Updated security-report for nfv-access 1.1.1 release

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>

1 files changed, 1297 insertions, 1541 deletions

diff --git a/doc/book-enea-nfv-access-security-report b/doc/book-enea-nfv-access-security-report
index 8e498c3..3c8b3f1 100644
--- a/doc/book-enea-nfv-access-security-report
+++ b/doc/book-enea-nfv-access-security-report
@@ -1,1541 +1,1297 @@
-CVE name: CVE-2017-1000366
-Package: glibc
-Score: 7.2 (High)
-Description: glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366
-
-CVE name: CVE-2017-1000364
-Package: Kernel
-Score: 7.0 (High)
-Description: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364
-
-CVE name: CVE-2017-1000253
-Package: kernel
-Score: 8.0 (High)
-Description: A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.Upstream patch:https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2017-1000253
-
-CVE name: CVE-2017-1000101 
-Package: curl
-Score: 4.0 (Medium)
-Description: curl supports "globbing" of URLs, in which a user can pass a numerical rangeto have the tool iterate over those numbers to do a sequence of transfers.In the globbing function that parses the numerical range, there was anomission that made curl read a byte beyond the end of the URL if given acarefully crafted, or just wrongly written, URL. The URL is stored in a heapbased buffer, so it could then be made to wrongly read something else insteadof crashing.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101 
-
-CVE name: CVE-2017-1000100 
-Package: curl
-Score: 4.0 (Medium)
-Description: When doing an TFTP upload and curl/libcurl is given a URL that contains a verylong file name (longer than about 515 bytes), the file name is truncated tofit within the buffer boundaries, but the buffer size is still wrongly updatedto use the untruncated length. This too large value is then used in the`send()` call, making curl attempt to send more data than what is actually putinto the buffer. The `send()` function will then read beyond the end of theheap based buffer.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100 
-
-CVE name: CVE-2017-1000082
-Package: systemd
-Score: 10.0 (High)
-Description: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082
-
-CVE name: CVE-2017-14496
-Package: dnsmasq 
-Score: 7.0 (High)
-Description: Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496
-
-CVE name: CVE-2017-14495
-Package: dnsmasq
-Score: 7.0 (High)
-Description: Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14495
-
-CVE name: CVE-2017-14494
-Package: dnsmasq
-Score: 7.0 (High)
-Description: dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14494
-
-CVE name: CVE-2017-14493
-Package: dnsmasq
-Score: 9.0 (High)
-Description: Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14493
-
-CVE name: CVE-2017-14492
-Package: dnsmasq
-Score: 9.0 (High)
-Description: Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted IPv6 router advertisement request.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14492
-
-CVE name: CVE-2017-14491
-Package: dnsmasq
-Score: 9.0 (High)
-Description: Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491
-
-CVE name: CVE-2017-12132
-Package: glibc
-Score: 4.3 (Medium)
-Description: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132
-
-CVE name: CVE-2017-9445
-Package: systemd
-Score: 5.0 (Medium)
-Description: In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9445
-
-CVE name: CVE-2017-9216
-Package: ghostscript
-Score: 4.3 (Medium)
-Description: libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9216
-
-CVE name: CVE-2017-9050
-Package: libxml2-native
-Score: 5.0 (Medium)
-Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
-
-CVE name: CVE-2017-9049
-Package: libxml2-native
-Score: 5.0 (Medium)
-Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049
-
-CVE name: CVE-2017-9048
-Package: libxml2-native
-Score: 5.0 (Medium)
-Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048
-
-CVE name: CVE-2017-9047
-Package: libxml2-native
-Score: 5.0 (Medium)
-Description: A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047
-
-CVE name: CVE-2017-8872
-Package: libxml2-native
-Score: 6.4 (Medium)
-Description: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872
-
-CVE name: CVE-2017-8831
-Package: kernel
-Score: 7.2 (High)
-Description: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.10.14 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8831
-
-CVE name: CVE-2017-8804
-Package: glibc
-Score: 7.8 (High)
-Description: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8804
-
-CVE name: CVE-2017-8779
-Package: rpcbind
-Score: 7.8 (High)
-Description: rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
-
-CVE name: CVE-2017-8392
-Package: binutils
-Score: 5.0 (Medium)
-Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8392
-
-CVE name: CVE-2017-8309
-Package: Qemu
-Score: 7.8 (High)
-Description: Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309
-
-CVE name: CVE-2017-8105
-Package: freetype
-Score: 7.5 (High)
-Description: FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
-
-CVE-2017-8072
-Package: Kernel
-Score: 7.2 (High)
-Description: The cp2114_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux Kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors.
-Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8072
-
-CVE-2017-8070
-Package: Kernel
-Score: 7.2 (High)
-Description: drivers/net/usb/catc.c in the Linux Kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
-Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8070
-
-CVE name: CVE-2017-8069
-Package: kernel
-Score: 7.2 (High)
-Description: drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8069
-
-CVE name: CVE-2017-8068
-Package: kernel
-Score: 7.2 (High)
-Description: drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8068
-
-CVE name: CVE-2017-8067
-Package: kernel
-Score: 7.2 (High)
-Description: drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8067
-
-CVE name: CVE-2017-8066
-Package: kernel
-Score: 7.2 (High)
-Description: drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8066
-
-CVE name: CVE-2017-8065
-Package: kernel
-Score: 7.2 (High)
-Description: rypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8065
-
-CVE name: CVE-2017-8064
-Package: kernel
-Score: 7.2 (High)
-Description: drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8064
-
-CVE name: CVE-2017-8063
-Package: kernel
-Score: 7.2 (High)
-Description: drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8063
-
-CVE name: CVE-2017-8062
-Package: kernel
-Score: 7.2 (High)
-Description: drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8062
-
-CVE name: CVE-2017-7975
-Package: Ghostscript
-Score: 6.8 (Medium)
-Description: Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
-
-CVE name: CVE-2017-7895
-Package: kernel
-Score: 10.0 (High)
-Description: The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7895
-
-CVE name: CVE-2017-7869
-Package: gnutls
-Score: 5.0 (Medium)
-Description: GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7869
-
-CVE name: CVE-2017-7645
-Package: kernel
-Score: 7.8 (High)
-Description: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645
-
-CVE name: CVE-2017-7618         
-Package: kernel
-Score: 7.8 (High)
-Description: crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7618       
-
-CVE name: CVE-2017-7487
-Package: kernel
-Score: 7.2 (High)
-Description: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7487
-
-CVE name: CVE-2017-7471
-Package: Qemu
-Score: 0.0 (Low)
-Description: Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory.A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7471
-
-CVE name: CVE-2017-7468 
-Package: curl
-Score: 6.0 (Medium)
-Description: libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate).
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7468 
-
-CVE name: CVE-2017-7304
-Package: Binutils
-Score: 5.0 (Medium)
-Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304
-
-CVE name: CVE-2017-7210
-Package: binutils
-Score: 7.8 (High)
-Description: objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210
-
-CVE name: CVE-2017-7209
-Package: binutils
-Score: 4.3 (Medium)
-Description: The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209
-
-CVE name: CVE-2017-7207
-Package: ghostscript
-Score: 4.3 (Medium)
-Description: The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7207
-
-CVE name: CVE-2017-6969
-Package: binutils
-Score: 6.4 (Medium)
-Description: readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969
-
-CVE name: CVE-2017-6966
-Package: binutil
-Score: 4.0 (Medium)
-Description: readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6966
-
-CVE name: CVE-2017-6965 
-Package: binutils
-Score: 4.3 (Medium)
-Description: readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6965 
-
-CVE name: CVE-2017-6874
-Package: Kernel
-Score: 7.0 (High)
-Description: Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction between put_ucounts and get_ucounts.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6874
-
-CVE name: CVE-2017-6505
-Package: Qemu
-Score: 4.0 (Medium)
-Description: Quick Emulator built with the USB OHCI Emulation support is vulnerable to aninfinite loop issue. It could occur while processing an endpoint listdescriptor in ohci_service_ed_list().A guest user/process could use this flaw to crash Qemu process resulting in DoS.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6505
-
-CVE name: CVE-2017-6353
-Package: Kernel
-Score: 5.0 (Medium)
-Description: net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6353
-
-CVE name: CVE-2017-6348
-Package: Kernel
-Score: 5.0 (Medium)
-Description: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6348
-
-CVE name: CVE-2017-6347
-Package: Kernel
-Score: 7.0 (High)
-Description: The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6347
-
-CVE name: CVE-2017-6346
-Package: Kernel
-Score: 7.0 (High)
-Description: Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6346
-
-CVE name: CVE-2017-6345
-Package: Kernel
-Score: 5.0 (Medium)
-Description: The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6345
-
-CVE name: CVE-2017-6214
-Package: Kernel
-Score: 5.0 (Medium)
-Description: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6214
-
-CVE name: CVE-2017-6074 
-Package: Kernel
-Score: 8.0 (High)
-Description: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074 
-
-CVE name: CVE-2017-6058
-Package: Qemu
-Score: 5.0 (Medium)
-Description: Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6058
-
-CVE name: CVE-2017-6001
-Package: Kernel
-Score: 8.0 (High)
-Description: Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6001
-
-CVE name: CVE-2017-5986
-Package: Kernel
-Score: 7.0 (High)
-Description: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986
-
-CVE name: CVE-2017-5970
-Package: Kernel
-Score: 5.0 (Medium)
-Description: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5970
-
-CVE name: CVE-2017-5969
-Package: libxml2-native
-Score: 2.6 (Low)
-Description: libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document.  NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser."
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969
-
-CVE name: CVE-2017-5931
-Package: Qemu
-Score: 6.0 (Medium)
-Description: Quick Emulator(Qemu) built with the Virtio crypto device emulation support isvulnerable to an integer overflow issue. It could occur while handling dataencryption/decryption requests in 'virtio_crypto_handle_sym_req'.A privileged user inside guest could use this flaw to crash the Qemu processresulting in DoS or potentially execute arbitrary code on the host withprivileges of the Qemu process.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931
-
-CVE name: CVE-2017-5848
-Package: gstreamer
-Score: 5.0 (Medium)
-Description: The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5848
-
-CVE name: CVE-2017-5847
-Package: gstreamer
-Score: 5.0 (Medium)
-Description: The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5847
-
-CVE name: CVE-2017-5669
-Package: Kernel
-Score: 5.0 (Medium)
-Description: The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5669
-
-CVE name: CVE-2017-5618
-Package: GNU screen 
-Score: 7.2 (High)
-Description: GNU screen before 4.5.1 allows local users to modify arbitrary files and consequently gain root privileges by leveraging improper checking of logfile permissions. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618
-
-CVE name: CVE-2017-5601
-Package: ibarchive
-Score: 5.0 (Medium)
-Description: An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5601
-
-CVE name: CVE-2017-5577
-Package: Kernel
-Score: 5.0 (Medium)
-Description: The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5577
-
-CVE name: CVE-2017-5576
-Package: Kernel
-Score: 7.0 (High)
-Description: Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted size value in a VC4_SUBMIT_CL ioctl call.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5576
-
-CVE name: CVE-2017-5551
-Package: Kernel
-Score: 4.0 (Medium)
-Description: The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5551
-
-CVE name: CVE-2017-5548
-Package: Kernel
-Score: 7.0 (High)
-Description: drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5548
-
-CVE name: CVE-2017-5547
-Package: Kernel
-Score: 7.0 (High)
-Description: drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5547
-
-CVE name: CVE-2017-5546
-Package: Kernel
-Score: 7.0 (High)
-Description: The freelist-randomization feature in mm/slab.c in the Linux kernel 4.8.x and 4.9.x before 4.9.5 allows local users to cause a denial of service (duplicate freelist entries and system crash) or possibly have unspecified other impact in opportunistic circumstances by leveraging the selection of a large value for a random number.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5546
-
-CVE name: CVE-2017-5335
-Package: GnuTLS
-Score: 5.0 (Medium)
-Description: The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335
-
-CVE name: CVE-2017-5225
-Package: tiff
-Score: 7.5 (High)
-Description: LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225
-
-CVE name: CVE-2017-5029
-Package: libxslt
-Score: 6.8 (Medium)
-Description: The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5029
-
-CVE name: CVE-2017-3731
-Package: OpenSSL
-Score: 5.0 (Medium)
-Description: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731
-
-CVE name: CVE-2017-3136 
-Package: bind
-Score: 5.9 (Medium)
-Description: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136 
-
-CVE name: CVE-2017-3135
-Package: bind
-Score: 6.0 (Medium)
-Description: Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3135
-
-CVE name: CVE-2017-2636
-Package: Kernel
-Score: 7.2 (High)
-Description: Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636
-
-CVE name: CVE-2017-2628 
-Package: curl
-Score: 0.0 (Low)
-Description: It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2628 
-
-CVE name: CVE-2017-2620
-Package: Qemu
-Score: 9.0 (High)
-Description: Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.Upstream patch: http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620
-
-CVE name: CVE-2016-10350
-Package: libarchive
-Score: 4.3 (Medium)
-Description: The archive_read_format_cab_read_header function in archive_read_support_format_cab.c in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10350
-
-CVE name: CVE-2016-10349
-Package: libarchive
-Score: 4.2 (Medium)
-Description: The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10349
-
-CVE name: CVE-2016-10229 
-Package: kernel
-Score: 10.0 (High)
-Description: udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229 
-
-CVE name: CVE-2016-10208
-Package: Kernel
-Score: 5.0 (Medium)
-Description: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10208
-
-CVE name: CVE-2016-10200
-Package: Kernel
-Score: 7.0 (High)
-Description: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10200
-
-CVE name: CVE-2016-10154
-Package: Kernel
-Score: 5.0 (Medium)
-Description: The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a scatterlist.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10154
-
-CVE name: CVE-2016-10153
-Package: Kernel
-Score: 7.0 (High)
-Description: The crypto scatterlist API in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging reliance on earlier net/ceph/crypto.c code.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10153
-
-CVE name: CVE-2016-10150
-Package: KVM
-Score: 10.0 (High)
-Description: Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10150
-
-CVE name: CVE-2016-10147
-Package: Kernel
-Score: 5.0 (Medium)
-Description: crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5).
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10147
-
-CVE name: CVE-2016-10124
-Package: LXC
-Score: 5.0 (Medium)
-Description: An issue was discovered in Linux Containers (LXC) before 2016-02-22. When executing a program via lxc-attach, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the container.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10124
-
-CVE name: CVE-2016-10087
-Package: Libpng
-Score: 5.0 (Medium)
-Description: The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087
-
-CVE name: CVE-2016-10044
-Package: Kernel
-Score: 7.0 (High)
-Description: The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10044
-
-CVE name: CVE-2016-10029
-Package: Qemu
-Score: 2.0 (Low)
-Description: The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SCANOUT command larger than num_scanouts.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10029
-
-CVE name: CVE-2016-9923
-Package: Qemu
-Score: 2.0 (Low)
-Description: Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9923
-
-CVE name: CVE-2016-9921
-Package: Qemu
-Score: 2.0 (Low)
-Description: Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9921
-
-CVE name: CVE-2016-9916
-Package: Qemu
-Score: 5.0 (Medium)
-Description: Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9916
-
-CVE name: CVE-2016-9915
-Package: Qemu
-Score: 5.0 (Medium)
-Description: Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9915
-
-CVE name: CVE-2016-9914
-Package: Qemu
-Score: 5.0 (Medium)
-Description: Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9914
-
-CVE name: CVE-2016-9913
-Package: Qemu
-Score: 5.0 (Medium)
-Description: Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9913
-
-CVE name: CVE-2016-9912
-Package: Qemu
-Score: 2.0 (Low)
-Description: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9912
-
-CVE name: CVE-2016-9911
-Package: Qemu
-Score: 2.0 (Low)
-Description: Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9911
-
-CVE name: CVE-2016-9908
-Package: Qemu
-Score: 2.0 (Low)
-Description: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9908
-
-CVE name: CVE-2016-9907
-Package: Qemu
-Score: 2.0 (Low)
-Description: Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9907
-
-CVE name: CVE-2016-9846
-Package: Qemu
-Score: 5.0 (Medium)
-Description: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9846
-
-CVE name: CVE-2016-9845
-Package: Qemu
-Score: 0.0 (Low)
-Description: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9845
-
-CVE name: CVE-2016-9844
-Package: unzip
-Score: 2.1 (Low)
-Description: Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9844
-
-CVE name: CVE-2016-9776
-Package: Qemu
-Score: 2.0 (Low)
-Description: QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9776
-
-CVE name: CVE-2016-9754
-Package: Kernel
-Score: 7.0 (High)
-Description: The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9754
-
-CVE name: CVE-2016-9603
-Package: Qemu
-Score: 8.0 (High)
-Description: A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9603
-
-CVE name: CVE-2016-9540
-Package: tiff
-Score: 7.5 (High)
-Description: tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow." 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9540
-
-CVE name: CVE-2016-9539
-Package: tiff
-Score: 7.5 (High)
-Description: tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9539
-
-CVE name: CVE-2016-9538
-Package: tiff
-Score: 7.5 (High)
-Description: tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readContigStripsIntoBuffer() because of a uint16 integer overflow. Reported as MSVR 35100. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9538
-
-CVE name: CVE-2016-9537
-Package: tiff
-Score: 7.5 (High)
-Description: tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9537
-
-CVE name: CVE-2016-9536
-Package: tiff
-Score: 7.5 (High)
-Description: tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka "t2p_process_jpeg_strip heap-buffer-overflow."
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9536
-
-CVE name: CVE-2016-9535
-Package: tiff
-Score: 7.5 (High)
-Description: tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9535
-
-CVE name: CVE-2016-9534
-Package: tiff
-Score: 7.5 (High)
-Description: tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow." 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9534
-
-CVE name: CVE-2016-9533
-Package: tiff
-Score: 7.5 (High)
-Description: tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka "PixarLog horizontalDifference heap-buffer-overflow."
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9533
-
-CVE name: CVE-2016-9448
-Package: tiff
-Score: 5.0 (Medium)
-Description: The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by setting the tags TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII to values that access 0-byte arrays. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9297. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
-
-CVE name: CVE-2016-9444
-Package: bind
-Score: 7.0 (High)
-Description: named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9444
-
-CVE name: CVE-2016-9401
-Package: bash
-Score: 2.0 (Low)
-Description: ref to yocto patch: http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=1b2857a781b6666feaf5d3c91dc02ac263d0c4f6
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401
-
-CVE name: CVE-2016-9318
-Package: libxml2-native
-Score: 6.8 (Medium)
-Description: libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318
-
-CVE name: CVE-2016-9297
-Package: tiff
-Score: 5.0 (Medium)
-Description: The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII tag values. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9297
-
-CVE name: CVE-2016-9273
-Package: tiff
-Score: 4.3 (Medium)
-Description: tiffsplit in libtiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file, related to changing td_nstrips in TIFF_STRIPCHOP mode. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
-
-CVE name: CVE-2016-9106
-Package: Qemu
-Score: 2.0 (Low)
-Description: Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9106
-
-CVE name: CVE-2016-9105
-Package: Qemu
-Score: 2.0 (Low)
-Description: Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9105
-
-CVE name: CVE-2016-9104
-Package: Qemu
-Score: 2.0 (Low)
-Description: Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9104
-
-CVE name: CVE-2016-9103
-Package: Qemu
-Score: 2.0 (Low)
-Description: The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9103
-
-CVE name: CVE-2016-9102
-Package: Qemu
-Score: 2.0 (Low)
-Description: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9102
-
-CVE name: CVE-2016-9083 
-Package: Kernel
-Score: 8.0 (High)
-Description: drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug."
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083 
-
-CVE name: CVE-2016-8910
-Package: Qemu
-Score: 2.0 (Low)
-Description: The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8910
-
-CVE name: CVE-2016-8909
-Package: Qemu
-Score: 2.0 (Low)
-Description: The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8909
-
-CVE name: CVE-2016-8864
-Package: bind
-Score: 5.0 (Medium)
-Description: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864
-
-CVE name: CVE-2016-8858
-Package: openssh
-Score: 7.8 (High)
-Description: A memory exhaustion issue in OpenSSH that can be triggered before user authentication was found. An unauthenticated attacker could consume approx. 400 MB of memory per each connection. The attacker could set up multiple such connections to run out of server�s memory.   
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8858
-
-CVE name: CVE-2016-8669
-Package: Qemu
-Score: 2.0 (Low)
-Description: The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8669
-
-CVE name: CVE-2016-8668
-Package: Qemu
-Score: 2.0 (Low)
-Description: The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8668
-
-CVE name: CVE-2016-8655 
-Package: Kernel
-Score: 8.0 (High)
-Description: Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655 
-
-CVE name: CVE-2016-8649
-Package: lxc
-Score: 9.0 (High)
-Description: lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 allows an attacker inside of an unprivileged container to use an inherited file descriptor, of the host's /proc, to access the rest of the host's filesystem via the openat() family of syscalls.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8649
-
-CVE name: CVE-2016-8636
-Package: Kernel
-Score: 7.0 (High)
-Description: Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the "RDMA protocol over infiniband" (aka Soft RoCE) technology.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8636
-
-CVE name: CVE-2016-8630
-Package: Kernel
-Score: 6.0 (Medium)
-Description: The x86_decode_insn function in arch/x86/kvm/emulate.c in the Linux kernel before 4.8.7, when KVM is enabled, allows local users to cause a denial of service (host OS crash) via a certain use of a ModR/M byte in an undefined instruction. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8630
-
-CVE name: CVE-2016-8625
-Package: curl
-Score: 6.9 (Medium)
-Description: When curl is built with libidn to handle International Domain Names (IDNA), ittranslates them to puny code for DNS resolving using the IDNA 2003 standard,while IDNA 2008 is the modern and up-to-date IDNA standard.This misalignment causes problems with for example domains using the German �character (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') whichis used at times in the .de TLD and is translated differently in the two IDNAstandards, leading to users potentially and unknowingly issuing networktransfer requests to the wrong host.For example, `stra�e.de` is translated into `strasse.de` using IDNA 2003 butis translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, thosehost names could very well resolve to different addresses and be twocompletely independent servers. IDNA 2008 is mandatory for .de domains.curl is not alone with this problem, as there's currently a big flux in theworld of network user-agents about which IDNA version to support and use.This name problem exists for DNS-using protocols in curl, but only when builtto use libidn.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625
-
-CVE name: CVE-2016-8624
-Package: curl
-Score: 6.9 (Medium)
-Description: curl doesn't parse the authority component of the URL correctly when the hostname part ends with a '#' character, and could instead be tricked intoconnecting to a different host. This may have security implications if you forexample use an URL parser that follows the RFC to check for allowed domainsbefore using curl to request them.Passing in `http://example.com#@evil.com/x.txt` would wrongly make curl send arequest to evil.com while your browser would connect to example.com given thesame URL.The problem exists for most protocol schemes.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624
-
-CVE name: CVE-2016-8623
-Package: curl
-Score: 4.9 (Medium)
-Description: libcurl explicitly allows users to share cookies between multiple easy handlesthat are concurrently employed by different threads.When cookies to be sent to a server are collected, the matching functioncollects all cookies to send and the cookie lock is released immediatelyafterwards. That function however only returns a list with *references* back tothe original strings for name, value, path and so on. Therefore, if anotherthread quickly takes the lock and frees one of the original cookie structstogether with its strings, a use-after-free can occur and lead to informationdisclosure. Another thread can also replace the contents of the cookies fromseparate HTTP responses or API calls.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623
-
-CVE name: CVE-2016-8622
-Package: curl
-Score: 4.9 (Medium)
-Description: The URL percent-encoding decode function in libcurl is called`curl_easy_unescape`. Internally, even if this function would be made toallocate a unscape destination buffer larger than 2GB, it would return thatnew length in a signed 32 bit integer variable, thus the length would geteither just truncated or both truncated and turned negative. That could thenlead to libcurl writing outside of its heap based buffer.This can be triggered by a user on a 64bit system if the user can send in acustom (very large) URL to a libcurl using program.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622
-
-CVE name: CVE-2016-8621
-Package: curl
-Score: 4.9 (Medium)
-Description: The `curl_getdate` converts a given date string into a numerical timestamp andit supports a range of different formats and possibilites to express a dateand time. The underlying date parsing function is also used internally whenparsing for example HTTP cookies (possibly received from remote servers) andit can be used when doing conditional HTTP requests.The date parser function uses the libc sscanf() function at two places, withthe parsing strings "%02d:%02d" and ""%02d:%02d:%02d". The intent being thatit would parse either a string with HH:MM (two digits colon two digits) orHH:MM:SS (two digits colon two digits colon two digits). If instead the pieceof time that was sent in had the final digit cut off, thus ending with asingle-digit, the date parser code would advance its read pointer one byte toomuch and end up reading out of bounds.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621
-
-CVE name: CVE-2016-8620
-Package: curl
-Score: 6.9 (Medium)
-Description: The curl tool's "globbing" feature allows a user to specify a numerical rangethrough which curl will iterate. It is typically specified as [1-5],specifying the first and the last numbers in the range. Or with [a-z], usingletters.1. The curl code for parsing the second *unsigned* number did not check for aleading minus character, which allowed a user to specify `[1--1]` with nocomplaints and have the latter `-1` number get turned into the largestunsigned long value the system can handle. This would ultimately cause curl towrite outside the dedicated malloced buffer after no less than 100,000iterations, since it would have room for 5 digits but not 6.2. When the range is specified with letters, and the ending letter is left out`[L-]`, the code would still advance its read pointer 5 bytes even if thestring was just 4 bytes and end up reading outside the given buffer.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620
-
-CVE name: CVE-2016-8619
-Package: curl
-Score: 6.9 (Medium)
-Description: In curl's implementation of the Kerberos authentication mechanism, thefunction `read_data()` in security.c is used to fill the necessary krb5structures. When reading one of the length fields from the socket, it fails toensure that the length parameter passed to realloc() is not set to 0.This would lead to realloc() getting called with a zero size and when doing sorealloc() returns NULL *and* frees the memory - in contrary to normalrealloc() fails where it only returns NULL - causing libcurl to free thememory *again* in the error path.This flaw could be triggered by a malicious or just otherwise ill-behavingserver.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619
-
-CVE name: CVE-2016-8618
-Package: curl
-Score: 6.9 (Medium)
-Description: The libcurl API function called `curl_maprintf()` can be tricked into doing adouble-free due to an unsafe `size_t` multiplication, on systems using 32 bit`size_t` variables. The function is also used internallty in numeroussituations.The function doubles an allocated memory area with realloc() and allows thesize to wrap and become zero and when doing so realloc() returns NULL *and*frees the memory - in contrary to normal realloc() fails where it only returnsNULL - causing libcurl to free the memory *again* in the error path.Systems with 64 bit versions of the `size_t` type are not affected by thisissue.This behavior is triggable using the publicly exposed function.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618
-
-CVE name: CVE-2016-8617
-Package: curl
-Score: 6.9 (Medium)
-Description: In libcurl's base64 encode function, the output buffer is allocated as followswithout any checks on insize:     malloc( insize * 4 / 3 + 4 )On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), themultiplication in the expression wraps around if insize is at least 1GB ofdata. If this happens, an undersized output buffer will be allocated, but thefull result will be written, thus causing the memory behind the output bufferto be overwritten.If a username is set directly via `CURLOPT_USERNAME` (or curl's `-u, --user`option), this vulnerability can be triggered. The name has to be at least512MB big in a 32bit system.Systems with 64 bit versions of the `size_t` type are not affected by thisissue.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617
-
-CVE name: CVE-2016-8616
-Package: curl
-Score: 3.9 (Low)
-Description: When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections.This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.We are not aware of any exploit of this flaw.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616
-
-CVE name: CVE-2016-8615
-Package: curl
-Score: 6.9 (Medium)
-Description: If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.The issue pertains to the function that loads cookies into memory, which reads the specified file into a fixed-size buffer in a line-by-line manner using the fgets() function. If an invocation of fgets() cannot read the whole line into the destination buffer due to it being too small, it truncates the output. This way, a very long cookie (name + value) sent by a malicious server would be stored in the file and subsequently that cookie could be read partially and crafted correctly, it could be treated as a different cookie for another server.We are not aware of any exploit of this flaw.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615
-
-CVE name: CVE-2016-8602
-Package: Ghostscript
-Score: 6.8 (Medium)
-Description: The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8602
-
-CVE name: CVE-2016-8578
-Package: Qemu
-Score: 2.0 (Low)
-Description: The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8578
-
-CVE name: CVE-2016-8577
-Package: Qemu
-Score: 2.0 (Low)
-Description: Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8577
-
-CVE name: CVE-2016-8576
-Package: Qemu
-Score: 2.0 (Low)
-Description: The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8576
-
-CVE name: CVE-2016-7995
-Package: Qemu
-Score: 2.0 (Low)
-Description: Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7995
-
-CVE name: CVE-2016-7994
-Package: Qemu
-Score: 2.0 (Low)
-Description: Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7994
-
-CVE name: CVE-2016-7979
-Package: ghostscript
-Score: 7.5 (High)
-Description: Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7979
-
-CVE name: CVE-2016-7978
-Package: ghostscript
-Score: 7.5 (High)
-Description: Use-after-free vulnerability in Ghostscript 9.20 might allow remote attackers to execute arbitrary code via vectors related to a reference leak in .setdevice.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7978
-
-CVE name: CVE-2016-7977
-Package: ghostscript
-Score: 4.3 (Medium)
-Description: Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently read arbitrary files via the use of the .libfile operator in a crafted postscript document.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7977
-
-CVE name: CVE-2016-7909
-Package: Qemu
-Score: 5.0 (Medium)
-Description: The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7909
-
-CVE name: CVE-2016-7908
-Package: Qemu
-Score: 2.0 (Low)
-Description: The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7908
-
-CVE name: CVE-2016-7795
-Package: systemd
-Score: 4.9 (Medium)
-Description: The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7795
-
-CVE name: CVE-2016-7466
-Package: Qemu
-Score: 2.0 (Low)
-Description: Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7466
-
-CVE name: CVE-2016-7423
-Package: Qemu
-Score: 2.0 (Low)
-Description: The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7423
-
-CVE name: CVE-2016-7422
-Package: Qemu
-Score: 2.0 (Low)
-Description: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7422
-
-CVE name: CVE-2016-7421
-Package: Qemu
-Score: 2.0 (Low)
-Description: The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7421
-
-CVE name: CVE-2016-7170
-Package: Qemu
-Score: 2.0 (Low)
-Description: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7170
-
-CVE name: CVE-2016-7157
-Package: Qemu
-Score: 2.0 (Low)
-Description: The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7157
-
-CVE name: CVE-2016-7156
-Package: Qemu
-Score: 2.0 (Low)
-Description: The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7156
-
-CVE name: CVE-2016-7155
-Package: Qemu
-Score: 2.0 (Low)
-Description: hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7155
-
-CVE name: CVE-2016-7116
-Package: Qemu
-Score: 2.0 (Low)
-Description: Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7116
-
-CVE name: CVE-2016-7097
-Package: Kernel
-Score: 3.6 (Low)
-Description: The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7097
-
-CVE name: CVE-2016-6888
-Package: Qemu
-Score: 2.0 (Low)
-Description: Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6888
-
-CVE name: CVE-2016-6836
-Package: Qemu
-Score: 2.0 (Low)
-Description: The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.  
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6836
-
-CVE name: CVE-2016-6835
-Package: Qemu 
-Score: 2.0 (Low)
-Description: The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6835
-
-CVE name: CVE-2016-6834
-Package: Qemu
-Score: 2.0 (Low)
-Description: The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6834
-
-CVE name: CVE-2016-6833
-Package: Qemu
-Score: 2.0 (Low)
-Description: Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6833
-
-CVE name: CVE-2016-6490
-Package: Qemu
-Score: 2.0 (Low)
-Description: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6490
-
-CVE name: CVE-2016-6489
-Package: nettle
-Score: 5.0 (Medium)
-Description: The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6489
-
-CVE name: CVE-2016-6480
-Package: Kernel
-Score: 4.7 (Medium)
-Description: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480
-
-CVE name: CVE-2016-6354
-Package: flex
-Score: 7.5 (High)
-Description: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
-
-CVE name: CVE-2016-6351
-Package: Qemu
-Score: 7.0 (High)
-Description: The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6351
-
-CVE name: CVE-2016-6323
-Package: glibc
-Score: 5.0 (Medium)
-Description: The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6323
-
-CVE name: CVE-2016-6321
-Package: Tar (Gnu)
-Score: 5.0 (Medium)
-Description: Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
-
-CVE name: CVE-2016-6318
-Package: cracklib
-Score: 7.5 (High)
-Description: Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318
-
-CVE name: CVE-2016-6301
-Package: busybox
-Score: 7.1 (High)
-Description: The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6301
-
-CVE name: CVE-2016-6252
-Package: shadow
-Score: 5.0 (Medium)
-Description: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. Patch: https://bugzilla.suse.com/attachment.cgi?id=684679&action=diff 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252
-
-CVE name: CVE-2016-6185
-Package: Perl
-Score: 5.0 (Medium)
-Description: The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185
-
-CVE name: CVE-2016-6170
-Package: bind
-Score: 6.0 (Medium)
-Description: DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone.  However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service).  A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.https://kb.isc.org/article/AA-01390
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6170
-
-CVE name: CVE-2016-6131
-Package: gcc
-Score: 4.9 (Medium)
-Description: A stack overflow vulnerability in the libiberty demangler was found, which causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131
-
-CVE name: CVE-2016-5875
-Package: libtiff
-Score: 8.0 (High)
-Description: An exploitable heap based buffer overflow exists in the handling of compressed TIFF images in LibTIFF�s PixarLogDecode api. A crafted TIFF document can lead to a heap based buffer overflow resulting in remote code execution. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5875
-
-CVE name: CVE-2016-5652
-Package: tiff
-Score: 6.8 (Medium)
-Description: An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF's TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
-
-CVE name: CVE-2016-5636
-Package: CPython
-Score: 10.0 (High)
-Description: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
-
-CVE name: CVE-2016-5403
-Package: Qemu
-Score: 5.0 (Medium)
-Description: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5403
-
-CVE name: CVE-2016-5338
-Package: Qemu
-Score: 5.0 (Medium)
-Description: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5338
-
-CVE name: CVE-2016-5337
-Package: Qemu
-Score: 2.0 (Low)
-Description: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5337
-
-CVE name: CVE-2016-5300
-Package: expat
-Score: 7.8 (High)
-Description: The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
-
-CVE name: CVE-2016-5238
-Package: Qemu
-Score: 2.0 (Low)
-Description: The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5238
-
-CVE name: CVE-2016-5131
-Package: libxml2
-Score: 10.0 (High)
-Description: Use-after-free vulnerability in libxml2 (used in chromium-browser) through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131
-
-CVE name: CVE-2016-5126
-Package: Qemu
-Score: 5.0 (Medium)
-Description: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5126
-
-CVE name: CVE-2016-5107
-Package: Qemu
-Score: 2.0 (Low)
-Description: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5107
-
-CVE name: CVE-2016-5106
-Package: Qemu
-Score: 2.0 (Low)
-Description: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5106
-
-CVE name: CVE-2016-5105
-Package: Qemu
-Score: 2.0 (Low)
-Description: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5105
-
-CVE name: CVE-2016-5008
-Package: libvirt
-Score: 4.3 (Medium)
-Description: libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5008
-
-CVE name: CVE-2016-4964
-Package: Qemu
-Score: 5.0 (Medium)
-Description: The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4964
-
-CVE name: CVE-2016-4952
-Package: Qemu
-Score: 2.0 (Low)
-Description: QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4952
-
-CVE name: CVE-2016-4658
-Package: libxml2
-Score: 10.0 (High)
-Description: libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658
-
-CVE name: CVE-2016-4454
-Package: Qemu
-Score: 3.0 (Low)
-Description: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4454
-
-CVE name: CVE-2016-4453
-Package: Qemu
-Score: 5.0 (Medium)
-Description: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4453
-
-CVE name: CVE-2016-4448
-Package: libxml2
-Score: 10.0 (High)
-Description: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448
-
-CVE name: CVE-2016-4441
-Package: Qemu
-Score: 2.0 (Low)
-Description: The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4441
-
-CVE name: CVE-2016-4439
-Package: Qemu
-Score: 5.0 (Medium)
-Description: The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4439
-
-CVE name: CVE-2016-4037
-Package: Qemu
-Score: 5.0 (Medium)
-Description: The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4037
-
-CVE name: CVE-2016-4020
-Package: Qemu
-Score: 2.0 (Low)
-Description: The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4020
-
-CVE name: CVE-2016-4002
-Package: Qemu
-Score: 7.0 (High)
-Description: Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4002
-
-CVE name: CVE-2016-4001
-Package: Qemu
-Score: 4.0 (Medium)
-Description: Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4001
-
-CVE name: CVE-2016-3991
-Package: tiff
-Score: 6.8 (Medium)
-Description: Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991
-
-CVE name: CVE-2016-3990
-Package: tiff
-Score: 6.8 (Medium)
-Description: Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990
-
-CVE name: CVE-2016-3945
-Package: tiff
-Score: 6.8 (Medium)
-Description: Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945
-
-CVE name: CVE-2016-3712
-Package: Qemu
-Score: 2.0 (Low)
-Description: Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3712
-
-CVE name: CVE-2016-3710
-Package: Qemu
-Score: 7.0 (High)
-Description: The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the \"Dark Portal\" issue.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3710
-
-CVE name: CVE-2016-3658
-Package: tiff
-Score: 5.0 (Medium)
-Description: The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3658
-
-CVE name: CVE-2016-3632
-Package: tiff
-Score: 6.0 (Medium)
-Description: Out-of-bounds write vulnerability was found in _TIFFVGetField function in tif_dirinfo.c, allowing attacker to cause a denial of service or command execution via a crafted TIFF image.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3632
-
-CVE name: CVE-2016-3623
-Package: tiff
-Score: 5.0 (Medium)
-Description: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623
-
-CVE name: CVE-2016-3622
-Package: tiff
-Score: 4.3 (Medium)
-Description: The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3622
-
-CVE name: CVE-2016-2858
-Package: Qemu
-Score: 2.0 (Low)
-Description: QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2858
-
-CVE name: CVE-2016-2857
-Package: Qemu
-Score: 2.0 (Low)
-Description: The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2857
-
-CVE name: CVE-2016-2775
-Package: bind
-Score: 4.3 (Medium)
-Description: ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775
-
-CVE name: CVE-2016-2391
-Package: Qemu
-Score: 2.0 (Low)
-Description: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2391
-
-CVE name: CVE-2016-2381
-Package: Perl
-Score: 5.0 (Medium)
-Description: Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
-
-CVE name: CVE-2016-2183
-Package: OpenSSL
-Score: 5.0 (Medium)
-Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
-
-CVE name: CVE-2016-2147
-Package: busybox
-Score: 5.0 (Medium)
-Description: Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147
-
-CVE name: CVE-2016-1568
-Package: Qemu
-Score: 9.0 (High)
-Description: Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1568
-
-CVE name: CVE-2016-1238
-Package: Qemu
-Score: 7.0 (High)
-Description: (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238
-
-CVE name: CVE-2016-0800
-Package: OpenSSL
-Score: 4.3 (Medium)
-Description: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
-
-CVE name: CVE-2016-0718
-Package: expat
-Score: 7.5 (High)
-Description: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
-
-CVE name: CVE-2016-0634 
-Package: Bash
-Score: 5.0 (Medium)
-Description: A vulnerability was found in a way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string. 
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634 
-
-CVE name: CVE-2015-9019
-Package: libxslt-native 
-Score: 5.0 (Medium)
-Description: In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9019
-
-CVE name: CVE-2015-8666
-Package: Qemu
-Score: 1.9 (Low)
-Description: Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8666
-
-CVE name: CVE-2015-8613
-Package: Qemu
-Score: 1.9 (Low)
-Description: Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8613
-
-CVE name: CVE-2015-8568
-Package: Qemu
-Score: 4.7 (Medium)
-Description: Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8568
-
-CVE name: CVE-2015-8567
-Package: Qemu
-Score: 6.8 (Medium)
-Description: Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8567
-
-CVE name: CVE-2015-8558
-Package: Qemu
-Score: 5.0 (Medium)
-Description: The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8558
-
-CVE name: CVE-2015-7512
-Package: Qemu
-Score: 7.0 (High)
-Description: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7512
-
-CVE name: CVE-2015-7295
-Package: Qemu
-Score: 5.0 (Medium)
-Description: hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7295
-
-CVE name: CVE-2015-6855
-Package: Qemu
-Score: 10.0 (High)
-Description: hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6855
-
-CVE name: CVE-2015-5224
-Package: util-linux
-Score: 7.5 (High)
-Description: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5224
-
-CVE name: CVE-2015-5158
-Package: Qemu
-Score: 4.0 (Medium)
-Description: Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5158
-
-CVE name: CVE-2015-4106
-Package: Qemu
-Score: 7.0 (High)
-Description: QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4106
-
-CVE name: CVE-2015-3209
-Package: Qemu
-Score: 8.0 (High)
-Description: Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209
-
-CVE name: CVE-2015-1779
-Package: Qemu
-Score: 8.0 (High)
-Description: The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.
-Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1779
+CVE-2017-1000253

+Package: kernel

+Score: 8.0 (High)

+Description: A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.Upstream patch:https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2017-1000253

+

+CVE-2017-14496

+Package: dnsmasq 

+Score: 7.0 (High)

+Description: Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496

+

+CVE-2017-14495

+Package: dnsmasq

+Score: 7.0 (High)

+Description: Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14495

+

+CVE-2017-14494

+Package: dnsmasq

+Score: 7.0 (High)

+Description: dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14494

+

+CVE-2017-14493

+Package: dnsmasq

+Score: 9.0 (High)

+Description: Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14493

+

+CVE-2017-14492

+Package: dnsmasq

+Score: 9.0 (High)

+Description: Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted IPv6 router advertisement request.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14492

+

+CVE-2017-14491

+Package: dnsmasq

+Score: 9.0 (High)

+Description: Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491

+

+CVE-2017-12132

+Package: glibc

+Score: 4.3 (Medium)

+Description: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132

+

+CVE-2017-11176

+Package: kernel

+Score: 10.0 (High)

+Description: The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176

+

+CVE-2017-1000366

+Package: glibc

+Score: 7.2 (High)

+Description: glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366

+

+CVE-2017-1000364

+Package: Kernel

+Score: 7.0 (High)

+Description: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364

+

+CVE-2017-1000257 

+Package: curl

+Score: 6.4 (Medium)

+Description: An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257 

+

+CVE-2017-1000101 

+Package: curl

+Score: 4.0 (Medium)

+Description: curl supports "globbing" of URLs, in which a user can pass a numerical rangeto have the tool iterate over those numbers to do a sequence of transfers.In the globbing function that parses the numerical range, there was anomission that made curl read a byte beyond the end of the URL if given acarefully crafted, or just wrongly written, URL. The URL is stored in a heapbased buffer, so it could then be made to wrongly read something else insteadof crashing.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101 

+

+CVE-2017-1000100 

+Package: curl

+Score: 4.0 (Medium)

+Description: When doing an TFTP upload and curl/libcurl is given a URL that contains a verylong file name (longer than about 515 bytes), the file name is truncated tofit within the buffer boundaries, but the buffer size is still wrongly updatedto use the untruncated length. This too large value is then used in the`send()` call, making curl attempt to send more data than what is actually putinto the buffer. The `send()` function will then read beyond the end of theheap based buffer.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100 

+

+CVE-2017-1000082

+Package: systemd

+Score: 10.0 (High)

+Description: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082

+

+CVE-2017-9445

+Package: systemd

+Score: 5.0 (Medium)

+Description: In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9445

+

+CVE-2017-9050

+Package: libxml2-native

+Score: 5.0 (Medium)

+Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050

+

+CVE-2017-9049

+Package: libxml2-native

+Score: 5.0 (Medium)

+Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049

+

+CVE-2017-9048

+Package: libxml2-native

+Score: 5.0 (Medium)

+Description: libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048

+

+CVE-2017-9047

+Package: libxml2-native

+Score: 5.0 (Medium)

+Description: A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047

+

+CVE-2017-8872

+Package: libxml2-native

+Score: 6.4 (Medium)

+Description: The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872

+

+CVE-2017-8831

+Package: kernel

+Score: 7.2 (High)

+Description: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.10.14 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8831

+

+CVE-2017-8817

+Package: curl

+Score: 5.0 (Medium)

+Description: libcurl contains a read out of bounds flaw in the FTP wildcard function.libcurl's FTP wildcard matching feature, which is enabled with the CURLOPT_WILDCARDMATCH option can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of the pattern string if it ends with an open bracket ([) but instead it will continue reading the heap beyond the end of the URL buffer that holds the wildcard.For applications that use HTTP(S) URLs, allow libcurl to handle redirects and have FTP wildcards enabled, this flaw can be triggered by malicious servers that can redirect clients to a URL using such a wildcard pattern.We are not aware of any exploit of this flaw.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817

+

+CVE-2017-8816

+Package: curl

+Score: 5.0 (Medium)

+Description: libcurl contains a buffer overrun flaw in the NTLM authentication code.The internal function Curl_ntlm_core_mk_ntlmv2_hash sums up the lengths of the user name + password (= SUM) and multiplies the sum by two (= SIZE) to figure out how large storage to allocate from the heap.The SUvalue is subsequently used to iterate over the input and generate output into the storage buffer. On systems with a 32 bit size_t, the math to calculate SIZE triggers an integer overflow when the combined lengths of the user name and password is larger than 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a buffer overrun.We are not aware of any exploit of this flaw.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816

+

+CVE-2017-8804

+Package: glibc

+Score: 7.8 (High)

+Description: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8804

+

+CVE-2017-8392

+Package: binutils

+Score: 5.0 (Medium)

+Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read of size 8 because of missing a check to determine whether symbols are NULL in the _bfd_dwarf2_find_nearest_line function. This vulnerability causes programs that conduct an analysis of binary programs using the libbfd library, such as objdump, to crash.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8392

+

+CVE-2017-8309

+Package: Qemu

+Score: 7.8 (High)

+Description: Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309

+

+CVE-2017-8105

+Package: freetype

+Score: 7.5 (High)

+Description: FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105

+

+CVE-2017-8069

+Package: kernel

+Score: 7.2 (High)

+Description: drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8069

+

+CVE-2017-8068

+Package: kernel

+Score: 7.2 (High)

+Description: drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8068

+

+CVE-2017-8067

+Package: kernel

+Score: 7.2 (High)

+Description: drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8067

+

+CVE-2017-8066

+Package: kernel

+Score: 7.2 (High)

+Description: drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8066

+

+CVE-2017-8064

+Package: kernel

+Score: 7.2 (High)

+Description: drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8064

+

+CVE-2017-8063

+Package: kernel

+Score: 7.2 (High)

+Description: drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8063

+

+CVE-2017-8062

+Package: kernel

+Score: 7.2 (High)

+Description: drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8062

+

+CVE-2017-7869

+Package: gnutls

+Score: 5.0 (Medium)

+Description: GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7869

+

+CVE-2017-7645

+Package: kernel

+Score: 7.8 (High)

+Description: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645

+

+CVE-2017-7618   

+Package: kernel

+Score: 7.8 (High)

+Description: crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7618       

+

+CVE-2017-7487

+Package: kernel

+Score: 7.2 (High)

+Description: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7487

+

+CVE-2017-7471

+Package: Qemu

+Score: 0.0 (Low)

+Description: Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory.A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7471

+

+CVE-2017-7468 

+Package: curl

+Score: 6.0 (Medium)

+Description: libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate).

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7468 

+

+CVE-2017-7407

+Package: curl

+Score: 2.1 (Low)

+Description: The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407

+

+CVE-2017-7304

+Package: binutils

+Score: 5.0 (Medium)

+Description: The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7304

+

+CVE-2017-7210

+Package: binutils

+Score: 7.8 (High)

+Description: objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buffer over-reads (of size 1 and size 8) while handling corrupt STABS enum type strings in a crafted object file, leading to program crash.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7210

+

+CVE-2017-7209

+Package: binutils

+Score: 4.3 (Medium)

+Description: The dump_section_as_bytes function in readelf in GNU Binutils 2.28 accesses a NULL pointer while reading section contents in a corrupt binary, leading to a program crash.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7209

+

+CVE-2017-6969

+Package: binutils

+Score: 6.4 (Medium)

+Description: readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over-read while processing corrupt RL78 binaries. The vulnerability can trigger program crashes. It may lead to an information leak as well.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6969

+

+CVE-2017-6966

+Package: binutil

+Score: 4.0 (Medium)

+Description: readelf in GNU Binutils 2.28 has a use-after-free (specifically read-after-free) error while processing multiple, relocated sections in an MSP430 binary. This is caused by mishandling of an invalid symbol index, and mishandling of state across invocations.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6966

+

+CVE-2017-6965 

+Package: binutils

+Score: 4.3 (Medium)

+Description: readelf in GNU Binutils 2.28 writes to illegal addresses while processing corrupt input files containing symbol-difference relocations, leading to a heap-based buffer overflow.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6965 

+

+CVE-2017-6505

+Package: Qemu

+Score: 4.0 (Medium)

+Description: Quick Emulator built with the USB OHCI Emulation support is vulnerable to aninfinite loop issue. It could occur while processing an endpoint listdescriptor in ohci_service_ed_list().A guest user/process could use this flaw to crash Qemu process resulting in DoS.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6505

+

+CVE-2017-6353

+Package: Kernel

+Score: 5.0 (Medium)

+Description: net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6353

+

+CVE-2017-6348

+Package: Kernel

+Score: 5.0 (Medium)

+Description: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6348

+

+CVE-2017-6345

+Package: Kernel

+Score: 5.0 (Medium)

+Description: The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6345

+

+CVE-2017-6214

+Package: Kernel

+Score: 5.0 (Medium)

+Description: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6214

+

+CVE-2017-6058

+Package: Qemu

+Score: 5.0 (Medium)

+Description: Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6058

+

+CVE-2017-5986

+Package: Kernel

+Score: 7.0 (High)

+Description: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986

+

+CVE-2017-5970

+Package: Kernel

+Score: 5.0 (Medium)

+Description: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5970

+

+CVE-2017-5969

+Package: libxml2-native

+Score: 2.6 (Low)

+Description: libxml2 2.9.4, when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document.  NOTE: The maintainer states "I would disagree of a CVE with the Recover parsing option which should only be used for manual recovery at least for XML parser."

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5969

+

+CVE-2017-5931

+Package: Qemu

+Score: 6.0 (Medium)

+Description: Quick Emulator(Qemu) built with the Virtio crypto device emulation support isvulnerable to an integer overflow issue. It could occur while handling dataencryption/decryption requests in 'virtio_crypto_handle_sym_req'.A privileged user inside guest could use this flaw to crash the Qemu processresulting in DoS or potentially execute arbitrary code on the host withprivileges of the Qemu process.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931

+

+CVE-2017-5848

+Package: gstreamer

+Score: 5.0 (Medium)

+Description: The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5848

+

+CVE-2017-5847

+Package: gstreamer

+Score: 5.0 (Medium)

+Description: The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5847

+

+CVE-2017-5669

+Package: Kernel

+Score: 5.0 (Medium)

+Description: The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5669

+

+CVE-2017-5618

+Package: GNU screen 

+Score: 7.2 (High)

+Description: GNU screen before 4.5.1 allows local users to modify arbitrary files and consequently gain root privileges by leveraging improper checking of logfile permissions. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618

+

+CVE-2017-5577

+Package: Kernel

+Score: 5.0 (Medium)

+Description: The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5577

+

+CVE-2017-5551

+Package: Kernel

+Score: 4.0 (Medium)

+Description: The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5551

+

+CVE-2017-5335

+Package: GnuTLS

+Score: 5.0 (Medium)

+Description: The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335

+

+CVE-2017-3737

+Package: OpenSSL

+Score: 6.0 (Medium)

+Description: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"mechanism. The intent was that if a fatal error occurred during a handshake thenOpenSSL would move into the error state and would immediately fail if youattempted to continue the handshake. This works as designed for the explicithandshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),however due to a bug it does not work correctly if SSL_read() or SSL_write() iscalled directly. In that scenario, if the handshake fails then a fatal errorwill be returned in the initial function call. If SSL_read()/SSL_write() issubsequently called by the application for the same SSL object then it willsucceed and the data is passed without being decrypted/encrypted directly fromthe SSL/TLS record layer.In order to exploit this issue an application bug would have to be present thatresulted in a call to SSL_read()/SSL_write() being issued after having alreadyreceived a fatal error.External References:https://www.openssl.org/news/secadv/20171207.txt

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737

+

+CVE-2017-3735

+Package: OpenSSL

+Score: 5.0 (Medium)

+Description: While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3735

+

+CVE-2017-3731

+Package: OpenSSL

+Score: 5.0 (Medium)

+Description: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731

+

+CVE-2017-3136 

+Package: bind

+Score: 5.9 (Medium)

+Description: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate.An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136 

+

+CVE-2017-3135

+Package: bind

+Score: 6.0 (Medium)

+Description: Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3135

+

+CVE-2017-2628 

+Package: curl

+Score: 0.0 (Low)

+Description: It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2628 

+

+CVE-2017-2620

+Package: Qemu

+Score: 9.0 (High)

+Description: Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.Upstream patch: http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620

+

+

+CVE-2016-9923

+Package: Qemu

+Score: 2.0 (Low)

+Description: Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9923

+

+CVE-2016-9921

+Package: Qemu

+Score: 2.0 (Low)

+Description: Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9921

+

+CVE-2016-9916

+Package: Qemu

+Score: 5.0 (Medium)

+Description: Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9916

+

+CVE-2016-9915

+Package: Qemu

+Score: 5.0 (Medium)

+Description: Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9915

+

+CVE-2016-9914

+Package: Qemu

+Score: 5.0 (Medium)

+Description: Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9914

+

+CVE-2016-9913

+Package: Qemu

+Score: 5.0 (Medium)

+Description: Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9913

+

+CVE-2016-9912

+Package: Qemu

+Score: 2.0 (Low)

+Description: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9912

+

+CVE-2016-9911

+Package: Qemu

+Score: 2.0 (Low)

+Description: Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9911

+

+CVE-2016-9908

+Package: Qemu

+Score: 2.0 (Low)

+Description: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9908

+

+CVE-2016-9907

+Package: Qemu

+Score: 2.0 (Low)

+Description: Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9907

+

+CVE-2016-9846

+Package: Qemu

+Score: 5.0 (Medium)

+Description: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9846

+

+CVE-2016-9845

+Package: Qemu

+Score: 0.0 (Low)

+Description: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9845

+

+CVE-2016-9776

+Package: Qemu

+Score: 2.0 (Low)

+Description: QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9776

+

+CVE-2016-9754

+Package: Kernel

+Score: 7.0 (High)

+Description: The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9754

+

+CVE-2016-9603

+Package: Qemu

+Score: 8.0 (High)

+Description: A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9603

+

+CVE-2016-9444

+Package: bind

+Score: 7.0 (High)

+Description: named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9444

+

+CVE-2016-9401

+Package: bash

+Score: 2.0 (Low)

+Description: ref to yocto patch: http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=1b2857a781b6666feaf5d3c91dc02ac263d0c4f6

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401

+

+CVE-2016-9318

+Package: libxml2-native

+Score: 6.8 (Medium)

+Description: libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9318

+

+CVE-2016-9106

+Package: Qemu

+Score: 2.0 (Low)

+Description: Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9106

+

+CVE-2016-9105

+Package: Qemu

+Score: 2.0 (Low)

+Description: Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9105

+

+CVE-2016-9104

+Package: Qemu

+Score: 2.0 (Low)

+Description: Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9104

+

+CVE-2016-9103

+Package: Qemu

+Score: 2.0 (Low)

+Description: The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9103

+

+CVE-2016-9102

+Package: Qemu

+Score: 2.0 (Low)

+Description: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9102

+

+CVE-2016-9083 

+Package: Kernel

+Score: 8.0 (High)

+Description: drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug."

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083 

+

+CVE-2016-8910

+Package: Qemu

+Score: 2.0 (Low)

+Description: The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8910

+

+CVE-2016-8909

+Package: Qemu

+Score: 2.0 (Low)

+Description: The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8909

+

+CVE-2016-8864

+Package: bind

+Score: 5.0 (Medium)

+Description: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864

+

+CVE-2016-8858

+Package: OpenSSL

+Score: 7.8 (High)

+Description: A memory exhaustion issue in OpenSSH that can be triggered before user authentication was found. An unauthenticated attacker could consume approx. 400 MB of memory per each connection. The attacker could set up multiple such connections to run out of server’s memory.   

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8858

+

+CVE-2016-8669

+Package: Qemu

+Score: 2.0 (Low)

+Description: The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8669

+

+CVE-2016-8668

+Package: Qemu

+Score: 2.0 (Low)

+Description: The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8668

+

+CVE-2016-8655 

+Package: Kernel

+Score: 8.0 (High)

+Description: Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655 

+

+CVE-2016-8649

+Package: lxc

+Score: 9.0 (High)

+Description: lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 allows an attacker inside of an unprivileged container to use an inherited file descriptor, of the host's /proc, to access the rest of the host's filesystem via the openat() family of syscalls.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8649

+

+CVE-2016-8625

+Package: curl

+Score: 6.9 (Medium)

+Description: When curl is built with libidn to handle International Domain Names (IDNA), ittranslates them to puny code for DNS resolving using the IDNA 2003 standard,while IDNA 2008 is the modern and up-to-date IDNA standard.This misalignment causes problems with for example domains using the German ßcharacter (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') whichis used at times in the .de TLD and is translated differently in the two IDNAstandards, leading to users potentially and unknowingly issuing networktransfer requests to the wrong host.For example, `straße.de` is translated into `strasse.de` using IDNA 2003 butis translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, thosehost names could very well resolve to different addresses and be twocompletely independent servers. IDNA 2008 is mandatory for .de domains.curl is not alone with this problem, as there's currently a big flux in theworld of network user-agents about which IDNA version to support and use.This name problem exists for DNS-using protocols in curl, but only when builtto use libidn.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625

+

+CVE-2016-8624

+Package: curl

+Score: 6.9 (Medium)

+Description: curl doesn't parse the authority component of the URL correctly when the hostname part ends with a '#' character, and could instead be tricked intoconnecting to a different host. This may have security implications if you forexample use an URL parser that follows the RFC to check for allowed domainsbefore using curl to request them.Passing in `http://example.com#@evil.com/x.txt` would wrongly make curl send arequest to evil.com while your browser would connect to example.com given thesame URL.The problem exists for most protocol schemes.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624

+

+CVE-2016-8623

+Package: curl

+Score: 4.9 (Medium)

+Description: libcurl explicitly allows users to share cookies between multiple easy handlesthat are concurrently employed by different threads.When cookies to be sent to a server are collected, the matching functioncollects all cookies to send and the cookie lock is released immediatelyafterwards. That function however only returns a list with *references* back tothe original strings for name, value, path and so on. Therefore, if anotherthread quickly takes the lock and frees one of the original cookie structstogether with its strings, a use-after-free can occur and lead to informationdisclosure. Another thread can also replace the contents of the cookies fromseparate HTTP responses or API calls.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623

+

+CVE-2016-8622

+Package: curl

+Score: 4.9 (Medium)

+Description: The URL percent-encoding decode function in libcurl is called`curl_easy_unescape`. Internally, even if this function would be made toallocate a unscape destination buffer larger than 2GB, it would return thatnew length in a signed 32 bit integer variable, thus the length would geteither just truncated or both truncated and turned negative. That could thenlead to libcurl writing outside of its heap based buffer.This can be triggered by a user on a 64bit system if the user can send in acustom (very large) URL to a libcurl using program.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622

+

+CVE-2016-8621

+Package: curl

+Score: 4.9 (Medium)

+Description: The `curl_getdate` converts a given date string into a numerical timestamp andit supports a range of different formats and possibilites to express a dateand time. The underlying date parsing function is also used internally whenparsing for example HTTP cookies (possibly received from remote servers) andit can be used when doing conditional HTTP requests.The date parser function uses the libc sscanf() function at two places, withthe parsing strings "%02d:%02d" and ""%02d:%02d:%02d". The intent being thatit would parse either a string with HH:MM (two digits colon two digits) orHH:MM:SS (two digits colon two digits colon two digits). If instead the pieceof time that was sent in had the final digit cut off, thus ending with asingle-digit, the date parser code would advance its read pointer one byte toomuch and end up reading out of bounds.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621

+

+CVE-2016-8620

+Package: curl

+Score: 6.9 (Medium)

+Description: The curl tool's "globbing" feature allows a user to specify a numerical rangethrough which curl will iterate. It is typically specified as [1-5],specifying the first and the last numbers in the range. Or with [a-z], usingletters.1. The curl code for parsing the second *unsigned* number did not check for aleading minus character, which allowed a user to specify `[1--1]` with nocomplaints and have the latter `-1` number get turned into the largestunsigned long value the system can handle. This would ultimately cause curl towrite outside the dedicated malloced buffer after no less than 100,000iterations, since it would have room for 5 digits but not 6.2. When the range is specified with letters, and the ending letter is left out`[L-]`, the code would still advance its read pointer 5 bytes even if thestring was just 4 bytes and end up reading outside the given buffer.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620

+

+CVE-2016-8619

+Package: curl

+Score: 6.9 (Medium)

+Description: In curl's implementation of the Kerberos authentication mechanism, thefunction `read_data()` in security.c is used to fill the necessary krb5structures. When reading one of the length fields from the socket, it fails toensure that the length parameter passed to realloc() is not set to 0.This would lead to realloc() getting called with a zero size and when doing sorealloc() returns NULL *and* frees the memory - in contrary to normalrealloc() fails where it only returns NULL - causing libcurl to free thememory *again* in the error path.This flaw could be triggered by a malicious or just otherwise ill-behavingserver.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619

+

+CVE-2016-8618

+Package: curl

+Score: 6.9 (Medium)

+Description: The libcurl API function called `curl_maprintf()` can be tricked into doing adouble-free due to an unsafe `size_t` multiplication, on systems using 32 bit`size_t` variables. The function is also used internallty in numeroussituations.The function doubles an allocated memory area with realloc() and allows thesize to wrap and become zero and when doing so realloc() returns NULL *and*frees the memory - in contrary to normal realloc() fails where it only returnsNULL - causing libcurl to free the memory *again* in the error path.Systems with 64 bit versions of the `size_t` type are not affected by thisissue.This behavior is triggable using the publicly exposed function.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618

+

+CVE-2016-8617

+Package: curl

+Score: 6.9 (Medium)

+Description: In libcurl's base64 encode function, the output buffer is allocated as followswithout any checks on insize:     malloc( insize * 4 / 3 + 4 )On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), themultiplication in the expression wraps around if insize is at least 1GB ofdata. If this happens, an undersized output buffer will be allocated, but thefull result will be written, thus causing the memory behind the output bufferto be overwritten.If a username is set directly via `CURLOPT_USERNAME` (or curl's `-u, --user`option), this vulnerability can be triggered. The name has to be at least512MB big in a 32bit system.Systems with 64 bit versions of the `size_t` type are not affected by thisissue.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617

+

+CVE-2016-8616

+Package: curl

+Score: 3.9 (Low)

+Description: When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections.This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.We are not aware of any exploit of this flaw.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616

+

+CVE-2016-8615

+Package: curl

+Score: 6.9 (Medium)

+Description: If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.The issue pertains to the function that loads cookies into memory, which reads the specified file into a fixed-size buffer in a line-by-line manner using the fgets() function. If an invocation of fgets() cannot read the whole line into the destination buffer due to it being too small, it truncates the output. This way, a very long cookie (name + value) sent by a malicious server would be stored in the file and subsequently that cookie could be read partially and crafted correctly, it could be treated as a different cookie for another server.We are not aware of any exploit of this flaw.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615

+

+CVE-2016-8578

+Package: Qemu

+Score: 2.0 (Low)

+Description: The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8578

+

+CVE-2016-8577

+Package: Qemu

+Score: 2.0 (Low)

+Description: Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8577

+

+CVE-2016-8576

+Package: Qemu

+Score: 2.0 (Low)

+Description: The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8576

+

+CVE-2016-7995

+Package: Qemu

+Score: 2.0 (Low)

+Description: Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7995

+

+CVE-2016-7994

+Package: Qemu

+Score: 2.0 (Low)

+Description: Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7994

+

+CVE-2016-7909

+Package: Qemu

+Score: 5.0 (Medium)

+Description: The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7909

+

+CVE-2016-7908

+Package: Qemu

+Score: 2.0 (Low)

+Description: The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7908

+

+CVE-2016-7795

+Package: systemd

+Score: 4.9 (Medium)

+Description: The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7795

+

+CVE-2016-7466

+Package: Qemu

+Score: 2.0 (Low)

+Description: Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7466

+

+CVE-2016-7423

+Package: Qemu

+Score: 2.0 (Low)

+Description: The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7423

+

+CVE-2016-7422

+Package: Qemu

+Score: 2.0 (Low)

+Description: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7422

+

+CVE-2016-7421

+Package: Qemu

+Score: 2.0 (Low)

+Description: The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7421

+

+CVE-2016-7170

+Package: Qemu

+Score: 2.0 (Low)

+Description: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7170

+

+CVE-2016-7157

+Package: Qemu

+Score: 2.0 (Low)

+Description: The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7157

+

+CVE-2016-7156

+Package: Qemu

+Score: 2.0 (Low)

+Description: The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7156

+

+CVE-2016-7155

+Package: Qemu

+Score: 2.0 (Low)

+Description: hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7155

+

+CVE-2016-7116

+Package: Qemu

+Score: 2.0 (Low)

+Description: Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7116

+

+CVE-2016-7097

+Package: Kernel

+Score: 3.6 (Low)

+Description: The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr call, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7097

+

+CVE-2016-6888

+Package: Qemu

+Score: 2.0 (Low)

+Description: Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6888

+

+CVE-2016-6836

+Package: Qemu

+Score: 2.0 (Low)

+Description: The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.  

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6836

+

+CVE-2016-6835

+Package: Qemu 

+Score: 2.0 (Low)

+Description: The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6835

+

+CVE-2016-6834

+Package: Qemu

+Score: 2.0 (Low)

+Description: The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6834

+

+CVE-2016-6833

+Package: Qemu

+Score: 2.0 (Low)

+Description: Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6833

+

+CVE-2016-6490

+Package: Qemu

+Score: 2.0 (Low)

+Description: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6490

+

+CVE-2016-6489

+Package: nettle

+Score: 5.0 (Medium)

+Description: The RSA and DSA decryption code in Nettle makes it easier for attackers to discover private keys via a cache side channel attack.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6489

+

+CVE-2016-6480

+Package: Kernel

+Score: 4.7 (Medium)

+Description: Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480

+

+CVE-2016-6354

+Package: flex

+Score: 7.5 (High)

+Description: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354

+

+CVE-2016-6351

+Package: Qemu

+Score: 7.0 (High)

+Description: The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6351

+

+CVE-2016-6323

+Package: glibc

+Score: 5.0 (Medium)

+Description: The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6323

+

+CVE-2016-6321

+Package: Tar (Gnu)

+Score: 5.0 (Medium)

+Description: Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321

+

+CVE-2016-6318

+Package: cracklib

+Score: 7.5 (High)

+Description: Stack-based buffer overflow in the FascistGecosUser function in lib/fascist.c in cracklib allows local users to cause a denial of service (application crash) or gain privileges via a long GECOS field, involving longbuffer.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318

+

+CVE-2016-6301

+Package: busybox

+Score: 7.1 (High)

+Description: The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6301

+

+CVE-2016-6252

+Package: shadow

+Score: 5.0 (Medium)

+Description: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. Patch: https://bugzilla.suse.com/attachment.cgi?id=684679&action=diff 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252

+

+CVE-2016-6185

+Package: Perl

+Score: 5.0 (Medium)

+Description: The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185

+

+CVE-2016-6170

+Package: bind

+Score: 6.0 (Medium)

+Description: DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone.  However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service).  A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.https://kb.isc.org/article/AA-01390

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6170

+

+CVE-2016-6131

+Package: gcc

+Score: 4.9 (Medium)

+Description: A stack overflow vulnerability in the libiberty demangler was found, which causes its host application to crash on a tainted branch instruction. The problem is caused by a self-reference in a mangled type string that is "remembered" for later reference. This leads to an infinite recursion during the demangling.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6131

+

+CVE-2016-5636

+Package: CPython

+Score: 10.0 (High)

+Description: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636

+

+CVE-2016-5403

+Package: Qemu

+Score: 5.0 (Medium)

+Description: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5403

+

+CVE-2016-5338

+Package: Qemu

+Score: 5.0 (Medium)

+Description: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5338

+

+CVE-2016-5337

+Package: Qemu

+Score: 2.0 (Low)

+Description: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5337

+

+CVE-2016-5300

+Package: expat

+Score: 7.8 (High)

+Description: The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300

+

+CVE-2016-5238

+Package: Qemu

+Score: 2.0 (Low)

+Description: The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5238

+

+CVE-2016-5131

+Package: libxml2

+Score: 10.0 (High)

+Description: Use-after-free vulnerability in libxml2 (used in chromium-browser) through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131

+

+CVE-2016-5126

+Package: Qemu

+Score: 5.0 (Medium)

+Description: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5126

+

+CVE-2016-5107

+Package: Qemu

+Score: 2.0 (Low)

+Description: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5107

+

+CVE-2016-5106

+Package: Qemu

+Score: 2.0 (Low)

+Description: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5106

+

+CVE-2016-5105

+Package: Qemu

+Score: 2.0 (Low)

+Description: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5105

+

+CVE-2016-5008

+Package: libvirt

+Score: 4.3 (Medium)

+Description: libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5008

+

+CVE-2016-4964

+Package: Qemu

+Score: 5.0 (Medium)

+Description: The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4964

+

+CVE-2016-4952

+Package: Qemu

+Score: 2.0 (Low)

+Description: QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4952

+

+CVE-2016-4658

+Package: libxml2

+Score: 10.0 (High)

+Description: libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658

+

+CVE-2016-4454

+Package: Qemu

+Score: 3.0 (Low)

+Description: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4454

+

+CVE-2016-4453

+Package: Qemu

+Score: 5.0 (Medium)

+Description: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4453

+

+CVE-2016-4448

+Package: libxml2

+Score: 10.0 (High)

+Description: Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448

+

+CVE-2016-4441

+Package: Qemu

+Score: 2.0 (Low)

+Description: The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4441

+

+CVE-2016-4439

+Package: Qemu

+Score: 5.0 (Medium)

+Description: The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4439

+

+CVE-2016-4037

+Package: Qemu

+Score: 5.0 (Medium)

+Description: The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4037

+

+CVE-2016-4020

+Package: Qemu

+Score: 2.0 (Low)

+Description: The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4020

+

+CVE-2016-4002

+Package: Qemu

+Score: 7.0 (High)

+Description: Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4002

+

+CVE-2016-4001

+Package: Qemu

+Score: 4.0 (Medium)

+Description: Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4001

+

+CVE-2016-3712

+Package: Qemu

+Score: 2.0 (Low)

+Description: Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3712

+

+CVE-2016-3710

+Package: Qemu

+Score: 7.0 (High)

+Description: The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the \"Dark Portal\" issue.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3710

+

+CVE-2016-2858

+Package: Qemu

+Score: 2.0 (Low)

+Description: QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2858

+

+CVE-2016-2857

+Package: Qemu

+Score: 2.0 (Low)

+Description: The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2857

+

+CVE-2016-2775

+Package: bind

+Score: 4.3 (Medium)

+Description: ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775

+

+CVE-2016-2391

+Package: Qemu

+Score: 2.0 (Low)

+Description: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2391

+

+CVE-2016-2381

+Package: Perl

+Score: 5.0 (Medium)

+Description: Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381

+

+CVE-2016-2183

+Package: OpenSSL

+Score: 5.0 (Medium)

+Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183

+

+CVE-2016-2147

+Package: busybox

+Score: 5.0 (Medium)

+Description: Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147

+

+CVE-2016-1568

+Package: Qemu

+Score: 9.0 (High)

+Description: Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1568

+

+CVE-2016-1238

+Package: Qemu

+Score: 7.0 (High)

+Description: (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238

+

+CVE-2016-10229 

+Package: kernel

+Score: 10.0 (High)

+Description: udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229 

+

+CVE-2016-10208

+Package: Kernel

+Score: 5.0 (Medium)

+Description: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10208

+

+CVE-2016-10154

+Package: Kernel

+Score: 5.0 (Medium)

+Description: The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a scatterlist.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10154

+

+CVE-2016-10150

+Package: KVM

+Score: 10.0 (High)

+Description: Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10150

+

+CVE-2016-10147

+Package: Kernel

+Score: 5.0 (Medium)

+Description: crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5).

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10147

+

+CVE-2016-10124

+Package: LXC

+Score: 5.0 (Medium)

+Description: An issue was discovered in Linux Containers (LXC) before 2016-02-22. When executing a program via lxc-attach, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the container.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10124

+

+CVE-2016-10087

+Package: Libpng

+Score: 5.0 (Medium)

+Description: The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087

+

+CVE-2016-10044

+Package: Kernel

+Score: 7.0 (High)

+Description: The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10044

+

+CVE-2016-10029

+Package: Qemu

+Score: 2.0 (Low)

+Description: The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SCANOUT command larger than num_scanouts.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10029

+

+CVE-2016-0800

+Package: OpenSSL

+Score: 4.3 (Medium)

+Description: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800

+

+CVE-2016-0718

+Package: expat

+Score: 7.5 (High)

+Description: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718

+

+CVE-2016-0634 

+Package: bash

+Score: 5.0 (Medium)

+Description: A vulnerability was found in a way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634 

+

+CVE-2015-8666

+Package: Qemu

+Score: 1.9 (Low)

+Description: Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8666

+

+CVE-2015-8613

+Package: Qemu

+Score: 1.9 (Low)

+Description: Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8613

+

+CVE-2015-8568

+Package: Qemu

+Score: 4.7 (Medium)

+Description: Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8568

+

+CVE-2015-8567

+Package: Qemu

+Score: 6.8 (Medium)

+Description: Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8567

+

+CVE-2015-8558

+Package: Qemu

+Score: 5.0 (Medium)

+Description: The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8558

+

+CVE-2015-7512

+Package: Qemu

+Score: 7.0 (High)

+Description: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7512

+

+CVE-2015-7295

+Package: Qemu

+Score: 5.0 (Medium)

+Description: hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7295

+

+CVE-2015-6855

+Package: Qemu

+Score: 10.0 (High)

+Description: hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6855

+

+CVE-2015-5224

+Package: util-linux

+Score: 7.5 (High)

+Description: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5224

+

+CVE-2015-5158

+Package: Qemu

+Score: 4.0 (Medium)

+Description: Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5158

+

+CVE-2015-4106

+Package: Qemu

+Score: 7.0 (High)

+Description: QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4106

+

+CVE-2015-3209

+Package: Qemu

+Score: 8.0 (High)

+Description: Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209

+

+CVE-2015-1779

+Package: Qemu

+Score: 8.0 (High)

+Description: The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1779

+

+CVE-2014-9365 

+Package: python

+Score: 5.8 (Medium)

+Description: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. 

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365 

+

+CVE-2014-7840

+Package: Qemu

+Score: 8.0 (High)

+Description: The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840

+

+CVE-2014-5388

+Package: Qemu

+Score: 5.0 (Medium)

+Description: Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5388

+

+CVE-2014-3615

+Package: Qemu

+Score: 2.0 (Low)

+Description: The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3615

+

+CVE-2009-0590

+Package: OpenSSL

+Score: 5.0 (Medium)

+Description: The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.

+Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590

+