NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=22851
• http://www.securityfocus.com/bid/109167
• https://ubuntu.com/security/CVE-2019-1010023
• https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream icu package and not the icu package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

Remediation

Upgrade Debian:8 icu to version 52.1-8+deb8u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-10531
• https://www.debian.org/security/2020/dsa-4646
• https://lists.debian.org/debian-lts-announce/2020/03/msg00024.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
• https://security.gentoo.org/glsa/202003-15
• https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca
• https://github.com/unicode-org/icu/pull/971
• https://bugs.chromium.org/p/chromium/issues/detail?id=1044570
• https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html
• https://chromium.googlesource.com/chromium/deps/icu/+/9f4020916eb1f28f3666f018fdcbe6c9a37f0e08
• https://unicode-org.atlassian.net/browse/ICU-20958
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://access.redhat.com/errata/RHSA-2020:0738
• http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00004.html
• https://usn.ubuntu.com/4305-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10531
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Remediation

Upgrade Debian:8 libssh2 to version 1.4.3-4.1+deb8u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2019-3856
• https://seclists.org/bugtraq/2019/Apr/25
• https://www.debian.org/security/2019/dsa-4431
• https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/
• https://www.libssh2.org/CVE-2019-3856.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• https://security.netapp.com/advisory/ntap-20190327-0005/
• http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html
• https://access.redhat.com/errata/RHSA-2019:1652
• https://access.redhat.com/errata/RHSA-2019:1791
• https://access.redhat.com/errata/RHSA-2019:1943
• https://access.redhat.com/errata/RHSA-2019:2399
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3856
• https://access.redhat.com/errata/RHSA-2019:0679
• https://access.redhat.com/errata/RHSA-2019:1175
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-3856
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.

Remediation

Upgrade Debian:8 libssh2 to version 1.4.3-4.1+deb8u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2019-3863
• https://seclists.org/bugtraq/2019/Apr/25
• https://www.debian.org/security/2019/dsa-4431
• https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/
• https://www.libssh2.org/CVE-2019-3863.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• https://security.netapp.com/advisory/ntap-20190327-0005/
• http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html
• https://access.redhat.com/errata/RHSA-2019:1652
• https://access.redhat.com/errata/RHSA-2019:1791
• https://access.redhat.com/errata/RHSA-2019:1943
• https://access.redhat.com/errata/RHSA-2019:2399
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863
• https://access.redhat.com/errata/RHSA-2019:0679
• https://access.redhat.com/errata/RHSA-2019:1175
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-3863
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Remediation

Upgrade Debian:8 libssh2 to version 1.4.3-4.1+deb8u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2019-3857
• https://seclists.org/bugtraq/2019/Apr/25
• https://www.debian.org/security/2019/dsa-4431
• https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/
• https://www.libssh2.org/CVE-2019-3857.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• https://security.netapp.com/advisory/ntap-20190327-0005/
• http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html
• https://access.redhat.com/errata/RHSA-2019:1652
• https://access.redhat.com/errata/RHSA-2019:1791
• https://access.redhat.com/errata/RHSA-2019:1943
• https://access.redhat.com/errata/RHSA-2019:2399
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3857
• https://access.redhat.com/errata/RHSA-2019:0679
• https://access.redhat.com/errata/RHSA-2019:1175
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-3857
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

Remediation

Upgrade Debian:8 libssh2 to version 1.4.3-4.1+deb8u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2019-3855
• https://seclists.org/bugtraq/2019/Sep/49
• https://seclists.org/bugtraq/2019/Apr/25
• https://seclists.org/bugtraq/2019/Mar/25
• https://support.apple.com/kb/HT210609
• https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767
• https://www.debian.org/security/2019/dsa-4431
• https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6LUNHPW64IGCASZ4JQ2J5KDXNZN53DWW/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7IF3LNHOA75O4WZWIHJLIRMA5LJUED3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/
• http://seclists.org/fulldisclosure/2019/Sep/42
• http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html
• https://www.libssh2.org/CVE-2019-3855.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• https://security.netapp.com/advisory/ntap-20190327-0005/
• http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html
• http://www.openwall.com/lists/oss-security/2019/03/18/3
• https://access.redhat.com/errata/RHSA-2019:1652
• https://access.redhat.com/errata/RHSA-2019:1791
• https://access.redhat.com/errata/RHSA-2019:1943
• https://access.redhat.com/errata/RHSA-2019:2399
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3855
• https://access.redhat.com/errata/RHSA-2019:0679
• https://access.redhat.com/errata/RHSA-2019:1175
• http://www.securityfocus.com/bid/107485
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-3855
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6LUNHPW64IGCASZ4JQ2J5KDXNZN53DWW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M7IF3LNHOA75O4WZWIHJLIRMA5LJUED3/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239.

Remediation

Upgrade Debian:8 systemd to version 215-17+deb8u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2018-15688
• https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html
• https://security.gentoo.org/glsa/201810-10
• https://github.com/systemd/systemd/pull/10518
• https://access.redhat.com/errata/RHBA-2019:0327
• https://access.redhat.com/errata/RHSA-2018:3665
• https://access.redhat.com/errata/RHSA-2019:0049
• http://www.securityfocus.com/bid/105745
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-15688
• https://usn.ubuntu.com/3806-1/
• https://usn.ubuntu.com/3807-1/

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

Remediation

Upgrade Debian:8 zlib to version 1:1.2.8.dfsg-2+deb8u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2016-9842
• https://support.apple.com/HT208112
• https://support.apple.com/HT208113
• https://support.apple.com/HT208115
• https://support.apple.com/HT208144
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842
• https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html
• https://security.gentoo.org/glsa/202007-54
• https://security.gentoo.org/glsa/201701-56
• https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958
• https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
• https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html
• http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.openwall.com/lists/oss-security/2016/12/05/21
• https://bugzilla.redhat.com/show_bug.cgi?id=1402348
• https://access.redhat.com/errata/RHSA-2017:1220
• https://access.redhat.com/errata/RHSA-2017:1221
• https://access.redhat.com/errata/RHSA-2017:1222
• https://access.redhat.com/errata/RHSA-2017:2999
• https://access.redhat.com/errata/RHSA-2017:3046
• https://access.redhat.com/errata/RHSA-2017:3047
• https://access.redhat.com/errata/RHSA-2017:3453
• http://www.securityfocus.com/bid/95131
• http://www.securitytracker.com/id/1039427
• https://usn.ubuntu.com/4246-1/
• https://usn.ubuntu.com/4292-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9842

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

Remediation

Upgrade Debian:8 zlib to version 1:1.2.8.dfsg-2+deb8u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2016-9840
• https://support.apple.com/HT208112
• https://support.apple.com/HT208113
• https://support.apple.com/HT208115
• https://support.apple.com/HT208144
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840
• https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html
• https://security.gentoo.org/glsa/202007-54
• https://security.gentoo.org/glsa/201701-56
• https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
• https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
• https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html
• http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.openwall.com/lists/oss-security/2016/12/05/21
• https://bugzilla.redhat.com/show_bug.cgi?id=1402345
• https://access.redhat.com/errata/RHSA-2017:1220
• https://access.redhat.com/errata/RHSA-2017:1221
• https://access.redhat.com/errata/RHSA-2017:1222
• https://access.redhat.com/errata/RHSA-2017:2999
• https://access.redhat.com/errata/RHSA-2017:3046
• https://access.redhat.com/errata/RHSA-2017:3047
• https://access.redhat.com/errata/RHSA-2017:3453
• http://www.securityfocus.com/bid/95131
• http://www.securitytracker.com/id/1039427
• https://usn.ubuntu.com/4246-1/
• https://usn.ubuntu.com/4292-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9840

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

Remediation

There is no fixed version for Debian:8 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2020-10878
• https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
• https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8
• https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c
• https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
• https://security.netapp.com/advisory/ntap-20200611-0001/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://security.gentoo.org/glsa/202006-03
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10878
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Privilege Escalation under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH variable hijacking and DLL hijacking.

Remediation

Upgrade node to version 16.4.1, 14.17.2, 12.22.2 or higher.

References

• GitHub Commit
• GitHub Release
• GitHub Release
• GitHub Release
• HackerOne Report
• Node.js Security Releases

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Out-of-bounds Read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes.

Remediation

Upgrade node to version 16.4.1, 14.17.2, 12.22.2 or higher.

References

• GitHub Commit
• GitHub Release
• GitHub Release
• GitHub Release
• HackerOne Report
• Node.js Security Releases

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Prototype Pollution via console.table properties. Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. Note: This vulnerability only allows an empty string to be assigned numerical keys of the object prototype.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade node to version 12.22.9, 14.18.3, 16.13.2, 17.3.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

Remediation

There is no fixed version for Debian:8 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2020-10543
• https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
• https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed
• https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
• https://security.netapp.com/advisory/ntap-20200611-0001/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://security.gentoo.org/glsa/202006-03
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10543
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/

NVD Description

Note: Versions mentioned in the description apply only to the upstream apt package and not the apt package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.

Remediation

Upgrade Debian:8 apt to version 1.0.9.8.5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2019-3462
• https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E
• https://www.debian.org/security/2019/dsa-4371
• https://lists.debian.org/debian-lts-announce/2019/01/msg00013.html
• https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html
• https://security.netapp.com/advisory/ntap-20190125-0002/
• http://www.securityfocus.com/bid/106690
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-3462
• https://usn.ubuntu.com/3863-1/
• https://usn.ubuntu.com/3863-2/
• https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-4.8 package and not the gcc-4.8 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.

Remediation

There is no fixed version for Debian:8 gcc-4.8.

References

• https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/config/arm/arm-protos.h?revision=266379&view=markup
• https://security-tracker.debian.org/tracker/CVE-2018-12886
• https://www.gnu.org/software/gcc/gcc-8/changes.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-4.9 package and not the gcc-4.9 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.

Remediation

There is no fixed version for Debian:8 gcc-4.9.

References

• https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/config/arm/arm-protos.h?revision=266379&view=markup
• https://security-tracker.debian.org/tracker/CVE-2018-12886
• https://www.gnu.org/software/gcc/gcc-8/changes.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

Remediation

Upgrade Debian:8 libssh2 to version 1.4.3-4.1+deb8u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2019-17498
• https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22H4Q5XMGS3QNSA7OCL3U7UQZ4NXMR5O/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/
• https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498
• https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94
• https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/
• https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c#L480
• https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
• http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00026.html
• https://lists.debian.org/debian-lts-announce/2021/12/msg00013.html
• https://security.netapp.com/advisory/ntap-20220909-0004/
• http://packetstormsecurity.com/files/172835/libssh2-1.9.0-Out-Of-Bounds-Read.html
• https://lists.debian.org/debian-lts-announce/2023/09/msg00006.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22H4Q5XMGS3QNSA7OCL3U7UQZ4NXMR5O/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TY7EEE34RFKCTXTMBQQWWSLXZWSCXNDB/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.

Remediation

Upgrade Debian:8 libssh2 to version 1.4.3-4.1+deb8u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2019-13115
• https://security.netapp.com/advisory/ntap-20190806-0002/
• https://support.f5.com/csp/article/K13322484
• https://support.f5.com/csp/article/K13322484?utm_source=f5support&utm_medium=RSS
• https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6LUNHPW64IGCASZ4JQ2J5KDXNZN53DWW/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7IF3LNHOA75O4WZWIHJLIRMA5LJUED3/
• https://github.com/libssh2/libssh2/compare/02ecf17...42d37aa
• https://github.com/libssh2/libssh2/pull/350
• https://blog.semmle.com/libssh2-integer-overflow/
• https://libssh2.org/changes.html
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-13115
• https://lists.debian.org/debian-lts-announce/2021/12/msg00013.html
• http://packetstormsecurity.com/files/172834/libssh2-1.8.2-Out-Of-Bounds-Read.html
• https://lists.debian.org/debian-lts-announce/2023/09/msg00006.html
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6LUNHPW64IGCASZ4JQ2J5KDXNZN53DWW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M7IF3LNHOA75O4WZWIHJLIRMA5LJUED3/
• https://support.f5.com/csp/article/K13322484?utm_source=f5support&amp%3Butm_medium=RSS

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Code Injection due to the incorrect handling of environment variables on Linux when the process is running with elevated privileges that the current user lacks (does not apply to CAP_NET_BIND_SERVICE).

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.

Remediation

Upgrade Debian:8 wget to version 1.16-1+deb8u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2016-7098
• https://www.exploit-db.com/exploits/40824/
• http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00083.html
• http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00134.html
• https://lists.debian.org/debian-lts-announce/2020/01/msg00031.html
• http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html
• http://lists.opensuse.org/opensuse-updates/2017-01/msg00007.html
• http://www.openwall.com/lists/oss-security/2016/08/27/2
• http://www.securityfocus.com/bid/93157
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7098
• https://www.exploit-db.com/exploits/40824

NVD Description

Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

Remediation

There is no fixed version for Debian:8 bash.

References

• https://security-tracker.debian.org/tracker/CVE-2019-18276
• https://security.netapp.com/advisory/ntap-20200430-0003/
• https://security.gentoo.org/glsa/202105-34
• https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff
• http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html
• https://www.youtube.com/watch?v=-wGtxJ8opa8
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
• https://www.exploit-db.com/exploits/47726

NVD Description

Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Remediation

Upgrade Debian:8 bash to version 4.3-11+deb8u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2019-9924
• https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html
• http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65
• https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441
• https://security.netapp.com/advisory/ntap-20190411-0001/
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00049.html
• https://usn.ubuntu.com/4058-1/
• https://usn.ubuntu.com/4058-2/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9924

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.

Remediation

There is no fixed version for Debian:8 curl.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-8177
• https://security-tracker.debian.org/tracker/CVE-2020-8177
• https://www.debian.org/security/2021/dsa-4881
• https://curl.se/docs/CVE-2020-8177.html
• https://hackerone.com/reports/887462
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://www.oracle.com/security-alerts/cpujan2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.

Remediation

Upgrade Debian:8 curl to version 7.38.0-4+deb8u15 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2019-5436
• https://seclists.org/bugtraq/2020/Feb/36
• https://curl.haxx.se/docs/CVE-2019-5436.html
• https://support.f5.com/csp/article/K55133295
• https://support.f5.com/csp/article/K55133295?utm_source=f5support&utm_medium=RSS
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436
• https://www.debian.org/security/2020/dsa-4633
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/
• https://security.gentoo.org/glsa/202003-29
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• http://www.openwall.com/lists/oss-security/2019/09/11/6
• https://www.oracle.com/security-alerts/cpuapr2020.html
• https://security.netapp.com/advisory/ntap-20190606-0004/
• http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html
• http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5436
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/
• https://support.f5.com/csp/article/K55133295?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-6488
• https://security.gentoo.org/glsa/202006-04
• https://sourceware.org/bugzilla/show_bug.cgi?id=24097
• http://www.securityfocus.com/bid/106671

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2017-1000408
• https://www.exploit-db.com/exploits/43331/
• https://security.netapp.com/advisory/ntap-20190404-0003/
• http://seclists.org/oss-sec/2017/q4/385
• http://www.openwall.com/lists/oss-security/2019/06/27/7
• http://www.openwall.com/lists/oss-security/2019/06/28/1
• http://www.openwall.com/lists/oss-security/2019/06/28/2
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000408

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2018-1000001
• https://www.exploit-db.com/exploits/43775/
• https://www.exploit-db.com/exploits/44889/
• https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
• https://security.netapp.com/advisory/ntap-20190404-0003/
• http://seclists.org/oss-sec/2018/q1/38
• https://access.redhat.com/errata/RHSA-2018:0805
• http://www.securityfocus.com/bid/102525
• http://www.securitytracker.com/id/1040162
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000001
• https://usn.ubuntu.com/3534-1/
• https://usn.ubuntu.com/3536-1/
• https://www.exploit-db.com/exploits/44889

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2018-11237
• https://www.exploit-db.com/exploits/44750/
• https://sourceware.org/bugzilla/show_bug.cgi?id=23196
• https://security.netapp.com/advisory/ntap-20190329-0001/
• https://security.netapp.com/advisory/ntap-20190401-0001/
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://access.redhat.com/errata/RHBA-2019:0327
• https://access.redhat.com/errata/RHSA-2018:3092
• http://www.securityfocus.com/bid/104256
• https://usn.ubuntu.com/4416-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-11237

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2017-16997
• https://sourceware.org/bugzilla/show_bug.cgi?id=22625
• https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html
• https://bugs.debian.org/884615
• https://access.redhat.com/errata/RHBA-2019:0327
• https://access.redhat.com/errata/RHSA-2018:3092
• http://www.securityfocus.com/bid/102228
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16997

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• https://security-tracker.debian.org/tracker/CVE-2017-7245
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7245
• https://security.gentoo.org/glsa/201710-25
• https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/
• https://access.redhat.com/errata/RHSA-2018:2486
• http://www.securityfocus.com/bid/97067
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7245

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• https://security-tracker.debian.org/tracker/CVE-2017-7246
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7246
• https://security.gentoo.org/glsa/201710-25
• https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/
• https://access.redhat.com/errata/RHSA-2018:2486
• http://www.securityfocus.com/bid/97067
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7246

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).

Remediation

There is no fixed version for Debian:8 shadow.

References

• https://security-tracker.debian.org/tracker/CVE-2019-19882
• https://security.gentoo.org/glsa/202008-09
• https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75
• https://github.com/shadow-maint/shadow/pull/199
• https://github.com/void-linux/void-packages/pull/17580
• https://bugs.archlinux.org/task/64836
• https://bugs.gentoo.org/702252

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable.

Remediation

Upgrade Debian:8 systemd to version 215-17+deb8u9 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2018-16864
• https://www.debian.org/security/2019/dsa-4367
• https://lists.debian.org/debian-lts-announce/2019/01/msg00016.html
• https://security.gentoo.org/glsa/201903-07
• https://www.qualys.com/2019/01/09/system-down/system-down.txt
• https://security.netapp.com/advisory/ntap-20190117-0001/
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://access.redhat.com/errata/RHBA-2019:0327
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16864
• https://access.redhat.com/errata/RHSA-2019:0049
• https://access.redhat.com/errata/RHSA-2019:0204
• https://access.redhat.com/errata/RHSA-2019:0271
• https://access.redhat.com/errata/RHSA-2019:0342
• https://access.redhat.com/errata/RHSA-2019:0361
• https://access.redhat.com/errata/RHSA-2019:2402
• http://www.securityfocus.com/bid/106523
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-16864
• https://usn.ubuntu.com/3855-1/
• https://access.redhat.com/security/cve/CVE-2018-16864
• https://bugzilla.redhat.com/show_bug.cgi?id=1653855
• http://www.openwall.com/lists/oss-security/2021/07/20/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.

Remediation

Upgrade Debian:8 systemd to version 215-17+deb8u9 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2018-16865
• https://seclists.org/bugtraq/2019/May/25
• https://www.debian.org/security/2019/dsa-4367
• https://lists.debian.org/debian-lts-announce/2019/01/msg00016.html
• https://security.gentoo.org/glsa/201903-07
• http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html
• https://www.qualys.com/2019/01/09/system-down/system-down.txt
• https://security.netapp.com/advisory/ntap-20190117-0001/
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• http://www.openwall.com/lists/oss-security/2019/05/10/4
• https://access.redhat.com/errata/RHBA-2019:0327
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16865
• https://access.redhat.com/errata/RHSA-2019:0049
• https://access.redhat.com/errata/RHSA-2019:0204
• https://access.redhat.com/errata/RHSA-2019:0271
• https://access.redhat.com/errata/RHSA-2019:0342
• https://access.redhat.com/errata/RHSA-2019:0361
• https://access.redhat.com/errata/RHSA-2019:2402
• http://seclists.org/fulldisclosure/2019/May/21
• http://www.securityfocus.com/bid/106525
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-16865
• https://usn.ubuntu.com/3855-1/
• https://access.redhat.com/security/cve/CVE-2018-16865
• https://bugzilla.redhat.com/show_bug.cgi?id=1653861
• http://www.openwall.com/lists/oss-security/2021/07/20/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.

Remediation

There is no fixed version for Debian:8 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2018-6954
• https://github.com/systemd/systemd/issues/7986
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6954
• https://usn.ubuntu.com/3816-1/
• https://usn.ubuntu.com/3816-2/
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.

Remediation

Upgrade Debian:8 systemd to version 215-17+deb8u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2018-15686
• https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html
• https://www.exploit-db.com/exploits/45714/
• https://security.gentoo.org/glsa/201810-10
• https://github.com/systemd/systemd/pull/10519
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://access.redhat.com/errata/RHSA-2019:3222
• https://access.redhat.com/errata/RHSA-2020:0593
• https://access.redhat.com/errata/RHSA-2019:2091
• http://www.securityfocus.com/bid/105747
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-15686
• https://usn.ubuntu.com/3816-1/
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.

Remediation

Upgrade Debian:8 systemd to version 215-17+deb8u12 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2017-18078
• https://lists.debian.org/debian-lts-announce/2019/04/msg00022.html
• https://www.exploit-db.com/exploits/43935/
• https://github.com/systemd/systemd/issues/7736
• http://packetstormsecurity.com/files/146184/systemd-Local-Privilege-Escalation.html
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• http://lists.opensuse.org/opensuse-updates/2018-02/msg00109.html
• https://www.openwall.com/lists/oss-security/2018/01/29/4
• http://www.openwall.com/lists/oss-security/2018/01/29/3
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Debian:8 util-linux.

References

• https://security-tracker.debian.org/tracker/CVE-2016-2779
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
• http://www.openwall.com/lists/oss-security/2016/02/27/1
• http://www.openwall.com/lists/oss-security/2016/02/27/2
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2779

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.

Remediation

There is no fixed version for Debian:8 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2016-8625
• https://curl.haxx.se/CVE-2016-8625.patch
• https://curl.haxx.se/docs/adv_20161102K.html
• https://www.tenable.com/security/tns-2016-21
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625
• https://security.gentoo.org/glsa/201701-47
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625
• https://access.redhat.com/errata/RHSA-2018:2486
• https://access.redhat.com/errata/RHSA-2018:3558
• http://www.securityfocus.com/bid/94107
• http://www.securitytracker.com/id/1037192
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8625
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtp_endofresp() isn't NUL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol() call reads beyond the allocated buffer. The read contents will not be returned to the caller.

Remediation

Upgrade Debian:8 curl to version 7.38.0-4+deb8u14 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2019-3823
• https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E
• https://cert-portal.siemens.com/productcert/pdf/ssa-936080.pdf
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823
• https://www.debian.org/security/2019/dsa-4386
• https://security.gentoo.org/glsa/201903-03
• https://curl.haxx.se/docs/CVE-2019-3823.html
• https://security.netapp.com/advisory/ntap-20190315-0001/
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
• https://access.redhat.com/errata/RHSA-2019:3701
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3823
• http://www.securityfocus.com/bid/106950
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-3823
• https://usn.ubuntu.com/3882-1/
• https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.

Remediation

Upgrade Debian:8 curl to version 7.38.0-4+deb8u14 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2018-16890
• https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E
• https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf
• https://support.f5.com/csp/article/K03314397?utm_source=f5support&utm_medium=RSS
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890
• https://www.debian.org/security/2019/dsa-4386
• https://curl.haxx.se/docs/CVE-2018-16890.html
• https://security.netapp.com/advisory/ntap-20190315-0001/
• https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
• https://access.redhat.com/errata/RHSA-2019:3701
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890
• http://www.securityfocus.com/bid/106947
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-16890
• https://usn.ubuntu.com/3882-1/
• https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E
• https://support.f5.com/csp/article/K03314397?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream cyrus-sasl2 package and not the cyrus-sasl2 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.

Remediation

Upgrade Debian:8 cyrus-sasl2 to version 2.1.26.dfsg1-13+deb8u2 or higher.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
• https://security-tracker.debian.org/tracker/CVE-2019-19906
• https://seclists.org/bugtraq/2019/Dec/42
• https://support.apple.com/kb/HT211288
• https://support.apple.com/kb/HT211289
• https://www.debian.org/security/2019/dsa-4591
• https://lists.debian.org/debian-lts-announce/2019/12/msg00027.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MW6GZCLECGL2PBNHVNPJIX4RPVRVFR7R/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OB4GSVOJ6ESHQNT5GSV63OX5D4KPSTGT/
• http://seclists.org/fulldisclosure/2020/Jul/23
• http://seclists.org/fulldisclosure/2020/Jul/24
• https://github.com/cyrusimap/cyrus-sasl/issues/587
• https://www.openldap.org/its/index.cgi/Incoming?id=9123
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19906
• https://usn.ubuntu.com/4256-1/
• http://www.openwall.com/lists/oss-security/2022/02/23/4
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MW6GZCLECGL2PBNHVNPJIX4RPVRVFR7R/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OB4GSVOJ6ESHQNT5GSV63OX5D4KPSTGT/

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2009-5155
• https://support.f5.com/csp/article/K64119434
• https://support.f5.com/csp/article/K64119434?utm_source=f5support&utm_medium=RSS
• http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238
• https://sourceware.org/bugzilla/show_bug.cgi?id=11053
• https://sourceware.org/bugzilla/show_bug.cgi?id=18986
• https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://security.netapp.com/advisory/ntap-20190315-0002/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-5155
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=eb04c21373e2a2885f3d52ff192b0499afe3c672
• https://support.f5.com/csp/article/K64119434?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2015-5180
• https://security.gentoo.org/glsa/201706-19
• https://sourceware.org/bugzilla/attachment.cgi?id=8492
• https://sourceware.org/bugzilla/show_bug.cgi?id=18784
• https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fc82b0a2dfe7dbd35671c10510a8da1043d746a5
• https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html
• https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1249603
• https://access.redhat.com/errata/RHSA-2018:0805
• http://www.securityfocus.com/bid/99324
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-5180
• http://www.ubuntu.com/usn/USN-3239-1
• http://www.ubuntu.com/usn/USN-3239-2
• https://access.redhat.com/security/cve/CVE-2015-5180
• https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=fc82b0a2dfe7dbd35671c10510a8da1043d746a5

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://sourceware.org/bugzilla/show_bug.cgi?id=24269
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS
• https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
• https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
• https://security.netapp.com/advisory/ntap-20190315-0002/
• http://www.securityfocus.com/bid/107160
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796
• https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg package and not the gnupg package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

Remediation

There is no fixed version for Debian:8 gnupg.

References

• https://security-tracker.debian.org/tracker/CVE-2018-6829
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
• https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
• https://www.oracle.com/security-alerts/cpujan2020.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg package and not the gnupg package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.

Remediation

There is no fixed version for Debian:8 gnupg.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14855
• https://security-tracker.debian.org/tracker/CVE-2019-14855
• https://dev.gnupg.org/T4755
• https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html
• https://rwc.iacr.org/2020/slides/Leurent.pdf
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855
• https://usn.ubuntu.com/4516-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-14855

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

Remediation

There is no fixed version for Debian:8 krb5.

References

• https://security-tracker.debian.org/tracker/CVE-2018-5709
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5709
• https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5709
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

Remediation

There is no fixed version for Debian:8 libgcrypt20.

References

• https://security-tracker.debian.org/tracker/CVE-2018-6829
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal
• https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
• https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
• https://www.oracle.com/security-alerts/cpujan2020.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.

Remediation

Upgrade Debian:8 libtasn1-6 to version 4.2-3+deb8u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2017-10790
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790
• https://www.debian.org/security/2018/dsa-4106
• https://security.gentoo.org/glsa/201710-11
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/06/msg00026.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1464141
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-10790
• https://usn.ubuntu.com/3547-1/
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which allows an attacker to cause denial of service via CPU and network bandwidth exhaustion.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a race condition in Http2Session when nghttp2 data is left in memory after a connection is reset while processing HTTP/2 CONTINUATION frames. An attacker can cause denial of service by sending such frames then triggering the Http2Session destructor.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.20.1, 20.12.1, 21.7.2 or higher.

References

• CERT/CC Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit
• Node.js Release Notes
• RedHat Bugzilla Bug
• Vulnerability Report

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS). By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

• A The string must start with the letter 'A'
• (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
• D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1. CCC
2. CC+C
3. C+CC
4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade node to version 6.15.0, 8.14.0, 10.14.0, 11.3.0 or higher.

References

• Nodejs Security Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker could cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

• A The string must start with the letter 'A'
• (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
• D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

1. CCC
2. CC+C
3. C+CC
4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade node to version 6.15.0, 8.14.0, 10.14.0, 11.3.0 or higher.

References

• Nodejs Security Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Two copies of a header field are allowed in a HTTP request, which causes Node.js to identifiy the first header and ignore the second.

Remediation

Upgrade node to version 10.23.1, 12.20.1, 14.15.4, 15.5.1 or higher.

References

• GitHub Commit
• HTTP Request Smuggling Demystified - Snyk Blog
• NodeJS Security Release Notes
• progfay's PoC
• RedHat Bugzilla Bug

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Key Management Errors. During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.

Remediation

Upgrade node to version 10.9.0 or higher.

References

• GitHub Commit
• GitHub PR
• Node.js Advisory
• Openssl.org

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.

Remediation

There is no fixed version for Debian:8 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2015-3276
• http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1238322
• http://rhn.redhat.com/errata/RHSA-2015-2131.html
• http://www.securitytracker.com/id/1034221
• https://access.redhat.com/errata/RHSA-2015:2131
• https://access.redhat.com/security/cve/CVE-2015-3276

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.

Remediation

Upgrade Debian:8 openldap to version 2.4.40+dfsg-1+deb8u5 or higher.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13565
• https://security-tracker.debian.org/tracker/CVE-2019-13565
• https://seclists.org/bugtraq/2019/Dec/23
• https://support.apple.com/kb/HT210788
• https://support.f5.com/csp/article/K98008862?utm_source=f5support&utm_medium=RSS
• https://www.openldap.org/lists/openldap-announce/201907/msg00001.html
• https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html
• http://seclists.org/fulldisclosure/2019/Dec/26
• https://www.openldap.org/its/index.cgi/?findid=9052
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://www.oracle.com/security-alerts/cpuapr2020.html
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-13565
• https://usn.ubuntu.com/4078-1/
• https://usn.ubuntu.com/4078-2/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://support.f5.com/csp/article/K98008862?utm_source=f5support&amp%3Butm_medium=RSS

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.

Remediation

There is no fixed version for Debian:8 openldap.

References

• https://security-tracker.debian.org/tracker/CVE-2017-17740
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740
• http://www.openldap.org/its/index.cgi/Incoming?id=8759
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html
• http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html
• https://kc.mcafee.com/corporate/index?page=content&id=SB10365
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).

Remediation

Upgrade Debian:8 openldap to version 2.4.40+dfsg-1+deb8u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-12243
• https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_4/CHANGES
• https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294ba5dd4f0380440
• https://support.apple.com/kb/HT211289
• https://www.debian.org/security/2020/dsa-4666
• https://lists.debian.org/debian-lts-announce/2020/05/msg00001.html
• https://bugs.openldap.org/show_bug.cgi?id=9202
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://security.netapp.com/advisory/ntap-20200511-0003/
• http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00016.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-12243
• https://usn.ubuntu.com/4352-1/
• https://usn.ubuntu.com/4352-2/
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• https://security-tracker.debian.org/tracker/CVE-2017-7186
• https://bugs.exim.org/show_bug.cgi?id=2052
• https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_internal.h?r1=600&r2=670&sortby=date
• https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_ucd.c?r1=316&r2=670&sortby=date
• https://vcs.pcre.org/pcre/code/trunk/pcre_internal.h?r1=1649&r2=1688&sortby=date
• https://vcs.pcre.org/pcre/code/trunk/pcre_ucd.c?r1=1490&r2=1688&sortby=date
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7186
• https://security.gentoo.org/glsa/201710-09
• https://security.gentoo.org/glsa/201710-25
• https://blogs.gentoo.org/ago/2017/03/14/libpcre-invalid-memory-read-in-match-pcre_exec-c/
• https://access.redhat.com/errata/RHSA-2018:2486
• http://www.securityfocus.com/bid/97030
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7186

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\.|([^\\W_])?)+)+$/.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• https://security-tracker.debian.org/tracker/CVE-2015-3217
• https://bugs.exim.org/show_bug.cgi?id=1638
• http://vcs.pcre.org/pcre?view=revision&revision=1566
• http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886
• http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
• http://www.openwall.com/lists/oss-security/2015/06/03/7
• https://bugzilla.redhat.com/show_bug.cgi?id=1228283
• http://rhn.redhat.com/errata/RHSA-2016-1025.html
• http://rhn.redhat.com/errata/RHSA-2016-2750.html
• https://access.redhat.com/errata/RHSA-2016:1132
• http://www.securityfocus.com/bid/75018

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-20838
• https://security-tracker.debian.org/tracker/CVE-2019-20838
• https://support.apple.com/kb/HT211931
• https://support.apple.com/kb/HT212147
• http://seclists.org/fulldisclosure/2020/Dec/32
• http://seclists.org/fulldisclosure/2021/Feb/14
• https://bugs.gentoo.org/717920
• https://www.pcre.org/original/changelog.txt
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Remediation

There is no fixed version for Debian:8 pcre3.

References

• https://security-tracker.debian.org/tracker/CVE-2017-11164
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• http://openwall.com/lists/oss-security/2017/07/11/3
• http://www.securityfocus.com/bid/99575
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11164
• http://www.openwall.com/lists/oss-security/2023/04/11/1
• http://www.openwall.com/lists/oss-security/2023/04/12/1
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

Remediation

There is no fixed version for Debian:8 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2020-12723
• https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
• https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a
• https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
• https://security.netapp.com/advisory/ntap-20200611-0001/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://security.gentoo.org/glsa/202006-03
• https://github.com/Perl/perl5/issues/16947
• https://github.com/Perl/perl5/issues/17743
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-12723
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

Remediation

There is no fixed version for Debian:8 perl.

References

• https://security-tracker.debian.org/tracker/CVE-2011-4116
• https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14
• https://rt.cpan.org/Public/Bug/Display.html?id=69106
• https://seclists.org/oss-sec/2011/q4/238
• http://www.openwall.com/lists/oss-security/2011/11/04/2
• http://www.openwall.com/lists/oss-security/2011/11/04/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

Remediation

There is no fixed version for Debian:8 tar.

References

• https://security-tracker.debian.org/tracker/CVE-2019-9923
• http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
• http://savannah.gnu.org/bugs/?55369
• https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9923
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Certificate Validation. There is insufficient verification of a certificate chain when using the X509_V_FLAG_X509_STRICT flag.

Remediation

Upgrade node to version 15.14.0, 14.16.1, 12.22.1, 10.24.1 or higher.

References

• GitHub Commit
• NodeJS Security Release

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Use After Free on close http2 on stream canceling. An attacker might be able to exploit the memory corruption to change process behaviour.

The issue follows on from CVE-2021-22930 as the fix for it did not completely resolve the vulnerability.

Remediation

Upgrade node to version 16.6.2, 14.17.5, 12.22.5 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• NodeJS Security Release
• RedHat Bugzilla Bug

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Unprotected Primary Channel. Debugger port 5858 listens on any interface by default: When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript

Remediation

Upgrade node to version 6.15.0 or higher.

References

• Nodejs Security Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') due to the improper handling of batch files in child_process.spawn or child_process.spawnSync. An attacker can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Note: This vulnerability only affects Windows machines.

Remediation

Upgrade node to version 18.20.2, 20.12.2, 21.7.3 or higher.

References

• GitHub Commit
• Node.js

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

A buffer overflow in glibc 2.5 (released on September 29, 2006) and can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.

Remediation

There is no fixed version for Debian:8 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2017-1000409
• https://www.exploit-db.com/exploits/43331/
• https://security.netapp.com/advisory/ntap-20190404-0003/
• http://seclists.org/oss-sec/2017/q4/385
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000409
• https://www.exploit-db.com/exploits/43331

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:8 relevant fixed versions and status.

An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Debian:8 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751
• https://security-tracker.debian.org/tracker/CVE-2020-1751
• https://security.gentoo.org/glsa/202006-04
• https://sourceware.org/bugzilla/show_bug.cgi?id=25423
• https://security.netapp.com/advisory/ntap-20200430-0002/
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751
• https://usn.ubuntu.com/4416-1/