openSUSE Leap vulnerabilities

1,896 known vulnerabilities affecting opensuse/leap.

Total CVEs: 1,896
CISA KEV: 18 (actively exploited)
Public exploits: 57
Exploited in wild: 19
Severity breakdown: CRITICAL 202, HIGH 798, MEDIUM 803, LOW 93

Vulnerabilities

CVE-2019-7396 | HIGH | CVSS 7.5 | v15.0 | 2019-02-05
CVE-2019-7396 [HIGH] CWE-401: In ImageMagick before 7.0.8-25, a memory leak exists in ReadSIXELImage in coders/sixel.c.
nvd
CVE-2019-7398 | HIGH | CVSS 7.5 | v15.0 | 2019-02-05
CVE-2019-7398 [HIGH] CWE-401: In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
nvd
CVE-2019-7395 | HIGH | CVSS 7.5 | v15.0 | 2019-02-05
CVE-2019-7395 [HIGH] CWE-401: In ImageMagick before 7.0.8-25, a memory leak exists in WritePSDChannel in coders/psd.c.
nvd
CVE-2019-7397 | HIGH | CVSS 7.5 | v15.0 | 2019-02-05
CVE-2019-7397 [HIGH] CWE-401: In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
nvd
CVE-2018-18506 | MEDIUM | CVSS 5.9 | v15.0, v42.3 | 2019-02-05
CVE-2018-18506 [MEDIUM]: When proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attack
nvd
CVE-2019-1000020 | MEDIUM | CVSS 6.5 | v15.0 | 2019-02-04
CVE-2019-1000020 [MEDIUM] CWE-835: libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploi
nvd
CVE-2019-7317 | MEDIUM | CVSS 5.3 | v15.0, v15.1, +1 more | 2019-02-04
CVE-2019-7317 [MEDIUM] CWE-416: png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
nvd
CVE-2019-1000019 | MEDIUM | CVSS 6.5 | v15.0 | 2019-02-04
CVE-2019-1000019 [MEDIUM] CWE-125: libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially
nvd
CVE-2019-7308 | MEDIUM | CVSS 5.6 | v15.0 | 2019-02-01
CVE-2019-7308 [MEDIUM] CWE-189: kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.
nvd
CVE-2019-6438 | CRITICAL | CVSS 9.8 | v15.0 | 2019-01-31
CVE-2019-6438 [CRITICAL]: SchedMD Slurm before 17.11.13 and 18.x before 18.08.5 mishandles 32-bit systems.
nvd
CVE-2019-7150 | MEDIUM | CVSS 5.5 | v15.0, v15.1 | 2019-01-29
CVE-2019-7150 [MEDIUM] CWE-125: An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.
nvd
CVE-2019-3819 | MEDIUM | CVSS 4.4 | v15.0 | 2019-01-25
CVE-2019-3819 [MEDIUM] CWE-835: A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ("root") can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable.
nvd
CVE-2019-6486 | HIGH | CVSS 8.2 | v15.0 | 2019-01-24
CVE-2019-6486 [HIGH] CWE-770: Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
nvd
CVE-2016-10739 | MEDIUM | CVSS 5.3 | v15.0 | 2019-01-21
CVE-2016-10739 [MEDIUM] CWE-20: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially d
nvd
CVE-2018-5740 | HIGH | CVSS 7.5 | v15.0, v15.1, +1 more | 2019-01-16
CVE-2018-5740 [HIGH] CWE-617: "deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND
nvd
CVE-2019-2422 | LOW | CVSS 3.1 | v15.0, v42.3 | 2019-01-16
CVE-2019-2422 [LOW]: Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction fr
nvd
CVE-2019-2426 | LOW | CVSS 3.7 | v42.3 | 2019-01-16
CVE-2019-2426 [LOW]: Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can r
nvd
CVE-2019-3811 | MEDIUM | CVSS 5.2 | v15.0, v42.3 | 2019-01-15
CVE-2019-3811 [MEDIUM] CWE-200: A vulnerability was found in sssd. If a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot() etc. All versions before 2.1 are vulnerable.
nvd
CVE-2018-14662 | MEDIUM | CVSS 5.7 | v15.0 | 2019-01-15
CVE-2018-14662 [MEDIUM] CWE-285: It was found in Ceph versions before 13.2.4 that authenticated ceph users with read only permissions could steal dm-crypt encryption keys used in ceph disk encryption.
nvd
CVE-2018-16846 | MEDIUM | CVSS 6.5 | v15.0 | 2019-01-15
CVE-2018-16846 [MEDIUM] CWE-770: It was found in Ceph versions before 13.2.4 that authenticated ceph RGW users can cause a denial of service against OMAPs holding bucket indices.
nvd