Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Debian Subscribe
Total 8236 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-7652 2 Debian, Eclipse 2 Debian Linux, Mosquitto 2019-10-09 6.0 MEDIUM 7.5 HIGH
In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.
CVE-2017-2640 3 Debian, Pidgin, Redhat 7 Debian Linux, Pidgin, Enterprise Linux Desktop and 4 more 2019-10-09 7.5 HIGH 9.8 CRITICAL
An out-of-bounds write flaw was found in the way Pidgin before 2.12.0 processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process.
CVE-2017-2666 2 Debian, Redhat 4 Debian Linux, Enterprise Linux, Jboss Enterprise Application Platform and 1 more 2019-10-09 6.4 MEDIUM 6.5 MEDIUM
It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
CVE-2017-2669 2 Debian, Dovecot 2 Debian Linux, Dovecot 2019-10-09 5.0 MEDIUM 7.5 HIGH
Dovecot before version 2.2.29 is vulnerable to a denial of service. When 'dict' passdb and userdb were used for user authentication, the username sent by the IMAP/POP3 client was sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart), or excessive CPU usage causing all authentications to hang.
CVE-2017-2670 2 Debian, Redhat 4 Debian Linux, Enterprise Linux, Jboss Enterprise Application Platform and 1 more 2019-10-09 5.0 MEDIUM 7.5 HIGH
It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS.
CVE-2017-3135 4 Debian, Isc, Netapp and 1 more 10 Debian Linux, Bind, Data Ontap Edge and 7 more 2019-10-09 4.3 MEDIUM 5.9 MEDIUM
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1.
CVE-2017-3137 4 Debian, Isc, Netapp and 1 more 11 Debian Linux, Bind, Data Ontap Edge and 8 more 2019-10-09 5.0 MEDIUM 7.5 HIGH
Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. Affects BIND 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8.
CVE-2017-3138 3 Debian, Isc, Netapp 5 Debian Linux, Bind, Data Ontap Edge and 2 more 2019-10-09 3.5 LOW 5.3 MEDIUM
named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.
CVE-2017-3145 4 Debian, Isc, Netapp and 1 more 9 Debian Linux, Bind, Data Ontap Edge and 6 more 2019-10-09 5.0 MEDIUM 7.5 HIGH
BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1.
CVE-2017-2624 2 Debian, X.org 2 Debian Linux, Xorg-server 2019-10-09 1.9 LOW 7.0 HIGH
It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.
CVE-2017-2616 3 Debian, Redhat, Util-linux Project 7 Debian Linux, Enterprise Linux Desktop, Enterprise Linux Server and 4 more 2019-10-09 4.7 MEDIUM 4.7 MEDIUM
A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.
CVE-2017-15105 3 Canonical, Debian, Nlnetlabs 3 Ubuntu Linux, Debian Linux, Unbound 2019-10-09 5.0 MEDIUM 5.3 MEDIUM
A flaw was found in the way unbound before 1.6.8 validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence (NXDOMAIN answer) of an existing wildcard record, or trick unbound into accepting a NODATA proof.
CVE-2017-15119 4 Canonical, Debian, Qemu and 1 more 4 Ubuntu Linux, Debian Linux, Qemu and 1 more 2019-10-09 5.0 MEDIUM 8.6 HIGH
The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.
CVE-2017-15120 2 Debian, Powerdns 2 Debian Linux, Recursor 2019-10-09 5.0 MEDIUM 7.5 HIGH
An issue has been found in the parsing of authoritative answers in PowerDNS Recursor before 4.0.8, leading to a NULL pointer dereference when parsing a specially crafted answer containing a CNAME of a different class than IN. An unauthenticated remote attacker could cause a denial of service.
CVE-2017-15132 3 Canonical, Debian, Dovecot 3 Ubuntu Linux, Debian Linux, Dovecot 2019-10-09 5.0 MEDIUM 7.5 HIGH
A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.
CVE-2017-12151 4 Debian, Hp, Redhat and 1 more 8 Debian Linux, Cifs Server, Enterprise Linux and 5 more 2019-10-09 5.8 MEDIUM 7.4 HIGH
A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
CVE-2017-12153 3 Canonical, Debian, Linux 3 Ubuntu Linux, Debian Linux, Linux Kernel 2019-10-09 4.9 MEDIUM 4.4 MEDIUM
A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel through 4.13.3. This function does not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash.
CVE-2017-12176 2 Debian, X.org 2 Debian Linux, Xorg-server 2019-10-09 7.5 HIGH 9.8 CRITICAL
xorg-x11-server before 1.19.5 was missing extra length validation in ProcEstablishConnection function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.
CVE-2017-12177 2 Debian, X.org 2 Debian Linux, Xorg-server 2019-10-09 7.5 HIGH 9.8 CRITICAL
xorg-x11-server before 1.19.5 was vulnerable to integer overflow in ProcDbeGetVisualInfo function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.
CVE-2017-12178 2 Debian, X.org 2 Debian Linux, Xorg-server 2019-10-09 7.5 HIGH 9.8 CRITICAL
xorg-x11-server before 1.19.5 had wrong extra length check in ProcXIChangeHierarchy function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.