Geeknik

**Nome do Software Vulnerável e Versões Afetadas** Tor versões anteriores a 0.4.9.7 **Descrição** Uma leitura fora dos limites (out-of-bounds read) de um byte pode ocorrer ao processar uma célula BEGIN malformada. **Recomendações** Atualize para a versão 0.4.9.7 ou posterior.

**Nome do Software Vulnerável e Versões Afetadas** Tor versões anteriores a 0.4.9.7 **Descrição** Ocorre uma leitura fora dos limites (out-of-bounds read) durante o processamento do payload de células quando uma célula END, TRUNCATE ou TRUNCATED não possui um motivo em seu payload. **Recomendações** Atualize para a versão 0.4.9.7 ou posterior.

**Nome do Software Vulnerável e Versões Afetadas** Tor versões anteriores a 0.4.9.7 **Description** O Tor manipula incorretamente a contabilização da fila de ordem incorreta (out-of-order queue) do conflux durante o processo de limpeza de uma fila. **Recommendations** Atualize para a versão 0.4.9.7 ou posterior.

**Nome do Software Vulnerável e Versões Afetadas** Tor versões anteriores a 0.4.9.7 **Descrição** Uma falha no cliente pode ocorrer quando existe pressão de memória na fila de circuitos devido ao fechamento duplo de um circuito. **Recomendações** Atualize para a versão 0.4.9.7 ou posterior.

**Nome do Software Vulnerável e Versões Afetadas** Tor versões anteriores a 0.4.9.7 **Descrição** Ocorre uma desreferência de ponteiro NULL quando uma célula CERT é recebida fora de ordem. Uma desreferência de ponteiro NULL é um erro de tempo de execução que acontece quando um programa tenta ler ou escrever em um endereço de memória que é NULL, frequentemente levando ao travamento do sistema. **Recomendações** Atualize para a versão 0.4.9.7 ou posterior.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions 4.4.0 through 4.4.13 Mastodon versions 4.5.0 through 4.5.6 **Description** Mastodon is a free, open-source social network server based on ActivityPub. The issue relates to FASP (Federated Actor Subscription Protocol) registration, which requires administrator approval. In affected versions, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not properly verify administrator approval. This only impacts Mastodon servers utilizing the experimental FASP feature, enabled by setting the `EXPERIMENTAL FEATURES` environment variable to include `fasp`. An attacker can create subscriptions and request content backfill without authorization. Repeated exploitation can lead to a denial-of-service (DOS) condition by overloading the `fasp` queue worker. The issue results in a potential information leak of publicly available URIs. **Recommendations** Update to Mastodon version 4.4.14 Update to Mastodon version 4.5.7 Administrators actively testing the "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions 4.4.0 through 4.4.13 Mastodon versions 4.5.0 through 4.5.6 **Description** Mastodon is a free, open-source social network server based on ActivityPub. A flaw exists in FASP registration where an unauthenticated attacker can register a FASP with a chosen `base url` that points to a local or internal address. This can cause the Mastodon server to make requests to that address. This issue only impacts Mastodon servers with the experimental FASP feature enabled via the `EXPERIMENTAL FEATURES` environment variable, specifically when it includes `fasp`. An attacker can force the server to make http(s) requests to internal systems, potentially triggering vulnerabilities or undesired behavior in those systems. The attacker cannot control the complete URL or view the request results, but can influence the URL prefix. **Recommendations** Mastodon version 4.4.14 or later Mastodon version 4.5.7 or later For administrators actively testing the experimental "fasp" feature, update your systems to the latest version. Servers not using the experimental feature flag `fasp` are not affected.

**Nome do software vulnerável e versões afetadas** Versões do Zydis v3.2.0 e anteriores **Descrição** O Zydis é uma biblioteca de desmontador para x86/x86-64. Usuários que utilizam as funções de string fornecidas no `zycore` para anexar dados de usuário não confiáveis ao buffer do formatador dentro de seus ganchos de formatador personalizados podem sofrer estouros de buffer de heap. Versões mais antigas do Zydis não inicializavam corretamente o objeto string dentro do buffer do formatador, esquecendo-se de inicializar alguns campos, deixando seus valores à mercê do acaso. Isso, por sua vez, poderia fazer com que funções do zycore como `ZyanStringAppend` fizessem cálculos incorretos para o novo tamanho de destino, resultando em corrupção da memória do heap. Isso não afeta o formatador Zydis padrão não personalizado, pois o Zydis internamente não usa as funções de string do zycore que atuam sobre esses campos. **Recomendações** Para as versões v3.2.0 e anteriores, atualize para a versão 3.2.1 ou posterior para corrigir o bug. Como solução temporária, os usuários podem evitar o uso das funções de string do zycore em seus ganchos de formatador até atualizarem para uma versão corrigida.

**Nome do software vulnerável e versões afetadas** Abe (também conhecido como bitcoin-abe) versões 0.7.2 e anteriores, 0.8pre **Descrição** A vulnerabilidade permite um ataque XSS na função ` call ` dentro do arquivo abe.py. Isso ocorre porque a variável de ambiente `PATH INFO` é tratada incorretamente durante uma exceção `PageNotFound`. **Recomendações** Para as versões 0.7.2 e anteriores, e 0.8pre, considere restringir o acesso à função ` call ` no abe.py até que uma correção adequada seja aplicada. Como solução temporária, evite usar a variável de ambiente `PATH INFO` no tratamento da exceção `PageNotFound` afetada até que o problema seja resolvido.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions 2.1.0 through 2.17.0 **Description** A cross-site scripting (XSS) issue exists in the View Filters page and Edit Filter page, allowing remote attackers to inject arbitrary code through a crafted PATH INFO, provided that the Content Security Policy (CSP) settings permit it. **Recommendations** For MantisBT versions 2.1.0 through 2.17.0, update to a version that includes a complete fix for the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tautulli version 2.1.26 **Description** The issue arises from a crafted Plex username that is mishandled when constructing the History page, leading to XSS. This occurs in the `data/interfaces/default/history.html` file. **Recommendations** For Tautulli version 2.1.26, consider restricting the use of crafted Plex usernames to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP versions 7.2.x through 7.2.7 **Description** The issue allows attackers to trigger a use-after-free in the `exif read from file` function because it closes a stream that it is not responsible for closing. This is reachable through the PHP `exif read data` function. **Recommendations** For PHP versions 7.2.x through 7.2.7, consider updating to a version where this issue is resolved, as the current version allows for a use-after-free exploit through the `exif read data` function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue is related to a buffer over-read in the PPP parser, specifically in the handle mlppp() function within print-ppp.c. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue is related to a buffer over-read in the IPv6 parser, specifically in the `ip6 print()` function within `print-ip6.c`. This could allow a remote attacker to obtain sensitive information by sending a specially crafted request. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the HNCP component until a patch is available. Avoid using the `ip6 print()` function in the affected `print-ip6.c` file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue concerns a buffer over-read in the IPv6 routing header parser. This could allow a remote attacker to obtain sensitive information by sending a specially crafted request. The buffer over-read occurs in the `rt6 print()` function within `print-rt6.c`. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `rt6 print()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue is related to a buffer over-read in the IEEE 802.11 parser, specifically in the `parse elements()` function within `print-802 11.c`. This could allow a remote attacker to obtain sensitive information by sending a specially crafted request. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `parse elements()` function in `print-802 11.c` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue concerns a buffer over-read in the IPv6 mobility parser, specifically in the `mobility print()` function within `print-mobility.c`. This could allow a remote attacker to obtain sensitive information by sending a specially crafted request. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `mobility print()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue is related to a buffer over-read in the BEEP parser, specifically in the `l strnstart()` function within `print-beep.c`. This could allow a remote attacker to obtain sensitive information by sending a specially crafted request. The HNCP component is also mentioned as being affected by a buffer overread memory issue. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the BEEP parser or the HNCP component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libzip (affected versions not specified) **Description** A double free vulnerability exists in the zip dirent read function in zip dirent.c, which may allow attackers to have an unspecified impact. The vectors by which this issue can be exploited are unknown. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** shoco through 2017-07-17 **Description** The issue allows remote attackers to cause a denial of service, resulting in a buffer over-read and application crash, via malformed compressed data. This is related to the `shoco decompress` function in the API. **Recommendations** For versions through 2017-07-17, consider disabling the `shoco decompress` function until a patch is available to prevent potential denial of service attacks.