2.6 (Low)
Description: libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document.  NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser."
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969

CVE-2017-5848
Package: gstreamer
Score: 5.0 (Medium)
Description: The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5848

CVE-2017-5847
Package: gstreamer
Score: 5.0 (Medium)
Description: The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5847

CVE-2017-5669
Package: Kernel
Score: 5.0 (Medium)
Description: The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5669

CVE-2017-5618
Package: GNU screen 
Score: 7.2 (High)
Description: GNU screen before 4.5.1 allows local users to modify arbitrary files and consequently gain root privileges by leveraging improper checking of logfile permissions. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618

CVE-2017-5601
Package: libarchive
Score: 5.0 (Medium)
Description: An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5601

CVE-2017-5577
Package: Kernel
Score: 5.0 (Medium)
Description: The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5577

CVE-2017-5576
Package: Kernel
Score: 7.0 (High)
Description: Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted size value in a VC4_SUBMIT_CL ioctl call.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5576

CVE-2017-5551
Package: Kernel
Score: 4.0 (Medium)
Description: The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5551

CVE-2017-5548
Package: Kernel
Score: 7.0 (High)
Description: drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5548

CVE-2017-5547
Package: Kernel
Score: 7.0 (High)
Description: drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5547

CVE-2017-5546
Package: Kernel
Score: 7.0 (High)
Description: The freelist-randomization feature in mm/slab.c in the Linux kernel 4.8.x and 4.9.x before 4.9.5 allows local users to cause a denial of service (duplicate freelist entries and system crash) or possibly have unspecified other impact in opportunistic circumstances by leveraging the selection of a large value for a random number.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5546

CVE-2017-5335
Package: GnuTLS
Score: 5.0 (Medium)
Description: The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335

CVE-2017-5225
Package: tiff
Score: 7.5 (High)
Description: LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225

CVE-2017-5029
Package: libxslt
Score: 6.8 (Medium)
Description: The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5029

CVE-2017-3731
Package: OpenSSL
Score: 5.0 (Medium)
Description: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731

CVE-2017-3136 
Package: bind
Score: 5.9 (Medium)
Description: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136 

CVE-2017-3135
Package: bind
Score: 6.0 (Medium)
Description: Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3135

CVE-2017-2636
Package: Kernel
Score: 7.2 (High)
Description: Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636

CVE-2017-2628 
Package: curl
Score: 0.0 (Low)
Description: It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2628 

CVE-2016-10350
Package: libarchive
Score: 4.3 (Medium)
Description: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10350

CVE-2016-10349
Package: libarchive
Score: 4.2 (Medium)
Description: The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10349

CVE-2016-10229 
Package: kernel
Score: 10.0 (High)
Description: udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229 

CVE-2016-10228
Package: glibc
Score: 4.2 (Medium)
Description: The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10228

CVE-2016-10208
Package: Kernel
Score: 5.0 (Medium)
Description: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10208

CVE-2016-10200
Package: Kernel
Score: 7.0 (High)
Description: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10200

CVE-2016-10154
Package: Kernel
Score: 5.0 (Medium)
Description: The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a scatterlist.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10154

CVE-2016-10153
Package: Kernel
Score: 7.0 (High)
Description: The crypto scatterlist API in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging reliance on earlier net/ceph/crypto.c code.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10153

CVE-2016-10150
Package: KVM
Score: 10.0 (High)
Description: Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10150

CVE-2016-10147
Package: Kernel
Score: 5.0 (Medium)
Description: crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5).
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10147

CVE-2016-10044
Package: Kernel
Score: 7.0 (High)
Description: The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10044

CVE-2016-9844
Package: unzip
Score: 2.1 (Low)
Description: Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9844

CVE-2016-9754
Package: Kernel
Score: 7.0 (High)
Description: The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9754

CVE-2016-9444
Package: bind
Score: 7.0 (High)
Description: named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9444

CVE-2016-9401
Package: bash
Score: 2.0 (Low)
Description: ref to yocto patch: http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=1b2857a781b6666feaf5d3c91dc02ac263d0c4f6
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401

CVE-2016-9318
Package: libxml2-native
Score: 6.8 (Medium)
Description: libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318

CVE-2016-9083 
Package: Kernel
Score: 8.0 (High)
Description: drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug."
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083 

CVE-2016-8864
Package: bind
Score: 5.0 (Medium)
Description: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864

CVE-2016-8858
Package: OpenSSL
Score: 7.8 (High)
Description: A memory exhaustion issue in OpenSSH that can be triggered before user authentication was found. An unauthenticated attacker could consume approx. 400 MB of memory per each connection. The attacker could set up multiple such connections to run out of server’s memory.   
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8858

CVE-2016-8655 
Package: Kernel
Score: 8.0 (High)
Description: Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655 

CVE-2016-8636
Package: Kernel
Score: 7.0 (High)
Description: Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the "RDMA protocol over infiniband" (aka Soft RoCE) technology.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8636

CVE-2016-8630
Package: Kernel
Score: 6.0 (Medium)
Description: The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8630

CVE-2016-8625
Package: curl
Score: 6.9 (Medium)
Description: When curl is built with libidn to handle International Domain Names (IDNA), ittranslates them to puny code for DNS resolving using the IDNA 2003 standard,while IDNA 2008 is the modern and up-to-date IDNA standard.This misalignment causes problems with for example domains using the German ßcharacter (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') whichis used at times in the .de TLD and is translated differently in the two IDNAstandards, leading to users potentially and unknowingly issuing networktransfer requests to the wrong host.For example, `straße.de` is translated into `strasse.de` using IDNA 2003 butis translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, thosehost names could very well resolve to different addresses and be twocompletely independent servers. IDNA 2008 is mandatory for .de domains.curl is not alone with this problem, as there's currently a big flux in theworld of network user-agents about which IDNA version to support and use.This name problem exists for DNS-using protocols in curl, but only when builtto use libidn.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625

CVE-2016-8624
Package: curl
Score: 6.9 (Medium)
Description: curl doesn't parse the authority component of the URL correctly when the hostname part ends with a '#' character, and could instead be tricked intoconnecting to a different host. This may have security implications if you forexample use an URL parser that follows the RFC to check for allowed domainsbefore using curl to request them.Passing in `http://example.com#@evil.com/x.txt` would wrongly make curl send arequest to evil.com while your browser would connect to example.com given thesame URL.The problem exists for most protocol schemes.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624

CVE-2016-8623
Package: curl
Score: 4.9 (Medium)
Description: libcurl explicitly allows users to share cookies between multiple easy handlesthat are concurrently employed by different threads.When cookies to be sent to a server are collected, the matching functioncollects all cookies to send and the cookie lock is released immediatelyafterwards. That function however only returns a list with *references* back tothe original strings for name, value, path and so on. Therefore, if anotherthread quickly takes the lock and frees one of the original cookie structstogether with its strings, a use-after-free can occur and lead to informationdisclosure. Another thread can also replace the contents of the cookies fromseparate HTTP responses or API calls.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623

CVE-2016-8622
Package: curl
Score: 4.9 (Medium)
Description: The URL percent-encoding decode function in libcurl is called`curl_easy_unescape`. Internally, even if this function would be made toallocate a unscape destination buffer larger than 2GB, it would return thatnew length in a signed 32 bit integer variable, thus the length would geteither just truncated or both truncated and turned negative. That could thenlead to libcurl writing outside of its heap based buffer.This can be triggered by a user on a 64bit system if the user can send in acustom (very large) URL to a libcurl using program.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622

CVE-2016-8621
Package: curl
Score: 4.9 (Medium)
Description: The `curl_getdate` converts a given date string into a numerical timestamp andit supports a range of different formats and possibilites to express a dateand time. The underlying date parsing function is also used internally whenparsing for example HTTP cookies (possibly received from remote servers) andit can be used when doing conditional HTTP requests.The date parser function uses the libc sscanf() function at two places, withthe parsing strings "%02d:%02d" and ""%02d:%02d:%02d". The intent being thatit would parse either a string with HH:MM (two digits colon two digits) orHH:MM:SS (two digits colon two digits colon two digits). If instead the pieceof time that was sent in had the final digit cut off, thus ending with asingle-digit, the date parser code would advance its read pointer one byte toomuch and end up reading out of bounds.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621

CVE-2016-8620
Package: curl
Score: 6.9 (Medium)
Description: The curl tool's "globbing" feature allows a user to specify a numerical rangethrough which curl will iterate. It is typically specified as [1-5],specifying the first and the last numbers in the range. Or with [a-z], usingletters.1. The curl code for parsing the second *unsigned* number did not check for aleading minus character, which allowed a user to specify `[1--1]` with nocomplaints and have the latter `-1` number get turned into the largestunsigned long value the system can handle. This would ultimately cause curl towrite outside the dedicated malloced buffer after no less than 100,000iterations, since it would have room for 5 digits but not 6.2. When the range is specified with letters, and the ending letter is left out`[L-]`, the code would still advance its read pointer 5 bytes even if thestring was just 4 bytes and end up reading outside the given buffer.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620

CVE-2016-8619
Package: curl
Score: 6.9 (Medium)
Description: In curl's implementation of the Kerberos authentication mechanism, thefunction `read_data()` in security.c is used to fill the necessary krb5structures. When reading one of the length fields from the socket, it fails toensure that the length parameter passed to realloc() is not set to 0.This would lead to realloc() getting called with a zero size and when doing sorealloc() returns NULL *and* frees the memory - in contrary to normalrealloc() fails where it only returns NULL - causing libcurl to free thememory *again* in the error path.This flaw could be triggered by a malicious or just otherwise ill-behavingserver.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619

CVE-2016-8618
Package: curl
Score: 6.9 (Medium)
Description: The libcurl API function called `curl_maprintf()` can be tricked into doing adouble-free due to an unsafe `size_t` multiplication, on systems using 32 bit`size_t` variables. The function is also used internallty in numeroussituations.The function doubles an allocated memory area with realloc() and allows thesize to wrap and become zero and when doing so realloc() returns NULL *and*frees the memory - in contrary to normal realloc() fails where it only returnsNULL - causing libcurl to free the memory *again* in the error path.Systems with 64 bit versions of the `size_t` type are not affected by thisissue.This behavior is triggable using the publicly exposed function.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618

CVE-2016-8617
Package: curl
Score: 6.9 (Medium)
Description: In libcurl's base64 encode function, the output buffer is allocated as followswithout any checks on insize:     malloc( insize * 4 / 3 + 4 )On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), themultiplication in the expression wraps around if insize is at least 1GB ofdata. If this happens, an undersized output buffer will be allocated, but thefull result will be written, thus causing the memory behind the output bufferto be overwritten.If a username is set directly via `CURLOPT_USERNAME` (or curl's `-u, --user`option), this vulnerability can be triggered. The name has to be at least512MB big in a 32bit system.Systems with 64 bit versions of the `size_t` type are not affected by thisissue.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617

CVE-2016-8616
Package: curl
Score: 3.9 (Low)
Description: When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections.This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.We are not aware of any exploit of this flaw.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616

CVE-2016-8615
Package: curl
Score: 6.9 (Medium)
Description: If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.The issue pertains to the function that loads cookies into memory, which reads the specified file into a fixed-size buffer in a line-by-line manner using the fgets() function. If an invocation of fgets() cannot read the whole line into the destination buffer due to it being too small, it truncates the output. This way, a very long cookie (name + value) sent by a malicious server would be stored in the file and subsequently that cookie could be read partially and crafted correctly, it could be treated as a different cookie for another server.We are not aware of any exploit of this flaw.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615

CVE-2016-7795
Package: systemd
Score: 4.9 (Medium)
Description: The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7795

CVE-2016-7097
Package: Kernel
Score: 3.6 (Low)
Description: The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7097

CVE-2016-6489
Package: nettle
Score: 5.0 (Medium)
Description: The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6489

CVE-2016-6480
Package: Kernel
Score: 4.7 (Medium)
Description: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480

CVE-2016-6354
Package: flex
Score: 7.5 (High)
Description: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354

CVE-2016-6323
Package: glibc
Score: 5.0 (Medium)
Description: The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6323

CVE-2016-6321
Package: Tar (Gnu)
Score: 5.0 (Medium)
Description: Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321

CVE-2016-6318
Package: cracklib
Score: 7.5 (High)
Description: Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318

CVE-2016-6301
Package: busybox
Score: 7.1 (High)
Description: The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6301

CVE-2016-6252
Package: shadow
Score: 5.0 (Medium)
Description: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. Patch: https://bugzilla.suse.com/attachment.cgi?id=684679&action=diff 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252

CVE-2016-6185
Package: Perl
Score: 5.0 (Medium)
Description: The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185

CVE-2016-6170
Package: bind
Score: 6.0 (Medium)
Description: DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone.  However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service).  A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.https://kb.isc.org/article/AA-01390
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6170

CVE-2016-6131
Package: gcc
Score: 4.9 (Medium)
Description: A stack overflow vulnerability in the libiberty demangler was found, which causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131

CVE-2016-5636
Package: CPython
Score: 10.0 (High)
Description: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636

CVE-2016-5300
Package: expat
Score: 7.8 (High)
Description: The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300

CVE-2016-5131
Package: libxml2
Score: 10.0 (High)
Description: Use-after-free vulnerability in libxml2 (used in chromium-browser) through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131

CVE-2016-4658
Package: libxml2
Score: 10.0 (High)
Description: libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658

CVE-2016-4448
Package: libxml2
Score: 10.0 (High)
Description: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448

CVE-2016-2775
Package: bind
Score: 4.3 (Medium)
Description: ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775

CVE-2016-2381
Package: Perl
Score: 5.0 (Medium)
Description: Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381

CVE-2016-2183
Package: OpenSSL
Score: 5.0 (Medium)
Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183

CVE-2016-2147
Package: busybox
Score: 5.0 (Medium)
Description: Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147

CVE-2016-0800
Package: OpenSSL
Score: 4.3 (Medium)
Description: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800

CVE-2016-0718
Package: expat
Score: 7.5 (High)
Description: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718

CVE-2016-0634 
Package: bash
Score: 5.0 (Medium)
Description: A vulnerability was found in a way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634 

CVE-2015-9019
Package: libxslt-native 
Score: 5.0 (Medium)
Description: In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9019

CVE-2015-5224
Package: util-linux
Score: 7.5 (High)
Description: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5224

CVE-2014-9365 
Package: python
Score: 5.8 (Medium)
Description: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. 
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365

How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-7.0
$ repo sync

- If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

Use repo tool to download the source for the Enea Linux 6.0 standard,
follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo >
~/bin/repo $ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2.Use the repo tool to download the source:
$ mkdir Enea-Linux-7.0
$ cd Enea-Linux-7.0
$ repo init -u git://git.enea.com/linux/el_manifests-standard.git -b
pyro -m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target, e.g.:
RaspberryPi: raspberripi3-64/defult.xml

If you have any questions regarding this announcement please contact
security at enea.com.
For general security refer to Enea Linux Security page:
https://www.enea.com/products/security
For the CVEs fixed at Enea Linux releases see CVE list:
http://www.enea.com/products/security/security-updates
For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20180302/4d2ccdc9/attachment-0001.sig>


More information about the security-announce mailing list