OpenSuse Backports Sle

stack.watch can notify you when security vulnerabilities are reported in OpenSuse Backports Sle. You can add multiple products that you use with Backports Sle to create your own personal software stack watcher.

By the Year

In 2020 there have been 25 vulnerabilities in OpenSuse Backports Sle, with an average score of 6.8 out of ten. Last year Backports Sle had 9 security vulnerabilities published. That is, 16 more vulnerabilities have already been reported in 2020 than in all of last year. Last year, the average CVE base score was greater by 1.04.

Year | Vulnerabilities | Average Score
2020 | 25 | 6.84
2019 | 9 | 7.89
2018 | 0 | 0.00

It may take a day or so for new Backports Sle vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest OpenSuse Backports Sle Security Vulnerabilities

An issue was discovered in LinuxTV xawtv before 3.107

CVE-2020-13696 4.4 - Medium - June 08, 2020

An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to trigger an open on arbitrary files with mode O_RDWR. To achieve this, relative path components need to be added to the device path, as demonstrated by a v4l-conf -c /dev/../root/.bash_history command.

Incorrect Permission Assignment for Critical Resource

SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents

CVE-2020-12050 7 - High - April 30, 2020

SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of an arbitrary library.

Race Condition

CServer::SendMsg in engine/server/server.cpp in Teeworlds 0.7.x before 0.7.5

CVE-2020-12066 7.5 - High - April 22, 2020

CServer::SendMsg in engine/server/server.cpp in Teeworlds 0.7.x before 0.7.5 allows remote attackers to shut down the server.

Uncontrolled Resource Consumption ('Resource Exhaustion')

Integer overflow in JavaScript in Google Chrome on ChromeOS and Android prior to 80.0.3987.87

CVE-2020-6381 8.8 - High - February 11, 2020

Integer overflow in JavaScript in Google Chrome on ChromeOS and Android prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Integer Overflow or Wraparound

Insufficient policy enforcement in storage in Google Chrome prior to 80.0.3987.87

CVE-2020-6385 8.8 - High - February 11, 2020

Insufficient policy enforcement in storage in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass site isolation via a crafted HTML page.

Improper Input Validation

Insufficient validation of untrusted input in Blink in Google Chrome prior to 80.0.3987.87

CVE-2020-6391 4.3 - Medium - February 11, 2020

Insufficient validation of untrusted input in Blink in Google Chrome prior to 80.0.3987.87 allowed a local attacker to bypass content security policy via a crafted HTML page.

Improper Input Validation

Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.87

CVE-2020-6392 4.3 - Medium - February 11, 2020

Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.

Improper Input Validation

Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87

CVE-2020-6393 6.5 - Medium - February 11, 2020

Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Improper Input Validation

Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87

CVE-2020-6394 5.4 - Medium - February 11, 2020

Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page.

Improper Input Validation

Inappropriate implementation in Skia in Google Chrome prior to 80.0.3987.87

CVE-2020-6396 4.3 - Medium - February 11, 2020

Inappropriate implementation in Skia in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

Improper Input Validation

Inappropriate implementation in sharing in Google Chrome prior to 80.0.3987.87

CVE-2020-6397 6.5 - Medium - February 11, 2020

Inappropriate implementation in sharing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to spoof security UI via a crafted HTML page.

Improper Input Validation

Use of uninitialized data in PDFium in Google Chrome prior to 80.0.3987.87

CVE-2020-6398 8.8 - High - February 11, 2020

Use of uninitialized data in PDFium in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

1187

Insufficient policy enforcement in AppCache in Google Chrome prior to 80.0.3987.87

CVE-2020-6399 6.5 - Medium - February 11, 2020

Insufficient policy enforcement in AppCache in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Improper Input Validation

Inappropriate implementation in CORS in Google Chrome prior to 80.0.3987.87

CVE-2020-6400 6.5 - Medium - February 11, 2020

Inappropriate implementation in CORS in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Information Leak

Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87

CVE-2020-6401 6.5 - Medium - February 11, 2020

Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

Improper Input Validation

Insufficient policy enforcement in downloads in Google Chrome on OS X prior to 80.0.3987.87

CVE-2020-6402 8.8 - High - February 11, 2020

Insufficient policy enforcement in downloads in Google Chrome on OS X prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.

Improper Input Validation

Incorrect implementation in Omnibox in Google Chrome on iOS prior to 80.0.3987.87

CVE-2020-6403 4.3 - Medium - February 11, 2020

Incorrect implementation in Omnibox in Google Chrome on iOS prior to 80.0.3987.87 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

Improper Input Validation

Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87

CVE-2020-6404 7.8 - High - February 11, 2020

Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

Insufficient policy enforcement in CORS in Google Chrome prior to 80.0.3987.87

CVE-2020-6408 5.5 - Medium - February 11, 2020

Insufficient policy enforcement in CORS in Google Chrome prior to 80.0.3987.87 allowed a local attacker to obtain potentially sensitive information via a crafted HTML page.

Information Leak

Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87

CVE-2020-6412 5.4 - Medium - February 11, 2020

Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.

Improper Input Validation

Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87

CVE-2020-6413 8.8 - High - February 11, 2020

Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass HTML validators via a crafted HTML page.

Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 80.0.3987.87

CVE-2020-6414 8.8 - High - February 11, 2020

Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks

CVE-2020-7040 8.1 - High - January 21, 2020

storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks that possibly lead to privilege escalation. (Local users can also create a plain file named /tmp/storeBackup.lock to block use of storeBackup until an admin manually deletes that file.)

Insecure Temporary File

Use after free in audio in Google Chrome prior to 79.0.3945.117

CVE-2020-6377 8.8 - High - January 10, 2020

Use after free in audio in Google Chrome prior to 79.0.3945.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Use after free in media picker in Google Chrome prior to 79.0.3945.88

CVE-2019-13767 8.8 - High - January 10, 2020

Use after free in media picker in Google Chrome prior to 79.0.3945.88 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

An issue was discovered in GNU LibreDWG before 0.93

CVE-2019-20009 6.5 - Medium - December 27, 2019

An issue was discovered in GNU LibreDWG before 0.93. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_SPLINE_private in dwg.spec.

Uncontrolled Resource Consumption ('Resource Exhaustion')

An issue was discovered in GNU LibreDWG 0.92

CVE-2019-20010 8.8 - High - December 27, 2019

An issue was discovered in GNU LibreDWG 0.92. There is a use-after-free in resolve_objectref_vector in decode.c.

Dangling pointer

An issue was discovered in GNU LibreDWG 0.92

CVE-2019-20011 8.8 - High - December 27, 2019

An issue was discovered in GNU LibreDWG 0.92. There is a heap-based buffer over-read in decode_R13_R2000 in decode.c.

Out-of-bounds Read

An issue was discovered in GNU LibreDWG 0.92

CVE-2019-20012 6.5 - Medium - December 27, 2019

An issue was discovered in GNU LibreDWG 0.92. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_HATCH_private in dwg.spec.

Uncontrolled Resource Consumption ('Resource Exhaustion')

An issue was discovered in GNU LibreDWG before 0.93

CVE-2019-20013 6.5 - Medium - December 27, 2019

An issue was discovered in GNU LibreDWG before 0.93. Crafted input will lead to an attempted excessive memory allocation in decode_3dsolid in dwg.spec.

Uncontrolled Resource Consumption ('Resource Exhaustion')

An issue was discovered in GNU LibreDWG before 0.93

CVE-2019-20014 8.8 - High - December 27, 2019

An issue was discovered in GNU LibreDWG before 0.93. There is a double-free in dwg_free in free.c.

Double-free

An issue was discovered in GNU LibreDWG 0.92

CVE-2019-20015 6.5 - Medium - December 27, 2019

An issue was discovered in GNU LibreDWG 0.92. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_LWPOLYLINE_private in dwg.spec.

Uncontrolled Resource Consumption ('Resource Exhaustion')

An issue was discovered in phpMyAdmin before 4.9.2

CVE-2019-18622 9.8 - Critical - November 22, 2019

An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

An exploitable code execution vulnerability exists in the XPM image rendering function of SDL2_image 2.0.4

CVE-2019-5060 8.8 - High - July 31, 2019

An exploitable code execution vulnerability exists in the XPM image rendering function of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow in the colorhash function, allocating too small of a buffer. This buffer can then be written out of bounds, resulting in a heap overflow, ultimately ending in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

Integer Overflow or Wraparound