eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and 2.6.5 contain a patch for this issue.

**Comments**

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Feb 7, 2023

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue eProsima#3236.

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Feb 7, 2023

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue eProsima#3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Mar 15, 2023

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

MiguelCompany pushed a commit that referenced this issue

Mar 16, 2023

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

MiguelCompany pushed a commit that referenced this issue

Mar 22, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

Co-authored-by: Seulbae Kim <squizz617@gmail.com>

MiguelCompany pushed a commit that referenced this issue

Mar 24, 2023

\* Implement a validity check for firstSN (#3274)

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

\* Refs #17717: Logging Macro fix

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>

---------

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>
Co-authored-by: Seulbae Kim <squizz617@gmail.com>
Co-authored-by: Mario Dominguez <mariodominguez@eprosima.com>

JLBuenoLopez-eProsima pushed a commit that referenced this issue

Apr 11, 2023

\* Implement a validity check for firstSN (#3274)

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

\* Refs #17717: Logging Macro fix

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>

---------

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>
Co-authored-by: Seulbae Kim <squizz617@gmail.com>
Co-authored-by: Mario Dominguez <mariodominguez@eprosima.com>

CVE-2023-39949: Assertion failure in SequenceNumber.h via malformed SPDP packet only when compiled in logging-enabled (Debug) mode · Issue #3236 · eProsima/Fast-DDS

FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.

CVE-2021-21692: Jenkins Security Advisory 2021-11-04

In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.

CentOS Web Panel or commonly known as CWP is a popular web hosting management software, used by over 200,000 unique servers, that can be found on Shodan or Census. The vulnerability chain that we used to exploit a full preauth remote command execution as root uses file inclusion (CVE-2021-45467) and file write (CVE-2021-45466) vulnerabilities. In this post we hope to cover our vulnerability research journey, and how we approached this particular target. 

**Mapping out attack surface**

After hosting CWP on a local environment it quickly became evident that most features require administrative or user accounts to perform. Since we are interested only in vulnerabilities that can be exploited without user authentication or interaction, we will avoid all the restricted sections and focus our research on parts of the panel that are exposed without authentication in the webroot. Turns out, not a lot is exposed. 

Some of the interesting pages that can be accessed without authentication are /user/loader.php and /user/index.php: had this interesting file inclusion protection method (/user/loader.php):

<?php
if(!empty($\_GET\["api"\])) {
        if (!empty($\_GET\["scripts"\])) {
            $\_GET\["scripts"\] = GETSecurity($\_GET\["scripts"\]);
            include "../../resources/admin/scripts/" . $\_GET\["scripts"\] . ".php";
        }

Where GETSecurity() is defined as the following: 

function GETSecurity($variable)
{
    if (stristr($variable, ".." ) {
        exit("hacking attempt");
    }
 }

if the parameter “scripts” contains “..” (two dots) then the application will not process the input and will instead exit with “hacking attempt” displayed to the user. 

_stristr()_ is basically the same function as strstr() in PHP except it isn’t case sensitive. Few ideas I had after looking at the code:

**Potential methods of bypassing stristr():** 

1\. Trick CWP to treat other characters as dot (.) 

2\. Find unique characters the language C processes as a dot (.) when lower cased. 

3\. Trick CWP into thinking there are no consecutive dots (..)

**1\. Trick CWP to treat other characters as a dot:**

For the first method, after fuzzing a basic unicode range, we quickly realized CWP doesn’t have any characters that it normalizes to dots. So this path wasn’t as promising as we thought it would be.

**2\. Find unique characters the language C processes as a dot when lower cased.**

The idea behind this came after wondering how stristr() does a case sensitivity check different from strstr(). PHP is written in C, so sometimes it helps to look at how the underlying functions work. And in this case, looking at php-src/ext/standard/string.c in PHP proved that stristr() is basically strstr():

PHPAPI char \*php\_stristr(char \*s, char \*t, size\_t s\_len, size\_t t\_len)
{
    zend\_str\_tolower(s, s\_len);
    zend\_str\_tolower(t, t\_len);
    return (char\*)php\_memnstr(s, t, t\_len, s + s\_len);
}

After looking at the code, you realize that the function takes any input and converts it to lowercase before it does the comparison. So, immediately we started fuzzing for unique unicode characters that when lowercased, might be converted to a dot. In javascript for example, the character “ſ” gets converted to “S” when capitalized: “ſ”.toUpperCase() => “S”. Unfortunately that didn’t yield any useful results but we did find some weird quirky behaviors worthy of future posts. 

**3\. Trick CWP into thinking there are no consecutive dots (..)**

This requires straight up fuzzing. After brainstorming a few ideas, we got this code: 

Running the above fuzzer actually got us a bypass: which is **/.%00./**

**CVE-2021-45467**

During our tests some functions in CWP (including the require() and include() functions) seem to process /**.%00./** as /**../** – Similarly, while their stristr() ignores the null bytes, it still counts its size so it bypasses the check. We aren’t exactly sure why this happens but it could be caused by a regression to their library using something like striptags()

Now using this trick it means we can include any local file on the server. We have a full file inclusion vulnerability, and if we find a way to write to a file, we can get preauth RCE. However, this next step wasn’t as straightforward as we’d like it to be, since CWP ships with interesting unix file r/w locking settings called CWP-Secure-Kernel. The server doesn’t give us easy file write or edit permissions to logs or anywhere obviously useful. 

But with our file inclusion bug, it means we can reach the restricted API section, which requires API key to access and is unreachable because it’s not exposed in the webroot. But by using our file inclusion, sending a request like the following will result in the server registering any API key we want.

GET https://CWP/user/loader.php?api=1&scripts= .%00./.%00./api/account\_new\_create&acc=guadaapi&ip=192.168.1.1&keyapi=OCTAGON 

Now we have added the api key “OCTAGON” requesting from 192.168.1.1 to have access to the full API like the following: 

GET https://CWP/api/?key=OCTAGON&api=add\_server is now a valid API request. When we reported this specific the vulnerability to CWP, their fix was adding the following code:

function GETSecurity($variable)
{

if (stristr($variable, "..") || stristr($variable, ".%00.")) {        
exit("hacking attempt");
    }
}

**Bypass:**

.%00%00%00./.%00%00%00./api/account\_new\_create lets us reach the same file, just add as many nullbytes as you like.  

**CVE-2021-45466**  

Time to find a basic file write vulnerability. This wasn’t very easy, but we found we can exploit a file write bug in the API section that lets us add to a .TXT file. For example, using our maliciously added key

https://CWP/api/?key=OCTAGON&api=add\_server&DHCP=<?=phpinfo()?>&fileFinal=/ will now write to a file called authorized\_keys located in the /resources/ folder. Next we use our first file inclusion bug to include our malicious authorized\_keys file to get full RCE.  _The file inclusion vulnerability was reported via the ZDI program and has been patched_ _in CWP, but we saw some managed to reverse the patch and exploit some servers._

So to reiterate the steps:

1.  Send a null byte powered file inclusion payload to add malicious API key 
2.  Use API key to write to a file (CVE-2021-45466)
3.  Use step #1 to include the file we just wrote into (CVE-2021-45467)
4.  Woot! 

We will release a full PoC for red teams that achieves preauth RCE once enough servers migrate to the latest version.

CVE-2021-45467: CVE-2021-45467: CWP CentOS Web Panel – preauth RCE – Blog

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.

**Release date:** July 10, 2015

**Vulnerability identifier:** APSA15-04

Priority: See table below

**CVE number**: CVE-2015-5122, CVE-2015-5123

**Platform:** Windows, Macintosh and Linux

Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  

Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.

UPDATE (July 14): Adobe recommends users update their product installations to the latest versions using the instructions provided in the "Solution" section in Security Bulletin APSB15-18.

*   Adobe Flash Player 18.0.0.203 and earlier versions for Windows and Macintosh 
*   Adobe Flash Player 18.0.0.204 and earlier versions for Linux installed with Google Chrome  
    
*   Adobe Flash Player Extended Support Release version 13.0.0.302 and earlier 13.x versions for Windows and Macintosh
*   Adobe Flash Player Extended Support Release version 11.2.202.481 and earlier 11.x versions for Linux  
    

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.   

Adobe categorizes these issues as critical vulnerabilities

Adobe would like to thank the following individuals and organizations for reporting these issues and for working with Adobe to help protect our customers:

*   Dhanesh Kizhakkinan of FireEye as well as Peter Pi of TrendMicro (CVE-2015-5122)
*   Peter Pi of TrendMicro as well as slipstream/RoL (@TheWack0lian) (CVE-2015-5123)

July 11, 2015: added information on CVE-2015-5123

July 12, 2015: added acknowledgement on CVE-2015-5123

July 14, 2015: added reference to security bulletin APSB15-18. 

August 10, 2015: added credit to TrendMicro for independently reporting CVE-2015-5122.

CVE-2015-5122: Adobe Security Bulletin

Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to 1.7.28.

@@ -214,7 +214,7 @@ public static function detectXss($string, array $options = null): ?string

'on\_events' => '#(<\[^>\]+\[\[a-z\\x00-\\x20\\"\\'\\/\])(\[\\s\\/\]on|\\sxmlns)\[a-z\].\*=>?#iUu',

  

// Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols

'invalid\_protocols' => '#(' . implode('|', array\_map('preg\_quote', $invalid\_protocols, \['#'\])) . '):\\S.\*?#iUu',

'invalid\_protocols' => '#(' . implode('|', array\_map('preg\_quote', $invalid\_protocols, \['#'\])) . ')(:|\\&\\#58)\\S.\*?#iUu',

  

// Match -moz-bindings

'moz\_binding' => '#-moz-binding\[a-z\\x00-\\x20\]\*:#u',

CVE-2022-0268: Fixed XSS check not detecting escaped `&#58` · getgrav/grav@6f2fa93

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.10.

@@ -776,14 +776,17 @@

break;

}

  

$userData = \[

'display\_name' => $userName,

'email' => $email,

'is\_visible' => $isVisible === 'on' ? 1 : 0

\];

$success = $user\->setUserData($userData);

  

if (0 !== strlen($password) && 0 !== strlen($confirm)) {

if (strlen($password) <= 7 || strlen($confirm) <= 7) {

$message = \['error' => $PMF\_LANG\['ad\_passwd\_fail'\]\];

break;

} else {

$userData = \[

'display\_name' => $userName,

'email' => $email,

'is\_visible' => $isVisible === 'on' ? 1 : 0

\];

$success = $user\->setUserData($userData);

  

foreach ($user\->getAuthContainer() as $author => $auth) {

if ($auth\->setReadOnly()) {

continue;

CVE-2023-0307: fix: added missing check on password length · thorsten/phpMyFAQ@8beed2f

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sun, 26 Sep 2021 08:52:50 -0600 (MDT)
From: Damien Miller <djm@....openbsd.org>
To: oss-security@...ts.openwall.com
Subject: Announce: OpenSSH 8.8 released

OpenSSH 8.8 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:\* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug- compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@...nssh.com" to support
this.

Security
========

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd\_config(5).

Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K \[1\]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

    Host old-host
        HostkeyAlgorithms +ssh-rsa
	PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

\[1\] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

Changes since OpenSSH 8.7
=========================

This release is motivated primarily by the above deprecation and
security fix.

New features
------------
 \* ssh(1): allow the ssh\_config(5) CanonicalizePermittedCNAMEs
   directive to accept a "none" argument to specify the default
   behaviour.

Bugfixes
--------

 \* scp(1): when using the SFTP protocol, continue transferring files
   after a transfer error occurs, better matching original scp/rcp
   behaviour.
    
 \* ssh(1): fixed a number of memory leaks in multiplexing,

 \* ssh-keygen(1): avoid crash when using the -Y find-principals
   command.

 \* A number of documentation and manual improvements, including
   bz#3340, PR#139, PR#215, PR#241, PR#257

Portability
-----------

 \* ssh-agent(1): on FreeBSD, use procctl to disable ptrace(2)

 \* ssh(1)/sshd(8): some fixes to the pselect(2) replacement
   compatibility code. bz#3345

Checksums:
==========

 - SHA1 (openssh-8.8.tar.gz) = 732947082a8998047e839cc0b4c066bf0a7e1a5b
 - SHA256 (openssh-8.8.tar.gz) = AngyrPSQH255hnzU1l7y+LlVAUNcGWtuYQIFEl22nRo=

 - SHA1 (openssh-8.8p1.tar.gz) = 1eb964897a4372f6fb96c7effeb509ec71c379c9
 - SHA256 (openssh-8.8p1.tar.gz) = RZCJDqm7ms5Pca4zF4WjpYIyMkNRYZYO1fyGWI8zH+k=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE\_KEY.asc

Please note that the OpenPGP key used to sign releases has been
rotated for this release. The new key has been signed by the previous
key to provide continuity.

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@...nssh.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2021-41617: security - Announce: OpenSSH 8.8 released

libfreerdp/codec/planar.c in FreeRDP version > 1.0 through 2.0.0-rc4 has an Out-of-bounds Write.

**Commits on Apr 26, 2022**

**Commits on Apr 25, 2022**

**Commits on Apr 23, 2022**

**Commits on Apr 22, 2022**

**Commits on Apr 21, 2022**

**Commits on Apr 20, 2022**

**Commits on Apr 19, 2022**

2.  Logging and parser fixes (#7796)
    
    \* Fixed remdesk settings pointer
    
    \* Fixed sign warnings in display\_write\_monitor\_layout\_pdu
    
    \* Use freerdp\_abort\_connect\_context and freerdp\_shall\_disconnect\_context
    
    \* Added and updates settings
    
    \* info assert/dynamic timezone
    
    \* mcs assert/log/flags
    
    \* Fixed and added assertions for wStream
    
    \* Unified stream length checks
    
    \* Added new function to check for lenght and log
    \* Replace all usages with this new function
    
    \* Cleaned up PER, added parser logging
    
    \* Cleaned up BER, added parser logging
    
    \* log messages
    
    \* Modified Stream\_CheckAndLogRequiredLengthEx
    
    \* Allow custom format and options
    \* Add Stream\_CheckAndLogRequiredLengthExVa for prepared va\_list
    
    \* Improved Stream\_CheckAndLogRequiredLength
    
    \* Now have log level adjustable
    \* Added function equivalents for existing logger
    \* Added a backtrace in case of a failure is detected
    
    \* Fixed public API input checks
    
    ![@akallabeth](https://avatars.githubusercontent.com/u/3472254?s=40&v=4)
    

**Commits on Apr 15, 2022**

**Commits on Apr 13, 2022**

1.  Fix #7793: Do not expose internal input API (#7794)
    
    \* Fixed GetFileInformationByHandle initializers
    
    \* Fix #7793: Do not expose internal input API
    
    Slow-Path input uses UINT16 for scancodes on wire, but only the
    lower byte is actually used. (the extended fields are sent in
    keyboardFlags field)
    Hide this implementation detail and adjust the API to use UINT8
    for the code instead just like the corresponding Fast-Path PDU
    
    \* Added a warning for problematic slow path keyCodes
    
    ![@akallabeth](https://avatars.githubusercontent.com/u/3472254?s=40&v=4)
    

**Commits on Apr 12, 2022**

1.  proxy: correctly use the RemoteApp flag
    
    The flag was forcing the remoteApp usage when set, while all the other equivalent
    flags just enable the feature. This patch fixes that, so now setting RemoteApp = TRUE
    just enables the front client to do remoteApps.
    
     ![@hardening](https://avatars.githubusercontent.com/u/3237998?s=40&v=4)![@akallabeth](https://avatars.githubusercontent.com/u/3472254?s=40&v=4)
    

**Commits on Apr 10, 2022**

**Commits on Apr 8, 2022**

**Commits on Apr 7, 2022**

1.  Switch to official OpenSSL Download location and away from github.
    
    One of the benefits is that this adds support for building with OpenSSL 3.0 versions without breaking support for building with 1.1.1.
    
    As part of the work, the assumption that there is an /archive/ in the download path is removed.
    
    Furthermore, cmake modules for finding OpenSSL are updated in order to support 3.0.
    
     ![@iiordanov](https://avatars.githubusercontent.com/u/1421911?s=40&v=4)![@akallabeth](https://avatars.githubusercontent.com/u/3472254?s=40&v=4)
    

**Commits on Apr 6, 2022**

CVE-2020-11521: Commits · FreeRDP/FreeRDP

Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969.

@@ -622,6 +622,31 @@ check\_cursor(void) check\_cursor\_col(); }  
/\* \* Check if VIsual position is valid, correct it if not. \* Can be called when in Visual mode and a change has been made. \*/ void check\_visual\_pos(void) { if (VIsual.lnum > curbuf->b\_ml.ml\_line\_count) { VIsual.lnum = curbuf->b\_ml.ml\_line\_count; VIsual.col = 0; VIsual.coladd = 0; } else { int len = (int)STRLEN(ml\_get(VIsual.lnum));  
if (VIsual.col > len) { VIsual.col = len; VIsual.coladd = 0; } } }  
#if defined(FEAT\_TEXTOBJ) || defined(PROTO) /\* \* Make sure curwin->w\_cursor is not on the NUL at the end of the line. @@ -2416,7 +2441,7 @@ get\_user\_name(char\_u \*buf, int len) return OK; }  
#if defined(EXITFREE) || defined(PROTOS) #if defined(EXITFREE) || defined(PROTO) /\* \* Free the memory allocated by get\_user\_name() \*/

CVE-2022-1735: patch 8.2.4969: changing text in Visual mode may cause invalid memory… · vim/vim@7ce5b2b

An issue was discovered in DTS Monitoring 3.57.0. The parameter common_name within the SSL Certificate check function is vulnerable to OS command injection (blind).

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Search

lenovo warranty check/lookup | check warranty status | lenovo support us