Vulnerabilities (CVE)

Filtered by vendor Opensuse Subscribe
Filtered by product Leap
Total 1916 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-20919 5 Canonical, Debian, Fedoraproject and 2 more 5 Ubuntu Linux, Debian Linux, Fedora and 2 more 2023-11-07 1.9 LOW 4.7 MEDIUM
An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference.
CVE-2019-20907 7 Canonical, Debian, Fedoraproject and 4 more 8 Ubuntu Linux, Debian Linux, Fedora and 5 more 2023-11-07 5.0 MEDIUM 7.5 HIGH
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVE-2019-20840 5 Canonical, Debian, Libvnc Project and 2 more 16 Ubuntu Linux, Debian Linux, Libvncserver and 13 more 2023-11-07 5.0 MEDIUM 7.5 HIGH
An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws_decode.c can lead to a crash because of unaligned accesses in hybiReadAndDecode.
CVE-2019-20839 5 Canonical, Debian, Libvnc Project and 2 more 16 Ubuntu Linux, Debian Linux, Libvncserver and 13 more 2023-11-07 5.0 MEDIUM 7.5 HIGH
libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer overflow via a long socket filename.
CVE-2019-20787 2 Opensuse, Teeworlds 2 Leap, Teeworlds 2023-11-07 7.5 HIGH 9.8 CRITICAL
Teeworlds before 0.7.4 has an integer overflow when computing a tilemap size.
CVE-2019-20479 4 Debian, Fedoraproject, Openidc and 1 more 4 Debian Linux, Fedora, Mod Auth Openidc and 1 more 2023-11-07 5.8 MEDIUM 6.1 MEDIUM
A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
CVE-2019-20446 6 Canonical, Debian, Fedoraproject and 3 more 6 Ubuntu Linux, Debian Linux, Fedora and 3 more 2023-11-07 4.3 MEDIUM 6.5 MEDIUM
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
CVE-2019-20386 5 Canonical, Fedoraproject, Netapp and 2 more 7 Ubuntu Linux, Fedora, Active Iq Unified Manager and 4 more 2023-11-07 2.1 LOW 2.4 LOW
An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.
CVE-2019-20382 4 Canonical, Debian, Opensuse and 1 more 4 Ubuntu Linux, Debian Linux, Leap and 1 more 2023-11-07 2.7 LOW 3.5 LOW
QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.
CVE-2019-20367 4 Canonical, Debian, Freedesktop and 1 more 4 Ubuntu Linux, Debian Linux, Libbsd and 1 more 2023-11-07 6.4 MEDIUM 9.1 CRITICAL
nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab).
CVE-2019-1559 13 Canonical, Debian, F5 and 10 more 90 Ubuntu Linux, Debian Linux, Big-ip Access Policy Manager and 87 more 2023-11-07 4.3 MEDIUM 5.9 MEDIUM
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
CVE-2019-1551 7 Canonical, Debian, Fedoraproject and 4 more 9 Ubuntu Linux, Debian Linux, Fedora and 6 more 2023-11-07 5.0 MEDIUM 5.3 MEDIUM
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).
CVE-2019-1353 2 Git-scm, Opensuse 2 Git, Leap 2023-11-07 7.5 HIGH 9.8 CRITICAL
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
CVE-2019-1351 2 Microsoft, Opensuse 3 Visual Studio 2017, Visual Studio 2019, Leap 2023-11-07 5.0 MEDIUM 7.5 HIGH
A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'.
CVE-2019-1348 2 Git-scm, Opensuse 2 Git, Leap 2023-11-07 3.6 LOW 3.3 LOW
An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths.
CVE-2019-19921 5 Canonical, Debian, Linuxfoundation and 2 more 5 Ubuntu Linux, Debian Linux, Runc and 2 more 2023-11-07 4.4 MEDIUM 7.0 HIGH
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)
CVE-2019-19918 3 Fedoraproject, Lout Project, Opensuse 4 Fedora, Lout, Backports Sle and 1 more 2023-11-07 6.8 MEDIUM 7.8 HIGH
Lout 3.40 has a heap-based buffer overflow in the srcnext() function in z02.c.
CVE-2019-19917 3 Fedoraproject, Lout Project, Opensuse 4 Fedora, Lout, Backports Sle and 1 more 2023-11-07 6.8 MEDIUM 7.8 HIGH
Lout 3.40 has a buffer overflow in the StringQuotedWord() function in z39.c.
CVE-2019-19604 4 Debian, Fedoraproject, Git-scm and 1 more 4 Debian Linux, Fedora, Git and 1 more 2023-11-07 9.3 HIGH 7.8 HIGH
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-19583 4 Debian, Fedoraproject, Opensuse and 1 more 4 Debian Linux, Fedora, Leap and 1 more 2023-11-07 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) because VMX VMEntry checks mishandle a certain case. Please see XSA-260 for background on the MovSS shadow. Please see XSA-156 for background on the need for #DB interception. The VMX VMEntry checks do not like the exact combination of state which occurs when #DB in intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest. HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service. All versions of Xen are affected. Only systems supporting VMX hardware virtual extensions (Intel, Cyrix, or Zhaoxin CPUs) are affected. Arm and AMD systems are unaffected. Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability.