Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ubuntu_linux
(Canonical)Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2020-09-02 | CVE-2020-24654 | In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can install files outside the extraction directory, as demonstrated by a write operation to a user's home directory. | Ubuntu_linux, Debian_linux, Fedora, Ark, Leap | 3.3 | ||
2020-09-04 | CVE-2020-24659 | An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure. | Ubuntu_linux, Fedora, Gnutls, Leap | 7.5 | ||
2020-09-09 | CVE-2020-25219 | url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion. | Ubuntu_linux, Debian_linux, Fedora, Libproxy, Leap | 7.5 | ||
2020-09-15 | CVE-2020-8927 | A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits. | Ubuntu_linux, Debian_linux, Fedora, Brotli, \.net, \.net_core, Powershell, Visual_studio_2019, Visual_studio_2022, Leap | 6.5 | ||
2020-09-15 | CVE-2020-14314 | A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability. | Ubuntu_linux, Debian_linux, Linux_kernel, Starwind_virtual_san | 5.5 | ||
2020-09-15 | CVE-2020-14385 | A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability. | Ubuntu_linux, Debian_linux, Linux_kernel | 5.5 | ||
2020-09-16 | CVE-2020-14392 | An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's availability. | Ubuntu_linux, Debian_linux, Fedora, Leap, Database_interface | 5.5 | ||
2020-09-16 | CVE-2020-14382 | A vulnerability was found in upstream release cryptsetup-2.2.0 where, there's a bug in LUKS2 format validation code, that is effectively invoked on every device/image presenting itself as LUKS2 container. The bug is in segments validation code in file 'lib/luks2/luks2_json_metadata.c' in function hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj) where the code does not check for possible overflow on memory allocation used for intervals array (see statement "intervals =... | Ubuntu_linux, Cryptsetup, Fedora, Enterprise_linux | 7.8 | ||
2020-09-17 | CVE-2019-20919 | An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference. | Ubuntu_linux, Debian_linux, Fedora, Leap, Dbi | 4.7 | ||
2020-09-27 | CVE-2020-26116 | http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. | Ubuntu_linux, Debian_linux, Fedora, Hci_compute_node, Hci_storage_node, Solidfire, Leap, Zfs_storage_appliance_kit, Python | 7.2 |