Details: https://nvd.nist.gov/vuln/detail/CVE-2021-47865
This CVE was opened based on a 5 years old Github issue[1], and has been made
public recently. The CVE wasn't officially disputed (yet?), but based on
the description and the given PoC the application is working as expected.
The vulnerability description and the PoC basically configures proftpd to
accept maximum x connections, and then when the user tries to open x + 1
concurrent connections, it refuses new connections over the configured limit.
See also discussion in the Github issue.
It seems that it won't be fixed, because there is nothing to fix.
[1]: https://github.com/proftpd/proftpd/issues/1298
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2003-0887
The vulnerability is about the default (example) configurations,
which place cache files into the /tmp folder, that is world-writeable.
The recommendation would be to place them to a more secure folder.
The recipe however does not install these example configurations,
and as such it is not vulnerable either.
Just to make sure, patch these folders to a non-tmp folder
(and also install that folder, empty).
Some more discussion about the vulnerability:
https://bugzilla.suse.com/show_bug.cgi?id=48161
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 0080dd7973)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Within tcpreplay's tcprewrite, a double free vulnerability has been identified
in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c.
This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly invokes
the cleanup routine multiple times on the same memory region. By supplying a
specifically crafted pcap file to the tcprewrite binary, a local attacker can
exploit this flaw to cause a Denial of Service (DoS) via memory corruption.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been
discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is
also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND
configured to send ECS information along with queries to upstream name servers
CVE: CVE-2025-5994
Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Release Notes:
- CVE-2024-23184: A large number of address headers in email resulted
in excessive CPU usage.
- CVE-2024-23185: Abnormally large email headers are now truncated or
discarded, with a limit of 10MB on a single header and 50MB for all
the headers of all the parts of an email.
- oauth2: Dovecot would send client_id and client_secret as POST parameters
to introspection server. These need to be optionally in Basic auth
instead as required by OIDC specification.
- oauth2: JWT key type check was too strict.
- oauth2: JWT token audience was not validated against client_id as
required by OIDC specification.
- oauth2: XOAUTH2 and OAUTHBEARER mechanisms were not giving out
protocol specific error message on all errors. This broke OIDC discovery.
- oauth2: JWT aud validation was not performed if aud was missing
from token, but was configured on Dovecot.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2.
The impacted element is the function untrunc_packet of the file
src/tcpedit/edit_packet.c of the component tcprewrite. Executing
manipulation can lead to use after free. It is possible to launch
the attack on the local host. The exploit has been publicly disclosed
and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da.
Applying a patch is advised to resolve this issue.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 0538af085a)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
CVE-2025-47917 is that the function mbedtls_x509_string_to_names() takes
a head argument and performs a deep free() on it.
Backport patch to fix CVE-2025-47917 and drop the modification in doc
file and comment in header file which lack of context.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The recipe splits python code to nftables-python package, however
setuptools classes add the dependency to main package.
Since nftables-python package already has python3-core explicit
dependency, remove it from the main package.
(From meta-openembedded rev: 331126a6d0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
CVE-2024-55553:
In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size
of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes.
An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by causing
more than this number of updates during an update interval (usually 30 minutes).
Additionally, this effect regularly occurs organically. Furthermore, an attacker can use this
to trigger route validation continuously. Given that routers with large full tables may need
more than 30 minutes to fully re-validate the table, continuous issuance/withdrawal of large numbers
of ROA may be used to impact the route handling performance of all FRR instances using RPKI globally.
Additionally, the re-validation will cause heightened BMP traffic to ingestors.
Fixed Versions: 10.0.3, 10.1.2, 10.2.1, >= 10.3.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-55553]
Upstream patches:
[https://github.com/FRRouting/frr/commit/b0800bfdf04b4fcf48504737ebfe4ba7f05268d3]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Pick commit mentioned in NVD CVE report.
Conflict in src/errorpage.cc resolved per patch from Debian bookworm.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This ancient CVE [1] is unversioned ("*") in NVD DB.
"mod_sqlpw module in ProFTPD does not reset a cached password..."
Looking at history and changelog, the module was removed [2] around
the time when this CVE was published, likely as reaction to this CVE.
"mod_sqlpw.c, mod_mysql.c and mod_pgsql.c have been REMOVED from the
distribution. They are currently unmaintained and have numerous bugs."
Note: It was later re-introduced as mod_sql when it got fixed under
new maintainer.
[1] https://nvd.nist.gov/vuln/detail/CVE-2001-0027
[2] https://github.com/proftpd/proftpd/blob/v1.3.8b/NEWS#L3362
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 03a1b56bc7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Gyorgy Sarvari
Hitendra Prajapati
Archana Polampalli
Ankur Tyagi
Wang Mingyu
Jackson
Naman Jain
Peter Marko
Khem Raj
Kai Kang
Vijay Anusuri
Zhang Peng