An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data. The vulnerability was introduced in v0.6…
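The failure mode behind this advisory, as an added illustration (this is not rand_core's code, and the loose check shown is a hypothetical mis-ordered comparison, not the exact check the crate shipped): a reader that copies little-endian words out of a seed buffer with `zip` silently stops when the shorter side runs out, so a length check that passes for a too-short buffer leaves the rest of the RNG state at its zero placeholder.

```rust
use std::convert::TryInto;
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Fill `dst` with little-endian u32 words taken from `src`.
/// Correct bound: every word in `dst` needs four bytes of `src`.
pub fn read_u32_into(src: &[u8], dst: &mut [u32]) {
    assert!(
        src.len() >= 4 * dst.len(),
        "seed too short: {} bytes for {} words",
        src.len(),
        dst.len()
    );
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(4)) {
        *out = u32::from_le_bytes(chunk.try_into().unwrap());
    }
}

/// Hypothetical variant with the operands of the check mixed up. This only
/// illustrates the failure class; it is not the check rand_core actually had.
/// `zip` stops at the shorter iterator, so trailing words of `dst` are never written.
pub fn read_u32_into_loose(src: &[u8], dst: &mut [u32]) {
    assert!(4 * src.len() >= dst.len(), "loose check");
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(4)) {
        *out = u32::from_le_bytes(chunk.try_into().unwrap());
    }
}

/// Toy 8-word RNG state seeded through one of the two readers.
/// Returns Err if the reader rejected the seed, otherwise the resulting state.
pub fn seed_state(seed: &[u8], loose: bool) -> Result<[u32; 8], String> {
    let mut state = [0u32; 8];
    let outcome = catch_unwind(AssertUnwindSafe(|| {
        if loose {
            read_u32_into_loose(seed, &mut state)
        } else {
            read_u32_into(seed, &mut state)
        }
    }));
    match outcome {
        Ok(()) => Ok(state),
        Err(_) => Err("seed rejected by length check".to_string()),
    }
}

/// Number of state words still holding the zero placeholder after seeding.
pub fn zero_words(state: &[u32; 8]) -> usize {
    state.iter().filter(|&&w| w == 0).count()
}

fn main() {
    // Constructed sample seeds: 8 bytes (too short for 8 words) and 32 bytes (exact).
    let short_seed: Vec<u8> = (1u8..=8).collect();
    let full_seed: Vec<u8> = (1u8..=32).collect();

    match seed_state(&short_seed, true) {
        Ok(s) => println!(
            "loose reader accepted 8 bytes; {} of 8 words left zero: {:?}",
            zero_words(&s),
            s
        ),
        Err(e) => println!("loose reader: {}", e),
    }
    println!("strict reader, 8 bytes:  {:?}", seed_state(&short_seed, false));
    println!("strict reader, 32 bytes: {:?}", seed_state(&full_seed, false));
}
```

The practical check for any seeding helper is the one the strict reader makes explicit: the byte count must cover the whole destination, and the assertion must compare `src.len()` against `4 * dst.len()` (or `8 * dst.len()` for u64), not some other pair of quantities.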
[im] Data races in im
An issue was discovered in the im crate prior to 15.1.0 for Rust. Because the TreeFocus type's Send and Sync implementations carry no bounds on its element type, a value that is not itself thread-safe can be moved to or shared with another thread, and a data race can occur.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-36204
https://github.com/bodil/im-rs/…
[miow] miow invalidly assumes the memory layout of std::net::SocketAddr
An issue was discovered in the miow crate before 0.3.6 for Rust. It assumes a particular memory layout for std::net::SocketAddr, which the standard library does not guarantee.
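The safe alternative to relying on std's layout, shown as an added example rather than miow's own code: build the OS socket address structure field by field from the accessor methods of `std::net::SocketAddrV4`. The `SockAddrIn` struct below is this example's own definition of the 16-byte `sockaddr_in` layout with a two-byte family field (the Windows and Linux form; BSD-style systems with an `sa_len` byte differ), and `AF_INET = 2` is assumed for the same targets.

```rust
use std::net::{Ipv4Addr, SocketAddrV4};

/// Address family value for IPv4 on Windows and Linux (assumption for this example).
pub const AF_INET: u16 = 2;

/// Explicit C layout of sockaddr_in: family, port (network order),
/// address (network order), eight bytes of padding. 16 bytes total.
#[repr(C)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct SockAddrIn {
    pub sin_family: u16,
    pub sin_port: u16,
    pub sin_addr: [u8; 4],
    pub sin_zero: [u8; 8],
}

impl SockAddrIn {
    /// Convert from std's type through its public accessors. Nothing here
    /// depends on how std lays out SocketAddrV4 internally, so a change in
    /// std cannot silently corrupt the address handed to the OS.
    pub fn from_std(addr: &SocketAddrV4) -> Self {
        SockAddrIn {
            sin_family: AF_INET,
            sin_port: addr.port().to_be(),
            sin_addr: addr.ip().octets(),
            sin_zero: [0; 8],
        }
    }

    /// Inverse conversion, rejecting anything that is not an IPv4 entry.
    pub fn to_std(&self) -> Option<SocketAddrV4> {
        if self.sin_family != AF_INET {
            return None;
        }
        Some(SocketAddrV4::new(
            Ipv4Addr::from(self.sin_addr),
            u16::from_be(self.sin_port),
        ))
    }

    /// The bytes the OS would read: family in host order, port and
    /// address already in network order.
    pub fn as_bytes(&self) -> [u8; 16] {
        let mut out = [0u8; 16];
        out[0..2].copy_from_slice(&self.sin_family.to_ne_bytes());
        out[2..4].copy_from_slice(&self.sin_port.to_ne_bytes());
        out[4..8].copy_from_slice(&self.sin_addr);
        out
    }
}

/// Size check a crate should make on its own FFI struct, not on std's type.
pub fn layout_size() -> usize {
    std::mem::size_of::<SockAddrIn>()
}

fn main() {
    // Constructed sample address.
    let addr = SocketAddrV4::new(Ipv4Addr::new(192, 168, 1, 10), 8080);
    let raw = SockAddrIn::from_std(&addr);
    println!("{:?} -> {:?}", addr, raw.as_bytes());
    println!("size_of::<SockAddrIn>() = {}", layout_size());
    println!("round trip: {:?}", raw.to_std());
}
```

What the crate in the advisory effectively did was treat `SocketAddrV4` as if it already were the `sockaddr_in` above; the conversion here is cheap, and a unit test on `as_bytes()` and `layout_size()` pins the layout the OS actually expects.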
References
https://nvd.nist.gov/vuln/detail/CVE-2020-35921
https://github.com/yoshuawuyts/miow/issues/38
h…
[ordered-float] ordered_float::NotNan may contain NaN after panic in assignment operators
An issue was discovered in the ordered-float crate before 1.1.1 and 2.x before 2.0.1 for Rust. After using an assignment operator such as NotNan::add_assign, NotNan::mul_assign, etc., it was possible for the resulting NotNan value to contain a NaN. Th…
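How the invariant can be lost and how to keep it, as an added example with a minimal hypothetical `NotNan` type (not ordered-float's implementation): an assignment operator that stores the result and only then checks for NaN leaves the NaN behind when the check panics, and the value is still observable after `catch_unwind` (or from a `Drop` impl). Computing into a temporary and checking before the store keeps the old value intact.

```rust
use std::ops::AddAssign;
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Minimal float wrapper whose invariant is "never NaN" (hypothetical type).
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct NotNan(f64);

impl NotNan {
    pub fn new(v: f64) -> Option<Self> {
        if v.is_nan() { None } else { Some(NotNan(v)) }
    }
    pub fn get(self) -> f64 {
        self.0
    }
}

/// Buggy ordering: write first, check afterwards. If the assert panics,
/// `dst` already holds NaN and anyone who still has the value sees it.
pub fn add_assign_store_then_check(dst: &mut NotNan, rhs: NotNan) {
    dst.0 += rhs.0;
    assert!(!dst.0.is_nan(), "NotNan became NaN");
}

/// Fixed ordering: compute into a temporary, check, then store.
impl AddAssign for NotNan {
    fn add_assign(&mut self, rhs: NotNan) {
        let result = self.0 + rhs.0;
        assert!(!result.is_nan(), "NotNan would become NaN");
        self.0 = result;
    }
}

/// Runs `+inf += -inf` (which yields NaN) through one of the two patterns,
/// catches the panic, and returns (panicked, value left in the variable).
pub fn value_after_panic(fixed: bool) -> (bool, f64) {
    let mut x = NotNan::new(f64::INFINITY).unwrap();
    let rhs = NotNan::new(f64::NEG_INFINITY).unwrap();
    let panicked = catch_unwind(AssertUnwindSafe(|| {
        if fixed {
            x += rhs;
        } else {
            add_assign_store_then_check(&mut x, rhs);
        }
    }))
    .is_err();
    (panicked, x.get())
}

fn main() {
    // Keep the demo output readable: the two panics below are expected.
    std::panic::set_hook(Box::new(|_| {}));
    let (p, v) = value_after_panic(false);
    println!("store-then-check: panicked={} value={} is_nan={}", p, v, v.is_nan());
    let (p, v) = value_after_panic(true);
    println!("check-then-store: panicked={} value={} is_nan={}", p, v, v.is_nan());
}
```

The same ordering applies to every `*_assign` operator, and to any type whose validity invariant is checked by a panic: the panic must happen before the write, not after it.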
[sodiumoxide] Incorrect Comparison in sodiumoxide
An issue was discovered in the sodiumoxide crate before 0.2.5 for Rust. generichash::Digest::eq compares a digest to itself rather than to the other operand, so the comparison always succeeds and thus has degenerate security properties.
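Why a self-comparison is fatal for a hash or MAC check, as an added example with a hypothetical 32-byte `Digest` type (not sodiumoxide's code): the buggy form accepts any received digest, so a verifier built on it passes forged input. The corrected `PartialEq` compares against `other`, and does so in constant time so that the comparison does not leak how many leading bytes matched.

```rust
/// Hypothetical 32-byte digest type, not sodiumoxide's own.
#[derive(Clone, Copy, Debug)]
pub struct Digest(pub [u8; 32]);

/// Branch-free byte comparison: OR together every byte difference and decide
/// once at the end, so the running time does not depend on where the first
/// mismatch is.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// The degenerate comparison: the second operand is never looked at,
/// so the result is true for every pair of digests.
pub fn eq_self_to_self(a: &Digest, _other: &Digest) -> bool {
    constant_time_eq(&a.0, &a.0)
}

/// Correct comparison: `self` against `other`, in constant time.
impl PartialEq for Digest {
    fn eq(&self, other: &Digest) -> bool {
        constant_time_eq(&self.0, &other.0)
    }
}
impl Eq for Digest {}

/// What a caller does with the digest: check a received value against the
/// expected one. With the buggy eq this would accept anything.
pub fn verify(expected: &Digest, received: &Digest) -> bool {
    expected == received
}

/// Same check routed through the buggy comparison, to show the consequence.
pub fn verify_with_buggy_eq(expected: &Digest, received: &Digest) -> bool {
    eq_self_to_self(expected, received)
}

fn main() {
    // Constructed sample digests: the expected value and an attacker's guess.
    let expected = Digest([0xAB; 32]);
    let forged = Digest([0x00; 32]);
    println!("buggy eq accepts forged digest: {}", verify_with_buggy_eq(&expected, &forged));
    println!("fixed eq accepts forged digest: {}", verify(&expected, &forged));
    println!("fixed eq accepts genuine digest: {}", verify(&expected, &Digest([0xAB; 32])));
}
```

A one-line unit test that compares two distinct digests and expects `false` would have caught this class of bug; a `PartialEq` impl that never mentions `other` is also easy to spot in review.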
References
https://nvd.nist.gov/vuln/detail/CVE-2019-25002
https://github.com/sodium…
[next] Open Redirect in Next.js
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site….
[HyperKitty] Exposure of sensitive information to an unauthorized actor in HyperKitty
An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty prior to 1.3.5. When importing a private mailing list’s archives, these archives are publicly visible for the duration of the import. For example, sensitive information m…
[bundler] Dependency Confusion in Bundler
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem tha…
[ansible] OS Command Injection and Improper Input Validation in ansible
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing processes with a bare 'ps' command on the remote machine. An attacker could …
[config-shield] Improper Control of Dynamically-Managed Code Resources in config-shield
scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vulnerability. The set command was not intended for us…