MSRC CBL Mariner 1.0 ARM vulnerabilities

808 known vulnerabilities affecting msrc/cbl_mariner_1.0_arm.

Total CVEs: 808
CISA KEV: 2 (actively exploited)
Public exploits: 17
Exploited in wild: 1
Severity breakdown: CRITICAL 40, HIGH 349, MEDIUM 383, LOW 36

Vulnerabilities

Page 39 of 41
CVE-2017-14992 | MEDIUM | CVSS 6.5 | 2017-11-14
CVE-2017-14992 [MEDIUM] CWE-20 Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0 and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing. FAQ:
msrc
CVE-2015-7504 | HIGH | CVSS 8.8 | 2017-10-10
CVE-2015-7504 [HIGH] CWE-787 Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. FAQ: Is Azure Linux the only Mic
msrc
CVE-2017-1000118 | HIGH | CVSS 7.5 | 2017-10-10
CVE-2017-1000118 [HIGH] Akka HTTP versions <= 10.0.5 Illegal Media Range in Accept Header Causes StackOverflowError Leading to Denial of Service. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source librar
msrc
CVE-2014-0047 | HIGH | CVSS 7.8 | 2017-10-10
CVE-2014-0047 [HIGH] Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to dat
msrc
CVE-2017-1000256 | HIGH | CVSS 8.1 | 2017-10-10
CVE-2017-1000256 [HIGH] CWE-295 libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library
msrc
CVE-2017-14245 | HIGH | CVSS 8.1 | 2017-09-12
CVE-2017-14245 [HIGH] CWE-125 An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values. FAQ: Is Azure Linux the only Microsoft product that incl
msrc
CVE-2017-14167 | HIGH | CVSS 8.8 | 2017-09-12
CVE-2017-14167 [HIGH] CWE-190 Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write. FAQ: Is Azure Linux
msrc
CVE-2017-14246 | HIGH | CVSS 8.1 | 2017-09-12
CVE-2017-14246 [HIGH] CWE-125 An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values. FAQ: Is Azure Linux the only Microsoft product that incl
msrc
CVE-2017-14634 | MEDIUM | CVSS 6.5 | 2017-09-12
CVE-2017-14634 [MEDIUM] CWE-369 In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the m
msrc
CVE-2017-12562 | CRITICAL | CVSS 9.8 | 2017-08-08
CVE-2017-12562 [CRITICAL] CWE-119 Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. FAQ: Is Azure Linux the only Microsoft prod
msrc
CVE-2017-6892 | HIGH | CVSS 8.8 | 2017-06-13
CVE-2017-6892 [HIGH] CWE-119 In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" function (aiff.c) can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore pot
msrc
CVE-2017-8244 | HIGH | CVSS 7.0 | 2017-05-09
CVE-2017-8244 [HIGH] CWE-362 In core_info_read and inst_info_read in all Android releases from CAF using the Linux kernel, variable "dbg_buf", "dbg_buf->curr" and "dbg_buf->filled_size" could be modified by different threads at the same time, but they are not protected with mutex or locks. Buffer over
msrc
CVE-2017-8245 | HIGH | CVSS 7.8 | 2017-05-09
CVE-2017-8245 [HIGH] CWE-119 In all Android releases from CAF using the Linux kernel, while processing a voice SVC request which is nonstandard by specifying a payload size that will overflow its own declared size, an out of bounds memory copy occurs. FAQ: Is Azure Linux the only Microsoft product t
msrc
CVE-2017-8246 | HIGH | CVSS 7.8 | 2017-05-09
CVE-2017-8246 [HIGH] CWE-416 In function msm_pcm_playback_close() in all Android releases from CAF using the Linux kernel, prtd is assigned substream->runtime->private_data. Later, prtd is freed. However, prtd is not sanitized and set to NULL, resulting in a dangling pointer. There are other functions
msrc
CVE-2017-8361 | HIGH | CVSS 8.8 | 2017-04-11
CVE-2017-8361 [HIGH] CWE-119 The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file. FAQ: Is Azure Linux the only Microsoft product
msrc
CVE-2017-3610 | HIGH | CVSS 7.0 | 2017-04-11
CVE-2017-3610 [HIGH] Vulnerability in the Data Store component of Oracle Berkeley DB. The supported version that is affected is Prior to 6.2.32. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Data Store executes to compromise Data Store. Su
msrc
CVE-2017-3611 | HIGH | CVSS 7.0 | 2017-04-11
CVE-2017-3611 [HIGH] Vulnerability in the Data Store component of Oracle Berkeley DB. The supported version that is affected is Prior to 6.2.32. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Data Store executes to compromise Data Store. Su
msrc
CVE-2017-3612 | HIGH | CVSS 7.0 | 2017-04-11
CVE-2017-3612 [HIGH] Vulnerability in the Data Store component of Oracle Berkeley DB. The supported version that is affected is Prior to 6.2.32. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Data Store executes to compromise Data Store. Su
msrc
CVE-2017-3613 | HIGH | CVSS 7.0 | 2017-04-11
CVE-2017-3613 [HIGH] Vulnerability in the Data Store component of Oracle Berkeley DB. The supported version that is affected is Prior to 6.2.32. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Data Store executes to compromise Data Store. Su
msrc
CVE-2017-3617 | HIGH | CVSS 7.0 | 2017-04-11
CVE-2017-3617 [HIGH] Vulnerability in the Data Store component of Oracle Berkeley DB. The supported version that is affected is Prior to 6.2.32. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Data Store executes to compromise Data Store. Su
msrc