openSUSE Backports vulnerabilities

96 known vulnerabilities affecting opensuse/backports.

Total CVEs: 96
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 39, MEDIUM 49

Vulnerabilities

Page 2 of 5
CVE-2020-6445 | MEDIUM | CVSS 6.5 | vsle-15 | 2020-04-13
CWE-276: Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page.
nvd
CVE-2020-6442 | MEDIUM | CVSS 4.3 | vsle-15 | 2020-04-13
CWE-668: Inappropriate implementation in cache in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2020-10938 | CRITICAL | CVSS 9.8 | vsle-15 | 2020-03-24
CWE-190: GraphicsMagick before 1.3.35 has an integer overflow and resultant heap-based buffer overflow in HuffmanDecodeImage in magick/compress.c.
nvd
CVE-2020-10592 | HIGH | CVSS 7.5 | vsle-15 | 2020-03-23
Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (CPU consumption), aka TROVE-2020-002.
nvd
CVE-2020-6425 | MEDIUM | CVSS 5.4 | vsle-15 | 2020-03-23
CWE-20: Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.149 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension.
nvd
CVE-2020-0561 | HIGH | CVSS 7.8 | vsle-15 | 2020-02-13
CWE-665: Improper initialization in the Intel(R) SGX SDK before v2.6.100.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
nvd
CVE-2019-15613 | HIGH | CVSS 8.0 | vsle-15 | 2020-02-04
CWE-20: A bug in Nextcloud Server 17.0.1 causes the behaviour of the workflow rules to depend on the file extension when checking file mimetypes.
nvd
CVE-2019-15624 | MEDIUM | CVSS 4.9 | vsle-15 | 2020-02-04
CWE-20: Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.
nvd
CVE-2019-18899 | MEDIUM | CVSS 5.5 | vsle-15 | 2020-01-23
CWE-269: The apt-cacher-ng package of openSUSE Leap 15.1 runs operations in user owned directory /run/apt-cacher-ng with root privileges. This can allow local attackers to influence the outcome of these operations. This issue affects: openSUSE Leap 15.1 apt-cacher-ng versions prior to 3.1-lp151.3.3.1.
nvd
CVE-2020-5202 | MEDIUM | CVSS 5.5 | vsle-15 | 2020-01-21
apt-cacher-ng through 3.3 allows local users to obtain sensitive information by hijacking the hardcoded TCP port. The /usr/lib/apt-cacher-ng/acngtool program attempts to connect to apt-cacher-ng via TCP on localhost port 3142, even if the explicit SocketPath=/var/run/apt-cacher-ng/socket command-line option is passed. The cron job /etc/cron.daily/apt-cacher-n
nvd
CVE-2020-6610 | MEDIUM | CVSS 6.5 | vsle-15 | 2020-01-08
CWE-770: GNU LibreDWG 0.9.3.2564 has an attempted excessive memory allocation in read_sections_map in decode_r2007.c.
nvd
CVE-2019-20053 | MEDIUM | CVSS 5.5 | vsle-15 | 2019-12-27
CWE-119: An invalid memory address dereference was discovered in the canUnpack function in p_mach.cpp in UPX 3.95 via a crafted Mach-O file.
nvd
CVE-2019-19953 | CRITICAL | CVSS 9.1 | vsle-15 | 2019-12-24
CWE-125: In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based buffer over-read in the function EncodeImage of coders/pict.c.
nvd
CVE-2019-19950 | CRITICAL | CVSS 9.8 | vsle-15 | 2019-12-24
CWE-416: In GraphicsMagick 1.4 snapshot-20190403 Q8, there is a use-after-free in ThrowException and ThrowLoggedException of magick/error.c.
nvd
CVE-2019-19951 | CRITICAL | CVSS 9.8 | vsle-15 | 2019-12-24
CWE-787: In GraphicsMagick 1.4 snapshot-20190423 Q8, there is a heap-based buffer overflow in the function ImportRLEPixels of coders/miff.c.
nvd
CVE-2019-13730 | HIGH | CVSS 8.8 | vsle-15 | 2019-12-10
CWE-787: Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2019-5163 | HIGH | CVSS 7.5 | vsle-15 | 2019-12-03
CWE-306: An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher and a local_address, arbitrary UDP packets can cause a FATAL error code path and exit. An attacker can send arbitrary UDP packets to trigger this vulnerability.
nvd
CVE-2019-13723 | HIGH | CVSS 8.8 | vsle-15 | 2019-11-25
CWE-416: Use after free in WebBluetooth in Google Chrome prior to 78.0.3904.108 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2019-13711 | MEDIUM | CVSS 5.3 | vsle-15 | 2019-11-25
Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
nvd
CVE-2019-13707 | MEDIUM | CVSS 5.5 | vsle-15 | 2019-11-25
CWE-20: Insufficient validation of untrusted input in intents in Google Chrome on Android prior to 78.0.3904.70 allowed a local attacker to leak files via a crafted application.
nvd