Aggregator

USN-3950-1: ZNC vulnerability

1 week ago
znc vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
Summary

ZNC could be made to crash or run programs if it received specially crafted network traffic.

Software Description
  • znc - advanced modular IRC bouncer
Details

It was discovered that ZNC incorrectly handled certain invalid encodings. An authenticated remote user could use this issue to cause ZNC to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
znc - 1.7.1-2ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

php-symfony4-4.1.12-1.fc29

1 week 1 day ago
**Version 4.1.12** (2019-04-17) * security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas) * security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (stof) * security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (nicolas-grekas) * security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli) * security #cve-2019-10913 [HttpFoundation] reject invalid method override (nicolas-grekas)

php-symfony4-4.2.7-2.fc30

1 week 1 day ago
**Version 4.2.7** (2019-04-17) * bug #31107 [Routing] fix trailing slash redirection with non-greedy trailing vars (nicolas-grekas) * bug #31108 [FrameworkBundle] decorate the ValidatorBuilder's translator with LegacyTranslatorProxy (nicolas-grekas) * bug #31121 [HttpKernel] Fix get session when the request stack is empty (yceruto) * bug #31084 [HttpFoundation] Make MimeTypeExtensionGuesser case insensitive (vermeirentony) * bug #31142 Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)" (chalasr) * security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas) * security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (stof) * security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (nicolas-grekas) * security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli) * security #cve-2019-10913 [HttpFoundation] reject invalid method override (nicolas-grekas) ---- **Version 4.2.6** (2019-04-16) * bug #31088 [DI] fix removing non-shared definition while inlining them (nicolas-grekas) * bug #29944 [DI] Overriding services autowired by name under _defaults bind not working (przemyslaw-bogusz, renanbr) * bug #30993 [FrameworkBundle] Fix for Controller DEPRECATED when using composer --optimized (aweelex) * bug #31076 [HttpKernel] Fixed LoggerDataCollector crashing on empty file (althaus) * bug #31071 property normalizer should also pass format and context to isAllowedAttribute (dbu) * bug #31059 Show more accurate message in profiler when missing stopwatch (linaori) * bug #31026 [Serializer] Add default object class resolver (jdecool) * bug #31031 [Serializer] MetadataAwareNameConverter: Do not assume that property names are strings (soyuka) * bug #31043 [VarExporter] support PHP7.4 __serialize & __unserialize (nicolas-grekas) * bug #30423 [Security] Rework firewall's access denied rule (dimabory) * bug #31020 [VarExporter] fix exporting classes with private constructors (nicolas-grekas) * bug #31012 [Process] Fix missing $extraDirs when open_basedir returns (arsonik) * bug #30852 [Console] fix buildTableRows when Colspan is use with content too long (Raulnet) * bug #30950 [Serializer] Also validate callbacks when given in the normalizer context (dbu) * bug #30907 [Serializer] Respect ignored attributes in cache key of normalizer (dbu) * bug #30085 Fix TestRunner compatibility to PhpUnit 8 (alexander-schranz) * bug #30999 Fix dark themed componnents (ro0NL) * bug #30977 [serializer] prevent mixup in normalizer of the object to populate (dbu) * bug #30976 [Debug] Fixed error handling when an error is already handled when another error is already handled (5) (lyrixx) * bug #30979 Fix the configurability of CoreExtension deps in standalone usage (stof) * bug #30918 [Cache] fix using ProxyAdapter inside TagAwareAdapter (dmaicher) * bug #30961 [Form] fix translating file validation error message (xabbuh) * bug #30951 Handle case where no translations were found (greg0ire) * bug #29800 [Validator] Only traverse arrays that are cascaded into (corphi) * bug #30921 [Translator] Warm up the translations cache in dev (tgalopin) * bug #30922 [TwigBridge] fix horizontal spacing of inlined Bootstrap forms (xabbuh) * bug #30860 [Profiler] Fix dark theme elements color (dFayet) * bug #30895 [Form] turn failed file uploads into form errors (xabbuh) * bug #30919 [Translator] Fix wrong dump for PO files (deguif) * bug #30889 [DependencyInjection] Fix a wrong error when using a factory (Simperfit) * bug #30911 [Console] Fix table trailing backslash (maidmaid) * bug #30903 [Messenger] Uses the `SerializerStamp` when deserializing the envelope (sroze) * bug #30879 [Form] Php doc fixes and cs + optimizations (Jules Pietri) * bug #30883 [Console] Fix stty not reset when aborting in QuestionHelper::autocomplete() (Simperfit) * bug #30878 [Console] Fix inconsistent result for choice questions in non-interactive mode (chalasr) * bug #30825 [Routing] Fix: annotation loader ignores method's default values (voronkovich)

php-symfony4-4.2.7-1.fc30

1 week 1 day ago
**Version 4.2.7** (2019-04-17) * bug #31107 [Routing] fix trailing slash redirection with non-greedy trailing vars (nicolas-grekas) * bug #31108 [FrameworkBundle] decorate the ValidatorBuilder's translator with LegacyTranslatorProxy (nicolas-grekas) * bug #31121 [HttpKernel] Fix get session when the request stack is empty (yceruto) * bug #31084 [HttpFoundation] Make MimeTypeExtensionGuesser case insensitive (vermeirentony) * bug #31142 Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)" (chalasr) * security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas) * security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (stof) * security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (nicolas-grekas) * security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli) * security #cve-2019-10913 [HttpFoundation] reject invalid method override (nicolas-grekas) ---- **Version 4.2.6** (2019-04-16) * bug #31088 [DI] fix removing non-shared definition while inlining them (nicolas-grekas) * bug #29944 [DI] Overriding services autowired by name under _defaults bind not working (przemyslaw-bogusz, renanbr) * bug #30993 [FrameworkBundle] Fix for Controller DEPRECATED when using composer --optimized (aweelex) * bug #31076 [HttpKernel] Fixed LoggerDataCollector crashing on empty file (althaus) * bug #31071 property normalizer should also pass format and context to isAllowedAttribute (dbu) * bug #31059 Show more accurate message in profiler when missing stopwatch (linaori) * bug #31026 [Serializer] Add default object class resolver (jdecool) * bug #31031 [Serializer] MetadataAwareNameConverter: Do not assume that property names are strings (soyuka) * bug #31043 [VarExporter] support PHP7.4 __serialize & __unserialize (nicolas-grekas) * bug #30423 [Security] Rework firewall's access denied rule (dimabory) * bug #31020 [VarExporter] fix exporting classes with private constructors (nicolas-grekas) * bug #31012 [Process] Fix missing $extraDirs when open_basedir returns (arsonik) * bug #30852 [Console] fix buildTableRows when Colspan is use with content too long (Raulnet) * bug #30950 [Serializer] Also validate callbacks when given in the normalizer context (dbu) * bug #30907 [Serializer] Respect ignored attributes in cache key of normalizer (dbu) * bug #30085 Fix TestRunner compatibility to PhpUnit 8 (alexander-schranz) * bug #30999 Fix dark themed componnents (ro0NL) * bug #30977 [serializer] prevent mixup in normalizer of the object to populate (dbu) * bug #30976 [Debug] Fixed error handling when an error is already handled when another error is already handled (5) (lyrixx) * bug #30979 Fix the configurability of CoreExtension deps in standalone usage (stof) * bug #30918 [Cache] fix using ProxyAdapter inside TagAwareAdapter (dmaicher) * bug #30961 [Form] fix translating file validation error message (xabbuh) * bug #30951 Handle case where no translations were found (greg0ire) * bug #29800 [Validator] Only traverse arrays that are cascaded into (corphi) * bug #30921 [Translator] Warm up the translations cache in dev (tgalopin) * bug #30922 [TwigBridge] fix horizontal spacing of inlined Bootstrap forms (xabbuh) * bug #30860 [Profiler] Fix dark theme elements color (dFayet) * bug #30895 [Form] turn failed file uploads into form errors (xabbuh) * bug #30919 [Translator] Fix wrong dump for PO files (deguif) * bug #30889 [DependencyInjection] Fix a wrong error when using a factory (Simperfit) * bug #30911 [Console] Fix table trailing backslash (maidmaid) * bug #30903 [Messenger] Uses the `SerializerStamp` when deserializing the envelope (sroze) * bug #30879 [Form] Php doc fixes and cs + optimizations (Jules Pietri) * bug #30883 [Console] Fix stty not reset when aborting in QuestionHelper::autocomplete() (Simperfit) * bug #30878 [Console] Fix inconsistent result for choice questions in non-interactive mode (chalasr) * bug #30825 [Routing] Fix: annotation loader ignores method's default values (voronkovich)

php-symfony3-3.4.26-1.fc28

1 week 1 day ago
**Version 3.4.26** (2019-04-17) * bug #31084 [HttpFoundation] Make MimeTypeExtensionGuesser case insensitive (vermeirentony) * bug #31142 Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)" (chalasr) * security #cve-2019-10910 [DI] Check service IDs are valid (nicolas-grekas) * security #cve-2019-10909 [FrameworkBundle][Form] Fix XSS issues in the form theme of the PHP templating engine (stof) * security #cve-2019-10912 [Cache][PHPUnit Bridge] Prevent destructors with side-effects from being unserialized (nicolas-grekas) * security #cve-2019-10911 [Security] Add a separator in the remember me cookie hash (pborreli) * security #cve-2019-10913 [HttpFoundation] reject invalid method override (nicolas-grekas) ---- **Version 3.4.25** (2019-04-16) * bug #29944 [DI] Overriding services autowired by name under _defaults bind not working (przemyslaw-bogusz, renanbr) * bug #31076 [HttpKernel] Fixed LoggerDataCollector crashing on empty file (althaus) * bug #31071 property normalizer should also pass format and context to isAllowedAttribute (dbu) * bug #31059 Show more accurate message in profiler when missing stopwatch (linaori) * bug #30423 [Security] Rework firewall's access denied rule (dimabory) * bug #31012 [Process] Fix missing $extraDirs when open_basedir returns (arsonik) * bug #30907 [Serializer] Respect ignored attributes in cache key of normalizer (dbu) * bug #30085 Fix TestRunner compatibility to PhpUnit 8 (alexander-schranz) * bug #30977 [serializer] prevent mixup in normalizer of the object to populate (dbu) * bug #30976 [Debug] Fixed error handling when an error is already handled when another error is already handled (5) (lyrixx) * bug #30979 Fix the configurability of CoreExtension deps in standalone usage (stof) * bug #30918 [Cache] fix using ProxyAdapter inside TagAwareAdapter (dmaicher) * bug #30961 [Form] fix translating file validation error message (xabbuh) * bug #30951 Handle case where no translations were found (greg0ire) * bug #29800 [Validator] Only traverse arrays that are cascaded into (corphi) * bug #30921 [Translator] Warm up the translations cache in dev (tgalopin) * bug #30922 [TwigBridge] fix horizontal spacing of inlined Bootstrap forms (xabbuh) * bug #30895 [Form] turn failed file uploads into form errors (xabbuh) * bug #30919 [Translator] Fix wrong dump for PO files (deguif) * bug #30889 [DependencyInjection] Fix a wrong error when using a factory (Simperfit) * bug #30879 [Form] Php doc fixes and cs + optimizations (Jules Pietri) * bug #30883 [Console] Fix stty not reset when aborting in QuestionHelper::autocomplete() (Simperfit) * bug #30878 [Console] Fix inconsistent result for choice questions in non-interactive mode (chalasr)