Backports OpenSuse Backports

Do you want an email whenever new security vulnerabilities are reported in OpenSuse Backports?

By the Year

In 2022 there have been 3 vulnerabilities in OpenSuse Backports with an average score of 6.3 out of ten. Backports did not have any published security vulnerabilities last year. That is, 3 more vulnerabilities have already been reported in 2022 as compared to last year.

Year Vulnerabilities Average Score
2022 3 6.27
2021 0 0.00
2020 6 7.00
2019 32 7.11
2018 0 0.00

It may take a day or so for new Backports vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent OpenSuse Backports Security Vulnerabilities

An issue was discovered in Cobbler before 3.3.1

CVE-2021-45082 7.8 - High - February 19, 2022

An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)

Command Injection

An issue was discovered in uriparser before 0.9.6

CVE-2021-46141 5.5 - Medium - January 06, 2022

An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.

Dangling pointer

An issue was discovered in uriparser before 0.9.6

CVE-2021-46142 5.5 - Medium - January 06, 2022

An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.

Dangling pointer

GraphicsMagick before 1.3.35 has an integer overflow and resultant heap-based buffer overflow in HuffmanDecodeImage in magick/compress.c.

CVE-2020-10938 9.8 - Critical - March 24, 2020

GraphicsMagick before 1.3.35 has an integer overflow and resultant heap-based buffer overflow in HuffmanDecodeImage in magick/compress.c.

Memory Corruption

Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7

CVE-2020-10592 7.5 - High - March 23, 2020

Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (CPU consumption), aka TROVE-2020-002.

Improper initialization in the Intel(R) SGX SDK before v2.6.100.1 may

CVE-2020-0561 7.8 - High - February 13, 2020

Improper initialization in the Intel(R) SGX SDK before v2.6.100.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

Improper Initialization

Improper Input Validation in Nextcloud Server 15.0.7

CVE-2019-15624 4.9 - Medium - February 04, 2020

Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.

Improper Input Validation

apt-cacher-ng through 3.3 allows local users to obtain sensitive information by hijacking the hardcoded TCP port

CVE-2020-5202 5.5 - Medium - January 21, 2020

apt-cacher-ng through 3.3 allows local users to obtain sensitive information by hijacking the hardcoded TCP port. The /usr/lib/apt-cacher-ng/acngtool program attempts to connect to apt-cacher-ng via TCP on localhost port 3142, even if the explicit SocketPath=/var/run/apt-cacher-ng/socket command-line option is passed. The cron job /etc/cron.daily/apt-cacher-ng (which is active by default) attempts this periodically. Because 3142 is an unprivileged port, any local user can try to bind to this port and will receive requests from acngtool. There can be sensitive data in these requests, e.g., if AdminAuth is enabled in /etc/apt-cacher-ng/security.conf. This sensitive data can leak to unprivileged local users that manage to bind to this port before the apt-cacher-ng daemon can.

GNU LibreDWG 0.9.3.2564 has an attempted excessive memory allocation in read_sections_map in decode_r2007.c.

CVE-2020-6610 6.5 - Medium - January 08, 2020

GNU LibreDWG 0.9.3.2564 has an attempted excessive memory allocation in read_sections_map in decode_r2007.c.

Allocation of Resources Without Limits or Throttling

An invalid memory address dereference was discovered in the canUnpack function in p_mach.cpp in UPX 3.95

CVE-2019-20053 5.5 - Medium - December 27, 2019

An invalid memory address dereference was discovered in the canUnpack function in p_mach.cpp in UPX 3.95 via a crafted Mach-O file.

Buffer Overflow

Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79

CVE-2019-13730 8.8 - High - December 10, 2019

Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2

CVE-2019-5163 7.5 - High - December 03, 2019

An exploitable denial-of-service vulnerability exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher and a local_address, arbitrary UDP packets can cause a FATAL error code path and exit. An attacker can send arbitrary UDP packets to trigger this vulnerability.

Missing Authentication for Critical Function

Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70

CVE-2019-13713 6.5 - Medium - November 25, 2019

Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70

CVE-2019-13711 5.3 - Medium - November 25, 2019

Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Insufficient validation of untrusted input in intents in Google Chrome on Android prior to 78.0.3904.70

CVE-2019-13707 5.5 - Medium - November 25, 2019

Insufficient validation of untrusted input in intents in Google Chrome on Android prior to 78.0.3904.70 allowed a local attacker to leak files via a crafted application.

Improper Input Validation

Insufficient policy enforcement in extensions in Google Chrome prior to 78.0.3904.70

CVE-2019-13705 4.3 - Medium - November 25, 2019

Insufficient policy enforcement in extensions in Google Chrome prior to 78.0.3904.70 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension.

Improper Privilege Management

ImageMagick 7.0.8-35 has a memory leak in coders/dps.c

CVE-2019-16709 6.5 - Medium - September 23, 2019

ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.

Memory Leak

An Integer underflow in VLC Media Player versions < 3.0.7 leads to an out-of-band read.

CVE-2019-5459 7.1 - High - July 30, 2019

An Integer underflow in VLC Media Player versions < 3.0.7 leads to an out-of-band read.

Integer underflow

Resource size information leakage in Blink in Google Chrome prior to 75.0.3770.80

CVE-2019-5837 6.5 - Medium - June 27, 2019

Resource size information leakage in Blink in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Excessive data validation in URL parser in Google Chrome prior to 75.0.3770.80

CVE-2019-5839 4.3 - Medium - June 27, 2019

Excessive data validation in URL parser in Google Chrome prior to 75.0.3770.80 allowed a remote attacker who convinced a user to input a URL to bypass website URL validation via a crafted URL.

Improper Input Validation

Insufficient policy enforcement in extensions API in Google Chrome prior to 75.0.3770.80

CVE-2019-5838 4.3 - Medium - June 27, 2019

Insufficient policy enforcement in extensions API in Google Chrome prior to 75.0.3770.80 allowed an attacker who convinced a user to install a malicious extension to bypass restrictions on file URIs via a crafted Chrome Extension.

AuthZ

Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131

CVE-2019-5827 8.8 - High - June 27, 2019

Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

Process lifetime issue in Chrome in Google Chrome on Android prior to 74.0.3729.108

CVE-2019-5816 8.8 - High - June 27, 2019

Process lifetime issue in Chrome in Google Chrome on Android prior to 74.0.3729.108 allowed a remote attacker to potentially persist an exploited process via a crafted HTML page.

Improper Control of a Resource Through its Lifetime

Heap buffer overflow in ANGLE in Google Chrome on Windows prior to 74.0.3729.108

CVE-2019-5817 8.8 - High - June 27, 2019

Heap buffer overflow in ANGLE in Google Chrome on Windows prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

Uninitialized data in media in Google Chrome prior to 74.0.3729.108

CVE-2019-5818 6.5 - Medium - June 27, 2019

Uninitialized data in media in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted video file.

Use of Uninitialized Resource

Insufficient data validation in developer tools in Google Chrome on OS X prior to 74.0.3729.108

CVE-2019-5819 7.8 - High - June 27, 2019

Insufficient data validation in developer tools in Google Chrome on OS X prior to 74.0.3729.108 allowed a local attacker to execute arbitrary code via a crafted string copied to clipboard.

Improper Input Validation

Integer overflow in PDFium in Google Chrome prior to 74.0.3729.108

CVE-2019-5820 8.8 - High - June 27, 2019

Integer overflow in PDFium in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

Memory Corruption

Integer overflow in PDFium in Google Chrome prior to 74.0.3729.108

CVE-2019-5821 8.8 - High - June 27, 2019

Integer overflow in PDFium in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

Memory Corruption

Inappropriate implementation in Blink in Google Chrome prior to 74.0.3729.108

CVE-2019-5822 8.8 - High - June 27, 2019

Inappropriate implementation in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

Authorization

Insufficient policy enforcement in service workers in Google Chrome prior to 74.0.3729.108

CVE-2019-5823 5.4 - Medium - June 27, 2019

Insufficient policy enforcement in service workers in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

Open Redirect

Parameter passing error in media in Google Chrome prior to 74.0.3729.131

CVE-2019-5824 8.8 - High - June 27, 2019

Parameter passing error in media in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

Insufficient policy enforcement in Blink in Google Chrome prior to 74.0.3729.108

CVE-2019-5814 6.5 - Medium - June 27, 2019

Insufficient policy enforcement in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Session Riding

Object lifecycle issue in ServiceWorker in Google Chrome prior to 75.0.3770.80

CVE-2019-5828 8.8 - High - June 27, 2019

Object lifecycle issue in ServiceWorker in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

Dangling pointer

Integer overflow in download manager in Google Chrome prior to 75.0.3770.80

CVE-2019-5829 8.8 - High - June 27, 2019

Integer overflow in download manager in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

Integer Overflow or Wraparound

Insufficient policy enforcement in CORS in Google Chrome prior to 75.0.3770.80

CVE-2019-5830 6.5 - Medium - June 27, 2019

Insufficient policy enforcement in CORS in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Object lifecycle issue in V8 in Google Chrome prior to 75.0.3770.80

CVE-2019-5831 8.8 - High - June 27, 2019

Object lifecycle issue in V8 in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

Insufficient policy enforcement in XMLHttpRequest in Google Chrome prior to 75.0.3770.80

CVE-2019-5832 6.5 - Medium - June 27, 2019

Insufficient policy enforcement in XMLHttpRequest in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Incorrect dialog box scoping in browser in Google Chrome on Android prior to 75.0.3770.80

CVE-2019-5833 6.5 - Medium - June 27, 2019

Incorrect dialog box scoping in browser in Google Chrome on Android prior to 75.0.3770.80 allowed a remote attacker to display misleading security UI via a crafted HTML page.

Insufficient data validation in Blink in Google Chrome prior to 75.0.3770.80

CVE-2019-5834 6.5 - Medium - June 27, 2019

Insufficient data validation in Blink in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

Origin Validation Error

Object lifecycle issue in SwiftShader in Google Chrome prior to 75.0.3770.80

CVE-2019-5835 6.5 - Medium - June 27, 2019

Object lifecycle issue in SwiftShader in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

Out-of-bounds Read

Heap buffer overflow in ANGLE in Google Chrome prior to 75.0.3770.80

CVE-2019-5836 8.8 - High - June 27, 2019

Heap buffer overflow in ANGLE in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for OpenSuse Leap or by OpenSuse? Click the Watch button to subscribe.

OpenSuse
Vendor

subscribe