Geeknik

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.4.9.7 **Description** An out-of-bounds read of one byte can occur when processing a malformed BEGIN cell. **Recommendations** Update to version 0.4.9.7 or later.

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.4.9.7 **Description** An out-of-bounds read occurs during cell payload processing when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload. **Recommendations** Update to version 0.4.9.7 or later.

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.4.9.7 **Description** Tor mishandles the accounting of the conflux out-of-order queue during the process of clearing a queue. **Recommendations** Update to version 0.4.9.7 or later.

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.4.9.7 **Description** A client crash can occur when circuit queue memory pressure exists due to a double close of a circuit. **Recommendations** Update to version 0.4.9.7 or later.

**Name of the Vulnerable Software and Affected Versions** Tor versions prior to 0.4.9.7 **Description** A NULL pointer dereference occurs when a CERT cell is received out of order. A NULL pointer dereference is a runtime error that happens when a program attempts to read or write to a memory address that is NULL, often leading to a crash. **Recommendations** Update to version 0.4.9.7 or later.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions 4.4.0 through 4.4.13 Mastodon versions 4.5.0 through 4.5.6 **Description** Mastodon is a free, open-source social network server based on ActivityPub. The issue relates to FASP (Federated Actor Subscription Protocol) registration, which requires administrator approval. In affected versions, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content did not properly verify administrator approval. This only impacts Mastodon servers utilizing the experimental FASP feature, enabled by setting the `EXPERIMENTAL FEATURES` environment variable to include `fasp`. An attacker can create subscriptions and request content backfill without authorization. Repeated exploitation can lead to a denial-of-service (DOS) condition by overloading the `fasp` queue worker. The issue results in a potential information leak of publicly available URIs. **Recommendations** Update to Mastodon version 4.4.14 Update to Mastodon version 4.5.7 Administrators actively testing the "fasp" feature should update their systems. Servers not using the experimental feature flag `fasp` are not affected.

**Name of the Vulnerable Software and Affected Versions** Mastodon versions 4.4.0 through 4.4.13 Mastodon versions 4.5.0 through 4.5.6 **Description** Mastodon is a free, open-source social network server based on ActivityPub. A flaw exists in FASP registration where an unauthenticated attacker can register a FASP with a chosen `base url` that points to a local or internal address. This can cause the Mastodon server to make requests to that address. This issue only impacts Mastodon servers with the experimental FASP feature enabled via the `EXPERIMENTAL FEATURES` environment variable, specifically when it includes `fasp`. An attacker can force the server to make http(s) requests to internal systems, potentially triggering vulnerabilities or undesired behavior in those systems. The attacker cannot control the complete URL or view the request results, but can influence the URL prefix. **Recommendations** Mastodon version 4.4.14 or later Mastodon version 4.5.7 or later For administrators actively testing the experimental "fasp" feature, update your systems to the latest version. Servers not using the experimental feature flag `fasp` are not affected.

**Name of the Vulnerable Software and Affected Versions** Zydis versions v3.2.0 and older **Description** Zydis is an x86/x86-64 disassembler library. Users that use the string functions provided in `zycore` to append untrusted user data to the formatter buffer within their custom formatter hooks can run into heap buffer overflows. Older versions of Zydis failed to properly initialize the string object within the formatter buffer, forgetting to initialize a few fields, leaving their value to chance. This could then in turn cause zycore functions like `ZyanStringAppend` to make incorrect calculations for the new target size, resulting in heap memory corruption. This does not affect the regular uncustomized Zydis formatter, because Zydis internally doesn't use the string functions in zycore that act upon these fields. **Recommendations** For versions v3.2.0 and older, update to version 3.2.1 or later to patch the bug. As a temporary workaround, users may refrain from using zycore string functions in their formatter hooks until updating to a patched version.

**Name of the Vulnerable Software and Affected Versions** Abe (aka bitcoin-abe) versions 0.7.2 and earlier, 0.8pre **Description** The issue allows for XSS in the ` call ` function within abe.py. This occurs because the `PATH INFO` environment variable is mishandled during a `PageNotFound` exception. **Recommendations** For versions 0.7.2 and earlier, and 0.8pre, consider restricting access to the ` call ` function in abe.py until a proper fix is applied. As a temporary workaround, avoid using the `PATH INFO` environment variable in the affected `PageNotFound` exception handling until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions 2.1.0 through 2.17.0 **Description** A cross-site scripting (XSS) issue exists in the View Filters page and Edit Filter page, allowing remote attackers to inject arbitrary code through a crafted PATH INFO, provided that the Content Security Policy (CSP) settings permit it. **Recommendations** For MantisBT versions 2.1.0 through 2.17.0, update to a version that includes a complete fix for the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tautulli version 2.1.26 **Description** The issue arises from a crafted Plex username that is mishandled when constructing the History page, leading to XSS. This occurs in the `data/interfaces/default/history.html` file. **Recommendations** For Tautulli version 2.1.26, consider restricting the use of crafted Plex usernames to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP versions 7.2.x through 7.2.7 **Description** The issue allows attackers to trigger a use-after-free in the `exif read from file` function because it closes a stream that it is not responsible for closing. This is reachable through the PHP `exif read data` function. **Recommendations** For PHP versions 7.2.x through 7.2.7, consider updating to a version where this issue is resolved, as the current version allows for a use-after-free exploit through the `exif read data` function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue is related to a buffer over-read in the PPP parser, specifically in the handle mlppp() function within print-ppp.c. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue is related to a buffer over-read in the IPv6 parser, specifically in the `ip6 print()` function within `print-ip6.c`. This could allow a remote attacker to obtain sensitive information by sending a specially crafted request. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the HNCP component until a patch is available. Avoid using the `ip6 print()` function in the affected `print-ip6.c` file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue concerns a buffer over-read in the IPv6 routing header parser. This could allow a remote attacker to obtain sensitive information by sending a specially crafted request. The buffer over-read occurs in the `rt6 print()` function within `print-rt6.c`. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `rt6 print()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue is related to a buffer over-read in the IEEE 802.11 parser, specifically in the `parse elements()` function within `print-802 11.c`. This could allow a remote attacker to obtain sensitive information by sending a specially crafted request. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `parse elements()` function in `print-802 11.c` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue concerns a buffer over-read in the IPv6 mobility parser, specifically in the `mobility print()` function within `print-mobility.c`. This could allow a remote attacker to obtain sensitive information by sending a specially crafted request. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `mobility print()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** tcpdump versions prior to 4.9.2 **Description** The issue is related to a buffer over-read in the BEEP parser, specifically in the `l strnstart()` function within `print-beep.c`. This could allow a remote attacker to obtain sensitive information by sending a specially crafted request. The HNCP component is also mentioned as being affected by a buffer overread memory issue. **Recommendations** For versions prior to 4.9.2, update to version 4.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the BEEP parser or the HNCP component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libzip (affected versions not specified) **Description** A double free vulnerability exists in the zip dirent read function in zip dirent.c, which may allow attackers to have an unspecified impact. The vectors by which this issue can be exploited are unknown. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** shoco through 2017-07-17 **Description** The issue allows remote attackers to cause a denial of service, resulting in a buffer over-read and application crash, via malformed compressed data. This is related to the `shoco decompress` function in the API. **Recommendations** For versions through 2017-07-17, consider disabling the `shoco decompress` function until a patch is available to prevent potential denial of service attacks.