Debian: >> Debian Linux Security Vulnerabilities
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).
CVSS Score
4.4
EPSS Score
0.006
Published
2021-11-11
In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. This can be used to effectively stall validation. While Routinator has a configurable time-out value for RRDP connections, this time-out was only applied to individual read or write operations rather than the complete request. Thus, if an RRDP repository sends a little bit of data before that time-out expired, it can continuously extend the time it takes for the request to finish. Since validation will only continue once the update of an RRDP repository has concluded, this delay will cause validation to stall, leading to Routinator continuing to serve the old data set or, if in the initial validation run directly after starting, never serve any data at all.
CVSS Score
7.5
EPSS Score
0.004
Published
2021-11-09
NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP repositories. This encoding can be used by an RRDP repository to cause an out-of-memory crash in these versions of Routinator. RRDP uses XML which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, leading to very small compressed files that become huge when being decompressed for further processing, big enough that Routinator runs out of memory when parsing input data waiting for the next XML element.
CVSS Score
7.5
EPSS Score
0.007
Published
2021-11-09
FORT Validator versions prior to 1.5.2 will crash if an RPKI CA publishes an X.509 EE certificate. This will lead to RTR clients such as BGP routers to lose access to the RPKI VRP data set, effectively disabling Route Origin Validation.
CVSS Score
7.5
EPSS Score
0.006
Published
2021-11-09
ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
CVSS Score
7.5
EPSS Score
0.009
Published
2021-11-08
OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-11-05
vim is vulnerable to Heap-based Buffer Overflow
CVSS Score
7.3
EPSS Score
0.002
Published
2021-11-05
vim is vulnerable to Use of Uninitialized Variable
CVSS Score
7.3
EPSS Score
0.0
Published
2021-11-05
An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.
CVSS Score
9.1
EPSS Score
0.002
Published
2021-11-04
An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.
CVSS Score
5.5
EPSS Score
0.0
Published
2021-11-04