Debian >> Debian Linux >> 8.0 Security Vulnerabilities
An issue was discovered in dhclient 4.3.1-6 due to an embedded path variable.
CVSS Score: 8.1; EPSS Score: 0.024; Published: 2019-11-27
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
CVSS Score: 6.1; EPSS Score: 0.055; Published: 2019-11-27
The Linux kernel CIFS implementation, version 4.9.0, is vulnerable to a relative paths injection in directory entry lists.
CVSS Score: 8.0; EPSS Score: 0.005; Published: 2019-11-27
A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in the Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or possibly execute arbitrary code when the lbs_ibss_join_existing function is called after a STA connects to an AP.
CVSS Score: 7.8; EPSS Score: 0.026; Published: 2019-11-27
lilo-uuid-diskid causes lilo.conf to be world-readable in lilo 23.1.
CVSS Score: 4.3; EPSS Score: 0.003; Published: 2019-11-26
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction with PDO_MySql in PHP before 5.3.6.
CVSS Score: 9.8; EPSS Score: 0.154; Published: 2019-11-26
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
CVSS Score: 7.5; EPSS Score: 0.005; Published: 2019-11-26
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
CVSS Score: 5.3; EPSS Score: 0.005; Published: 2019-11-26
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
CVSS Score: 8.1; EPSS Score: 0.016; Published: 2019-11-26
An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.
CVSS Score: 7.5; EPSS Score: 0.243; Published: 2019-11-26