Canonical Ubuntu Linux vulnerabilities

4,102 known vulnerabilities affecting canonical/ubuntu_linux.

Total CVEs: 4,102
CISA KEV: 44 actively exploited
Public exploits: 271
Exploited in wild: 54
Severity breakdown: CRITICAL 545, HIGH 1396, MEDIUM 1945, LOW 216

Vulnerabilities

CVE-2017-18206 | CRITICAL | CVSS 9.8 | v14.04, v16.04, +1 more | 2018-02-27
CVE-2017-18206 [CRITICAL] CWE-119: In utils.c in zsh before 5.4, symlink expansion had a buffer overflow.
nvd
CVE-2016-10714 | CRITICAL | CVSS 9.8 | v14.04, v16.04, +1 more | 2018-02-27
CVE-2016-10714 [CRITICAL] CWE-189: In zsh before 5.3, an off-by-one error resulted in undersized buffers that were intended to support PATH_MAX characters.
nvd
CVE-2014-10071 | CRITICAL | CVSS 9.8 | v14.04, v16.04, +1 more | 2018-02-27
CVE-2014-10071 [CRITICAL] CWE-119: In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds in the ">& fd" syntax.
nvd
CVE-2018-7549 | HIGH | CVSS 7.5 | v14.04, v16.04, +1 more | 2018-02-27
CVE-2018-7549 [HIGH] CWE-20: In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p.
nvd
CVE-2018-7492 | MEDIUM | CVSS 5.5 | v12.04, v14.04, +2 more | 2018-02-26
CVE-2018-7492 [MEDIUM] CWE-476: A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST.
nvd
CVE-2018-7480 | HIGH | CVSS 7.8 | v14.04, v16.04 | 2018-02-25
CVE-2018-7480 [HIGH] CWE-415: The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure.
nvd
CVE-2018-7456 | MEDIUM | CVSS 6.5 | v14.04, v16.04, +2 more | 2018-02-24
CVE-2018-7456 [MEDIUM]: A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CV
nvd
CVE-2018-6764 | HIGH | CVSS 7.8 | v14.04, v16.04, +1 more | 2018-02-23
CVE-2018-6764 [HIGH] CWE-346: util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module.
nvd
CVE-2018-7443 | MEDIUM | CVSS 6.5 | v14.04, v16.04, +2 more | 2018-02-23
CVE-2018-7443 [MEDIUM] CWE-770: The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-23 Q16 does not properly validate the amount of image data in a file, which allows remote attackers to cause a denial of service (memory allocation failure in the AcquireMagickMemory function in MagickCore/memory.c).
nvd
CVE-2018-1305 | MEDIUM | CVSS 6.5 | v14.04, v16.04, +2 more | 2018-02-23
CVE-2018-1305 [MEDIUM]: Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were lo
nvd
CVE-2018-7225 | CRITICAL | CVSS 9.8 | v14.04, v16.04, +1 more | 2018-02-19
CVE-2018-7225 [CRITICAL] CWE-190: An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.
nvd
CVE-2018-5379 | CRITICAL | CVSS 9.8 | v14.04, v16.04, +1 more | 2018-02-19
CVE-2018-5379 [CRITICAL] CWE-415: The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or potentially allow an attacker to execute arbitrary code.
nvd
CVE-2018-5381 | HIGH | CVSS 7.5 | v14.04, v16.04, +1 more | 2018-02-19
CVE-2018-5381 [HIGH] CWE-228: The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service.
nvd
CVE-2018-7253 | HIGH | CVSS 7.8 | v17.10 | 2018-02-19
CVE-2018-7253 [HIGH] CWE-125: The ParseDsdiffHeaderConfig function of the cli/dsdiff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (heap-based buffer over-read) or possibly overwrite the heap via a maliciously crafted DSDIFF file.
nvd
CVE-2018-5380 | MEDIUM | CVSS 4.3 | v14.04, v16.04, +1 more | 2018-02-19
CVE-2018-5380 [MEDIUM] CWE-125: The Quagga BGP daemon (bgpd) prior to version 1.2.3 can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input.
nvd
CVE-2018-5378 | MEDIUM | CVSS 5.9 | v14.04, v16.04, +1 more | 2018-02-19
CVE-2018-5378 [MEDIUM] CWE-119: The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash.
nvd
CVE-2017-18190 | HIGH | CVSS 7.5 | v14.04, v16.04 | 2018-02-16
CVE-2017-18190 [HIGH] CWE-290: A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible
nvd
CVE-2018-1049 | MEDIUM | CVSS 5.9 | v14.04, v16.04 | 2018-02-16
CVE-2018-1049 [MEDIUM] CWE-362: In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted.
nvd
CVE-2018-7053 | CRITICAL | CVSS 9.8 | v14.04, v16.04, +1 more | 2018-02-15
CVE-2018-7053 [CRITICAL] CWE-416: An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. There is a use-after-free when SASL messages are received in an unexpected order.
nvd
CVE-2018-7054 | CRITICAL | CVSS 9.8 | v14.04, v16.04, +1 more | 2018-02-15
CVE-2018-7054 [CRITICAL]: An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. There is a use-after-free when a server is disconnected during netsplits. NOTE: this issue exists because of an incomplete fix for CVE-2017-7191.
nvd