Fedoraproject: >> Fedora >> 31 Security Vulnerabilities
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.
CVSS Score
7.5
EPSS Score
0.064
Published
2020-08-12
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
CVSS Score
6.1
EPSS Score
0.007
Published
2020-08-12
Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-08-11
Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection.
CVSS Score
9.8
EPSS Score
0.045
Published
2020-08-11
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
CVSS Score
7.5
EPSS Score
0.772
Published
2020-08-07
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
CVSS Score
9.8
EPSS Score
0.822
Published
2020-08-07
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
CVSS Score
7.5
EPSS Score
0.37
Published
2020-08-07
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
CVSS Score
7.5
EPSS Score
0.001
Published
2020-08-06
An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.
CVSS Score
6.7
EPSS Score
0.001
Published
2020-08-05
scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.
CVSS Score
9.8
EPSS Score
0.013
Published
2020-08-05