Pjlantz

**Name of the Vulnerable Software and Affected Versions** Cherokee versions 0.4.27 through 1.2.104 **Description** The issue is a denial of service caused by NULL pointer dereferences. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed `Authorization` header. This header is mishandled during a `cherokee buffer add` call within `cherokee validator parse basic` or `cherokee validator parse digest` functions. **Recommendations** For Cherokee versions 0.4.27 through 1.2.104, as a temporary workaround, consider restricting access to protected resources to minimize the risk of exploitation. Avoid using malformed `Authorization` headers in HTTP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OpenDMARC versions 1.3.2 and 1.4.x through 1.4.0-Beta1 Description: The issue is related to improper null termination in the `opendmarc xml parse` function, which can result in a one-byte heap overflow in `opendmarc xml` when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '0' byte overwrites the heap metadata of the next chunk and its PREV INUSE flag. The vulnerability may allow a remote attacker to execute arbitrary code in the target system by opening a specially crafted DMARC aggregate report. Recommendations: For OpenDMARC versions 1.3.2 and 1.4.x through 1.4.0-Beta1, consider disabling the `opendmarc xml parse` function until a patch is available to prevent remote memory corruption. Restrict access to the `opendmarc xml` module to minimize the risk of exploitation. Avoid using the `opendmarc xml` module to parse DMARC aggregate reports until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Portable UPnP SDK (aka libupnp) versions 1.12.1 and earlier **Description** The issue is related to a NULL pointer dereference in the `FindServiceControlURLPath` and `FindServiceEventURLPath` functions, which can be exploited by remote attackers to cause a denial of service (crash) via a crafted SSDP message. This is due to errors in pointer handling within the library. **Recommendations** For Portable UPnP SDK (aka libupnp) versions 1.12.1 and earlier, consider disabling the `FindServiceControlURLPath` and `FindServiceEventURLPath` functions as a temporary workaround until a patch is available. Restrict access to the `genlib/service table/service table.c` module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Modoboa modoboa-dmarc plugin version 1.1.0 **Description** The issue allows for an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality. This can be achieved by referencing sensitive files within XML documents emailed to the address in the rua field of the DMARC records of a domain. **Recommendations** For Modoboa modoboa-dmarc plugin version 1.1.0, consider disabling the DMARC reporting functionality until a patch is available to prevent exploitation. Restrict access to the XML processing module to minimize the risk of denial of service attacks. Avoid using the rua field in DMARC records to receive XML documents from untrusted sources.