A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2019-18391: Red Hat Customer Portal - Access to 24x7 support and knowledge

An out-of-bounds read in the vrend_blit_need_swizzle function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_BLIT commands.

CVE-2019-18390: Red Hat Customer Portal - Access to 24x7 support and knowledge

All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.

**CVE-2019-14870.html:**

\===========================================================
== Subject:     DelegationNotAllowed not being enforced
==              in protocol transition on Samba AD DC.
==
== CVE ID#:     CVE-2019-14870
==
== Versions:    All Samba versions since Samba 4.0
==
== Summary:     The DelegationNotAllowed Kerberos feature restriction
==              was not being applied when processing protocol
==              transition requests (S4U2Self), in the AD DC KDC.
===========================================================

===========
Description
===========

The S4U (MS-SFU) Kerberos delegation model includes a feature allowing
for a subset of clients to be opted out of constrained delegation in
any way, either S4U2Self or regular Kerberos authentication, by
forcing all tickets for these clients to be non-forwardable.  In AD
this is implemented by a user attribute delegation\_not\_allowed (aka
not-delegated), which translates to disallow-forwardable.

However the Samba AD DC does not do that for S4U2Self and does set the
forwardable flag even if the impersonated client has the not-delegated
flag set.

Note: while the experimental MIT AD-DC build does not support S4U, it
should still be patched due to a related bug in regular authentication.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

=========================
Workaround and mitigation
=========================

Only clients configured directly in LDAP or via a Windows tools
could have been marked as sensitive and so have been expected to have
this protection.  Therefore most Samba sites will not have been using
this feature and so are not impacted either way.

=======
Credits
=======

Originally reported by Isaac Boukris of Red Hat and the Samba Team.

Patches provided by Isaac Boukris of Red Hat and the Samba Team.

Advisory written by Andrew Bartlett of Catalyst and Isaac Boukris of
Red Hat and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2019-14870: Samba - Security Announcement Archive

In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.

CVE-2019-19534

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

**Name**

CVE-2013-4235

**Description**

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

**Debian Bugs**

778950

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

shadow (PTS)

buster

1:4.5-1.1

vulnerable

bullseye

1:4.8.1-1

vulnerable

bookworm, sid

1:4.13+dfsg1-1

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

shadow

source

(unstable)

1:4.12.3+dfsg1-1

unimportant

778950

**Notes**

https://github.com/shadow-maint/shadow/issues/317  
https://github.com/shadow-maint/shadow/pull/545  
Fixed by: https://github.com/shadow-maint/shadow/commit/e9ae247cb14f977d8881f481488843b10665dba8 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/f6f8bcd2a57c06983296485cc028ebdf467ebfd7 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/dab764d0195fc16d1d39330eee8a33e8917826d8 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/1d281273b149f2bb992d893d8ca9ffffddc95cc8 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/f606314f0c22fb5d13e5af17a70860d57559e808 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/6cbec2d0aa29d6d25e9eed007ded4e79eb637519 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/faeab50e710131816b261de66141524898c2c487 (4.12.2)  
Regression fix: https://github.com/shadow-maint/shadow/commit/f3bdb28e57e5e38c1e89347976c7d61a181eec32 (4.13)  
Regression fix: https://github.com/shadow-maint/shadow/commit/10cd68e0f04b48363eb32d2c6e168b358fb27810 (4.13)  
Regression fix: https://github.com/shadow-maint/shadow/commit/cde221b8587193f9dc300c0799a530e846c75961 (4.13)

CVE-2013-4235: CVE-2013-4235

The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.

CVE-2019-10214: 1732508 – (CVE-2019-10214) CVE-2019-10214 containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

Description Laura Pardo 2019-04-26 14:17:51 UTC

A vulnerability was found in Infinispan before version 10.0.0 Final. The invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges.

Comment 3 Joshua Padman 2019-05-09 03:30:35 UTC

Statement:

Red Hat OpenStack Platform's OpenDaylight contains the vulnerable library. This library is a requirement of other dependencies (Karaf and Hibernate). Under supported deployments, the vulnerable functionality is not utilized. Based on this, no OpenDaylight versions will not be fixed.

Comment 8 Marek Novotny 2019-06-24 11:46:30 UTC

what product version of Infinispan includes this fix?

Comment 22 Kunjan Rathod 2019-11-19 05:03:44 UTC

Created infinispan tracking bugs for this issue:

Affects: fedora-all \[bug 1773842\]

Comment 29 Chess Hazlett 2020-02-12 05:01:33 UTC

Mitigation:

There is no known mitigation for this issue.

Comment 38 errata-xmlrpc 2020-05-11 20:33:04 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:2063 https://access.redhat.com/errata/RHSA-2020:2063

CVE-2019-10174: invokeAccessibly method from ReflectionUtil class allows to invoke private methods

Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.

**Name**CVE-2013-2093**Description**Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.**Source**CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

CVE-2013-2093: CVE-2013-2093

SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 14 May 2013 01:07:07 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: chevalier 3as <chevalier3as@...il.com>,
        Florian HENRY <florian.henry@...n-concept.pro>
Subject: Re: Re: CVE Request: Dolibarr - Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/11/2013 01:11 PM, chevalier 3as wrote:
> I've failed to mention command injection, fix can be found here:
> 
> https://github.com/Dolibarr/dolibarr/commit/526a80dd202bbca396687a502d52c27e06e97fff

Please
> 
use CVE-2013-2093 for Dolibarr command injection


> 2013/5/11 chevalier 3as <chevalier3as@...il.com>
> 
>> Hello Kurt, Steve, All,
>> 
>> I'd like to request a CVE for two vulnerabilties in Dolibarr 3.3
>> and 3.4:
>> 
>> 1- SQL injection in 'pays' parameter, correction details can be
>> found here:
>> 
>> 
>> https://github.com/Dolibarr/dolibarr/commit/9427e32e2ed54c1a2bc519a88c057207836df489

Please
>> 
use CVE-2013-2091 for Dolibarr SQL injection in 'pays' parameter

>> 
>> 2- XSS vulnerabilty in several parameters, correction details can
>> be found here:
>> 
>> 
>> https://github.com/Dolibarr/dolibarr/commit/8a90598b23e1b2689848187941f7a96b04907005

Please
>> 
use CVE-2013-2092 for Dolibarr XSS vulnerabilty in several
parameters

>> Cheers, Alaeddine Mesbahi



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRkeKbAAoJEBYNRVNeJnmTq0QQAJsGFL9tU9tldK8G4SZJmCo8
N6x8oVBY4GKNsXwrQWQyjmJTiSYDZG9JvjS9ZP7NtKQ+mO0Ujofy8+nySR76/55u
xuhUgzWasG/zWtbVVrlTTV8UXyjNKLRCv9xHu+O/5CqgHDDe4Sc5EswqR3XpiV12
3dVhpPyqaapkw3E5kkQYDQXnQdUsLznjtWbIngljjjQxGAlDN09I0bBszi1K/PRZ
TTj3J1qcT+oHjxSupWy4BftOe4A7nj/rSMHZ5jPRUOx58iR5h5t4k36jLPgYAzUX
muEkt51j4RE9XPyb/zQXa7RZLh8QpudpLElLxPPXY7fg1InUVNqKDjHDP+NG7eTX
ju0bDlkaTDyDf9JM/uCvg8mWHcS0rdxqOD6HSxizQmvadpGejzEcAzmSMk67XuuD
/RKgBpGs4A428hx3AApS7OxMMTIxyKXXkCl/Mj6Glu0IKtusCJaZzAy5yJc5s16v
9cISObNuNffzVS461k1TjHMlMftiI8/26I55KKNFZVXvijcGt9XR/ekF9puM/R/1
IMCz9lNSU4v+40ZhdoTpjToR7qiSD3EC05iPDICm9Vu79L7sIG4ZcBgkGXuUdiSp
Es5YXLqype+vqZvnJGYHlRS07OK9Q1fOBkIiSVS3BW/Xq044ukP1c/DgiLeWUKh0
1xzaw++50ZNDcevQ+U6q
=D+FC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2013-2091: oss-security - Re: Re: CVE Request: Dolibarr

Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server. ssl_outgoing_ciphers not being applied to STARTTLS connections

Tag

#red_hat