Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Fedora
(Fedoraproject)| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-01-09 | CVE-2019-3498 | In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. | Ubuntu_linux, Debian_linux, Django, Fedora | 6.5 | ||
| 2019-01-14 | CVE-2019-6251 | WebKitGTK and WPE WebKit prior to version 2.24.1 are vulnerable to address bar spoofing upon certain JavaScript redirections. An attacker could cause malicious web content to be displayed as if for a trusted URI. This is similar to the CVE-2018-8383 issue in Microsoft Edge. | Ubuntu_linux, Fedora, Epiphany, Leap, Webkitgtk, Wpe_webkit | 8.1 | ||
| 2019-01-14 | CVE-2018-16886 | etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway. | Etcd, Fedora, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation | 8.1 | ||
| 2019-01-15 | CVE-2019-0001 | Receipt of a malformed packet on MX Series devices with dynamic vlan configuration can trigger an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (bbe-smgd), and lead to high CPU usage and a crash of the bbe-smgd service. Repeated receipt of the same packet can result in an extended denial of service condition for the device. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior... | Fedora, Junos | 7.5 | ||
| 2019-01-30 | CVE-2018-17189 | In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections. | Http_server, Ubuntu_linux, Debian_linux, Fedora, Santricity_cloud_connector, Storage_automation_store, Enterprise_manager_ops_center, Hospitality_guest_access, Instantis_enterprisetrack, Retail_xstore_point_of_service, Sun_zfs_storage_appliance_kit, Jboss_core_services | 5.3 | ||
| 2019-01-31 | CVE-2019-6109 | An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. | Ubuntu_linux, Debian_linux, Fedora, M10\-1_firmware, M10\-4_firmware, M10\-4s_firmware, M12\-1_firmware, M12\-2_firmware, M12\-2s_firmware, Element_software, Ontap_select_deploy, Storage_automation_store, Openssh, Enterprise_linux, Enterprise_linux_eus, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Scalance_x204rna_eec_firmware, Scalance_x204rna_firmware, Winscp | 6.8 | ||
| 2019-01-31 | CVE-2019-6111 | An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate... | Mina_sshd, Ubuntu_linux, Debian_linux, Fedora, Freebsd, M10\-1_firmware, M10\-4_firmware, M10\-4s_firmware, M12\-1_firmware, M12\-2_firmware, M12\-2s_firmware, Openssh, Enterprise_linux, Enterprise_linux_eus, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Scalance_x204rna_eec_firmware, Scalance_x204rna_firmware, Winscp | 5.9 | ||
| 2019-01-31 | CVE-2019-7282 | In NetKit through 0.17, rcp.c in the rcp client allows remote rsh servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. This is similar to CVE-2018-20685. | Debian_linux, Fedora, Netkit | 5.9 | ||
| 2019-02-03 | CVE-2019-7310 | In Poppler 0.73.0, a heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document, as demonstrated by pdftocairo. | Ubuntu_linux, Debian_linux, Fedora, Poppler, Enterprise_linux, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Enterprise_linux_workstation | 7.8 | ||
| 2019-02-04 | CVE-2019-1000018 | rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in allowscp permission that can result in Local command execution. This attack appear to be exploitable via An authorized SSH user with the allowscp permission. | Ubuntu_linux, Debian_linux, Fedora, Rssh | 7.8 |