[Winvulns-announcements] BES Auto Notification: New Fixlets Published in Fixlet Site: 'Vulnerabilities to Windows Systems'
Notification of New Vulnerabilties to Windows Systems Fixlet Messages
winvulns-announcements at bigmail.bigfix.com
Fri Oct 28 05:21:12 PDT 2016
Fixlet Site - 'Vulnerabilities to Windows Systems'
Current Version: 519 Published: Thu, 27 Oct 2016 22:11:02 GMT
New Fixlets:
============
***************************************************************
Title: Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier - CVE-2016-3440
Severity: Medium
Fixlet ID: 129502
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1295
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3440
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer.
***************************************************************
Title: Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier - CVE-2016-5436
Severity: Medium
Fixlet ID: 130702
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1307
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5436
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: InnoDB.
***************************************************************
Title: Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier - CVE-2016-5437
Severity: Medium
Fixlet ID: 130802
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1308
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5437
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Log.
***************************************************************
Title: Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier - CVE-2016-3588
Severity: Medium
Fixlet ID: 130901
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1309
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3588
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote authenticated users to affect integrity and availability via vectors related to Server: InnoDB.
***************************************************************
Title: Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier - CVE-2016-3518
Severity: Medium
Fixlet ID: 131002
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1310
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3518
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer.
***************************************************************
Title: Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier and MariaDB 10.0.x before 10.0.24 and 10.1.x before 10.1.12 - CVE-2016-0668
Severity: Low
Fixlet ID: 131101
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1311
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0668
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier and MariaDB 10.0.x before 10.0.24 and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to InnoDB.
***************************************************************
Title: Vulnerability in Oracle MySQL 5.6.29 and earlier, 5.7.11 and earlier - CVE-2016-0705
Severity: High
Fixlet ID: 131201
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1312
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0705
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.
***************************************************************
Title: Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 - CVE-2016-0666
Severity: Low
Fixlet ID: 131301
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1313
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0666
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to Security: Privileges.
***************************************************************
Title: Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 - CVE-2016-3615
Severity: Medium
Fixlet ID: 131401
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1314
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3615
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: DML.
***************************************************************
Title: Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier - CVE-2016-3614
Severity: Low
Fixlet ID: 131502
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1315
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3614
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Security: Encryption.
***************************************************************
Title: Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 - CVE-2016-3521
Severity: Medium
Fixlet ID: 131602
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1316
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3521
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: Types.
***************************************************************
Title: Vulnerability in Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2 - CVE-2015-7575
Severity: Medium
Fixlet ID: 131702
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1317
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7575
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
***************************************************************
Title: Bad cast in nsImageGeometryMixin class in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 - CVE-2016-5272
Severity: Medium
Fixlet ID: 131801
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1318
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5272
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The nsImageGeometryMixin class in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 does not properly perform a cast of an unspecified variable during handling of INPUT elements, which allows remote attackers to execute arbitrary code via a crafted web site.
***************************************************************
Title: Use-after-free vulnerability in the nsFrameManager::CaptureFrameState function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 - CVE-2016-5274
Severity: High
Fixlet ID: 131902
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1319
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5274
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Use-after-free vulnerability in the nsFrameManager::CaptureFrameState function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code by leveraging improper interaction between restyling and the Web Animations model implementation.
***************************************************************
Title: Use-after-free vulnerability in the mozilla::a11y::DocAccessible::ProcessInvalidationList function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 - CVE-2016-5276
Severity: High
Fixlet ID: 132001
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1320
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5276
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Use-after-free vulnerability in the mozilla::a11y::DocAccessible::ProcessInvalidationList function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an aria-owns attribute.
***************************************************************
Title: Heap-based buffer overflow in the nsCaseTransformTextRunFactory::TransformString function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 - CVE-2016-5270
Severity: High
Fixlet ID: 132102
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1321
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5270
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Heap-based buffer overflow in the nsCaseTransformTextRunFactory::TransformString function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to cause a denial of service (boolean out-of-bounds write) or possibly have unspecified other impact via Unicode characters that are mishandled during text conversion.
***************************************************************
Title: Expat allows context-dependent attackers to cause a denial of service (crash) - CVE-2016-0718
Severity: High
Fixlet ID: 132201
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1322
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
***************************************************************
Title: Use-after-free vulnerability in the js::PreliminaryObjectArray::sweep function in Mozilla Firefox before 48.0 - CVE-2016-5255
Severity: Medium
Fixlet ID: 132302
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1323
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5255
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Use-after-free vulnerability in the js::PreliminaryObjectArray::sweep function in Mozilla Firefox before 48.0 allows remote attackers to execute arbitrary code via crafted JavaScript that is mishandled during incremental garbage collection.
***************************************************************
Title: Mozilla Firefox before 48.0 mishandles changes from 'INPUT type="password"' to 'INPUT type="text"' within a single Session Manager session - CVE-2016-5260
Severity: Medium
Fixlet ID: 132401
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1324
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5260
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Mozilla Firefox before 48.0 mishandles changes from 'INPUT type="password"' to 'INPUT type="text"' within a single Session Manager session, which might allow attackers to discover cleartext passwords by reading a session restoration file.
***************************************************************
Title: Stack-based buffer underflow in the mozilla::gfx::BasePoint4d function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 - CVE-2016-5252
Severity: Medium
Fixlet ID: 132502
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1325
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5252
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Stack-based buffer underflow in the mozilla::gfx::BasePoint4d function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code via crafted two-dimensional graphics data that is mishandled during clipping-region calculations.
***************************************************************
Title: Use-after-free vulnerability in the WebRTC socket thread in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 - CVE-2016-5258
Severity: Medium
Fixlet ID: 132602
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1326
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5258
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Use-after-free vulnerability in the WebRTC socket thread in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code by leveraging incorrect free operations on DTLS objects during the shutdown of a WebRTC session.
***************************************************************
Title: Use-after-free vulnerability in the nsXULPopupManager::KeyDown function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 - CVE-2016-5254
Severity: High
Fixlet ID: 132702
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1327
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5254
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Use-after-free vulnerability in the nsXULPopupManager::KeyDown function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows attackers to execute arbitrary code or cause a denial of service (heap memory corruption and application crash) by leveraging keyboard access to use the Alt key during selection of top-level menu items.
***************************************************************
Title: Use-after-free vulnerability in the nsNodeUtils::NativeAnonymousChildListChange function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 - CVE-2016-5264
Severity: Medium
Fixlet ID: 132802
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1328
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5264
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Use-after-free vulnerability in the nsNodeUtils::NativeAnonymousChildListChange function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG element that is mishandled during effect application.
***************************************************************
Title: The Updater in Mozilla Firefox before 48.0 on Windows allows local users to write to arbitrary files - CVE-2016-5253
Severity: Medium
Fixlet ID: 132902
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1329
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5253
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: The Updater in Mozilla Firefox before 48.0 on Windows allows local users to write to arbitrary files via vectors involving the callback application-path parameter and a hard link.
***************************************************************
Title: Use-after-free vulnerability in the CanonicalizeXPCOMParticipant function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 - CVE-2016-5259
Severity: Medium
Fixlet ID: 133002
Fixlet Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.cisecurity%3Adef%3A1330
Fixlet Link: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5259
Fixlet Link: http://nvd.nist.gov/cvss.cfm?vectorinfo
Fixlet Description: Use-after-free vulnerability in the CanonicalizeXPCOMParticipant function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code via a script that closes its own Service Worker within a nested sync event loop.
More information about the WinVulns-Announcements
mailing list