File:
[FreeBSD] / ports / security / vuxml / vuln.xml
Revision 1.2747: download - view: text, annotated - select for diffs
Wed Jun 27 21:04:48 2012 UTC (10 months, 3 weeks ago) by rene
Branches: MAIN
CVS tags: HEAD
Document vulnerabilities for www/chromium < 20.0.1132.43 Obtained from: http://googlechromereleases.blogspot.nl/search/label/Stable%20updates
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
<!--
Copyright 2003-2012 Jacques Vidrine and contributors
Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
HTML, PDF, PostScript, RTF and so forth) with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code (VuXML) must retain the above
copyright notice, this list of conditions and the following
disclaimer as the first lines of this file unmodified.
2. Redistributions in compiled form (transformed to other DTDs,
published online in any format, converted to PDF, PostScript,
RTF and other formats) must reproduce the above copyright
notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the
distribution.
THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
$FreeBSD: ports/security/vuxml/vuln.xml,v 1.2747 2012/06/27 21:04:48 rene Exp $
QUICK GUIDE TO ADDING A NEW ENTRY
1. run 'make newentry' to add a template to the top of the document
2. fill in the template
3. use 'make validate' to verify syntax correctness (you might need to install
textproc/libxml2 for parser, and this port for catalogs)
4. run 'make tidy' and then diff vuln.xml and vuln.xml.tidy - there should be
no difference.
5. ???
6. profit!
Extensive documentation of the format is available in Porter's Handbook at
http://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html
Help is available from ports-security@freebsd.org
Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="ff922811-c096-11e1-b0f4-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>20.0.1132.43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/search/label/Stable%20updates">
<p>[118633] Low CVE-2012-2815: Leak of iframe fragment id. Credit to
Elie Bursztein of Google.</p>
<p>[120222] High CVE-2012-2817: Use-after-free in table section
handling. Credit to miaubiz.</p>
<p>[120944] High CVE-2012-2818: Use-after-free in counter layout.
Credit to miaubiz.</p>
<p>[120977] High CVE-2012-2819: Crash in texture handling. Credit to
Ken "gets" Russell of the Chromium development community.</p>
<p>[121926] Medium CVE-2012-2820: Out-of-bounds read in SVG filter
handling. Credit to Atte Kettunen of OUSPG.</p>
<p>[122925] Medium CVE-2012-2821: Autofill display problem. Credit to
"simonbrown60".</p>
<p>[various] Medium CVE-2012-2822: Misc. lower severity OOB read
issues in PDF. Credit to awesome ASAN and various Googlers (Kostya
Serebryany, Evgeniy Stepanov, Mateusz Jurczyk, Gynvael Coldwind).</p>
<p>[124356] High CVE-2012-2823: Use-after-free in SVG resource
handling. Credit to miaubiz.</p>
<p>[125374] High CVE-2012-2824: Use-after-free in SVG painting.
Credit to miaubiz.</p>
<p>[128688] Medium CVE-2012-2826: Out-of-bounds read in texture
conversion. Credit to Google Chrome Security Team (Inferno).</p>
<p>[Mac only] [129826] Low CVE-2012-2827: Use-after-free in Mac UI.
Credit to the Chromium development community (Dharani Govindan).</p>
<p>[129857] High CVE-2012-2828: Integer overflows in PDF. Credit to
Mateusz Jurczyk of Google Security Team and Google Chrome Security
Team (Chris Evans).</p>
<p>[129947] High CVE-2012-2829: Use-after-free in first-letter
handling. Credit to miaubiz.</p>
<p>[129951] High CVE-2012-2830: Wild pointer in array value setting.
Credit to miaubiz.</p>
<p>[130356] High CVE-2012-2831: Use-after-free in SVG reference
handling. Credit to miaubiz.</p>
<p>[131553] High CVE-2012-2832: Uninitialized pointer in PDF image
codec. Credit to Mateusz Jurczyk of Google Security Team.</p>
<p>[132156] High CVE-2012-2833: Buffer overflow in PDF JS API. Credit
to Mateusz Jurczyk of Google Security Team.</p>
<p>[132779] High CVE-2012-2834: Integer overflow in Matroska
container. Credit to Juri Aedla.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2815</cvename>
<cvename>CVE-2012-2817</cvename>
<cvename>CVE-2012-2818</cvename>
<cvename>CVE-2012-2819</cvename>
<cvename>CVE-2012-2820</cvename>
<cvename>CVE-2012-2821</cvename>
<cvename>CVE-2012-2822</cvename>
<cvename>CVE-2012-2823</cvename>
<cvename>CVE-2012-2824</cvename>
<cvename>CVE-2012-2826</cvename>
<cvename>CVE-2012-2827</cvename>
<cvename>CVE-2012-2828</cvename>
<cvename>CVE-2012-2829</cvename>
<cvename>CVE-2012-2830</cvename>
<cvename>CVE-2012-2831</cvename>
<cvename>CVE-2012-2832</cvename>
<cvename>CVE-2012-2833</cvename>
<cvename>CVE-2012-2834</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-06-26</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="aed44c4e-c067-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- Privilege escalation when returning from kernel</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_9</lt></range>
<range><ge>8.1</ge><lt>8.1_12</lt></range>
<range><ge>8.2</ge><lt>8.2_9</lt></range>
<range><ge>8.3</ge><lt>8.3_3</lt></range>
<range><ge>9.0</ge><lt>9.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc">
<p>FreeBSD/amd64 runs on CPUs from different vendors. Due to varying
behaviour of CPUs in 64 bit mode a sanity check of the kernel may be
insufficient when returning from a system call.</p>
<p>Successful exploitation of the problem can lead to local kernel privilege
escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code with user
privileges on the target system.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:04.sysret</freebsdsa>
<cvename>CVE-2012-0217</cvename>
</references>
<dates>
<discovery>2012-06-12</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="fc5231b6-c066-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- Incorrect handling of zero-length RDATA fields in named(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_9</lt></range>
<range><ge>8.1</ge><lt>8.1_11</lt></range>
<range><ge>8.2</ge><lt>8.2_9</lt></range>
<range><ge>8.3</ge><lt>8.3_3</lt></range>
<range><ge>9.0</ge><lt>9.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:03.bind.asc">
<p>The named(8) server does not properly handle DNS resource records where
the RDATA field is zero length, which may cause various issues for the
servers handling them.</p>
<p>Resolving servers may crash or disclose some portion of memory to the
client. Authoritative servers may crash on restart after transferring a
zone containing records with zero-length RDATA fields. These would
result in a denial of service, or leak of sensitive information.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:03.bind</freebsdsa>
<cvename>CVE-2012-1667</cvename>
</references>
<dates>
<discovery>2012-06-12</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="185ff22e-c066-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- Incorrect crypt() hashing</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_8</lt></range>
<range><ge>8.1</ge><lt>8.1_10</lt></range>
<range><ge>8.2</ge><lt>8.2_8</lt></range>
<range><ge>8.3</ge><lt>8.3_2</lt></range>
<range><ge>9.0</ge><lt>9.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:02.crypt.asc">
<p>There is a programming error in the DES implementation used in crypt()
when handling input which contains characters that cannot be represented
with 7-bit ASCII.</p>
<p>When the input contains characters with only the most significant bit set
(0x80), that character and all characters after it will be ignored.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:02.crypt</freebsdsa>
<cvename>CVE-2012-2143</cvename>
</references>
<dates>
<discovery>2012-05-30</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="2ae114de-c064-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- OpenSSL multiple vulnerabilities</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_8</lt></range>
<range><ge>8.1</ge><lt>8.1_10</lt></range>
<range><ge>8.2</ge><lt>8.2_8</lt></range>
<range><ge>8.3</ge><lt>8.3_2</lt></range>
<range><ge>9.0</ge><lt>9.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc">
<p>OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accepts SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]</p>
<p>OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]</p>
<p>If an application uses OpenSSL's certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]</p>
<p>A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]</p>
<p>The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates
or RSA public keys. [CVE-2012-2110]</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:01.openssl</freebsdsa>
<cvename>CVE-2011-4576</cvename>
<cvename>CVE-2011-4619</cvename>
<cvename>CVE-2011-4109</cvename>
<cvename>CVE-2012-0884</cvename>
<cvename>CVE-2012-2110</cvename>
</references>
<dates>
<discovery>2012-05-03</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="f45c0049-be72-11e1-a284-0023ae8e59f0">
<topic>pycrypto -- vulnerable ElGamal key generation</topic>
<affects>
<package>
<name>py-pycrypto</name>
<range><ge>2.5</ge><lt>2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dwayne C. Litzenberger of PyCrypto reports:</p>
<blockquote cite="http://lists.dlitz.net/pipermail/pycrypto/2012q2/000587.html">
<p>In the ElGamal schemes (for both encryption and signatures), g is
supposed to be the generator of the entire Z^*_p group. However, in
PyCrypto 2.5 and earlier, g is more simply the generator of a random
sub-group of Z^*_p.</p>
<p>The result is that the signature space (when the key is used for
signing) or the public key space (when the key is used for encryption)
may be greatly reduced from its expected size of log(p) bits, possibly
down to 1 bit (the worst case if the order of g is 2).</p>
<p>While it has not been confirmed, it has also been suggested that an
attacker might be able to use this fact to determine the private key.</p>
<p>Anyone using ElGamal keys should generate new keys as soon as
practical.</p>
<p>Any additional information about this bug will be tracked at
https://bugs.launchpad.net/pycrypto/+bug/985164</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2417</cvename>
<url>http://lists.dlitz.net/pipermail/pycrypto/2012q2/000587.html</url>
<url>https://bugs.launchpad.net/pycrypto/+bug/985164</url>
</references>
<dates>
<discovery>2012-05-24</discovery>
<entry>2012-06-24</entry>
</dates>
</vuln>
<vuln vid="f46c4c6a-ba25-11e1-806a-001143cd36d8">
<topic>joomla -- Privilege Escalation</topic>
<affects>
<package>
<name>joomla</name>
<range><lt>2.5.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Joomla! reported a Core Privilege Escalation:</p>
<blockquote cite="http://developer.joomla.org/security/news/470-20120601-core-privilege-escalation.html">
<p>Inadequate checking leads to possible user privilege escalation.</p>
</blockquote>
</body>
</description>
<references>
<url>http://developer.joomla.org/security/news/470-20120601-core-privilege-escalation.html</url>
</references>
<dates>
<discovery>2012-04-29</discovery>
<entry>2012-06-19</entry>
</dates>
</vuln>
<vuln vid="eb12ebee-b7af-11e1-b5e0-000c299b62e1">
<topic>clamav -- multiple vulnerabilities</topic>
<affects>
<package>
<name>clamav</name>
<range><lt>0.97.5</lt></range>
</package>
<package>
<name>clamav-devel</name>
<range><lt>20120612</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE Advisories report:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1419">
<p>The TAR parser allows remote attackers to bypass malware detection
via a POSIX TAR file with an initial [aliases] character sequence.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1457">
<p>The TAR parser allows remote attackers to bypass malware detection
via a TAR archive entry with a length field that exceeds the total
TAR file size.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458">
<p>The Microsoft CHM file parser allows remote attackers to bypass
malware detection via a crafted reset interval in the LZXC header
of a CHM file.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1459">
<p>The TAR file parser allows remote attackers to bypass malware
detection via a TAR archive entry with a length field
corresponding to that entire entry, plus part of the header of
the next entry.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1419</cvename>
<cvename>CVE-2012-1457</cvename>
<cvename>CVE-2012-1458</cvename>
<cvename>CVE-2012-1459</cvename>
</references>
<dates>
<discovery>2012-03-19</discovery>
<entry>2012-06-16</entry>
</dates>
</vuln>
<vuln vid="3c8d1e5b-b673-11e1-be25-14dae9ebcf89">
<topic>asterisk -- remote crash vulnerability</topic>
<affects>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Skinny Channel Driver Remote Crash Vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3553</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-009.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2012-06-14</discovery>
<entry>2012-06-14</entry>
</dates>
</vuln>
<vuln vid="5140dc69-b65e-11e1-9425-001b21614864">
<topic>ImageMagick -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ImageMagick</name>
<range><lt>6.7.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ImageMagick reports:</p>
<blockquote cite="http://www.cert.fi/en/reports/2012/vulnerability635606.html">
<p>Three vulnerabilities have been identified in ImageMagick's
handling of JPEG and TIFF files. With these vulnerabilities, it is
possible to cause a denial of service situation in the target
system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0259</cvename>
<cvename>CVE-2012-0260</cvename>
<cvename>CVE-2012-1798</cvename>
<url>http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&amp;t=20629</url>
<url>http://www.cert.fi/en/reports/2012/vulnerability635606.html</url>
</references>
<dates>
<discovery>2012-03-28</discovery>
<entry>2012-06-14</entry>
</dates>
</vuln>
<vuln vid="55587adb-b49d-11e1-8df1-0004aca374af">
<topic>mantis -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mantis</name>
<range><lt>1.2.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mantis reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2012/06/09/1">
<p>Roland Becker and Damien Regad (MantisBT developers) found that
any user able to report issues via the SOAP interface could also
modify any bugnotes (comments) created by other users. In a
default/typical MantisBT installation, SOAP API is enabled and any
user can sign up to report new issues. This vulnerability therefore
impacts upon many public facing MantisBT installations.</p>
<p>Roland Becker (MantisBT developer) found that the
delete_attachments_threshold permission was not being checked when
a user attempted to delete an attachment from an issue. The more
generic update_bug_threshold permission was being checked instead.
MantisBT administrators may have been under the false impression
that their configuration of the delete_attachments_threshold was
successfully preventing unwanted users from deleting
attachments.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2691</cvename>
<cvename>CVE-2012-2692</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2012/06/09/1</mlist>
<mlist>http://sourceforge.net/mailarchive/forum.php?thread_name=1339229952.28538.22%40d.hx.id.au&amp;forum_name=mantisbt-dev</mlist>
</references>
<dates>
<discovery>2012-06-09</discovery>
<entry>2012-06-12</entry>
<modified>2012-06-13</modified>
</dates>
</vuln>
<vuln vid="38195f00-b215-11e1-8132-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.236</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb12-14.html">
<p>These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2034</cvename>
<cvename>CVE-2012-2035</cvename>
<cvename>CVE-2012-2036</cvename>
<cvename>CVE-2012-2037</cvename>
<cvename>CVE-2012-2038</cvename>
<cvename>CVE-2012-2039</cvename>
<cvename>CVE-2012-2040</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb12-14.html</url>
</references>
<dates>
<discovery>2012-06-08</discovery>
<entry>2012-06-09</entry>
</dates>
</vuln>
<vuln vid="bfecf7c1-af47-11e1-9580-4061862b8c22">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>13.0,1</lt></range>
<range><lt>10.0.5,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.5,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.10</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.5</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.10</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>13.0</lt></range>
<range><lt>10.0.5</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)</p>
<p>MFSA 2012-36 Content Security Policy inline-script bypass</p>
<p>MFSA 2012-37 Information disclosure through Windows file shares and shortcut files</p>
<p>MFSA 2012-38 Use-after-free while replacing/inserting a node in a document</p>
<p>MFSA 2012-39 NSS parsing errors with zero length items</p>
<p>MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3101</cvename>
<cvename>CVE-2012-0441</cvename>
<cvename>CVE-2012-1938</cvename>
<cvename>CVE-2012-1939</cvename>
<cvename>CVE-2012-1937</cvename>
<cvename>CVE-2012-1940</cvename>
<cvename>CVE-2012-1941</cvename>
<cvename>CVE-2012-1944</cvename>
<cvename>CVE-2012-1945</cvename>
<cvename>CVE-2012-1946</cvename>
<cvename>CVE-2012-1947</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-34.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-36.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-37.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-38.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-39.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-40.html</url>
</references>
<dates>
<discovery>2012-06-05</discovery>
<entry>2012-06-05</entry>
</dates>
</vuln>
<vuln vid="1e14d46f-af1f-11e1-b242-00215af774f0">
<topic>quagga -- BGP OPEN denial of service vulnerability</topic>
<affects>
<package>
<name>quagga</name>
<range><le>0.99.20.1</le></range>
</package>
<package>
<name>quagga-re</name>
<range><lt>0.99.17.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/962587">
<p>If a pre-configured BGP peer sends a specially-crafted OPEN
message with a malformed ORF capability TLV, Quagga bgpd process
will erroneously try to consume extra bytes from the input packet
buffer. The process will detect a buffer overrun attempt before
it happens and immediately terminate with an error message. All
BGP sessions established by the attacked router will be closed
and its BGP routing disrupted.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1820</cvename>
<url>http://www.kb.cert.org/vuls/id/962587</url>
</references>
<dates>
<discovery>2012-06-04</discovery>
<entry>2012-06-05</entry>
</dates>
</vuln>
<vuln vid="de6d8290-aef7-11e1-898f-14dae938ec40">
<topic>mail/sympa* -- Multiple vulnerabilities in Sympa archive management</topic>
<affects>
<package>
<name>sympa</name>
<range><lt>6.0.7</lt></range>
<range><gt>6.1.*</gt><lt>6.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Verdin reports:</p>
<blockquote cite="http://www.sympa.org/security_advisories#security_breaches_in_archives_management">
<p>Multiple vulnerabilities have been discovered in Sympa archive
management that allow skipping the scenario-based authorization
mechanisms.</p>
<p>This vulnerability allows the attacker to:</p>
<ul>
<li>display the archives management page ('arc_manage')</li>
<li>download the list's archives</li>
<li>delete the list's archives</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.sympa.org/security_advisories#security_breaches_in_archives_management</url>
</references>
<dates>
<discovery>2012-05-15</discovery>
<entry>2012-06-05</entry>
</dates>
</vuln>
<vuln vid="1ecc0d3f-ae8e-11e1-965b-0024e88a8c98">
<topic>dns/bind9* -- zero-length RDATA can cause named to terminate, reveal memory</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.1.1</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.3.1</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.6.1</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/bind/advisories/cve-2012-1667">
<p>Processing of DNS resource records where the rdata field is zero length
may cause various issues for the servers handling them.</p>
<p>Processing of these records may lead to unexpected outcomes. Recursive
servers may crash or disclose some portion of memory to the client.
Secondary servers may crash on restart after transferring a zone
containing these records. Master servers may corrupt zone data if the
zone option "auto-dnssec" is set to "maintain". Other unexpected
problems that are not listed here may also be encountered.</p>
<p>Impact: This issue primarily affects recursive nameservers.
Authoritative nameservers will only be impacted if an administrator
configures experimental record types with no data. If the server is
configured this way, then secondaries can crash on restart after
transferring that zone. Zone data on the master can become corrupted if
the zone with those records has named configured to manage the DNSSEC
key rotation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1667</cvename>
<url>http://www.isc.org/software/bind/advisories/cve-2012-1667</url>
</references>
<dates>
<discovery>2012-06-04</discovery>
<entry>2012-06-04</entry>
<modified>2012-06-06</modified>
</dates>
</vuln>
<vuln vid="a8864f8f-aa9e-11e1-a284-0023ae8e59f0">
<topic>databases/postgresql*-server -- crypt vulnerabilities</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><gt>8.3.*</gt><lt>8.3.18_1</lt></range>
<range><gt>8.4.*</gt><lt>8.4.11_1</lt></range>
<range><gt>9.0.*</gt><lt>9.0.7_2</lt></range>
<range><gt>9.1.*</gt><lt>9.1.3_1</lt></range>
<range><gt>9.2.*</gt><lt>9.2.b1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL Global Development Group reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1397/">
<p>Today the PHP, OpenBSD and FreeBSD communities announced updates to
patch a security hole involving their crypt() hashing algorithms. This
issue is described in CVE-2012-2143. This vulnerability also affects a
minority of PostgreSQL users, and will be fixed in an update release on
June 4, 2012.</p>
<p>Affected users are those who use the crypt(text, text) function
with DES encryption in the optional pg_crypto module. Passwords
affected are those that contain characters that cannot be
represented with 7-bit ASCII. If a password contains a character
that has the most significant bit set (0x80), and DES encryption
is used, that character and all characters after it will be ignored.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2143</cvename>
<url>http://www.postgresql.org/about/news/1397/</url>
<url>http://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=932ded2ed51e8333852e370c7a6dad75d9f236f9</url>
</references>
<dates>
<discovery>2012-05-30</discovery>
<entry>2012-05-30</entry>
<modified>2012-05-31</modified>
</dates>
</vuln>
<vuln vid="47f13540-c4cb-4971-8dc6-28d0dabfd9cd">
<topic>nut -- upsd can be remotely crashed</topic>
<affects>
<package>
<name>nut</name>
<range><ge>2.4.0</ge><le>2.6.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Networkupstools project reports:</p>
<blockquote cite="http://trac.networkupstools.org/projects/nut/changeset/3633">
<p>NUT server (upsd), from versions 2.4.0 to 2.6.3, is exposed to
crashes when receiving random data from the network.</p>
<p>This issue is related to the way NUT parses characters, especially
from the network. Non-printable characters were missed by string
operations (such as strlen), but were still copied to the buffer, causing
an overflow.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2944</cvename>
<url>http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1027934.html</url>
<url>http://trac.networkupstools.org/projects/nut/changeset/3633</url>
</references>
<dates>
<discovery>2012-05-30</discovery>
<entry>2012-05-30</entry>
</dates>
</vuln>
<vuln vid="359f615d-a9e1-11e1-8a66-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><le>1.6.2.24</le></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.12.1</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Remote crash vulnerability in IAX2 channel driver.</p>
<p>Skinny Channel Driver Remote Crash Vulnerability</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2947</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-007.html</url>
<cvename>CVE-2012-2948</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-008.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2012-05-29</discovery>
<entry>2012-05-29</entry>
<modified>2012-05-29</modified>
</dates>
</vuln>
<vuln vid="219d0bfd-a915-11e1-b519-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>19.0.1084.52</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[117409] High CVE-2011-3103: Crashes in v8 garbage collection.
Credit to the Chromium development community (Brett Wilson).</p>
<p>[118018] Medium CVE-2011-3104: Out-of-bounds read in Skia. Credit
to Google Chrome Security Team (Inferno).</p>
<p>[120912] High CVE-2011-3105: Use-after-free in first-letter
handling. Credit to miaubiz.</p>
<p>[122654] Critical CVE-2011-3106: Browser memory corruption with
websockets over SSL. Credit to the Chromium development community
(Dharani Govindan).</p>
<p>[124625] High CVE-2011-3107: Crashes in the plug-in JavaScript
bindings. Credit to the Chromium development community (Dharani
Govindan).</p>
<p>[125159] Critical CVE-2011-3108: Use-after-free in browser cache.
Credit to "efbiaiinzinz".</p>
<p>[Linux only] [126296] High CVE-2011-3109: Bad cast in GTK UI.
Credit to Micha Bartholome.</p>
<p>[126337] [126343] [126378] [127349] [127819] [127868] High
CVE-2011-3110: Out of bounds writes in PDF. Credit to Mateusz
Jurczyk of the Google Security Team, with contributions by Gynvael
Coldwind of the Google Security Team.</p>
<p>[126414] Medium CVE-2011-3111: Invalid read in v8. Credit to
Christian Holler.</p>
<p>[127331] High CVE-2011-3112: Use-after-free with invalid encrypted
PDF. Credit to Mateusz Jurczyk of the Google Security Team, with
contributions by Gynvael Coldwind of the Google Security Team.</p>
<p>[127883] High CVE-2011-3113: Invalid cast with colorspace handling
in PDF. Credit to Mateusz Jurczyk of the Google Security Team, with
contributions by Gynvael Coldwind of the Google Security Team.</p>
<p>[128014] High CVE-2011-3114: Buffer overflows with PDF functions.
Credit to Google Chrome Security Team (scarybeasts).</p>
<p>[128018] High CVE-2011-3115: Type corruption in v8. Credit to
Christian Holler.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3103</cvename>
<cvename>CVE-2011-3104</cvename>
<cvename>CVE-2011-3105</cvename>
<cvename>CVE-2011-3106</cvename>
<cvename>CVE-2011-3107</cvename>
<cvename>CVE-2011-3108</cvename>
<cvename>CVE-2011-3110</cvename>
<cvename>CVE-2011-3111</cvename>
<cvename>CVE-2011-3112</cvename>
<cvename>CVE-2011-3113</cvename>
<cvename>CVE-2011-3114</cvename>
<cvename>CVE-2011-3115</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-05-23</discovery>
<entry>2012-05-28</entry>
</dates>
</vuln>
<vuln vid="617959ce-a5f6-11e1-a284-0023ae8e59f0">
<topic>haproxy -- buffer overflow</topic>
<affects>
<package>
<name>haproxy</name>
<range><lt>1.4.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>HAProxy reports:</p>
<blockquote cite="http://haproxy.1wt.eu/news.html">
<p>A flaw was reported in HAProxy where, due to a boundary error
when copying data into the trash buffer, an external attacker could
cause a buffer overflow. Exploiting this flaw could lead to the
execution of arbitrary code; however, it requires non-default settings
for the global.tune.bufsize configuration option (must be set to a
value greater than the default), and also that header rewriting is
enabled (via, for example, the regrep or rsprep directives).
This flaw is reported against 1.4.20; prior versions may also be
affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2391</cvename>
<url>https://secunia.com/advisories/49261/</url>
<url>http://haproxy.1wt.eu/download/1.4/src/CHANGELOG</url>
<url>http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b</url>
<url>http://haproxy.1wt.eu/news.html</url>
</references>
<dates>
<discovery>2012-05-21</discovery>
<entry>2012-05-24</entry>
<modified>2012-05-29</modified>
</dates>
</vuln>
<vuln vid="e0a969e4-a512-11e1-90b4-e0cb4e266481">
<topic>RT -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>rt40</name>
<range><ge>4.0</ge><lt>4.0.6</lt></range>
</package>
<package>
<name>rt38</name>
<range><lt>3.8.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BestPractical report:</p>
<blockquote cite="http://blog.bestpractical.com/2012/05/security-vulnerabilities-in-rt.html">
<p>Internal audits of the RT codebase have uncovered a
number of security vulnerabilities in RT. We are releasing
versions 3.8.12 and 4.0.6 to resolve these vulnerabilities,
as well as patches which apply atop all released versions of
3.8 and 4.0.</p>
<p>The vulnerabilities addressed by 3.8.12, 4.0.6, and the
below patches include the following:</p>
<p>The previously released tool to upgrade weak password
hashes as part of CVE-2011-0009 was an incomplete fix and
failed to upgrade passwords of disabled users.</p>
<p>RT versions 3.0 and above contain a number of cross-site
scripting (XSS) vulnerabilities which allow an attacker to
run JavaScript with the user's credentials. CVE-2011-2083 is
assigned to this vulnerability.</p>
<p>RT versions 3.0 and above are vulnerable to multiple
information disclosure vulnerabilities. This includes the
ability for privileged users to expose users' previous
password hashes -- this vulnerability is particularly
dangerous given RT's weak hashing previous to the fix in
CVE-2011-0009. A separate vulnerability allows privileged
users to obtain correspondence history for any ticket in
RT. CVE-2011-2084 is assigned to this vulnerability.</p>
<p>All publicly released versions of RT are vulnerable to
cross-site request forgery (CSRF). CVE-2011-2085 is assigned
to this vulnerability.</p>
<p>We have also added a separate configuration option
($RestrictLoginReferrer) to prevent login CSRF, a different
class of CSRF attack.</p>
<p>RT versions 3.6.1 and above are vulnerable to a remote
execution of code vulnerability if the optional VERP
configuration options ($VERPPrefix and $VERPDomain) are
enabled. RT 3.8.0 and higher are vulnerable to a limited
remote execution of code which can be leveraged for
privilege escalation. RT 4.0.0 and above contain a
vulnerability in the global $DisallowExecuteCode option,
allowing sufficiently privileged users to still execute code
even if RT was configured to not allow it. CVE-2011-4458 is
assigned to this set of vulnerabilities.</p>
<p>RT versions 3.0 and above may, under some circumstances,
still respect rights that a user only has by way of a
currently-disabled group. CVE-2011-4459 is assigned to this
vulnerability.</p>
<p>RT versions 2.0 and above are vulnerable to a SQL
injection attack, which allow privileged users to obtain
arbitrary information from the database. CVE-2011-4460 is
assigned to this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0009</cvename>
<cvename>CVE-2011-2082</cvename>
<cvename>CVE-2011-2083</cvename>
<cvename>CVE-2011-2084</cvename>
<cvename>CVE-2011-2085</cvename>
<cvename>CVE-2011-4458</cvename>
<cvename>CVE-2011-4459</cvename>
<cvename>CVE-2011-4460</cvename>
<url>http://blog.bestpractical.com/2012/05/security-vulnerabilities-in-rt.html</url>
</references>
<dates>
<discovery>2012-05-22</discovery>
<entry>2012-05-23</entry>
</dates>
</vuln>
<vuln vid="78c39232-a345-11e1-9d81-d0df9acfd7e5">
<topic>sympa -- Multiple Security Bypass Vulnerabilities</topic>
<affects>
<package>
<name>sympa</name>
<range><lt>6.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia team reports:</p>
<blockquote cite="http://secunia.com/advisories/49045/">
<p>Multiple vulnerabilities have been reported in Sympa, which can be
exploited by malicious people to bypass certain security
restrictions.</p>
<p>The vulnerabilities are caused due to the application allowing
access to archive functions without checking credentials. This can
be exploited to create, download, and delete an archive.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2352</cvename>
<url>http://secunia.com/advisories/49045/</url>
</references>
<dates>
<discovery>2012-05-14</discovery>
<entry>2012-05-21</entry>
</dates>
</vuln>
<vuln vid="495b46fd-a30f-11e1-82c9-d0df9acfd7e5">
<topic>foswiki -- Script Insertion Vulnerability via unchecked user registration fields</topic>
<affects>
<package>
<name>foswiki</name>
<range><lt>1.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Foswiki team reports:</p>
<blockquote cite="http://foswiki.org/Support/SecurityAlert-CVE-2012-1004">
<p>When a new user registers, the new user can add arbitrary HTML and
script code into the user topic which is generated by the
RegistrationAgent via standard registration fields such as
"FirstName" or "OrganisationName".</p>
<p>By design, Foswiki's normal editing features allow arbitrary HTML
markup, including script code, to be inserted into any topic anyway,
assuming the authenticated user has CHANGE permission - which is the
case on many Foswiki sites. However, the assumption that only
authenticated users with CHANGE permission may create script content
is false if new users exploit the vulnerability detailed in this
alert to manipulate the registration agent into creating that
content for them.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1004</cvename>
<url>http://foswiki.org/Support/SecurityAlert-CVE-2012-1004</url>
</references>
<dates>
<discovery>2012-04-13</discovery>
<entry>2012-05-21</entry>
</dates>
</vuln>
<vuln vid="b8ae4659-a0da-11e1-a294-bcaec565249c">
<topic>libxml2 -- An off-by-one out-of-bounds write by XPointer</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.7.8_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google chrome team reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html">
<p>An off-by-one out-of-bounds write flaw was found in the way libxml, a library
for providing XML and HTML support, evaluated certain XPointer parts (XPointer
is used by libxml to include only the part from the returned XML document that
can be accessed using the XPath expression given with the XPointer). A remote
attacker could provide a specially-crafted XML file which, once opened in an
application linked against libxml, would lead to that application crashing or,
potentially, arbitrary code execution with the privileges of the user running
the application.</p>
<p>Note: The flaw to be exploited requires the particular application, linked
against libxml, to use the XPointer evaluation functionality.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3202</cvename>
<url>http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3102</url>
</references>
<dates>
<discovery>2012-05-15</discovery>
<entry>2012-05-18</entry>
</dates>
</vuln>
<vuln vid="f5f00804-a03b-11e1-a284-0023ae8e59f0">
<topic>inspircd -- buffer overflow</topic>
<affects>
<package>
<name>inspircd</name>
<range><ge>1.2</ge><lt>1.2.9</lt></range>
<range><ge>2.0</ge><lt>2.0.5_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>InspIRCd reports:</p>
<blockquote cite="http://inspircd.github.com/">
<p>InspIRCd contains a heap corruption vulnerability that exists in the
dns.cpp code. The res[] buffer is allocated on the heap and can be
overflowed. The res[] buffer can be exploited during its deallocation.
The number of overflowed bytes can be controlled with DNS compression
features.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1836</cvename>
<url>http://inspircd.github.com/</url>
</references>
<dates>
<discovery>2012-03-19</discovery>
<entry>2012-05-17</entry>
<modified>2012-06-21</modified>
</dates>
</vuln>
<vuln vid="aa71daaa-9f8c-11e1-bd0a-0082a0c18826">
<topic>pidgin-otr -- format string vulnerability</topic>
<affects>
<package>
<name>pidgin-otr</name>
<range><lt>3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The authors report:</p>
<blockquote cite="http://www.cypherpunks.ca/otr/">
<p>Versions 3.2.0 and earlier of the pidgin-otr plugin contain
a format string security flaw. This flaw could potentially be
exploited by a remote attacker to cause arbitrary code to be
executed on the user's machine.</p>
<p>The flaw is in pidgin-otr, not in libotr. Other applications
that use libotr are not affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2369</cvename>
<url>http://www.cypherpunks.ca/otr/</url>
</references>
<dates>
<discovery>2012-05-16</discovery>
<entry>2012-05-16</entry>
</dates>
</vuln>
<vuln vid="b3435b68-9ee8-11e1-997c-002354ed89bc">
<topic>sudo -- netmask vulnerability</topic>
<affects>
<package>
<name>sudo</name>
<range><le>1.8.4_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.sudo.ws/sudo/alerts/netmask.html">
<p>Sudo supports granting access to commands on a per-host basis.
The host specification may be in the form of a host name, a
netgroup, an IP address, or an IP network (an IP address with an
associated netmask).</p>
<p>When IPv6 support was added to sudo, a bug was introduced that
caused the IPv6 network matching code to be called when an IPv4
network address does not match. Depending on the value of the
uninitialized portion of the IPv6 address, it is possible for the
IPv4 network number to match when it should not. This bug only
affects IP network matching and does not affect simple IP address
matching.</p>
<p>The reported configuration that exhibited the bug was an
LDAP-based sudo installation where the sudoRole object contained
multiple sudoHost entries, each containing a different IPv4
network. File-based sudoers should be affected as well, as the
same matching code is used.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2337</cvename>
<url>http://www.sudo.ws/sudo/alerts/netmask.html</url>
</references>
<dates>
<discovery>2012-05-16</discovery>
<entry>2012-05-16</entry>
</dates>
</vuln>
<vuln vid="dba5d1c9-9f29-11e1-b511-003067c2616f">
<topic>OpenSSL -- DTLS and TLS 1.1, 1.2 denial of service</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL security team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120510.txt">
<p>A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2333</cvename>
<url>http://www.openssl.org/news/secadv_20120510.txt</url>
</references>
<dates>
<discovery>2012-05-10</discovery>
<entry>2012-05-10</entry>
</dates>
</vuln>
<vuln vid="1449af37-9eba-11e1-b9c1-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>19.0.1084.46</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[112983] Low CVE-2011-3083: Browser crash with video + FTP. Credit
to Aki Helin of OUSPG.</p>
<p>[113496] Low CVE-2011-3084: Load links from internal pages in their
own process. Credit to Brett Wilson of the Chromium development
community.</p>
<p>[118374] Medium CVE-2011-3085: UI corruption with long autofilled
values. Credit to "psaldorn".</p>
<p>[118642] High CVE-2011-3086: Use-after-free with style element.
Credit to Arthur Gerkis.</p>
<p>[118664] Low CVE-2011-3087: Incorrect window navigation. Credit to
Charlie Reis of the Chromium development community.</p>
<p>[120648] Medium CVE-2011-3088: Out-of-bounds read in hairline
drawing. Credit to Aki Helin of OUSPG.</p>
<p>[120711] High CVE-2011-3089: Use-after-free in table handling.
Credit to miaubiz.</p>
<p>[121223] Medium CVE-2011-3090: Race condition with workers. Credit
to Arthur Gerkis.</p>
<p>[121734] High CVE-2011-3091: Use-after-free with indexed DB. Credit
to Google Chrome Security Team (Inferno).</p>
<p>[122337] High CVE-2011-3092: Invalid write in v8 regex. Credit to
Christian Holler.</p>
<p>[122585] Medium CVE-2011-3093: Out-of-bounds read in glyph
handling. Credit to miaubiz.</p>
<p>[122586] Medium CVE-2011-3094: Out-of-bounds read in Tibetan
handling. Credit to miaubiz.</p>
<p>[123481] High CVE-2011-3095: Out-of-bounds write in OGG container.
Credit to Hannu Heikkinen.</p>
<p>[Linux only] [123530] Low CVE-2011-3096: Use-after-free in GTK
omnibox handling. Credit to Arthur Gerkis.</p>
<p>[123733] [124182] High CVE-2011-3097: Out-of-bounds write in
sampled functions with PDF. Credit to Kostya Serebryany of Google
and Evgeniy Stepanov of Google.</p>
<p>[124479] High CVE-2011-3099: Use-after-free in PDF with corrupt
font encoding name. Credit to Mateusz Jurczyk of Google Security
Team and Gynvael Coldwind of Google Security Team.</p>
<p>[124652] Medium CVE-2011-3100: Out-of-bounds read drawing dash
paths. Credit to Google Chrome Security Team (Inferno).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3083</cvename>
<cvename>CVE-2011-3084</cvename>
<cvename>CVE-2011-3085</cvename>
<cvename>CVE-2011-3086</cvename>
<cvename>CVE-2011-3087</cvename>
<cvename>CVE-2011-3088</cvename>
<cvename>CVE-2011-3089</cvename>
<cvename>CVE-2011-3090</cvename>
<cvename>CVE-2011-3091</cvename>
<cvename>CVE-2011-3092</cvename>
<cvename>CVE-2011-3093</cvename>
<cvename>CVE-2011-3094</cvename>
<cvename>CVE-2011-3095</cvename>
<cvename>CVE-2011-3096</cvename>
<cvename>CVE-2011-3097</cvename>
<cvename>CVE-2011-3099</cvename>
<cvename>CVE-2011-3100</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-05-15</discovery>
<entry>2012-05-15</entry>
</dates>
</vuln>
<vuln vid="6601127c-9e09-11e1-b5e0-000c299b62e1">
<topic>socat -- Heap-based buffer overflow</topic>
<affects>
<package>
<name>socat</name>
<range><lt>1.7.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The socat development team reports:</p>
<blockquote cite="http://www.dest-unreach.org/socat/contrib/socat-secadv3.html">
<p>This vulnerability can be exploited when socat is invoked with the
READLINE address (this is usually only used interactively) without
option "prompt" and without option "noprompt", and an attacker succeeds
in providing malicious data to the other (arbitrary) address that is then
transferred by socat to the READLINE address for output.</p>
<p>Successful exploitation may allow an attacker to execute arbitrary
code with the privileges of the socat process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0219</cvename>
<url>http://www.dest-unreach.org/socat/contrib/socat-secadv3.html</url>
</references>
<dates>
<discovery>2012-05-14</discovery>
<entry>2012-05-14</entry>
</dates>
</vuln>
<vuln vid="59b68b1e-9c78-11e1-b5e0-000c299b62e1">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<range><gt>5.4</gt><lt>5.4.3</lt></range>
<range><lt>5.3.13</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.13</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Development Team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-05-08-1">
<p>The release of PHP 5.4.13 and 5.4.3 completes a fix for the
vulnerability in CGI-based setups as originally described in
CVE-2012-1823. (CVE-2012-2311)</p>
<p>Note: mod_php and php-fpm are not vulnerable to this attack.</p>
<p>PHP 5.4.3 fixes a buffer overflow vulnerability in the
apache_request_headers() (CVE-2012-2329).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1823</cvename>
<cvename>CVE-2012-2311</cvename>
<cvename>CVE-2012-2329</cvename>
</references>
<dates>
<discovery>2012-05-08</discovery>
<entry>2012-05-12</entry>
</dates>
</vuln>
<vuln vid="64f8b72d-9c4e-11e1-9c94-000bcdf0a03b">
<topic>libpurple -- Invalid memory dereference in the XMPP protocol plug-in when processing a series of specially-crafted file transfer requests</topic>
<affects>
<package>
<name>libpurple</name>
<range><lt>2.10.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pidgin reports:</p>
<blockquote cite="http://pidgin.im/news/security/?id=62">
<p>A series of specially crafted file transfer requests can cause clients to reference invalid memory. The user must have accepted one of the file transfer requests.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2214</cvename>
</references>
<dates>
<discovery>2012-05-06</discovery>
<entry>2012-05-12</entry>
</dates>
</vuln>
<vuln vid="0d3547ab-9b69-11e1-bdb1-525401003090">
<topic>PivotX -- 'ajaxhelper.php' Cross Site Scripting Vulnerability</topic>
<affects>
<package>
<name>pivotx</name>
<range><le>2.3.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>High-Tech Bridge reports:</p>
<blockquote cite="https://www.htbridge.com/advisory/HTB23087">
<p>Input passed via the "file" GET parameter to
/pivotx/ajaxhelper.php is not properly sanitised before
being returned to the user. This can be exploited to
execute arbitrary HTML and script code in administrator's
browser session in context of the affected website.</p>
</blockquote>
</body>
</description>
<references>
<bid>52159</bid>
<cvename>CVE-2012-2274</cvename>
<url>https://www.htbridge.com/advisory/HTB23087</url>
</references>
<dates>
<discovery>2012-05-09</discovery>
<entry>2012-05-12</entry>
<modified>2012-05-14</modified>
</dates>
</vuln>
<vuln vid="b91234e7-9a8b-11e1-b666-001636d274f3">
<topic>NVIDIA UNIX driver -- access to arbitrary system memory</topic>
<affects>
<package>
<name>nvidia-driver</name>
<range><gt>173.14.31_1</gt><lt>295.40</lt></range>
<range><ge>100.14.03</ge><lt>173.14.31_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVIDIA Unix security team reports:</p>
<blockquote cite="http://nvidia.custhelp.com/app/answers/detail/a_id/3109">
<p>Security vulnerability CVE-2012-0946 in the NVIDIA UNIX driver
was disclosed to NVIDIA on March 20th, 2012. The vulnerability
makes it possible for an attacker who has read and write access
to the GPU device nodes to reconfigure GPUs to gain access to
arbitrary system memory. NVIDIA is not aware of any reports of
this vulnerability, outside of the disclosure which was made
privately to NVIDIA.</p>
<p>NVIDIA has identified the root cause of the vulnerability and
has released updated drivers which close it. [NVIDIA encourages]
all users with Geforce 8 or newer, G80 Quadro or newer, and all
Tesla GPUs to update their drivers to 295.40 or later.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0946</cvename>
</references>
<dates>
<discovery>2012-03-20</discovery>
<entry>2012-05-10</entry>
</dates>
</vuln>
<vuln vid="3d55b961-9a2e-11e1-a2ef-001fd0af1a4c">
<topic>rubygem-mail -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-mail</name>
<range><lt>2.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>rubygem-mail -- multiple vulnerabilities</p>
<blockquote cite="http://seclists.org/oss-sec/2012/q2/190">
<p>Two issues were fixed. They are a file system traversal in file_delivery method and arbitrary command execution when using exim or sendmail from the command line.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2139</cvename>
<cvename>CVE-2012-2140</cvename>
<url>http://seclists.org/oss-sec/2012/q2/190</url>
</references>
<dates>
<discovery>2012-03-14</discovery>
<entry>2012-05-09</entry>
</dates>
</vuln>
<vuln vid="a1d0911f-987a-11e1-a2ef-001fd0af1a4c">
<topic>node -- private information disclosure</topic>
<affects>
<package>
<name>node</name>
<name>node-devel</name>
<range><lt>0.6.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Private information disclosure</p>
<blockquote cite="http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/">
<p>An attacker can cause private information disclosure.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/</url>
</references>
<dates>
<discovery>2012-04-17</discovery>
<entry>2012-05-07</entry>
</dates>
</vuln>
<vuln vid="725ab25a-987b-11e1-a2ef-001fd0af1a4c">
<topic>p5-Config-IniFiles -- unsafe temporary file creation</topic>
<affects>
<package>
<name>p5-Config-IniFiles</name>
<range><lt>2.71</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Unsafe Temporary file creation</p>
<blockquote cite="https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59">
<p>Config::IniFiles used a predictable name for its temporary
file without opening it correctly.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2451</cvename>
<url>https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59</url>
</references>
<dates>
<discovery>2012-05-02</discovery>
<entry>2012-05-07</entry>
</dates>
</vuln>
<vuln vid="60de13d5-95f0-11e1-806a-001143cd36d8">
<topic>php -- vulnerability in certain CGI-based setups</topic>
<affects>
<package>
<name>php5</name>
<range><gt>5.4</gt><lt>5.4.2</lt></range>
<range><lt>5.3.12</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.12</lt></range>
</package>
<package>
<name>php4</name>
<range><lt>4.4.10</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>php development team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-05-03-1">
<p>Security Enhancements and Fixes in PHP 5.3.12:</p>
<ul>
<li>Initial fix for cgi-bin ?-s cmdarg parse issue
(CVE-2012-1823)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1823</cvename>
</references>
<dates>
<discovery>2012-05-03</discovery>
<entry>2012-05-05</entry>
</dates>
</vuln>
<vuln vid="18dffa02-946a-11e1-be9d-000c29cc39d3">
<topic>WebCalendar -- multiple vulnerabilities</topic>
<affects>
<package>
<name>WebCalendar-devel</name>
<range><le>1.2.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hanno Boeck reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2012/04/28/1">
<p>Fixes [are now available] for various security vulnerabilities
including LFI (local file inclusion), XSS (cross site scripting)
and others.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1495</cvename>
<cvename>CVE-2012-1496</cvename>
<url>http://packetstormsecurity.org/files/112332/WebCalendar-1.2.4-Remote-Code-Execution.html</url>
<url>http://packetstormsecurity.org/files/112323/WebCalendar-1.2.4-Pre-Auth-Remote-Code-Injection.html</url>
<url>http://archives.neohapsis.com/archives/bugtraq/2012-04/0182.html</url>
</references>
<dates>
<discovery>2012-04-28</discovery>
<entry>2012-05-02</entry>
</dates>
</vuln>
<vuln vid="94c0ac4f-9388-11e1-b242-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>18.0.1025.168</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[106413] High CVE-2011-3078: Use after free in floats handling.
Credit to Google Chrome Security Team (Marty Barbella) and
independent later discovery by miaubiz.</p>
<p>[117627] Medium CVE-2011-3079: IPC validation failure. Credit to
PinkiePie.</p>
<p>[121726] Medium CVE-2011-3080: Race condition in sandbox IPC.
Credit to Willem Pinckaers of Matasano.</p>
<p>[121899] High CVE-2011-3081: Use after free in floats handling.
Credit to miaubiz.</p>
<p>[117110] High CVE-2012-1521: Use after free in xml parser. Credit
to Google Chrome Security Team (SkyLined) and independent later
discovery by wushi of team509 reported through iDefense VCP
(V-874rcfpq7z).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3078</cvename>
<cvename>CVE-2011-3079</cvename>
<cvename>CVE-2011-3080</cvename>
<cvename>CVE-2011-3081</cvename>
<cvename>CVE-2012-1521</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-04-30</discovery>
<entry>2012-05-01</entry>
</dates>
</vuln>
<vuln vid="2cde1892-913e-11e1-b44c-001fd0af1a4c">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php53</name>
<range><lt>5.3.11</lt></range>
</package>
<package>
<name>php5</name>
<range><lt>5.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>php development team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-04-26-1">
<p>Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:</p>
<ul>
<li>Insufficient validation of upload name leading to corrupted $_FILES indices. (CVE-2012-1172)</li>
<li>Add open_basedir checks to readline_write_history and readline_read_history.</li>
</ul>
<p>Security Enhancements for PHP 5.3.11 only:</p>
<ul>
<li>Regression in magic_quotes_gpc fix for CVE-2012-0831.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0831</cvename>
<cvename>CVE-2012-1172</cvename>
<url>http://www.php.net/archive/2012.php#id2012-04-26-1</url>
</references>
<dates>
<discovery>2012-03-01</discovery>
<entry>2012-04-28</entry>
<modified>2012-05-04</modified>
</dates>
</vuln>
<vuln vid="0fa15e08-92ec-11e1-a94a-00215c6a37bb">
<topic>samba -- incorrect permission checks vulnerability</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>3.4.*</gt><lt>3.4.17</lt></range>
</package>
<package>
<name>samba35</name>
<range><gt>3.5.*</gt><lt>3.5.15</lt></range>
</package>
<package>
<name>samba36</name>
<range><gt>3.6.*</gt><lt>3.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba project reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2012-2111">
<p>Samba versions 3.4.x to 3.6.4 inclusive are affected
by a vulnerability that allows arbitrary users to modify
privileges on a file server.</p>
<p>Security checks were incorrectly applied to the Local
Security Authority (LSA) remote procedure calls (RPC)
CreateAccount, OpenAccount, AddAccountRights and
RemoveAccountRights, allowing any authenticated user
to modify the privileges database.</p>
<p>This is a serious error, as it means that authenticated
users can connect to the LSA and grant themselves the
"take ownership" privilege. This privilege is used by the
smbd file server to grant the ability to change ownership
of a file or directory which means users could take ownership
of files or directories they do not own.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2111</cvename>
</references>
<dates>
<discovery>2012-04-30</discovery>
<entry>2012-04-30</entry>
</dates>
</vuln>
<vuln vid="b428e6b3-926c-11e1-8d7b-003067b2972c">
<topic>portupgrade-devel -- lack of distfile checksums</topic>
<affects>
<package>
<name>portupgrade-devel</name>
<range><lt>0,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ports security team reports:</p>
<p>The portupgrade-devel port fetched directly from a git
repository without checking against a known good
SHA hash. This means that it is possible that packages
built using this port may not match the one vetted
by the maintainer. Users are advised to rebuild
portupgrade-devel from known good sources.</p>
</body>
</description>
<references>
<mlist>http://web.archiveorange.com/archive/v/6ETvLYPz7CfFT9tiHKiI</mlist>
<mlist>http://www.freebsd.org/cgi/getmsg.cgi?fetch=100677+0+/usr/local/www/db/text/2012/cvs-ports/20120506.cvs-ports</mlist>
</references>
<dates>
<discovery>2012-04-30</discovery>
<entry>2012-04-30</entry>
<modified>2012-05-06</modified>
</dates>
</vuln>
<vuln vid="5d85976a-9011-11e1-b5e0-000c299b62e1">
<topic>net-snmp -- Remote DoS</topic>
<affects>
<package>
<name>net-snmp</name>
<range><lt>5.7.1_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Red Hat Security Response Team reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=815813">
<p>An array index error, leading to out-of heap-based buffer read flaw was
found in the way the net-snmp agent performed lookups in the
extension table. When certain MIB subtrees were handled by the
extend directive, a remote attacker (having read privileges to the
subtree) could use this flaw to cause a denial of service condition
via an SNMP GET request involving a non-existent extension table
entry.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2141</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=815813</url>
<url>http://www.openwall.com/lists/oss-security/2012/04/26/2</url>
</references>
<dates>
<discovery>2012-04-26</discovery>
<entry>2012-04-27</entry>
</dates>
</vuln>
<vuln vid="380e8c56-8e32-11e1-9580-4061862b8c22">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>12.0,1</lt></range>
<range><lt>10.0.4,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.4,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.9</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.4</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.9</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>12.0</lt></range>
<range><lt>10.0.4</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)</p>
<p>MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9</p>
<p>MFSA 2012-22 use-after-free in IDBKeyRange</p>
<p>MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface</p>
<p>MFSA 2012-24 Potential XSS via multibyte content processing errors</p>
<p>MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite</p>
<p>MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error</p>
<p>MFSA 2012-27 Page load short-circuit can lead to XSS</p>
<p>MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions</p>
<p>MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues</p>
<p>MFSA 2012-30 Crash with WebGL content using textImage2D</p>
<p>MFSA 2012-31 Off-by-one error in OpenType Sanitizer</p>
<p>MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors</p>
<p>MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1187</cvename>
<cvename>CVE-2011-3062</cvename>
<cvename>CVE-2012-0467</cvename>
<cvename>CVE-2012-0468</cvename>
<cvename>CVE-2012-0469</cvename>
<cvename>CVE-2012-0470</cvename>
<cvename>CVE-2012-0471</cvename>
<cvename>CVE-2012-0472</cvename>
<cvename>CVE-2012-0473</cvename>
<cvename>CVE-2012-0474</cvename>
<cvename>CVE-2012-0475</cvename>
<cvename>CVE-2012-0477</cvename>
<cvename>CVE-2012-0478</cvename>
<cvename>CVE-2012-0479</cvename>
<cvename>CVE-2012-1126</cvename>
<cvename>CVE-2012-1127</cvename>
<cvename>CVE-2012-1128</cvename>
<cvename>CVE-2012-1129</cvename>
<cvename>CVE-2012-1130</cvename>
<cvename>CVE-2012-1131</cvename>
<cvename>CVE-2012-1132</cvename>
<cvename>CVE-2012-1133</cvename>
<cvename>CVE-2012-1134</cvename>
<cvename>CVE-2012-1135</cvename>
<cvename>CVE-2012-1136</cvename>
<cvename>CVE-2012-1137</cvename>
<cvename>CVE-2012-1138</cvename>
<cvename>CVE-2012-1139</cvename>
<cvename>CVE-2012-1140</cvename>
<cvename>CVE-2012-1141</cvename>
<cvename>CVE-2012-1142</cvename>
<cvename>CVE-2012-1143</cvename>
<cvename>CVE-2012-1144</cvename>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-20.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-21.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-22.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-23.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-24.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-25.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-26.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-27.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-28.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-29.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-30.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-31.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-32.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-33.html</url>
</references>
<dates>
<discovery>2012-04-24</discovery>
<entry>2012-04-24</entry>
</dates>
</vuln>
<vuln vid="a04247f1-8d9c-11e1-93c7-00215c6a37bb">
<topic>Dokuwiki -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20120125_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Andy Webber reports:</p>
<blockquote cite="http://bugs.dokuwiki.org/index.php?do=details&amp;task_id=2487">
<p>Add User appears to be vulnerable to Cross Site Request Forgery (CSRF/XSRF).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2128</cvename>
<cvename>CVE-2012-2129</cvename>
</references>
<dates>
<discovery>2012-04-17</discovery>
<entry>2012-04-23</entry>
</dates>
</vuln>
<vuln vid="1c5abbe2-8d7f-11e1-a374-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.24</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.11.1</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Remote Crash Vulnerability in SIP Channel Driver</p>
<p>Heap Buffer Overflow in Skinny Channel Driver</p>
<p>Asterisk Manager User Unauthorized Shell Access</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.digium.com/pub/security/AST-2012-004.html</url>
<cvename>CVE-2012-2414</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-005.html</url>
<cvename>CVE-2012-2415</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-006.html</url>
<cvename>CVE-2012-2416</cvename>
</references>
<dates>
<discovery>2012-04-23</discovery>
<entry>2012-04-23</entry>
</dates>
</vuln>
<vuln vid="b384cc5b-8d56-11e1-8d7b-003067b2972c">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.3.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>WordPress reports:</p>
<blockquote cite="https://codex.wordpress.org/Version_3.3.2">
<p>External code has been updated to
non-vulnerable versions.
In addition the following bugs have been fixed:</p>
<ul>
<li>Limited privilege escalation where a site administrator could
deactivate network-wide plugins when running a WordPress network under
particular circumstances.</li>
<li>Cross-site scripting vulnerability when making URLs
clickable.</li>
<li>Cross-site scripting vulnerabilities in redirects after posting
comments in older browsers, and when filtering URLs.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2399</cvename>
<cvename>CVE-2012-2400</cvename>
<cvename>CVE-2012-2401</cvename>
<cvename>CVE-2012-2402</cvename>
<cvename>CVE-2012-2403</cvename>
<cvename>CVE-2012-2404</cvename>
<url>https://codex.wordpress.org/Version_3.3.2</url>
</references>
<dates>
<discovery>2012-04-20</discovery>
<entry>2012-04-23</entry>
</dates>
</vuln>
<vuln vid="7184f92e-8bb8-11e1-8d7b-003067b2972c">
<topic>OpenSSL -- integer conversions result in memory corruption</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL security team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120419.txt">
<p>A potentially exploitable vulnerability has been discovered in the OpenSSL
function asn1_d2i_read_bio.
Any application which uses BIO or FILE based functions to read untrusted DER
format data is vulnerable. Affected functions are of the form d2i_*_bio or
d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2110</cvename>
<mlist msgid="20120419103522.GN30784@cmpxchg8b.com">http://marc.info/?l=full-disclosure&amp;m=133483221408243</mlist>
<url>http://www.openssl.org/news/secadv_20120419.txt</url>
</references>
<dates>
<discovery>2012-04-19</discovery>
<entry>2012-04-21</entry>
</dates>
</vuln>
<vuln vid="09c87973-8b9d-11e1-b393-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>3.6.0</ge><lt>3.6.9</lt></range>
<range><ge>4.0.0</ge><lt>4.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.6.8/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<h1>Unauthorized Access</h1>
<p>Due to a lack of proper validation of the X-FORWARDED-FOR
header of an authentication request, an attacker could bypass
the current lockout policy used for protection against brute-
force password discovery. This vulnerability can only be
exploited if the 'inbound_proxies' parameter is set.</p>
<h1>Cross Site Scripting</h1>
<p>A JavaScript template used by buglist.cgi could be used
by a malicious script to permit an attacker to gain access
to some information about bugs he would not normally be
allowed to see, using the victim's credentials. To be
exploitable, the victim must be logged in when visiting
the attacker's malicious page.</p>
<p>All affected installations are encouraged to upgrade as soon
as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0465</cvename>
<cvename>CVE-2012-0466</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=728639</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=745397</url>
</references>
<dates>
<discovery>2012-04-18</discovery>
<entry>2012-04-21</entry>
</dates>
</vuln>
<vuln vid="67516177-88ec-11e1-9a10-0023ae8e59f0">
<topic>typo3 -- Cross-Site Scripting</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.6.0</ge><le>4.6.7</le></range>
<range><ge>4.5.0</ge><le>4.5.14</le></range>
<range><ge>4.4.0</ge><le>4.4.14</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TYPO3 Security Team reports:</p>
<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/">
<p>Failing to properly encode the output, the default TYPO3
Exception Handler is susceptible to Cross-Site Scripting. We
are not aware of a possibility to exploit this vulnerability
without third party extensions being installed that put user
input in exception messages. However, it has come to our
attention that extensions using the extbase MVC framework can
be used to exploit this vulnerability if these extensions
accept objects in controller actions.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2112</cvename>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/</url>
</references>
<dates>
<discovery>2012-04-17</discovery>
<entry>2012-04-18</entry>
</dates>
</vuln>
<vuln vid="0c14dfa7-879e-11e1-a2a0-00500802d8f7">
<topic>nginx -- Buffer overflow in the ngx_http_mp4_module</topic>
<affects>
<package>
<name>nginx</name>
<range><lt>1.0.15</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><lt>1.1.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The nginx project reports:</p>
<blockquote cite="http://nginx.org/en/security_advisories.html">
<p>Buffer overflow in the ngx_http_mp4_module</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2089</cvename>
<url>http://nginx.org/en/security_advisories.html</url>
</references>
<dates>
<discovery>2012-04-12</discovery>
<entry>2012-04-16</entry>
</dates>
</vuln>
<vuln vid="c80a3d93-8632-11e1-a374-14dae9ebcf89">
<topic>phpmyfaq -- Remote PHP Code Execution Vulnerability</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.7.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ project reports:</p>
<blockquote cite="http://www.phpmyfaq.de/advisory_2011-10-25.php">
<p>The bundled ImageManager library allows injection of arbitrary
PHP code to execute arbitrary PHP code and upload malware and
trojan horses.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyfaq.de/advisory_2012-04-14.php</url>
</references>
<dates>
<discovery>2012-04-14</discovery>
<entry>2012-04-14</entry>
</dates>
</vuln>
<vuln vid="607d2108-a0e4-423a-bf78-846f2a8f01b0">
<topic>puppet -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>puppet</name>
<range><lt>2.7.12_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://puppetlabs.com/security/">
<p>Multiple vulnerabilities exist in puppet that can result in
arbitrary code execution, arbitrary file read access, denial of
service, and arbitrary file write access. Please review the
details in each of the CVEs for additional information.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1906</cvename>
<cvename>CVE-2012-1986</cvename>
<cvename>CVE-2012-1987</cvename>
<cvename>CVE-2012-1988</cvename>
<cvename>CVE-2012-1989</cvename>
<url>http://puppetlabs.com/security/cve/cve-2012-1906/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1986/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1987/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1988/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1989/</url>
</references>
<dates>
<discovery>2012-03-26</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="baf37cd2-8351-11e1-894e-00215c6a37bb">
<topic>samba -- "root" credential remote code execution</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>3.4.*</gt><lt>3.4.16</lt></range>
</package>
<package>
<name>samba35</name>
<range><gt>3.5.*</gt><lt>3.5.14</lt></range>
</package>
<package>
<name>samba36</name>
<range><gt>3.6.*</gt><lt>3.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba development team reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2012-1182">
<p>Samba versions 3.6.3 and all versions previous to this
are affected by a vulnerability that allows remote code
execution as the "root" user from an anonymous connection.</p>
<p>As this does not require an authenticated connection it
is the most serious vulnerability possible in a program,
and users and vendors are encouraged to patch their Samba
installations immediately.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1182</cvename>
</references>
<dates>
<discovery>2012-04-10</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="7f448dc1-82ca-11e1-b393-20cf30e32f6d">
<topic>bugzilla -- Cross-Site Request Forgery</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>4.0.0</ge><lt>4.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/4.0.4/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<ul>
<li>Due to a lack of validation of the enctype form attribute
when making POST requests to xmlrpc.cgi, a possible CSRF
vulnerability was discovered. If a user visits an HTML page
with some malicious HTML code in it, an attacker could make
changes to a remote Bugzilla installation on behalf of the
victim's account by using the XML-RPC API on a site running
mod_perl. Sites running under mod_cgi are not affected.
Also, the user would have had to be already logged in to the
target site for the vulnerability to work.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon
as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0453</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=725663</url>
</references>
<dates>
<discovery>2012-02-22</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="20923a0d-82ba-11e1-8d7b-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.228</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-07.html">
<p>Multiple Priority 2 vulnerabilities could cause a crash and
potentially allow an attacker to take control of the affected
system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0724</cvename>
<cvename>CVE-2012-0725</cvename>
<cvename>CVE-2012-0772</cvename>
<cvename>CVE-2012-0773</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-07.html</url>
</references>
<dates>
<discovery>2012-04-05</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="262b92fe-81c8-11e1-8899-001ec9578670">
<topic>png -- memory corruption/possible remote code execution</topic>
<affects>
<package>
<name>png</name>
<range><lt>1.4.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PNG project reports:</p>
<blockquote cite="http://www.libpng.org/pub/png/libpng.html">
<p>libpng fails to correctly handle malloc() failures for text
chunks (in png_set_text_2()), which can lead to memory
corruption and the possibility of remote code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3048</cvename>
<url>http://www.libpng.org/pub/png/libpng.html</url>
</references>
<dates>
<discovery>2012-03-29</discovery>
<entry>2012-04-08</entry>
</dates>
</vuln>
<vuln vid="462e2d6c-8017-11e1-a571-bcaec565249c">
<topic>freetype -- multiple vulnerabilities</topic>
<affects>
<package>
<name>freetype2</name>
<range><lt>2.4.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The FreeType project reports:</p>
<blockquote cite="https://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view">
<p>Multiple vulnerabilities exist in freetype that can result in
application crashes and remote code execution. Please review
the details in each of the CVEs for additional information.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1126</cvename>
<cvename>CVE-2012-1127</cvename>
<cvename>CVE-2012-1128</cvename>
<cvename>CVE-2012-1129</cvename>
<cvename>CVE-2012-1130</cvename>
<cvename>CVE-2012-1131</cvename>
<cvename>CVE-2012-1132</cvename>
<cvename>CVE-2012-1133</cvename>
<cvename>CVE-2012-1134</cvename>
<cvename>CVE-2012-1135</cvename>
<cvename>CVE-2012-1136</cvename>
<cvename>CVE-2012-1137</cvename>
<cvename>CVE-2012-1138</cvename>
<cvename>CVE-2012-1139</cvename>
<cvename>CVE-2012-1140</cvename>
<cvename>CVE-2012-1141</cvename>
<cvename>CVE-2012-1142</cvename>
<cvename>CVE-2012-1143</cvename>
<cvename>CVE-2012-1144</cvename>
<url>https://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=806270</url>
</references>
<dates>
<discovery>2012-03-08</discovery>
<entry>2012-04-06</entry>
</dates>
</vuln>
<vuln vid="49314321-7fd4-11e1-9582-001b2134ef46">
<topic>mutt-devel -- failure to check SMTP TLS server certificate</topic>
<affects>
<package>
<name>mutt-devel</name>
<range><lt>1.5.21_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dave B reports on Full Disclosure:</p>
<blockquote cite="http://seclists.org/fulldisclosure/2011/Mar/87">
<p>It seems that mutt fails to check the validity of an SMTP
server's certificate during a TLS connection. [...]
This means that an attacker could potentially MITM a
mutt user connecting to their SMTP server even when the
user has forced a TLS connection.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1429</cvename>
<url>http://seclists.org/fulldisclosure/2011/Mar/87</url>
</references>
<dates>
<discovery>2012-03-08</discovery>
<entry>2012-04-06</entry>
</dates>
</vuln>
<vuln vid="057130e6-7f61-11e1-8a43-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>18.0.1025.151</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[106577] Medium CVE-2011-3066: Out-of-bounds read in Skia clipping. Credit to miaubiz.</p>
<p>[117583] Medium CVE-2011-3067: Cross-origin iframe replacement.
Credit to Sergey Glazunov.</p>
<p>[117698] High CVE-2011-3068: Use-after-free in run-in handling.
Credit to miaubiz.</p>
<p>[117728] High CVE-2011-3069: Use-after-free in line box handling.
Credit to miaubiz.</p>
<p>[118185] High CVE-2011-3070: Use-after-free in v8 bindings. Credit
to Google Chrome Security Team (SkyLined).</p>
<p>[118273] High CVE-2011-3071: Use-after-free in HTMLMediaElement.
Credit to pa_kt, reporting through HP TippingPoint ZDI
(ZDI-CAN-1528).</p>
<p>[118467] Low CVE-2011-3072: Cross-origin violation parenting pop-up
window. Credit to Sergey Glazunov.</p>
<p>[118593] High CVE-2011-3073: Use-after-free in SVG resource
handling. Credit to Arthur Gerkis.</p>
<p>[119281] Medium CVE-2011-3074: Use-after-free in media handling.
Credit to Slawomir Blazek.</p>
<p>[119525] High CVE-2011-3075: Use-after-free applying style command.
Credit to miaubiz.</p>
<p>[120037] High CVE-2011-3076: Use-after-free in focus handling.
Credit to miaubiz.</p>
<p>[120189] Medium CVE-2011-3077: Read-after-free in script bindings.
Credit to Google Chrome Security Team (Inferno).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3066</cvename>
<cvename>CVE-2011-3067</cvename>
<cvename>CVE-2011-3068</cvename>
<cvename>CVE-2011-3069</cvename>
<cvename>CVE-2011-3070</cvename>
<cvename>CVE-2011-3071</cvename>
<cvename>CVE-2011-3072</cvename>
<cvename>CVE-2011-3073</cvename>
<cvename>CVE-2011-3074</cvename>
<cvename>CVE-2011-3075</cvename>
<cvename>CVE-2011-3076</cvename>
<cvename>CVE-2011-3077</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-04-05</discovery>
<entry>2012-04-05</entry>
</dates>
</vuln>
<vuln vid="7289214f-7c55-11e1-ab3b-000bcdf0a03b">
<topic>libpurple -- Remote DoS via an MSN OIM message that lacks UTF-8 encoding</topic>
<affects>
<package>
<name>libpurple</name>
<range><lt>2.10.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1178">
<p>The msn_oim_report_to_user function in oim.c in the MSN protocol
plugin in libpurple in Pidgin before 2.10.2 allows remote servers
to cause a denial of service (application crash) via an OIM message
that lacks UTF-8 encoding.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1178</cvename>
</references>
<dates>
<discovery>2012-03-15</discovery>
<entry>2012-04-01</entry>
</dates>
</vuln>
<vuln vid="a81161d2-790f-11e1-ac16-e0cb4e266481">
<topic>phpMyAdmin -- Path disclosure due to missing verification of file presence</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.10.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php">
<p>The show_config_errors.php script did not validate the presence
of the configuration file, so an error message shows the full path
of this file, leading to possible further attacks. For the error
messages to be displayed, php.ini's error_reporting must be set to
E_ALL and display_errors must be On (these settings are not
recommended on a production server in the PHP manual).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1902</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php</url>
</references>
<dates>
<discovery>2012-03-28</discovery>
<entry>2012-03-28</entry>
</dates>
</vuln>
<vuln vid="b8f0a391-7910-11e1-8a43-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>18.0.1025.142</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[109574] Medium CVE-2011-3058: Bad interaction possibly leading to
XSS in EUC-JP. Credit to Masato Kinugawa.</p>
<p>[112317] Medium CVE-2011-3059: Out-of-bounds read in SVG text
handling. Credit to Arthur Gerkis.</p>
<p>[114056] Medium CVE-2011-3060: Out-of-bounds read in text fragment
handling. Credit to miaubiz.</p>
<p>[116398] Medium CVE-2011-3061: SPDY proxy certificate checking
error. Credit to Leonidas Kontothanassis of Google.</p>
<p>[116524] High CVE-2011-3062: Off-by-one in OpenType Sanitizer.
Credit to Mateusz Jurczyk of the Google Security Team.</p>
<p>[117417] Low CVE-2011-3063: Validate navigation requests from the
renderer more carefully. Credit to kuzzcc, Sergey Glazunov,
PinkiePie and scarybeasts (Google Chrome Security Team).</p>
<p>[117471] High CVE-2011-3064: Use-after-free in SVG clipping. Credit to Atte Kettunen of OUSPG.</p>
<p>[117588] High CVE-2011-3065: Memory corruption in Skia. Credit to
Omair.</p>
<p>[117794] Medium CVE-2011-3057: Invalid read in v8. Credit to
Christian Holler.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3057</cvename>
<cvename>CVE-2011-3058</cvename>
<cvename>CVE-2011-3059</cvename>
<cvename>CVE-2011-3060</cvename>
<cvename>CVE-2011-3061</cvename>
<cvename>CVE-2011-3062</cvename>
<cvename>CVE-2011-3063</cvename>
<cvename>CVE-2011-3064</cvename>
<cvename>CVE-2011-3065</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-03-28</discovery>
<entry>2012-03-28</entry>
</dates>
</vuln>
<vuln vid="60f81af3-7690-11e1-9423-00235a5f2c9a">
<topic>raptor/raptor2 -- XXE in RDF/XML File Interpretation</topic>
<affects>
<package>
<name>raptor2</name>
<range><lt>2.0.7</lt></range>
</package>
<package>
<name>raptor</name>
<range><lt>1.4.21_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Timothy D. Morgan reports:</p>
<blockquote cite="http://www.vsecurity.com/resources/advisory/20120324-1/">
<p>In December 2011, VSR identified a vulnerability in multiple open
source office products (including OpenOffice, LibreOffice, KOffice,
and AbiWord) due to unsafe interpretation of XML files with custom
entity declarations. Deeper analysis revealed that the
vulnerability was caused by acceptance of external entities by the
libraptor library, which is used by librdf and is in turn used by
these office products.</p>
<p>In the context of office applications, these vulnerabilities could
allow for XML External Entity (XXE) attacks resulting in file theft
and a loss of user privacy when opening potentially malicious ODF
documents. For other applications which depend on librdf or
libraptor, potentially serious consequences could result from
accepting RDF/XML content from untrusted sources, though the impact
may vary widely depending on the context.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0037</cvename>
<url>http://seclists.org/fulldisclosure/2012/Mar/281</url>
<url>http://www.vsecurity.com/resources/advisory/20120324-1/</url>
</references>
<dates>
<discovery>2012-03-24</discovery>
<entry>2012-03-25</entry>
</dates>
</vuln>
<vuln vid="42a2c82a-75b9-11e1-89b4-001ec9578670">
<topic>quagga -- multiple vulnerabilities</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.20.1</lt></range>
</package>
<package>
<name>quagga-re</name>
<range><lt>0.99.17.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/551715">
<p>The ospfd implementation of OSPF in Quagga allows a remote
attacker (on a local network segment with OSPF enabled) to cause
a denial of service (daemon aborts due to an assert) with a
malformed OSPF LS-Update message.</p>
<p>The ospfd implementation of OSPF in Quagga allows a remote
attacker (on a local network segment with OSPF enabled) to cause
a denial of service (daemon crash) with a malformed OSPF Network-
LSA message.</p>
<p>The bgpd implementation of BGP in Quagga allows remote attackers
to cause a denial of service (daemon aborts due to an assert) via
BGP Open message with an invalid AS4 capability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0249</cvename>
<cvename>CVE-2012-0250</cvename>
<cvename>CVE-2012-0255</cvename>
<url>http://www.kb.cert.org/vuls/id/551715</url>
</references>
<dates>
<discovery>2012-03-23</discovery>
<entry>2012-03-24</entry>
<modified>2012-03-26</modified>
</dates>
</vuln>
<vuln vid="acab2f88-7490-11e1-865f-00e0814cab4e">
<topic>Apache Traffic Server -- heap overflow vulnerability</topic>
<affects>
<package>
<name>trafficserver</name>
<range><lt>3.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT-FI reports:</p>
<blockquote cite="https://www.cert.fi/en/reports/2012/vulnerability612884.html">
<p>A heap overflow vulnerability has been found in the HTTP
(Hypertext Transfer Protocol) protocol handling of Apache
Traffic Server. The vulnerability allows an attacker to cause
a denial of service or potentially to execute his own code by
sending a specially modified HTTP message to an affected
server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0256</cvename>
</references>
<dates>
<discovery>2012-03-22</discovery>
<entry>2012-03-24</entry>
</dates>
</vuln>
<vuln vid="330106da-7406-11e1-a1d7-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.83</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[113902] High CVE-2011-3050: Use-after-free with first-letter
handling. Credit to miaubiz.</p>
<p>[116162] High CVE-2011-3045: libpng integer issue from upstream.
Credit to Glenn Randers-Pehrson of the libpng project.</p>
<p>[116461] High CVE-2011-3051: Use-after-free in CSS cross-fade
handling. Credit to Arthur Gerkis.</p>
<p>[116637] High CVE-2011-3052: Memory corruption in WebGL canvas
handling. Credit to Ben Vanik of Google.</p>
<p>[116746] High CVE-2011-3053: Use-after-free in block splitting.
Credit to miaubiz.</p>
<p>[117418] Low CVE-2011-3054: Apply additional isolations to webui
privileges. Credit to Sergey Glazunov.</p>
<p>[117736] Low CVE-2011-3055: Prompt in the browser native UI for
unpacked extension installation. Credit to PinkiePie.</p>
<p>[117550] High CVE-2011-3056: Cross-origin violation with "magic
iframe". Credit to Sergey Glazunov.</p>
<p>[117794] Medium CVE-2011-3057: Invalid read in v8. Credit to
Christian Holler.</p>
<p>[108648] Low CVE-2011-3049: Extension web request API can
interfere with system requests. Credit to Michael Gundlach.
Fixed in an earlier release.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3045</cvename>
<cvename>CVE-2011-3049</cvename>
<cvename>CVE-2011-3050</cvename>
<cvename>CVE-2011-3051</cvename>
<cvename>CVE-2011-3052</cvename>
<cvename>CVE-2011-3053</cvename>
<cvename>CVE-2011-3054</cvename>
<cvename>CVE-2011-3055</cvename>
<cvename>CVE-2011-3056</cvename>
<cvename>CVE-2011-3057</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-03-21</discovery>
<entry>2012-03-22</entry>
</dates>
</vuln>
<vuln vid="2e7e9072-73a0-11e1-a883-001cc0a36e12">
<topic>libtasn1 -- ASN.1 length decoding vulnerability</topic>
<affects>
<package>
<name>libtasn1</name>
<range><lt>2.12</lt></range>
</package>
<package>
<name>gnutls</name>
<range><lt>2.12.18</lt></range>
</package>
<package>
<name>gnutls-devel</name>
<range><gt>2.99</gt><lt>3.0.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mu Dynamics, Inc. reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5959">
<p>Various functions using the ASN.1 length decoding logic in
Libtasn1 were incorrectly assuming that the return value from
asn1_get_length_der is always less than the length of the
enclosing ASN.1 structure, which is only true for valid
structures and not for intentionally corrupt or otherwise
buggy structures.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1569</cvename>
</references>
<dates>
<discovery>2012-03-20</discovery>
<entry>2012-03-21</entry>
<modified>2012-03-24</modified>
</dates>
</vuln>
<vuln vid="aecee357-739e-11e1-a883-001cc0a36e12">
<topic>gnutls -- possible overflow/Denial of service vulnerabilities</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>2.12.18</lt></range>
</package>
<package>
<name>gnutls-devel</name>
<range><gt>2.99</gt><lt>3.0.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mu Dynamics, Inc. reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5959">
<p>The block cipher decryption logic in GnuTLS assumed that a
record containing any data which was a multiple of the block
size was valid for further decryption processing, leading to
a heap corruption vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1573</cvename>
</references>
<dates>
<discovery>2012-03-20</discovery>
<entry>2012-03-21</entry>
<modified>2012-03-24</modified>
</dates>
</vuln>
<vuln vid="0d530174-6eef-11e1-afd6-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.44</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.23</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.10.1</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Stack Buffer Overflow in HTTP Manager</p>
<p>Remote Crash Vulnerability in Milliwatt Application</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2012-002.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2012-003.html</url>
</references>
<dates>
<discovery>2012-03-15</discovery>
<entry>2012-03-15</entry>
</dates>
</vuln>
<vuln vid="60eb344e-6eb1-11e1-8ad7-00e0815b8da8">
<topic>OpenSSL -- CMS and S/MIME Bleichenbacher attack</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL Team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120312.txt">
<p>A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
also known as the million message attack (MMA).</p>
<p>Only users of CMS, PKCS #7, or S/MIME decryption operations are
affected. A successful attack needs on average 2^20 messages. In
practice only automated systems will be affected as humans will
not be willing to process this many messages.</p>
<p>SSL/TLS applications are *NOT* affected by this problem since
the SSL/TLS code does not use the PKCS#7 or CMS decryption
code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0884</cvename>
<url>http://www.openssl.org/news/secadv_20120312.txt</url>
</references>
<dates>
<discovery>2012-03-12</discovery>
<entry>2012-03-15</entry>
</dates>
</vuln>
<vuln vid="29194cb8-6e9f-11e1-8376-f0def16c5c1b">
<topic>nginx -- potential information leak</topic>
<affects>
<package>
<name>nginx</name>
<range><lt>1.0.14,1</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><lt>1.1.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>nginx development team reports:</p>
<blockquote cite="http://nginx.net/CHANGES">
<p>Matthew Daley recently discovered a security problem
which may lead to a disclosure of previously freed memory
on a specially crafted response from an upstream server,
potentially resulting in a sensitive information leak.</p>
</blockquote>
</body>
</description>
<references>
<url>http://nginx.net/CHANGES</url>
</references>
<dates>
<discovery>2012-03-15</discovery>
<entry>2012-03-15</entry>
</dates>
</vuln>
<vuln vid="a1050b8b-6db3-11e1-8b37-0011856a6e37">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>10.0.3,1</lt></range>
<range><ge>3.6.*,1</ge><lt>3.6.28</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.3,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.8</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.3</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.8</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>10.0.3</lt></range>
<range><gt>3.1.*</gt><lt>3.1.20</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.28</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-13 XSS with Drag and Drop and Javascript: URL</p>
<p>MFSA 2012-14 SVG issues found with Address Sanitizer</p>
<p>MFSA 2012-15 XSS with multiple Content Security Policy headers</p>
<p>MFSA 2012-16 Escalation of privilege with Javascript: URL as home page</p>
<p>MFSA 2012-17 Crash when accessing keyframe cssText after dynamic modification</p>
<p>MFSA 2012-18 window.fullScreen writeable by untrusted content</p>
<p>MFSA 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0451</cvename>
<cvename>CVE-2012-0455</cvename>
<cvename>CVE-2012-0456</cvename>
<cvename>CVE-2012-0457</cvename>
<cvename>CVE-2012-0458</cvename>
<cvename>CVE-2012-0459</cvename>
<cvename>CVE-2012-0460</cvename>
<cvename>CVE-2012-0461</cvename>
<cvename>CVE-2012-0462</cvename>
<cvename>CVE-2012-0463</cvename>
<cvename>CVE-2012-0464</cvename>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-13.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-14.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-15.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-16.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-17.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-18.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-19.html</url>
</references>
<dates>
<discovery>2012-03-13</discovery>
<entry>2012-03-14</entry>
<modified>2012-03-18</modified>
</dates>
</vuln>
<vuln vid="6d329b64-6bbb-11e1-9166-001e4f0fb9b1">
<topic>portaudit -- auditfile remote code execution</topic>
<affects>
<package>
<name>portaudit</name>
<range><lt>0.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael Gmelin and Jörg Scheinert have reported a remote
command execution vulnerability in portaudit.</p>
<p>An attacker who can get the user to use a specially crafted
audit file will be able to run commands on the user's system,
with the privileges of the user running portaudit
(often root).</p>
<p>The attack could e.g. happen through DNS hijacking or a man
in the middle attack.</p>
<p>Note that if the user has set up portaudit to run from
periodic this attack could happen without direct user
interaction.</p>
<p>In the FreeBSD Ports Collection (bsd.port.mk) the check for
vulnerable ports at install-time directly operates on the
auditfile and has the same vulnerability as portaudit. As
the Ports Collection infrastructure does not have a version
number, just be sure to have a Ports Collection new enough to
contain the fix for portaudit. Note that this is <em>only</em>
a problem for users who have portaudit installed, as they will
not have the audit database installed or downloaded
otherwise.</p>
</body>
</description>
<references>
<url>http://cvsweb.FreeBSD.org/ports/ports-mgmt/portaudit/Makefile#rev1.30</url>
<url>http://cvsweb.FreeBSD.org/ports/Mk/bsd.port.mk#rev1.707</url>
</references>
<dates>
<discovery>2012-03-11</discovery>
<entry>2012-03-11</entry>
</dates>
</vuln>
<vuln vid="ab1f515d-6b69-11e1-8288-00262d5ed8ee">
<topic>chromium -- Errant plug-in load and GPU process memory corruption</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.79</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[117620] [117656] Critical CVE-2011-3047: Errant plug-in load and
GPU process memory corruption. Credit to PinkiePie.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3047</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-03-10</discovery>
<entry>2012-03-11</entry>
</dates>
</vuln>
<vuln vid="9da3834b-6a50-11e1-91af-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.1r102.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-05.html">
<p>These vulnerabilities could cause a crash and potentially allow
an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0768</cvename>
<cvename>CVE-2012-0769</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-05.html</url>
</references>
<dates>
<discovery>2012-03-05</discovery>
<entry>2012-03-09</entry>
</dates>
</vuln>
<vuln vid="1015e1fe-69ce-11e1-8288-00262d5ed8ee">
<topic>chromium -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.78</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[117226] [117230] Critical CVE-2011-3046: UXSS and bad history
navigation. Credit to Sergey Glazunov.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3046</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-03-08</discovery>
<entry>2012-03-09</entry>
</dates>
</vuln>
<vuln vid="9448a82f-6878-11e1-865f-00e0814cab4e">
<topic>jenkins -- XSS vulnerability</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>1.453</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory reports:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05">
<p>An XSS vulnerability was found in Jenkins core, which allows an
attacker to inject malicious HTML into pages served by Jenkins.
This allows an attacker to escalate his privileges by hijacking
sessions of other users. This vulnerability affects all
versions.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05</url>
</references>
<dates>
<discovery>2012-03-05</discovery>
<entry>2012-03-07</entry>
</dates>
</vuln>
<vuln vid="99aef698-66ed-11e1-8288-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.65</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[105867] High CVE-2011-3031: Use-after-free in v8 element wrapper.
Credit to Chamal de Silva.</p>
<p>[108037] High CVE-2011-3032: Use-after-free in SVG value handling.
Credit to Arthur Gerkis.</p>
<p>[108406] [115471] High CVE-2011-3033: Buffer overflow in the Skia
drawing library. Credit to Aki Helin of OUSPG.</p>
<p>[111748] High CVE-2011-3034: Use-after-free in SVG document
handling. Credit to Arthur Gerkis.</p>
<p>[112212] High CVE-2011-3035: Use-after-free in SVG use handling.
Credit to Arthur Gerkis.</p>
<p>[113258] High CVE-2011-3036: Bad cast in line box handling. Credit
to miaubiz.</p>
<p>[113439] [114924] [115028] High CVE-2011-3037: Bad casts in
anonymous block splitting. Credit to miaubiz.</p>
<p>[113497] High CVE-2011-3038: Use-after-free in multi-column
handling. Credit to miaubiz.</p>
<p>[113707] High CVE-2011-3039: Use-after-free in quote handling.
Credit to miaubiz.</p>
<p>[114054] High CVE-2011-3040: Out-of-bounds read in text handling.
Credit to miaubiz.</p>
<p>[114068] High CVE-2011-3041: Use-after-free in class attribute
handling. Credit to miaubiz.</p>
<p>[114219] High CVE-2011-3042: Use-after-free in table section
handling. Credit to miaubiz.</p>
<p>[115681] High CVE-2011-3043: Use-after-free in flexbox with floats.
Credit to miaubiz.</p>
<p>[116093] High CVE-2011-3044: Use-after-free with SVG animation
elements. Credit to Arthur Gerkis.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3031</cvename>
<cvename>CVE-2011-3032</cvename>
<cvename>CVE-2011-3033</cvename>
<cvename>CVE-2011-3034</cvename>
<cvename>CVE-2011-3035</cvename>
<cvename>CVE-2011-3036</cvename>
<cvename>CVE-2011-3037</cvename>
<cvename>CVE-2011-3038</cvename>
<cvename>CVE-2011-3039</cvename>
<cvename>CVE-2011-3040</cvename>
<cvename>CVE-2011-3041</cvename>
<cvename>CVE-2011-3042</cvename>
<cvename>CVE-2011-3043</cvename>
<cvename>CVE-2011-3044</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-03-04</discovery>
<entry>2012-03-05</entry>
</dates>
</vuln>
<vuln vid="eba70db4-6640-11e1-98af-00262d8b701d">
<topic>dropbear -- arbitrary code execution</topic>
<affects>
<package>
<name>dropbear</name>
<range><ge>0.51</ge><lt>2012.55</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Dropbear project reports:</p>
<blockquote cite="http://xforce.iss.net/xforce/xfdb/73444">
<p>Dropbear SSH Server could allow a remote authenticated attacker
to execute arbitrary code on the system, caused by a use-after-free
error. If a command restriction is enforced, an attacker
could exploit this vulnerability to execute arbitrary code on
the system with root privileges.</p>
</blockquote>
</body>
</description>
<references>
<bid>52159</bid>
<cvename>CVE-2012-0920</cvename>
<url>http://secunia.com/advisories/48147</url>
<url>http://xforce.iss.net/xforce/xfdb/73444</url>
</references>
<dates>
<discovery>2012-02-22</discovery>
<entry>2012-03-04</entry>
</dates>
</vuln>
<vuln vid="46aeba13-64a1-11e1-bc16-0023ae8e59f0">
<topic>openx -- security issue</topic>
<affects>
<package>
<name>openx</name>
<range><lt>2.8.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenX reports:</p>
<blockquote cite="http://blog.openx.org/12/security-matters-3/">
<p>Recently we became aware of a security issue with OpenX Source
v2.8.7 and, in response, we've now issued and released
OpenX Source v2.8.8 to address it.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.openx.org/12/security-matters-3</url>
</references>
<dates>
<discovery>2011-12-01</discovery>
<entry>2012-03-02</entry>
</dates>
</vuln>
<vuln vid="174b8864-6237-11e1-be18-14dae938ec40">
<topic>databases/postgresql*-client -- multiple vulnerabilities</topic>
<affects>
<package>
<name>postgresql-client</name>
<range><lt>8.3.18</lt></range>
<range><ge>8.4</ge><lt>8.4.11</lt></range>
<range><ge>9</ge><lt>9.0.7</lt></range>
<range><ge>9.1</ge><lt>9.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL Global Development Group reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1377/">
<p>These vulnerabilities could allow users to define triggers that
execute functions on which the user does not have EXECUTE
permission, allow SSL certificate spoofing and allow line breaks
in object names to be exploited to execute code when loading a
pg_dump file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0866</cvename>
<cvename>CVE-2012-0867</cvename>
<cvename>CVE-2012-0868</cvename>
<url>http://www.postgresql.org/about/news/1377/</url>
</references>
<dates>
<discovery>2012-02-27</discovery>
<entry>2012-02-28</entry>
</dates>
</vuln>
<vuln vid="f63bf080-619d-11e1-91af-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.1r102.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-03.html">
<p>These vulnerabilities could cause a crash and potentially allow
an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0751</cvename>
<cvename>CVE-2012-0752</cvename>
<cvename>CVE-2012-0753</cvename>
<cvename>CVE-2012-0754</cvename>
<cvename>CVE-2012-0755</cvename>
<cvename>CVE-2012-0756</cvename>
<cvename>CVE-2012-0767</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-03.html</url>
</references>
<dates>
<discovery>2012-02-15</discovery>
<entry>2012-02-27</entry>
</dates>
</vuln>
<vuln vid="57f1a624-6197-11e1-b98c-bcaec565249c">
<topic>libxml2 -- heap buffer overflow</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.7.8_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Google Chrome team reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html">
<p>Heap-based buffer overflow in libxml2, allows remote attackers
to cause a denial of service or possibly have unspecified other
impact via unknown vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3919</cvename>
<url>http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html</url>
</references>
<dates>
<discovery>2012-01-05</discovery>
<entry>2012-02-27</entry>
</dates>
</vuln>
<vuln vid="ba51c2f7-5b43-11e1-8288-00262d5ed8ee">
<topic>plib -- remote code execution via buffer overflow</topic>
<affects>
<package>
<name>torcs</name>
<range><lt>1.3.3</lt></range>
</package>
<package>
<name>plib</name>
<range><le>1.8.5_3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/47297/">
<p>A vulnerability has been discovered in PLIB, which can be
exploited by malicious people to compromise an application using
the library.</p>
<p>The vulnerability is caused due to a boundary error within the
"ulSetError()" function (src/util/ulError.cxx) when creating the
error message, which can be exploited to overflow a static
buffer.</p>
<p>Successful exploitation allows the execution of arbitrary code
but requires that the attacker can e.g. control the content of
an overly long error message passed to the "ulSetError()"
function.</p>
<p>The vulnerability is confirmed in version 1.8.5. Other versions
may also be affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4620</cvename>
<url>http://secunia.com/advisories/47297/</url>
<url>http://torcs.sourceforge.net/index.php?name=News&amp;file=article&amp;sid=79</url>
</references>
<dates>
<discovery>2011-12-21</discovery>
<entry>2012-02-19</entry>
</dates>
</vuln>
<vuln vid="fdd1c316-5a3d-11e1-8d3e-e0cb4e266481">
<topic>phpMyAdmin -- XSS in replication setup</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.10.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php">
<p>It was possible to conduct XSS using a crafted database name.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1190</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php</url>
</references>
<dates>
<discovery>2012-02-18</discovery>
<entry>2012-02-18</entry>
</dates>
</vuln>
<vuln vid="da317bc9-59a6-11e1-bc16-0023ae8e59f0">
<topic>piwik -- xss and click-jacking issues</topic>
<affects>
<package>
<name>piwik</name>
<range><lt>1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Piwik Team reports:</p>
<blockquote cite="http://piwik.org/blog/2012/02/7775/">
<p>We would like to thank the following security researchers for
their responsible disclosure of XSS and click-jacking issues:
Piotr Duszynski, Sergey Markov, Mauro Gentile.</p>
</blockquote>
</body>
</description>
<references>
<url>http://piwik.org/blog/2012/02/7775/</url>
</references>
<dates>
<discovery>2012-02-16</discovery>
<entry>2012-02-16</entry>
</dates>
</vuln>
<vuln vid="d7dbd2db-599c-11e1-a2fb-14dae9ebcf89">
<topic>mozilla -- heap-buffer overflow</topic>
<affects>
<package>
<name>firefox</name>
<range><ge>10.0,1</ge><lt>10.0.2,1</lt></range>
<range><ge>3.6.*,1</ge><lt>3.6.27</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><ge>10.0,1</ge><lt>10.0.2,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><ge>2.7</ge><lt>2.7.2</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>10.0</ge><lt>10.0.2</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><ge>2.7</ge><lt>2.7.2</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>10.0</ge><lt>10.0.2</lt></range>
<range><gt>3.1.*</gt><lt>3.1.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-11 libpng integer overflow</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3026</cvename>
<url>https://www.mozilla.org/security/announce/2012/mfsa2012-11.html</url>
</references>
<dates>
<discovery>2012-02-16</discovery>
<entry>2012-02-17</entry>
<modified>2012-03-18</modified>
</dates>
</vuln>
<vuln vid="2f5ff968-5829-11e1-8288-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.56</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[105803] High CVE-2011-3015: Integer overflows in PDF codecs.
Credit to Google Chrome Security Team (scarybeasts).</p>
<p>[106336] Medium CVE-2011-3016: Read-after-free with counter nodes.
Credit to miaubiz.</p>
<p>[108695] High CVE-2011-3017: Possible use-after-free in database
handling. Credit to miaubiz.</p>
<p>[110172] High CVE-2011-3018: Heap overflow in path rendering.
Credit to Aki Helin of OUSPG.</p>
<p>[110849] High CVE-2011-3019: Heap buffer overflow in MKV handling.
Credit to Google Chrome Security Team (scarybeasts) and Mateusz
Jurczyk of the Google Security Team.</p>
<p>[111575] Medium CVE-2011-3020: Native client validator error.
Credit to Nick Bray of the Chromium development community.</p>
<p>[111779] High CVE-2011-3021: Use-after-free in subframe loading.
Credit to Arthur Gerkis.</p>
<p>[112236] Medium CVE-2011-3022: Inappropriate use of http for
translation script. Credit to Google Chrome Security Team (Jorge
Obes).</p>
<p>[112259] Medium CVE-2011-3023: Use-after-free with drag and drop.
Credit to pa_kt.</p>
<p>[112451] Low CVE-2011-3024: Browser crash with empty x509
certificate. Credit to chrometot.</p>
<p>[112670] Medium CVE-2011-3025: Out-of-bounds read in h.264
parsing. Credit to Slawomir Blazek.</p>
<p>[112822] High CVE-2011-3026: Integer overflow / truncation in
libpng. Credit to Juri Aedla.</p>
<p>[112847] Medium CVE-2011-3027: Bad cast in column handling.
Credit to miaubiz.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3015</cvename>
<cvename>CVE-2011-3016</cvename>
<cvename>CVE-2011-3017</cvename>
<cvename>CVE-2011-3018</cvename>
<cvename>CVE-2011-3019</cvename>
<cvename>CVE-2011-3020</cvename>
<cvename>CVE-2011-3021</cvename>
<cvename>CVE-2011-3022</cvename>
<cvename>CVE-2011-3023</cvename>
<cvename>CVE-2011-3024</cvename>
<cvename>CVE-2011-3025</cvename>
<cvename>CVE-2011-3026</cvename>
<cvename>CVE-2011-3027</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-02-15</discovery>
<entry>2012-02-15</entry>
</dates>
</vuln>
<vuln vid="b4f8be9e-56b2-11e1-9fb7-003067b2972c">
<topic>Python -- DoS via malformed XML-RPC / HTTP POST request</topic>
<affects>
<package>
<name>python32</name>
<range><le>3.2.2_2</le></range>
</package>
<package>
<name>python31</name>
<range><le>3.1.4_2</le></range>
</package>
<package>
<name>python27</name>
<range><le>2.7.2_3</le></range>
</package>
<package>
<name>python26</name>
<range><le>2.6.7_2</le></range>
</package>
<package>
<name>python25</name>
<range><le>2.5.6_2</le></range>
</package>
<package>
<name>python24</name>
<range><le>2.4.5_8</le></range>
</package>
<package>
<name>pypy</name>
<!-- note that it also affects 1.8 but we do not yet have
this version in ports. -->
<range><le>1.7</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jan Lieskovsky reports:</p>
<blockquote cite="http://bugs.python.org/issue14001">
<p>A denial of service flaw was found in the way the Simple XML-RPC
Server module of Python processed client connections that were
closed before the complete request body had been received. A
remote attacker could use this flaw to cause a Python Simple
XML-RPC based server process to consume an excessive amount of
CPU.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0845</cvename>
<url>http://bugs.python.org/issue14001</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=789790</url>
<url>https://bugs.pypy.org/issue1047</url>
</references>
<dates>
<discovery>2012-02-13</discovery>
<entry>2012-02-14</entry>
<modified>2012-02-26</modified>
</dates>
</vuln>
<vuln vid="2b20fd5f-552e-11e1-9fb7-003067b2972c">
<topic>WebCalendar -- Persistent XSS</topic>
<affects>
<package>
<name>WebCalendar</name>
<range><le>1.2.4</le></range>
</package>
<package>
<name>WebCalendar-devel</name>
<range><le>1.2.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>tom reports:</p>
<blockquote cite="http://seclists.org/bugtraq/2012/Jan/128">
<p>There is no sanitization of the input of the location variable,
allowing for persistent XSS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0846</cvename>
<url>http://sourceforge.net/tracker/?func=detail&amp;aid=3472745&amp;group_id=3870&amp;atid=103870</url>
</references>
<dates>
<discovery>2012-01-11</discovery>
<entry>2012-02-12</entry>
<modified>2012-02-13</modified>
</dates>
</vuln>
<vuln vid="eba9aa94-549c-11e1-b6b7-0011856a6e37">
<topic>mozilla -- use after free in nsXBLDocumentInfo::ReadPrototypeBindings</topic>
<affects>
<package>
<name>firefox</name>
<range><ge>10.0,1</ge><lt>10.0.1,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><ge>10.0,1</ge><lt>10.0.1,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><ge>2.7</ge><lt>2.7.1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>10.0</ge><lt>10.0.1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><ge>2.7</ge><lt>2.7.1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>10.0</ge><lt>10.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-10 use after free in nsXBLDocumentInfo::ReadPrototypeBindings</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0452</cvename>
<url>https://www.mozilla.org/security/announce/2012/mfsa2012-10.html</url>
</references>
<dates>
<discovery>2012-02-10</discovery>
<entry>2012-02-11</entry>
</dates>
</vuln>
<vuln vid="1c4cab30-5468-11e1-9fb7-003067b2972c">
<topic>bip -- buffer overflow</topic>
<affects>
<package>
<name>bip</name>
<range><le>0.8.8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Julien Tinnes reports:</p>
<blockquote cite="https://projects.duckcorp.org/issues/269">
<p>Bip doesn't check if fd is equal to or larger than FD_SETSIZE.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0806</cvename>
<url>https://projects.duckcorp.org/projects/bip/repository/revisions/222a33cb84a2e52ad55a88900b7895bf9dd0262c</url>
<url>https://projects.duckcorp.org/issues/269</url>
</references>
<dates>
<discovery>2012-01-07</discovery>
<entry>2012-02-11</entry>
</dates>
</vuln>
<vuln vid="039d057e-544e-11e1-9fb7-003067b2972c">
<topic>surf -- private information disclosure</topic>
<affects>
<package>
<name>surf</name>
<range><le>0.4.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>surf does not protect its cookie jar against read access from
other local users.</p>
</body>
</description>
<references>
<cvename>CVE-2012-0842</cvename>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296</url>
</references>
<dates>
<discovery>2012-02-10</discovery>
<entry>2012-02-11</entry>
</dates>
</vuln>
<vuln vid="7c769c89-53c2-11e1-8e52-00163e22ef61">
<topic>glpi -- remote attack via crafted POST request</topic>
<affects>
<package>
<name>glpi</name>
<range><lt>0.80.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The GLPI project reports:</p>
<blockquote cite="http://www.glpi-project.org/spip.php?page=annonce&amp;id_breve=237&amp;lang=en">
<p>The autocompletion functionality in GLPI before 0.80.2 does not
blacklist certain username and password fields, which allows
remote attackers to obtain sensitive information via a crafted
POST request.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.glpi-project.org/spip.php?page=annonce&amp;id_breve=237&amp;lang=en</url>
<url>https://forge.indepnet.net/issues/3017</url>
<cvename>CVE-2011-2720</cvename>
</references>
<dates>
<discovery>2011-07-20</discovery>
<entry>2012-02-10</entry>
</dates>
</vuln>
<vuln vid="fe1976c2-5317-11e1-9e99-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.46</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[73478] Low CVE-2011-3953: Avoid clipboard monitoring after paste
event. Credit to Daniel Cheng of the Chromium development
community.</p>
<p>[92550] Low CVE-2011-3954: Crash with excessive database usage.
Credit to Collin Payne.</p>
<p>[93106] High CVE-2011-3955: Crash aborting an IndexDB transaction.
Credit to David Grogan of the Chromium development community.</p>
<p>[103630] Low CVE-2011-3956: Incorrect handling of sandboxed origins
inside extensions. Credit to Devdatta Akhawe, UC Berkeley.</p>
<p>[104056] High CVE-2011-3957: Use-after-free in PDF garbage
collection. Credit to Aki Helin of OUSPG.</p>
<p>[105459] High CVE-2011-3958: Bad casts with column spans. Credit
to miaubiz.</p>
<p>[106441] High CVE-2011-3959: Buffer overflow in locale handling.
Credit to Aki Helin of OUSPG.</p>
<p>[108416] Medium CVE-2011-3960: Out-of-bounds read in audio
decoding. Credit to Aki Helin of OUSPG.</p>
<p>[108871] Critical CVE-2011-3961: Race condition after crash of
utility process. Credit to Shawn Goertzen.</p>
<p>[108901] Medium CVE-2011-3962: Out-of-bounds read in path clipping.
Credit to Aki Helin of OUSPG.</p>
<p>[109094] Medium CVE-2011-3963: Out-of-bounds read in PDF fax image
handling. Credit to Atte Kettunen of OUSPG.</p>
<p>[109245] Low CVE-2011-3964: URL bar confusion after drag + drop.
Credit to Code Audit Labs of VulnHunt.com.</p>
<p>[109664] Low CVE-2011-3965: Crash in signature check. Credit to
Slawomir Blazek.</p>
<p>[109716] High CVE-2011-3966: Use-after-free in stylesheet error
handling. Credit to Aki Helin of OUSPG.</p>
<p>[109717] Low CVE-2011-3967: Crash with unusual certificate. Credit
to Ben Carrillo.</p>
<p>[109743] High CVE-2011-3968: Use-after-free in CSS handling.
Credit to Arthur Gerkis.</p>
<p>[110112] High CVE-2011-3969: Use-after-free in SVG layout. Credit
to Arthur Gerkis.</p>
<p>[110277] Medium CVE-2011-3970: Out-of-bounds read in libxslt.
Credit to Aki Helin of OUSPG.</p>
<p>[110374] High CVE-2011-3971: Use-after-free with mousemove events.
Credit to Arthur Gerkis.</p>
<p>[110559] Medium CVE-2011-3972: Out-of-bounds read in shader
translator. Credit to Google Chrome Security Team (Inferno).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3953</cvename>
<cvename>CVE-2011-3954</cvename>
<cvename>CVE-2011-3955</cvename>
<cvename>CVE-2011-3956</cvename>
<cvename>CVE-2011-3957</cvename>
<cvename>CVE-2011-3958</cvename>
<cvename>CVE-2011-3959</cvename>
<cvename>CVE-2011-3960</cvename>
<cvename>CVE-2011-3961</cvename>
<cvename>CVE-2011-3962</cvename>
<cvename>CVE-2011-3963</cvename>
<cvename>CVE-2011-3964</cvename>
<cvename>CVE-2011-3965</cvename>
<cvename>CVE-2011-3966</cvename>
<cvename>CVE-2011-3967</cvename>
<cvename>CVE-2011-3968</cvename>
<cvename>CVE-2011-3969</cvename>
<cvename>CVE-2011-3970</cvename>
<cvename>CVE-2011-3971</cvename>
<cvename>CVE-2011-3972</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-02-08</discovery>
<entry>2012-02-09</entry>
</dates>
</vuln>
<vuln vid="10720fe8-51e0-11e1-91c1-00215c6a37bb">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.23</lt></range>
</package>
<package>
<name>drupal7</name>
<range><lt>7.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal development team reports:</p>
<blockquote cite="http://drupal.org/node/1425084">
<h3>Cross Site Request Forgery vulnerability in Aggregator
module</h3>
<p>CVE: CVE-2012-0826</p>
<p>An XSRF vulnerability can force an aggregator feed to update.
Since some services are rate-limited (e.g. Twitter limits
requests to 150 per hour) this could lead to a denial of
service.</p>
<p>This issue affects Drupal 6.x and 7.x.</p>
<h3>OpenID not verifying signed attributes in SREG and AX</h3>
<p>CVE: CVE-2012-0825</p>
<p>A group of security researchers identified a flaw in how some
OpenID relying parties implement Attribute Exchange (AX). Not
verifying that attributes being passed through AX have been
signed could allow an attacker to modify users' information.</p>
<p>This issue affects Drupal 6.x and 7.x.</p>
<h3>Access bypass in File module</h3>
<p>CVE: CVE-2012-0827</p>
<p>When using private files in combination with certain field
access modules, the File module will allow users to download
the file even if they do not have access to view the field it
was attached to.</p>
<p>This issue affects Drupal 7.x only.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0825</cvename>
<cvename>CVE-2012-0826</cvename>
<cvename>CVE-2012-0827</cvename>
</references>
<dates>
<discovery>2012-02-01</discovery>
<entry>2012-02-07</entry>
</dates>
</vuln>
<vuln vid="309542b5-50b9-11e1-b0d8-00151735203a">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>2.4.*</ge><lt>3.6.8</lt></range>
<range><ge>4.0.*</ge><lt>4.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4.12/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<ul>
<li>Account Impersonation:
When a user creates a new account, Bugzilla doesn't correctly
reject email addresses containing non-ASCII characters, which
could be used to impersonate another user account. Such email
addresses could look visually identical to other valid email
addresses, and an attacker could try to confuse other users
and be added to bugs he shouldn't have access to.</li>
<li>Cross-Site Request Forgery:
Due to a lack of validation of the Content-Type header when
making POST requests to jsonrpc.cgi, a possible CSRF
vulnerability was discovered. If a user visits an HTML page
with some malicious JS code in it, an attacker could make
changes to a remote Bugzilla installation on behalf of the
victim's account by using the JSON-RPC API. The user would
have had to be already logged in to the target site for the
vulnerability to work.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0448</cvename>
<cvename>CVE-2012-0440</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=714472</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=718319</url>
</references>
<dates>
<discovery>2012-01-31</discovery>
<entry>2012-02-06</entry>
</dates>
</vuln>
<vuln vid="3fd040be-4f0b-11e1-9e32-0025900931f8">
<topic>php -- arbitrary remote code execution vulnerability</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.3.9</ge><lt>5.3.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/47806/">
<p>A vulnerability has been reported in PHP, which can be exploited
by malicious people to compromise a vulnerable system.</p>
<p>The vulnerability is caused due to a logic error within the
"php_register_variable_ex()" function (php_variables.c) when
hashing form posts and updating a hash table, which can be
exploited to execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0830</cvename>
<url>http://www.php.net/archive/2012.php#id2012-02-02-1</url>
<url>http://secunia.com/advisories/47806/</url>
</references>
<dates>
<discovery>2012-02-02</discovery>
<entry>2012-02-04</entry>
<modified>2012-02-06</modified>
</dates>
</vuln>
<vuln vid="6e7ad1d7-4e27-11e1-8e12-90e6ba8a36a2">
<topic>mathopd -- directory traversal vulnerability</topic>
<affects>
<package>
<name>mathopd</name>
<range><lt>1.5p7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michiel Boland reports:</p>
<blockquote cite="http://www.mathopd.org/security.html">
<p>The software has a vulnerability that could lead to directory
traversal if the '*' construct for mass virtual hosting is
used.</p>
</blockquote>
</body>
</description>
<references>
<mlist msgid="4F2AFEF2.5040708@boland.org">http://www.mail-archive.com/mathopd%40mathopd.org/msg00392.html</mlist>
<url>http://www.mathopd.org/security.html</url>
</references>
<dates>
<discovery>2012-02-02</discovery>
<entry>2012-02-03</entry>
</dates>
</vuln>
<vuln vid="4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0">
<topic>apache -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apache</name>
<range><gt>2.*</gt><lt>2.2.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE MITRE reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_22.html">
<p>An exposure was found when using mod_proxy in reverse proxy
mode. In certain configurations using RewriteRule with proxy
flag or ProxyPassMatch, a remote attacker could cause the reverse
proxy to connect to an arbitrary server, possibly disclosing
sensitive information from internal web servers not directly
accessible to attacker.</p>
<p>Integer overflow in the ap_pregsub function in server/util.c in
the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through
2.2.21, when the mod_setenvif module is enabled, allows local
users to gain privileges via a .htaccess file with a crafted
SetEnvIf directive, in conjunction with a crafted HTTP request
header, leading to a heap-based buffer overflow.</p>
<p>An additional exposure was found when using mod_proxy in
reverse proxy mode. In certain configurations using RewriteRule
with proxy flag or ProxyPassMatch, a remote attacker could cause
the reverse proxy to connect to an arbitrary server, possibly
disclosing sensitive information from internal web servers
not directly accessible to attacker.</p>
<p>A flaw was found in mod_log_config. If the '%{cookiename}C' log
format string is in use, a remote attacker could send a specific
cookie causing a crash. This crash would only be a denial of
service if using a threaded MPM.</p>
<p>A flaw was found in the handling of the scoreboard. An
unprivileged child process could cause the parent process to
crash at shutdown rather than terminate cleanly.</p>
<p>A flaw was found in the default error response for status code
400. This flaw could be used by an attacker to expose
"httpOnly" cookies when no custom ErrorDocument is specified.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3368</cvename>
<cvename>CVE-2011-3607</cvename>
<cvename>CVE-2011-4317</cvename>
<cvename>CVE-2012-0021</cvename>
<cvename>CVE-2012-0031</cvename>
<cvename>CVE-2012-0053</cvename>
</references>
<dates>
<discovery>2011-10-05</discovery>
<entry>2012-01-31</entry>
</dates>
</vuln>
<vuln vid="0a9e2b72-4cb7-11e1-9146-14dae9ebcf89">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>10.0,1</lt></range>
<range><ge>3.6.*,1</ge><lt>3.6.26</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.7</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.7</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>10.0</lt></range>
<range><gt>3.1.*</gt><lt>3.1.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/
rv:1.9.2.26)</p>
<p>MFSA 2012-02 Overly permissive IPv6 literal syntax</p>
<p>MFSA 2012-03 iframe element exposed across domains via name
attribute</p>
<p>MFSA 2012-04 Child nodes from nsDOMAttribute still accessible
after removal of nodes</p>
<p>MFSA 2012-05 Frame scripts calling into untrusted objects bypass
security checks</p>
<p>MFSA 2012-06 Uninitialized memory appended when encoding icon
images may cause information disclosure</p>
<p>MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis
files</p>
<p>MFSA 2012-08 Crash with malformed embedded XSLT stylesheets</p>
<p>MFSA 2012-09 Firefox Recovery Key.html is saved with unsafe
permission</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0442</cvename>
<cvename>CVE-2012-0443</cvename>
<cvename>CVE-2011-3670</cvename>
<cvename>CVE-2012-0445</cvename>
<cvename>CVE-2011-3659</cvename>
<cvename>CVE-2012-0446</cvename>
<cvename>CVE-2012-0447</cvename>
<cvename>CVE-2012-0449</cvename>
<cvename>CVE-2012-0450</cvename>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-01.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-02.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-03.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-04.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-05.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-06.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-07.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-08.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-09.html</url>
</references>
<dates>
<discovery>2012-01-31</discovery>
<entry>2012-02-01</entry>
<modified>2012-03-18</modified>
</dates>
</vuln>
<vuln vid="7c920bb7-4b5f-11e1-9f47-00e0815b8da8">
<topic>sudo -- format string vulnerability</topic>
<affects>
<package>
<name>sudo</name>
<range><ge>1.8.0</ge><lt>1.8.3_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.gratisoft.us/sudo/alerts/sudo_debug.html">
<p>Sudo 1.8.0 introduced simple debugging support that was primarily
intended for use when developing policy or I/O logging plugins.
The sudo_debug() function contains a flaw where the program name
is used as part of the format string passed to the fprintf()
function. The program name can be controlled by the caller,
either via a symbolic link or, on some systems, by setting argv[0]
when executing sudo.</p>
<p>Using standard format string vulnerability exploitation
techniques it is possible to leverage this bug to achieve root
privileges.</p>
<p>Exploitation of the bug does not require that the attacker be
listed in the sudoers file. As such, we strongly suggest that
affected sites upgrade from affected sudo versions as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0809</cvename>
<url>http://www.gratisoft.us/sudo/alerts/sudo_debug.html</url>
</references>
<dates>
<discovery>2012-01-30</discovery>
<entry>2012-01-30</entry>
<modified>2012-01-31</modified>
</dates>
</vuln>
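The sudo alert above names the bug precisely: a caller-controlled program name ends up inside the format argument of fprintf(). The added example below is not sudo's code; the function names and the "hostile" argv[0] value are the editor's constructions. It shows the safe shape of the call (a fixed format string, the name passed as a %s argument) and a small helper for auditing untrusted strings for conversion directives.

```c
/* Added example (not sudo's code): the fixed form of a debug line that
 * includes a caller-chosen program name, plus a directive counter for
 * auditing values that reach a format argument. */
#include <stdio.h>
#include <string.h>

/*
 * Unsafe pattern (do not copy): anything of the form
 *     fprintf(fp, progname);             or
 *     fprintf(fp, built_from(progname)); // progname spliced into the format
 * With argv[0] or a symlink name of "%n%n%n" or "%x %x %x", printf reads
 * from and writes to the stack under attacker control; in a setuid binary
 * that is a root compromise.
 *
 * Fixed pattern: the format string is a literal, progname is data.
 */
int
debug_line_safe(char *out, size_t outsz, const char *progname, const char *msg)
{
    int n = snprintf(out, outsz, "%s: %s", progname, msg);
    if (n < 0 || (size_t)n >= outsz)
        return -1;          /* error or truncated */
    return n;
}

/* Count printf directives in an untrusted string; everything except the
 * literal "%%" counts. Handy as a test oracle for values that must never
 * be interpreted as a format. */
int
count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* escaped percent, not a directive */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* 1 if a hostile program name comes out verbatim, i.e. it was printed as
 * data rather than interpreted as directives. */
int
demo_format_string(void)
{
    char out[128];
    const char *hostile = "sudo%n%n%x";        /* constructed argv[0] */

    if (count_format_directives(hostile) != 3)
        return 0;
    if (debug_line_safe(out, sizeof out, hostile, "hello") < 0)
        return 0;
    return strcmp(out, "sudo%n%n%x: hello") == 0;
}
```

Compilers catch the plain `fprintf(fp, progname)` form when -Wformat-security is on; the spliced form, where the name is concatenated into a buffer that is then used as the format, is the one that slips past that warning and needs review by hand.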
<vuln vid="e51d5b1a-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- pam_ssh() does not validate service names</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_7</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:10.pam.asc">
<h1>Problem Description:</h1>
<p>Some third-party applications, including KDE's kcheckpass command,
allow the user to specify the name of the policy on the command
line. Since OpenPAM treats the policy name as a path relative to
/etc/pam.d or /usr/local/etc/pam.d, users who are permitted to run
such an application can craft their own policies and cause the
application to load and execute their own modules.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:10.pam</freebsdsa>
<cvename>CVE-2011-4122</cvename>
</references>
<dates>
<discovery>2011-12-23</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
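The advisory above explains the root cause: OpenPAM joins the policy name to /etc/pam.d or /usr/local/etc/pam.d, so a program that lets the user pick the name (kcheckpass is the example given) lets the user pick the file, and with it the modules that get loaded. The added example below is not OpenPAM's or KDE's code; the function name and the accepted character set are the editor's choices. It is the validation such a program can apply before calling pam_start(3).

```c
/* Added example (not OpenPAM's or KDE's code): accept only a policy name
 * that can select a file directly inside the policy directories. */
#include <ctype.h>
#include <string.h>

/*
 * A name such as "../../tmp/evil" or "/tmp/evil" resolves to a policy
 * file the caller wrote, and OpenPAM would then load the modules listed
 * in it. Accept only a plain file name built from [A-Za-z0-9._-] that
 * does not start with a dot (rejects "." and ".." as well), with a
 * length cap so the name cannot be used to exhaust path buffers.
 */
int
pam_policy_name_ok(const char *name)
{
    size_t len;

    if (name == NULL || (len = strlen(name)) == 0 || len > 64)
        return 0;
    if (name[0] == '.')
        return 0;   /* ".", ".." and hidden files */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;   /* '/' and everything else outside the set */
    }
    return 1;
}
```

Calling code would do `if (!pam_policy_name_ok(argv[1])) exit(1);` before `pam_start(argv[1], ...)`. Better still is to not take the name from the user at all and hard-code the one the program needs.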
<vuln vid="eda151d8-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- pam_ssh improperly grants access when user account has unencrypted SSH private keys</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_7</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc">
<h1>Problem Description:</h1>
<p>The OpenSSL library call used to decrypt private keys ignores the
passphrase argument if the key is not encrypted. Because the
pam_ssh module only checks whether the passphrase provided by the
user is null, users with unencrypted SSH private keys may
successfully authenticate themselves by providing a dummy
passphrase.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:09.pam_ssh</freebsdsa>
</references>
<dates>
<discovery>2011-12-23</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="f56390a4-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- Buffer overflow in handling of UNIX socket addresses</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_8</lt></range>
<range><ge>7.4</ge><lt>7.4_4</lt></range>
<range><ge>8.1</ge><lt>8.1_6</lt></range>
<range><ge>8.2</ge><lt>8.2_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc">
<h1>Problem Description:</h1>
<p>When a UNIX-domain socket is attached to a location using the
bind(2) system call, the length of the provided path is not
validated. Later, when this address was returned via other system
calls, it is copied into a fixed-length buffer.</p>
<p>Linux uses a larger socket address structure for UNIX-domain
sockets than FreeBSD, and the FreeBSD's linux emulation code did
not translate UNIX-domain socket addresses into the correct size
of structure.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:05.unix</freebsdsa>
</references>
<dates>
<discovery>2011-09-28</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="fee94342-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- errors handling corrupt compress file in compress(1) and gzip(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_7</lt></range>
<range><ge>7.4</ge><lt>7.4_3</lt></range>
<range><ge>8.1</ge><lt>8.1_5</lt></range>
<range><ge>8.2</ge><lt>8.2_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:04.compress.asc">
<h1>Problem Description:</h1>
<p>The code used to decompress a file created by compress(1) does not
do sufficient boundary checks on compressed code words, allowing
reference beyond the decompression table, which may result in a
stack overflow or an infinite loop when the decompressor encounters
a corrupted file.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:04.compress</freebsdsa>
<cvename>CVE-2011-2895</cvename>
</references>
<dates>
<discovery>2011-09-28</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="7a09a8df-ca41-11df-aade-0050568f000c">
<topic>FreeBSD -- Network ACL mishandling in mountd(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_5</lt></range>
<range><ge>7.4</ge><lt>7.4_1</lt></range>
<range><ge>8.1</ge><lt>8.1_3</lt></range>
<range><ge>8.2</ge><lt>8.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:01.mountd.asc">
<h1>Problem Description:</h1>
<p>While parsing the exports(5) table, a network mask in the form of
"-network=netname/prefixlength" results in an incorrect network mask
being computed if the prefix length is not a multiple of 8.</p>
<p>For example, specifying the ACL for an export as "-network
192.0.2.0/23" would result in a netmask of 255.255.127.0 being used
instead of the correct netmask of 255.255.254.0.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:01.mountd</freebsdsa>
<cvename>CVE-2011-1739</cvename>
</references>
<dates>
<discovery>2011-04-20</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
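The mountd advisory above gives a concrete wrong result (255.255.127.0 instead of 255.255.254.0 for a /23) but not what that does to an export ACL. The added example below is not mountd's code; the helper names and the test addresses are the editor's. It computes the mask correctly for any prefix length and then shows, using the wrong mask quoted in the advisory, that a host outside the export is admitted while a host inside it is refused.

```c
/* Added example (not mountd's code): correct prefix-to-netmask
 * conversion, and the effect of the wrong mask quoted in SA-11:01 on an
 * export ACL match. */
#include <stdint.h>
#include <stdio.h>

/* Correct mask for a prefix length of 0..32, as a host-order uint32_t.
 * Works for any length, not only multiples of 8. */
uint32_t
prefix_to_mask(int plen)
{
    if (plen <= 0)
        return 0;
    if (plen >= 32)
        return 0xffffffffu;
    return 0xffffffffu << (32 - plen);
}

static uint32_t
ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
}

/* The ACL test an exports(5) -network entry boils down to. */
int
acl_match(uint32_t host, uint32_t network, uint32_t mask)
{
    return (host & mask) == (network & mask);
}

/* Returns 1 if the advisory's effect reproduces: with 255.255.127.0 in
 * place of 255.255.254.0 for 192.0.2.0/23, 192.0.130.7 (outside the
 * export) is admitted and 192.0.3.7 (inside it) is refused. */
int
demo_mountd_mask(void)
{
    uint32_t net = ip4(192, 0, 2, 0);
    uint32_t good = prefix_to_mask(23);          /* 255.255.254.0 */
    uint32_t bad = ip4(255, 255, 127, 0);        /* mask quoted by the advisory */
    uint32_t inside = ip4(192, 0, 3, 7);         /* constructed hosts */
    uint32_t outside = ip4(192, 0, 130, 7);

    if (good != ip4(255, 255, 254, 0))
        return 0;
    if (!acl_match(inside, net, good) || acl_match(outside, net, good))
        return 0;                                /* correct mask behaves */
    return acl_match(outside, net, bad) && !acl_match(inside, net, bad);
}

int
main(void)
{
    uint32_t m = prefix_to_mask(23);

    printf("/23 -> %u.%u.%u.%u\n", (unsigned)(m >> 24), (unsigned)(m >> 16) & 255,
           (unsigned)(m >> 8) & 255, (unsigned)m & 255);
    printf("advisory effect reproduces: %d\n", demo_mountd_mask());
    return 0;
}
```

The security relevance is the first half of the demo: a mask with a cleared high bit in the partial byte does not merely shrink the export, it admits a whole set of unrelated networks whose third octet happens to match in the low seven bits.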
<vuln vid="93688f8f-4935-11e1-89b4-001ec9578670">
<topic>postfixadmin -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>postfixadmin</name>
<range><lt>2.3.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Postfix Admin Team reports:</p>
<blockquote cite="http://sourceforge.net/projects/postfixadmin/forums/forum/676076/topic/4977778">
<p>Multiple XSS vulnerabilities exist:</p>
<ul>
<li>XSS with $_GET[domain] in templates/menu.php and
edit-vacation</li>
<li>XSS in some create-domain input fields</li>
<li>XSS in create-alias and edit-alias error message</li>
<li>XSS (by values stored in the database) in fetchmail list
view, list-domain and list-virtual</li>
</ul>
<p>Multiple SQL injection issues exist:</p>
<ul>
<li>SQL injection in pacrypt() (if $CONF[encrypt] ==
'mysql_encrypt')</li>
<li>SQL injection in backup.php - the dump was not mysql_escape()d,
therefore users could inject SQL (for example in the vacation message)
which will be executed when restoring the database dump.
WARNING: database dumps created with backup.php from 2.3.4 or older
might contain malicious SQL. Double-check before using them!</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0811</cvename>
<cvename>CVE-2012-0812</cvename>
<url>http://sourceforge.net/projects/postfixadmin/forums/forum/676076/topic/4977778</url>
</references>
<dates>
<discovery>2012-01-27</discovery>
<entry>2012-01-27</entry>
</dates>
</vuln>
<vuln vid="e465159c-4817-11e1-89b4-001ec9578670">
<topic>mpack -- Information disclosure</topic>
<affects>
<package>
<name>mpack</name>
<range><lt>1.6_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The oss-security list reports:</p>
<blockquote cite="http://openwall.com/lists/oss-security/2011/12/31/1">
<p>Incorrect permissions on temporary files can lead to
information disclosure.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4919</cvename>
<url>http://openwall.com/lists/oss-security/2011/12/31/1</url>
</references>
<dates>
<discovery>2011-12-31</discovery>
<entry>2012-01-26</entry>
</dates>
</vuln>
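The surf and mpack entries above are the same class of bug: a file holding private data (a cookie jar, a temporary spool file) is created with whatever mode the umask leaves, which on a typical 022 umask is world-readable. The added example below is neither project's code; the function names are the editor's and the path template under /tmp is constructed for the demo. It shows both creation paths done with an explicit 0600 mode and a check a test or audit can run on the resulting descriptor.

```c
/* Added example (not surf's or mpack's code): creating a file for
 * private data so no other local user can read it, and verifying that. */
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

/*
 * What goes wrong in both advisories is relying on the umask: with the
 * usual 022, creat(path, 0644) or fopen(path, "w") leaves the file
 * readable by everyone on the host. Pass 0600 explicitly, refuse to
 * follow a symlink planted at the path, and fchmod() afterwards in case
 * the file already existed with looser permissions.
 */
int
open_private_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* For temporary files: mkstemp(3) creates with mode 0600 and O_EXCL in
 * one step, so there is no window in which the name can be hijacked.
 * The template is modified in place. Returns the fd or -1. */
int
open_private_tempfile(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Audit check on an open descriptor: a regular file, owned by the caller,
 * with no group or other permission bits at all. */
int
fd_is_private(int fd)
{
    struct stat st;

    if (fstat(fd, &st) < 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid() &&
           (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* 1 if both creation paths yield a private file. Creates one file under
 * /tmp (constructed template) and removes it afterwards. */
int
demo_private_files(void)
{
    char tmpl[] = "/tmp/cookies.XXXXXX";
    int ok;

    int fd = open_private_tempfile(tmpl);
    if (fd < 0)
        return 0;
    ok = fd_is_private(fd);
    close(fd);

    /* Reopen the same path through the explicit-mode helper. */
    fd = open_private_file(tmpl);
    if (fd >= 0) {
        ok = ok && fd_is_private(fd);
        close(fd);
    } else {
        ok = 0;
    }
    unlink(tmpl);
    return ok;
}
```

For a cookie jar that is written repeatedly, the fchmod() in open_private_file() is the part that matters: it also repairs a jar that an older version of the program left world-readable.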
<vuln vid="fa2f386f-4814-11e1-89b4-001ec9578670">
<topic>acroread9 -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>acroread9</name>
<range><lt>9.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Adobe Security Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa11-04.html">
<p>An unspecified vulnerability in the U3D component allows
remote attackers to execute arbitrary code (or cause a denial
of service attack) via unknown vectors.</p>
</blockquote>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-24.html">
<p>A heap-based buffer overflow allows attackers to execute
arbitrary code via unspecified vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2462</cvename>
<cvename>CVE-2011-1353</cvename>
<cvename>CVE-2011-2431</cvename>
<cvename>CVE-2011-2432</cvename>
<cvename>CVE-2011-2433</cvename>
<cvename>CVE-2011-2434</cvename>
<cvename>CVE-2011-2435</cvename>
<cvename>CVE-2011-2436</cvename>
<cvename>CVE-2011-2437</cvename>
<cvename>CVE-2011-2438</cvename>
<cvename>CVE-2011-2439</cvename>
<cvename>CVE-2011-2440</cvename>
<cvename>CVE-2011-2441</cvename>
<cvename>CVE-2011-2442</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-24.html</url>
<url>http://www.adobe.com/support/security/advisories/apsa11-04.html</url>
</references>
<dates>
<discovery>2011-12-07</discovery>
<entry>2012-01-26</entry>
</dates>
</vuln>
<vuln vid="33d73d59-4677-11e1-88cd-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>16.0.912.77</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[106484] High CVE-2011-3924: Use-after-free in DOM selections.
Credit to Arthur Gerkis.</p>
<p>[108461] High CVE-2011-3928: Use-after-free in DOM handling.
Credit to wushi of team509 reported through ZDI (ZDI-CAN-1415).</p>
<p>[108605] High CVE-2011-3927: Uninitialized value in Skia. Credit
to miaubiz.</p>
<p>[109556] High CVE-2011-3926: Heap-buffer-overflow in tree builder.
Credit to Arthur Gerkis.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3924</cvename>
<cvename>CVE-2011-3926</cvename>
<cvename>CVE-2011-3927</cvename>
<cvename>CVE-2011-3928</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-01-23</discovery>
<entry>2012-01-24</entry>
</dates>
</vuln>
<vuln vid="3ebb2dc8-4609-11e1-9f47-00e0815b8da8">
<topic>Wireshark -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
<package>
<name>tshark</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark reports:</p>
<blockquote cite="http://www.wireshark.org/docs/relnotes/wireshark-1.6.5.html">
<p>Laurent Butti discovered that Wireshark failed to properly check
record sizes for many packet capture file formats.</p>
<p>Wireshark could dereference a NULL pointer and crash.</p>
<p>The RLC dissector could overflow a buffer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0041</cvename>
<cvename>CVE-2012-0066</cvename>
<cvename>CVE-2012-0067</cvename>
<cvename>CVE-2012-0068</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2012-01.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-02.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-03.html</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6666</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6667</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6668</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6669</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6670</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6634</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6391</url>
</references>
<dates>
<discovery>2012-01-10</discovery>
<entry>2012-01-23</entry>
</dates>
</vuln>
<vuln vid="7d2336c2-4607-11e1-9f47-00e0815b8da8">
<topic>spamdyke -- Buffer Overflow Vulnerabilities</topic>
<affects>
<package>
<name>spamdyke</name>
<range><lt>4.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The spamdyke changelog reports:</p>
<blockquote cite="http://www.spamdyke.org/documentation/Changelog.txt">
<p>Fixed a number of very serious errors in the usage of
snprintf()/vsnprintf().</p>
<p>The return value was being used as the length of the string
printed into the buffer, but the return value really indicates
the length of the string that *could* be printed if the buffer
were of infinite size. Because the returned value could be
larger than the buffer's size, this meant remotely exploitable
buffer overflows were possible, depending on spamdyke's
configuration.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0802</cvename>
<url>https://secunia.com/advisories/47548/</url>
<url>http://www.spamdyke.org/documentation/Changelog.txt</url>
</references>
<dates>
<discovery>2012-01-15</discovery>
<entry>2012-01-23</entry>
</dates>
</vuln>
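The spamdyke changelog above describes the mistake well: snprintf() returns the length the output would have had, not the number of bytes it wrote, so when the buffer is too small the return value is at least the buffer size and using it as an offset or a length walks off the end. The added example below is not spamdyke's code; the function names and the "remote" string are the editor's constructions. It shows the buggy arithmetic (without touching memory out of bounds) beside a bounded append that treats the return value as "bytes needed" and reports truncation.

```c
/* Added example (not spamdyke's code): the snprintf() return-value
 * misuse the changelog describes, beside a bounded append. */
#include <stdio.h>
#include <string.h>

/*
 * snprintf(buf, size, ...) returns the length the full output WOULD have
 * had. When the buffer is too small that number is >= size. Code that
 * feeds it back as an offset ("buf + len") or as a byte count for
 * memcpy()/write() then reads or writes past the end of the buffer, and
 * with remote-controlled input that is a remote overflow.
 */

/* The offset the buggy pattern would use after formatting `s` into a
 * buffer of `size` bytes. Nothing past `size` is touched here; the point
 * is that the returned value can exceed size - 1. */
size_t
buggy_next_offset(char *buf, size_t size, const char *s)
{
    int n = snprintf(buf, size, "%s", s);
    return (size_t)n;   /* spamdyke used this as the string length */
}

/*
 * Bounded append: keeps a running `used` offset, never lets it pass
 * size - 1, and reports truncation instead of silently continuing.
 * Returns 0 on success, -1 on error or truncation.
 */
int
append_checked(char *buf, size_t size, size_t *used, const char *s)
{
    if (buf == NULL || size == 0 || *used >= size)
        return -1;
    int n = snprintf(buf + *used, size - *used, "%s", s);
    if (n < 0)
        return -1;
    if ((size_t)n >= size - *used) {
        *used = size - 1;        /* buffer is full, still NUL-terminated */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

/* 1 if the buggy offset lands beyond an 8-byte buffer while the checked
 * append refuses the same input and stays inside it. */
int
demo_snprintf_return(void)
{
    char buf[8];
    const char *remote = "very-long-remote-controlled-value";   /* constructed input */

    size_t off = buggy_next_offset(buf, sizeof buf, remote);
    if (off < sizeof buf)
        return 0;                 /* would not demonstrate the problem */

    size_t used = 0;
    if (append_checked(buf, sizeof buf, &used, "abc") != 0 || used != 3)
        return 0;
    if (append_checked(buf, sizeof buf, &used, remote) != -1 || used != sizeof buf - 1)
        return 0;
    if (buf[sizeof buf - 1] != '\0' || strncmp(buf, "abcvery", 7) != 0)
        return 0;
    return 1;
}
```

The rule the safe version encodes is the one to grep a code base for: every snprintf() return value must be compared against the remaining space before it is used for anything else.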
<vuln vid="5c5f19ce-43af-11e1-89b4-001ec9578670">
<topic>OpenSSL -- DTLS Denial of Service</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL Team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120118.txt">
<p>A flaw in the fix to CVE-2011-4108 can be exploited in a
denial of service attack. Only DTLS applications using OpenSSL
1.0.0f and 0.9.8s are affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0050</cvename>
<url>http://www.openssl.org/news/secadv_20120118.txt</url>
</references>
<dates>
<discovery>2012-01-18</discovery>
<entry>2012-01-20</entry>
</dates>
</vuln>
<vuln vid="dd698b76-42f7-11e1-a1b6-14dae9ebcf89">
<topic>asterisk -- SRTP Video Remote Crash Vulnerability</topic>
<affects>
<package>
<name>asterisk18</name>
<range><lt>1.8.8.2</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><lt>10.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="http://downloads.asterisk.org/pub/security/AST-2012-001.html">
<p>An attacker attempting to negotiate a secure video stream can
crash Asterisk if video support has not been enabled and the
res_srtp Asterisk module is loaded.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2012-001.html</url>
</references>
<dates>
<discovery>2012-01-15</discovery>
<entry>2012-01-19</entry>
</dates>
</vuln>
<vuln vid="7f5ccb1d-439b-11e1-bc16-0023ae8e59f0">
<topic>tomcat -- Denial of Service</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>5.5.0</gt><lt>5.5.35</lt></range>
<range><gt>6.0.0</gt><lt>6.0.34</lt></range>
<range><gt>7.0.0</gt><lt>7.0.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tomcat security team reports:</p>
<blockquote cite="http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.35">
<p>Analysis of the recent hash collision vulnerability identified
unrelated inefficiencies with Apache Tomcat's handling of large
numbers of parameters and parameter values. These inefficiencies
could allow an attacker, via a specially crafted request, to
cause large amounts of CPU to be used which in turn could create
a denial of service. The issue was addressed by modifying the
Tomcat parameter handling code to efficiently process large
numbers of parameters and parameter values.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0022</cvename>
<url>http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.35</url>
<url>http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34</url>
<url>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.23</url>
</references>
<dates>
<discovery>2011-10-21</discovery>
<entry>2012-01-17</entry>
</dates>
</vuln>
<vuln vid="1ac858b0-3fae-11e1-a127-0013d3ccd9df">
<topic>OpenTTD -- Denial of service (server) via slow read attack</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>0.3.5</ge><lt>1.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2012-0049">
<p>Using a slow read type attack it is possible to prevent anyone
from joining a server with virtually no resources. Once
downloading the map no other downloads of the map can start, so
downloading really slowly will prevent others from joining.
This can be further aggravated by the pause-on-join setting in
which case the game is paused and the players cannot continue
the game during such an attack. This attack requires that the
user is not banned and passes the authorization to the server,
although for many servers there is no server password and thus
authorization is easy.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0049</cvename>
<url>http://security.openttd.org/en/CVE-2012-0049</url>
</references>
<dates>
<discovery>2012-01-06</discovery>
<entry>2012-01-16</entry>
</dates>
</vuln>
<vuln vid="91be81e7-3fea-11e1-afc7-2c4138874f7d">
<topic>Multiple implementations -- DoS via hash algorithm collision</topic>
<affects>
<package>
<name>jruby</name>
<range><lt>1.6.5.1</lt></range>
</package>
<package>
<name>ruby</name>
<name>ruby+nopthreads</name>
<name>ruby+nopthreads+oniguruma</name>
<name>ruby+oniguruma</name>
<range><lt>1.8.7.357,1</lt></range>
</package>
<package>
<name>rubygem-rack</name>
<range><lt>1.3.6,3</lt></range>
</package>
<package>
<name>v8</name>
<range><lt>3.8.5</lt></range>
</package>
<package>
<name>redis</name>
<range><le>2.4.6</le></range>
</package>
<package>
<name>node</name>
<range><lt>0.6.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2011-003.html">
<p>A variety of programming languages suffer from a denial-of-service
(DoS) condition against storage functions of key/value pairs in
hash data structures; the condition can be leveraged by exploiting
predictable collisions in the underlying hashing algorithms.</p>
<p>The issue finds particular exposure in web server applications
and/or frameworks. In particular, the lack of sufficient limits
for the number of parameters in POST requests in conjunction with
the predictable collision properties in the hashing functions of
the underlying languages can render web applications vulnerable
to the DoS condition. The attacker, using specially crafted HTTP
requests, can lead to 100% CPU usage which can last up to
several hours depending on the targeted application and server
performance; the amplification effect is considerable and
requires little bandwidth and time on the attacker side.</p>
<p>The condition for predictable collisions in the hashing functions
has been reported for the following language implementations:
Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the
Ruby language, the 1.9.x branch is not affected by the
predictable collision condition since this version includes a
randomization of the hashing function.</p>
<p>The vulnerability outlined in this advisory is practically
identical to the one reported in 2003 and described in the paper
Denial of Service via Algorithmic Complexity Attacks which
affected the Perl language.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4838</cvename>
<cvename>CVE-2011-4815</cvename>
<cvename>CVE-2011-5036</cvename>
<cvename>CVE-2011-5037</cvename>
<url>http://www.ocert.org/advisories/ocert-2011-003.html</url>
<url>http://www.nruns.com/_downloads/advisory28122011.pdf</url>
</references>
<dates>
<discovery>2011-12-28</discovery>
<entry>2012-01-16</entry>
<modified>2012-01-20</modified>
</dates>
</vuln>
<vuln vid="ea2ddc49-3e8e-11e1-8095-5404a67eef98">
<topic>ffmpeg -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ffmpeg</name>
<range><lt>0.7.11,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ubuntu Security Notice USN-1320-1 reports:</p>
<blockquote cite="http://www.ubuntu.com/usn/usn-1320-1">
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed QDM2 streams. If a user were tricked into opening
a crafted QDM2 stream file, an attacker could cause a denial of
service via application crash, or possibly execute arbitrary code
with the privileges of the user invoking the program.
(CVE-2011-4351)</p>
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed VP3 streams. If a user were tricked into opening
a crafted file, an attacker could cause a denial of service via
application crash, or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2011-4352)</p>
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed VP5 and VP6 streams. If a user were tricked into
opening a crafted file, an attacker could cause a denial of service
via application crash, or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2011-4353)</p>
<p>It was discovered that FFmpeg incorrectly handled certain
malformed VMD files. If a user were tricked into opening a crafted
VMD file, an attacker could cause a denial of service via
application crash, or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2011-4364)</p>
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed SVQ1 streams. If a user were tricked into opening
a crafted SVQ1 stream file, an attacker could cause a denial of
service via application crash, or possibly execute arbitrary code
with the privileges of the user invoking the program.
(CVE-2011-4579)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4351</cvename>
<cvename>CVE-2011-4352</cvename>
<cvename>CVE-2011-4353</cvename>
<cvename>CVE-2011-4364</cvename>
<cvename>CVE-2011-4579</cvename>
<url>http://www.ubuntu.com/usn/usn-1320-1</url>
</references>
<dates>
<discovery>2011-09-14</discovery>
<entry>2012-01-14</entry>
</dates>
</vuln>
<vuln vid="78cc8a46-3e56-11e1-89b4-001ec9578670">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL Team reports:</p>
<blockquote cite="http://openssl.org/news/secadv_20120104.txt">
<p>6 security flaws have been fixed in OpenSSL 1.0.0f:</p>
<p>If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8,
then a policy check failure can lead to a double-free.</p>
<p>OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the
bytes used as block cipher padding in SSL 3.0 records.
As a result, in each record, up to 15 bytes of
uninitialized memory may be sent, encrypted, to the SSL
peer. This could include sensitive contents of
previously freed memory.</p>
<p>RFC 3779 data can be included in certificates, and if
it is malformed, may trigger an assertion failure.
This could be used in a denial-of-service attack.</p>
<p>Support for handshake restarts for server gated
cryptography (SGC) can be used in a denial-of-service
attack.</p>
<p>A malicious TLS client can send an invalid set of GOST
parameters which will cause the server to crash due to
lack of error checking. This could be used in a
denial-of-service attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4108</cvename>
<cvename>CVE-2011-4109</cvename>
<cvename>CVE-2011-4576</cvename>
<cvename>CVE-2011-4577</cvename>
<cvename>CVE-2011-4619</cvename>
<cvename>CVE-2012-0027</cvename>
<url>http://openssl.org/news/secadv_20120104.txt</url>
</references>
<dates>
<discovery>2012-01-04</discovery>
<entry>2012-01-14</entry>
</dates>
</vuln>
<vuln vid="1800886c-3dde-11e1-89b4-001ec9578670">
<topic>isc-dhcp-server -- DoS in DHCPv6</topic>
<affects>
<package>
<name>isc-dhcp42-server</name>
<range><lt>4.2.3_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/software/dhcp/advisories/cve-2011-4868">
<p>Due to improper handling of a DHCPv6 lease structure, ISC DHCP
servers that are serving IPv6 address pools AND using Dynamic
DNS can encounter a segmentation fault error while updating lease
status under certain conditions.</p>
<p>The potential exists for this condition to be intentionally
triggered, resulting in effective denial of service to
clients expecting service from the affected server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4868</cvename>
<url>https://www.isc.org/software/dhcp/advisories/cve-2011-4868</url>
</references>
<dates>
<discovery>2012-01-13</discovery>
<entry>2012-01-13</entry>
</dates>
</vuln>
<vuln vid="3338f87c-3d5f-11e1-a00a-000c6eb41cf7">
<topic>PowerDNS -- Denial of Service Vulnerability</topic>
<affects>
<package>
<name>powerdns</name>
<name>powerdns-devel</name>
<range><lt>3.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PowerDNS Team reports:</p>
<blockquote cite="http://www.powerdns.com/news/powerdns-security-advisory-2012-01.html">
<p>Using well crafted UDP packets, one or more PowerDNS servers
could be made to enter a tight packet loop, causing temporary
denial of service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0206</cvename>
</references>
<dates>
<discovery>2012-01-10</discovery>
<entry>2012-01-12</entry>
</dates>
</vuln>
<vuln vid="d3921810-3c80-11e1-97e8-00215c6a37bb">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<name>php5-exif</name>
<range><lt>5.3.9</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_5</lt></range>
</package>
<package>
<name>php52-exif</name>
<range><lt>5.2.17_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP development team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-01-11-1">
<p>Security Enhancements and Fixes in PHP 5.3.9:</p>
<ul>
<li>Added max_input_vars directive to prevent attacks
based on hash collisions. (CVE-2011-4885)</li>
<li>Fixed bug #60150 (Integer overflow during the parsing
of invalid exif header). (CVE-2011-4566)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4566</cvename>
<cvename>CVE-2011-4885</cvename>
<url>http://www.nruns.com/_downloads/advisory28122011.pdf</url>
</references>
<dates>
<discovery>2011-12-29</discovery>
<entry>2012-01-11</entry>
<modified>2012-01-19</modified>
</dates>
</vuln>
<vuln vid="e7fd27b2-3ae9-11e1-8b5c-00262d5ed8ee">
<topic>torcs -- untrusted local library loading</topic>
<affects>
<package>
<name>torcs</name>
<range><lt>1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TORCS News reports:</p>
<blockquote cite="http://torcs.sourceforge.net/index.php?name=News&amp;file=article&amp;sid=77">
<p>An insecure change to LD_LIBRARY_PATH allows loading of libraries
in directories other than the standard paths. This can be a
problem when downloading and installing untrusted content from the
Internet.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3384</cvename>
<url>http://torcs.sourceforge.net/index.php?name=News&amp;file=article&amp;sid=77</url>
<url>http://sourceforge.net/tracker/index.php?func=detail&amp;aid=3089384&amp;group_id=3777&amp;atid=103777</url>
</references>
<dates>
<discovery>2010-10-20</discovery>
<entry>2012-01-09</entry>
</dates>
</vuln>
<vuln vid="a47af810-3a17-11e1-a1be-00e0815b8da8">
<topic>spamdyke -- STARTTLS Plaintext Injection Vulnerability</topic>
<affects>
<package>
<name>spamdyke</name>
<range><lt>4.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/47435/">
<p>The vulnerability is caused due to the TLS implementation not
properly clearing transport layer buffers when upgrading from
plaintext to ciphertext after receiving the "STARTTLS" command.
This can be exploited to insert arbitrary plaintext data (e.g.
SMTP commands) during the plaintext phase, which will then be
executed after upgrading to the TLS ciphertext phase.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0070</cvename>
<url>http://secunia.com/advisories/47435/</url>
<url>http://www.spamdyke.org/documentation/Changelog.txt</url>
</references>
<dates>
<discovery>2012-01-04</discovery>
<entry>2012-01-08</entry>
<modified>2012-01-23</modified>
</dates>
</vuln>
<vuln vid="1a1aef8e-3894-11e1-8b5c-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>16.0.912.75</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[106672] High CVE-2011-3921: Use-after-free in animation frames.
Credit to Boris Zbarsky of Mozilla.<br/>
[107128] High CVE-2011-3919: Heap-buffer-overflow in libxml.
Credit to Juri Aedla.<br/>
[108006] High CVE-2011-3922: Stack-buffer-overflow in glyph
handling. Credit to Google Chrome Security Team (Cris
Neckar).</p>
<p>[107182] Critical CVE-2011-3925: Use-after-free in Safe Browsing
navigation. Credit to Chamal de Silva.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3919</cvename>
<cvename>CVE-2011-3921</cvename>
<cvename>CVE-2011-3922</cvename>
<cvename>CVE-2011-3925</cvename>
</references>
<dates>
<discovery>2012-01-05</discovery>
<entry>2012-01-06</entry>
<modified>2012-01-23</modified>
</dates>
</vuln>
<vuln vid="0c7a3ee2-3654-11e1-b404-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>2.4.*</ge><lt>3.6.7</lt></range>
<range><ge>4.0.*</ge><lt>4.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4.12/">
<p>The following security issues have been discovered in Bugzilla:</p>
<ul>
<li>Tabular and graphical reports, as well as new charts have
a debug mode which displays raw data as plain text. This
text is not correctly escaped and a crafted URL could use
this vulnerability to inject code leading to XSS.</li>
<li>The User.offer_account_by_email WebService method ignores
the user_can_create_account setting of the authentication
method and generates an email with a token in it which the
user can use to create an account. Depending on the
authentication method being active, this could allow the
user to log in using this account.
Installations where the createemailregexp parameter is
empty are not vulnerable to this issue.</li>
<li>The creation of bug reports and of attachments is not
protected by a token and so they can be created without the
consent of a user if the relevant code is embedded in an
HTML page and the user visits this page. This behavior was
intentional to let third-party applications submit new bug
reports and attachments easily. But as this behavior can be
abused by a malicious user, it has been decided to block
submissions with no valid token starting from version 4.2rc1.
Older branches are not patched to not break these third-party
applications after the upgrade.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon
as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3657</cvename>
<cvename>CVE-2011-3667</cvename>
<cvename>CVE-2011-3668</cvename>
<cvename>CVE-2011-3669</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=697699</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=711714</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=703975</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=703983</url>
</references>
<dates>
<discovery>2011-11-28</discovery>
<entry>2012-01-05</entry>
</dates>
</vuln>
<vuln vid="810df820-3664-11e1-8fe3-00215c6a37bb">
<topic>WordPress -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.3.1,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>3.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>WordPress development team reports:</p>
<blockquote cite="http://wordpress.org/news/2012/01/wordpress-3-3-1/">
<p>WordPress 3.3.1 is now available. This maintenance release
fixes 15 issues with WordPress 3.3, as well as a fix for a
cross-site scripting vulnerability that affected version 3.3.
Thanks to Joshua H., Hoang T., Stefan Zimmerman, Chris K., and
the Go Daddy security team for responsibly disclosing the bug
to our security team.</p>
</blockquote>
</body>
</description>
<references>
<url>http://threatpost.com/en_us/blogs/xss-bug-found-wordpress-33-010312</url>
</references>
<dates>
<discovery>2012-01-03</discovery>
<entry>2012-01-03</entry>
</dates>
</vuln>
<vuln vid="048c77df-3211-11e1-9583-14dae938ec40">
<topic>zabbix-frontend -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>zabbix-frontend</name>
<range><lt>1.8.10,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Martina Matari reports:</p>
<blockquote cite="https://support.zabbix.com/browse/ZBX-4015">
<p>These URLs (hostgroups.php, usergrps.php) are vulnerable to
persistent XSS attacks due to improper sanitization of the gname
variable when creating user and host groups.</p>
</blockquote>
</body>
</description>
<references>
<url>https://support.zabbix.com/browse/ZBX-4015</url>
</references>
<dates>
<discovery>2011-08-04</discovery>
<entry>2011-12-29</entry>
</dates>
</vuln>
<vuln vid="c6521b04-314b-11e1-9cf4-5404a67eef98">
<topic>lighttpd -- remote DoS in HTTP authentication</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT/NIST reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4362">
<p>Integer signedness error in the base64_decode function in the
HTTP authentication functionality (http_auth.c) in lighttpd 1.4
before 1.4.30 and 1.5 before SVN revision 2806 allows remote
attackers to cause a denial of service (segmentation fault)
via crafted base64 input that triggers an out-of-bounds read
with a negative index.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4362</cvename>
</references>
<dates>
<discovery>2011-11-29</discovery>
<entry>2011-12-28</entry>
</dates>
</vuln>
<vuln vid="4ddc78dc-300a-11e1-a2aa-0016ce01e285">
<topic>krb5-appl -- telnetd code execution vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_7</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
<package>
<name>krb5-appl</name>
<range><lt>1.0.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos Team reports:</p>
<blockquote cite="http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc">
<p>When an encryption key is supplied via the TELNET protocol,
its length is not validated before the key is copied into a
fixed-size buffer. Also see MITKRB5-SA-2011-008.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:08.telnetd</freebsdsa>
<cvename>CVE-2011-4862</cvename>
<url>http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc</url>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt</url>
</references>
<dates>
<discovery>2011-12-23</discovery>
<entry>2011-12-26</entry>
<modified>2012-01-29</modified>
</dates>
</vuln>
<vuln vid="022a4c77-2da4-11e1-b356-00215c6a37bb">
<topic>proftpd -- arbitrary code execution vulnerability with chroot</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_6</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
<package>
<name>proftpd</name>
<name>proftpd-mysql</name>
<range><lt>1.3.3g_1</lt></range>
</package>
<package>
<name>proftpd-devel</name>
<range><lt>1.3.3.r4_3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The FreeBSD security advisory FreeBSD-SA-11:07.chroot reports:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:07.chroot.asc">
<p>If ftpd is configured to place a user in a chroot environment,
then an attacker who can log in as that user may be able to run
arbitrary code(...).</p>
</blockquote>
<p>ProFTPD is affected by a problem of the same nature.</p>
</body>
</description>
<references>
<freebsdsa>SA-11:07.chroot</freebsdsa>
<url>http://seclists.org/fulldisclosure/2011/Nov/452</url>
</references>
<dates>
<discovery>2011-11-30</discovery>
<entry>2011-12-23</entry>
<modified>2012-01-29</modified>
</dates>
</vuln>
<vuln vid="8c83145d-2c95-11e1-89b4-001ec9578670">
<topic>phpMyAdmin -- Multiple XSS</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.9.r1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php">
<p>Using crafted URL parameters, it was possible to produce XSS on
the export panels in the server, database and table sections.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php">
<p>Crafted values entered in the setup interface can produce XSS;
also, if the config directory exists and is writeable, the XSS
payload can be saved to this directory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4780</cvename>
<cvename>CVE-2011-4782</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php</url>
</references>
<dates>
<discovery>2011-12-16</discovery>
<entry>2011-12-22</entry>
</dates>
</vuln>
<vuln vid="e3ff776b-2ba6-11e1-93c6-0011856a6e37">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>9.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>9.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.6</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>9.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.6</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>9.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-53 Miscellaneous memory safety hazards (rv:9.0)</p>
<p>MFSA 2011-54 Potentially exploitable crash in the YARR regular
expression library</p>
<p>MFSA 2011-55 nsSVGValue out-of-bounds access</p>
<p>MFSA 2011-56 Key detection without JavaScript via SVG
animation</p>
<p>MFSA 2011-58 Crash scaling video to extreme sizes</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3658</cvename>
<cvename>CVE-2011-3660</cvename>
<cvename>CVE-2011-3661</cvename>
<cvename>CVE-2011-3663</cvename>
<cvename>CVE-2011-3665</cvename>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-53.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-54.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-55.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-56.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-58.html</url>
</references>
<dates>
<discovery>2011-12-20</discovery>
<entry>2011-12-21</entry>
<modified>2011-12-21</modified>
</dates>
</vuln>
<vuln vid="7ba65bfd-2a40-11e1-b96e-00215af774f0">
<topic>unbound -- denial of service vulnerabilities from nonstandard redirection and denial of existence</topic>
<affects>
<package>
<name>unbound</name>
<range><lt>1.4.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Unbound developer reports:</p>
<blockquote cite="http://www.unbound.net/downloads/CVE-2011-4528.txt">
<p>Unbound crashes when confronted with a non-standard response
from a server for a domain. This domain produces duplicate RRs
from a certain type and is DNSSEC signed. Unbound also crashes
when confronted with a query that eventually, and under specific
circumstances, resolves to a domain that misses expected NSEC3
records.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4528</cvename>
<url>http://unbound.nlnetlabs.nl/downloads/CVE-2011-4528.txt</url>
</references>
<dates>
<discovery>2011-12-19</discovery>
<entry>2011-12-19</entry>
</dates>
</vuln>
<vuln vid="3c957a3e-2978-11e1-89b4-001ec9578670">
<topic>typo3 -- Remote Code Execution</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.6</ge><lt>4.6.2</lt></range>
<range><lt>4.5.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The typo3 security team reports:</p>
<blockquote cite="http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/">
<p>A crafted request to a vulnerable TYPO3 installation will allow
an attacker to load PHP code from an external source and to
execute it on the TYPO3 installation.</p>
<p>This is caused by a PHP file, which is part of the workspaces
system extension, that does not validate passed arguments.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4614</cvename>
<url>http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/</url>
</references>
<dates>
<discovery>2011-12-16</discovery>
<entry>2011-12-18</entry>
</dates>
</vuln>
<vuln vid="6c7d9a35-2608-11e1-89b4-001ec9578670">
<topic>krb5 -- KDC null pointer dereference in TGS handling</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.9</ge><lt>1.9.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos Team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-007.txt">
<p>In releases krb5-1.9 and later, the KDC can crash due to a NULL
pointer dereference in code that handles TGS (Ticket Granting
Service) requests. The trigger condition is trivial to produce
using unmodified client software, but requires the ability to
authenticate as a principal in the KDC's realm.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1530</cvename>
<url>http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-007.txt</url>
</references>
<dates>
<discovery>2011-12-11</discovery>
<entry>2011-12-14</entry>
</dates>
</vuln>
<vuln vid="a4a809d8-25c8-11e1-b531-00215c6a37bb">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<name>linux-opera</name>
<range><lt>11.60</lt></range>
</package>
<package>
<name>opera-devel</name>
<range><lt>11.60,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera software reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1160/">
<ul>
<li>Fixed a moderately severe issue; details will be
disclosed at a later date</li>
<li>Fixed an issue that could allow pages to set cookies
or communicate cross-site for some top level domains;
see our <a href="http://www.opera.com/support/kb/view/1003/">advisory</a></li>
<li>Improved handling of certificate revocation corner
cases</li>
<li>Added a fix for a weakness in the SSL v3.0 and TLS 1.0
specifications, as reported by Thai Duong and Juliano Rizzo;
see our <a href="http://www.opera.com/support/kb/view/1004/">advisory</a></li>
<li>Fixed an issue where the JavaScript "in" operator
allowed leakage of cross-domain information, as reported
by David Bloom; see our <a href="http://www.opera.com/support/kb/view/1005/">advisory</a></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3389</cvename>
<cvename>CVE-2011-4681</cvename>
<cvename>CVE-2011-4682</cvename>
<cvename>CVE-2011-4683</cvename>
<url>http://www.opera.com/support/kb/view/1003/</url>
<url>http://www.opera.com/support/kb/view/1004/</url>
<url>http://www.opera.com/support/kb/view/1005/</url>
</references>
<dates>
<discovery>2011-12-06</discovery>
<entry>2011-12-13</entry>
</dates>
</vuln>
<vuln vid="68ac6266-25c3-11e1-b63a-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>16.0.912.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[81753] Medium CVE-2011-3903: Out-of-bounds read in regex
matching. Credit to David Holloway of the Chromium development
community.<br/>
[95465] Low CVE-2011-3905: Out-of-bounds reads in libxml. Credit to
Google Chrome Security Team (Inferno).<br/>
[98809] Medium CVE-2011-3906: Out-of-bounds read in PDF parser.
Credit to Aki Helin of OUSPG.<br/>
[99016] High CVE-2011-3907: URL bar spoofing with view-source.
Credit to Mitja Kolsek of ACROS Security.<br/>
[100863] Low CVE-2011-3908: Out-of-bounds read in SVG parsing.
Credit to Aki Helin of OUSPG.<br/>
[101010] Medium CVE-2011-3909: [64-bit only] Memory corruption in
CSS property array. Credit to Google Chrome Security Team
(scarybeasts) and Chu.<br/>
[101494] Medium CVE-2011-3910: Out-of-bounds read in YUV video
frame handling. Credit to Google Chrome Security Team (Cris
Neckar).<br/>
[101779] Medium CVE-2011-3911: Out-of-bounds read in PDF. Credit to
Google Chrome Security Team (scarybeasts) and Robert Swiecki of
the Google Security Team.<br/>
[102359] High CVE-2011-3912: Use-after-free in SVG filters. Credit
to Arthur Gerkis.<br/>
[103921] High CVE-2011-3913: Use-after-free in Range handling.
Credit to Arthur Gerkis.<br/>
[104011] High CVE-2011-3914: Out-of-bounds write in v8 i18n
handling. Credit to Slawomir Blazek.<br/>
[104529] High CVE-2011-3915: Buffer overflow in PDF font handling.
Credit to Atte Kettunen of OUSPG.<br/>
[104959] Medium CVE-2011-3916: Out-of-bounds reads in PDF cross
references. Credit to Atte Kettunen of OUSPG.<br/>
[105162] Medium CVE-2011-3917: Stack-buffer-overflow in FileWatcher.
Credit to Google Chrome Security Team (Marty Barbella).<br/>
[107258] High CVE-2011-3904: Use-after-free in bidi handling.
Credit to Google Chrome Security Team (Inferno) and miaubiz.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3903</cvename>
<cvename>CVE-2011-3904</cvename>
<cvename>CVE-2011-3905</cvename>
<cvename>CVE-2011-3906</cvename>
<cvename>CVE-2011-3907</cvename>
<cvename>CVE-2011-3908</cvename>
<cvename>CVE-2011-3909</cvename>
<cvename>CVE-2011-3910</cvename>
<cvename>CVE-2011-3911</cvename>
<cvename>CVE-2011-3912</cvename>
<cvename>CVE-2011-3913</cvename>
<cvename>CVE-2011-3914</cvename>
<cvename>CVE-2011-3915</cvename>
<cvename>CVE-2011-3916</cvename>
<cvename>CVE-2011-3917</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2011-12-13</discovery>
<entry>2011-12-13</entry>
</dates>
</vuln>
<vuln vid="bbd5f486-24f1-11e1-95bc-080027ef73ec">
<topic>PuTTY 0.59 - 0.61 -- Password vulnerability</topic>
<affects>
<package>
<name>putty</name>
<range><ge>0.59</ge><lt>0.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Tatham reports:</p>
<blockquote cite="http://lists.tartarus.org/pipermail/putty-announce/2011/000017.html">
<p>PuTTY 0.62 fixes a security issue present in 0.59, 0.60 and 0.61.
If you log in using SSH-2 keyboard-interactive authentication
(which is the usual method used by modern servers to request a
password), the password you type was accidentally kept in PuTTY's
memory for the rest of its run, where it could be retrieved by
other processes reading PuTTY's memory, or written out to swap
files or crash dumps.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4607</cvename>
<mlist>http://lists.tartarus.org/pipermail/putty-announce/2011/000017.html</mlist>
</references>
<dates>
<discovery>2011-12-10</discovery>
<entry>2011-12-12</entry>
</dates>
</vuln>
<vuln vid="bb389137-21fb-11e1-89b4-001ec9578670">
<topic>asterisk -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>asterisk18</name>
<range><lt>1.8.7.2</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><lt>1.6.2.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="http://downloads.asterisk.org/pub/security/AST-2011-013.html">
<p>It is possible to enumerate SIP usernames when the general and
user/peer NAT settings differ in whether to respond to the port
a request is sent from or the port listed for responses in the
Via header.</p>
</blockquote>
<blockquote cite="http://downloads.asterisk.org/pub/security/AST-2011-014.html">
<p>When the "automon" feature is enabled in features.conf, it is
possible to send a sequence of SIP requests that cause Asterisk
to dereference a NULL pointer and crash.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4597</cvename>
<cvename>CVE-2011-4598</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2011-013.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-014.html</url>
</references>
<dates>
<discovery>2011-12-08</discovery>
<entry>2011-12-09</entry>
</dates>
</vuln>
<vuln vid="93be487e-211f-11e1-89b4-001ec9578670">
<topic>isc-dhcp-server -- Remote DoS</topic>
<affects>
<package>
<name>isc-dhcp42-server</name>
<range><lt>4.2.3_1</lt></range>
</package>
<package>
<name>isc-dhcp41-server</name>
<range><lt>4.1.e_3,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/software/bind/advisories/cve-2011-4539">
<p>A bug exists which allows an attacker who is able to send DHCP
Request packets, either directly or through a relay, to remotely
crash an ISC DHCP server if that server is configured to evaluate
expressions using a regular expression (i.e. uses the "~=" or
"~~" comparison operators).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4539</cvename>
</references>
<dates>
<discovery>2011-12-07</discovery>
<entry>2011-12-07</entry>
</dates>
</vuln>
<vuln vid="ed536336-1c57-11e1-86f4-e0cb4e266481">
<topic>phpMyAdmin -- Multiple XSS</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.8.r1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php">
<p>Using crafted database names, it was possible to produce XSS
in the Database Synchronize and Database rename panels. Using
an invalid and crafted SQL query, it was possible to produce
XSS when editing a query on a table overview panel or when
using the view creation dialog. Using a crafted column type,
it was possible to produce XSS in the table search and create
index dialogs.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4634</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php</url>
</references>
<dates>
<discovery>2011-11-24</discovery>
<entry>2011-12-01</entry>
</dates>
</vuln>
<vuln vid="eef56761-11eb-11e1-bb94-001c140104d4">
<topic>hiawatha -- memory leak in PreventSQLi routine</topic>
<affects>
<package>
<name>hiawatha</name>
<range><ge>7.6</ge><lt>7.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hugo Leisink reports via private mail to maintainer:</p>
<blockquote>
<p>The memory leak was introduced in version 7.6. It is in the
routine that checks for SQL injections. So, if you have set
PreventSQLi to 'no', there is no problem.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.hiawatha-webserver.org/changelog</url>
</references>
<dates>
<discovery>2011-11-18</discovery>
<entry>2011-11-18</entry>
</dates>
</vuln>
<vuln vid="90cc1494-10ac-11e1-b3ec-0024e830109b">
<topic>BIND -- Remote DoS</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_7</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R5.1</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.4.1</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Internet Systems Consortium reports:</p>
<blockquote cite="https://www.isc.org/software/bind/advisories/cve-2011-4313">
<p>Organizations across the Internet reported crashes interrupting
service on BIND 9 nameservers performing recursive queries.
Affected servers crashed after logging an error in query.c with
the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))"
Multiple versions were reported being affected, including all
currently supported release versions of ISC BIND 9.</p>
<p>Because it may be possible to trigger this bug even on networks
that do not allow untrusted users to access the recursive name
servers (perhaps via specially crafted e-mail messages, and/or
malicious web sites) it is recommended that ALL operators of
recursive name servers upgrade immediately.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:06.bind</freebsdsa>
<cvename>CVE-2011-4313</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313</url>
<url>https://www.isc.org/software/bind/advisories/cve-2011-4313</url>
</references>
<dates>
<discovery>2011-11-16</discovery>
<entry>2011-11-16</entry>
<modified>2012-01-29</modified>
</dates>
</vuln>
<vuln vid="d8c901ff-0f0f-11e1-902b-20cf30e32f6d">
<topic>Apache 1.3 -- mod_proxy reverse proxy exposure</topic>
<affects>
<package>
<name>apache</name>
<range><lt>1.3.43</lt></range>
</package>
<package>
<name>apache+ssl</name>
<range><lt>1.3.43.1.59_2</lt></range>
</package>
<package>
<name>apache+ipv6</name>
<range><lt>1.3.43</lt></range>
</package>
<package>
<name>apache+mod_perl</name>
<range><lt>1.3.43</lt></range>
</package>
<package>
<name>apache+mod_ssl</name>
<range><lt>1.3.41+2.8.31_4</lt></range>
</package>
<package>
<name>apache+mod_ssl+ipv6</name>
<range><lt>1.3.41+2.8.31_4</lt></range>
</package>
<package>
<name>ru-apache-1.3</name>
<range><lt>1.3.43+30.23_1</lt></range>
</package>
<package>
<name>ru-apache+mod_ssl</name>
<range><lt>1.3.43+30.23_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache HTTP server project reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_13.html">
<p>An exposure was found when using mod_proxy in reverse proxy mode.
In certain configurations using RewriteRule with proxy flag, a
remote attacker could cause the reverse proxy to connect to an
arbitrary server, possibly disclosing sensitive information from
internal web servers not directly accessible to the attacker. There
is no patch against this issue!</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3368</cvename>
<url>http://httpd.apache.org/security/vulnerabilities_13.html</url>
<url>http://seclists.org/fulldisclosure/2011/Oct/232</url>
</references>
<dates>
<discovery>2011-10-05</discovery>
<entry>2011-11-14</entry>
</dates>
</vuln>
<vuln vid="7fb9e739-0e6d-11e1-87cd-00235a5f2c9a">
<topic>kdeutils4 -- Directory traversal vulnerability</topic>
<affects>
<package>
<name>kdeutils</name>
<range><ge>4.0.*</ge><lt>4.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Brown from Nth Dimention reports:</p>
<blockquote cite="http://seclists.org/fulldisclosure/2011/Oct/351">
<p>I recently discovered that the Ark archiving tool is vulnerable
to directory traversal via malformed Zip files. When attempts are made to
view files within the malformed Zip file in Ark's default view,
the wrong file may be displayed due to incorrect construction of
the temporary file name. Whilst this does not allow the wrong
file to be overwritten, after closing the default view, Ark will
then attempt to delete the temporary file which could result in
the deletion of the incorrect file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2725</cvename>
<url>http://seclists.org/fulldisclosure/2011/Oct/351</url>
</references>
<dates>
<discovery>2011-10-19</discovery>
<entry>2011-11-14</entry>
</dates>
</vuln>
<vuln vid="38560d79-0e42-11e1-902b-20cf30e32f6d">
<topic>Apache APR -- DoS vulnerabilities</topic>
<affects>
<package>
<name>apr0</name>
<range><lt>0.9.20.0.9.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Portable Runtime Project reports:</p>
<blockquote cite="http://www.apache.org/dist/apr/CHANGES-APR-0.9">
<p>Reimplement apr_fnmatch() from scratch using a non-recursive
algorithm; now has improved compliance with the fnmatch()
spec.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0419</cvename>
<url>http://www.apache.org/dist/apr/Announcement0.9.html</url>
</references>
<dates>
<discovery>2011-05-19</discovery>
<entry>2011-11-13</entry>
</dates>
</vuln>
<vuln vid="1f6ee708-0d22-11e1-b5bd-14dae938ec40">
<topic>phpmyadmin -- Local file inclusion</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.7.1</lt></range>
<range><lt>3.3.10.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jan Lieskovsky reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php">
<p>Importing a specially-crafted XML file which contains an XML
entity injection permits retrieval of a local file (limited by the
privileges of the user running the web server).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4107</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php</url>
</references>
<dates>
<discovery>2011-11-10</discovery>
<entry>2011-11-12</entry>
</dates>
</vuln>
<vuln vid="0e8e1212-0ce5-11e1-849b-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r183.11</lt></range>
<range><gt>11</gt><lt>11.1r102.55</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb11-28.html">
<p>Critical vulnerabilities have been identified in Adobe Flash
Player 11.0.1.152 and earlier versions for Windows, Macintosh,
Linux and Solaris, and Adobe Flash Player 11.0.1.153 and earlier
versions for Android.</p>
</blockquote>
<p>In addition a patch was released for users of flash10.</p>
</body>
</description>
<references>
<cvename>CVE-2011-2445</cvename>
<cvename>CVE-2011-2450</cvename>
<cvename>CVE-2011-2451</cvename>
<cvename>CVE-2011-2452</cvename>
<cvename>CVE-2011-2453</cvename>
<cvename>CVE-2011-2454</cvename>
<cvename>CVE-2011-2455</cvename>
<cvename>CVE-2011-2456</cvename>
<cvename>CVE-2011-2457</cvename>
<cvename>CVE-2011-2458</cvename>
<cvename>CVE-2011-2459</cvename>
<cvename>CVE-2011-2460</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb11-28.html</url>
</references>
<dates>
<discovery>2011-11-10</discovery>
<entry>2011-11-11</entry>
</dates>
</vuln>
<vuln vid="ce4b3af8-0b7c-11e1-846b-00235409fd3e">
<topic>libxml -- Integer overflow</topic>
<affects>
<package>
<name>libxml</name>
<range><lt>1.8.17_5</lt></range>
</package>
<package>
<name>libxml2</name>
<range><lt>2.7.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Integer overflow in xpath.c allows context-dependent attackers
to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted XML file that triggers a heap-based
buffer overflow when adding a new namespace node, related to
handling of XPath expressions.</p>
</body>
</description>
<references>
<cvename>CVE-2011-1944</cvename>
</references>
<dates>
<discovery>2011-09-02</discovery>
<entry>2011-11-10</entry>
<modified>2011-11-12</modified>
</dates>
</vuln>
<vuln vid="ce4b3af8-0b7c-11e1-846b-00235409fd3e">
<topic>libxml -- Multiple use-after-free vulnerabilities</topic>
<affects>
<package>
<name>libxml</name>
<range><lt>1.8.17_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple use-after-free vulnerabilities in libxml 1.8.17 that
allow context-dependent attackers to cause a denial of service
(application crash) via crafted (1) Notation or (2) Enumeration
attribute types in an XML file.</p>
</body>
</description>
<references>
<cvename>CVE-2009-2416</cvename>
</references>
<dates>
<discovery>2009-08-03</discovery>
<entry>2011-11-10</entry>
<modified>2011-11-12</modified>
</dates>
</vuln>
<vuln vid="5a7d4110-0b7a-11e1-846b-00235409fd3e">
<topic>libxml -- Stack consumption vulnerability</topic>
<affects>
<package>
<name>libxml</name>
<range><lt>1.8.17_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stack consumption vulnerability allows context-dependent
attackers to cause a denial of service (application crash) via
a large depth of element declarations in a DTD.</p>
</body>
</description>
<references>
<cvename>CVE-2009-2414</cvename>
</references>
<dates>
<discovery>2009-08-03</discovery>
<entry>2011-11-10</entry>
<modified>2011-11-12</modified>
</dates>
</vuln>
<vuln vid="bdec8dc2-0b3b-11e1-b722-001cc0476564">
<topic>gnutls -- client session resumption vulnerability</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>2.12.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The GnuTLS team reports:</p>
<blockquote cite="http://www.gnu.org/software/gnutls/security.html">
<p>GNUTLS-SA-2011-2 Possible buffer overflow/Denial of service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4128</cvename>
<url>http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5596</url>
</references>
<dates>
<discovery>2011-11-08</discovery>
<entry>2011-11-10</entry>
</dates>
</vuln>
<vuln vid="6c8ad3e8-0a30-11e1-9580-4061862b8c22">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>8.0,1</lt></range>
<range><gt>3.6.*,1</gt><lt>3.6.24,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.24</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>8.0,1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>8.0</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>8.0</lt></range>
<range><lt>3.1.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-46 loadSubScript unwraps XPCNativeWrapper scope
parameter (1.9.2 branch)</p>
<p>MFSA 2011-47 Potential XSS against sites using Shift-JIS</p>
<p>MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0)</p>
<p>MFSA 2011-49 Memory corruption while profiling using Firebug</p>
<p>MFSA 2011-50 Cross-origin data theft using canvas and Windows
D2D</p>
<p>MFSA 2011-51 Cross-origin image theft on Mac with integrated
Intel GPU</p>
<p>MFSA 2011-52 Code execution via NoWaiverWrapper</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3647</cvename>
<cvename>CVE-2011-3648</cvename>
<cvename>CVE-2011-3649</cvename>
<cvename>CVE-2011-3650</cvename>
<cvename>CVE-2011-3651</cvename>
<cvename>CVE-2011-3652</cvename>
<cvename>CVE-2011-3653</cvename>
<cvename>CVE-2011-3654</cvename>
<cvename>CVE-2011-3655</cvename>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-46.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-47.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-48.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-49.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-50.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-51.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-52.html</url>
</references>
<dates>
<discovery>2011-11-08</discovery>
<entry>2011-11-08</entry>
</dates>
</vuln>
<vuln vid="9dde9dac-08f4-11e1-af36-003067b2972c">
<topic>caml-light -- insecure use of temporary files</topic>
<affects>
<package>
<name>caml-light</name>
<range><le>0.75</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>caml-light uses mktemp() insecurely, and also does
unsafe things in /tmp during make install.</p>
</body>
</description>
<references>
<cvename>CVE-2011-4119</cvename>
<mlist msgid="20111106200911.GC13652@netbsd.org">http://seclists.org/oss-sec/2011/q4/249</mlist>
</references>
<dates>
<discovery>2011-11-02</discovery>
<entry>2011-11-06</entry>
</dates>
</vuln>
<vuln vid="54075e39-04ac-11e1-a94e-bcaec565249c">
<topic>freetype -- Some type 1 fonts handling vulnerabilities</topic>
<affects>
<package>
<name>freetype2</name>
<range><lt>2.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The FreeType project reports:</p>
<blockquote cite="http://sourceforge.net/projects/freetype/files/freetype2/2.4.7/README/view">
<p>A couple of vulnerabilities in handling Type 1 fonts.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3256</cvename>
<url>http://sourceforge.net/projects/freetype/files/freetype2/2.4.7/README/view</url>
<url>https://bugzilla.redhat.com/attachment.cgi?id=528829&amp;action=diff</url>
</references>
<dates>
<discovery>2011-10-12</discovery>
<entry>2011-11-01</entry>
</dates>
</vuln>
<vuln vid="f08e2c15-ffc9-11e0-b0f3-bcaec565249c">
<topic>cacti -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.7h</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cacti Group reports:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_7h.php">
<p>SQL injection issue with user login, and cross-site scripting
issues.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.cacti.net/release_notes_0_8_7h.php</url>
</references>
<dates>
<discovery>2011-09-26</discovery>
<entry>2011-10-26</entry>
</dates>
</vuln>
<vuln vid="395e0faa-ffa7-11e0-8ac4-6c626dd55a41">
<topic>phpmyfaq -- Remote PHP Code Injection Vulnerability</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.6.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ project reports:</p>
<blockquote cite="http://www.phpmyfaq.de/advisory_2011-10-25.php">
<p>The phpMyFAQ Team has learned of a serious security issue that
has been discovered in our bundled ImageManager library we use
in phpMyFAQ 2.6 and 2.7. The bundled ImageManager library
allows injection of arbitrary PHP code via POST requests.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyfaq.de/advisory_2011-10-25.php</url>
<url>http://forum.phpmyfaq.de/viewtopic.php?f=3&amp;t=13402</url>
</references>
<dates>
<discovery>2011-10-25</discovery>
<entry>2011-10-26</entry>
</dates>
</vuln>
<vuln vid="edf47177-fe3f-11e0-a207-0014a5e3cda6">
<topic>phpLDAPadmin -- Remote PHP code injection vulnerability</topic>
<affects>
<package>
<name>phpldapadmin</name>
<range><ge>1.2.0</ge><lt>1.2.1.1_1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>EgiX (n0b0d13s at gmail dot com) reports:</p>
<blockquote cite="http://packetstormsecurity.org/files/106120/phpldapadmin-inject.txt">
<p>The $sortby parameter passed to 'masort' function in file
lib/functions.php isn't properly sanitized before being used in
a call to create_function() at line 1080. This can be exploited
to inject and execute arbitrary PHP code. The only possible
attack vector is when handling the 'query_engine' command, in
which input passed through $_REQUEST['orderby'] is passed as
$sortby parameter to 'masort' function.</p>
</blockquote>
</body>
</description>
<references>
<url>http://packetstormsecurity.org/files/106120/phpldapadmin-inject.txt</url>
<url>http://sourceforge.net/tracker/?func=detail&amp;aid=3417184&amp;group_id=61828&amp;atid=498546</url>
</references>
<dates>
<discovery>2011-10-23</discovery>
<entry>2011-10-24</entry>
</dates>
</vuln>
<vuln vid="6d21a287-fce0-11e0-a828-00235a5f2c9a">
<topic>kdelibs4, rekonq -- input validation failure</topic>
<affects>
<package>
<name>kdelibs</name>
<range><ge>4.0.*</ge><lt>4.7.2</lt></range>
</package>
<package>
<name>rekonq</name>
<range><lt>0.8.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>KDE Security Advisory reports:</p>
<blockquote cite="http://www.kde.org/info/security/advisory-20111003-1.txt">
<p>The default rendering type for a QLabel is QLabel::AutoText,
which uses heuristics to determine whether to render the given
content as plain text or rich text. KSSL and Rekonq did not
properly force their QLabels to use QLabel::PlainText. As a result,
if given a certificate containing rich text in its fields, they
would render the rich text. Specifically, a certificate
containing a common name (CN) that has a table element will cause
the second line of the table to be displayed. This can allow
spoofing of the certificate's common name.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.kde.org/info/security/advisory-20111003-1.txt</url>
<url>http://www.nth-dimension.org.uk/pub/NDSA20111003.txt.asc</url>
<cvename>CVE-2011-3365</cvename>
<cvename>CVE-2011-3366</cvename>
</references>
<dates>
<discovery>2011-10-03</discovery>
<entry>2011-10-23</entry>
</dates>
</vuln>
<vuln vid="411ecb79-f9bc-11e0-a7e6-6c626dd55a41">
<topic>piwik -- unknown critical vulnerabilities</topic>
<affects>
<package>
<name>piwik</name>
<range><gt>1.1</gt><lt>1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/46461/">
<p>Multiple vulnerabilities with an unknown impact have been
reported in Piwik. The vulnerabilities are caused due to
unspecified errors. No further information is currently
available.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/46461/</url>
<url>http://piwik.org/blog/2011/10/piwik-1-6/</url>
</references>
<dates>
<discovery>2011-10-18</discovery>
<entry>2011-10-20</entry>
</dates>
</vuln>
<vuln vid="8441957c-f9b4-11e0-a78a-bcaec565249c">
<topic>Xorg server -- two vulnerabilities in X server lock handling code</topic>
<affects>
<package>
<name>xorg-server</name>
<range><lt>1.7.7_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthieu Herrb reports:</p>
<blockquote cite="http://lists.freedesktop.org/archives/xorg-announce/2011-October/001744.html">
<p>It is possible to deduce if a file exists or not by exploiting
the way that Xorg creates its lock files. This is caused by the
fact that the X server is behaving differently if the lock file
already exists as a symbolic link pointing to an existing or
non-existing file.</p>
<p>It is possible for a non-root user to set the permissions for
all users on any file or directory to 444, giving unwanted read
access or causing denial of service (by removing execute
permission). This is caused by a race between creating the lock
file and setting its access modes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4028</cvename>
<cvename>CVE-2011-4029</cvename>
</references>
<dates>
<discovery>2011-10-18</discovery>
<entry>2011-10-18</entry>
</dates>
</vuln>
<vuln vid="a95092a6-f8f1-11e0-a7ea-00215c6a37bb">
<topic>asterisk -- remote crash vulnerability in SIP channel driver</topic>
<affects>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.7.1</lt></range>
</package>
<package>
<name>asterisk</name>
<range><gt>10.0.0.*</gt><lt>10.0.0.r1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="http://downloads.asterisk.org/pub/security/AST-2011-012.html">
<p>A remote authenticated user can cause a crash with a malformed
request due to an uninitialized variable.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4063</cvename>
</references>
<dates>
<discovery>2011-10-17</discovery>
<entry>2011-10-17</entry>
</dates>
</vuln>
<vuln vid="e454ca2f-f88d-11e0-b566-00163e01a509">
<topic>PivotX -- Remote File Inclusion Vulnerability of TimThumb</topic>
<affects>
<package>
<name>pivotx</name>
<range><lt>2.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PivotX team reports:</p>
<blockquote cite="http://blog.pivotx.net/page/security">
<p>TimThumb domain name security bypass and insecure cache
handling. PivotX before 2.3.0 includes a vulnerable version
of TimThumb.</p>
</blockquote>
<blockquote cite="http://blog.pivotx.net/2011-10-14/timthumb-update-for-older-pivotx-installs">
<p>If you are still running PivotX 2.2.6, you might be vulnerable
to a security exploit, that was patched previously. Version
2.3.0 doesn't have this issue, but any older version of PivotX
might be vulnerable.</p>
</blockquote>
</body>
</description>
<references>
<bid>48963</bid>
<url>https://secunia.com/advisories/45416/</url>
</references>
<dates>
<discovery>2011-08-03</discovery>
<entry>2011-10-17</entry>
</dates>
</vuln>
<vuln vid="9bad5ab1-f3f6-11e0-8b5c-b482fe3f522d">
<topic>OpenTTD -- Multiple buffer overflows in validation of external data</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>0.1.0</ge><lt>1.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3343">
<p>Multiple buffer overflows in OpenTTD before 1.1.3 allow local
users to cause a denial of service (daemon crash) or possibly
gain privileges via (1) a crafted BMP file with RLE compression
or (2) crafted dimensions in a BMP file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3343</cvename>
<url>http://security.openttd.org/en/CVE-2011-3343</url>
</references>
<dates>
<discovery>2011-08-25</discovery>
<entry>2011-10-16</entry>
</dates>
</vuln>
<vuln vid="78c25ed7-f3f9-11e0-8b5c-b482fe3f522d">
<topic>OpenTTD -- Buffer overflows in savegame loading</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>0.1.0</ge><lt>1.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3342">
<p>Multiple buffer overflows in OpenTTD before 1.1.3 allow remote
attackers to cause a denial of service (daemon crash) or possibly
execute arbitrary code via vectors related to (1) NAME, (2) PLYR,
(3) CHTS, or (4) AIPL (aka AI config) chunk loading from a
savegame.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3342</cvename>
<url>http://security.openttd.org/en/CVE-2011-3342</url>
</references>
<dates>
<discovery>2011-08-08</discovery>
<entry>2011-10-16</entry>
</dates>
</vuln>
<vuln vid="e77befb5-f3f9-11e0-8b5c-b482fe3f522d">
<topic>OpenTTD -- Denial of service via improperly validated commands</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>0.3.5</ge><lt>1.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3341">
<p>Multiple off-by-one errors in order_cmd.cpp in OpenTTD before
1.1.3 allow remote attackers to cause a denial of service (daemon
crash) or possibly execute arbitrary code via a crafted
CMD_INSERT_ORDER command.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3341</cvename>
<url>http://security.openttd.org/en/CVE-2011-3341</url>
</references>
<dates>
<discovery>2011-08-25</discovery>
<entry>2011-10-16</entry>
</dates>
</vuln>
<vuln vid="ab9be2c8-ef91-11e0-ad5a-00215c6a37bb">
<topic>quagga -- multiple vulnerabilities</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT-FI reports:</p>
<blockquote cite="https://www.cert.fi/en/reports/2011/vulnerability539178.html">
<p>Five vulnerabilities have been found in the BGP, OSPF, and
OSPFv3 components of Quagga. The vulnerabilities allow an
attacker to cause a denial of service or potentially to
execute his own code by sending specially modified packets
to an affected server. Routing messages are typically accepted
from the routing peers. Exploiting these vulnerabilities may
require an established routing session (BGP peering or
OSPF/OSPFv3 adjacency) to the router.</p>
<p>The vulnerability <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3327">CVE-2011-3327</a>
is related to the extended communities handling in BGP
messages. Receiving a malformed BGP update can result
in a buffer overflow and disruption of IPv4 routing.</p>
<p>The vulnerability <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3326">CVE-2011-3326</a>
results from the handling of LSA (Link State Advertisement)
states in the OSPF service. Receiving a modified Link State
Update message with malicious state information can result in
denial of service in IPv4 routing.</p>
<p>The vulnerability <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3325">CVE-2011-3325</a>
is a denial of service vulnerability related to Hello message
handling by the OSPF service. As Hello messages are used to
initiate adjacencies, exploiting the vulnerability may be
feasible from the same broadcast domain without an established
adjacency. A malformed packet may result in denial of service
in IPv4 routing.</p>
<p>The vulnerabilities <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3324">CVE-2011-3324</a>
and <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3323">CVE-2011-3323</a>
are related to the IPv6 routing protocol (OSPFv3) implemented
in ospf6d daemon. Receiving modified Database Description and
Link State Update messages, respectively, can result in denial
of service in IPv6 routing.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3323</cvename>
<cvename>CVE-2011-3324</cvename>
<cvename>CVE-2011-3325</cvename>
<cvename>CVE-2011-3326</cvename>
<cvename>CVE-2011-3327</cvename>
</references>
<dates>
<discovery>2011-09-26</discovery>
<entry>2011-10-05</entry>
</dates>
</vuln>
<vuln vid="1fade8a3-e9e8-11e0-9580-4061862b8c22">
<topic>Mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>7.0,1</lt></range>
<range><gt>3.6.*,1</gt><lt>3.6.23,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.23</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>7.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.4</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>7.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.4</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>7.0</lt></range>
<range><lt>3.1.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 /
rv:1.9.2.23)</p>
<p>MFSA 2011-37 Integer underflow when using JavaScript RegExp</p>
<p>MFSA 2011-38 XSS via plugins and shadowed window.location
object</p>
<p>MFSA 2011-39 Defense against multiple Location headers due to
CRLF Injection</p>
<p>MFSA 2011-40 Code installation through holding down Enter</p>
<p>MFSA 2011-41 Potentially exploitable WebGL crashes</p>
<p>MFSA 2011-42 Potentially exploitable crash in the YARR regular
expression library</p>
<p>MFSA 2011-43 loadSubScript unwraps XPCNativeWrapper scope
parameter</p>
<p>MFSA 2011-44 Use after free reading OGG headers</p>
<p>MFSA 2011-45 Inferring Keystrokes from motion data</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2372</cvename>
<cvename>CVE-2011-2995</cvename>
<cvename>CVE-2011-2996</cvename>
<cvename>CVE-2011-2997</cvename>
<cvename>CVE-2011-2999</cvename>
<cvename>CVE-2011-3000</cvename>
<cvename>CVE-2011-3001</cvename>
<cvename>CVE-2011-3002</cvename>
<cvename>CVE-2011-3003</cvename>
<cvename>CVE-2011-3004</cvename>
<cvename>CVE-2011-3005</cvename>
<cvename>CVE-2011-3232</cvename>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-36.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-37.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-38.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-39.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-40.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-41.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-42.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-43.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-44.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-45.html</url>
</references>
<dates>
<discovery>2011-09-27</discovery>
<entry>2011-09-28</entry>
</dates>
</vuln>
<vuln vid="53e531a7-e559-11e0-b481-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r183.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb11-26.html">
<p>Critical vulnerabilities have been identified in Adobe Flash
Player 10.3.183.7 and earlier versions for Windows, Macintosh,
Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier
versions for Android. These vulnerabilities could cause a crash
and potentially allow an attacker to take control of the
affected system.</p>
<p>There are reports that one of these vulnerabilities
(CVE-2011-2444) is being exploited in the wild in active
targeted attacks designed to trick the user into clicking on
a malicious link delivered in an email message. This universal
cross-site scripting issue could be used to take actions on a
user's behalf on any website or webmail provider if the user
visits a malicious website.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.adobe.com/support/security/bulletins/apsb11-26.html</url>
<cvename>CVE-2011-2426</cvename>
<cvename>CVE-2011-2427</cvename>
<cvename>CVE-2011-2428</cvename>
<cvename>CVE-2011-2429</cvename>
<cvename>CVE-2011-2430</cvename>
<cvename>CVE-2011-2444</cvename>
</references>
<dates>
<discovery>2011-06-06</discovery>
<entry>2011-09-22</entry>
</dates>
</vuln>
<vuln vid="e44fe906-df27-11e0-a333-001cc0a36e12">
<topic>phpMyAdmin -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php">
<p>Firstly, if a row contains javascript code, after inline
editing this row and saving, the code is executed. Secondly,
missing sanitization on the db, table and column names leads
to XSS vulnerabilities.</p>
<p>Versions 3.4.0 to 3.4.4 were found vulnerable.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php</url>
</references>
<dates>
<discovery>2011-09-11</discovery>
<entry>2011-09-14</entry>
</dates>
</vuln>
<vuln vid="d01d10c7-de2d-11e0-b215-00215c6a37bb">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py27-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><ge>1.3</ge><lt>1.3.1</lt></range>
<range><ge>1.2</ge><lt>1.2.7</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py27-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>16758,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">
<p>Today the Django team is issuing multiple releases --
Django 1.2.6 and Django 1.3.1 -- to remedy security issues
reported to us. Additionally, this announcement contains
advisories for several other issues which, while not
requiring changes to Django itself, will be of concern
to users of Django.</p>
<p>All users are encouraged to upgrade Django, and to implement
the recommendations in these advisories, immediately.</p>
<h3>Session manipulation</h3>
<p>Django's session framework, django.contrib.sessions, is
configurable to use any of multiple backends for storage of
session data. One such backend, provided with Django itself,
integrates with Django's cache framework to use the cache as
storage for session data.</p>
<p>When configured in this fashion using memory-based sessions
and caching, Django sessions are stored directly in the root
namespace of the cache, using session identifiers as keys.</p>
<p>This results in a potential attack when coupled with an
application storing user-supplied data in the cache; if an
attacker can cause data to be cached using a key which is
also a valid session identifier, Django's session framework
will treat that data -- so long as it is a dictionary-like
object -- as the session, thus allowing arbitrary data to be
inserted into a session so long as the attacker knows the
session key.</p>
<h3>Denial of service attack via URLField</h3>
<p>Django's model system includes a field type -- URLField --
which validates that the supplied value is a valid URL, and if
the boolean keyword argument verify_exists is true, attempts
to validate that the supplied URL also resolves, by issuing a
request to it.</p>
<p>By default, the underlying socket libraries in Python do not
have a timeout. This can manifest as a security problem in
three different ways:</p>
<ol>
<li>An attacker can supply a slow-to-respond URL. Each request
will tie up a server process for a period of time; if the
attacker is able to make enough requests, they can tie up
all available server processes.</li>
<li>An attacker can supply a URL under his or her control, and
which will simply hold an open connection indefinitely. Due
to the lack of timeout, the Django process attempting to
verify the URL will similarly spin indefinitely. Repeating
this can easily tie up all available server processes.</li>
<li>An attacker can supply a URL under his or her control
which not only keeps the connection open, but also sends an
unending stream of random garbage data. This data will
cause the memory usage of the Django process (which will
hold the response in memory) to grow without bound, thus
consuming not only server processes but also server
memory.</li>
</ol>
<h3>URLField redirection</h3>
<p>The regular expression which validates URLs is used to check
the supplied URL before issuing a check to verify that it
exists, but if that URL issues a redirect in response to the
request, no validation of the resulting redirected URL is
performed, including basic checks for supported protocols
(HTTP, HTTPS, and FTP).</p>
<p>This creates a small window for an attacker to gain knowledge
of, for example, server layout; a redirect to a file:// URL,
for example, will tell an attacker whether a given file exists
locally on the server.</p>
<p>Additionally, although the initial request issued by Django
uses the HEAD method for HTTP/HTTPS, the request to the target
of the redirect is issued using GET. This may create further
issues for systems which implicitly trust GET requests from
the local machine/network.</p>
<h3>Host header cache poisoning</h3>
<p>In several places, Django itself -- independent of the
developer -- generates full URLs (for example, when issuing
HTTP redirects). Currently this uses the value of the HTTP
Host header from the request to construct the URL, which opens
a potential cache-poisoning vector: an attacker can submit
a request with a Host header of his or her choice, receive a
response which constructs URLs using that Host header, and --
if that response is cached -- further requests will be served
out of cache using URLs containing the attacker's host of
choice.</p>
</blockquote>
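<p>The cache-key collision described under "Session manipulation", as an added example that is not Django's own code: a toy in-memory cache is shared by a session store that uses the raw session identifier as its cache key and by application code that caches user-supplied data under a user-chosen key. The class and function names, the session identifier and the profile data are constructed for the demonstration; the prefixed store shows the fix of namespacing session entries under a fixed key prefix.</p>
<pre><![CDATA[
```python
# Added example (not Django's code): why sessions stored in the cache's root
# namespace can be overwritten by application data, and how a key prefix
# prevents it.  All names are illustrative.


class Cache:
    """Minimal in-memory cache standing in for memcached or locmem."""

    def __init__(self):
        self._data = {}

    def set(self, key, value):
        self._data[key] = value

    def get(self, key, default=None):
        return self._data.get(key, default)


class VulnerableSessionStore:
    """Stores each session under its raw session key (the pre-fix behaviour)."""

    def __init__(self, cache):
        self.cache = cache

    def _key(self, session_key):
        return session_key

    def save(self, session_key, data):
        self.cache.set(self._key(session_key), dict(data))

    def load(self, session_key):
        # Whatever dict-like object sits under the key is accepted as the session.
        data = self.cache.get(self._key(session_key))
        return dict(data) if isinstance(data, dict) else {}


class PrefixedSessionStore(VulnerableSessionStore):
    """Same store, but session entries live in their own key namespace, so an
    application-chosen key can never equal a session entry's key."""

    KEY_PREFIX = "django.contrib.sessions.cache"  # prefix of the kind the fix added

    def _key(self, session_key):
        return self.KEY_PREFIX + session_key


def cache_user_profile(cache, profile_id, profile):
    """Constructed application code: caches user-controlled data under a key
    taken verbatim from the request, the pattern that makes the collision
    exploitable."""
    cache.set(profile_id, profile)


def run_attack(store_cls):
    """A victim has a session; an attacker who knows the victim's session key
    gets the application to cache a dict under that key.  Returns the session
    data the victim is served afterwards."""
    cache = Cache()
    store = store_cls(cache)
    victim_key = "4f1c9e2b8d7a6c5e3b2a1f0e9d8c7b6a"  # constructed session id
    store.save(victim_key, {"user_id": 42, "is_staff": False})

    # Attacker-controlled request: the profile id is the victim's session key.
    cache_user_profile(cache, victim_key, {"user_id": 1, "is_staff": True})

    return store.load(victim_key)


if __name__ == "__main__":
    print("unprefixed store:", run_attack(VulnerableSessionStore))
    print("prefixed store:  ", run_attack(PrefixedSessionStore))
```
]]></pre>
<p>With the unprefixed store the victim's next request is served the attacker's dictionary as its session; with the prefix the application write lands on a different key and the session is untouched. The prefix only closes the collision; applications should still never let request data choose cache keys verbatim.</p>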
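<p>The two URLField issues above ("Denial of service attack via URLField" and "URLField redirection") call for the same set of guards, shown here as an added example that is not Django's code: a socket timeout, a bounded read of the response, and manual redirect handling that re-checks the scheme of every hop instead of letting the HTTP library follow a redirect (and issue a GET) to whatever the target names. The network step is passed in as a callable so the checker runs offline against a constructed response table; http_head() is a real fetcher on the standard library. The hostnames, function names and thresholds are assumptions.</p>
<pre><![CDATA[
```python
# Added example (not Django's code): the guards a verify_exists-style probe
# needs against an attacker-supplied URL: a socket timeout, a bounded read,
# manual redirect handling that re-validates the scheme of every hop, and no
# automatic GET on redirect targets.  The fetch step is injected so the logic
# runs offline; http_head() is a real fetcher on the standard library.
# Names and the FAKE_RESPONSES table are illustrative.
import http.client
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https", "ftp"}   # what the validator admits
MAX_REDIRECTS = 5
MAX_BODY_BYTES = 64 * 1024
TIMEOUT_SECONDS = 5.0


def scheme_allowed(url):
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def check_url(url, fetch, max_redirects=MAX_REDIRECTS):
    """Probe url, following redirects by hand so each hop is re-validated.

    fetch(url) returns (status, headers) with lower-case header names and
    raises OSError on network failure.  Returns (ok, reason, final_url)."""
    current = url
    for _ in range(max_redirects + 1):
        if not scheme_allowed(current):
            return False, "forbidden scheme: " + urlsplit(current).scheme, current
        try:
            status, headers = fetch(current)
        except (OSError, http.client.HTTPException) as exc:
            return False, "fetch failed: %s" % exc, current
        location = headers.get("location")
        if 300 <= status < 400 and location:
            # Resolve relative Location values, then loop: the new target gets
            # the same scheme check, so a redirect to file:// is refused.
            current = urljoin(current, location)
            continue
        return 200 <= status < 300, "status %d" % status, current
    return False, "too many redirects", current


def http_head(url, timeout=TIMEOUT_SECONDS):
    """Real fetcher for http/https: HEAD with a socket timeout and a bounded
    read, never following redirects itself (ftp would need its own fetcher)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        resp.read(MAX_BODY_BYTES)  # cap memory even if the peer streams garbage
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


# Constructed responses standing in for an attacker-controlled server.
FAKE_RESPONSES = {
    "http://attacker.test/redirect-to-file": (302, {"location": "file:///etc/passwd"}),
    "http://attacker.test/relative": (301, {"location": "/final"}),
    "http://attacker.test/final": (200, {}),
    "http://attacker.test/loop": (302, {"location": "http://attacker.test/loop"}),
}


def fake_fetch(url):
    if url not in FAKE_RESPONSES:
        raise OSError("no route to " + url)
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    for target in FAKE_RESPONSES:
        print(target, "->", check_url(target, fake_fetch))
```
]]></pre>
<p>Against a live host, call check_url(url, http_head): the timeout bounds the slow-server and held-open cases, the capped read bounds the garbage-stream case, and the redirect loop refuses a hop to a file:// target before any request is sent to it.</p>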
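<p>For the "Host header cache poisoning" issue, an added example (not Django's code) of the gate that has to sit in front of any code building absolute URLs from the request: the Host header is parsed strictly and compared against an allow-list before it is ever echoed into a redirect. The allow-list entries and function names are constructed for the example; the check is of the kind Django later shipped as its ALLOWED_HOSTS setting.</p>
<pre><![CDATA[
```python
# Added example (not Django's code): gate every absolute URL built from the
# Host header behind an allow-list, so a cached response can never carry an
# attacker-chosen host.  The list below and the function names are
# illustrative.
import re

ALLOWED_HOSTS = ["www.example.test", ".internal.example.test"]  # constructed

# host or bracketed IPv6 literal, optional :port, nothing else (no path, no @)
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[0-9a-f:.]+\])(:[0-9]+)?$", re.IGNORECASE)


def split_host_port(host_header):
    """Return (host, port) from a Host header value, or None if malformed."""
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return None
    return m.group(1).lower(), (m.group(2)[1:] if m.group(2) else None)


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True if the host matches an allow-list entry; a leading '.' entry
    matches the domain itself and any subdomain of it."""
    parsed = split_host_port(host_header)
    if parsed is None:
        return False
    host, _ = parsed
    for pattern in (p.lower() for p in allowed):
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def build_redirect_url(host_header, path, secure=False, allowed=ALLOWED_HOSTS):
    """Absolute URL for a redirect, or None when the Host header is untrusted.
    The vulnerable pattern is this function without the host_allowed() gate."""
    if not host_allowed(host_header, allowed):
        return None
    return "%s://%s%s" % ("https" if secure else "http",
                          host_header.strip().lower(), path)


if __name__ == "__main__":
    for h in ["www.example.test", "api.internal.example.test:8443", "evil.test"]:
        print(h, "->", build_redirect_url(h, "/accounts/login/"))
```
]]></pre>
<p>A request with an untrusted Host should be answered with an error rather than a redirect, so nothing containing the attacker's host is ever produced for a cache to store.</p>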
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/</url>
</references>
<dates>
<discovery>2011-09-09</discovery>
<entry>2011-09-13</entry>
<modified>2011-11-01</modified>
</dates>
</vuln>
<vuln vid="4ae68e7c-dda4-11e0-a906-00215c6a37bb">
<topic>roundcube -- XSS vulnerability</topic>
<affects>
<package>
<name>roundcube</name>
<range><lt>0.5.4,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>RoundCube development Team reports:</p>
<blockquote cite="http://sourceforge.net/news/?group_id=139281&amp;id=302769">
<p>We just published a new release which fixes a recently
reported XSS vulnerability as an update to the stable 0.5
branch. Please update your installations with this new
version or patch them with the fix which is also published
in the downloads section of our sourceforge.net page.</p>
</blockquote>
<p>and:</p>
<blockquote cite="http://trac.roundcube.net/ticket/1488030">
<p>During one of pen-tests I found that _mbox parameter is not
properly sanitized and reflected XSS attack is possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2937</cvename>
</references>
<dates>
<discovery>2011-08-09</discovery>
<entry>2011-09-13</entry>
</dates>
</vuln>
<vuln vid="b9f3ffa3-dd6c-11e0-b7fc-000a5e1e33c6">
<topic>libsndfile -- PAF file processing integer overflow</topic>
<affects>
<package>
<name>libsndfile</name>
<range><lt>1.0.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/45125/">
<p>Hossein Lotfi has discovered a vulnerability in libsndfile,
which can be exploited by malicious people to potentially
compromise an application using the library. The vulnerability
is caused due to an integer overflow error in the "paf24_init()"
function (src/paf.c) when processing Paris Audio (PAF) files.
This can be exploited to cause a heap-based buffer overflow via
a specially crafted file. Successful exploitation may allow
execution of arbitrary code. The vulnerability is confirmed in
version 1.0.24. Other versions may also be affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2696</cvename>
<url>http://secunia.com/advisories/45125/</url>
</references>
<dates>
<discovery>2011-07-12</discovery>
<entry>2011-09-12</entry>
</dates>
</vuln>
<vuln vid="2ecb7b20-d97e-11e0-b2e2-00215c6a37bb">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><ge>1.0.0</ge><lt>1.0.0_6</lt></range>
<range><ge>0.9.8</ge><lt>1.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL Team reports:</p>
<blockquote cite="http://openssl.org/news/secadv_20110906.txt">
<p>Two security flaws have been fixed in OpenSSL 1.0.0e</p>
<p>Under certain circumstances OpenSSL's internal certificate
verification routines can incorrectly accept a CRL whose
nextUpdate field is in the past. (CVE-2011-3207)</p>
<p>OpenSSL server code for ephemeral ECDH ciphersuites is not
thread-safe, and furthermore can crash if a client violates
the protocol by sending handshake messages in incorrect
order. (CVE-2011-3210)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3207</cvename>
<cvename>CVE-2011-3210</cvename>
<url>http://www.openssl.org/news/secadv_20110906.txt</url>
</references>
<dates>
<discovery>2011-09-06</discovery>
<entry>2011-09-07</entry>
</dates>
</vuln>
<vuln vid="a83f25df-d775-11e0-8bf1-003067b2972c">
<topic>XSS issue in MantisBT</topic>
<affects>
<package>
<name>mantis</name>
<range><ge>1.2.0</ge><lt>1.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://www.mantisbt.org/blog/?p=142">
<p>Net.Edit0r from BlACK Hat Group reported an XSS issue in
search.php. All MantisBT users (including anonymous users that
are not logged in to public bug trackers) could be impacted by
this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/160368</freebsdpr>
<cvename>CVE-2011-2938</cvename>
</references>
<dates>
<discovery>2011-08-18</discovery>
<entry>2011-09-05</entry>
</dates>
</vuln>
<vuln vid="e55f948f-d729-11e0-abd1-0017f22d6707">
<topic>security/cfs -- buffer overflow</topic>
<affects>
<package>
<name>cfs</name>
<range><le>1.4.1_6</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian reports:</p>
<blockquote cite="http://www.debian.org/security/2002/dsa-116">
<p>Zorgon found several buffer overflows in cfsd, a daemon that
pushes encryption services into the Unix(tm) file system.
We are not yet sure if these overflows can successfully be
exploited to gain root access to the machine running the CFS
daemon. However, since cfsd can easily be forced to die, a
malicious user can easily perform a denial of service attack
against it.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2002-0351</cvename>
<url>http://www.debian.org/security/2002/dsa-116</url>
</references>
<dates>
<discovery>2002-03-02</discovery>
<entry>2011-09-04</entry>
</dates>
</vuln>
<vuln vid="1b27af46-d6f6-11e0-89a6-080027ef73ec">
<topic>ca_root_nss -- extraction of explicitly-untrusted certificates into trust bundle</topic>
<affects>
<package>
<name>ca_root_nss</name>
<range><lt>3.12.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports that the ca-bundle.pl script used by the
ca_root_nss FreeBSD port before 3.12.11 did not take the Mozilla/NSS/CKBI
"untrusted" trust markers into account, and so added certificates to the
trust bundle that Mozilla had explicitly marked as not to be trusted.</p>
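<p>An added example of the check the script lacked, not the port's ca-bundle.pl and not Mozilla code: a small certdata.txt extractor that only emits a root when its CKO_NSS_TRUST object grants CKT_NSS_TRUSTED_DELEGATOR for server authentication, and reports roots carrying the CKT_NSS_NOT_TRUSTED marker instead of bundling them. The sample input is constructed (placeholder bytes, not real certificates), and certificates are paired with their trust objects by label for brevity where NSS pairs them by issuer and serial.</p>
<pre><![CDATA[
```python
# Added example (not the port's ca-bundle.pl): extract roots from Mozilla's
# certdata.txt while honouring the CKO_NSS_TRUST objects, so a root marked
# CKT_NSS_NOT_TRUSTED is reported instead of bundled.  Certificates and trust
# objects are paired by CKA_LABEL here for brevity (NSS pairs them by issuer
# and serial).  SAMPLE_CERTDATA is constructed; its CKA_VALUE bytes are
# placeholders, not real certificates.
import base64
import re

# Current NSS spellings plus the older CKT_NETSCAPE_ ones found in earlier files.
TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}
DISTRUSTED = {"CKT_NSS_NOT_TRUSTED", "CKT_NETSCAPE_UNTRUSTED"}
_OCTAL = re.compile(r"\\([0-7]{3})")


def parse_certdata(text):
    """Return one attribute dict per CKA_CLASS object in certdata.txt."""
    objects, cur, lines = [], None, iter(text.splitlines())
    for line in lines:
        parts = line.strip().split(" ", 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                          # blanks, comments, BEGINDATA
        name, typ = parts[0], parts[1]
        value = parts[2] if len(parts) == 3 else ""
        if name == "CKA_CLASS":
            cur = {}
            objects.append(cur)
        if cur is None:
            continue                          # header lines before any object
        if typ == "MULTILINE_OCTAL":          # \ooo escapes up to a line "END"
            buf = bytearray()
            for raw in lines:
                if raw.strip() == "END":
                    break
                buf.extend(int(o, 8) for o in _OCTAL.findall(raw))
            value = bytes(buf)
        elif typ == "UTF8":
            value = value.strip('"')
        cur[name] = value
    return objects


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def trusted_server_certs(text):
    """[(label, pem)] for certificates whose trust object grants
    TRUSTED_DELEGATOR for server auth.  NOT_TRUSTED, MUST_VERIFY_TRUST and a
    missing trust object all lead to exclusion."""
    objects = parse_certdata(text)
    trust = {o["CKA_LABEL"]: o for o in objects
             if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    return [(o["CKA_LABEL"], to_pem(o["CKA_VALUE"])) for o in objects
            if o.get("CKA_CLASS") == "CKO_CERTIFICATE"
            and trust.get(o["CKA_LABEL"], {}).get("CKA_TRUST_SERVER_AUTH") in TRUSTED]


def distrusted_labels(text):
    """Labels of roots explicitly distrusted for server auth, i.e. exactly the
    ones the old script would have bundled anyway."""
    return [o["CKA_LABEL"] for o in parse_certdata(text)
            if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
            and o.get("CKA_TRUST_SERVER_AUTH") in DISTRUSTED]


SAMPLE_CERTDATA = r'''
# Constructed sample in certdata.txt syntax; CKA_VALUE bytes are placeholders.
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Good Root"
CKA_VALUE MULTILINE_OCTAL
\060\010\002\001\001\060\003\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Good Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\010\002\001\002\060\004\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
'''
```
]]></pre>
<p>Run against a real certdata.txt, distrusted_labels() is the audit list worth diffing after every update: any entry it returns that also appears in the generated bundle means the extractor is ignoring the trust objects, which is the defect this entry describes.</p>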
</body>
</description>
<references>
<freebsdpr>ports/160455</freebsdpr>
</references>
<dates>
<discovery>2011-09-04</discovery>
<entry>2011-09-04</entry>
</dates>
</vuln>
<vuln vid="aa5bc971-d635-11e0-b3cf-080027ef73ec">
<topic>nss/ca_root_nss -- fraudulent certificates issued by DigiNotar.nl</topic>
<affects>
<package>
<name>nss</name>
<range><lt>3.12.11</lt></range>
<!-- this builds on the assumption that 3.12.11 in ports actually
contains the CKBI 1.87 update to the built-in certificates
as committed by kwm@ on September 3rd, 2011 -->
</package>
<package>
<name>ca_root_nss</name>
<range><lt>3.12.11</lt></range>
<!-- this builds on the assumption that 3.12.11 in ports actually
contains the CKBI 1.87 update to the built-in certificates
as committed by mandree@ on September 4th, 2011 -->
</package>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.22,1</lt></range>
<range><gt>4.0.*,1</gt><lt>6.0.2,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.3.2</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.22,1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>3.1.*</gt><lt>3.1.14</lt></range>
<range><gt>5.0.*</gt><lt>6.0.2</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>3.1.14</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Heather Adkins, Google's Information Security Manager, reported that
Google received</p>
<blockquote cite="http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html">
<p>[...] reports of attempted SSL man-in-the-middle (MITM)
attacks against Google users, whereby someone tried to get between
them and encrypted Google services. The people affected were
primarily located in Iran. The attacker used a fraudulent SSL
certificate issued by DigiNotar, a root certificate authority that
should not issue certificates for Google (and has since revoked
it). [...]</p>
</blockquote>
<p>VASCO Data Security International Inc., owner of DigiNotar, issued a
press statement confirming this incident:</p>
<blockquote cite="http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx">
<p>On July 19th 2011, DigiNotar detected an intrusion
into its Certificate Authority (CA) infrastructure, which resulted
in the fraudulent issuance of public key certificate requests for
a number of domains, including Google.com. [...] an external
security audit concluded that all fraudulently issued certificates
were revoked. Recently, it was discovered that at least one fraudulent
certificate had not been revoked at the time. [...]</p>
</blockquote>
<p>Mozilla, maintainer of the NSS package, from which FreeBSD derived
ca_root_nss, stated that they:</p>
<blockquote cite="https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/">
<p>revoked our trust in the DigiNotar certificate authority from
all Mozilla software. This is not a temporary suspension, it is
a complete removal from our trusted root program. Complete
revocation of trust is a decision we treat with careful
consideration, and employ as a last resort.
</p><p>Three central issues informed our decision:</p>
<ol><li>Failure to notify. [...]</li>
<li>The scope of the breach remains unknown. [...]</li>
<li>The attack is not theoretical.</li></ol>
</blockquote>
</body>
</description>
<references>
<url>http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-34.html</url>
<url>http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html</url>
</references>
<dates>
<discovery>2011-07-19</discovery>
<entry>2011-09-03</entry>
<modified>2011-09-06</modified>
</dates>
</vuln>
<vuln vid="7f6108d2-cea8-11e0-9d58-0800279895ea">
<topic>apache -- Range header DoS vulnerability</topic>
<affects>
<package>
<name>apache</name>
<name>apache-event</name>
<name>apache-itk</name>
<name>apache-peruser</name>
<name>apache-worker</name>
<range><gt>2.*</gt><lt>2.2.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache HTTP server project reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192">
<p>A denial of service vulnerability has been found in the way
the multiple overlapping ranges are handled by Apache HTTPD
server.</p>
</blockquote>
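<p>The advisory text above names the trigger (many overlapping byte ranges in one Range header) without showing what such a header looks like; the following is an added example, not Apache code, of a classifier a front-end filter can run to decide whether to strip the Range header and serve the whole resource instead. The threshold MAX_RANGES and the function names are illustrative assumptions; the parser follows the byte-range syntax of RFC 2616 section 14.35.</p>
<pre><![CDATA[
```python
# Added example (not Apache code): classify an HTTP Range header the way an
# upstream filter might before httpd sees it, flagging the request shapes
# CVE-2011-3192 relies on: many ranges, or ranges that overlap.  MAX_RANGES is
# an illustrative threshold, not a value taken from the advisory.
import re

MAX_RANGES = 5
_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header):
    """Parse 'bytes=a-b,c-,-d' into [(start, end)] with None for open ends.
    Returns None if the header is not a syntactically valid byte-range set."""
    header = header.strip()
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        if not spec:
            continue
        m = _SPEC_RE.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None
        ranges.append((start, end))
    return ranges or None


def ranges_overlap(ranges, content_length=None):
    """True if any two ranges share a byte.  Suffix ranges (None, n) can only
    be resolved with the content length; without it they are assumed to
    overlap, which errs towards rejecting."""
    resolved = []
    for start, end in ranges:
        if start is None:
            if content_length is None:
                return True
            start, end = max(0, content_length - end), content_length - 1
        elif end is None:
            end = float("inf") if content_length is None else content_length - 1
        resolved.append((start, end))
    resolved.sort()
    return any(s2 <= e1 for (_, e1), (s2, _) in zip(resolved, resolved[1:]))


def range_request_is_abusive(header, content_length=None, max_ranges=MAX_RANGES):
    """Decide whether to drop the Range header and serve the whole resource."""
    header = header.strip()
    if not header.lower().startswith("bytes="):
        return False
    specs = [s for s in header.split("=", 1)[1].split(",") if s.strip()]
    if len(specs) > max_ranges:
        return True            # the published PoC sends hundreds of specs
    ranges = parse_ranges(header)
    if ranges is None:
        return False           # invalid set: the header is to be ignored anyway
    return ranges_overlap(ranges, content_length)


if __name__ == "__main__":
    for h in ["bytes=0-99", "bytes=0-99,50-149", "bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5"]:
        print(h, "->", "abusive" if range_request_is_abusive(h) else "ok")
```
]]></pre>
<p>Counting the raw comma-separated specs before parsing matters: the abusive header is rejected on size alone even when individual specs are malformed, which a strict parser would otherwise discard as "ignore the header", letting the request through to httpd.</p>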
</body>
</description>
<references>
<cvename>CVE-2011-3192</cvename>
<url>https://people.apache.org/~dirkx/CVE-2011-3192.txt</url>
<url>https://svn.apache.org/viewvc?view=revision&amp;revision=1161534</url>
<url>https://svn.apache.org/viewvc?view=revision&amp;revision=1162874</url>
</references>
<dates>
<discovery>2011-08-24</discovery>
<entry>2011-08-30</entry>
<modified>2011-09-01</modified>
</dates>
</vuln>
<vuln vid="cdeb34e6-d00d-11e0-987e-00215c6a37bb">
<topic>stunnel -- heap corruption vulnerability</topic>
<affects>
<package>
<name>stunnel</name>
<range><ge>4.40</ge><lt>4.42</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michal Trojnara reports:</p>
<blockquote cite="http://www.stunnel.org/pipermail/stunnel-announce/2011-August/000059.html">
<p>Version 4.42, 2011.08.18, urgency: HIGH:</p>
<p>Fixed a heap corruption vulnerability in versions 4.40 and 4.41.
It may possibly be leveraged to perform DoS or remote code
execution attacks.</p>
</blockquote>
</body>
</description>
<references>
<bid>49254</bid>
<cvename>CVE-2011-2940</cvename>
</references>
<dates>
<discovery>2011-08-25</discovery>
<entry>2011-08-26</entry>
</dates>
</vuln>
<vuln vid="75e26236-ce9e-11e0-b26a-00215c6a37bb">
<topic>phpMyAdmin -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-13.php">
<p>Multiple XSS in the Tracking feature.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3181</cvename>
</references>
<dates>
<discovery>2011-08-24</discovery>
<entry>2011-08-24</entry>
</dates>
</vuln>
<vuln vid="3f1df2f9-cd22-11e0-9bb2-00215c6a37bb">
<topic>PHP -- crypt() returns only the salt for MD5</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.3.7</ge><lt>5.3.7_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP development team reports:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=55439">
<p>If crypt() is executed with MD5 salts, the return value
consists of the salt only. DES and BLOWFISH salts work as
expected.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=55439</url>
</references>
<dates>
<discovery>2011-08-17</discovery>
<entry>2011-08-23</entry>
<modified>2011-08-30</modified>
</dates>
</vuln>
<vuln vid="057bf770-cac4-11e0-aea3-00215c6a37bb">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<name>php5-sockets</name>
<range><lt>5.3.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP development team reports:</p>
<blockquote cite="http://www.php.net/ChangeLog-5.php#5.3.7">
<p>Security Enhancements and Fixes in PHP 5.3.7:</p>
<ul>
<li>Updated crypt_blowfish to 1.2. (CVE-2011-2483)</li>
<li>Fixed crash in error_log(). Reported by Mateusz
Kocielski</li>
<li>Fixed buffer overflow on overlong salt in crypt().</li>
<li>Fixed bug #54939 (File path injection vulnerability
in RFC1867 File upload filename). Reported by Krzysztof
Kotowicz. (CVE-2011-2202)</li>
<li>Fixed stack buffer overflow in socket_connect().
(CVE-2011-1938)</li>
<li>Fixed bug #54238 (use-after-free in substr_replace()).
(CVE-2011-1148)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<bid>49241</bid>
<cvename>CVE-2011-2483</cvename>
<cvename>CVE-2011-2202</cvename>
<cvename>CVE-2011-1938</cvename>
<cvename>CVE-2011-1148</cvename>
</references>
<dates>
<discovery>2011-08-18</discovery>
<entry>2011-08-20</entry>
</dates>
</vuln>
<vuln vid="be77eff6-ca91-11e0-aea3-00215c6a37bb">
<topic>rubygem-rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-rails</name>
<range><lt>3.0.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/49179/discuss">
<p>Ruby on Rails is prone to multiple vulnerabilities
including SQL-injection, information-disclosure,
HTTP-header-injection, security-bypass and cross-site
scripting issues.</p>
</blockquote>
</body>
</description>
<references>
<bid>49179</bid>
<url>http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b</url>
<url>http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6</url>
<url>http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768</url>
<url>http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12</url>
<url>http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195</url>
</references>
<dates>
<discovery>2011-08-16</discovery>
<entry>2011-08-19</entry>
</dates>
</vuln>
<vuln vid="0b53f5f7-ca8a-11e0-aea3-00215c6a37bb">
<topic>dovecot -- denial of service vulnerability</topic>
<affects>
<package>
<name>dovecot</name>
<range><lt>1.2.17</lt></range>
<range><gt>2.0</gt><lt>2.0.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Timo Sirainen reports:</p>
<blockquote cite="http://dovecot.org/pipermail/dovecot/2011-May/059086.html">
<p>Fixed potential crashes and other problems when parsing header
names that contained NUL characters.</p>
</blockquote>
</body>
</description>
<references>
<bid>47930</bid>
<cvename>CVE-2011-1929</cvename>
</references>
<dates>
<discovery>2011-05-25</discovery>
<entry>2011-08-19</entry>
</dates>
</vuln>
<vuln vid="86baa0d4-c997-11e0-8a8e-00151735203a">
<topic>OTRS -- Vulnerabilities in OTRS-Core allow read access to any file on local file system</topic>
<affects>
<package>
<name>otrs</name>
<range><gt>2.1.*</gt><lt>3.0.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2011-03-en/">
<ul>
<li>An attacker with valid session and admin permissions could
get read access to any file on the server's local operating
system. For this, at least one installed OTRS package
would be needed.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2746</cvename>
<url>http://otrs.org/advisory/OSA-2011-03-en/</url>
</references>
<dates>
<discovery>2011-08-16</discovery>
<entry>2011-08-18</entry>
</dates>
</vuln>
<vuln vid="834591a9-c82f-11e0-897d-6c626dd55a41">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.20,1</lt></range>
<range><gt>5.0.*,1</gt><lt>6.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.3</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.20,1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>3.1.12</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>3.1.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-29 Security issues addressed in Firefox 6</p>
<p>MFSA 2011-28 Security issues addressed in Firefox 3.6.20</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-29.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-30.html</url>
<cvename>CVE-2011-2982</cvename>
<cvename>CVE-2011-0084</cvename>
<cvename>CVE-2011-2981</cvename>
<cvename>CVE-2011-2378</cvename>
<cvename>CVE-2011-2984</cvename>
<cvename>CVE-2011-2980</cvename>
<cvename>CVE-2011-2983</cvename>
<cvename>CVE-2011-2989</cvename>
<cvename>CVE-2011-2991</cvename>
<cvename>CVE-2011-2992</cvename>
<cvename>CVE-2011-2985</cvename>
<cvename>CVE-2011-2993</cvename>
<cvename>CVE-2011-2988</cvename>
<cvename>CVE-2011-2987</cvename>
<cvename>CVE-2011-2990</cvename>
<cvename>CVE-2011-2986</cvename>
</references>
<dates>
<discovery>2011-08-16</discovery>
<entry>2011-08-16</entry>
</dates>
</vuln>
<vuln vid="56f4b3a6-c82c-11e0-a498-00215c6a37bb">
<topic>Samba -- cross site scripting and request forgery vulnerabilities</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>3.4.*</gt><lt>3.4.14</lt></range>
</package>
<package>
<name>samba35</name>
<range><gt>3.5.*</gt><lt>3.5.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba security advisory reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2011-2522">
<p>All current released versions of Samba are vulnerable to a
cross-site request forgery in the Samba Web Administration Tool
(SWAT). By tricking a user who is authenticated with SWAT into
clicking a manipulated URL on a different web page, it is
possible to manipulate SWAT.</p>
</blockquote>
<blockquote cite="http://www.samba.org/samba/security/CVE-2011-2694">
<p>All current released versions of Samba are vulnerable to a
cross-site scripting issue in the Samba Web Administration Tool
(SWAT). On the "Change Password" field, it is possible to insert
arbitrary content into the "user" field.</p>
</blockquote>
</body>
</description>
<references>
<bid>48901</bid>
<bid>48899</bid>
<cvename>CVE-2011-2522</cvename>
<cvename>CVE-2011-2694</cvename>
</references>
<dates>
<discovery>2011-07-27</discovery>
<entry>2011-08-16</entry>
</dates>
</vuln>
<vuln vid="510b630e-c43b-11e0-916c-00e0815b8da8">
<topic>isc-dhcp-server -- server halt upon processing certain packets</topic>
<affects>
<package>
<name>isc-dhcp31-server</name>
<range><lt>3.1.ESV_1,1</lt></range>
</package>
<package>
<name>isc-dhcp41-server</name>
<range><lt>4.1.e_2,2</lt></range>
</package>
<package>
<name>isc-dhcp42-server</name>
<range><lt>4.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/dhcp/advisories/cve-2011-2748">
<p>A pair of defects cause the server to halt upon processing
certain packets. The patch is to properly discard or process
those packets.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2748</cvename>
<cvename>CVE-2011-2749</cvename>
</references>
<dates>
<discovery>2011-08-10</discovery>
<entry>2011-08-13</entry>
</dates>
</vuln>
<vuln vid="dc8741b9-c5d5-11e0-8a8e-00151735203a">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>2.4.*</ge><lt>3.6.6</lt></range>
<range><ge>4.0.*</ge><lt>4.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4.11/">
<p>The following security issues have been discovered in Bugzilla:</p>
<ul>
<li>Internet Explorer 8 and older, and Safari before 5.0.6 do
content sniffing when viewing a patch in "Raw Unified" mode,
which could trigger a cross-site scripting attack due to
the execution of malicious code in the attachment.</li>
<li>It is possible to determine whether or not certain group
names exist while creating or updating bugs.</li>
<li>Attachment descriptions with a newline in them could lead
to the injection of crafted headers in email notifications sent
to the requestee or the requester when editing an attachment
flag.</li>
<li>If an attacker has access to a user's session, he can modify
that user's email address without that user being notified
of the change.</li>
<li>Temporary files for uploaded attachments are not deleted
on Windows, which could let a user with local access to
the server read them.</li>
<li>Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised,
it can be used to inject HTML code when viewing a bug report,
leading to a cross-site scripting attack.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2379</cvename>
<cvename>CVE-2011-2380</cvename>
<cvename>CVE-2011-2979</cvename>
<cvename>CVE-2011-2381</cvename>
<cvename>CVE-2011-2978</cvename>
<cvename>CVE-2011-2977</cvename>
<cvename>CVE-2011-2976</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=637981</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=653477</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=674497</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=657158</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=670868</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=660502</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=660053</url>
</references>
<dates>
<discovery>2011-08-04</discovery>
<entry>2011-08-13</entry>
</dates>
</vuln>
<vuln vid="879b0242-c5b6-11e0-abd1-0017f22d6707">
<topic>dtc -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dtc</name>
<range><lt>0.32.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ansgar Burchardt reports:</p>
<blockquote cite="http://www.debian.org/security/2011/dsa-2179">
<p>Ansgar Burchardt discovered several vulnerabilities in DTC, a
web control panel for admin and accounting hosting services:
The bw_per_moth.php graph contains an SQL injection
vulnerability; insufficient checks in bw_per_month.php can lead
to bandwidth usage information disclosure; after a registration,
passwords are sent in cleartext email messages and authenticated
users could delete accounts using an obsolete interface which
was incorrectly included in the package.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0434</cvename>
<cvename>CVE-2011-0435</cvename>
<cvename>CVE-2011-0436</cvename>
<cvename>CVE-2011-0437</cvename>
<url>http://www.debian.org/security/2011/dsa-2179</url>
</references>
<dates>
<discovery>2011-03-02</discovery>
<entry>2011-08-13</entry>
</dates>
</vuln>
<vuln vid="304409c3-c3ef-11e0-8aa5-485d60cb5385">
<topic>libXfont -- possible local privilege escalation</topic>
<affects>
<package>
<name>libXfont</name>
<range><lt>1.4.4_1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tomas Hoger reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=725760">
<p>The compress/ LZW decompress implementation does not correctly
handle compressed streams that contain code words that were not
yet added to the decompression table. This may lead to
arbitrary memory corruption. Successful exploitation may
possibly lead to a local privilege escalation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2895</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=725760</url>
</references>
<dates>
<discovery>2011-07-26</discovery>
<entry>2011-08-11</entry>
<modified>2012-03-13</modified>
</dates>
</vuln>
<vuln vid="5d374b01-c3ee-11e0-8aa5-485d60cb5385">
<topic>freetype2 -- execute arbitrary code or cause denial of service</topic>
<affects>
<package>
<name>freetype2</name>
<range><lt>2.4.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Vincent Danen reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0226">
<p>An error within the t1_decoder_parse_charstrings()
function (src/psaux/t1decode.c) can be exploited to corrupt
memory by tricking a user into processing a specially-crafted
postscript Type1 font in an application that uses the freetype
library.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0226</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0226</url>
</references>
<dates>
<discovery>2011-07-19</discovery>
<entry>2011-08-11</entry>
</dates>
</vuln>
<vuln vid="2c12ae0c-c38d-11e0-8eb7-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r183.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb11-21.html">
<p>Critical vulnerabilities have been identified in Adobe Flash
Player 10.3.181.36 and earlier versions for Windows, Macintosh,
Linux and Solaris, and Adobe Flash Player 10.3.185.25 and
earlier versions for Android. These vulnerabilities could
cause a crash and potentially allow an attacker to take control
of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2130</cvename>
<cvename>CVE-2011-2134</cvename>
<cvename>CVE-2011-2135</cvename>
<cvename>CVE-2011-2136</cvename>
<cvename>CVE-2011-2137</cvename>
<cvename>CVE-2011-2138</cvename>
<cvename>CVE-2011-2139</cvename>
<cvename>CVE-2011-2140</cvename>
<cvename>CVE-2011-2414</cvename>
<cvename>CVE-2011-2415</cvename>
<cvename>CVE-2011-2416</cvename>
<cvename>CVE-2011-2417</cvename>
<cvename>CVE-2011-2425</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb11-21.html</url>
</references>
<dates>
<discovery>2011-05-13</discovery>
<entry>2011-08-10</entry>
</dates>
</vuln>
<vuln vid="30cb4522-b94d-11e0-8182-485d60cb5385">
<topic>libsoup -- unintentionally allow access to entire local filesystem</topic>
<affects>
<package>
<name>libsoup</name>
<range><lt>2.32.2_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dan Winship reports:</p>
<blockquote cite="http://mail.gnome.org/archives/ftp-release-list/2011-July/msg00176.html">
<p>Fixed a security hole that caused some SoupServer users to
unintentionally allow accessing the entire local filesystem when
they thought they were only providing access to a single
directory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2054</cvename>
<url>http://mail.gnome.org/archives/ftp-release-list/2011-July/msg00176.html</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=653258</url>
</references>
<dates>
<discovery>2011-06-23</discovery>
<entry>2011-07-28</entry>
</dates>
</vuln>
<vuln vid="d79fc873-b5f9-11e0-89b4-001ec9578670">
<topic>phpmyadmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.4.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php">
<p>XSS in table Print view.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php">
<p>Via a crafted MIME-type transformation parameter, an attacker can
perform a local file inclusion.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php">
<p>In the 'relational schema' code a parameter was not sanitized before
being used to concatenate a class name.</p>
<p>The end result is a local file inclusion vulnerability and code
execution.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php">
<p>It was possible to manipulate the PHP session superglobal using
some of the Swekey authentication code.</p>
<p>This is very similar to PMASA-2011-5, documented in
7e4e5c53-a56c-11e0-b180-00216aa06fc2.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2642</cvename>
<cvename>CVE-2011-2643</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php</url>
</references>
<dates>
<discovery>2011-07-23</discovery>
<entry>2011-07-24</entry>
<modified>2011-07-28</modified>
</dates>
</vuln>
<vuln vid="9f14cb36-b6fc-11e0-a044-445c73746d79">
<topic>opensaml2 -- unauthenticated login</topic>
<affects>
<package>
<name>opensaml2</name>
<range><gt>0</gt><lt>2.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSAML developer reports:</p>
<blockquote cite="http://shibboleth.internet2.edu/secadv/secadv_20110725.txt">
<p>The Shibboleth software relies on the OpenSAML libraries to
perform verification of signed XML messages such as attribute
queries or SAML assertions. Both the Java and C++ versions are
vulnerable to a so-called "wrapping attack" that allows a remote,
unauthenticated attacker to craft specially formed messages that
can be successfully verified, but contain arbitrary content.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1411</cvename>
<mlist msgid="CA530061.113D6%cantor.2@osu.edu">https://groups.google.com/a/shibboleth.net/group/announce/browse_thread/thread/cf3e0d76afbb57d9</mlist>
</references>
<dates>
<discovery>2011-07-25</discovery>
<entry>2011-07-25</entry>
</dates>
</vuln>
<vuln vid="9a777c23-b310-11e0-832d-00215c6a37bb">
<topic>rsync -- incremental recursion memory corruption vulnerability</topic>
<affects>
<package>
<name>rsync</name>
<range><gt>3.0</gt><lt>3.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>rsync development team reports:</p>
<blockquote cite="http://rsync.samba.org/ftp/rsync/src/rsync-3.0.8-NEWS">
<p>Fixed a data-corruption issue when preserving hard-links
without preserving file ownership, and doing deletions either
before or during the transfer (CVE-2011-1097). This
fixes some assert errors in the hard-linking code, and some
potential failed checksums (via -c) that should have matched.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1097</cvename>
<url>https://bugzilla.samba.org/show_bug.cgi?id=7936</url>
</references>
<dates>
<discovery>2011-04-08</discovery>
<entry>2011-07-20</entry>
</dates>
</vuln>
<vuln vid="fd64188d-a71d-11e0-89b4-001ec9578670">
<topic>BIND -- Remote DoS against authoritative and recursive servers</topic>
<affects>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R4.3</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.3.3</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/software/bind/advisories/cve-2011-2464">
<p>A defect in the affected BIND 9 versions allows an attacker to
remotely cause the "named" process to exit using a specially
crafted packet.</p>
<p>This defect affects both recursive and authoritative servers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2464</cvename>
<url>https://www.isc.org/software/bind/advisories/cve-2011-2464</url>
</references>
<dates>
<discovery>2011-07-05</discovery>
<entry>2011-07-05</entry>
</dates>
</vuln>
<vuln vid="4ccee784-a721-11e0-89b4-001ec9578670">
<topic>BIND -- Remote DoS with certain RPZ configurations</topic>
<affects>
<package>
<name>bind98</name>
<range><lt>9.8.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/software/bind/advisories/cve-2011-2465">
<p>Two defects were discovered in ISC's BIND 9.8 code. These
defects only affect BIND 9.8 servers which have recursion
enabled and which use a specific feature of the software known
as Response Policy Zones (RPZ) and where the RPZ zone contains
a specific rule/action pattern.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2465</cvename>
<url>https://www.isc.org/software/bind/advisories/cve-2011-2465</url>
</references>
<dates>
<discovery>2011-07-05</discovery>
<entry>2011-07-05</entry>
</dates>
</vuln>
<vuln vid="7e4e5c53-a56c-11e0-b180-00216aa06fc2">
<topic>phpmyadmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.4.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php">
<p>It was possible to manipulate the PHP session superglobal using
some of the Swekey authentication code. This could open a path
for other attacks.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php">
<p>An unsanitized key from the Servers array is written in a comment
of the generated config. An attacker can modify this key by
modifying the SESSION superglobal array. This allows the attacker
to close the comment and inject code.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php">
<p>Through a possible bug in PHP running on Windows systems a NULL
byte can truncate the pattern string allowing an attacker to
inject the /e modifier causing the preg_replace function to
execute its second argument as PHP code.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php">
<p>Fixed filtering of a file path in the MIME-type transformation
code, which allowed for directory traversal.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2505</cvename>
<cvename>CVE-2011-2506</cvename>
<cvename>CVE-2011-2507</cvename>
<cvename>CVE-2011-2508</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php</url>
</references>
<dates>
<discovery>2011-07-02</discovery>
<entry>2011-07-03</entry>
<modified>2011-07-28</modified>
</dates>
</vuln>
<vuln vid="40544e8c-9f7b-11e0-9bec-6c626dd55a41">
<topic>Asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.41.2</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.18.2</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://www.asterisk.org/node/51650">
<p>AST-2011-008: If a remote user sends a SIP packet containing a
NULL, Asterisk assumes available data extends past the null to
the end of the packet when the buffer is actually truncated when
copied. This causes SIP header parsing to modify data past the
end of the buffer altering unrelated memory structures. This
vulnerability does not affect TCP/TLS connections.</p>
<p>AST-2011-009: A remote user sending a SIP packet containing a
Contact header with a missing left angle bracket causes Asterisk
to access a null pointer.</p>
<p>AST-2011-010: A memory address was inadvertently transmitted
over the network via IAX2 via an option control frame and the
remote party would try to access it.</p>
<p>Possible enumeration of SIP users due to differing
authentication responses.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2529</cvename>
<cvename>CVE-2011-2535</cvename>
<cvename>CVE-2011-2536</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2011-008.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-009.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-010.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-011.html</url>
</references>
<dates>
<discovery>2011-06-24</discovery>
<entry>2011-06-25</entry>
<modified>2011-06-29</modified>
</dates>
</vuln>
<vuln vid="01d3ab7d-9c43-11e0-bc0f-0014a5e3cda6">
<topic>ejabberd -- remote denial of service vulnerability</topic>
<affects>
<package>
<name>ejabberd</name>
<range><lt>2.1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CVE advisory reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1753">
<p>expat_erl.c in ejabberd before 2.1.7 and 3.x before
3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect
recursion during entity expansion, which allows remote attackers
to cause a denial of service (memory and CPU consumption) via a
crafted XML document containing a large number of nested entity
references, a similar issue to CVE-2003-1564.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1753</cvename>
<url>http://www.ejabberd.im/ejabberd-2.1.7</url>
</references>
<dates>
<discovery>2011-04-27</discovery>
<entry>2011-06-24</entry>
</dates>
</vuln>
<vuln vid="dfe40cff-9c3f-11e0-9bec-6c626dd55a41">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.20,1</lt></range>
<range><gt>3.6.*,1</gt><lt>3.6.18,1</lt></range>
<range><gt>4.0.*,1</gt><lt>5.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.18,1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>3.1.11</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>3.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-19 Miscellaneous memory safety hazards
(rv:3.0/1.9.2.18)</p>
<p>MFSA 2011-20 Use-after-free vulnerability when viewing XUL
document with script disabled</p>
<p>MFSA 2011-21 Memory corruption due to multipart/x-mixed-replace
images</p>
<p>MFSA 2011-22 Integer overflow and arbitrary code execution in
Array.reduceRight()</p>
<p>MFSA 2011-23 Multiple dangling pointer vulnerabilities</p>
<p>MFSA 2011-24 Cookie isolation error</p>
<p>MFSA 2011-25 Stealing of cross-domain images using WebGL
textures</p>
<p>MFSA 2011-26 Multiple WebGL crashes</p>
<p>MFSA 2011-27 XSS encoding hazard with inline SVG</p>
<p>MFSA 2011-28 Non-whitelisted site can trigger xpinstall</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-19.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-20.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-21.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-22.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-23.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-24.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-25.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-26.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-27.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-28.html</url>
</references>
<dates>
<discovery>2011-06-21</discovery>
<entry>2011-06-21</entry>
<modified>2011-06-23</modified>
</dates>
</vuln>
<vuln vid="bfdbc7ec-9c3f-11e0-9bec-6c626dd55a41">
<topic>Samba -- Denial of service - memory corruption</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>3.4.*</gt><lt>3.4.12</lt></range>
</package>
<package>
<name>samba35</name>
<range><gt>3.5.*</gt><lt>3.5.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba team reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2011-0719.html">
<p>Samba is vulnerable to a denial of service, caused by a memory
corruption error related to missing range checks on file
descriptors being used in the "FD_SET" macro. By performing a
select on a bad file descriptor set, a remote attacker could
exploit this vulnerability to cause the application to crash or
possibly execute arbitrary code on the system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0719</cvename>
<url>http://www.samba.org/samba/security/CVE-2011-0719.html</url>
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0719</url>
</references>
<dates>
<discovery>2011-02-28</discovery>
<entry>2011-06-21</entry>
</dates>
</vuln>
<vuln vid="23c8423e-9bff-11e0-8ea2-0019d18c446a">
<topic>Piwik -- remote command execution vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><ge>1.2</ge><lt>1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Piwik security advisory reports:</p>
<blockquote cite="http://piwik.org/blog/2011/06/piwik-1-5-security-advisory/">
<p>The Piwik 1.5 release addresses a critical security
vulnerability, which affects all Piwik users that have
granted some access to the "anonymous" user.</p>
<p>Piwik contains a remotely exploitable vulnerability that could
allow a remote attacker to execute arbitrary code. Only
installations that have granted untrusted view access to their
stats (i.e. grant "view" access to a website to anonymous) are
at risk.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/158084</freebsdpr>
<url>http://piwik.org/blog/2011/06/piwik-1-5-security-advisory/</url>
</references>
<dates>
<discovery>2011-06-21</discovery>
<entry>2011-06-21</entry>
</dates>
</vuln>
<vuln vid="0b535cd0-9b90-11e0-800a-00215c6a37bb">
<topic>Dokuwiki -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20110525a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dokuwiki reports:</p>
<blockquote cite="http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind">
<p>We just released a Hotfix Release "2011-05-25a Rincewind".
It contains the following changes:</p>
<p>Security fix for a Cross Site Scripting vulnerability.
Malicious users could abuse DokuWiki's RSS embedding mechanism
to create links containing arbitrary JavaScript. Note: this
security problem is present in at least Anteater and Rincewind
but probably in older releases as well.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind</url>
</references>
<dates>
<discovery>2011-06-14</discovery>
<entry>2011-06-20</entry>
</dates>
</vuln>
<vuln vid="55a528e8-9787-11e0-b24a-001b2134ef46">
<topic>linux-flashplugin -- remote code execution vulnerability</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r181.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-18.html">
<p>A critical vulnerability has been identified in Adobe Flash
Player 10.3.181.23 and earlier versions for Windows, Macintosh,
Linux and Solaris, and Adobe Flash Player 10.3.185.23 and
earlier versions for Android. This memory corruption
vulnerability (CVE-2011-2110) could cause a crash and
potentially allow an attacker to take control of the affected
system. There are reports that this vulnerability is being
exploited in the wild in targeted attacks via malicious Web
pages.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2110</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-18.html</url>
</references>
<dates>
<discovery>2011-05-13</discovery>
<entry>2011-06-15</entry>
</dates>
</vuln>
<vuln vid="3145faf1-974c-11e0-869e-000c29249b2e">
<topic>ikiwiki -- tty hijacking via ikiwiki-mass-rebuild</topic>
<affects>
<package>
<name>ikiwiki</name>
<range><lt>3.20110608</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The IkiWiki development team reports:</p>
<blockquote cite="http://ikiwiki.info/security/#index40h2">
<p>Ludwig Nussel discovered a way for users to hijack root's tty
when ikiwiki-mass-rebuild was run. Additionally, there was
some potential for information disclosure via symlinks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1408</cvename>
<url>http://ikiwiki.info/security/#index40h2</url>
</references>
<dates>
<discovery>2011-06-08</discovery>
<entry>2011-06-15</entry>
</dates>
</vuln>
<vuln vid="57573136-920e-11e0-bdc9-001b2134ef46">
<topic>linux-flashplugin -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r181.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-13.html">
<p>An important vulnerability has been identified in Adobe
Flash Player 10.3.181.16 and earlier versions for Windows,
Macintosh, Linux and Solaris, and Adobe Flash Player
10.3.185.22 and earlier versions for Android. This universal
cross-site scripting vulnerability (CVE-2011-2107) could be
used to take actions on a user's behalf on any website or
webmail provider, if the user visits a malicious website.
There are reports that this vulnerability is being exploited
in the wild in active targeted attacks designed to trick
the user into clicking on a malicious link delivered in an
email message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2107</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-13.html</url>
</references>
<dates>
<discovery>2011-05-13</discovery>
<entry>2011-06-08</entry>
</dates>
</vuln>
<vuln vid="1e1421f0-8d6f-11e0-89b4-001ec9578670">
<topic>BIND -- Large RRSIG RRsets and Negative Caching DoS</topic>
<affects>
<package>
<name>bind9-sdb-ldap</name>
<name>bind9-sdb-postgresql</name>
<range><lt>9.4.3.4</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R4.1</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.3.1</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.0.2</lt></range>
</package>
<system>
<name>FreeBSD</name>
<range><gt>7.3</gt><lt>7.3_6</lt></range>
<range><gt>7.4</gt><lt>7.4_2</lt></range>
<range><gt>8.1</gt><lt>8.1_4</lt></range>
<range><gt>8.2</gt><lt>8.2_2</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/bind/advisories/cve-2011-1910">
<p>A BIND 9 DNS server set up to be a caching resolver is
vulnerable to a user querying a domain with very large resource
record sets (RRSets) when trying to negatively cache a response.
This can cause the BIND 9 DNS server (named process) to crash.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1910</cvename>
<freebsdsa>SA-11:02.bind</freebsdsa>
<url>http://www.isc.org/software/bind/advisories/cve-2011-1910</url>
</references>
<dates>
<discovery>2011-05-26</discovery>
<entry>2011-06-04</entry>
</dates>
</vuln>
<vuln vid="f7d838f2-9039-11e0-a051-080027ef73ec">
<topic>fetchmail -- STARTTLS denial of service</topic>
<affects>
<package>
<name>fetchmail</name>
<range><lt>6.3.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2011-01.txt">
<p>Fetchmail version 5.9.9 introduced STLS support for POP3,
version 6.0.0 added STARTTLS for IMAP. However, the actual
S(TART)TLS-initiated in-band SSL/TLS negotiation was not guarded
by a timeout.</p>
<p>Depending on the operating system defaults as to TCP stream
keepalive mode, fetchmail hangs in excess of one week after
sending STARTTLS were observed if the connection failed without
notifying the operating system, for instance, through network
outages or hard server crashes.</p>
<p>A malicious server that does not respond, at the network level,
after acknowledging fetchmail's STARTTLS or STLS request, can
hold fetchmail in this protocol state, and thus render fetchmail
unable to complete the poll, or proceed to the next server,
effecting a denial of service.</p>
<p>SSL-wrapped mode on dedicated ports was unaffected by this
problem, so can be used as a workaround.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1947</cvename>
<url>http://www.fetchmail.info/fetchmail-SA-2011-01.txt</url>
<url>https://gitorious.org/fetchmail/fetchmail/commit/7dc67b8cf06f74aa57525279940e180c99701314</url>
</references>
<dates>
<discovery>2011-04-28</discovery>
<entry>2011-06-06</entry>
</dates>
</vuln>
<vuln vid="34ce5817-8d56-11e0-b5a2-6c626dd55a41">
<topic>asterisk -- Remote crash vulnerability</topic>
<affects>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://lists.digium.com/pipermail/asterisk-announce/2011-June/000325.html">
<p>If a remote user initiates a SIP call and the recipient picks
up, the remote user can reply with a malformed Contact header
that Asterisk will improperly handle and cause a crash due to a
segmentation fault.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2216</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2011-007.pdf</url>
</references>
<dates>
<discovery>2011-06-02</discovery>
<entry>2011-06-02</entry>
</dates>
</vuln>
<vuln vid="e27a1af3-8d21-11e0-a45d-001e8c75030d">
<topic>Subversion -- multiple vulnerabilities</topic>
<affects>
<package>
<name>subversion</name>
<range><lt>1.6.17</lt></range>
</package>
<package>
<name>subversion-freebsd</name>
<range><lt>1.6.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion team reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2011-1752-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module will
dereference a NULL pointer if asked to deliver baselined WebDAV
resources.</p>
<p>This can lead to a DoS. An exploit has been tested, and tools
or users have been observed triggering this problem in the
wild.</p>
</blockquote>
<blockquote cite="http://subversion.apache.org/security/CVE-2011-1783-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module may in
certain scenarios enter a logic loop which does not exit and
which allocates memory in each iteration, ultimately exhausting
all the available memory on the server.</p>
<p>This can lead to a DoS. There are no known instances of this
problem being observed in the wild, but an exploit has been
tested.</p>
</blockquote>
<blockquote cite="http://subversion.apache.org/security/CVE-2011-1921-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module may leak to
remote users the file contents of files configured to be
unreadable by those users.</p>
<p>There are no known instances of this problem being observed in
the wild, but an exploit has been tested.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1752</cvename>
<cvename>CVE-2011-1783</cvename>
<cvename>CVE-2011-1921</cvename>
</references>
<dates>
<discovery>2011-05-28</discovery>
<entry>2011-06-02</entry>
</dates>
</vuln>
<vuln vid="1acf9ec5-877d-11e0-b937-001372fd0af2">
<topic>drupal6 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Team reports:</p>
<blockquote cite="http://drupal.org/node/1168756">
<p>A reflected cross site scripting vulnerability was discovered
in Drupal's error handler. Drupal displays PHP errors in the
messages area, and a specially crafted URL can cause malicious
scripts to be injected into the message. The issue can be
mitigated by disabling on-screen error display at admin /
settings / error-reporting. This is the recommended setting
for production sites.</p>
<p>When using re-colorable themes, color inputs are not sanitized.
Malicious color values can be used to insert arbitrary CSS and
script code. Successful exploitation requires the "Administer
themes" permission.</p>
</blockquote>
</body>
</description>
<references>
<url>http://drupal.org/node/1168756</url>
</references>
<dates>
<discovery>2011-05-25</discovery>
<entry>2011-05-26</entry>
</dates>
</vuln>
<vuln vid="e4833927-86e5-11e0-a6b4-000a5e1e33c6">
<topic>Erlang -- ssh library uses a weak random number generator</topic>
<affects>
<package>
<name>erlang</name>
<range><lt>r14b03</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/178990">
<p>The Erlang/OTP ssh library implements a number of
cryptographic operations that depend on cryptographically
strong random numbers. Unfortunately the RNG used by the
library is not cryptographically strong, and is further
weakened by the use of predictable seed material. The RNG
(Wichmann-Hill) is not mixed with an entropy source.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0766</cvename>
<url>http://www.erlang.org/download/otp_src_R14B03.readme</url>
<url>https://github.com/erlang/otp/commit/f228601de45c5b53241b103af6616453c50885a5</url>
</references>
<dates>
<discovery>2011-05-25</discovery>
<entry>2011-05-25</entry>
</dates>
</vuln>
<vuln vid="dc96ac1f-86b1-11e0-9e85-00215af774f0">
<topic>Unbound -- an empty error packet handling assertion failure</topic>
<affects>
<package>
<name>unbound</name>
<range><lt>1.4.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Unbound developer reports:</p>
<blockquote cite="http://unbound.nlnetlabs.nl/downloads/CVE-2011-1922.txt">
<p>NLnet Labs was notified of an error in Unbound's code-path
for error replies which is triggered under special conditions.
The error causes the program to abort.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1922</cvename>
<url>http://unbound.nlnetlabs.nl/downloads/CVE-2011-1922.txt</url>
</references>
<dates>
<discovery>2011-05-25</discovery>
<entry>2011-05-25</entry>
</dates>
</vuln>
<vuln vid="115a1389-858e-11e0-a76c-000743057ca2">
<topic>Pubcookie Login Server -- XSS vulnerability</topic>
<affects>
<package>
<name>pubcookie-login-server</name>
<range><lt>3.3.2d</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nathan Dors, Pubcookie Project reports:</p>
<blockquote cite="http://pubcookie.org/news/20070606-login-secadv.html">
<p>A new non-persistent XSS vulnerability was found in the
Pubcookie login server's compiled binary "index.cgi" CGI
program. The CGI program mishandles untrusted data when
printing responses to the browser. This makes the program
vulnerable to carefully crafted requests containing script
or HTML. If an attacker can lure an unsuspecting user to
visit carefully staged content, the attacker can use it to
redirect the user to his or her local Pubcookie login page
and attempt to exploit the XSS vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://pubcookie.org/news/20070606-login-secadv.html</url>
</references>
<dates>
<discovery>2007-05-25</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="1ca8228f-858d-11e0-a76c-000743057ca2">
<topic>mod_pubcookie -- Empty Authentication Security Advisory</topic>
<affects>
<package>
<name>ap20-mod_pubcookie</name>
<range><ge>3.1.0</ge><lt>3.3.2b</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nathan Dors, Pubcookie Project reports:</p>
<blockquote cite="http://pubcookie.org/news/20061106-empty-auth-secadv.html">
<p>An Abuse of Functionality vulnerability in the Pubcookie
authentication process was found. This vulnerability allows an
attacker to appear as if he or she were authenticated using an
empty userid when such a userid isn't expected. Unauthorized
access to web content and applications may result where access
is restricted to users who can authenticate successfully but
where no additional authorization is performed after
authentication.</p>
</blockquote>
</body>
</description>
<references>
<url>http://pubcookie.org/news/20061106-empty-auth-secadv.html</url>
</references>
<dates>
<discovery>2006-10-04</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="7af2fb85-8584-11e0-96b7-00300582f9fc">
<topic>ViewVC -- user-reachable override of cvsdb row limit</topic>
<affects>
<package>
<name>viewvc</name>
<range><lt>1.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ViewVC.org reports:</p>
<blockquote cite="http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2536&amp;r2=2574">
<p>Security fix: remove user-reachable override of cvsdb row limit.</p>
</blockquote>
</body>
</description>
<references>
<url>http://viewvc.tigris.org/source/browse/*checkout*/viewvc/branches/1.1.x/CHANGES</url>
</references>
<dates>
<discovery>2011-05-17</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="99a5590c-857e-11e0-96b7-00300582f9fc">
<topic>Apache APR -- DoS vulnerabilities</topic>
<affects>
<package>
<name>apr1</name>
<range><lt>1.4.5.1.3.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Portable Runtime Project reports:</p>
<blockquote cite="http://www.apache.org/dist/apr/CHANGES-APR-1.4">
<p>A flaw was discovered in the apr_fnmatch() function in the
Apache Portable Runtime (APR) library 1.4.4 (or any backported
versions that contained the upstream fix for CVE-2011-0419).
This could cause httpd workers to enter a hung state (100% CPU
utilization).</p>
<p>apr-util 1.3.11 could cause crashes with httpd's
mod_authnz_ldap in some situations.</p>
</blockquote>
</body>
</description>
<references>
<bid>47929</bid>
<cvename>CVE-2011-1928</cvename>
<cvename>CVE-2011-0419</cvename>
<url>http://www.apache.org/dist/apr/Announcement1.x.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1928</url>
</references>
<dates>
<discovery>2011-05-19</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="d226626c-857f-11e0-95cc-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r181.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-12.html">
<p>Critical vulnerabilities have been identified in Adobe Flash
Player 10.2.159.1 and earlier versions (Adobe Flash Player
10.2.154.28 and earlier for Chrome users) for Windows,
Macintosh, Linux and Solaris, and Adobe Flash Player 10.2.157.51
and earlier versions for Android. These vulnerabilities could
cause the application to crash and could potentially allow an
attacker to take control of the affected system. There are
reports of malware attempting to exploit one of the
vulnerabilities, CVE-2011-0627, in the wild via a Flash (.swf)
file embedded in a Microsoft Word (.doc) or Microsoft Excel
(.xls) file delivered as an email attachment targeting the
Windows platform. However, to date, Adobe has not obtained a
sample that successfully completes an attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0579</cvename>
<cvename>CVE-2011-0618</cvename>
<cvename>CVE-2011-0619</cvename>
<cvename>CVE-2011-0620</cvename>
<cvename>CVE-2011-0621</cvename>
<cvename>CVE-2011-0622</cvename>
<cvename>CVE-2011-0623</cvename>
<cvename>CVE-2011-0624</cvename>
<cvename>CVE-2011-0625</cvename>
<cvename>CVE-2011-0626</cvename>
<cvename>CVE-2011-0627</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-12.html</url>
</references>
<dates>
<discovery>2011-01-20</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="e666498a-852a-11e0-8f78-080027ef73ec">
<topic>Opera -- code injection vulnerability through broken frameset handling</topic>
<affects>
<package><name>opera</name><range><lt>11.11</lt></range></package>
<package><name>opera-devel</name><range><lt>11.11</lt></range></package>
<package><name>linux-opera</name><range><lt>11.11</lt></range></package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera Software ASA reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1111/">
<p>Fixed an issue with framesets that could allow execution of
arbitrary code, as reported by an anonymous contributor working
with the SecuriTeam Secure Disclosure program.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/docs/changelogs/unix/1111/</url>
<url>http://www.opera.com/support/kb/view/992/</url>
</references>
<dates>
<discovery>2011-05-18</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="1495f931-8522-11e0-a1c1-00215c6a37bb">
<topic>pureftpd -- multiple vulnerabilities</topic>
<affects>
<package>
<name>pure-ftpd</name>
<range><lt>1.0.32</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pure-FTPd development team reports:</p>
<blockquote cite="http://www.pureftpd.org/project/pure-ftpd/news">
<p>Support for braces expansion in directory listings has been
disabled -- Cf. CVE-2011-0418.</p>
<p>Fix a STARTTLS flaw similar to Postfix's CVE-2011-0411.
If you're using TLS, upgrading is recommended.</p>
</blockquote>
</body>
</description>
<references>
<bid>46767</bid>
<cvename>CVE-2011-0418</cvename>
<cvename>CVE-2011-1575</cvename>
</references>
<dates>
<discovery>2011-04-01</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="36594c54-7be7-11e0-9838-0022156e8794">
<topic>Exim -- remote code execution and information disclosure</topic>
<affects>
<package>
<name>exim</name>
<range><ge>4.70</ge><lt>4.76</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Release notes for Exim 4.76 say:</p>
<blockquote cite="ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.76">
<p>Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to
a format-string attack -- SECURITY: remote arbitrary code
execution.</p>
<p>DKIM signature header parsing was double-expanded, second
time unintentionally subject to list matching rules, letting
the header cause arbitrary Exim lookups (of items which can
occur in lists, *not* arbitrary string expansion). This
allowed for information disclosure.</p>
</blockquote>
<p>Also, impact assessment was redone shortly after the original
announcement:</p>
<blockquote cite="https://lists.exim.org/lurker/message/20110512.102909.8136175a.en.html">
<p>Further analysis revealed that the second security issue was
more severe than I realised at the time that I wrote the
announcement. The second security issue has been assigned
CVE-2011-1407 and is also a remote code execution flaw.
For clarity: both issues were introduced with 4.70.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1764</cvename>
<cvename>CVE-2011-1407</cvename>
<mlist msgid="20110512102909.GA58484@redoubt.spodhuis.org">https://lists.exim.org/lurker/message/20110512.102909.8136175a.en.html</mlist>
<url>http://bugs.exim.org/show_bug.cgi?id=1106</url>
</references>
<dates>
<discovery>2011-05-10</discovery>
<entry>2011-05-14</entry>
</dates>
</vuln>
<vuln vid="00b296b6-7db1-11e0-96b7-00300582f9fc">
<topic>Apache APR -- DoS vulnerabilities</topic>
<affects>
<package>
<name>apr1</name>
<range><lt>1.4.4.1.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Portable Runtime Project reports:</p>
<blockquote cite="http://www.apache.org/dist/apr/CHANGES-APR-1.4">
<p>Note especially a security fix to APR 1.4.4, excessive CPU
consumption was possible due to an unconstrained, recursive
invocation of apr_fnmatch, as apr_fnmatch processed '*' wildcards.
Reimplement apr_fnmatch() from scratch using a non-recursive
algorithm now has improved compliance with the fnmatch() spec.
(William Rowe)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0419</cvename>
<url>http://www.apache.org/dist/apr/Announcement1.x.html</url>
</references>
<dates>
<discovery>2011-05-10</discovery>
<entry>2011-05-12</entry>
</dates>
</vuln>
<vuln vid="34e8ccf5-7d71-11e0-9d83-000c29cc39d3">
<topic>Zend Framework -- potential SQL injection when using PDO_MySql</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.11.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2011-02">
<p>Developers using non-ASCII-compatible encodings in conjunction
with the MySQL PDO driver of PHP may be vulnerable to SQL
injection attacks. Developers using ASCII-compatible encodings
like UTF8 or latin1 are not affected by this PHP issue.</p>
</blockquote>
</body>
</description>
<references>
<url>http://framework.zend.com/security/advisory/ZF2011-02</url>
<url>http://zend-framework-community.634137.n4.nabble.com/Zend-Framework-1-11-6-and-1-10-9-released-td3503741.html</url>
</references>
<dates>
<discovery>2011-05-06</discovery>
<entry>2011-05-13</entry>
</dates>
</vuln>
<vuln vid="3fadb7c6-7b0a-11e0-89b4-001ec9578670">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><lt>1.16.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mediawiki reports:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-May/000098.html">
<p>(Bug 28534) XSS vulnerability for IE 6 clients. This is the
third attempt at fixing bug 28235.</p>
<p>(Bug 28639) Potential privilege escalation when
$wgBlockDisablesLogin is enabled.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=28534</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=28639</url>
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-May/000098.html</url>
<url>http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/RELEASE-NOTES</url>
</references>
<dates>
<discovery>2011-04-14</discovery>
<entry>2011-05-12</entry>
</dates>
</vuln>
<vuln vid="3eb2c100-738b-11e0-89f4-001e90d46635">
<topic>Postfix -- memory corruption vulnerability</topic>
<affects>
<package>
<name>postfix</name>
<name>postfix-base</name>
<range><ge>2.8.*,1</ge><lt>2.8.3,1</lt></range>
<range><ge>2.7.*,1</ge><lt>2.7.4,1</lt></range>
<range><ge>2.6.*,1</ge><lt>2.6.10,1</lt></range>
<range><ge>2.5.*,2</ge><lt>2.5.13,2</lt></range>
<range><le>2.4.16,1</le></range>
</package>
<package>
<name>postfix-current</name>
<name>postfix-current-base</name>
<range><lt>2.9.20110501,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Postfix SMTP server has a memory corruption error when the
Cyrus SASL library is used with authentication mechanisms other
than PLAIN and LOGIN (ANONYMOUS is not affected, but should not
be used for other reasons). This memory corruption is known to
result in a program crash (SIGSEGV).</p>
</body>
</description>
<references>
<cvename>CVE-2011-1720</cvename>
<url>http://www.postfix.org/CVE-2011-1720.html</url>
</references>
<dates>
<discovery>2011-05-09</discovery>
<entry>2011-05-09</entry>
</dates>
</vuln>
<vuln vid="04b7d46c-7226-11e0-813a-6c626dd55a41">
<topic>Mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.17,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.19,1</lt></range>
<range><gt>4.0.*,1</gt><lt>4.0.1,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.17</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.17,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.19</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.14</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-12 Miscellaneous memory safety hazards</p>
<p>MFSA 2011-13 Multiple dangling pointer vulnerabilities</p>
<p>MFSA 2011-14 Information stealing via form history</p>
<p>MFSA 2011-15 Escalation of privilege through Java Embedding Plugin</p>
<p>MFSA 2011-16 Directory traversal in resource: protocol</p>
<p>MFSA 2011-17 WebGLES vulnerabilities</p>
<p>MFSA 2011-18 XSLT generate-id() function heap address leak</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-12.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-13.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-14.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-15.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-16.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-17.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-18.html</url>
</references>
<dates>
<discovery>2011-04-28</discovery>
<entry>2011-04-29</entry>
</dates>
</vuln>
<vuln vid="3c7d565a-6c64-11e0-813a-6c626dd55a41">
<topic>Asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.40.1</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.17.3</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.3.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://lists.digium.com/pipermail/asterisk-announce/2011-April/000316.html">
<p>It is possible for a user of the Asterisk Manager Interface to
bypass a security check and execute shell commands when they
should not have that ability. Sending the "Async" header with
the "Application" header during an Originate action, allows
authenticated manager users to execute shell commands. Only
users with the "system" privilege should be able to do this.</p>
<p>On systems that have the Asterisk Manager Interface, Skinny, SIP
over TCP, or the built in HTTP server enabled, it is possible for
an attacker to open as many connections to asterisk as he wishes.
This will cause Asterisk to run out of available file descriptors
and stop processing any new calls. Additionally, disk space can
be exhausted as Asterisk logs failures to open new file
descriptors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1507</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2011-005.pdf</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-006.pdf</url>
</references>
<dates>
<discovery>2011-04-21</discovery>
<entry>2011-04-21</entry>
</dates>
</vuln>
<vuln vid="6a4bfe75-692a-11e0-bce7-001eecdd401a">
<topic>VLC -- Heap corruption in MP4 demultiplexer</topic>
<affects>
<package>
<name>vlc</name>
<range><ge>1.0.0</ge><lt>1.1.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>VideoLAN project reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1103.html">
<p>When parsing some MP4 (MPEG-4 Part 14) files, insufficient
buffer size might lead to corruption of the heap.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.videolan.org/security/sa1103.html</url>
</references>
<dates>
<discovery>2011-04-07</discovery>
<entry>2011-04-17</entry>
</dates>
</vuln>
<vuln vid="32b05547-6913-11e0-bdc4-001b2134ef46">
<topic>linux-flashplugin -- remote code execution vulnerability</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.2r159.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa11-02.html">
<p>A critical vulnerability exists in Flash Player 10.2.153.1
and earlier versions (Adobe Flash Player 10.2.154.25 and
earlier for Chrome users) for Windows, Macintosh, Linux
and Solaris, Adobe Flash Player 10.2.156.12 and earlier
versions for Android, and the Authplay.dll component that
ships with Adobe Reader and Acrobat X (10.0.2) and earlier
10.x and 9.x versions for Windows and Macintosh operating
systems.</p>
<p>This vulnerability (CVE-2011-0611) could cause a crash
and potentially allow an attacker to take control of the
affected system. There are reports that this vulnerability
is being exploited in the wild in targeted attacks via a
malicious Web page or a Flash (.swf) file embedded in a
Microsoft Word (.doc) or Microsoft Excel (.xls) file
delivered as an email attachment, targeting the Windows
platform. At this time, Adobe is not aware of any attacks
via PDF targeting Adobe Reader and Acrobat. Adobe Reader
X Protected Mode mitigations would prevent an exploit of
this kind from executing.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0611</cvename>
<url>http://www.adobe.com/support/security/advisories/apsa11-02.html</url>
</references>
<dates>
<discovery>2011-01-20</discovery>
<entry>2011-04-17</entry>
</dates>
</vuln>
<vuln vid="bf171509-68dd-11e0-afe6-0003ba02bf30">
<topic>rt -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rt36</name>
<range><lt>3.6.11</lt></range>
</package>
<package>
<name>rt38</name>
<range><lt>3.8.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Best Practical reports:</p>
<blockquote cite="http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html">
<p>In the process of preparing the release of RT 4.0.0, we performed
an extensive security audit of RT's source code. During this
audit, several vulnerabilities were found which affect earlier
releases of RT.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1685</cvename>
<cvename>CVE-2011-1686</cvename>
<cvename>CVE-2011-1687</cvename>
<cvename>CVE-2011-1688</cvename>
<cvename>CVE-2011-1689</cvename>
<cvename>CVE-2011-1690</cvename>
<url>http://secunia.com/advisories/44189</url>
</references>
<dates>
<discovery>2011-04-14</discovery>
<entry>2011-04-17</entry>
</dates>
</vuln>
<vuln vid="6a3c3e5c-66cb-11e0-a116-c535f3aa24f0">
<topic>krb5 -- MITKRB5-SA-2011-004, kadmind invalid pointer free() [CVE-2011-0285]</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><lt>1.8.4</lt></range>
<range><eq>1.9</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An advisory published by the MIT Kerberos team says:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt">
<p>The password-changing capability of the MIT krb5 administration
daemon (kadmind) has a bug that can cause it to attempt to free()
an invalid pointer under certain error conditions. This can cause
the daemon to crash or induce the execution of arbitrary code
(which is believed to be difficult). No exploit that executes
arbitrary code is known to exist, but it is easy to trigger a
denial of service manually.</p>
<p>Some platforms detect attempted freeing of invalid pointers and
protectively terminate the process, preventing arbitrary code
execution on those platforms.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0285</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt</url>
</references>
<dates>
<discovery>2011-04-12</discovery>
<entry>2011-04-14</entry>
</dates>
</vuln>
<vuln vid="7edac52a-66cd-11e0-9398-5d45f3aa24f0">
<topic>krb5 -- MITKRB5-SA-2011-003, KDC vulnerable to double-free when PKINIT enabled</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><lt>1.8.4</lt></range>
<range><eq>1.9</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An advisory published by the MIT Kerberos team says:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt">
<p>The MIT Kerberos 5 Key Distribution Center (KDC) daemon is
vulnerable to a double-free condition if the Public Key
Cryptography for Initial Authentication (PKINIT) capability is
enabled, resulting in daemon crash or arbitrary code execution
(which is believed to be difficult).</p>
<p>An unauthenticated remote attacker can induce a double-free
event, causing the KDC daemon to crash (denial of service),
or to execute arbitrary code. Exploiting a double-free event
to execute arbitrary code is believed to be difficult.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0284</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt</url>
</references>
<dates>
<discovery>2011-03-15</discovery>
<entry>2011-04-14</entry>
</dates>
</vuln>
<vuln vid="4ab413ea-66ce-11e0-bf05-d445f3aa24f0">
<topic>krb5 -- MITKRB5-SA-2011-002, KDC vulnerable to hang when using LDAP back end</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><le>1.8.4</le></range>
<range><eq>1.9</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An advisory published by the MIT Kerberos team says:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt">
<p>The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable
to denial of service attacks from unauthenticated remote
attackers. CVE-2011-0281 and CVE-2011-0282 occur only in KDCs
using LDAP back ends, but CVE-2011-0283 occurs in all krb5-1.9
KDCs.</p>
<p>Exploit code is not known to exist, but the vulnerabilities are
easy to trigger manually. The trigger for CVE-2011-0281 has
already been disclosed publicly, but that fact might not be
obvious to casual readers of the message in which it was
disclosed. The triggers for CVE-2011-0282 and CVE-2011-0283
have not yet been disclosed publicly, but they are also
trivial.</p>
<p>CVE-2011-0281: An unauthenticated remote attacker can cause a KDC
configured with an LDAP back end to become completely unresponsive
until restarted.</p>
<p>CVE-2011-0282: An unauthenticated remote attacker can cause a KDC
configured with an LDAP back end to crash with a null pointer
dereference.</p>
<p>CVE-2011-0283: An unauthenticated remote attacker can cause a
krb5-1.9 KDC with any back end to crash with a null pointer
dereference.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0281</cvename>
<cvename>CVE-2011-0282</cvename>
<cvename>CVE-2011-0283</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-04-14</entry>
</dates>
</vuln>
<vuln vid="64f24a1e-66cf-11e0-9deb-f345f3aa24f0">
<topic>krb5 -- MITKRB5-SA-2011-001, kpropd denial of service</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><lt>1.8.4</lt></range>
<range><eq>1.9</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An advisory published by the MIT Kerberos team says:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt">
<p>The MIT krb5 KDC database propagation daemon (kpropd) is
vulnerable to a denial-of-service attack triggered by invalid
network input. If a kpropd worker process receives invalid
input that causes it to exit with an abnormal status, it can
cause the termination of the listening process that spawned it,
preventing the slave KDC it was running on from receiving
database updates from the master KDC.</p>
<p>Exploit code is not known to exist, but the vulnerabilities are
easy to trigger manually.</p>
<p>An unauthenticated remote attacker can cause kpropd running in
standalone mode (the "-S" option) to terminate its listening
process, preventing database propagations to the KDC host on
which it was running. Configurations where kpropd runs in
incremental propagation mode ("iprop") or as an inetd server
are not affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4022</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-04-14</entry>
</dates>
</vuln>
<vuln vid="2eccb24f-61c0-11e0-b199-0015f2db7bde">
<topic>xrdb -- root hole via rogue hostname</topic>
<affects>
<package>
<name>xrdb</name>
<range><lt>1.0.6_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Hopf reports:</p>
<blockquote cite="http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html">
<p>By crafting hostnames with shell escape characters, arbitrary
commands can be executed in a root environment when a display
manager reads in the resource database via xrdb.</p>
<p>These specially crafted hostnames can occur in two environments:</p>
<p>Systems affected are: systems that set their hostname via DHCP,
where the DHCP client used allows setting hostnames with illegal
characters, and systems that allow remote logins via xdmcp.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0465</cvename>
<url>http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html</url>
</references>
<dates>
<discovery>2011-04-05</discovery>
<entry>2011-04-14</entry>
</dates>
</vuln>
<vuln vid="a4372a68-652c-11e0-a25a-00151735203a">
<topic>OTRS -- Several XSS attacks possible</topic>
<affects>
<package>
<name>otrs</name>
<range><gt>2.3.*</gt><lt>3.0.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2011-01-en/">
<ul>
<li>Several XSS attacks possible:
An attacker could trick a logged-in user into following a prepared
URL inside of the OTRS system which causes a page to be shown that
possibly includes malicious JavaScript code because of incorrect
escaping during the generation of the HTML page.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1518</cvename>
<url>http://otrs.org/advisory/OSA-2011-01-en/</url>
</references>
<dates>
<discovery>2011-03-12</discovery>
<entry>2011-04-12</entry>
</dates>
</vuln>
<vuln vid="7e69f00d-632a-11e0-9f3a-001d092480a4">
<topic>isc-dhcp-client -- dhclient does not strip or escape shell meta-characters</topic>
<affects>
<package>
<name>isc-dhcp31-client</name>
<range><lt>3.1.ESV_1,1</lt></range>
</package>
<package>
<name>isc-dhcp41-client</name>
<range><lt>4.1.e,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/dhcp/advisories/cve-2011-0997">
<p>ISC dhclient did not strip or escape certain shell meta-characters
in responses from the dhcp server (like hostname) before passing the
responses on to dhclient-script. Depending on the script and OS,
this can result in execution of exploit code on the client.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0997</cvename>
<certvu>107886</certvu>
</references>
<dates>
<discovery>2011-04-05</discovery>
<entry>2011-04-10</entry>
</dates>
</vuln>
<vuln vid="b9281fb9-61b2-11e0-b1ce-0019d1a7ece2">
<topic>tinyproxy -- ACL lists ineffective when range is configured</topic>
<affects>
<package>
<name>tinyproxy</name>
<range><lt>1.8.2_2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When a line allowing a network of IP addresses is included, access to tinyproxy
is actually allowed for all IP addresses.</p>
</body>
</description>
<references>
<cvename>CVE-2011-1499</cvename>
<url>https://banu.com/bugzilla/show_bug.cgi?id=90</url>
</references>
<dates>
<discovery>2010-05-18</discovery>
<entry>2011-04-08</entry>
</dates>
</vuln>
<vuln vid="b2a40507-5c88-11e0-9e85-00215af774f0">
<topic>quagga -- two DoS vulnerabilities</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.17_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Quagga developers report:</p>
<blockquote cite="http://www.quagga.net/news2.php?y=2011&amp;m=3&amp;d=21#id1300723200">
<p>Quagga 0.99.18 has been released.
This release fixes 2 denial of services in bgpd, which can be
remotely triggered by malformed AS-Pathlimit or Extended-Community
attributes. These issues have been assigned CVE-2010-1674 and
CVE-2010-1675. Support for AS-Pathlimit has been removed with this
release.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1674</cvename>
<cvename>CVE-2010-1675</cvename>
<url>http://www.quagga.net/news2.php?y=2011&amp;m=3&amp;d=21#id1300723200</url>
</references>
<dates>
<discovery>2010-04-30</discovery>
<entry>2011-04-01</entry>
</dates>
</vuln>
<vuln vid="c6fbd447-59ed-11e0-8d04-0015f2db7bde">
<topic>gdm -- privilege escalation vulnerability</topic>
<affects>
<package>
<name>gdm</name>
<range><lt>2.30.5_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sebastian Krahmer reports:</p>
<blockquote cite="http://mail.gnome.org/archives/distributor-list/2011-March/msg00008.html">
<p>It was discovered that the GNOME Display Manager (gdm) cleared the cache
directory, which is owned by an unprivileged user, with the privileges of the
root user. A race condition exists in gdm where a local user could take
advantage of this by writing to the cache directory between ending the session
and the signal to clean up the session, which could lead to the execution of
arbitrary code as the root user.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0727</cvename>
<url>http://mail.gnome.org/archives/distributor-list/2011-March/msg00008.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=688323</url>
</references>
<dates>
<discovery>2011-03-28</discovery>
<entry>2011-03-29</entry>
</dates>
</vuln>
<vuln vid="fe853666-56ce-11e0-9668-001fd0d616cf">
<topic>php -- ZipArchive segfault with FL_UNCHANGED on empty archive</topic>
<affects>
<package>
<name>php5-zip</name>
<range><lt>5.3.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT/NIST reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0421">
<p>The _zip_name_locate function in zip_name_locate.c in the Zip extension
in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
argument, which might allow context-dependent attackers to cause a
denial of service (application crash) via an empty ZIP archive that is
processed with a (1) locateName or (2) statName operation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0421</cvename>
</references>
<dates>
<discovery>2011-03-20</discovery>
<entry>2011-03-25</entry>
</dates>
</vuln>
<vuln vid="cc3bfec6-56cd-11e0-9668-001fd0d616cf">
<topic>php -- crash on crafted tag in exif</topic>
<affects>
<package>
<name>php5-exif</name>
<range><lt>5.3.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT/NIST reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0708">
<p>exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms
performs an incorrect cast, which allows remote attackers to cause a
denial of service (application crash) via an image with a crafted
Image File Directory (IFD) that triggers a buffer over-read.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0708</cvename>
</references>
<dates>
<discovery>2011-03-20</discovery>
<entry>2011-03-25</entry>
</dates>
</vuln>
<vuln vid="501ee07a-5640-11e0-985a-001b2134ef46">
<topic>linux-flashplugin -- remote code execution vulnerability</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.2r153</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa11-01.html">
<p>A critical vulnerability exists in Adobe Flash Player
10.2.152.33 and earlier versions (Adobe Flash Player
10.2.154.18 and earlier for Chrome users) for Windows,
Macintosh, Linux and Solaris operating systems, Adobe
Flash Player 10.1.106.16 and earlier versions for Android,
and the Authplay.dll component that ships with Adobe Reader
and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of
Reader and Acrobat for Windows and Macintosh operating systems.</p>
<p>This vulnerability (CVE-2011-0609) could cause a crash and
potentially allow an attacker to take control of the affected
system. There are reports that this vulnerability is being
exploited in the wild in targeted attacks via a Flash (.swf)
file embedded in a Microsoft Excel (.xls) file delivered as
an email attachment.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0609</cvename>
<url>http://www.adobe.com/support/security/advisories/apsa11-01.html</url>
</references>
<dates>
<discovery>2011-01-20</discovery>
<entry>2011-03-24</entry>
</dates>
</vuln>
<vuln vid="b2f09169-55af-11e0-9d6f-000f20797ede">
<topic>mozilla -- update to HTTPS certificate blacklist</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.16,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.18,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.16</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.16,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.18</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.13</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-11 Update to HTTPS certificate blacklist</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-11.html</url>
</references>
<dates>
<discovery>2011-03-22</discovery>
<entry>2011-03-24</entry>
</dates>
</vuln>
<vuln vid="14a6f516-502f-11e0-b448-bbfa2731f9c7">
<topic>postfix -- plaintext command injection with SMTP over TLS</topic>
<affects>
<package>
<name>postfix</name>
<name>postfix-base</name>
<range><ge>2.7.*,1</ge><lt>2.7.3,1</lt></range>
<range><ge>2.6.*,1</ge><lt>2.6.9,1</lt></range>
<range><ge>2.5.*,2</ge><lt>2.5.12,2</lt></range>
<range><ge>2.4.*,1</ge><lt>2.4.16,1</lt></range>
</package>
<package>
<name>postfix-current</name>
<name>postfix-current-base</name>
<range><lt>2.9.20100120,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wietse Venema has discovered a software flaw that allows
an attacker to inject client commands into an SMTP session
during the unprotected plaintext SMTP protocol phase, such
that the server will execute those commands during the SMTP-
over-TLS protocol phase when all communication is supposed
to be protected.</p>
</body>
</description>
<references>
<cvename>CVE-2011-0411</cvename>
<url>http://www.postfix.org/CVE-2011-0411.html</url>
<url>http://secunia.com/advisories/43646/</url>
</references>
<dates>
<discovery>2011-03-07</discovery>
<entry>2011-03-19</entry>
</dates>
</vuln>
<vuln vid="b13414c9-50ba-11e0-975a-000c29cc39d3">
<topic>hiawatha -- integer overflow in Content-Length header parsing</topic>
<affects>
<package>
<name>hiawatha</name>
<range><lt>7.4_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hugo Leisink reports:</p>
<blockquote cite="http://www.hiawatha-webserver.org/weblog/16">
<p>A bug has been found in version 7.4 of the Hiawatha webserver,
which could lead to a server crash. This is caused by an integer
overflow in the routine that reads the HTTP request. A too large
value of the Content-Length HTTP header results in an overflow.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.hiawatha-webserver.org/weblog/16</url>
<url>http://secunia.com/advisories/43660/</url>
<url>http://securityvulns.com/Zdocument902.html</url>
<url>http://packetstormsecurity.org/files/99021/Hiawatha-WebServer-7.4-Denial-Of-Service.html</url>
<url>http://seclists.org/bugtraq/2011/Mar/65</url>
</references>
<dates>
<discovery>2011-02-25</discovery>
<entry>2011-03-17</entry>
</dates>
</vuln>
<vuln vid="bfe9c75e-5028-11e0-b2d2-00215c6a37bb">
<topic>asterisk -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.17.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://www.venturevoip.com/news.php?rssid=2521">
<p>The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1
resolve two issues:</p>
<ul>
<li>Resource exhaustion in Asterisk Manager Interface
(AST-2011-003)</li>
<li>Remote crash vulnerability in TCP/TLS server
(AST-2011-004)</li>
</ul>
<p>The issues and resolutions are described in the AST-2011-003
and AST-2011-004 security advisories.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2011-003.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-004.html</url>
</references>
<dates>
<discovery>2011-03-01</discovery>
<entry>2011-03-16</entry>
</dates>
</vuln>
<vuln vid="8b986a05-4dbe-11e0-8b9a-02e0184b8d35">
<topic>avahi -- denial of service</topic>
<affects>
<package>
<name>avahi</name>
<name>avahi-app</name>
<name>avahi-autoipd</name>
<name>avahi-gtk</name>
<name>avahi-libdns</name>
<name>avahi-qt3</name>
<name>avahi-qt4</name>
<name>avahi-sharp</name>
<range><lt>0.6.29</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Avahi developers report:</p>
<blockquote cite="http://secunia.com/advisories/43361/">
<p>A vulnerability has been reported in Avahi, which can be exploited
by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when processing certain
UDP packets, which can be exploited to trigger an infinite loop by
e.g. sending an empty packet to port 5353/UDP.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1002</cvename>
<cvename>CVE-2010-2244</cvename>
<url>http://secunia.com/advisories/43361/</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=667187</url>
</references>
<dates>
<discovery>2011-02-21</discovery>
<entry>2011-03-13</entry>
</dates>
</vuln>
<vuln vid="64691c49-4b22-11e0-a226-00e0815b8da8">
<topic>mailman -- XSS vulnerability</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.14_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0707">
<p>Multiple cross-site scripting (XSS) vulnerabilities in
Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote
attackers to inject arbitrary web script or HTML via the (1)
full name or (2) username field in a confirmation message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0707</cvename>
<url>http://mail.python.org/pipermail/mailman-announce/2011-February/000157.html</url>
</references>
<dates>
<discovery>2011-02-13</discovery>
<entry>2011-03-10</entry>
</dates>
</vuln>
<vuln vid="cf96cd8d-48fb-11e0-98a6-0050569b2d21">
<topic>redmine -- XSS vulnerability</topic>
<affects>
<package>
<name>redmine</name>
<range><gt>1.0</gt><lt>1.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jean-Philippe Lang reports:</p>
<blockquote cite="http://www.redmine.org/news/53">
<p>This maintenance release for 1.1.x users includes
13 bug fixes since 1.1.1 and a security fix (XSS
vulnerability affecting all Redmine versions from
1.0.1 to 1.1.1).
</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/news/53</url>
</references>
<dates>
<discovery>2011-03-07</discovery>
<entry>2011-03-07</entry>
</dates>
</vuln>
<vuln vid="e27ca763-4721-11e0-bdc4-001e8c75030d">
<topic>subversion -- remote HTTP DoS vulnerability</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.6</ge><le>1.6.15</le></range>
<range><ge>1.5</ge><le>1.6.9</le></range>
</package>
<package>
<name>subversion-freebsd</name>
<range><ge>1.6</ge><le>1.6.15</le></range>
<range><ge>1.5</ge><le>1.6.9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion project reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2011-0715-advisory.txt">
<p>Subversion HTTP servers up to 1.5.9 (inclusive) or 1.6.15 (inclusive)
are vulnerable to a remotely triggerable NULL-pointer dereference.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0715</cvename>
</references>
<dates>
<discovery>2011-02-27</discovery>
<entry>2011-03-05</entry>
</dates>
</vuln>
<vuln vid="45f102cd-4456-11e0-9580-4061862b8c22">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.14,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.17,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.14</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.14,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.17</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.12</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>3.1</ge><lt>3.1.8</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.12</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>3.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)</p>
<p>MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true</p>
<p>MFSA 2011-03 Use-after-free error in JSON.stringify</p>
<p>MFSA 2011-04 Buffer overflow in JavaScript upvarMap</p>
<p>MFSA 2011-05 Buffer overflow in JavaScript atom map</p>
<p>MFSA 2011-06 Use-after-free error using Web Workers</p>
<p>MFSA 2011-07 Memory corruption during text run construction (Windows)</p>
<p>MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents</p>
<p>MFSA 2011-09 Crash caused by corrupted JPEG image</p>
<p>MFSA 2011-10 CSRF risk with plugins and 307 redirects</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1585</cvename>
<cvename>CVE-2011-0051</cvename>
<cvename>CVE-2011-0053</cvename>
<cvename>CVE-2011-0054</cvename>
<cvename>CVE-2011-0055</cvename>
<cvename>CVE-2011-0056</cvename>
<cvename>CVE-2011-0057</cvename>
<cvename>CVE-2011-0058</cvename>
<cvename>CVE-2011-0059</cvename>
<cvename>CVE-2011-0061</cvename>
<cvename>CVE-2011-0062</cvename>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-01.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-02.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-03.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-04.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-05.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-06.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-07.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-08.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-09.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-10.html</url>
</references>
<dates>
<discovery>2011-03-01</discovery>
<entry>2011-03-01</entry>
</dates>
</vuln>
<vuln vid="be3dfe33-410b-11e0-9e02-00215c6a37bb">
<topic>openldap -- two security bypass vulnerabilities</topic>
<affects>
<package>
<name>openldap-server</name>
<range><gt>2.4.0</gt><lt>2.4.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/43331/">
<p>Two vulnerabilities have been reported in
OpenLDAP, which can be exploited by malicious
people to bypass certain security restrictions.</p>
<p>The vulnerabilities are reported in versions
prior to 2.4.24.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/43331/</url>
</references>
<dates>
<discovery>2011-02-14</discovery>
<entry>2011-02-25</entry>
</dates>
</vuln>
<vuln vid="65d16342-3ec8-11e0-9df7-001c42d23634">
<topic>asterisk -- Exploitable Stack and Heap Array Overflows</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.39.2</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.16.2</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://lists.digium.com/pipermail/asterisk-announce/2011-February/000302.html">
<p>The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and
1.8.2.4 resolve an issue where, when decoding UDPTL packets, multiple
heap-based arrays can be made to overflow by specially
crafted packets. Systems configured for T.38 pass through or
termination are vulnerable. The issue and resolution are described
in the AST-2011-002 security advisory.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2011-002.html</url>
<url>http://secunia.com/advisories/43429/</url>
</references>
<dates>
<discovery>2011-02-21</discovery>
<entry>2011-02-22</entry>
</dates>
</vuln>
<vuln vid="ae0e5835-3cad-11e0-b654-00215c6a37bb">
<topic>PivotX -- administrator password reset vulnerability</topic>
<affects>
<package>
<name>pivotx</name>
<range><lt>2.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/175068">
<p>PivotX contains a vulnerability that allows an
attacker to change the password of any account
just by guessing the username. Version 2.2.4 has
been reported to not be affected.
This vulnerability is being exploited in the wild
and users should immediately upgrade to 2.2.5 or
later. Mitigation steps for users that have been
compromised have been posted to the <a href="http://forum.pivotx.net/viewtopic.php?f=2&amp;t=1967">PivotX
Support Community</a>.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1035</cvename>
</references>
<dates>
<discovery>2011-02-18</discovery>
<entry>2011-02-20</entry>
</dates>
</vuln>
<vuln vid="553ec4ed-38d6-11e0-94b1-000c29ba66d2">
<topic>tomcat -- Cross-site scripting vulnerability</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>5.5.0</gt><lt>5.5.32</lt></range>
</package>
<package>
<name>tomcat</name>
<range><gt>6.0.0</gt><lt>6.0.30</lt></range>
</package>
<package>
<name>tomcat</name>
<range><gt>7.0.0</gt><lt>7.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tomcat security team reports:</p>
<blockquote cite="http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32">
<p>The HTML Manager interface displayed web application
provided data, such as display names, without filtering.
A malicious web application could trigger script execution
by an administrative user when viewing the manager pages.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0013</cvename>
<url>http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32</url>
<url>http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30</url>
<url>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6</url>
</references>
<dates>
<discovery>2010-11-12</discovery>
<entry>2011-02-15</entry>
<modified>2011-09-30</modified>
</dates>
</vuln>
<vuln vid="cd68ff50-362b-11e0-ad36-00215c6a37bb">
<topic>phpMyAdmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.3.9.2</lt></range>
</package>
<package>
<name>phpMyAdmin211</name>
<range><lt>2.11.11.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php">
<p>It was possible to create a bookmark which would be executed
unintentionally by other users.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php">
<p>When the files README, ChangeLog or LICENSE have been removed
from their original place (possibly by the distributor), the
scripts used to display these files can show their full path,
leading to possible further attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-02-11</entry>
</dates>
</vuln>
<vuln vid="4a3482da-3624-11e0-b995-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.2r152</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-02.html">
<p>Critical vulnerabilities have been identified in
Adobe Flash Player 10.1.102.64 and earlier versions for
Windows, Macintosh, Linux, and Solaris. These vulnerabilities
could cause the application to crash and could potentially
allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0558</cvename>
<cvename>CVE-2011-0559</cvename>
<cvename>CVE-2011-0560</cvename>
<cvename>CVE-2011-0561</cvename>
<cvename>CVE-2011-0571</cvename>
<cvename>CVE-2011-0572</cvename>
<cvename>CVE-2011-0573</cvename>
<cvename>CVE-2011-0574</cvename>
<cvename>CVE-2011-0575</cvename>
<cvename>CVE-2011-0577</cvename>
<cvename>CVE-2011-0578</cvename>
<cvename>CVE-2011-0607</cvename>
<cvename>CVE-2011-0608</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-02.html</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-02-11</entry>
</dates>
</vuln>
<vuln vid="53bde960-356b-11e0-8e81-0022190034c0">
<topic>mupdf -- Remote System Access</topic>
<affects>
<package>
<name>mupdf</name>
<range><lt>0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/43020/">
<p>The vulnerability is caused due to an error within the
"closedctd()" function in fitz/filt_dctd.c when processing PDF
files containing certain malformed JPEG images. This can be
exploited to cause a stack corruption by e.g. tricking a user
into opening a specially crafted PDF file.</p>
</blockquote>
</body>
</description>
<references>
<bid>46027</bid>
<url>http://secunia.com/advisories/43020/</url>
</references>
<dates>
<discovery>2011-01-26</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="1cae628c-3569-11e0-8e81-0022190034c0">
<topic>rubygem-mail -- Remote Arbitrary Shell Command Injection Vulnerability</topic>
<affects>
<package>
<name>rubygem-mail</name>
<range><lt>2.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/43077/">
<p>Input passed via an email from address is not properly sanitised
in the "deliver()" function (lib/mail/network/delivery_methods/sendmail.rb)
before being used as a command line argument. This can be exploited
to inject arbitrary shell commands.</p>
</blockquote>
</body>
</description>
<references>
<bid>46021</bid>
<cvename>CVE-2011-0739</cvename>
<url>http://secunia.com/advisories/43077/</url>
<url>http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1</url>
</references>
<dates>
<discovery>2011-01-25</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="7c492ea2-3566-11e0-8e81-0022190034c0">
<topic>plone -- Remote Security Bypass</topic>
<affects>
<package>
<name>plone</name>
<range><ge>2.5</ge><lt>3</lt></range>
</package>
<package>
<name>plone3</name>
<range><ge>3</ge><le>3.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Plone developer reports:</p>
<blockquote cite="http://plone.org/products/plone/security/advisories/cve-2011-0720">
<p>This is an escalation of privileges attack that can be used by
anonymous users to gain access to a Plone site's administration
controls, view unpublished content, create new content and modify a
site's skin. The sandbox protecting access to the underlying
system is still in place, and it does not grant access to other
applications running on the same Zope instance.</p>
</blockquote>
</body>
</description>
<references>
<bid>46102</bid>
<cvename>CVE-2011-0720</cvename>
<url>http://plone.org/products/plone/security/advisories/cve-2011-0720</url>
</references>
<dates>
<discovery>2011-02-02</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="44ccfab0-3564-11e0-8e81-0022190034c0">
<topic>exim -- local privilege escalation</topic>
<affects>
<package>
<name>exim</name>
<name>exim-ldap</name>
<name>exim-ldap2</name>
<name>exim-mysql</name>
<name>exim-postgresql</name>
<name>exim-sa-exim</name>
<range><lt>4.74</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>exim.org reports:</p>
<blockquote cite="ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74">
<p>CVE-2011-0017 - check return value of setuid/setgid. This is a
privilege escalation vulnerability whereby the Exim run-time user
can cause root to append content of the attacker's choosing to
arbitrary files.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0017</cvename>
<url>ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74</url>
</references>
<dates>
<discovery>2011-01-31</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="f2b43905-3545-11e0-8e81-0022190034c0">
<topic>openoffice.org -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>openoffice.org</name>
<range><lt>3.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenOffice.org Security Team reports:</p>
<blockquote cite="http://www.openoffice.org/security/bulletin.html">
<p>Fixed in OpenOffice.org 3.3</p>
<ul>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-2935_CVE-2010-2936.html">
CVE-2010-2935 / CVE-2010-2936</a>: Security Vulnerability in OpenOffice.org related to PowerPoint document processing</li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-3450.html">
CVE-2010-3450</a>: Security Vulnerability in OpenOffice.org related to Extensions and filter package files</li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-3451_CVE-2010-3452.html">
CVE-2010-3451 / CVE-2010-3452</a>: Security Vulnerability in OpenOffice.org related to RTF document processing </li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-3453_CVE-2010-3454.html">
CVE-2010-3453 / CVE-2010-3454</a>: Security Vulnerability in OpenOffice.org related to Word document processing </li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-3689.html">
CVE-2010-3689</a>: Insecure LD_LIBRARY_PATH usage in OpenOffice.org shell scripts </li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-3702_CVE-2010-3704.html">
CVE-2010-3702 / CVE-2010-3704</a>: Security Vulnerability in OpenOffice.org's PDF Import extension resulting from 3rd party library XPDF</li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-4008_CVE-2010-4494.html">
CVE-2010-4008 / CVE-2010-4494</a>: Possible Security Vulnerability in OpenOffice.org resulting from 3rd party library LIBXML2 </li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-4253.html">
CVE-2010-4253</a>: Security Vulnerability in OpenOffice.org related to PNG file processing </li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-4643.html">
CVE-2010-4643</a>: Security Vulnerability in OpenOffice.org related to TGA file processing </li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.openoffice.org/security/bulletin.html</url>
<url>http://secunia.com/advisories/40775/</url>
</references>
<dates>
<discovery>2010-08-04</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="35ecdcbe-3501-11e0-afcd-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://permalink.gmane.org/gmane.os.opendarwin.webkit.gtk/405">
<p>This release has essentially security fixes. Refer to the
WebKit/gtk/NEWS file inside the tarball for details. We would like
to thank the Red Hat security team (Huzaifa Sidhpurwala in
particular) and Michael Gilbert from Debian for their help in
checking (and pushing!) security issues affecting the WebKitGTK+
stable branch for this release.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2901</cvename>
<cvename>CVE-2010-4040</cvename>
<cvename>CVE-2010-4042</cvename>
<cvename>CVE-2010-4199</cvename>
<cvename>CVE-2010-4492</cvename>
<cvename>CVE-2010-4493</cvename>
<cvename>CVE-2010-4578</cvename>
<cvename>CVE-2011-0482</cvename>
<cvename>CVE-2011-0778</cvename>
<url>https://bugs.webkit.org/show_bug.cgi?id=48328</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=50710</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=50840</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=50932</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=51993</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=53265</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=53276</url>
<url>http://permalink.gmane.org/gmane.os.opendarwin.webkit.gtk/405</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="ce6ce2f8-34ac-11e0-8103-00215c6a37bb">
<topic>awstats -- arbitrary commands execution vulnerability</topic>
<affects>
<package>
<name>awstats</name>
<range><lt>7.0,1</lt></range>
</package>
<package>
<name>awstats-devel</name>
<range><gt>0</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Awstats change log reports:</p>
<blockquote cite="http://awstats.sourceforge.net/docs/awstats_changelog.txt">
<ul>
<li>Security fix (Traverse directory of LoadPlugin)</li>
<li>Security fix (Limit config to defined directory
to avoid access to external config file via a nfs
or webdav link).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4367</cvename>
<url>http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-001.html</url>
<url>http://awstats.sourceforge.net/docs/awstats_changelog.txt</url>
</references>
<dates>
<discovery>2010-05-01</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="2eda0c54-34ab-11e0-8103-00215c6a37bb">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<name>opera-devel</name>
<name>linux-opera</name>
<range><lt>11.01</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1101/">
<p>Opera 11.01 is a recommended upgrade offering security and
stability enhancements.</p>
<p>The following security vulnerabilities have been fixed:</p>
<ul>
<li>Removed support for "<code>javascript:</code>" URLs in
CSS -o-link values, to make it easier for sites to filter
untrusted CSS.</li>
<li>Fixed an issue where large form inputs could allow
execution of arbitrary code, as reported by Jordi Chancel;
see our <a href="http://www.opera.com/support/kb/view/982/">advisory</a>.</li>
<li>Fixed an issue which made it possible to carry out
clickjacking attacks against internal opera: URLs;
see our <a href="http://www.opera.com/support/kb/view/983/">advisory</a>.</li>
<li>Fixed issues which allowed web pages to gain limited
access to files on the user's computer; see our
<a href="http://www.opera.com/support/kb/view/984/">advisory</a>.</li>
<li>Fixed an issue where email passwords were not immediately
deleted when deleting private data; see our
<a href="http://www.opera.com/support/kb/view/986/">advisory</a>.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0450</cvename>
<cvename>CVE-2011-0681</cvename>
<cvename>CVE-2011-0682</cvename>
<cvename>CVE-2011-0683</cvename>
<cvename>CVE-2011-0684</cvename>
<cvename>CVE-2011-0685</cvename>
<cvename>CVE-2011-0686</cvename>
<cvename>CVE-2011-0687</cvename>
<url>http://www.opera.com/support/kb/view/982/</url>
<url>http://www.opera.com/support/kb/view/983/</url>
<url>http://www.opera.com/support/kb/view/984/</url>
<url>http://secunia.com/advisories/43023</url>
</references>
<dates>
<discovery>2011-01-26</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="bd760627-3493-11e0-8103-00215c6a37bb">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py27-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><gt>1.2</gt><lt>1.2.5</lt></range>
<range><gt>1.1</gt><lt>1.1.4</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py27-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>15470,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django project reports:</p>
<blockquote cite="http://www.djangoproject.com/weblog/2011/feb/08/security/">
<p>Today the Django team is issuing multiple releases --
Django 1.2.5 and Django 1.1.4 -- to remedy three security
issues reported to us. All users of affected versions of
Django are urged to upgrade immediately.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.djangoproject.com/weblog/2011/feb/08/security/</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-02-09</entry>
</dates>
</vuln>
<vuln vid="8d04cfbd-344d-11e0-8669-0025222482c5">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><lt>1.16.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MediaWiki reports:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-February/000095.html">
<p>An arbitrary script inclusion vulnerability was discovered. The
vulnerability only allows execution of files with names ending in
".php" which are already present in the local filesystem. Only servers
running Microsoft Windows and possibly Novell Netware are affected.
Despite these mitigating factors, all users are advised to upgrade,
since there is a risk of complete server compromise. MediaWiki 1.8.0
and later is affected.</p>
<p>Security researcher mghack discovered a CSS injection
vulnerability. For Internet Explorer and similar browsers, this is
equivalent to an XSS vulnerability, that is to say, it allows the
compromise of wiki user accounts. For other browsers, it allows private
data such as IP addresses and browsing patterns to be sent to a malicious
external web server. It affects all versions of MediaWiki. All users are
advised to upgrade.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0047</cvename>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=27094</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=27093</url>
<url>http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/RELEASE-NOTES</url>
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-February/000095.html</url>
</references>
<dates>
<discovery>2011-02-01</discovery>
<entry>2011-02-09</entry>
</dates>
</vuln>
<vuln vid="8c93e997-30e0-11e0-b300-485d605f4717">
<topic>wordpress -- SQL injection vulnerability</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.0.2,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>3.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Vendor reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4257">
<p>SQL injection vulnerability in the do_trackbacks function in
wp-includes/comment.php in WordPress before 3.0.2 allows remote
authenticated users to execute arbitrary SQL commands via the Send
Trackbacks field.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4257</cvename>
<url>http://www.cvedetails.com/cve/CVE-2010-4257/</url>
</references>
<dates>
<discovery>2010-11-16</discovery>
<entry>2011-02-05</entry>
<modified>2011-02-09</modified>
</dates>
</vuln>
<vuln vid="f9258873-2ee2-11e0-afcd-0015f2db7bde">
<topic>vlc -- Insufficient input validation in MKV demuxer</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>1.1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>VLC team reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1102.html">
<p>When parsing an invalid MKV (Matroska or WebM) file, input
validation is insufficient.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.videolan.org/security/sa1102.html</url>
</references>
<dates>
<discovery>2011-01-26</discovery>
<entry>2011-02-02</entry>
</dates>
</vuln>
<vuln vid="8015600f-2c80-11e0-9cc1-00163e5bf4f9">
<topic>maradns -- denial of service when resolving a long DNS hostname</topic>
<affects>
<package>
<name>maradns</name>
<range><lt>1.4.06</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MaraDNS developer Sam Trenholme reports:</p>
<blockquote cite="http://samiam.org/blog/20110129.html">
<p>... a mistake in allocating an array of integers, allocating it
in bytes instead of sizeof(int) units. This resulted in a buffer
being too small, allowing it to be overwritten. The impact of this
programming error is that MaraDNS can be crashed by sending
MaraDNS a single "packet of death". Since the data placed in the
overwritten array can not be remotely controlled (it is a list of
increasing integers), there is no way to increase privileges
exploiting this bug.</p>
</blockquote>
</body>
</description>
<references>
<bid>45966</bid>
<cvename>CVE-2011-0520</cvename>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610834</url>
</references>
<dates>
<discovery>2011-01-23</discovery>
<entry>2011-01-31</entry>
</dates>
</vuln>
<vuln vid="dc9f8335-2b3b-11e0-a91b-00e0815b8da8">
<topic>isc-dhcp-server -- DHCPv6 crash</topic>
<affects>
<package>
<name>isc-dhcp41-server</name>
<range><le>4.1.2,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/dhcp/advisories/cve-2011-0413">
<p>When the DHCPv6 server code processes a message for an address
that was previously declined and internally tagged as abandoned
it can trigger an assert failure resulting in the server crashing.
This could be used to crash DHCPv6 servers remotely. This issue
only affects DHCPv6 servers. DHCPv4 servers are unaffected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0413</cvename>
<url>http://www.isc.org/software/dhcp/advisories/cve-2011-0413</url>
<url>http://www.kb.cert.org/vuls/id/686084</url>
</references>
<dates>
<discovery>2011-01-26</discovery>
<entry>2011-01-28</entry>
</dates>
</vuln>
<vuln vid="c8c927e5-2891-11e0-8f26-00151735203a">
<topic>bugzilla -- multiple serious vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>2.14.*</ge><lt>3.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.2.9/">
<p>This advisory covers three security issues that have recently been
fixed in the Bugzilla code:</p>
<ul>
<li>A weakness in Bugzilla could allow a user to gain unauthorized
access to another Bugzilla account.</li>
<li>A weakness in the Perl CGI.pm module allows injecting HTTP
headers and content to users via several pages in Bugzilla.</li>
<li>If you put a harmful "javascript:" or "data:" URL into
Bugzilla's "URL" field, then there are multiple situations in
which Bugzilla will unintentionally make that link clickable.</li>
<li>Various pages lack protection against cross-site request
forgeries.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<bid>25425</bid>
<cvename>CVE-2010-4568</cvename>
<cvename>CVE-2010-2761</cvename>
<cvename>CVE-2010-4411</cvename>
<cvename>CVE-2010-4572</cvename>
<cvename>CVE-2010-4567</cvename>
<cvename>CVE-2010-0048</cvename>
<cvename>CVE-2011-0046</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621591</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=619594</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=591165</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621572</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=619588</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=628034</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621090</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621105</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621107</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621108</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621109</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621110</url>
</references>
<dates>
<discovery>2011-01-24</discovery>
<entry>2011-01-25</entry>
</dates>
</vuln>
<vuln vid="7580f00e-280c-11e0-b7c8-00215c6a37bb">
<topic>dokuwiki -- multiple privilege escalation vulnerabilities</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20101107a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dokuwiki reports:</p>
<blockquote cite="http://bugs.dokuwiki.org/index.php?do=details&amp;task_id=2136">
<p>This security update fixes problems in the XMLRPC
interface where ACLs were not checked correctly
sometimes, making it possible to access and write
information that should not have been accessible/writable.
This only affects users who have enabled the XMLRPC
interface (default is off) and have enabled XMLRPC
access for users who can't access/write all content
anyway (default is nobody, see <a href="http://www.dokuwiki.org/config:xmlrpcuser">http://www.dokuwiki.org/config:xmlrpcuser</a>
for details).</p>
<p>This update also includes a fix for a problem in
the general ACL checking function that could be exploited
to gain access to restricted pages and media files in rare
conditions (when you had rights for an id you could get
the same rights on ids where one character has been
replaced by a ".").</p>
</blockquote>
</body>
</description>
<references>
<url>http://bugs.dokuwiki.org/index.php?do=details&amp;task_id=2136</url>
</references>
<dates>
<discovery>2011-01-16</discovery>
<entry>2011-01-24</entry>
</dates>
</vuln>
<vuln vid="5ab9fb2a-23a5-11e0-a835-0003ba02bf30">
<topic>asterisk -- Exploitable Stack Buffer Overflow</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.39.1</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.16.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://lists.digium.com/pipermail/asterisk-announce/2011-January/000297.html">
<p>The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1,
1.6.2.16.2, 1.8.1.2, and 1.8.2.1 resolve an issue when forming an
outgoing SIP request while in pedantic mode, which can cause a stack
buffer to be made to overflow if supplied with carefully crafted
caller ID information. The issue and resolution are described in the
AST-2011-001 security advisory.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2011-001.pdf</url>
</references>
<dates>
<discovery>2011-01-18</discovery>
<entry>2011-01-19</entry>
</dates>
</vuln>
<vuln vid="2c2d4e83-2370-11e0-a91b-00e0815b8da8">
<topic>tarsnap -- cryptographic nonce reuse</topic>
<affects>
<package>
<name>tarsnap</name>
<range><ge>1.0.22</ge><le>1.0.27</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Colin Percival reports:</p>
<blockquote cite="http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html">
<p>In versions 1.0.22 through 1.0.27 of Tarsnap, the CTR nonce value
is not incremented after each chunk is encrypted. (The CTR counter
is correctly incremented after each 16 bytes of data was processed,
but this counter is reset to zero for each new chunk.)</p>
<p>Note that since the Tarsnap client-server protocol is encrypted,
being able to intercept Tarsnap client-server traffic does not
provide an attacker with access to the data.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html</url>
</references>
<dates>
<discovery>2011-01-18</discovery>
<entry>2011-01-19</entry>
</dates>
</vuln>
<vuln vid="4c017345-1d89-11e0-bbee-0014a5e3cda6">
<topic>MoinMoin -- cross-site scripting vulnerabilities</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MoinMoin developers report:</p>
<blockquote cite="http://hg.moinmo.in/moin/1.9/raw-file/1.9.3/docs/CHANGES">
<p>Fix XSS in Despam action (CVE-2010-0828)</p>
</blockquote>
<blockquote cite="http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg">
<p>Fix XSS issues</p>
<ul>
<li>by escaping template name in messages</li>
<li>by fixing other places that had similar issues</li>
</ul>
</blockquote>
</body>
</description>
<references>
<bid>39110</bid>
<cvename>CVE-2010-0828</cvename>
<url>http://hg.moinmo.in/moin/1.9/raw-file/1.9.3/docs/CHANGES</url>
<url>http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg</url>
</references>
<dates>
<discovery>2010-04-05</discovery>
<entry>2011-01-11</entry>
</dates>
</vuln>
<vuln vid="38bdf10e-2293-11e0-bfa4-001676740879">
<topic>tor -- remote code execution and crash</topic>
<affects>
<package>
<name>tor</name>
<range><lt>0.2.1.29</lt></range>
</package>
<package>
<name>tor-devel</name>
<range><lt>0.2.2.21.a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tor Project reports:</p>
<blockquote cite="http://archives.seul.org/or/announce/Jan-2011/msg00000.html">
<p>A remote heap overflow vulnerability that can allow remote
code execution. Other fixes address a variety of assert and crash
bugs, most of which we think are hard to exploit remotely.
All Tor users should upgrade.</p>
</blockquote>
</body>
</description>
<references>
<bid>45832</bid>
<cvename>CVE-2011-0427</cvename>
<freebsdpr>ports/154099</freebsdpr>
<mlist msgid="20110117155813.GG3300@moria.seul.org">http://archives.seul.org/or/announce/Jan-2011/msg00000.html</mlist>
<url>https://gitweb.torproject.org/tor.git/blob/release-0.2.1:/ChangeLog</url>
<url>https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ChangeLog</url>
</references>
<dates>
<discovery>2011-01-15</discovery>
<entry>2011-01-17</entry>
</dates>
</vuln>
<vuln vid="908f4cf2-1e8b-11e0-a587-001b77d09812">
<topic>sudo -- local privilege escalation</topic>
<affects>
<package>
<name>sudo</name>
<range><ge>1.7.0</ge><lt>1.7.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.sudo.ws/sudo/alerts/runas_group_pw.html">
<p>Beginning with sudo version 1.7.0 it has been possible
to grant permission to run a command using a specified
group via sudo's -g option (run as group), if allowed by
the sudoers file. A flaw exists in sudo's password
checking logic that allows a user to run a command
with only the group changed without being prompted
for a password.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0010</cvename>
<url>http://www.sudo.ws/sudo/alerts/runas_group_pw.html</url>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641</url>
</references>
<dates>
<discovery>2011-01-11</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="71612099-1e93-11e0-a587-001b77d09812">
<topic>subversion -- multiple DoS</topic>
<affects>
<package>
<name>subversion</name>
<range><lt>1.6.15</lt></range>
</package>
<package>
<name>subversion-freebsd</name>
<range><lt>1.6.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Entry for CVE-2010-4539 says:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4539">
<p>The walk function in repos.c in the mod_dav_svn module
for the Apache HTTP Server, as distributed in Apache
Subversion before 1.6.15, allows remote authenticated
users to cause a denial of service (NULL pointer
dereference and daemon crash) via vectors that trigger
the walking of SVNParentPath collections.</p>
</blockquote>
<p>Entry for CVE-2010-4644 says:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4644">
<p>Multiple memory leaks in rev_hunt.c in Apache Subversion
before 1.6.15 allow remote authenticated users to cause
a denial of service (memory consumption and daemon crash)
via the -g option to the blame command.</p>
</blockquote>
</body>
</description>
<references>
<bid>45655</bid>
<cvename>CVE-2010-4539</cvename>
<cvename>CVE-2010-4644</cvename>
</references>
<dates>
<discovery>2011-01-02</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="2b6ed5c7-1a7f-11e0-b61d-000c29d1636d">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.5</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP developers report:</p>
<blockquote cite="http://www.php.net/releases/5_3_5.php">
<p>Security Enhancements and Fixes in PHP 5.3.5:</p>
<ul>
<li>Fixed bug #53632 (PHP hangs on numeric value
2.2250738585072011e-308). (CVE-2010-4645)</li>
</ul>
</blockquote>
<blockquote cite="http://www.php.net/releases/5_2_17.php">
<p>Security Enhancements and Fixes in PHP 5.2.17:</p>
<ul>
<li>Fixed bug #53632 (PHP hangs on numeric value
2.2250738585072011e-308). (CVE-2010-4645)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4645</cvename>
</references>
<dates>
<discovery>2011-01-06</discovery>
<entry>2011-01-09</entry>
<modified>2011-01-09</modified>
</dates>
</vuln>
<vuln vid="e4fcf020-0447-11e0-becc-0022156e8794">
<topic>exim -- local privilege escalation</topic>
<affects>
<package>
<name>exim</name>
<range><lt>4.73</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Woodhouse reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3">
<p>Secondly a privilege escalation where the trusted 'exim'
user is able to tell Exim to use arbitrary config files,
in which further ${run ...} commands will be invoked as
root.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4345</cvename>
<url>http://www.exim.org/lurker/message/20101209.022730.dbb6732d.en.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3</url>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-08</entry>
</dates>
</vuln>
<vuln vid="e177c410-1943-11e0-9d1c-000c29ba66d2">
<topic>mediawiki -- Clickjacking vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><gt>1.16</gt><lt>1.16.1</lt></range>
<range><gt>1.15</gt><lt>1.15.5_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Clickjacking vulnerabilities:</p>
<blockquote cite="https://bugzilla.wikimedia.org/show_bug.cgi?id=26561">
<p>Clickjacking is a type of vulnerability discovered in 2008, which
is similar to CSRF. The attack involves displaying the target webpage
in an iframe embedded in a malicious website. Using CSS, the submit button
of the form on the target webpage is made invisible, and then overlaid
with some button or link on the malicious website that encourages
the user to click on it.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=26561</url>
</references>
<dates>
<discovery>2011-01-04</discovery>
<entry>2011-01-06</entry>
</dates>
</vuln>
<vuln vid="06a12e26-142e-11e0-bea2-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS">
<p>The patches to fix the following CVEs are included with help
from Huzaifa Sidhpurwala from the Red Hat security team.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1791</cvename>
<cvename>CVE-2010-3812</cvename>
<cvename>CVE-2010-3813</cvename>
<cvename>CVE-2010-4197</cvename>
<cvename>CVE-2010-4198</cvename>
<cvename>CVE-2010-4204</cvename>
<cvename>CVE-2010-4206</cvename>
<cvename>CVE-2010-4577</cvename>
<url>http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS</url>
</references>
<dates>
<discovery>2010-12-28</discovery>
<entry>2010-12-30</entry>
</dates>
</vuln>
<vuln vid="14a37474-1383-11e0-8a58-00215c6a37bb">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py27-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><gt>1.2</gt><lt>1.2.4</lt></range>
<range><gt>1.1</gt><lt>1.1.3</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py27-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>15032,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django project reports:</p>
<blockquote cite="http://www.djangoproject.com/weblog/2010/dec/22/security/">
<p>Today the Django team is issuing multiple releases
-- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 --
to remedy two security issues reported to us. All users
of affected versions of Django are urged to upgrade
immediately.</p>
<h3>Information leakage in Django administrative interface</h3>
<p>The Django administrative interface, django.contrib.admin
supports filtering of displayed lists of objects by fields
on the corresponding models, including across database-level
relationships. This is implemented by passing lookup arguments
in the querystring portion of the URL, and options on the
ModelAdmin class allow developers to specify particular
fields or relationships which will generate automatic links
for filtering.</p>
<h3>Denial-of-service attack in password-reset mechanism</h3>
<p>Django's bundled authentication framework,
django.contrib.auth, offers views which allow users to
reset a forgotten password. The reset mechanism involves
generating a one-time token composed from the user's ID,
the timestamp of the reset request converted to a base36
integer, and a hash derived from the user's current password
hash (which will change once the reset is complete, thus
invalidating the token).</p>
</blockquote>
</body>
</description>
<references>
<bid>45562</bid>
<bid>45563</bid>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=665373</url>
<url>http://secunia.com/advisories/42715/</url>
</references>
<dates>
<discovery>2010-12-22</discovery>
<entry>2010-12-29</entry>
</dates>
</vuln>
<vuln vid="ff8b419a-0ffa-11e0-becc-0022156e8794">
<topic>Drupal Views plugin -- cross-site scripting</topic>
<affects>
<package>
<name>drupal6-views</name>
<range><lt>2.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal security team reports:</p>
<blockquote cite="http://drupal.org/node/999380">
<p>The Views module provides a flexible method for Drupal site
designers to control how lists and tables of content are
presented. Under certain circumstances, Views could display
parts of the page path without escaping, resulting in a
reflected Cross Site Scripting (XSS) vulnerability. An attacker
could exploit this to gain full administrative access.</p>
<p>Mitigating factors: This vulnerability only occurs with a
specific combination of configuration options for a specific
View, but this combination is used in the default Views
provided by some additional modules. A malicious user would
need to get an authenticated administrative user to visit a
specially crafted URL.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4521</cvename>
<url>http://drupal.org/node/999380</url>
</references>
<dates>
<discovery>2010-12-15</discovery>
<entry>2010-12-28</entry>
</dates>
</vuln>
<vuln vid="584c506d-0e98-11e0-b59b-0050569b2d21">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>1.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jean-Philippe Lang reports:</p>
<blockquote cite="http://www.redmine.org/news/49">
<p>This release also fixes 3 security issues reported by
joernchen of Phenoelit:</p>
<ul>
<li>logged in users may be able to access private data
(affected versions: 1.0.x)</li>
<li>persistent XSS vulnerability in textile formatter
(affected versions: all previous releases)</li>
<li>remote command execution in bazaar repository adapter
(affected versions: 0.9.x, 1.0.x)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/news/49</url>
</references>
<dates>
<discovery>2010-12-23</discovery>
<entry>2010-12-23</entry>
</dates>
</vuln>
<vuln vid="4bd33bc5-0cd6-11e0-bfa4-001676740879">
<topic>tor -- remote crash and potential remote code execution</topic>
<affects>
<package>
<name>tor</name>
<range><lt>0.2.1.28</lt></range>
</package>
<package>
<name>tor-devel</name>
<range><lt>0.2.2.20-alpha</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tor Project reports:</p>
<blockquote cite="http://archives.seul.org/or/announce/Dec-2010/msg00000.html">
<p>Remotely exploitable bug that could be used to crash instances
of Tor remotely by overflowing on the heap. Remote-code execution
hasn't been confirmed, but can't be ruled out. Everyone should
upgrade.</p>
</blockquote>
</body>
</description>
<references>
<bid>45500</bid>
<cvename>CVE-2010-1676</cvename>
<freebsdpr>ports/153326</freebsdpr>
<mlist msgid="20101220135830.GU3300@moria.seul.org">http://archives.seul.org/or/announce/Dec-2010/msg00000.html</mlist>
<mlist msgid="20101220141526.GS3255@moria.seul.org">http://archives.seul.org/or/talk/Dec-2010/msg00167.html</mlist>
<url>https://gitweb.torproject.org/tor.git/blob/release-0.2.1:/ChangeLog</url>
<url>https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ChangeLog</url>
</references>
<dates>
<discovery>2010-12-17</discovery>
<entry>2010-12-22</entry>
</dates>
</vuln>
<vuln vid="d560b346-08a2-11e0-bcca-0050568452ac">
<topic>YUI JavaScript library -- JavaScript injection exploits in Flash components</topic>
<affects>
<package>
<name>yahoo-ui</name>
<range><lt>2.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The YUI team reports:</p>
<blockquote cite="http://yuilibrary.com/support/2.8.2/">
<p>A security-related defect was introduced in the YUI 2 Flash
component infrastructure beginning with the YUI 2.4.0 release.
This defect allows JavaScript injection exploits to be created
against domains that host affected YUI .swf files.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4207</cvename>
<cvename>CVE-2010-4208</cvename>
<cvename>CVE-2010-4209</cvename>
<url>http://www.yuiblog.com/blog/2010/10/25/yui-2-8-2-security-update/</url>
<url>http://secunia.com/advisories/41955</url>
<url>http://www.openwall.com/lists/oss-security/2010/11/07/1</url>
<url>http://yuilibrary.com/support/2.8.2/</url>
</references>
<dates>
<discovery>2010-10-25</discovery>
<entry>2010-12-15</entry>
</dates>
</vuln>
<vuln vid="2a41233d-10e7-11e0-becc-0022156e8794">
<topic>php-zip -- multiple Denial of Service vulnerabilities</topic>
<affects>
<package>
<name>php5-zip</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52-zip</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The following DoS conditions in the Zip extension
were fixed in PHP 5.3.4 and PHP 5.2.15:</p>
<ul>
<li>
<blockquote cite="http://www.php.net/releases/5_3_4.php">
<p>Fixed crash in zip extract method (possible
CWE-170).</p>
</blockquote>
</li>
<li>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3709">
<p>The ZipArchive::getArchiveComment function
in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3
allows context-dependent attackers to cause a denial
of service (NULL pointer dereference and application
crash) via a crafted ZIP archive.</p>
</blockquote>
</li>
</ul>
</body>
</description>
<references>
<cvename>CVE-2010-3709</cvename>
<url>http://www.php.net/releases/5_3_4.php</url>
<url>http://www.php.net/releases/5_2_15.php</url>
<url>http://securityreason.com/achievement_securityalert/90</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="c623f058-10e7-11e0-becc-0022156e8794">
<topic>php-filter -- Denial of Service</topic>
<affects>
<package>
<name>php5-filter</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52-filter</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The following DoS condition in the filter extension
was fixed in PHP 5.3.4 and PHP 5.2.15:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3710">
<p>Stack consumption vulnerability in the filter_var
function in PHP 5.2.x through 5.2.14 and 5.3.x through
5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows
remote attackers to cause a denial of service (memory
consumption and application crash) via a long e-mail
address string.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3710</cvename>
<url>http://www.php.net/releases/5_3_4.php</url>
<url>http://www.php.net/releases/5_2_15.php</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="1a0704e7-0edf-11e0-becc-0022156e8794">
<topic>php-imap -- Denial of Service</topic>
<affects>
<package>
<name>php5-imap</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52-imap</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The following DoS condition in the IMAP extension
was fixed in PHP 5.3.4 and PHP 5.2.15:</p>
<blockquote cite="http://securitytracker.com/alerts/2010/Nov/1024761.html">
<p>A remote user can send specially crafted IMAP user name
or password data to trigger a double free memory error
in 'ext/imap/php_imap.c' and cause the target service
to crash.</p>
<p>It may be possible to execute arbitrary code.
However, code execution was not confirmed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4150</cvename>
<url>http://www.php.net/releases/5_3_4.php</url>
<url>http://www.php.net/releases/5_2_15.php</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="da3d381b-0ee6-11e0-becc-0022156e8794">
<topic>pecl-phar -- format string vulnerability</topic>
<affects>
<package>
<name>pecl-phar</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MITRE entry for CVE-2010-2094 says:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2094">
<p>Multiple format string vulnerabilities in the phar
extension in PHP 5.3 before 5.3.2 allow context-dependent
attackers to obtain sensitive information (memory
contents) and possibly execute arbitrary code via a
crafted phar:// URI that is not properly handled by the
(1) phar_stream_flush, (2) phar_wrapper_unlink,
(3) phar_parse_url, or (4) phar_wrapper_open_url functions
in ext/phar/stream.c; and the (5) phar_wrapper_open_dir
function in ext/phar/dirstream.c, which triggers errors
in the php_stream_wrapper_log_error function.</p>
</blockquote>
<p>The PECL phar extension is built from the same source code as the
extension bundled with PHP, so it is vulnerable too.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2094</cvename>
<url>http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html</url>
<url>http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.htm</url>
<url>http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.htm</url>
<url>http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.htm</url>
<url>http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="3761df02-0f9c-11e0-becc-0022156e8794">
<topic>php -- NULL byte poisoning</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP-specific variant of NULL-byte poisoning was briefly
described by ShAnKaR:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded">
<p>The poison NULL byte vulnerability for Perl CGI applications
was described in
<a href="http://artofhacking.com/files/phrack/phrack55/P55-07.TXT">[1]</a>.
ShAnKaR noted that the same vulnerability also affects
different PHP applications.</p>
</blockquote>
<p>PHP developers report that branch 5.3 received a fix:</p>
<blockquote cite="http://www.php.net/releases/5_3_4.php">
<p>Paths with NULL in them (foo\0bar.txt) are now considered
as invalid (CVE-2006-7243).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2006-7243</cvename>
<url>http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded</url>
<url>http://artofhacking.com/files/phrack/phrack55/P55-07.TXT</url>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
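The pattern ShAnKaR's note refers to, as it appears in PHP applications, is shown in the following added example (example code, not from the page, the securityfocus post or the PHP project). The "page" parameter, the pages/ directory and the ".html" suffix are assumptions made for the illustration; the attacker inputs are constructed.

```php
<?php
// Added example, not code from PHP or from the advisory: the PHP-specific
// "poison NULL byte" pattern and a hardened replacement. The "page"
// parameter, the pages/ directory and the .html suffix are assumptions.

// Vulnerable on PHP < 5.3.4: the suffix is meant to pin the file type, but
// the path reaches the C library as a NUL-terminated string, so
// page=../../../etc/passwd%00 is opened as ../../../etc/passwd and the
// ".html" is silently discarded. (%00 is decoded to "\0" in $_GET.)
function read_page_vulnerable($page)
{
    return @file_get_contents(__DIR__ . '/pages/' . $page . '.html');
}

// Hardened: validate the name, canonicalise, and confirm containment.
// Behaves the same on every PHP version, so it does not rely on the
// interpreter's own NUL check introduced in 5.3.4.
function page_name_is_safe($page)
{
    // Explicit NUL rejection first; the allowlist below would also reject
    // it, but the check documents the threat being defended against.
    if (strpos($page, "\0") !== false) {
        return false;
    }
    // Allowlist: short identifier, no path separators, no dots.
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $page) === 1;
}

function read_page_hardened($page)
{
    if (!page_name_is_safe($page)) {
        return false;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . $page . '.html');
    // realpath() resolves symlinks and ".."; the prefix test also catches
    // a symlink inside pages/ that points outside it.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return file_get_contents($path);
}

// Constructed attacker inputs next to one legitimate name.
$inputs = array(
    "../../../etc/passwd\0",   // NUL truncation of the suffix
    "../../../etc/passwd",     // plain traversal
    "home",                    // legitimate page name
);
foreach ($inputs as $input) {
    printf("%-28s safe=%s\n", addcslashes($input, "\0"),
        page_name_is_safe($input) ? 'yes' : 'no');
}
```

The 5.3.4 fix makes the first input fail at the filesystem layer, but the second input is never affected by that fix; only the allowlist and the realpath() containment test stop it, which is why application code should not rely on the interpreter alone.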
<vuln vid="73634294-0fa7-11e0-becc-0022156e8794">
<topic>php -- open_basedir bypass</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3436">
<p>fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow
remote attackers to bypass open_basedir restrictions via
vectors related to the length of a filename.</p>
</blockquote>
</body>
</description>
<references>
<bid>44723</bid>
<cvename>CVE-2010-3436</cvename>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="f3148a05-0fa7-11e0-becc-0022156e8794">
<topic>php -- corruption of $GLOBALS and $this variables via extract() function</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An off-by-one error in the sanity check performed by the extract()
function allowed attackers to overwrite the values of $GLOBALS
and $this when the EXTR_OVERWRITE mode was used.</p>
</body>
</description>
<references>
<url>http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html</url>
<url>http://www.php.net/releases/5_2_15.php</url>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
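The off-by-one above concerned the engine's last-line guard against extract() overwriting $GLOBALS and $this. The following added example (not from PHP or the advisory) shows why extract() with EXTR_OVERWRITE on request data is dangerous regardless of that guard, and the EXTR_PREFIX_ALL pattern that removes the collision entirely. The request array, handler and variable names are constructed for the example.

```php
<?php
// Added example, not from PHP or the advisory. Shows why extract() with
// EXTR_OVERWRITE on request data is dangerous regardless of the engine's
// guard on $GLOBALS/$this, and the EXTR_PREFIX_ALL pattern that removes
// the collision. Request contents and variable names are constructed.

function handle_vulnerable(array $request)
{
    $is_admin = false;                       // decided by the application
    // Every request key becomes a local variable and may overwrite
    // $is_admin; the engine only protects $GLOBALS and $this.
    extract($request, EXTR_OVERWRITE);
    return $is_admin ? 'admin view' : 'user view';
}

function handle_hardened(array $request)
{
    $is_admin = false;
    // 1. Keep only the keys this handler expects.
    $allowed = array_intersect_key($request, array_flip(array('page', 'sort')));
    // 2. Namespace them: $req_page and $req_sort can never collide with
    //    application state, and unknown keys were already dropped.
    extract($allowed, EXTR_PREFIX_ALL, 'req');
    $page = isset($req_page) ? $req_page : 'home';
    return ($is_admin ? 'admin view' : 'user view') . ' of ' . $page;
}

// Constructed attacker request: a legitimate parameter plus a clobber attempt.
$request = array('page' => 'home', 'is_admin' => '1');
echo handle_vulnerable($request), "\n";
echo handle_hardened($request), "\n";
```

The same reasoning applies to register_globals-style code and to extract() on $_GET, $_POST or $_COOKIE directly: the set of variable names an attacker can create must be bounded by the application, not by the engine's short deny list.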
<vuln vid="b2a6fc0e-070f-11e0-a6e9-00215c6a37bb">
<cancelled/>
</vuln>
<vuln vid="1d8ff4a2-0445-11e0-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.13,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.16,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.13</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.13,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.16</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.11</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>3.1</ge><lt>3.1.7</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.11</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.11</lt></range>
<range><ge>3.1</ge><lt>3.1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)</p>
<p>MFSA 2010-75 Buffer overflow while line breaking after document.write with long string</p>
<p>MFSA 2010-76 Chrome privilege escalation with window.open and isindex element</p>
<p>MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree</p>
<p>MFSA 2010-78 Add support for OTS font sanitizer</p>
<p>MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh</p>
<p>MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver</p>
<p>MFSA 2010-81 Integer overflow vulnerability in NewIdArray</p>
<p>MFSA 2010-82 Incomplete fix for CVE-2010-0179</p>
<p>MFSA 2010-83 Location bar SSL spoofing using network error page</p>
<p>MFSA 2010-84 XSS hazard in multiple character encodings</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3766</cvename>
<cvename>CVE-2010-3767</cvename>
<cvename>CVE-2010-3768</cvename>
<cvename>CVE-2010-3769</cvename>
<cvename>CVE-2010-3770</cvename>
<cvename>CVE-2010-3771</cvename>
<cvename>CVE-2010-3772</cvename>
<cvename>CVE-2010-3773</cvename>
<cvename>CVE-2010-3774</cvename>
<cvename>CVE-2010-3775</cvename>
<cvename>CVE-2010-3776</cvename>
<cvename>CVE-2010-3777</cvename>
<cvename>CVE-2010-3778</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-74.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-75.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-76.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-77.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-78.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-79.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-80.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-81.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-82.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-83.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-84.html</url>
</references>
<dates>
<discovery>2010-12-09</discovery>
<entry>2010-12-10</entry>
</dates>
</vuln>
<vuln vid="4ccbd40d-03f7-11e0-bf50-001a926c7637">
<topic>krb5 -- client impersonation vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7.0</ge><lt>1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 KDC may issue tickets not requested
by a client, based on an attacker-chosen KrbFastArmoredReq.</p>
<p>An authenticated remote attacker that controls a legitimate service
principal could obtain a valid service ticket to itself containing
valid KDC-generated authorization data for a client whose TGS-REQ it
has intercepted. The attacker could then use this ticket for
S4U2Proxy to impersonate the targeted client even if the client
never authenticated to the subverted service. The vulnerable
configuration is believed to be rare.</p>
</blockquote>
</body>
</description>
<references>
<bid>45122</bid>
<cvename>CVE-2010-4021</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69607</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="1d193bba-03f6-11e0-bf50-001a926c7637">
<topic>krb5 -- RFC 3961 key-derivation checksum handling vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.8.0</ge><le>1.8.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 incorrectly accepts RFC 3961
key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH
and AD-KDC-ISSUED authorization data.</p>
<p>An authenticated remote attacker that controls a legitimate service
principal has a 1/256 chance of forging the AD-SIGNEDPATH signature
if the TGT key is RC4, allowing it to use self-generated "evidence"
tickets for S4U2Proxy, instead of tickets obtained from the user or
with S4U2Self. Configurations using RC4 for the TGT key are
believed to be rare.</p>
<p>An authenticated remote attacker has a 1/256 chance of forging
AD-KDC-ISSUED signatures on authdata elements in tickets having
an RC4 service key, resulting in privilege escalation against
a service that relies on these signatures. There are no known
uses of the KDC-ISSUED authdata container at this time.</p>
</blockquote>
</body>
</description>
<references>
<bid>45117</bid>
<cvename>CVE-2010-4020</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69608</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="9f971cea-03f5-11e0-bf50-001a926c7637">
<topic>krb5 -- unkeyed PAC checksum handling vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7.0</ge><lt>1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 incorrectly accepts an unkeyed checksum for PAC
signatures.</p>
<p>An authenticated remote attacker can forge PACs if using a KDC that
does not filter client-provided PAC data. This can result in
privilege escalation against a service that relies on PAC contents
to make authorization decisions.</p>
</blockquote>
</body>
</description>
<references>
<bid>45116</bid>
<cvename>CVE-2010-1324</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69609</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="0d57c1d9-03f4-11e0-bf50-001a926c7637">
<topic>krb5 -- multiple checksum handling vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7.0</ge><lt>1.7.2</lt></range>
<range><ge>1.8.0</ge><le>1.8.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 incorrectly accepts an unkeyed
checksum with DES session keys for version 2 (RFC 4121)
of the GSS-API krb5 mechanism.</p>
<p>An unauthenticated remote attacker can forge GSS tokens that are
intended to be integrity-protected but unencrypted, if the targeted
pre-existing application session uses a DES session key.</p>
<p>MIT krb5 KDC incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying the
req-checksum in a KrbFastArmoredReq.</p>
<p>An unauthenticated remote attacker has a 1/256 chance of swapping a
client-issued KrbFastReq into a different KDC-REQ, if the armor
key is RC4. The consequences are believed to be minor.</p>
</blockquote>
</body>
</description>
<references>
<bid>45116</bid>
<cvename>CVE-2010-1324</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69609</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="11bbccbc-03ee-11e0-bcdb-001fc61c2a55">
<topic>krb5 -- multiple checksum handling vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.3.0</ge><lt>1.7.2</lt></range>
<range><ge>1.8.0</ge><le>1.8.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 clients incorrectly accept unkeyed checksums
in the SAM-2 preauthentication challenge.</p>
<p>An unauthenticated remote attacker could alter a SAM-2 challenge,
affecting the prompt text seen by the user or the kind of response
sent to the KDC. Under some circumstances, this can negate the
incremental security benefit of using a single-use authentication
mechanism token.</p>
<p>MIT krb5 incorrectly accepts RFC 3961 key-derivation checksums
using RC4 keys when verifying KRB-SAFE messages.</p>
<p>An unauthenticated remote attacker has a 1/256 chance of forging
KRB-SAFE messages in an application protocol if the targeted
pre-existing session uses an RC4 session key. Few application
protocols use KRB-SAFE messages.</p>
</blockquote>
</body>
</description>
<references>
<bid>45118</bid>
<cvename>CVE-2010-1323</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69610</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
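The krb5 entries above (1d193bba, 9f971cea, 0d57c1d9 and 11bbccbc) share one root cause: the verifier honoured the checksum type named in the message rather than the type bound to the key, so unkeyed checksums (PAC, GSS-API with DES, SAM-2) or checksums derived under the wrong key type (RC4) were accepted. The following added example is not MIT krb5 code; it models that bug class in the language used for the other examples on this page. The token layout, the field names, the enctype-to-checksum table and the algorithm labels are hypothetical, and the session key and tokens are constructed.

```php
<?php
// Added example, not MIT krb5 code. Models the bug class in
// MITKRB5-SA-2010-007: a verifier that accepts the checksum type named in
// the message instead of the one bound to the key. The token layout,
// field names and algorithm labels are hypothetical.

function checksum_for_enctype($enctype)
{
    // The key's type fixes the only acceptable checksum type.
    $table = array('aes256-cts' => 'hmac-sha256');
    return isset($table[$enctype]) ? $table[$enctype] : null;
}

function compute_checksum($cksumtype, $keybytes, $body)
{
    switch ($cksumtype) {
        case 'crc32':       return hash('crc32b', $body);              // unkeyed
        case 'md5':         return hash('md5', $body);                 // unkeyed
        case 'hmac-sha256': return hash_hmac('sha256', $body, $keybytes);
        default:            return null;
    }
}

// Vulnerable: dispatches on the sender-chosen type, so anyone can pick an
// unkeyed type and "verify" a body they wrote themselves.
function verify_vulnerable(array $tok, array $key)
{
    $expected = compute_checksum($tok['cksumtype'], $key['bytes'], $tok['body']);
    return $expected !== null && hash_equals($expected, $tok['cksum']);
}

// Hardened: the required type comes from the key; the message's claim is
// only compared against it, never used to select the algorithm.
function verify_hardened(array $tok, array $key)
{
    $required = checksum_for_enctype($key['enctype']);
    if ($required === null || $tok['cksumtype'] !== $required) {
        return false;
    }
    $expected = compute_checksum($required, $key['bytes'], $tok['body']);
    return hash_equals($expected, $tok['cksum']);
}

// Constructed session key (unknown to the attacker), a forged token and a
// genuine one.
$key  = array('enctype' => 'aes256-cts', 'bytes' => random_bytes(32));
$body = 'authz: client=victim role=admin';
$forged = array(
    'cksumtype' => 'crc32',
    'body'      => $body,
    'cksum'     => hash('crc32b', $body),   // needs no key at all
);
$genuine = array(
    'cksumtype' => 'hmac-sha256',
    'body'      => $body,
    'cksum'     => hash_hmac('sha256', $body, $key['bytes']),
);

foreach (array('forged' => $forged, 'genuine' => $genuine) as $name => $tok) {
    printf("%-8s vulnerable=%-5s hardened=%s\n", $name,
        verify_vulnerable($tok, $key) ? 'true' : 'false',
        verify_hardened($tok, $key) ? 'true' : 'false');
}
```

The RC4 cases in the advisories are the same mistake one level down: a checksum type that is keyed, but under a key-derivation rule belonging to a different enctype, is still a type the key did not authorise. Deriving the acceptable type from the key, as verify_hardened() does, closes both variants.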
<vuln vid="6887828f-0229-11e0-b84d-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>15.0.874.121</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>Fixed in 15.0.874.121:<br/>
[103259] High CVE-2011-3900: Out-of-bounds write in v8. Credit to
Christian Holler.</p>
<p>Fixed in 15.0.874.120:<br/>
[100465] High CVE-2011-3892: Double free in Theora decoder. Credit
to Aki Helin of OUSPG.<br/>
[100492] [100543] Medium CVE-2011-3893: Out of bounds reads in MKV
and Vorbis media handlers. Credit to Aki Helin of OUSPG.<br/>
[101172] High CVE-2011-3894: Memory corruption regression in VP8
decoding. Credit to Andrew Scherkus of the Chromium development
community.<br/>
[101458] High CVE-2011-3895: Heap overflow in Vorbis decoder.
Credit to Aki Helin of OUSPG.<br/>
[101624] High CVE-2011-3896: Buffer overflow in shader variable
mapping. Credit to Ken "strcpy" Russell of the Chromium
development community.<br/>
[102242] High CVE-2011-3897: Use-after-free in editing. Credit to
pa_kt reported through ZDI (ZDI-CAN-1416).<br/>
[102461] Low CVE-2011-3898: Failure to ask for permission to run
applets in JRE7. Credit to Google Chrome Security Team (Chris
Evans).</p>
<p>Fixed in 15.0.874.102:<br/>
[86758] High CVE-2011-2845: URL bar spoof in history handling.
Credit to Jordi Chancel.<br/>
[88949] Medium CVE-2011-3875: URL bar spoof with drag+drop of URLs.
Credit to Jordi Chancel.<br/>
[90217] Low CVE-2011-3876: Avoid stripping whitespace at the end of
download filenames. Credit to Marc Novak.<br/>
[91218] Low CVE-2011-3877: XSS in appcache internals page. Credit
to Google Chrome Security Team (Tom Sepez) plus independent
discovery by Juho Nurminen.<br/>
[94487] Medium CVE-2011-3878: Race condition in worker process
initialization. Credit to miaubiz.<br/>
[95374] Low CVE-2011-3879: Avoid redirect to chrome scheme URIs.
Credit to Masato Kinugawa.<br/>
[95992] Low CVE-2011-3880: Don't permit as a HTTP header delimiter.
Credit to Vladimir Vorontsov, ONsec company.<br/>
[96047] [96885] [98053] [99512] [99750] High CVE-2011-3881:
Cross-origin policy violations. Credit to Sergey Glazunov.<br/>
[96292] High CVE-2011-3882: Use-after-free in media buffer handling.
Credit to Google Chrome Security Team (Inferno).<br/>
[96902] High CVE-2011-3883: Use-after-free in counter handling.
Credit to miaubiz.<br/>
[97148] High CVE-2011-3884: Timing issues in DOM traversal. Credit
to Brian Ryner of the Chromium development community.<br/>
[97599] [98064] [98556] [99294] [99880] [100059] High CVE-2011-3885:
Stale style bugs leading to use-after-free. Credit to
miaubiz.<br/>
[98773] [99167] High CVE-2011-3886: Out of bounds writes in v8.
Credit to Christian Holler.<br/>
[98407] Medium CVE-2011-3887: Cookie theft with javascript URIs.
Credit to Sergey Glazunov.<br/>
[99138] High CVE-2011-3888: Use-after-free with plug-in and editing.
Credit to miaubiz.<br/>
[99211] High CVE-2011-3889: Heap overflow in Web Audio. Credit to
miaubiz.<br/>
[99553] High CVE-2011-3890: Use-after-free in video source handling.
Credit to Ami Fischman of the Chromium development community.<br/>
[100332] High CVE-2011-3891: Exposure of internal v8 functions.
Credit to Steven Keuchel of the Chromium development community
plus independent discovery by Daniel Divricean.</p>
<p>Fixed in 14.0.835.202:<br/>
[93788] High CVE-2011-2876: Use-after-free in text line box
handling. Credit to miaubiz.<br/>
[95072] High CVE-2011-2877: Stale font in SVG text handling. Credit
to miaubiz.<br/>
[95671] High CVE-2011-2878: Inappropriate cross-origin access to the
window prototype. Credit to Sergey Glazunov.<br/>
[96150] High CVE-2011-2879: Lifetime and threading issues in audio
node handling. Credit to Google Chrome Security Team
(Inferno).<br/>
[97451] [97520] [97615] High CVE-2011-2880: Use-after-free in the v8
bindings. Credit to Sergey Glazunov.<br/>
[97784] High CVE-2011-2881: Memory corruption with v8 hidden
objects. Credit to Sergey Glazunov.<br/>
[98089] Critical CVE-2011-3873: Memory corruption in shader
translator. Credit to Zhenyao Mo of the Chromium development
community.</p>
<p>Fixed in 14.0.835.163:<br/>
[49377] High CVE-2011-2835: Race condition in the certificate cache. Credit to Ryan Sleevi of the Chromium development community.<br/>
[51464] Low CVE-2011-2836: Infobar the Windows Media Player plug-in
to avoid click-free access to the system Flash. Credit to
electronixtar.<br/>
[Linux only] [57908] Low CVE-2011-2837: Use PIC / pie compiler
flags. Credit to wbrana.<br/>
[75070] Low CVE-2011-2838: Treat MIME type more authoritatively when
loading plug-ins. Credit to Michal Zalewski of the Google Security
Team.<br/>
[76771] High CVE-2011-2839: Crash in v8 script object wrappers.
Credit to Kostya Serebryany of the Chromium development
community.<br/>
[78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with
unusual user interaction. Credit to kuzzcc.<br/>
[78639] High CVE-2011-2841: Garbage collection error in PDF. Credit
to Mario Gomes.<br/>
[82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers.
Credit to Kostya Serebryany of the Chromium development
community.<br/>
[85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files.
Credit to Mario Gomes.<br/>
[89219] High CVE-2011-2846: Use-after-free in unload event handling.
Credit to Arthur Gerkis.<br/>
[89330] High CVE-2011-2847: Use-after-free in document loader.
Credit to miaubiz.<br/>
[89564] Medium CVE-2011-2848: URL bar spoof with forward button.
Credit to Jordi Chancel.<br/>
[89795] Low CVE-2011-2849: Browser NULL pointer crash with
WebSockets. Credit to Arthur Gerkis.<br/>
[89991] Medium CVE-2011-3234: Out-of-bounds read in box handling.
Credit to miaubiz.<br/>
[90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer
characters. Credit to miaubiz.<br/>
[90173] Medium CVE-2011-2851: Out-of-bounds read in video handling.
Credit to Google Chrome Security Team (Inferno).<br/>
[91120] High CVE-2011-2852: Off-by-one in v8. Credit to Christian
Holler.<br/>
[91197] High CVE-2011-2853: Use-after-free in plug-in handling.
Credit to Google Chrome Security Team (SkyLined).<br/>
[92651] [94800] High CVE-2011-2854: Use-after-free in ruby / table
style handling. Credit to Slawomir Blazek, and independent later
discoveries by miaubiz and Google Chrome Security Team
(Inferno).<br/>
[92959] High CVE-2011-2855: Stale node in stylesheet handling.
Credit to Arthur Gerkis.<br/>
[93416] High CVE-2011-2856: Cross-origin bypass in v8. Credit to
Daniel Divricean.<br/>
[93420] High CVE-2011-2857: Use-after-free in focus controller.
Credit to miaubiz.<br/>
[93472] High CVE-2011-2834: Double free in libxml XPath handling.
Credit to Yang Dingning from NCNIPC, Graduate University of
Chinese Academy of Sciences.<br/>
[93497] Medium CVE-2011-2859: Incorrect permissions assigned to
non-gallery pages. Credit to Bernhard "Bruhns" Brehm of Recurity
Labs.<br/>
[93587] High CVE-2011-2860: Use-after-free in table style handling.
Credit to miaubiz.<br/>
[93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki
Helin of OUSPG.<br/>
[93906] High CVE-2011-2862: Unintended access to v8 built-in
objects. Credit to Sergey Glazunov.<br/>
[95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan
characters. Credit to Google Chrome Security Team (Inferno).<br/>
[95625] Medium CVE-2011-2858: Out-of-bounds read with triangle
arrays. Credit to Google Chrome Security Team (Inferno).<br/>
[95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a
session. Credit to Nishant Yadant of VMware and Craig Chamberlain
(@randomuserid).<br/>
High CVE-2011-2875: Type confusion in v8 object sealing. Credit to
Christian Holler.</p>
<p>Fixed in 13.0.782.215:<br/>
[89402] High CVE-2011-2821: Double free in libxml XPath handling.
Credit to Yang Dingning from NCNIPC, Graduate University of
Chinese Academy of Sciences.<br/>
[82552] High CVE-2011-2823: Use-after-free in line box handling.
Credit to Google Chrome Security Team (SkyLined) and independent
later discovery by miaubiz.<br/>
[88216] High CVE-2011-2824: Use-after-free with counter nodes.
Credit to miaubiz.<br/>
[88670] High CVE-2011-2825: Use-after-free with custom fonts. Credit
to wushi of team509 reported through ZDI (ZDI-CAN-1283), plus
independent later discovery by miaubiz.<br/>
[87453] High CVE-2011-2826: Cross-origin violation with empty
origins. Credit to Sergey Glazunov.<br/>
[90668] High CVE-2011-2827: Use-after-free in text searching. Credit
to miaubiz.<br/>
[91517] High CVE-2011-2828: Out-of-bounds write in v8. Credit to
Google Chrome Security Team (SkyLined).<br/>
[32-bit only] [91598] High CVE-2011-2829: Integer overflow in
uniform arrays. Credit to Sergey Glazunov.<br/>
[Linux only] [91665] High CVE-2011-2839: Buggy memset() in PDF.
Credit to Aki Helin of OUSPG.</p>
<p>Fixed in 13.0.782.107:<br/>
[75821] Medium CVE-2011-2358: Always confirm an extension install
via a browser dialog. Credit to Sergey Glazunov.<br/>
[78841] High CVE-2011-2359: Stale pointer due to bad line box
tracking in rendering. Credit to miaubiz and Martin Barbella.<br/>
[79266] Low CVE-2011-2360: Potential bypass of dangerous file
prompt. Credit to kuzzcc.<br/>
[79426] Low CVE-2011-2361: Improve designation of strings in the
basic auth dialog. Credit to kuzzcc.<br/>
[Linux only] [81307] Medium CVE-2011-2782: File permissions error
with drag and drop. Credit to Evan Martin of the Chromium
development community.<br/>
[83273] Medium CVE-2011-2783: Always confirm a developer mode NPAPI
extension install via a browser dialog. Credit to Sergey
Glazunov.<br/>
[83841] Low CVE-2011-2784: Local file path disclosure via GL
program log. Credit to kuzzcc.<br/>
[84402] Low CVE-2011-2785: Sanitize the homepage URL in extensions.
Credit to kuzzcc.<br/>
[84600] Low CVE-2011-2786: Make sure the speech input bubble is
always on-screen. Credit to Olli Pettay of Mozilla.<br/>
[84805] Medium CVE-2011-2787: Browser crash due to GPU lock
re-entrancy issue. Credit to kuzzcc.<br/>
[85559] Low CVE-2011-2788: Buffer overflow in inspector
serialization. Credit to Mikolaj Malecki.<br/>
[85808] Medium CVE-2011-2789: Use after free in Pepper plug-in
instantiation. Credit to Mario Gomes and kuzzcc.<br/>
[86502] High CVE-2011-2790: Use-after-free with floating styles.
Credit to miaubiz.<br/>
[86900] High CVE-2011-2791: Out-of-bounds write in ICU. Credit to
Yang Dingning from NCNIPC, Graduate University of Chinese Academy
of Sciences.<br/>
[87148] High CVE-2011-2792: Use-after-free with float removal.
Credit to miaubiz.<br/>
[87227] High CVE-2011-2793: Use-after-free in media selectors.
Credit to miaubiz.<br/>
[87298] Medium CVE-2011-2794: Out-of-bounds read in text iteration.
Credit to miaubiz.<br/>
[87339] Medium CVE-2011-2795: Cross-frame function leak. Credit to
Shih Wei-Long.<br/>
[87548] High CVE-2011-2796: Use-after-free in Skia. Credit to Google
Chrome Security Team (Inferno) and Kostya Serebryany of the
Chromium development community.<br/>
[87729] High CVE-2011-2797: Use-after-free in resource caching.
Credit to miaubiz.<br/>
[87815] Low CVE-2011-2798: Prevent a couple of internal schemes from
being web accessible. Credit to sirdarckcat of the Google Security
Team.<br/>
[87925] High CVE-2011-2799: Use-after-free in HTML range handling.
Credit to miaubiz.<br/>
[88337] Medium CVE-2011-2800: Leak of client-side redirect target.
Credit to Juho Nurminen.<br/>
[88591] High CVE-2011-2802: v8 crash with const lookups. Credit to
Christian Holler.<br/>
[88827] Medium CVE-2011-2803: Out-of-bounds read in Skia paths.
Credit to Google Chrome Security Team (Inferno).<br/>
[88846] High CVE-2011-2801: Use-after-free in frame loader. Credit
to miaubiz.<br/>
[88889] High CVE-2011-2818: Use-after-free in display box rendering.
Credit to Martin Barbella.<br/>
[89142] High CVE-2011-2804: PDF crash with nested functions. Credit
to Aki Helin of OUSPG.<br/>
[89520] High CVE-2011-2805: Cross-origin script injection. Credit to
Sergey Glazunov.<br/>
[90222] High CVE-2011-2819: Cross-origin violation in base URI
handling. Credit to Sergey Glazunov.</p>
<p>Fixed in 12.0.742.112:<br/>
[77493] Medium CVE-2011-2345: Out-of-bounds read in NPAPI string
handling. Credit to Philippe Arteau.<br/>
[84355] High CVE-2011-2346: Use-after-free in SVG font handling.
Credit to miaubiz.<br/>
[85003] High CVE-2011-2347: Memory corruption in CSS parsing. Credit
to miaubiz.<br/>
[85102] High CVE-2011-2350: Lifetime and re-entrancy issues in the
HTML parser. Credit to miaubiz.<br/>
[85177] High CVE-2011-2348: Bad bounds check in v8. Credit to Aki
Helin of OUSPG.<br/>
[85211] High CVE-2011-2351: Use-after-free with SVG use element.
Credit to miaubiz.<br/>
[85418] High CVE-2011-2349: Use-after-free in text selection. Credit
to miaubiz.</p>
<p>Fixed in 12.0.742.91:<br/>
[73962] [79746] High CVE-2011-1808: Use-after-free due to integer
issues in float handling. Credit to miaubiz.<br/>
[75496] Medium CVE-2011-1809: Use-after-free in accessibility
support. Credit to Google Chrome Security Team (SkyLined).<br/>
[75643] Low CVE-2011-1810: Visit history information leak in CSS.
Credit to Jesse Mohrland of Microsoft and Microsoft Vulnerability
Research (MSVR).<br/>
[76034] Low CVE-2011-1811: Browser crash with lots of form
submissions. Credit to "DimitrisV22".<br/>
[77026] Medium CVE-2011-1812: Extensions permission bypass. Credit
to kuzzcc.<br/>
[78516] High CVE-2011-1813: Stale pointer in extension framework.
Credit to Google Chrome Security Team (Inferno).<br/>
[79362] Medium CVE-2011-1814: Read from uninitialized pointer.
Credit to Eric Roman of the Chromium development community.<br/>
[79862] Low CVE-2011-1815: Extension script injection into new tab
page. Credit to kuzzcc.<br/>
[80358] Medium CVE-2011-1816: Use-after-free in developer tools.
Credit to kuzzcc.<br/>
[81916] Medium CVE-2011-1817: Browser memory corruption in history
deletion. Credit to Collin Payne.<br/>
[81949] High CVE-2011-1818: Use-after-free in image loader. Credit
to miaubiz.<br/>
[83010] Medium CVE-2011-1819: Extension injection into chrome://
pages. Credit to Vladislavas Jarmalis, plus subsequent
independent discovery by Sergey Glazunov.<br/>
[83275] High CVE-2011-2332: Same origin bypass in v8. Credit to
Sergey Glazunov.<br/>
[83743] High CVE-2011-2342: Same origin bypass in DOM. Credit to
Sergey Glazunov.</p>
<p>Fixed in 11.0.696.71:<br/>
[72189] Low CVE-2011-1801: Pop-up blocker bypass. Credit to Chamal
De Silva.<br/>
[82546] High CVE-2011-1804: Stale pointer in floats rendering.
Credit to Martin Barbella.<br/>
[82873] Critical CVE-2011-1806: Memory corruption in GPU command
buffer. Credit to Google Chrome Security Team (Cris Neckar).<br/>
[82903] Critical CVE-2011-1807: Out-of-bounds write in blob
handling. Credit to Google Chrome Security Team (Inferno) and
Kostya Serebryany of the Chromium development community.</p>
<p>Fixed in 11.0.696.68:<br/>
[64046] High CVE-2011-1799: Bad casts in Chromium WebKit glue.
Credit to Google Chrome Security Team (SkyLined).<br/>
[80608] High CVE-2011-1800: Integer overflows in SVG filters.
Credit to Google Chrome Security Team (Cris Neckar).</p>
<p>Fixed in 11.0.696.57:<br/>
[61502] High CVE-2011-1303: Stale pointer in floating object
handling. Credit to Scott Hess of the Chromium development
community and Martin Barbella.<br/>
[70538] Low CVE-2011-1304: Pop-up block bypass via plug-ins. Credit
to Chamal De Silva.<br/>
[Linux / Mac only] [70589] Medium CVE-2011-1305: Linked-list race
in database handling. Credit to Kostya Serebryany of the
Chromium development community.<br/>
[71586] Medium CVE-2011-1434: Lack of thread safety in MIME
handling. Credit to Aki Helin.<br/>
[72523] Medium CVE-2011-1435: Bad extension with "tabs" permission
can capture local files. Credit to Cole Snodgrass.<br/>
[Linux only] [72910] Low CVE-2011-1436: Possible browser crash due
to bad interaction with X. Credit to miaubiz.<br/>
[73526] High CVE-2011-1437: Integer overflows in float rendering.
Credit to miaubiz.<br/>
[74653] High CVE-2011-1438: Same origin policy violation with
blobs. Credit to kuzzcc.<br/>
[Linux only] [74763] High CVE-2011-1439: Prevent interference
between renderer processes. Credit to Julien Tinnes of the
Google Security Team.<br/>
[75186] High CVE-2011-1440: Use-after-free with &lt;ruby&gt; tag
and CSS. Credit to Jose A. Vazquez.<br/>
[75347] High CVE-2011-1441: Bad cast with floating select lists.
Credit to Michael Griffiths.<br/>
[75801] High CVE-2011-1442: Corrupt node trees with mutation events.
Credit to Sergey Glazunov and wushi of team 509.<br/>
[76001] High CVE-2011-1443: Stale pointers in layering code. Credit
to Martin Barbella.<br/>
[Linux only] [76542] High CVE-2011-1444: Race condition in sandbox
launcher. Credit to Dan Rosenberg.<br/>
Medium CVE-2011-1445: Out-of-bounds read in SVG. Credit to wushi of
team509.<br/>
[76666] [77507] [78031] High CVE-2011-1446: Possible URL bar spoofs
with navigation errors and interrupted loads. Credit to
kuzzcc.<br/>
[76966] High CVE-2011-1447: Stale pointer in drop-down list
handling. Credit to miaubiz.<br/>
[77130] High CVE-2011-1448: Stale pointer in height calculations.
Credit to wushi of team509.<br/>
[77346] High CVE-2011-1449: Use-after-free in WebSockets. Credit to
Marek Majkowski.<br/>
Low CVE-2011-1450: Dangling pointers in file dialogs. Credit to
kuzzcc.<br/>
[77463] High CVE-2011-1451: Dangling pointers in DOM id map. Credit
to Sergey Glazunov.<br/>
[77786] Medium CVE-2011-1452: URL bar spoof with redirect and manual
reload. Credit to Jordi Chancel.<br/>
[79199] High CVE-2011-1454: Use-after-free in DOM id handling.
Credit to Sergey Glazunov.<br/>
[79361] Medium CVE-2011-1455: Out-of-bounds read with
multipart-encoded PDF. Credit to Eric Roman of the Chromium
development community.<br/>
[79364] High CVE-2011-1456: Stale pointers with PDF forms. Credit to
Eric Roman of the Chromium development community.</p>
<p>Fixed in 10.0.648.205:<br/>
[75629] Critical CVE-2011-1301: Use-after-free in the GPU process.
Credit to Google Chrome Security Team (Inferno).<br/>
[78524] Critical CVE-2011-1302: Heap overflow in the GPU process.
Credit to Christoph Diehl.</p>
<p>Fixed in 10.0.648.204:<br/>
[72517] High CVE-2011-1291: Buffer error in base string handling.
Credit to Alex Turpin.<br/>
[73216] High CVE-2011-1292: Use-after-free in the frame loader.
Credit to Slawomir Blazek.<br/>
[73595] High CVE-2011-1293: Use-after-free in HTMLCollection.
Credit to Sergey Glazunov.<br/>
[74562] High CVE-2011-1294: Stale pointer in CSS handling.
Credit to Sergey Glazunov.<br/>
[74991] High CVE-2011-1295: DOM tree corruption with broken node
parentage. Credit to Sergey Glazunov.<br/>
[75170] High CVE-2011-1296: Stale pointer in SVG text handling.
Credit to Sergey Glazunov.</p>
<p>Fixed in 10.0.648.133:<br/>
[75712] High Memory corruption in style handling.
Credit to Vincenzo Iozzo, Ralf Philipp Weinmann and Willem
Pinckaers reported through ZDI.</p>
<p>Fixed in 10.0.648.127:<br/>
[42765] Low Possible to navigate or close the top location in a
sandboxed frame. Credit to sirdarckcat of the Google Security
Team.<br/>
[Linux only] [49747] Low Work around an X server bug and crash with
long messages. Credit to Louis Lang.<br/>
[Linux only] [66962] Low Possible browser crash with parallel
print()s. Credit to Aki Helin of OUSPG.<br/>
[69187] Medium Cross-origin error message leak. Credit to Daniel
Divricean.<br/>
[69628] High Memory corruption with counter nodes. Credit to Martin
Barbella.<br/>
[70027] High Stale node in box layout. Credit to Martin
Barbella.<br/>
[70336] Medium Cross-origin error message leak with workers. Credit
to Daniel Divricean.<br/>
[70442] High Use after free with DOM URL handling. Credit to Sergey
Glazunov.<br/>
[Linux only] [70779] Medium Out of bounds read handling unicode
ranges. Credit to miaubiz.<br/>
[70877] High Same origin policy bypass in v8. Credit to Daniel
Divricean.<br/>
[70885] [71167] Low Pop-up blocker bypasses. Credit to Chamal de
Silva.<br/>
[71763] High Use-after-free in document script lifetime handling.
Credit to miaubiz.<br/>
[71788] High Out-of-bounds write in the OGG container. Credit to
Google Chrome Security Team (SkyLined); plus subsequent
independent discovery by David Weston of Microsoft and MSVR.<br/>
[72028] High Stale pointer in table painting. Credit to Martin
Barbella.<br/>
[73026] High Use of corrupt out-of-bounds structure in video code.
Credit to Tavis Ormandy of the Google Security Team.<br/>
[73066] High Crash with the DataView object. Credit to Sergey
Glazunov.<br/>
[73134] High Bad cast in text rendering. Credit to miaubiz.<br/>
[73196] High Stale pointer in WebKit context code. Credit to Sergey
Glazunov.<br/>
[73716] Low Leak of heap address in XSLT. Credit to Google Chrome
Security Team (Chris Evans).<br/>
[73746] High Stale pointer with SVG cursors. Credit to Sergey
Glazunov.<br/>
[74030] High DOM tree corruption with attribute handling. Credit to
Sergey Glazunov.<br/>
[74662] High Corruption via re-entrancy of RegExp code. Credit to
Christian Holler.<br/>
[74675] High Invalid memory access in v8. Credit to Christian
Holler.</p>
<p>Fixed in 9.0.597.107:<br/>
[54262] High URL bar spoof. Credit to Jordi Chancel.<br/>
[63732] High Crash with javascript dialogs. Credit to Sergey
Radchenko.<br/>
[68263] High Stylesheet node stale pointer. Credit to Sergey
Glazunov.<br/>
[68741] High Stale pointer with key frame rule. Credit to Sergey
Glazunov.<br/>
[70078] High Crash with forms controls. Credit to Stefan van
Zanden.<br/>
[70244] High Crash in SVG rendering. Credit to Slawomir Blazek.<br/>
[64-bit Linux only] [70376] Medium Out-of-bounds read in pickle
deserialization. Credit to Evgeniy Stepanov of the Chromium
development community.<br/>
[71114] High Stale node in table handling. Credit to Martin
Barbella.<br/>
[71115] High Stale pointer in table rendering. Credit to Martin
Barbella.<br/>
[71296] High Stale pointer in SVG animations. Credit to
miaubiz.<br/>
[71386] High Stale nodes in XHTML. Credit to wushi of team509.<br/>
[71388] High Crash in textarea handling. Credit to wushi of
team509.<br/>
[71595] High Stale pointer in device orientation. Credit to Sergey
Glazunov.<br/>
[71717] Medium Out-of-bounds read in WebGL. Credit to miaubiz.<br/>
[71855] High Integer overflow in textarea handling. Credit to
miaubiz.<br/>
[71960] Medium Out-of-bounds read in WebGL. Credit to Google Chrome
Security Team (Inferno).<br/>
[72214] High Accidental exposure of internal extension functions.
Credit to Tavis Ormandy of the Google Security Team.<br/>
[72437] High Use-after-free with blocked plug-ins. Credit to Chamal
de Silva.<br/>
[73235] High Stale pointer in layout. Credit to Martin Barbella.</p>
<p>Fixed in 9.0.597.94:<br/>
[67234] High Stale pointer in animation event handling. Credit to
Rik Cabanier.<br/>
[68120] High Use-after-free in SVG font faces. Credit to
miaubiz.<br/>
[69556] High Stale pointer with anonymous block handling. Credit to
Martin Barbella.<br/>
[69970] Medium Out-of-bounds read in plug-in handling. Credit to
Bill Budge of Google.<br/>
[70456] Medium Possible failure to terminate process on
out-of-memory condition. Credit to David Warren of CERT/CC.</p>
<p>Fixed in 9.0.597.84:<br/>
[Mac only] [42989] Low Minor sandbox leak via stat(). Credit to
Daniel Cheng of the Chromium development community.<br/>
[55831] High Use-after-free in image loading. Credit to Aki
Helin of OUSPG.<br/>
[59081] Low Apply some restrictions to cross-origin drag + drop.
Credit to Google Chrome Security Team (SkyLined) and the Google
Security Team (Michal Zalewski, David Bloom).<br/>
[62791] Low Browser crash with extension with missing key. Credit
to Brian Kirchoff.<br/>
[64051] High Crashing when printing in PDF event handler. Credit to
Aki Helin of OUSPG.<br/>
[65669] Low Handle merging of autofill profiles more gracefully.
Credit to Google Chrome Security Team (Inferno).<br/>
[Mac only] [66931] Low Work around a crash in the Mac OS 10.5 SSL
libraries. Credit to Dan Morrison.<br/>
[68244] Low Browser crash with bad volume setting. Credit to
Matthew Heidermann.<br/>
[69195] Critical Race condition in audio handling. Credit to the
gamers of Reddit!</p>
<p>Fixed in 8.0.552.237:<br/>
[58053] Medium Browser crash in extensions notification handling.
Credit to Eric Roman of the Chromium development community.<br/>
[65764] High Bad pointer handling in node iteration. Credit to
Sergey Glazunov.<br/>
[66334] High Crashes when printing multi-page PDFs. Credit to
Google Chrome Security Team (Chris Evans).<br/>
[66560] High Stale pointer with CSS + canvas. Credit to Sergey
Glazunov.<br/>
[66748] High Stale pointer with CSS + cursors. Credit to Jan
Tosovsk.<br/>
[67100] High Use after free in PDF page handling. Credit to Google
Chrome Security Team (Chris Evans).<br/>
[67208] High Stack corruption after PDF out-of-memory condition.
Credit to Jared Allar of CERT.<br/>
[67303] High Bad memory access with mismatched video frame sizes.
Credit to Aki Helin of OUSPG; plus independent discovery by
Google Chrome Security Team (SkyLined) and David Warren of
CERT.<br/>
[67363] High Stale pointer with SVG use element. Credited
anonymously; plus independent discovery by miaubiz.<br/>
[67393] Medium Uninitialized pointer in the browser triggered by
rogue extension. Credit to kuzzcc.<br/>
[68115] High Vorbis decoder buffer overflows. Credit to David
Warren of CERT.<br/>
[68170] High Buffer overflow in PDF shading. Credit to Aki Helin of
OUSPG.<br/>
[68178] High Bad cast in anchor handling. Credit to Sergey
Glazunov.<br/>
[68181] High Bad cast in video handling. Credit to Sergey
Glazunov.<br/>
[68439] High Stale rendering node after DOM node removal. Credit to
Martin Barbella; plus independent discovery by Google Chrome
Security Team (SkyLined).<br/>
[68666] Critical Stale pointer in speech handling. Credit to Sergey
Glazunov.</p>
<p>Fixed in 8.0.552.224:<br/>
[64-bit Linux only] [56449] High Bad validation for message
deserialization on 64-bit builds. Credit to Lei Zhang of the
Chromium development community.<br/>
[60761] Medium Bad extension can cause browser crash in tab
handling. Credit to kuzzcc.<br/>
[63529] Low Browser crash with NULL pointer in web worker handling.
Credit to Nathan Weizenbaum of Google.<br/>
[63866] Medium Out-of-bounds read in CSS parsing. Credit to Chris
Rohlf.<br/>
[64959] High Stale pointers in cursor handling. Credit to Slawomir
Blazek and Sergey Glazunov.</p>
<p>Fixed in 8.0.552.215:<br/>
[17655] Low Possible pop-up blocker bypass. Credit to Google Chrome
Security Team (SkyLined).<br/>
[55745] Medium Cross-origin video theft with canvas. Credit to
Nirankush Panchbhai and Microsoft Vulnerability Research
(MSVR).<br/>
[56237] Low Browser crash with HTML5 databases. Credit to Google
Chrome Security Team (Inferno).<br/>
[58319] Low Prevent excessive file dialogs, possibly leading to
browser crash. Credit to Cezary Tomczak (gosu.pl).<br/>
[59554] High Use after free in history handling. Credit to Stefan
Troger.<br/>
[Linux / Mac] [59817] Medium Make sure the "dangerous file types"
list is up to date with the Windows platforms. Credit to Billy Rios
of the Google Security Team.<br/>
[61701] Low Browser crash with HTTP proxy authentication. Credit to
Mohammed Bouhlel.<br/>
[61653] Medium Out-of-bounds read regression in WebM video support.
Credit to Google Chrome Security Team (Chris Evans), based on
earlier testcases from Mozilla and Microsoft (MSVR).<br/>
[62127] High Crash due to bad indexing with malformed video. Credit
to miaubiz.<br/>
[62168] Medium Possible browser memory corruption via malicious
privileged extension. Credit to kuzzcc.<br/>
[62401] High Use after free with SVG animations. Credit to Slawomir
Blazek.<br/>
[63051] Medium Use after free in mouse dragging event handling.
Credit to kuzzcc.<br/>
[63444] High Double free in XPath handling. Credit to Yang Dingning
from NCNIPC, Graduate University of Chinese Academy of Sciences.</p>
<p>Fixed in 7.0.517.44:<br/>
[51602] High Use-after-free in text editing. Credit to David Bloom
of the Google Security Team, Google Chrome Security Team (Inferno)
and Google Chrome Security Team (Cris Neckar).<br/>
[55257] High Memory corruption with enormous text area. Credit to
wushi of team509.<br/>
[58657] High Bad cast with the SVG use element. Credit to
kuzzcc.<br/>
[58731] High Invalid memory read in XPath handling. Credit to Bui
Quang Minh from Bkis (www.bkis.com).<br/>
[58741] High Use-after-free in text control selections. Credit to
"vkouchna".<br/>
[Linux only] [59320] High Integer overflows in font handling. Credit
to Aki Helin of OUSPG.<br/>
[60055] High Memory corruption in libvpx. Credit to Christoph
Diehl.<br/>
[60238] High Bad use of destroyed frame object. Credit to various
developers, including "gundlach".<br/>
[60327] [60769] [61255] High Type confusions with event objects.
Credit to "fam.lam" and Google Chrome Security Team
(Inferno).<br/>
[60688] High Out-of-bounds array access in SVG handling. Credit to
wushi of team509.</p>
<p>Fixed in 7.0.517.43:<br/>
[48225] [51727] Medium Possible autofill / autocomplete profile
spamming. Credit to Google Chrome Security Team (Inferno).<br/>
[48857] High Crash with forms. Credit to the Chromium development
community.<br/>
[50428] Critical Browser crash with form autofill. Credit to the
Chromium development community.<br/>
[51680] High Possible URL spoofing on page unload. Credit to kuzzcc;
plus independent discovery by Jordi Chancel.<br/>
[53002] Low Pop-up block bypass. Credit to kuzzcc.<br/>
[53985] Medium Crash on shutdown with Web Sockets. Credit to the
Chromium development community.<br/>
[Linux only] [54132] Low Bad construction of PATH variable. Credit
to Dan Rosenberg, Virtual Security Research.<br/>
[54500] High Possible memory corruption with animated GIF. Credit to
Simon Schaak.<br/>
[Linux only] [54794] High Failure to sandbox worker processes on
Linux. Credit to Google Chrome Security Team (Chris Evans).<br/>
[56451] High Stale elements in an element map. Credit to Michal
Zalewski of the Google Security Team.</p>
</blockquote>
</body>
</description>
<references>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
<cvename>CVE-2011-1290</cvename>
<cvename>CVE-2011-1291</cvename>
<cvename>CVE-2011-1292</cvename>
<cvename>CVE-2011-1293</cvename>
<cvename>CVE-2011-1294</cvename>
<cvename>CVE-2011-1295</cvename>
<cvename>CVE-2011-1296</cvename>
<cvename>CVE-2011-1301</cvename>
<cvename>CVE-2011-1302</cvename>
<cvename>CVE-2011-1303</cvename>
<cvename>CVE-2011-1304</cvename>
<cvename>CVE-2011-1305</cvename>
<cvename>CVE-2011-1434</cvename>
<cvename>CVE-2011-1435</cvename>
<cvename>CVE-2011-1436</cvename>
<cvename>CVE-2011-1437</cvename>
<cvename>CVE-2011-1438</cvename>
<cvename>CVE-2011-1439</cvename>
<cvename>CVE-2011-1440</cvename>
<cvename>CVE-2011-1441</cvename>
<cvename>CVE-2011-1442</cvename>
<cvename>CVE-2011-1443</cvename>
<cvename>CVE-2011-1444</cvename>
<cvename>CVE-2011-1445</cvename>
<cvename>CVE-2011-1446</cvename>
<cvename>CVE-2011-1447</cvename>
<cvename>CVE-2011-1448</cvename>
<cvename>CVE-2011-1449</cvename>
<cvename>CVE-2011-1450</cvename>
<cvename>CVE-2011-1451</cvename>
<cvename>CVE-2011-1452</cvename>
<cvename>CVE-2011-1454</cvename>
<cvename>CVE-2011-1455</cvename>
<cvename>CVE-2011-1456</cvename>
<cvename>CVE-2011-1799</cvename>
<cvename>CVE-2011-1800</cvename>
<cvename>CVE-2011-1801</cvename>
<cvename>CVE-2011-1804</cvename>
<cvename>CVE-2011-1806</cvename>
<cvename>CVE-2011-1807</cvename>
<cvename>CVE-2011-1808</cvename>
<cvename>CVE-2011-1809</cvename>
<cvename>CVE-2011-1810</cvename>
<cvename>CVE-2011-1811</cvename>
<cvename>CVE-2011-1812</cvename>
<cvename>CVE-2011-1813</cvename>
<cvename>CVE-2011-1814</cvename>
<cvename>CVE-2011-1815</cvename>
<cvename>CVE-2011-1816</cvename>
<cvename>CVE-2011-1817</cvename>
<cvename>CVE-2011-1818</cvename>
<cvename>CVE-2011-1819</cvename>
<cvename>CVE-2011-2332</cvename>
<cvename>CVE-2011-2342</cvename>
<cvename>CVE-2011-2345</cvename>
<cvename>CVE-2011-2346</cvename>
<cvename>CVE-2011-2347</cvename>
<cvename>CVE-2011-2348</cvename>
<cvename>CVE-2011-2349</cvename>
<cvename>CVE-2011-2350</cvename>
<cvename>CVE-2011-2351</cvename>
<cvename>CVE-2011-2358</cvename>
<cvename>CVE-2011-2359</cvename>
<cvename>CVE-2011-2360</cvename>
<cvename>CVE-2011-2361</cvename>
<cvename>CVE-2011-2782</cvename>
<cvename>CVE-2011-2783</cvename>
<cvename>CVE-2011-2784</cvename>
<cvename>CVE-2011-2785</cvename>
<cvename>CVE-2011-2786</cvename>
<cvename>CVE-2011-2787</cvename>
<cvename>CVE-2011-2788</cvename>
<cvename>CVE-2011-2789</cvename>
<cvename>CVE-2011-2790</cvename>
<cvename>CVE-2011-2791</cvename>
<cvename>CVE-2011-2792</cvename>
<cvename>CVE-2011-2793</cvename>
<cvename>CVE-2011-2794</cvename>
<cvename>CVE-2011-2795</cvename>
<cvename>CVE-2011-2796</cvename>
<cvename>CVE-2011-2797</cvename>
<cvename>CVE-2011-2798</cvename>
<cvename>CVE-2011-2799</cvename>
<cvename>CVE-2011-2800</cvename>
<cvename>CVE-2011-2801</cvename>
<cvename>CVE-2011-2802</cvename>
<cvename>CVE-2011-2803</cvename>
<cvename>CVE-2011-2804</cvename>
<cvename>CVE-2011-2805</cvename>
<cvename>CVE-2011-2818</cvename>
<cvename>CVE-2011-2819</cvename>
<cvename>CVE-2011-2821</cvename>
<cvename>CVE-2011-2823</cvename>
<cvename>CVE-2011-2824</cvename>
<cvename>CVE-2011-2825</cvename>
<cvename>CVE-2011-2826</cvename>
<cvename>CVE-2011-2827</cvename>
<cvename>CVE-2011-2828</cvename>
<cvename>CVE-2011-2829</cvename>
<cvename>CVE-2011-2834</cvename>
<cvename>CVE-2011-2835</cvename>
<cvename>CVE-2011-2836</cvename>
<cvename>CVE-2011-2837</cvename>
<cvename>CVE-2011-2838</cvename>
<cvename>CVE-2011-2839</cvename>
<cvename>CVE-2011-2840</cvename>
<cvename>CVE-2011-2841</cvename>
<cvename>CVE-2011-2842</cvename>
<cvename>CVE-2011-2843</cvename>
<cvename>CVE-2011-2844</cvename>
<cvename>CVE-2011-2845</cvename>
<cvename>CVE-2011-2846</cvename>
<cvename>CVE-2011-2847</cvename>
<cvename>CVE-2011-2848</cvename>
<cvename>CVE-2011-2849</cvename>
<cvename>CVE-2011-2850</cvename>
<cvename>CVE-2011-2851</cvename>
<cvename>CVE-2011-2852</cvename>
<cvename>CVE-2011-2853</cvename>
<cvename>CVE-2011-2854</cvename>
<cvename>CVE-2011-2855</cvename>
<cvename>CVE-2011-2856</cvename>
<cvename>CVE-2011-2857</cvename>
<cvename>CVE-2011-2858</cvename>
<cvename>CVE-2011-2859</cvename>
<cvename>CVE-2011-2860</cvename>
<cvename>CVE-2011-2861</cvename>
<cvename>CVE-2011-2862</cvename>
<cvename>CVE-2011-2864</cvename>
<cvename>CVE-2011-2874</cvename>
<cvename>CVE-2011-2875</cvename>
<cvename>CVE-2011-2876</cvename>
<cvename>CVE-2011-2877</cvename>
<cvename>CVE-2011-2878</cvename>
<cvename>CVE-2011-2879</cvename>
<cvename>CVE-2011-2880</cvename>
<cvename>CVE-2011-2881</cvename>
<cvename>CVE-2011-3234</cvename>
<cvename>CVE-2011-3873</cvename>
<cvename>CVE-2011-3875</cvename>
<cvename>CVE-2011-3876</cvename>
<cvename>CVE-2011-3877</cvename>
<cvename>CVE-2011-3878</cvename>
<cvename>CVE-2011-3879</cvename>
<cvename>CVE-2011-3880</cvename>
<cvename>CVE-2011-3881</cvename>
<cvename>CVE-2011-3882</cvename>
<cvename>CVE-2011-3883</cvename>
<cvename>CVE-2011-3884</cvename>
<cvename>CVE-2011-3885</cvename>
<cvename>CVE-2011-3886</cvename>
<cvename>CVE-2011-3887</cvename>
<cvename>CVE-2011-3888</cvename>
<cvename>CVE-2011-3889</cvename>
<cvename>CVE-2011-3890</cvename>
<cvename>CVE-2011-3891</cvename>
<cvename>CVE-2011-3892</cvename>
<cvename>CVE-2011-3893</cvename>
<cvename>CVE-2011-3894</cvename>
<cvename>CVE-2011-3895</cvename>
<cvename>CVE-2011-3896</cvename>
<cvename>CVE-2011-3897</cvename>
<cvename>CVE-2011-3898</cvename>
<cvename>CVE-2011-3900</cvename>
</references>
<dates>
<discovery>2010-10-19</discovery>
<entry>2010-12-07</entry>
<modified>2011-11-17</modified>
</dates>
</vuln>
<vuln vid="ed7fa1b4-ff59-11df-9759-080027284eaa">
<topic>proftpd -- Compromised source packages backdoor</topic>
<affects>
<package>
<name>proftpd</name>
<range><eq>1.3.3c_2</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The ProFTPD Project team reports:</p>
<blockquote cite="http://proftpd.org/">
<p>The security issue is caused due to the distribution of compromised
ProFTPD 1.3.3c source code packages via the project's main FTP server
and all of the mirror servers, which contain a backdoor allowing
remote root access.</p>
</blockquote>
</body>
</description>
<references>
<url>http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org</url>
<url>http://secunia.com/advisories/42449</url>
</references>
<dates>
<discovery>2010-11-28</discovery>
<entry>2010-12-04</entry>
</dates>
</vuln>
<vuln vid="753f8185-5ba9-42a4-be02-3f55ee580093">
<topic>phpMyAdmin -- XSS attack in database search</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.3.8.1</lt></range>
</package>
<package>
<name>phpMyAdmin211</name>
<range><lt>2.11.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php">
<p>It was possible to conduct an XSS attack using a spoofed request on the
db search script.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/152685</freebsdpr>
<freebsdpr>ports/152686</freebsdpr>
<cvename>CVE-2010-4329</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php</url>
</references>
<dates>
<discovery>2010-11-29</discovery>
<entry>2010-11-30</entry>
</dates>
</vuln>
<vuln vid="f154a3c7-f7f4-11df-b617-00e0815b8da8">
<topic>isc-dhcp-server -- Empty link-address denial of service</topic>
<affects>
<package>
<name>isc-dhcp41-server</name>
<range><ge>4.1.0</ge><lt>4.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/dhcp/advisories/cve-2010-3611">
<p>If the server receives a DHCPv6 packet containing one or more
Relay-Forward messages, and none of them supply an address in the
Relay-Forward link-address field, then the server will crash. This
can be used as a single packet crash attack vector.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3611</cvename>
<url>http://www.isc.org/software/dhcp/advisories/cve-2010-3611</url>
<url>http://www.kb.cert.org/vuls/id/102047</url>
</references>
<dates>
<discovery>2010-11-02</discovery>
<entry>2010-11-24</entry>
</dates>
</vuln>
<vuln vid="373e412e-f748-11df-96cd-0015f2db7bde">
<topic>OpenTTD -- Denial of service (server/client) via invalid read</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>1.0.0</ge><lt>1.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2010-4168">
<p>When a client disconnects, without sending the "quit" or
"client error" message, the server has a chance of reading and
writing a just freed piece of memory. The writing can only
happen while the server is sending the map. Depending on what
happens directly after freeing the memory there is a chance of
segmentation fault, and thus a denial of service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4168</cvename>
<url>http://security.openttd.org/en/CVE-2010-4168</url>
</references>
<dates>
<discovery>2010-11-20</discovery>
<entry>2010-11-23</entry>
</dates>
</vuln>
<vuln vid="a3314314-f731-11df-a757-0011098ad87f">
<topic>horde-base -- XSS: VCARD attachments vulnerability</topic>
<affects>
<package>
<name>horde-base</name>
<range><lt>3.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/532">
<p>The major changes compared to Horde version 3.3.10 are:</p>
<p>* Fixed XSS vulnerability when viewing details of a vCard.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/532</url>
<url>http://bugs.horde.org/ticket/9357</url>
</references>
<dates>
<discovery>2010-11-02</discovery>
<entry>2010-11-23</entry>
</dates>
</vuln>
<vuln vid="533d20e7-f71f-11df-9ae1-000bcdf0a03b">
<topic>proftpd -- remote code execution vulnerability</topic>
<affects>
<package>
<name>proftpd</name>
<range><lt>1.3.3c</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tippingpoint reports:</p>
<blockquote cite="http://www.zerodayinitiative.com/advisories/ZDI-10-229/">
<p>This vulnerability allows remote attackers to execute arbitrary
code on vulnerable installations of ProFTPD. Authentication is not
required to exploit this vulnerability.</p>
<p>The flaw exists within the proftpd server component which
listens by default on TCP port 21. When reading user input if a
TELNET_IAC escape sequence is encountered the process
miscalculates a buffer length counter value allowing a user
controlled copy of data to a stack buffer. A remote attacker can
exploit this vulnerability to execute arbitrary code under the
context of the proftpd process.</p>
</blockquote>
</body>
</description>
<references>
<bid>44562</bid>
<cvename>CVE-2010-4221</cvename>
<url>http://www.zerodayinitiative.com/advisories/ZDI-10-229/</url>
</references>
<dates>
<discovery>2010-11-02</discovery>
<entry>2010-11-23</entry>
</dates>
</vuln>
<vuln vid="3042c33a-f237-11df-9d02-0018fe623f2b">
<topic>openssl -- TLS extension parsing race condition</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL Team reports:</p>
<blockquote cite="http://openssl.org/news/secadv_20101116.txt">
<p>Rob Hulswit has found a flaw in the OpenSSL TLS server extension
code parsing which on affected servers can be exploited in a buffer
overrun attack.</p>
<p>Any OpenSSL based TLS server is vulnerable if it is multi-threaded
and uses OpenSSL's internal caching mechanism. Servers that are
multi-process and/or disable internal session caching are NOT
affected.</p>
<p>In particular the Apache HTTP server (which never uses OpenSSL
internal caching) and Stunnel (which includes its own workaround)
are NOT affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3864</cvename>
<url>http://openssl.org/news/secadv_20101116.txt</url>
</references>
<dates>
<discovery>2010-10-08</discovery>
<entry>2010-11-17</entry>
</dates>
</vuln>
<vuln vid="76b597e4-e9c6-11df-9e10-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r289</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r102</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-26.html">
<p>Critical vulnerabilities have been identified in
Adobe Flash Player 10.1.85.3 and earlier versions for
Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player
10.1.95.1 for Android. These vulnerabilities, including
CVE-2010-3654 referenced in Security Advisory APSA10-05,
could cause the application to crash and could potentially
allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3636</cvename>
<cvename>CVE-2010-3637</cvename>
<cvename>CVE-2010-3638</cvename>
<cvename>CVE-2010-3639</cvename>
<cvename>CVE-2010-3640</cvename>
<cvename>CVE-2010-3641</cvename>
<cvename>CVE-2010-3642</cvename>
<cvename>CVE-2010-3643</cvename>
<cvename>CVE-2010-3644</cvename>
<cvename>CVE-2010-3645</cvename>
<cvename>CVE-2010-3646</cvename>
<cvename>CVE-2010-3647</cvename>
<cvename>CVE-2010-3648</cvename>
<cvename>CVE-2010-3649</cvename>
<cvename>CVE-2010-3650</cvename>
<cvename>CVE-2010-3652</cvename>
<cvename>CVE-2010-3654</cvename>
<cvename>CVE-2010-3676</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-26.html</url>
<url>http://www.adobe.com/support/security/advisories/apsa10-05.html</url>
</references>
<dates>
<discovery>2010-09-28</discovery>
<entry>2010-11-06</entry>
</dates>
</vuln>
<vuln vid="b2eaa7c2-e64a-11df-bc65-0022156e8794">
<topic>Wireshark -- DoS in the BER-based dissectors</topic>
<affects>
<package>
<name>wireshark</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
<package>
<name>tshark</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41535">
<p>A vulnerability has been discovered in Wireshark, which can
be exploited by malicious people to cause a DoS (Denial of
Service).</p>
<p>The vulnerability is caused due to an infinite recursion
error in the "dissect_unknown_ber()" function in
epan/dissectors/packet-ber.c and can be exploited to cause a
stack overflow e.g. via a specially crafted SNMP packet.</p>
<p>The vulnerability is confirmed in version 1.4.0 and
reported in version 1.2.11 and prior and version 1.4.0 and
prior.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3445</cvename>
<url>http://www.wireshark.org/lists/wireshark-announce/201010/msg00002.html</url>
<url>http://www.wireshark.org/lists/wireshark-announce/201010/msg00001.html</url>
</references>
<dates>
<discovery>2010-09-16</discovery>
<entry>2010-11-05</entry>
</dates>
</vuln>
<vuln vid="4ab29e12-e787-11df-adfa-00e0815b8da8">
<topic>Mailman -- cross-site scripting in web interface</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41265">
<p>Two vulnerabilities have been reported in Mailman, which
can be exploited by malicious users to conduct script
insertion attacks.</p>
<p>Certain input passed via the list descriptions is not
properly sanitised before being displayed to the user. This
can be exploited to insert arbitrary HTML and script code,
which will be executed in a user's browser session in context
of an affected site when the malicious data is being
viewed.</p>
<p>Successful exploitation requires "list owner" permissions.</p>
</blockquote>
</body>
</description>
<references>
<bid>43187</bid>
<cvename>CVE-2010-3089</cvename>
<url>http://secunia.com/advisories/41265</url>
</references>
<dates>
<discovery>2010-09-14</discovery>
<entry>2010-11-03</entry>
</dates>
</vuln>
<vuln vid="96e776c7-e75c-11df-8f26-00151735203a">
<topic>OTRS -- Multiple XSS and denial of service vulnerabilities</topic>
<affects>
<package>
<name>otrs</name>
<range><gt>2.3.*</gt><lt>2.4.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2010-02-en/">
<ul>
<li>Multiple Cross Site Scripting issues:
Missing HTML quoting allows authenticated agents or
customers to inject HTML tags. This vulnerability
allows an attacker to inject script code into the OTRS
web-interface which will be loaded and executed
in the browsers of system users.</li>
<li>Possible Denial of Service Attack:
Perl's regular expressions consume 100% CPU time
on the server if an agent or customer views an affected
article. To exploit this vulnerability the malicious user
needs to send extremely large HTML emails to your
system address.</li>
</ul>
</blockquote>
<blockquote cite="http://otrs.org/advisory/OSA-2010-03-en/">
<p>AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails:</p>
<p>Whenever a customer sends an HTML e-mail and RichText is enabled
in OTRS, javascript contained in the email can do everything
in the OTRS agent interface that the agent himself could do.</p>
<p>Most relevant is that this type of exploit can be used in such
a way that the agent won't even detect he is being exploited.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2080</cvename>
<cvename>CVE-2010-4071</cvename>
<url>http://otrs.org/advisory/OSA-2010-02-en/</url>
<url>http://otrs.org/advisory/OSA-2010-03-en/</url>
</references>
<dates>
<discovery>2010-09-15</discovery>
<entry>2010-11-03</entry>
</dates>
</vuln>
<vuln vid="c223b00d-e272-11df-8e32-000f20797ede">
<topic>mozilla -- Heap buffer overflow mixing document.write and DOM insertion</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.12,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.15,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.12</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.12,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.15</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.0.10</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>3.1.6</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.10</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.10</lt></range>
<range><ge>3.1</ge><lt>3.1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3765</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-73.html</url>
</references>
<dates>
<discovery>2010-10-27</discovery>
<entry>2010-10-28</entry>
</dates>
</vuln>
<vuln vid="aab187d4-e0f3-11df-b1ea-001999392805">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Opera Desktop Team reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1063/">
<ul>
<li>Fixed an issue that allowed cross-domain checks to be bypassed,
allowing limited data theft using CSS, as reported by Isaac
Dawson.</li>
<li>Fixed an issue where manipulating the window could be used to
spoof the page address.</li>
<li>Fixed an issue with reloads and redirects that could allow
spoofing and cross-site scripting.</li>
<li>Fixed an issue that allowed private video streams to be
intercepted, as reported by Nirankush Panchbhai of Microsoft
Vulnerability Research.</li>
<li>Fixed an issue that caused JavaScript to run in the wrong
security context after manual interaction.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/971/</url>
<url>http://www.opera.com/support/kb/view/972/</url>
<url>http://www.opera.com/support/kb/view/973/</url>
<url>http://www.opera.com/support/kb/view/974/</url>
<url>http://www.opera.com/support/kb/view/976/</url>
</references>
<dates>
<discovery>2010-10-12</discovery>
<entry>2010-10-26</entry>
</dates>
</vuln>
<vuln vid="0ddb57a9-da20-4e99-b048-4366092f3d31">
<topic>bzip2 -- integer overflow vulnerability</topic>
<affects>
<package>
<name>bzip2</name>
<range><lt>1.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41452">
<p>A vulnerability has been reported in bzip2, which can be exploited by
malicious people to cause a DoS (Denial of Service) or potentially
compromise a vulnerable system.</p>
<p>The vulnerability is caused due to an integer overflow in the
"BZ2_decompress()" function in decompress.c and can be exploited to
cause a crash or potentially execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-10:08.bzip2</freebsdsa>
<freebsdpr>ports/151364</freebsdpr>
<cvename>CVE-2010-0405</cvename>
<bid>43331</bid>
<mlist>http://www.openwall.com/lists/oss-security/2010/09/21/4</mlist>
<url>http://secunia.com/advisories/41452</url>
</references>
<dates>
<discovery>2010-09-21</discovery>
<entry>2010-10-25</entry>
</dates>
</vuln>
<vuln vid="18dc48fe-ca42-11df-aade-0050568f000c">
<topic>FreeBSD -- Integer overflow in bzip2 decompression</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.4</gt><lt>6.4_11</lt></range>
<range><gt>7.1</gt><lt>7.1_14</lt></range>
<range><gt>7.3</gt><lt>7.3_3</lt></range>
<range><gt>8.0</gt><lt>8.0_5</lt></range>
<range><gt>8.1</gt><lt>8.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When decompressing data, the run-length encoded values are not
adequately sanity-checked, allowing for an integer overflow.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:08.bzip2</freebsdsa>
</references>
<dates>
<discovery>2010-09-20</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="7a09a8df-ca41-11df-aade-0050568f000c">
<topic>FreeBSD -- Lost mbuf flag resulting in data corruption</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>7.1</gt><lt>7.1_13</lt></range>
<range><gt>7.3</gt><lt>7.3_2</lt></range>
<range><gt>8.0</gt><lt>8.0_4</lt></range>
<range><gt>8.1</gt><lt>8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The read-only flag is not correctly copied when an mbuf buffer
reference is duplicated. When the sendfile(2) system call is used to
transmit data over the loopback interface, this can result in the
backing pages for the transmitted file being modified, causing data
corruption.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:07.mbuf</freebsdsa>
</references>
<dates>
<discovery>2010-07-13</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="0dc91089-ca41-11df-aade-0050568f000c">
<topic>FreeBSD -- Unvalidated input in nfsclient</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>7.2</gt><lt>7.2_8</lt></range>
<range><gt>7.3</gt><lt>7.3_1</lt></range>
<range><gt>8.0</gt><lt>8.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The NFS client subsystem fails to correctly validate the length of a
parameter provided by the user when a filesystem is mounted.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:06.nfsclient</freebsdsa>
</references>
<dates>
<discovery>2010-05-27</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="768cfe70-ca40-11df-aade-0050568f000c">
<topic>FreeBSD -- OPIE off-by-one stack overflow</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.4</gt><lt>6.4_10</lt></range>
<range><gt>7.1</gt><lt>7.1_12</lt></range>
<range><gt>7.2</gt><lt>7.2_8</lt></range>
<range><gt>7.3</gt><lt>7.3_1</lt></range>
<range><gt>8.0</gt><lt>8.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A programming error in the OPIE library could allow an off-by-one
buffer overflow to write a single zero byte beyond the end of an
on-stack buffer.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:05.opie</freebsdsa>
</references>
<dates>
<discovery>2010-05-27</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="f6eb2279-ca3f-11df-aade-0050568f000c">
<topic>FreeBSD -- Insufficient environment sanitization in jail(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>8.0</gt><lt>8.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The jail(8) utility does not change the current working directory
while imprisoning. The current working directory can be accessed by
its descendants.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:04.jail</freebsdsa>
</references>
<dates>
<discovery>2010-05-27</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="97f09f2f-ca3f-11df-aade-0050568f000c">
<topic>FreeBSD -- ZFS ZIL playback with insecure permissions</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>7.1</gt><lt>7.1_10</lt></range>
<range><gt>7.2</gt><lt>7.2_6</lt></range>
<range><gt>8.0</gt><lt>8.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When replaying a setattr transaction, the replay code would set the
attributes with certain insecure defaults, when the logged
transaction did not touch these attributes.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:03.zfs</freebsdsa>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="48103b0a-ca3f-11df-aade-0050568f000c">
<topic>FreeBSD -- ntpd mode 7 denial of service</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.3</gt><lt>6.3_15</lt></range>
<range><gt>6.4</gt><lt>6.4_9</lt></range>
<range><gt>7.1</gt><lt>7.1_10</lt></range>
<range><gt>7.2</gt><lt>7.2_6</lt></range>
<range><gt>8.0</gt><lt>8.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
from a source address not listed in either a 'restrict ... noquery'
or a 'restrict ... ignore' section it will log the event and send a
mode 7 error response.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:02.ntpd</freebsdsa>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="e500b9bf-ca3e-11df-aade-0050568f000c">
<topic>FreeBSD -- BIND named(8) cache poisoning with DNSSEC validation</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.3</gt><lt>6.3_15</lt></range>
<range><gt>6.4</gt><lt>6.4_9</lt></range>
<range><gt>7.1</gt><lt>7.1_10</lt></range>
<range><gt>7.2</gt><lt>7.2_6</lt></range>
<range><gt>8.0</gt><lt>8.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>If a client requests DNSSEC records with the Checking Disabled (CD)
flag set, BIND may cache the unvalidated responses. These responses
may later be returned to another client that has not set the CD
flag.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:01.bind</freebsdsa>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="6e87b696-ca3e-11df-aade-0050568f000c">
<topic>FreeBSD -- Inappropriate directory permissions in freebsd-update(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.3</gt><lt>6.3_14</lt></range>
<range><gt>6.4</gt><lt>6.4_8</lt></range>
<range><gt>7.1</gt><lt>7.1_9</lt></range>
<range><gt>7.2</gt><lt>7.2_5</lt></range>
<range><gt>8.0</gt><lt>8.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When downloading updates to FreeBSD via 'freebsd-update fetch' or
'freebsd-update upgrade', the freebsd-update(8) utility copies
currently installed files into its working directory
(/var/db/freebsd-update by default) both for the purpose of merging
changes to configuration files and in order to be able to roll back
installed updates.</p>
<p>The default working directory used by freebsd-update(8) is normally
created during the installation of FreeBSD with permissions which
allow all local users to see its contents, and freebsd-update(8) does
not take any steps to restrict access to files stored in said
directory.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:17.freebsd-update</freebsdsa>
</references>
<dates>
<discovery>2009-12-03</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="ad08d14b-ca3d-11df-aade-0050568f000c">
<topic>FreeBSD -- Improper environment sanitization in rtld(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>7.1</gt><lt>7.1_9</lt></range>
<range><gt>7.2</gt><lt>7.2_5</lt></range>
<range><gt>8.0</gt><lt>8.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When running setuid programs rtld will normally remove potentially
dangerous environment variables. Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:16.rtld</freebsdsa>
</references>
<dates>
<discovery>2009-12-03</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="406779fd-ca3b-11df-aade-0050568f000c">
<topic>FreeBSD -- SSL protocol flaw</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.3</gt><lt>6.3_14</lt></range>
<range><gt>6.4</gt><lt>6.4_8</lt></range>
<range><gt>7.1</gt><lt>7.1_9</lt></range>
<range><gt>7.2</gt><lt>7.2_5</lt></range>
<range><gt>8.0</gt><lt>8.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The SSL version 3 and TLS protocols support session
renegotiation without cryptographically tying the new
session parameters to the old parameters.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:15.ssl</freebsdsa>
</references>
<dates>
<discovery>2009-12-03</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="c9a6ae4a-df8b-11df-9573-00262d5ed8ee">
<topic>monotone -- remote denial of service in default setup</topic>
<affects>
<package>
<name>monotone</name>
<range><lt>0.48.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The monotone developers report:</p>
<blockquote cite="http://www.monotone.ca/NEWS">
<p>Running "mtn ''" or "mtn ls ''" doesn't cause an internal
error anymore. In monotone 0.48 and earlier this behavior
could be used to crash a server remotely (but only if it was
configured to allow execution of remote commands).</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/151665</freebsdpr>
<url>http://www.monotone.ca/NEWS</url>
<url>http://www.thomaskeller.biz/blog/2010/10/22/monotone-0-48-1-released-please-update-your-servers/</url>
</references>
<dates>
<discovery>2010-10-21</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="c4f067b9-dc4a-11df-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.11,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.14,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.11</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.11,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.14</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.9</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.9</lt></range>
<range><ge>3.1</ge><lt>3.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)</p>
<p>MFSA 2010-65 Buffer overflow and memory corruption using document.write</p>
<p>MFSA 2010-66 Use-after-free error in nsBarProp</p>
<p>MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter</p>
<p>MFSA 2010-68 XSS in gopher parser when parsing hrefs</p>
<p>MFSA 2010-69 Cross-site information disclosure via modal calls</p>
<p>MFSA 2010-70 SSL wildcard certificate matching IP addresses</p>
<p>MFSA 2010-71 Unsafe library loading vulnerabilities</p>
<p>MFSA 2010-72 Insecure Diffie-Hellman key exchange</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3170</cvename>
<cvename>CVE-2010-3173</cvename>
<cvename>CVE-2010-3174</cvename>
<cvename>CVE-2010-3175</cvename>
<cvename>CVE-2010-3176</cvename>
<cvename>CVE-2010-3177</cvename>
<cvename>CVE-2010-3178</cvename>
<cvename>CVE-2010-3179</cvename>
<cvename>CVE-2010-3180</cvename>
<cvename>CVE-2010-3181</cvename>
<cvename>CVE-2010-3182</cvename>
<cvename>CVE-2010-3183</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-64.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-65.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-66.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-67.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-68.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-69.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-70.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-71.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-72.html</url>
</references>
<dates>
<discovery>2010-10-19</discovery>
<entry>2010-10-20</entry>
</dates>
</vuln>
<vuln vid="e5090d2a-dbbe-11df-82f8-0015f2db7bde">
<topic>Webkit-gtk2 -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS">
<p>The patches to fix the following CVEs are included with help from
Vincent Danen and other members of the Red Hat security team:</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1780</cvename>
<cvename>CVE-2010-1807</cvename>
<cvename>CVE-2010-1812</cvename>
<cvename>CVE-2010-1814</cvename>
<cvename>CVE-2010-1815</cvename>
<cvename>CVE-2010-3113</cvename>
<cvename>CVE-2010-3114</cvename>
<cvename>CVE-2010-3115</cvename>
<cvename>CVE-2010-3116</cvename>
<cvename>CVE-2010-3255</cvename>
<cvename>CVE-2010-3257</cvename>
<cvename>CVE-2010-3259</cvename>
<url>http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS</url>
</references>
<dates>
<discovery>2010-10-01</discovery>
<entry>2010-10-19</entry>
</dates>
</vuln>
<vuln vid="dd943fbb-d0fe-11df-95a8-00219b0fc4d8">
<topic>apr -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apr1</name>
<range><lt>1.4.2.1.3.10</lt></range>
</package>
<package>
<name>apr0</name>
<range><lt>0.9.19.0.9.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41701">
<p>Multiple vulnerabilities have been reported in APR-util, which can
be exploited by malicious people to cause a DoS (Denial of
Service).</p>
<p>Two XML parsing vulnerabilities exist in the bundled version of
expat.</p>
<p>An error within the "apr_brigade_split_line()" function in
buckets/apr_brigade.c can be exploited to cause high memory
consumption.</p>
</blockquote>
</body>
</description>
<references>
<bid>43673</bid>
<cvename>CVE-2009-3560</cvename>
<cvename>CVE-2009-3720</cvename>
<cvename>CVE-2010-1623</cvename>
<url>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</url>
<url>http://secunia.com/advisories/41701</url>
</references>
<dates>
<discovery>2010-10-02</discovery>
<entry>2010-10-06</entry>
<modified>2010-10-20</modified>
</dates>
</vuln>
<vuln vid="99021f88-ca3c-11df-be21-00e018aa7788">
<topic>phpmyfaq -- cross site scripting vulnerabilities</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.6.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ project reports:</p>
<blockquote cite="http://www.phpmyfaq.de/advisory_2010-09-28.php">
<p>The phpMyFAQ Team has learned of a security issue that has been
discovered in phpMyFAQ 2.6.x: phpMyFAQ doesn't sanitize
some variables in different pages correctly. With a
properly crafted URL it is e.g. possible to inject
JavaScript code into the output of a page, which could
result in the leakage of domain cookies (f.e. session
identifiers).</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/151055</freebsdpr>
<url>http://www.phpmyfaq.de/advisory_2010-09-28.php</url>
</references>
<dates>
<discovery>2010-09-28</discovery>
<entry>2010-10-02</entry>
</dates>
</vuln>
<vuln vid="e08c596e-cb28-11df-9c1b-0011098ad87f">
<topic>horde-gollem -- XSS vulnerability</topic>
<affects>
<package>
<name>horde-gollem</name>
<range><lt>1.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/523">
<p>The major changes compared to Gollem version H3 (1.1.1) are:</p>
<p>* Fixed an XSS vulnerability in the file viewer.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/523</url>
<url>http://git.horde.org/diff.php/gollem/docs/CHANGES?rt=horde&amp;r1=1.114.2.55&amp;r2=1.114.2.59&amp;ty=h</url>
<url>http://bugs.horde.org/ticket/9191</url>
</references>
<dates>
<discovery>2010-08-21</discovery>
<entry>2010-09-28</entry>
</dates>
</vuln>
<vuln vid="6c4db192-cb23-11df-9c1b-0011098ad87f">
<topic>horde-imp -- XSS vulnerability</topic>
<affects>
<package>
<name>horde-imp</name>
<range><gt>4.2,1</gt><lt>4.3.8,1</lt></range>
<range><lt>4.3.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/516">
<p>Thanks to Naumann IT Security Consulting for reporting the XSS
vulnerability.</p>
<p>The major changes compared to IMP version H3 (4.3.7) are:</p>
<p>* Fixed an XSS vulnerability in the Fetchmail configuration.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/516</url>
<url>http://git.horde.org/diff.php/imp/docs/CHANGES?rt=horde&amp;r1=1.699.2.424&amp;r2=1.699.2.430&amp;ty=h</url>
</references>
<dates>
<discovery>2010-09-28</discovery>
<entry>2010-09-28</entry>
<modified>2011-09-23</modified>
</dates>
</vuln>
<vuln vid="8fc55043-cb1e-11df-9c1b-0011098ad87f">
<topic>horde-base -- XSS and CSRF vulnerabilities</topic>
<affects>
<package>
<name>horde-base</name>
<range><lt>3.3.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/515">
<p>Thanks to Naumann IT Security Consulting for reporting the XSS
vulnerability.</p>
<p>Thanks to Secunia for releasing an advisory for the new CSRF
protection in the preference interface.</p>
<p>The major changes compared to Horde version 3.3.8 are:</p>
<p>* Fixed XSS vulnerability in util/icon_browser.php.</p>
<p>* Protected preference forms against CSRF attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/515</url>
<url>http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&amp;r1=1.515.2.607&amp;r2=1.515.2.620&amp;ty=h</url>
<url>http://secunia.com/advisories/39860/</url>
<url>http://holisticinfosec.org/content/view/145/45/</url>
</references>
<dates>
<discovery>2010-06-03</discovery>
<entry>2010-09-28</entry>
</dates>
</vuln>
<vuln vid="80b6d6cc-c970-11df-bb18-0015587e2cc1">
<topic>openx -- remote code execution vulnerability</topic>
<affects>
<package>
<name>openx</name>
<range><lt>2.8.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenX project reported:</p>
<blockquote cite="http://blog.openx.org/09/security-update/">
<p>It has been brought to our attention that there is a vulnerability
in the 2.8 downloadable version of OpenX that can result in a server
running the downloaded version of OpenX being compromised.</p>
</blockquote>
<p>This vulnerability exists in the file upload functionality
and allows attackers to upload and execute PHP code of
their choice.</p>
</body>
</description>
<references>
<url>http://blog.openx.org/09/security-update/</url>
<url>http://www.h-online.com/security/news/item/Web-sites-distribute-malware-via-hacked-OpenX-servers-1079099.html</url>
</references>
<dates>
<discovery>2010-09-14</discovery>
<entry>2010-09-26</entry>
</dates>
</vuln>
<vuln vid="e4dac715-c818-11df-a92c-0015587e2cc1">
<topic>squid -- Denial of service vulnerability in request handling</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.0.1</ge><lt>3.0.25_3</lt></range>
<range><ge>3.1.0.1</ge><lt>3.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:3 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_3.txt">
<p>Due to an internal error in string handling Squid is
vulnerable to a denial of service attack when processing
specially crafted requests.</p>
<p>This problem allows any trusted client to perform a
denial of service attack on the Squid service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3072</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_3.txt</url>
</references>
<dates>
<discovery>2010-08-30</discovery>
<entry>2010-09-24</entry>
</dates>
</vuln>
<vuln vid="8a34d9e6-c662-11df-b2e1-001b2134ef46">
<topic>linux-flashplugin -- remote code execution</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r283</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r85</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa10-03.html">
<p>A critical vulnerability exists in Adobe Flash Player
10.1.82.76 and earlier versions for Windows, Macintosh,
Linux, Solaris, and Adobe Flash Player 10.1.92.10 for
Android. This vulnerability also affects Adobe Reader
9.3.4 and earlier versions for Windows, Macintosh and
UNIX, and Adobe Acrobat 9.3.4 and earlier versions for
Windows and Macintosh. This vulnerability (CVE-2010-2884)
could cause a crash and potentially allow an attacker
to take control of the affected system. There are
reports that this vulnerability is being actively
exploited in the wild against Adobe Flash Player on
Windows. Adobe is not aware of any attacks exploiting
this vulnerability against Adobe Reader or Acrobat to
date.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2884</cvename>
<url>http://www.adobe.com/support/security/advisories/apsa10-03.html</url>
</references>
<dates>
<discovery>2010-09-14</discovery>
<entry>2010-09-22</entry>
</dates>
</vuln>
<vuln vid="3ff95dd3-c291-11df-b0dc-00215c6a37bb">
<topic>django -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><gt>1.2</gt><lt>1.2.2</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>13698,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django project reports:</p>
<blockquote cite="http://www.djangoproject.com/weblog/2010/sep/08/security-release/">
<p>The provided template tag for inserting the CSRF
token into forms -- {% csrf_token %} -- explicitly
trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the
value of the CSRF cookie can cause arbitrary content
to be inserted, unescaped, into the outgoing HTML of
the form, enabling cross-site scripting (XSS) attacks.</p>
</blockquote>
</body>
</description>
<references>
<bid>43116</bid>
<cvename>CVE-2010-3082</cvename>
<url>http://xforce.iss.net/xforce/xfdb/61729</url>
</references>
<dates>
<discovery>2010-09-13</discovery>
<entry>2010-09-17</entry>
</dates>
</vuln>
<vuln vid="9bcfd7b6-bcda-11df-9a6a-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://gitorious.org/webkitgtk/stable/commit/9d07fda89aab7105962d933eef32ca15dda610d8">
<p>With help from Vincent Danen and other members of the Red Hat
security team, the following CVEs were fixed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1781</cvename>
<cvename>CVE-2010-1782</cvename>
<cvename>CVE-2010-1784</cvename>
<cvename>CVE-2010-1785</cvename>
<cvename>CVE-2010-1786</cvename>
<cvename>CVE-2010-1787</cvename>
<cvename>CVE-2010-1788</cvename>
<cvename>CVE-2010-1790</cvename>
<cvename>CVE-2010-1792</cvename>
<cvename>CVE-2010-1793</cvename>
<cvename>CVE-2010-2647</cvename>
<cvename>CVE-2010-2648</cvename>
<cvename>CVE-2010-3119</cvename>
<url>http://gitorious.org/webkitgtk/stable/commit/9d07fda89aab7105962d933eef32ca15dda610d8</url>
</references>
<dates>
<discovery>2010-09-07</discovery>
<entry>2010-09-10</entry>
</dates>
</vuln>
<vuln vid="f866d2af-bbba-11df-8a8d-0008743bf21a">
<topic>vim6 -- heap-based overflow while parsing shell metacharacters</topic>
<affects>
<package>
<name>vim6</name>
<name>vim6+ruby</name>
<range><ge>6.2.429</ge><lt>6.3.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Description for CVE-2008-3432 says:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432">
<p>Heap-based buffer overflow in the mch_expand_wildcards
function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted
attackers to execute arbitrary code via shell metacharacters
in filenames, as demonstrated by the netrw.v3 test case.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-3432</cvename>
<url>http://www.openwall.com/lists/oss-security/2008/07/15/4</url>
</references>
<dates>
<discovery>2008-07-31</discovery>
<entry>2010-09-09</entry>
</dates>
</vuln>
<vuln vid="4a21ce2c-bb13-11df-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.9,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.12,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.9</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.9,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.12</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.7</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.7</lt></range>
<range><ge>3.1</ge><lt>3.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)</p>
<p>MFSA 2010-50 Frameset integer overflow vulnerability</p>
<p>MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array</p>
<p>MFSA 2010-52 Windows XP DLL loading vulnerability</p>
<p>MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText</p>
<p>MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection</p>
<p>MFSA 2010-55 XUL tree removal crash and remote code execution</p>
<p>MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView</p>
<p>MFSA 2010-57 Crash and remote code execution in normalizeDocument</p>
<p>MFSA 2010-58 Crash on Mac using fuzzed font in data: URL</p>
<p>MFSA 2010-59 SJOW creates scope chains ending in outer object</p>
<p>MFSA 2010-60 XSS using SJOW scripted function</p>
<p>MFSA 2010-61 UTF-7 XSS by overriding document charset using object type attribute</p>
<p>MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS</p>
<p>MFSA 2010-63 Information leak via XMLHttpRequest statusText</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2762</cvename>
<cvename>CVE-2010-2763</cvename>
<cvename>CVE-2010-2764</cvename>
<cvename>CVE-2010-2765</cvename>
<cvename>CVE-2010-2766</cvename>
<cvename>CVE-2010-2767</cvename>
<cvename>CVE-2010-2768</cvename>
<cvename>CVE-2010-2769</cvename>
<cvename>CVE-2010-2770</cvename>
<cvename>CVE-2010-2760</cvename>
<cvename>CVE-2010-3131</cvename>
<cvename>CVE-2010-3166</cvename>
<cvename>CVE-2010-3167</cvename>
<cvename>CVE-2010-3168</cvename>
<cvename>CVE-2010-3169</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-49.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-50.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-51.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-52.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-53.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-54.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-55.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-56.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-57.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-58.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-59.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-60.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-61.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-62.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-63.html</url>
</references>
<dates>
<discovery>2010-09-07</discovery>
<entry>2010-09-08</entry>
<modified>2010-09-15</modified>
</dates>
</vuln>
<vuln vid="67b514c3-ba8f-11df-8f6e-000c29a67389">
<topic>sudo -- Flaw in Runas group matching</topic>
<affects>
<package>
<name>sudo</name>
<range><ge>1.7.0</ge><lt>1.7.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.sudo.ws/sudo/alerts/runas_group.html">
<p>Beginning with sudo version 1.7.0 it has been possible to grant
permission to run a command using a specified group via sudo -g
option (run as group). A flaw exists in the logic that matches
Runas groups in the sudoers file when the -u option is also
specified (run as user). This flaw results in a positive match for
the user specified via -u so long as the group specified via -g
is allowed by the sudoers file.</p>
<p>Exploitation of the flaw requires that Sudo be configured with
sudoers entries that contain a Runas group. Entries that do not
contain a Runas group, or only contain a Runas user are not
affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2956</cvename>
<url>http://www.sudo.ws/sudo/alerts/runas_group.html</url>
</references>
<dates>
<discovery>2010-09-07</discovery>
<entry>2010-09-07</entry>
</dates>
</vuln>
<vuln vid="29b7e3f4-b6a9-11df-ae63-f255a795cb21">
<topic>lftp -- multiple HTTP client download filename vulnerability</topic>
<affects>
<package>
<name>lftp</name>
<range><lt>4.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The get1 command, as used by lftpget, in LFTP before 4.0.6 does
not properly validate a server-provided filename before determining
the destination filename of a download, which allows remote servers
to create or overwrite arbitrary files via a Content-Disposition
header that suggests a crafted filename, and possibly execute
arbitrary code as a consequence of writing to a dotfile in a home
directory.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2251</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=591580</url>
</references>
<dates>
<discovery>2010-06-09</discovery>
<entry>2010-09-03</entry>
</dates>
</vuln>
<vuln vid="d754b7d2-b6a7-11df-826c-e464a695cb21">
<topic>wget -- multiple HTTP client download filename vulnerability</topic>
<affects>
<package>
<name>wget</name>
<name>wget-devel</name>
<range><le>1.12_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GNU Wget version 1.12 and earlier uses a server-provided filename
instead of the original URL to determine the destination filename of
a download, which allows remote servers to create or overwrite
arbitrary files via a 3xx redirect to a URL with a .wgetrc filename
followed by a 3xx redirect to a URL with a crafted filename, and
possibly execute arbitrary code as a consequence of writing to a
dotfile in a home directory.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2252</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=602797</url>
</references>
<dates>
<discovery>2010-06-09</discovery>
<entry>2010-09-03</entry>
</dates>
</vuln>
<vuln vid="3a7c5fc4-b50c-11df-977b-ecc31dd8ad06">
<topic>p5-libwww -- remote servers can create files whose names begin with a `.' (dot) character</topic>
<affects>
<package>
<name>p5-libwww</name>
<range><lt>5.835</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>lwp-download in libwww-perl before 5.835 does not reject downloads
to filenames that begin with a `.' (dot) character, which allows
remote servers to create or overwrite files via a 3xx redirect to a
URL with a crafted filename or a Content-Disposition header that
suggests a crafted filename, and possibly execute arbitrary code as
a consequence of writing to a dotfile in a home directory.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2253</cvename>
<url>http://cpansearch.perl.org/src/GAAS/libwww-perl-5.836/Changes</url>
</references>
<dates>
<discovery>2010-06-09</discovery>
<entry>2010-08-31</entry>
</dates>
</vuln>
<vuln vid="167953a4-b01c-11df-9a98-0015587e2cc1">
<topic>quagga -- stack overflow and DoS vulnerabilities</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Red Hat security team reported two vulnerabilities:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/08/24/3">
<p>A stack buffer overflow flaw was found in the way Quagga's bgpd
daemon processed Route-Refresh messages. A configured
Border Gateway Protocol (BGP) peer could send a
Route-Refresh message with specially-crafted Outbound
Route Filtering (ORF) record, which would cause the
master BGP daemon (bgpd) to crash or, possibly, execute
arbitrary code with the privileges of the user running
bgpd.</p>
<p>A NULL pointer dereference flaw was found in the way
Quagga's bgpd daemon parsed paths of autonomous systems
(AS). A configured BGP peer could send a BGP update AS
path request with unknown AS type, which could lead to
denial of service (bgpd daemon crash).</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2010/08/24/3</url>
<url>http://www.quagga.net/news2.php?y=2010&amp;m=8&amp;d=19#id1282241100</url>
</references>
<dates>
<discovery>2010-08-24</discovery>
<entry>2010-08-25</entry>
</dates>
</vuln>
<vuln vid="8cbf4d65-af9a-11df-89b8-00151735203a">
<topic>bugzilla -- information disclosure, denial of service</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>2.17.1</gt><lt>3.6.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.2.7/">
<ul>
<li>Remote Information Disclosure:
An unprivileged user is normally not allowed to view
other users' group membership. But boolean charts
let the user use group-based pronouns, indirectly
disclosing group membership. This security fix
restricts the use of pronouns to groups the user
belongs to.</li>
<li>Notification Bypass:
Normally, when a user is impersonated, he receives
an email informing him that he is being impersonated,
containing the identity of the impersonator. However,
it was possible to impersonate a user without this
notification being sent.</li>
<li>Remote Information Disclosure:
An error message thrown by the "Reports" and "Duplicates"
page confirmed the non-existence of products, thus
allowing users to guess confidential product names.
(Note that the "Duplicates" page was not vulnerable
in Bugzilla 3.6rc1 and above though.)</li>
<li>Denial of Service:
If a comment contained the phrases "bug X" or
"attachment X", where X was an integer larger than the
maximum 32-bit signed integer size, PostgreSQL would
throw an error, and any page containing that comment would
not be viewable. On most Bugzillas, any user can enter
a comment on any bug, so any user could have used this to
deny access to one or all bugs. Bugzillas running on
databases other than PostgreSQL are not affected.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2756</cvename>
<cvename>CVE-2010-2757</cvename>
<cvename>CVE-2010-2758</cvename>
<cvename>CVE-2010-2759</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=417048</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=450013</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=577139</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=519835</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=583690</url>
</references>
<dates>
<discovery>2010-08-05</discovery>
<entry>2010-08-24</entry>
</dates>
</vuln>
<vuln vid="b6069837-aadc-11df-82df-0015f2db7bde">
<topic>OpenTTD -- Denial of service (server) via infinite loop</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>1.0.1</ge><lt>1.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenTTD project reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2010-2534">
<p>When multiple commands are queued (at the server) for execution
in the next game tick and a client joins, the server can get into
an infinite loop. With the default settings triggering this bug
is difficult (if not impossible); however, the larger the value of
the "frame_freq" setting, the easier it is to trigger the bug.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2534</cvename>
<url>http://security.openttd.org/en/CVE-2010-2534</url>
</references>
<dates>
<discovery>2010-06-27</discovery>
<entry>2010-08-22</entry>
</dates>
</vuln>
<vuln vid="67a1c3ae-ad69-11df-9be6-0015587e2cc1">
<topic>corkscrew -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>corkscrew</name>
<range><le>2.0</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The affected corkscrew versions use sscanf calls without proper
bounds checking. In the authentication file parsing routine
this can cause an exploitable buffer overflow condition.
A similar issue exists in the server response code but
appears to be non-exploitable.</p>
</body>
</description>
<references>
<url>http://people.freebsd.org/~niels/issues/corkscrew-20100821.txt</url>
</references>
<dates>
<discovery>2010-08-21</discovery>
<entry>2010-08-21</entry>
</dates>
</vuln>
<vuln vid="274922b8-ad20-11df-af1f-00e0814cab4e">
<topic>phpmyadmin -- Several XSS vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.3.5.1</lt></range>
</package>
<package>
<name>phpMyAdmin211</name>
<range><lt>2.11.10.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin Team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php">
<p>It was possible to conduct an XSS attack using crafted URLs or
POST parameters on several pages.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3056</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php</url>
</references>
<dates>
<discovery>2010-08-09</discovery>
<entry>2010-08-21</entry>
</dates>
</vuln>
<vuln vid="68c7187a-abd2-11df-9be6-0015587e2cc1">
<topic>slim -- insecure PATH assignment</topic>
<affects>
<package>
<name>slim</name>
<range><lt>1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SLiM assigns logged-on users a PATH in which the current
working directory ("./") is included. This PATH can allow
unintentional code execution through planted binaries and
has therefore been fixed in SLiM version 1.3.2.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2945</cvename>
<url>http://seclists.org/oss-sec/2010/q3/198</url>
</references>
<dates>
<discovery>2010-05-12</discovery>
<entry>2010-08-19</entry>
<modified>2010-08-20</modified>
</dates>
</vuln>
<vuln vid="34e0316a-aa91-11df-8c2e-001517289bf8">
<topic>ruby -- UTF-7 encoding XSS vulnerability in WEBrick</topic>
<affects>
<package>
<name>ruby</name>
<name>ruby+pthreads</name>
<name>ruby+pthreads+oniguruma</name>
<name>ruby+oniguruma</name>
<range><ge>1.8.*,1</ge><lt>1.8.7.248_3,1</lt></range>
<range><ge>1.9.*,1</ge><lt>1.9.1.430,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/">
<p>WEBrick has had a cross-site scripting vulnerability that allows
an attacker to inject arbitrary script or HTML via a crafted URI.
This does not affect user agents that strictly implement HTTP/1.1,
however, some user agents do not.</p>
</blockquote>
</body>
</description>
<references>
<bid>40895</bid>
<cvename>CVE-2010-0541</cvename>
<url>http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/</url>
</references>
<dates>
<discovery>2010-08-16</discovery>
<entry>2010-08-17</entry>
<modified>2010-08-20</modified>
</dates>
</vuln>
<vuln vid="b74a8076-9b1f-11df-9f58-021e8c343e76">
<topic>isolate -- local root exploit</topic>
<affects>
<package>
<name>isolate</name>
<range><lt>20100717</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://code.google.com/p/isolate/">
<p>Isolate currently suffers from some bad security bugs! These
are local root privilege escalation bugs. Thanks to the helpful
person who reported them (email Chris if you want credit!).
We're working to fix them ASAP, but until then, isolate is
unsafe and you should uninstall it. Sorry!</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/148911</freebsdpr>
<url>http://code.google.com/p/isolate/</url>
</references>
<dates>
<discovery>2010-07-29</discovery>
<entry>2010-08-13</entry>
</dates>
</vuln>
<vuln vid="e7d91a3c-a7c9-11df-870c-00242b513d7c">
<topic>vlc -- invalid id3v2 tags may lead to invalid memory dereferencing</topic>
<affects>
<package>
<name>vlc</name>
<range><gt>0.9.0,3</gt><lt>1.1.2_1,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>VideoLAN project reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1004.html">
<p>VLC fails to perform sufficient input validation when trying to
extract some meta-information about input media through ID3v2
tags. In the failure case, VLC attempts to dereference an invalid
memory address, and a crash will ensue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2937</cvename>
<url>http://www.videolan.org/security/sa1004.html</url>
</references>
<dates>
<discovery>2010-07-29</discovery>
<entry>2010-08-14</entry>
</dates>
</vuln>
<vuln vid="e19e74a4-a712-11df-b234-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r280</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r82</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-16.html">
<p>Critical vulnerabilities have been identified in Adobe
Flash Player version 10.1.53.64 and earlier. These
vulnerabilities could cause the application to crash and
could potentially allow an attacker to take control of the
affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0209</cvename>
<cvename>CVE-2010-2188</cvename>
<cvename>CVE-2010-2213</cvename>
<cvename>CVE-2010-2214</cvename>
<cvename>CVE-2010-2215</cvename>
<cvename>CVE-2010-2216</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-16.html</url>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-08-13</entry>
</dates>
</vuln>
<vuln vid="71273c4d-a6ec-11df-8a8d-0008743bf21a">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.61</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Opera Desktop Team reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1061/">
<ul>
<li>Fixed an issue where heap buffer overflow in HTML5 canvas could
be used to execute arbitrary code, as reported by Kuzzcc.</li>
<li>Fixed an issue where unexpected changes in tab focus could be
used to run programs from the Internet, as reported by Jakob Balle
and Sven Krewitt of Secunia.</li>
<li>Fixed an issue where news feed preview could subscribe to feeds
without interaction, as reported by Alexios Fakos.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/search/view/966/</url>
<url>http://www.opera.com/support/search/view/967/</url>
<url>http://www.opera.com/support/search/view/968/</url>
</references>
<dates>
<discovery>2010-08-12</discovery>
<entry>2010-08-13</entry>
</dates>
</vuln>
<vuln vid="c2eac2b5-9a7d-11df-8e32-000f20797ede">
<topic>firefox -- Dangling pointer crash regression from plugin parameter array fix</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.8,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.8,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2755</cvename>
<url>https://www.mozilla.org/security/announce/2010/mfsa2010-48.html</url>
</references>
<dates>
<discovery>2010-07-20</discovery>
<entry>2010-08-09</entry>
</dates>
</vuln>
<vuln vid="26e1c48a-9fa7-11df-81b5-00e0814cab4e">
<topic>Piwik -- Local File Inclusion Vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><gt>0.6</gt><lt>0.6.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Piwik versions 0.6 through 0.6.3 are vulnerable to arbitrary,
remote file inclusion using a directory traversal pattern in
a crafted request for a data renderer.</p>
<blockquote cite="http://secunia.com/advisories/40703">
<p>A vulnerability has been reported in Piwik, which can be
exploited by malicious people to disclose potentially
sensitive information. Input passed to unspecified parameters
when requesting a data renderer is not properly verified before
being used to include files. This can be exploited to include
arbitrary files from local resources via directory traversal
attacks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2786</cvename>
<url>http://secunia.com/advisories/40703</url>
</references>
<dates>
<discovery>2010-07-28</discovery>
<entry>2010-08-04</entry>
</dates>
</vuln>
<vuln vid="43024078-9b63-11df-8983-001d60d86f38">
<topic>libmspack -- infinite loop denial of service</topic>
<affects>
<package>
<name>libmspack</name>
<range><le>0.0.20060920</le></range>
</package>
<package>
<name>cabextract</name>
<range><lt>1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>There is a denial of service vulnerability in libmspack. The
libmspack code is built into cabextract, so it is also
vulnerable.</p>
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/40719/">
<p>The vulnerability is caused due to an error when copying data
from an uncompressed block (block type 0) and can be exploited
to trigger an infinite loop by tricking an application using the
library into processing specially crafted MS-ZIP archives.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/40719/</url>
</references>
<dates>
<discovery>2010-07-26</discovery>
<entry>2010-07-30</entry>
</dates>
</vuln>
<vuln vid="28a7310f-9855-11df-8d36-001aa0166822">
<topic>apache -- Remote DoS bug in mod_cache and mod_dav</topic>
<affects>
<package>
<name>apache</name>
<range><ge>2.2.0</ge><lt>2.2.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache ChangeLog reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.2.16">
<p>mod_dav, mod_cache: Fix Handling of requests without a path segment.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1452</cvename>
<url>http://www.apache.org/dist/httpd/CHANGES_2.2.16</url>
<url>https://issues.apache.org/bugzilla/show_bug.cgi?id=49246</url>
<url>http://svn.apache.org/viewvc?view=revision&amp;revision=966349</url>
</references>
<dates>
<discovery>2010-07-21</discovery>
<entry>2010-07-26</entry>
</dates>
</vuln>
<vuln vid="827bc2b7-95ed-11df-9160-00e0815b8da8">
<topic>git -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>git</name>
<range><ge>1.5.6</ge><lt>1.7.1.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Greg Brockman reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/07/22/1">
<p>If an attacker were to create a crafted working copy where the
user runs any git command, the attacker could force execution
of arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2542</cvename>
<url>http://git.kernel.org/?p=git/git.git;a=commit;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc</url>
<url>http://www.openwall.com/lists/oss-security/2010/07/22/1</url>
</references>
<dates>
<discovery>2010-07-20</discovery>
<entry>2010-07-23</entry>
</dates>
</vuln>
<vuln vid="0502c1cb-8f81-11df-a0bb-0050568452ac">
<topic>codeigniter -- file upload class vulnerability</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>1.7.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Derek Jones reports:</p>
<blockquote cite="http://codeigniter.com/news/codeigniter_1.7.2_security_patch/">
<p>A fix has been implemented for a security flaw in
CodeIgniter 1.7.2. All applications using the File
Upload class should install the patch to ensure that
their application is not subject to a vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://codeigniter.com/news/codeigniter_1.7.2_security_patch/</url>
<url>http://www.phpframeworks.com/news/p/16365/codeigniter-1-7-2-security-patch</url>
</references>
<dates>
<discovery>2010-07-12</discovery>
<entry>2010-07-21</entry>
</dates>
</vuln>
<vuln vid="8c2ea875-9499-11df-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.7,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.11,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.7,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.11</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.6</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)</p>
<p>MFSA 2010-35 DOM attribute cloning remote code execution vulnerability</p>
<p>MFSA 2010-36 Use-after-free error in NodeIterator</p>
<p>MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability</p>
<p>MFSA 2010-38 Arbitrary code execution using SJOW and fast native function</p>
<p>MFSA 2010-39 nsCSSValue::Array index integer overflow</p>
<p>MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability</p>
<p>MFSA 2010-41 Remote code execution using malformed PNG image</p>
<p>MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts</p>
<p>MFSA 2010-43 Same-origin bypass using canvas context</p>
<p>MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish</p>
<p>MFSA 2010-45 Multiple location bar spoofing vulnerabilities</p>
<p>MFSA 2010-46 Cross-domain data theft using CSS</p>
<p>MFSA 2010-47 Cross-origin data leakage from script filename in error messages</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0654</cvename>
<cvename>CVE-2010-1205</cvename>
<cvename>CVE-2010-1206</cvename>
<cvename>CVE-2010-1207</cvename>
<cvename>CVE-2010-1208</cvename>
<cvename>CVE-2010-1209</cvename>
<cvename>CVE-2010-1210</cvename>
<cvename>CVE-2010-1211</cvename>
<cvename>CVE-2010-1212</cvename>
<cvename>CVE-2010-1213</cvename>
<cvename>CVE-2010-1214</cvename>
<cvename>CVE-2010-1215</cvename>
<cvename>CVE-2010-2751</cvename>
<cvename>CVE-2010-2752</cvename>
<cvename>CVE-2010-2753</cvename>
<cvename>CVE-2010-2754</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-34.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-35.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-36.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-37.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-38.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-39.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-40.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-41.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-42.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-43.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-44.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-45.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-46.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-47.html</url>
</references>
<dates>
<discovery>2010-07-20</discovery>
<entry>2010-07-21</entry>
</dates>
</vuln>
<vuln vid="9a8fecef-92c0-11df-b140-0015f2db7bde">
<topic>vte -- Classic terminal title set+query attack</topic>
<affects>
<package>
<name>vte</name>
<range><lt>0.24.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kees Cook reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/512388">
<p>Janne Snabb discovered that applications using VTE, such as
gnome-terminal, did not correctly filter window and icon title
request escape codes. If a user were tricked into viewing
specially crafted output in their terminal, a remote attacker
could execute arbitrary commands with user privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2713</cvename>
<url>http://www.securityfocus.com/archive/1/512388</url>
</references>
<dates>
<discovery>2010-07-15</discovery>
<entry>2010-07-18</entry>
</dates>
</vuln>
<vuln vid="19419b3b-92bd-11df-b140-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha reports:</p>
<blockquote cite="http://blog.kov.eti.br/?p=116">
<p>Debian's Michael Gilbert has done a great job going through all
CVEs released about WebKit, and including patches in the Debian
package. 1.2.3 includes all of the commits from trunk to fix those,
too.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1386</cvename>
<cvename>CVE-2010-1392</cvename>
<cvename>CVE-2010-1405</cvename>
<cvename>CVE-2010-1407</cvename>
<cvename>CVE-2010-1416</cvename>
<cvename>CVE-2010-1417</cvename>
<cvename>CVE-2010-1418</cvename>
<cvename>CVE-2010-1421</cvename>
<cvename>CVE-2010-1422</cvename>
<cvename>CVE-2010-1501</cvename>
<cvename>CVE-2010-1664</cvename>
<cvename>CVE-2010-1665</cvename>
<cvename>CVE-2010-1758</cvename>
<cvename>CVE-2010-1759</cvename>
<cvename>CVE-2010-1760</cvename>
<cvename>CVE-2010-1761</cvename>
<cvename>CVE-2010-1762</cvename>
<cvename>CVE-2010-1767</cvename>
<cvename>CVE-2010-1770</cvename>
<cvename>CVE-2010-1771</cvename>
<cvename>CVE-2010-1772</cvename>
<cvename>CVE-2010-1773</cvename>
<cvename>CVE-2010-1774</cvename>
<cvename>CVE-2010-2264</cvename>
<url>http://blog.kov.eti.br/?p=116</url>
</references>
<dates>
<discovery>2010-07-16</discovery>
<entry>2010-07-18</entry>
</dates>
</vuln>
<vuln vid="ba61ce15-8a7b-11df-87ec-0050569b2d21">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>0.9.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Eric Davis reports:</p>
<blockquote cite="http://www.redmine.org/news/41">
<p>This security release addresses some security
vulnerabilities found in the advanced subversion
integration module (Redmine.pm perl script).</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/news/41</url>
</references>
<dates>
<discovery>2010-07-08</discovery>
<entry>2010-07-10</entry>
</dates>
</vuln>
<vuln vid="25ed4ff8-8940-11df-a339-0026189baca3">
<topic>bogofilter -- heap underrun on malformed base64 input</topic>
<affects>
<package>
<name>bogofilter</name>
<range><lt>1.2.1_2</lt></range>
</package>
<package>
<name>bogofilter-sqlite</name>
<range><lt>1.2.1_1</lt></range>
</package>
<package>
<name>bogofilter-tc</name>
<range><lt>1.2.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Julius Plenz reports:</p>
<blockquote cite="http://www.bogofilter.org/pipermail/bogofilter-dev/2010-June/003475.html">
<p>I found a bug in the base64_decode function which may cause memory
corruption when the function is executed on a malformed base64
encoded string.</p>
<p>If a string starting with an equal-sign is passed to the
base64_decode function it triggers a memory corruption that
in some cases makes bogofilter crash.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2494</cvename>
<url>http://bogofilter.sourceforge.net/security/bogofilter-SA-2010-01</url>
</references>
<dates>
<discovery>2010-06-28</discovery>
<entry>2010-07-06</entry>
</dates>
</vuln>
<vuln vid="f1331504-8849-11df-89b8-00151735203a">
<topic>bugzilla -- information disclosure</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>2.17.1</gt><lt>3.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.2.6/">
<ul>
<li>Normally, information about time-tracking (estimated
hours, actual hours, hours worked, and deadlines) is
restricted to users in the "time-tracking group".
However, any user was able, by crafting their own
search URL, to search for bugs using those
fields as criteria, thus possibly exposing sensitive
time-tracking information by a user seeing that a bug
matched their search.</li>
<li>If $use_suexec was set to "1" in the localconfig file,
then the localconfig file's permissions were set as
world-readable by checksetup.pl. This allowed any user
with local shell access to see the contents of the file,
including the database password and the site_wide_secret
variable used for CSRF protection.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1204</cvename>
<cvename>CVE-2010-0180</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=309952</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=561797</url>
</references>
<dates>
<discovery>2010-06-24</discovery>
<entry>2010-07-05</entry>
</dates>
</vuln>
<vuln vid="8685d412-8468-11df-8d45-001d7d9eb79a">
<topic>kvirc -- multiple vulnerabilities</topic>
<affects>
<package>
<name>kvirc</name>
<name>kvirc-devel</name>
<range><lt>4.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two security vulnerabilities have been discovered:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2451">
<p>Multiple format string vulnerabilities in the DCC functionality
in KVIrc 3.4 and 4.0 have unspecified impact and remote attack vectors.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2452">
<p>Directory traversal vulnerability in the DCC functionality
in KVIrc 3.4 and 4.0 allows remote attackers to overwrite
arbitrary files via unknown vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2451</cvename>
<cvename>CVE-2010-2452</cvename>
<url>http://lists.omnikron.net/pipermail/kvirc/2010-May/000867.html</url>
</references>
<dates>
<discovery>2010-05-17</discovery>
<entry>2010-06-30</entry>
</dates>
</vuln>
<vuln vid="edef3f2f-82cf-11df-bcce-0018f3e2eb82">
<topic>png -- libpng decompression buffer overflow</topic>
<affects>
<package>
<name>png</name>
<range>
<lt>1.4.3</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PNG project describes the problem in an advisory:</p>
<blockquote cite="http://www.libpng.org/pub/png/libpng.html">
<p>Several versions of libpng through 1.4.2 (and through 1.2.43
in the older series) contain a bug whereby progressive
applications such as web browsers (or the rpng2 demo app included
in libpng) could receive an extra row of image data beyond the
height reported in the header, potentially leading to an
out-of-bounds write to memory (depending on how the application
is written) and the possibility of execution of an attacker's
code with the privileges of the libpng user (including remote
compromise in the case of a libpng-based browser visiting a
hostile web site).</p>
</blockquote>
</body>
</description>
<references>
<bid>41174</bid>
<cvename>CVE-2010-1205</cvename>
<url>http://www.libpng.org/pub/png/libpng.html</url>
</references>
<dates>
<discovery>2010-03-30</discovery>
<entry>2010-06-28</entry>
<modified>2010-06-28</modified>
</dates>
</vuln>
<vuln vid="66759ce6-7530-11df-9c33-000c29ba66d2">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle</name>
<range><lt>1.9.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Moodle release notes report multiple vulnerabilities
which could allow cross-site scripting (XSS) attacks and,
in some instances, unauthorised deletion of attempts.</p>
</body>
</description>
<references>
<url>http://docs.moodle.org/en/Moodle_1.9.9_release_notes</url>
</references>
<dates>
<discovery>2010-06-08</discovery>
<entry>2010-06-28</entry>
</dates>
</vuln>
<vuln vid="1cd87e2a-81e3-11df-81d8-00262d5ed8ee">
<topic>mDNSResponder -- corrupted stack crash when parsing bad resolv.conf</topic>
<affects>
<package>
<name>mDNSResponder</name>
<range><le>214</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Juli Mallett reports:</p>
<blockquote cite="http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/147007">
<p>mdnsd will crash on some systems with a corrupt stack and once
that's fixed it will still leak a file descriptor when parsing
resolv.conf. The crash is because scanf is used with %10s for a
buffer that is only 10 chars long. The buffer size needs to be
increased to 11 chars to hold the trailing NUL. To fix the leak,
an fclose needs to be added.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/147007</freebsdpr>
</references>
<dates>
<discovery>2010-05-26</discovery>
<entry>2010-06-27</entry>
</dates>
</vuln>
<vuln vid="77b9f9bc-7fdf-11df-8a8d-0008743bf21a">
<topic>opera -- Data URIs can be used to allow cross-site scripting</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.11</lt></range>
</package>
<package>
<name>opera-devel</name>
<range><le>10.20_2,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Opera Desktop Team reports:</p>
<blockquote cite="http://www.opera.com/support/kb/view/955/">
<p>Data URIs are allowed to run scripts that manipulate
pages from the site that directly opened them. In some cases, the opening site
is not correctly detected. In these cases, Data URIs may erroneously be able to
run scripts so that they interact with sites that did not directly cause them to
be opened.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/955/</url>
</references>
<dates>
<discovery>2010-06-21</discovery>
<entry>2010-06-25</entry>
</dates>
</vuln>
<vuln vid="e02e6a4e-6b26-11df-96b2-0015587e2cc1">
<topic>cacti -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.7f</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple vulnerabilities have been reported to exist in older versions of
Cacti. The release notes of Cacti 0.8.7f summarize the problems as
follows:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_7f.php">
<ul>
<li>SQL injection and shell escaping issues</li>
<li>Cross-site scripting issues</li>
<li>Cacti Graph Viewer SQL injection vulnerability</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html</url>
<url>http://www.cacti.net/release_notes_0_8_7f.php</url>
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php</url>
<url>http://www.vupen.com/english/advisories/2010/1204</url>
</references>
<dates>
<discovery>2010-05-24</discovery>
<entry>2010-06-24</entry>
</dates>
</vuln>
<vuln vid="99858b7c-7ece-11df-a007-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.4,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.10,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.10</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.5</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-33 User tracking across sites using Math.random()</p>
<p>MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present</p>
<p>MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes</p>
<p>MFSA 2010-30 Integer Overflow in XSLT Node Sorting</p>
<p>MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal</p>
<p>MFSA 2010-28 Freed object reuse across plugin instances</p>
<p>MFSA 2010-27 Use-after-free error in nsCycleCollector::MarkRoots()</p>
<p>MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)</p>
<p>MFSA 2010-25 Re-use of freed object due to scope confusion</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-5913</cvename>
<cvename>CVE-2010-0183</cvename>
<cvename>CVE-2010-1121</cvename>
<cvename>CVE-2010-1125</cvename>
<cvename>CVE-2010-1197</cvename>
<cvename>CVE-2010-1199</cvename>
<cvename>CVE-2010-1196</cvename>
<cvename>CVE-2010-1198</cvename>
<cvename>CVE-2010-1200</cvename>
<cvename>CVE-2010-1201</cvename>
<cvename>CVE-2010-1202</cvename>
<cvename>CVE-2010-1203</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-33.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-32.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-31.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-30.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-29.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-28.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-27.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-26.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-25.html</url>
</references>
<dates>
<discovery>2010-06-22</discovery>
<entry>2010-06-23</entry>
</dates>
</vuln>
<vuln vid="25673e6e-786b-11df-a921-0245fb008c0b">
<topic>ziproxy -- security vulnerability in PNG decoder</topic>
<affects>
<package>
<name>ziproxy</name>
<range><ge>3.1.0</ge><lt>3.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel Mealha Cabrita reports:</p>
<blockquote cite="http://ziproxy.sourceforge.net/#news">
<p>Fixed security vulnerability (heap-related) in PNG decoder.
(new bug from 3.1.0)</p>
</blockquote>
</body>
</description>
<references>
<url>http://ziproxy.sourceforge.net/#news</url>
<mlist msgid="201006150731.30474.dancab@gmx.net">http://sourceforge.net/mailarchive/message.php?msg_name=201006150731.30474.dancab%40gmx.net</mlist>
</references>
<dates>
<discovery>2010-06-15</discovery>
<entry>2010-06-15</entry>
</dates>
</vuln>
<vuln vid="8816bf3a-7929-11df-bcce-0018f3e2eb82">
<topic>tiff -- Multiple integer overflows</topic>
<affects>
<package>
<name>tiff</name>
<range><lt>3.9.4</lt></range>
</package>
<package>
<name>linux-tiff</name>
<range><lt>3.9.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tielei Wang reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2009-012.html">
<p>Multiple integer overflows in inter-color spaces conversion
tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow
context-dependent attackers to execute arbitrary code via a
TIFF image with large (1) width and (2) height values, which
triggers a heap-based buffer overflow in the (a) cvt_whole_image
function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2347</cvename>
<url>http://www.remotesensing.org/libtiff/v3.9.4.html</url>
<url>http://www.ocert.org/advisories/ocert-2009-012.html</url>
</references>
<dates>
<discovery>2009-05-22</discovery>
<entry>2010-06-16</entry>
</dates>
</vuln>
<vuln vid="144e524a-77eb-11df-ae06-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r277</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r53</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-14.html">
<p>Critical vulnerabilities have been identified in Adobe
Flash Player version 10.0.45.2 and earlier. These
vulnerabilities could cause the application to crash and
could potentially allow an attacker to take control of the
affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-4546</cvename>
<cvename>CVE-2009-3793</cvename>
<cvename>CVE-2010-1297</cvename>
<cvename>CVE-2010-2160</cvename>
<cvename>CVE-2010-2161</cvename>
<cvename>CVE-2010-2162</cvename>
<cvename>CVE-2010-2163</cvename>
<cvename>CVE-2010-2164</cvename>
<cvename>CVE-2010-2165</cvename>
<cvename>CVE-2010-2166</cvename>
<cvename>CVE-2010-2167</cvename>
<cvename>CVE-2010-2169</cvename>
<cvename>CVE-2010-2170</cvename>
<cvename>CVE-2010-2171</cvename>
<cvename>CVE-2010-2172</cvename>
<cvename>CVE-2010-2173</cvename>
<cvename>CVE-2010-2174</cvename>
<cvename>CVE-2010-2175</cvename>
<cvename>CVE-2010-2176</cvename>
<cvename>CVE-2010-2177</cvename>
<cvename>CVE-2010-2178</cvename>
<cvename>CVE-2010-2179</cvename>
<cvename>CVE-2010-2180</cvename>
<cvename>CVE-2010-2181</cvename>
<cvename>CVE-2010-2182</cvename>
<cvename>CVE-2010-2183</cvename>
<cvename>CVE-2010-2184</cvename>
<cvename>CVE-2010-2185</cvename>
<cvename>CVE-2010-2186</cvename>
<cvename>CVE-2010-2187</cvename>
<cvename>CVE-2010-2188</cvename>
<cvename>CVE-2010-2189</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-14.html</url>
</references>
<dates>
<discovery>2008-10-02</discovery>
<entry>2010-06-14</entry>
</dates>
</vuln>
<vuln vid="313da7dc-763b-11df-bcce-0018f3e2eb82">
<topic>tiff -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>tiff</name>
<range><lt>3.9.3</lt></range>
</package>
<package>
<name>linux-tiff</name>
<range><lt>3.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kevin Finisterre reports:</p>
<blockquote cite="http://support.apple.com/kb/HT4196">
<p>Multiple integer overflows in the handling of TIFF files may
result in a heap buffer overflow. Opening a maliciously crafted
TIFF file may lead to an unexpected application termination or
arbitrary code execution. The issues are addressed through
improved bounds checking. Credit to Kevin Finisterre of
digitalmunition.com for reporting these issues.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1411</cvename>
<url>http://www.remotesensing.org/libtiff/v3.9.3.html</url>
<url>http://support.apple.com/kb/HT4196</url>
</references>
<dates>
<discovery>2010-04-15</discovery>
<entry>2010-06-12</entry>
</dates>
</vuln>
<vuln vid="d42e5b66-6ea0-11df-9c8d-00e0815b8da8">
<topic>sudo -- Secure path vulnerability</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://sudo.ws/sudo/alerts/secure_path.html">
<p>Most versions of the C library function getenv() return the
first instance of an environment variable to the caller. However,
some programs, notably the GNU Bourne Again SHell (bash), do
their own environment parsing and may choose the last instance
of a variable rather than the first one.</p>
<p>An attacker may manipulate the environment of the process that
executes Sudo such that a second PATH variable is present. When
Sudo runs a bash script, it is this second PATH variable that
is used by bash, regardless of whether or not Sudo has overwritten
the first instance of PATH. This may allow an attacker to
subvert the program being run under Sudo and execute commands
he/she would not otherwise be allowed to run.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1646</cvename>
<url>http://sudo.ws/sudo/alerts/secure_path.html</url>
</references>
<dates>
<discovery>2010-06-02</discovery>
<entry>2010-06-02</entry>
</dates>
</vuln>
<vuln vid="b43004b8-6a53-11df-bc7b-0245fb008c0b">
<topic>ziproxy -- atypical huge picture files vulnerability</topic>
<affects>
<package>
<name>ziproxy</name>
<range><lt>3.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Ziproxy 3.0.1 release fixes a security vulnerability related
to atypically huge picture files (>4GB in size once expanded).</p>
</body>
</description>
<references>
<bid>40344</bid>
<cvename>CVE-2010-1513</cvename>
<url>http://ziproxy.sourceforge.net/#news</url>
<url>http://secunia.com/advisories/39941</url>
<mlist msgid="201005210019.37119.dancab@gmx.net">http://sourceforge.net/mailarchive/message.php?msg_name=201005210019.37119.dancab%40gmx.net</mlist>
</references>
<dates>
<discovery>2010-05-20</discovery>
<entry>2010-05-28</entry>
</dates>
</vuln>
<vuln vid="fc55e396-6deb-11df-8b8e-000c29ba66d2">
<topic>mediawiki -- two security vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><lt>1.15.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two security vulnerabilities were discovered:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html">
<p>Noncompliant CSS parsing behaviour in Internet Explorer
allows attackers to construct CSS strings which are treated
as safe by previous versions of MediaWiki, but are decoded
to unsafe strings by Internet Explorer.</p>
<p>A CSRF vulnerability was discovered in our login interface.
Although regular logins are protected as of 1.15.3, it was
discovered that the account creation and password reset
features were not protected from CSRF. This could lead
to unauthorised access to private wikis.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/39922/</url>
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html</url>
</references>
<dates>
<discovery>2010-05-28</discovery>
<entry>2010-06-02</entry>
</dates>
</vuln>
<vuln vid="fcc39d22-5777-11df-bf33-001a92771ec2">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>0.9.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Redmine release announcement reports that
several cross-site scripting vulnerabilities
and a potential data disclosure vulnerability have
been fixed in the latest release.</p>
</body>
</description>
<references>
<url>http://www.redmine.org/news/39</url>
</references>
<dates>
<discovery>2010-05-01</discovery>
<entry>2010-05-14</entry>
</dates>
</vuln>
<vuln vid="28022228-5a0e-11df-942d-0015587e2cc1">
<topic>wireshark -- DOCSIS dissector denial of service</topic>
<affects>
<package>
<name>wireshark</name>
<range><le>1.2.6_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A vulnerability found in the DOCSIS dissector can cause
Wireshark to crash when a malformed packet trace file is
opened. This means that an attacker will have to trick a
victim into opening such a trace file before being able
to crash the application.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1455</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2010-03.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2010-04.html</url>
</references>
<dates>
<discovery>2010-05-05</discovery>
<entry>2010-05-07</entry>
</dates>
</vuln>
<vuln vid="c0869649-5a0c-11df-942d-0015587e2cc1">
<topic>piwik -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><le>0.5.5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Piwik security advisory reports:</p>
<blockquote cite="http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/">
<p>A non-persistent, cross-site scripting vulnerability
(XSS) was found in Piwik's Login form that reflected
the form_url parameter without being properly escaped
or filtered.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1453</cvename>
<url>http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/</url>
</references>
<dates>
<discovery>2010-04-15</discovery>
<entry>2010-05-07</entry>
</dates>
</vuln>
<vuln vid="7132c842-58e2-11df-8d80-0015587e2cc1">
<topic>spamass-milter -- remote command execution vulnerability</topic>
<affects>
<package>
<name>spamass-milter</name>
<range><le>0.3.1_8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The spamassassin milter plugin contains a vulnerability
that can allow remote attackers to execute commands on
affected systems.</p>
<p>The vulnerability can be exploited through a specially crafted
email header if the plugin was started with the '-x'
(expand) flag.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1132</cvename>
<url>http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html</url>
<url>http://xforce.iss.net/xforce/xfdb/56732</url>
</references>
<dates>
<discovery>2010-03-07</discovery>
<entry>2010-05-06</entry>
</dates>
</vuln>
<vuln vid="694da5b4-5877-11df-8d80-0015587e2cc1">
<topic>mediawiki -- authenticated CSRF vulnerability</topic>
<affects>
<package>
<name>mediawiki</name>
<range><lt>1.15.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A MediaWiki security announcement reports:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html">
<p>MediaWiki was found to be vulnerable to login CSRF.
An attacker who controls a user account on the target
wiki can force the victim to log in as the attacker,
via a script on an external website.</p>
<p>If the wiki is configured to allow user scripts, say
with "$wgAllowUserJs = true" in LocalSettings.php, then
the attacker can proceed to mount a phishing-style
attack against the victim to obtain their password.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1150</cvename>
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=23076</url>
</references>
<dates>
<discovery>2010-04-07</discovery>
<entry>2010-05-05</entry>
</dates>
</vuln>
<vuln vid="0491d15a-5875-11df-8d80-0015587e2cc1">
<topic>lxr -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>lxr</name>
<range><le>0.9.6</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dan Rosenberg reports:</p>
<blockquote cite="http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com">
<p>There are several cross-site scripting vulnerabilities
in LXR. These vulnerabilities could allow an attacker
to execute scripts in a user's browser, steal cookies
associated with vulnerable domains, redirect the user
to malicious websites, etc.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4497</cvename>
<freebsdpr>ports/146337</freebsdpr>
<url>http://secunia.com/advisories/38117</url>
<url>http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com</url>
</references>
<dates>
<discovery>2010-01-05</discovery>
<entry>2010-05-05</entry>
</dates>
</vuln>
<vuln vid="752ce039-5242-11df-9139-00242b513d7c">
<topic>vlc -- unintended code execution with specially crafted data</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>1.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>VideoLAN project reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1003.html">
<p>VLC media player suffers from various vulnerabilities when
attempting to parse malformatted or overly long byte streams.</p>
</blockquote>
</body>
</description>
<references>
<bid>39629</bid>
<url>http://www.videolan.org/security/sa1003.html</url>
</references>
<dates>
<discovery>2010-04-19</discovery>
<entry>2010-05-01</entry>
<modified>2010-05-05</modified>
</dates>
</vuln>
<vuln vid="8d10038e-515c-11df-83fb-0015587e2cc1">
<topic>joomla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>joomla15</name>
<range><ge>1.5.1</ge><le>1.5.15</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Joomla! reported the following vulnerabilities:</p>
<blockquote cite="http://developer.joomla.org/security/news/311-20100423-core-negative-values-for-limit-and-offset.html">
<p>If a user entered a URL with a negative query limit
or offset, a PHP notice would display revealing information
about the system.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/news/310-20100423-core-installer-migration-script.html">
<p>The migration script in the Joomla! installer does not
check the file type being uploaded. If the installation
application is present, an attacker could use it to
upload malicious files to a server.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/news/309-20100423-core-sessation-fixation.html">
<p>Session id doesn't get modified when user logs in. A
remote site may be able to forward a visitor to the
Joomla! site and set a specific cookie. If the user
then logs in, the remote site can use that cookie to
authenticate as that user.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/news/308-20100423-core-password-reset-tokens.html">
<p>When a user requests a password reset, the reset tokens
were stored in plain text in the database. While this
is not a vulnerability in itself, it allows user accounts
to be compromised if there is an extension on the site
with an SQL injection vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://developer.joomla.org/security/news/308-20100423-core-password-reset-tokens.html</url>
<url>http://developer.joomla.org/security/news/309-20100423-core-sessation-fixation.html</url>
<url>http://developer.joomla.org/security/news/310-20100423-core-installer-migration-script.html</url>
<url>http://developer.joomla.org/security/news/311-20100423-core-negative-values-for-limit-and-offset.html</url>
</references>
<dates>
<discovery>2010-04-23</discovery>
<entry>2010-04-26</entry>
</dates>
</vuln>
<vuln vid="5198ef84-4fdc-11df-83fb-0015587e2cc1">
<topic>cacti -- SQL injection and command execution vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><le>0.8.7e4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Bonsai information security reports:</p>
<blockquote cite="http://www.bonsai-sec.com/en/research/vulnerability.php">
<p>A vulnerability has been discovered in Cacti, which
can be exploited by any user to conduct SQL Injection
attacks. Input passed via the "export_item_id" parameter
to "templates_export.php" script is not properly sanitized
before being used in a SQL query.</p>
</blockquote>
<p>The same source also reported a command execution
vulnerability. This second issue can be exploited by
Cacti users who have the rights to modify device or
graph configurations.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1431</cvename>
<freebsdpr>ports/146021</freebsdpr>
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php</url>
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php</url>
<url>http://www.debian.org/security/2010/dsa-2039</url>
</references>
<dates>
<discovery>2010-04-21</discovery>
<entry>2010-04-24</entry>
<modified>2010-05-12</modified>
</dates>
</vuln>
<vuln vid="f6429c24-4fc9-11df-83fb-0015587e2cc1">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle</name>
<range><lt>1.9.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Moodle release notes report multiple vulnerabilities
which could allow remote attackers to perform, amongst
others, cross site scripting, user enumeration and SQL
injection attacks.</p>
</body>
</description>
<references>
<url>http://docs.moodle.org/en/Moodle_1.9.8_release_notes</url>
</references>
<dates>
<discovery>2010-03-25</discovery>
<entry>2010-04-24</entry>
</dates>
</vuln>
<vuln vid="3383e706-4fc3-11df-83fb-0015587e2cc1">
<topic>tomcat -- information disclosure vulnerability</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>5.5.0</gt><lt>5.5.30</lt></range>
<range><gt>6.0.0</gt><lt>6.0.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache software foundation reports:</p>
<blockquote cite="http://seclists.org/bugtraq/2010/Apr/200">
<p>The "WWW-Authenticate" header for BASIC and DIGEST
authentication includes a realm name. If a &lt;realm-name&gt;
element is specified for the application in web.xml it
will be used. However, if a &lt;realm-name&gt; is not
specified then Tomcat will generate one.</p>
<p>In some circumstances this can expose the local
hostname or IP address of the machine running Tomcat.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1157</cvename>
<freebsdpr>ports/146022</freebsdpr>
<url>http://seclists.org/bugtraq/2010/Apr/200</url>
</references>
<dates>
<discovery>2010-04-22</discovery>
<entry>2010-04-24</entry>
</dates>
</vuln>
<vuln vid="f6b6beaa-4e0e-11df-83fb-0015587e2cc1">
<cancelled/>
</vuln>
<vuln vid="86b8b655-4d1a-11df-83fb-0015587e2cc1">
<topic>krb5 -- KDC double free vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><lt>1.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt">
<p>An authenticated remote attacker can crash the KDC by
inducing the KDC to perform a double free. Under some
circumstances on some platforms, this could also allow
malicious code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1320</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt</url>
</references>
<dates>
<discovery>2010-04-20</discovery>
<entry>2010-04-21</entry>
</dates>
</vuln>
<vuln vid="a4746a86-4c89-11df-83fb-0015587e2cc1">
<topic>e107 -- code execution and XSS vulnerabilities</topic>
<affects>
<package>
<name>e107</name>
<range><lt>0.7.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia Research reported two vulnerabilities in e107:</p>
<p>The first problem affects installations that have the
Content Manager plugin enabled. This plugin does not
sanitize the "content_heading" parameter correctly and
is therefore vulnerable to a cross site scripting attack.</p>
<p>The second vulnerability is related to the avatar upload
functionality. Images containing PHP code can be uploaded
and executed.</p>
</body>
</description>
<references>
<bid>39540</bid>
<cvename>CVE-2010-0996</cvename>
<cvename>CVE-2010-0997</cvename>
<freebsdpr>ports/145885</freebsdpr>
<url>http://e107.org/comment.php?comment.news.864</url>
<url>http://secunia.com/secunia_research/2010-43/</url>
<url>http://secunia.com/secunia_research/2010-44/</url>
<url>http://xforce.iss.net/xforce/xfdb/57932</url>
</references>
<dates>
<discovery>2010-04-15</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="09910d76-4c82-11df-83fb-0015587e2cc1">
<topic>fetchmail -- denial of service vulnerability</topic>
<affects>
<package>
<name>fetchmail</name>
<range>
<ge>4.6.3</ge>
<le>6.3.16</le>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fetchmail developer Matthias Andree reported a vulnerability
that allows remote attackers to crash the application
when it runs in verbose mode.</p>
<blockquote cite="http://gitorious.org/fetchmail/fetchmail/commit/ec06293">
<p>Fetchmail before release 6.3.17 did not properly
sanitize external input (mail headers and UID). When a
multi-character locale (such as UTF-8) was in use, this
could cause memory exhaustion and thus a denial of
service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1167</cvename>
<freebsdpr>ports/145857</freebsdpr>
<url>http://gitorious.org/fetchmail/fetchmail/commit/ec06293</url>
<url>http://seclists.org/oss-sec/2010/q2/76</url>
</references>
<dates>
<discovery>2010-04-18</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="a2c4d3d5-4c7b-11df-83fb-0015587e2cc1">
<topic>pidgin -- multiple remote denial of service vulnerabilities</topic>
<affects>
<package>
<name>pidgin</name>
<range><lt>2.6.6</lt></range>
</package>
<package>
<name>libpurple</name>
<range><lt>2.6.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Three denial of service vulnerabilities were found in
pidgin that allow remote attackers to crash the application.
The developers summarized these problems as follows:</p>
<blockquote cite="http://pidgin.im/news/security/?id=45">
<p>Pidgin can become unresponsive when displaying large
numbers of smileys</p>
</blockquote>
<blockquote cite="http://pidgin.im/news/security/?id=44">
<p>Certain nicknames in group chat rooms can trigger a
crash in Finch</p>
</blockquote>
<blockquote cite="http://pidgin.im/news/security/?id=43">
<p>Failure to validate all fields of an incoming message
can trigger a crash</p>
</blockquote>
</body>
</description>
<references>
<bid>38294</bid>
<cvename>CVE-2010-0277</cvename>
<cvename>CVE-2010-0420</cvename>
<cvename>CVE-2010-0423</cvename>
<url>http://pidgin.im/news/security/?id=43</url>
<url>http://pidgin.im/news/security/?id=44</url>
<url>http://pidgin.im/news/security/?id=45</url>
</references>
<dates>
<discovery>2010-02-18</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="4fb5d2cd-4c77-11df-83fb-0015587e2cc1">
<topic>png -- libpng decompression denial of service</topic>
<affects>
<package>
<name>png</name>
<range>
<gt>1.2.43</gt>
<lt>1.4.1</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A vulnerability in libpng can result in denial of service
conditions when a remote attacker tricks a victim into opening
a specially-crafted PNG file.</p>
<p>The PNG project describes the problem in an advisory:</p>
<blockquote cite="http://libpng.sourceforge.net/ADVISORY-1.4.1.html">
<p>Because of the efficient compression method used in
Portable Network Graphics (PNG) files, a small PNG file
can expand tremendously, acting as a "decompression
bomb".</p>
<p>Malformed PNG chunks can consume a large amount of CPU
and wall-clock time and large amounts of memory, up to
all memory available on a system.</p>
</blockquote>
</body>
</description>
<references>
<bid>38478</bid>
<certvu>576029</certvu>
<cvename>CVE-2010-0205</cvename>
<url>http://libpng.sourceforge.net/ADVISORY-1.4.1.html</url>
<url>http://secunia.com/advisories/38774</url>
<url>http://xforce.iss.net/xforce/xfdb/56661</url>
</references>
<dates>
<discovery>2010-02-27</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="c8c31c41-49ed-11df-83fb-0015587e2cc1">
<topic>curl -- libcurl buffer overflow vulnerability</topic>
<affects>
<package>
<name>curl</name>
<range>
<ge>7.10.5</ge>
<lt>7.20.0</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports in a security advisory:</p>
<blockquote cite="http://curl.haxx.se/docs/adv_20100209.html">
<p>Using the affected libcurl version to download compressed
content over HTTP, an application can ask libcurl to
automatically uncompress data. When doing so, libcurl
can wrongly send data up to 64K in size to the callback
which thus is much larger than the documented maximum
size.</p>
<p>An application that blindly trusts libcurl's max limit
for a fixed buffer size or similar is then a possible
target for a buffer overflow vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0734</cvename>
<url>http://curl.haxx.se/docs/adv_20100209.html</url>
<url>http://www.debian.org/security/2010/dsa-2023</url>
<url>http://www.openwall.com/lists/oss-security/2010/02/09/5</url>
</references>
<dates>
<discovery>2010-02-09</discovery>
<entry>2010-04-19</entry>
</dates>
</vuln>
<vuln vid="a04a3c13-4932-11df-83fb-0015587e2cc1">
<topic>ejabberd -- queue overload denial of service vulnerability</topic>
<affects>
<package>
<name>ejabberd</name>
<range><lt>2.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Red Hat security response team reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/01/29/1">
<p>A remotely exploitable DoS from XMPP client to ejabberd
server via too many "client2server" messages (causing the
message queue on the server to get overloaded, leading
to server crash) has been found.</p>
</blockquote>
</body>
</description>
<references>
<bid>38003</bid>
<cvename>CVE-2010-0305</cvename>
<url>http://secunia.com/advisories/38337</url>
<url>http://support.process-one.net/browse/EJAB-1173</url>
<url>http://www.openwall.com/lists/oss-security/2010/01/29/1</url>
<url>http://xforce.iss.net/xforce/xfdb/56025</url>
</references>
<dates>
<discovery>2010-01-29</discovery>
<entry>2010-04-19</entry>
</dates>
</vuln>
<vuln vid="3b7967f1-49e8-11df-83fb-0015587e2cc1">
<topic>irssi -- multiple vulnerabilities</topic>
<affects>
<package>
<name>irssi</name>
<range><lt>0.8.15</lt></range>
</package>
<package>
<name>zh-irssi</name>
<range><lt>0.8.15</lt></range>
</package>
<package>
<name>irssi-devel</name>
<range><lt>20100325</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two vulnerabilities have been found in irssi. The first issue
could allow man-in-the-middle attacks due to a missing
comparison of SSL server hostnames and the certificate
domain names (e.g. CN).</p>
<p>A second vulnerability, related to the nick matching code,
could be triggered by remote attackers in order to crash
an irssi client when leaving a channel.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1155</cvename>
<cvename>CVE-2010-1156</cvename>
<url>http://xforce.iss.net/xforce/xfdb/57790</url>
<url>http://xforce.iss.net/xforce/xfdb/57791</url>
</references>
<dates>
<discovery>2010-04-16</discovery>
<entry>2010-04-19</entry>
</dates>
</vuln>
<vuln vid="a30573dc-4893-11df-a5f9-001641aeabdf">
<topic>krb5 -- remote denial of service vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><le>1.6.3_9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An authenticated remote attacker can cause a denial
of service by using a newer version of the kadmin protocol
than the server supports.</p>
<p>The MIT Kerberos team also reports the cause:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt">
<p>The Kerberos administration daemon (kadmind) can crash
due to referencing freed memory.</p>
</blockquote>
</body>
</description>
<references>
<bid>39247</bid>
<cvename>CVE-2010-0629</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt</url>
</references>
<dates>
<discovery>2010-04-06</discovery>
<entry>2010-04-18</entry>
</dates>
</vuln>
<vuln vid="9ac0f9c4-492b-11df-83fb-0015587e2cc1">
<topic>krb5 -- multiple denial of service vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range>
<ge>1.7</ge><le>1.7_2</le>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two vulnerabilities in krb5 can be used by remote
attackers in denial of service attacks. The MIT security
advisories report this as follows:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt">
<p>An unauthenticated remote attacker can send an invalid
request to a KDC process that will cause it to crash
due to an assertion failure, creating a denial of
service.</p>
</blockquote>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt">
<p>An unauthenticated remote attacker could cause a GSS-API
application, including the Kerberos administration
daemon (kadmind) to crash.</p>
</blockquote>
</body>
</description>
<references>
<bid>38260</bid>
<bid>38904</bid>
<cvename>CVE-2010-0283</cvename>
<cvename>CVE-2010-0628</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt</url>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt</url>
</references>
<dates>
<discovery>2010-04-23</discovery>
<entry>2010-04-18</entry>
</dates>
</vuln>
<vuln vid="5053420c-4935-11df-83fb-0015587e2cc1">
<topic>mahara -- sql injection vulnerability</topic>
<affects>
<package>
<name>mahara</name>
<range><lt>1.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Debian security team reports:</p>
<blockquote cite="http://www.debian.org/security/2010/dsa-2030">
<p>It was discovered that mahara, an electronic portfolio,
weblog, and resume builder is not properly escaping input
when generating a unique username based on a remote user
name from a single sign-on application. An attacker can
use this to compromise the mahara database via crafted
user names.</p>
</blockquote>
</body>
</description>
<references>
<bid>39253</bid>
<cvename>CVE-2010-0400</cvename>
<url>http://www.debian.org/security/2010/dsa-2030</url>
</references>
<dates>
<discovery>2010-04-06</discovery>
<entry>2010-04-18</entry>
</dates>
</vuln>
<vuln vid="1a9f678d-48ca-11df-85f8-000c29a67389">
<topic>sudo -- Privilege escalation with sudoedit</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="">
<p>Sudo's command matching routine expects actual commands to include
one or more slash ('/') characters. The flaw is that sudo's path
resolution code did not add a "./" prefix to commands found in the
current working directory. This creates an ambiguity between a
"sudoedit" command found in the cwd and the "sudoedit"
pseudo-command in the sudoers file. As a result, a user may be
able to run an arbitrary command named "sudoedit" in the current
working directory. For the attack to be successful, the PATH
environment variable must include "." and may not include any other
directory that contains a "sudoedit" command.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1163</cvename>
<url>http://www.sudo.ws/pipermail/sudo-announce/2010-April/000093.html</url>
<url>http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html</url>
</references>
<dates>
<discovery>2010-04-09</discovery>
<entry>2010-04-15</entry>
</dates>
</vuln>
<vuln vid="3987c5d1-47a9-11df-a0d5-0016d32f24fb">
<topic>KDM -- local privilege escalation vulnerability</topic>
<affects>
<package>
<name>kdebase</name>
<range><le>3.5.10_6</le></range>
</package>
<package>
<name>kdebase-workspace</name>
<range><le>4.3.5_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>KDE Security Advisory reports:</p>
<blockquote cite="http://www.kde.org/info/security/advisory-20100413-1.txt">
<p>KDM contains a race condition that allows local attackers
to make arbitrary files on the system world-writeable.
This can happen while KDM tries to create its control
socket during user login. A local attacker with a valid
local account can under certain circumstances make use of
this vulnerability to execute arbitrary code as root.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0436</cvename>
<url>http://www.kde.org/info/security/advisory-20100413-1.txt</url>
</references>
<dates>
<discovery>2010-04-13</discovery>
<entry>2010-04-14</entry>
<modified>2010-04-14</modified>
</dates>
</vuln>
<vuln vid="805603a1-3e7a-11df-a5a1-0050568452ac">
<topic>dojo -- cross-site scripting and other vulnerabilities</topic>
<affects>
<package>
<name>dojo</name>
<range><lt>1.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Dojo Toolkit team reports:</p>
<blockquote cite="http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/">
<p>Some PHP files did not properly escape input.</p>
<p>Some files could operate like "open redirects". A bad actor
could form a URL that looks like it came from a trusted
site, but the user would be redirected or load content from
the bad actor's site.</p>
<p>A file exposed a more serious cross-site scripting
vulnerability with the possibility of executing code on the
domain where the file exists.</p>
<p>The Dojo build process defaulted to copying over tests and
demos, which are normally not needed and just increased the
number of files that could be targets of attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/</url>
<url>http://osdir.com/ml/bugtraq.security/2010-03/msg00133.html</url>
<url>http://packetstormsecurity.org/1003-exploits/dojo-xss.txt</url>
<url>http://secunia.com/advisories/38964</url>
<url>http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/</url>
</references>
<dates>
<discovery>2010-03-11</discovery>
<entry>2010-04-06</entry>
</dates>
</vuln>
<vuln vid="8ad1c404-3e78-11df-a5a1-0050568452ac">
<topic>Zend Framework -- security issues in bundled Dojo library</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.10.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-07">
<p>Several files in the bundled Dojo library were identified
as having potential exploits, and the Dojo team also advised
disabling or removing any PHP scripts in the Dojo library tree
when deploying to production.</p>
</blockquote>
</body>
</description>
<references>
<url>http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/</url>
<url>http://framework.zend.com/security/advisory/ZF2010-07</url>
<url>http://osdir.com/ml/bugtraq.security/2010-03/msg00133.html</url>
<url>http://packetstormsecurity.org/1003-exploits/dojo-xss.txt</url>
<url>http://secunia.com/advisories/38964</url>
<url>http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/</url>
</references>
<dates>
<discovery>2010-04-01</discovery>
<entry>2010-04-06</entry>
</dates>
</vuln>
<vuln vid="ec8f449f-40ed-11df-9edc-000f20797ede">
<topic>firefox -- Re-use of freed object due to scope confusion</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6,1</gt><lt>3.6.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2009-25 Re-use of freed object due to scope confusion</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1121</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-25.html</url>
</references>
<dates>
<discovery>2010-04-01</discovery>
<entry>2010-04-05</entry>
</dates>
</vuln>
<vuln vid="9ccfee39-3c3b-11df-9edc-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>seamonkey</name>
<range><gt>2.0</gt><lt>2.0.4</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.4</lt></range>
</package>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.9,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.19,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.0.19,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy</p>
<p>MFSA 2010-23 Image src redirect to mailto: URL opens email editor</p>
<p>MFSA 2010-22 Update NSS to support TLS renegotiation indication</p>
<p>MFSA 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy</p>
<p>MFSA 2010-20 Chrome privilege escalation via forced URL drag and drop</p>
<p>MFSA 2010-19 Dangling pointer vulnerability in nsPluginArray</p>
<p>MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView</p>
<p>MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection</p>
<p>MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0181</cvename>
<cvename>CVE-2009-3555</cvename>
<cvename>CVE-2010-0179</cvename>
<cvename>CVE-2010-0178</cvename>
<cvename>CVE-2010-0177</cvename>
<cvename>CVE-2010-0176</cvename>
<cvename>CVE-2010-0175</cvename>
<cvename>CVE-2010-0174</cvename>
<cvename>CVE-2010-0173</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-24.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-23.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-22.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-21.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-20.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-19.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-18.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-17.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-16.html</url>
</references>
<dates>
<discovery>2010-03-30</discovery>
<entry>2010-03-30</entry>
</dates>
</vuln>
<vuln vid="e050119b-3856-11df-b2b2-002170daae37">
<topic>postgresql -- bitsubstr overflow</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><ge>7.4</ge><lt>7.4.28</lt></range>
<range><ge>8.0</ge><lt>8.0.24</lt></range>
<range><ge>8.1</ge><lt>8.1.20</lt></range>
<range><ge>8.2</ge><lt>8.2.16</lt></range>
<range><ge>8.3</ge><lt>8.3.10</lt></range>
<range><ge>8.4</ge><lt>8.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BugTraq reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/37973">
<p>PostgreSQL is prone to a buffer-overflow
vulnerability because the application fails to
perform adequate boundary checks on user-supplied
data.</p>
<p>Attackers can exploit this issue to execute
arbitrary code with elevated privileges or
crash the affected application.</p>
</blockquote>
</body>
</description>
<references>
<bid>37973</bid>
<cvename>CVE-2010-0442</cvename>
</references>
<dates>
<discovery>2010-01-27</discovery>
<entry>2010-03-25</entry>
</dates>
</vuln>
<vuln vid="c175d72f-3773-11df-8bb8-0211d880e350">
<topic>gtar -- buffer overflow in rmt client</topic>
<affects>
<package>
<name>gtar</name>
<range><lt>1.22_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakob Lell reports:</p>
<blockquote cite="http://www.agrs.tu-berlin.de/index.php?id=78327">
<p>The rmt client implementation of GNU Tar/Cpio contains
a heap-based buffer overflow which possibly allows
arbitrary code execution.</p>
<p>The problem can be exploited when using an
untrusted/compromised rmt server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0624</cvename>
<url>http://www.agrs.tu-berlin.de/index.php?id=78327</url>
</references>
<dates>
<discovery>2010-03-24</discovery>
<entry>2010-03-24</entry>
</dates>
</vuln>
<vuln vid="5d5ed535-3653-11df-9edc-000f20797ede">
<topic>firefox -- WOFF heap corruption due to integer overflow</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6,1</gt><lt>3.6.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-08 WOFF heap corruption due to integer overflow</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1028</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-08.html</url>
</references>
<dates>
<discovery>2010-03-22</discovery>
<entry>2010-03-23</entry>
</dates>
</vuln>
<vuln vid="56cfe192-329f-11df-abb2-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>1.1.19</lt></range>
</package>
<package>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>2.0.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-07 Fixes for potentially exploitable crashes ported to the legacy branch</p>
<p>MFSA 2010-06 Scriptable plugin execution in SeaMonkey mail</p>
<p>MFSA 2009-68 NTLM reflection vulnerability</p>
<p>MFSA 2009-62 Download filename spoofing with RTL override</p>
<p>MFSA 2009-59 Heap buffer overflow in string to number conversion</p>
<p>MFSA 2009-49 TreeColumns dangling pointer vulnerability</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0161</cvename>
<cvename>CVE-2010-0163</cvename>
<cvename>CVE-2009-3075</cvename>
<cvename>CVE-2009-3072</cvename>
<cvename>CVE-2009-2463</cvename>
<cvename>CVE-2009-3385</cvename>
<cvename>CVE-2009-3983</cvename>
<cvename>CVE-2009-3376</cvename>
<cvename>CVE-2009-0689</cvename>
<cvename>CVE-2009-3077</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-07.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-06.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-68.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-62.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-59.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-49.html</url>
</references>
<dates>
<discovery>2010-03-16</discovery>
<entry>2010-03-19</entry>
</dates>
</vuln>
<vuln vid="e39caf05-2d6f-11df-aec2-000c29ba66d2">
<topic>egroupware -- two vulnerabilities</topic>
<affects>
<package>
<name>egroupware</name>
<range><lt>1.6.003</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Egroupware Team reports:</p>
<blockquote cite="http://www.egroupware.org/Home?category_id=95&amp;item=93">
<p>Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:</p>
<p>Serious remote command execution (allowing to run arbitrary command
on the web server by simply issuing a HTTP request!).</p>
<p>A reflected cross-site scripting (XSS).</p>
<p>Both require NO valid EGroupware account and work without being logged
in!</p>
</blockquote>
</body>
</description>
<references>
<bid>38609</bid>
<url>http://secunia.com/advisories/38859/</url>
<url>http://www.egroupware.org/Home?category_id=95&amp;item=93</url>
</references>
<dates>
<discovery>2010-03-09</discovery>
<entry>2010-03-11</entry>
</dates>
</vuln>
<vuln vid="b3531fe1-2b03-11df-b6db-00248c9b4be7">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal5</name>
<range><lt>5.22</lt></range>
</package>
<package>
<name>drupal6</name>
<range><lt>6.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Team reports:</p>
<blockquote cite="http://drupal.org/node/731710">
<p>A user-supplied value is directly output during installation
allowing a malicious user to craft a URL and perform a cross-site
scripting attack. The exploit can only be conducted on sites not yet
installed.</p>
<p>The API function drupal_goto() is susceptible to a phishing attack.
An attacker could formulate a redirect in a way that gets the Drupal
site to send the user to an arbitrarily provided URL. No user
submitted data will be sent to that URL.</p>
<p>Locale module and dependent contributed modules do not sanitize the
display of language codes, native and English language names properly.
While these usually come from a preselected list, arbitrary
administrator input is allowed. This vulnerability is mitigated by the
fact that the attacker must have a role with the 'administer
languages' permission.</p>
<p>Under certain circumstances, a user with an open session that is
blocked can maintain his/her session on the Drupal site, despite being
blocked.</p>
</blockquote>
</body>
</description>
<references>
<url>http://drupal.org/node/731710</url>
</references>
<dates>
<discovery>2010-03-03</discovery>
<entry>2010-03-08</entry>
</dates>
</vuln>
<vuln vid="018a84d0-2548-11df-b4a3-00e0815b8da8">
<topic>sudo -- Privilege escalation with sudoedit</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="">
<p>When sudo performs its command matching, there is a special case
for pseudo-commands in the sudoers file (currently, the only
pseudo-command is sudoedit). Unlike a regular command,
pseudo-commands do not begin with a slash ('/'). The flaw is that
sudo's matching code would only check against the list of
pseudo-commands if the user-specified command also contained no
slashes. As a result, if the user ran "sudo ./sudoedit" the normal
matching code path was followed, which uses stat(2) to verify that
the user-specified command matches the one in sudoers. In this
case, it would compare the "./sudoedit" specified by the user with
"sudoedit" from the sudoers file, resulting in a positive
match.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.sudo.ws/pipermail/sudo-announce/2010-February/000092.html</url>
<url>http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html</url>
<url>http://secunia.com/advisories/38659</url>
<cvename>CVE-2010-0426</cvename>
<bid>38362</bid>
</references>
<dates>
<discovery>2010-01-29</discovery>
<entry>2010-03-01</entry>
</dates>
</vuln>
<vuln vid="c97d7a37-2233-11df-96dd-001b2134ef46">
<topic>openoffice.org -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openoffice.org</name>
<range><lt>3.2.0</lt></range>
<range><ge>3.2.20010101</ge><lt>3.2.20100203</lt></range>
<range><ge>3.3.20010101</ge><lt>3.3.20100207</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenOffice.org Security Team reports:</p>
<blockquote cite="http://www.openoffice.org/security/bulletin.html">
<p>Fixed in OpenOffice.org 3.2</p>
<p>CVE-2006-4339: Potential vulnerability from 3rd party
libxml2 libraries</p>
<p>CVE-2009-0217: Potential vulnerability from 3rd party
libxmlsec libraries</p>
<p>CVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable
version of MSVC Runtime</p>
<p>CVE-2009-2949: Potential vulnerability related to XPM file
processing</p>
<p>CVE-2009-2950: Potential vulnerability related to GIF file
processing</p>
<p>CVE-2009-3301/2: Potential vulnerability related to MS-Word
document processing</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openoffice.org/security/bulletin.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2006-4339.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-0217.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2493.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2949.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2950.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html</url>
<cvename>CVE-2006-4339</cvename>
<cvename>CVE-2009-0217</cvename>
<cvename>CVE-2009-2493</cvename>
<cvename>CVE-2009-2949</cvename>
<cvename>CVE-2009-2950</cvename>
<cvename>CVE-2009-3301</cvename>
<cvename>CVE-2009-3302</cvename>
</references>
<dates>
<discovery>2006-08-24</discovery>
<entry>2010-02-25</entry>
<modified>2010-02-27</modified>
</dates>
</vuln>
<vuln vid="f82c85d8-1c6e-11df-abb2-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.8,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.18,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.0.18,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.8</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.3</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-05 XSS hazard using SVG document and binary Content-Type</p>
<p>MFSA 2010-04 XSS due to window.dialogArguments being readable cross-domain</p>
<p>MFSA 2010-03 Use-after-free crash in HTML parser</p>
<p>MFSA 2010-02 Web Worker Array Handling Heap Corruption Vulnerability</p>
<p>MFSA 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0159</cvename>
<cvename>CVE-2010-0160</cvename>
<cvename>CVE-2009-1571</cvename>
<cvename>CVE-2009-3988</cvename>
<cvename>CVE-2010-0162</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-01.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-02.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-03.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-04.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-05.html</url>
</references>
<dates>
<discovery>2010-02-17</discovery>
<entry>2010-02-18</entry>
<modified>2010-02-28</modified>
</dates>
</vuln>
<vuln vid="1a3bd81f-1b25-11df-bd1a-002170daae37">
<topic>lighttpd -- denial of service vulnerability</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Lighttpd security advisory reports:</p>
<blockquote cite="http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt">
<p>If you send the request data very slowly (e.g. sleep
0.01 after each byte), lighttpd will easily use all
available memory and die (especially for parallel
requests), allowing a DoS within minutes.</p>
</blockquote>
</body>
</description>
<references>
<bid>38036</bid>
<cvename>CVE-2010-0295</cvename>
<url>http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt</url>
</references>
<dates>
<discovery>2010-02-02</discovery>
<entry>2010-02-16</entry>
</dates>
</vuln>
<vuln vid="81d9dc0c-1988-11df-8e66-0019996bc1f7">
<topic>squid -- Denial of Service vulnerability in HTCP</topic>
<affects>
<package>
<name>squid</name>
<range><ge>2.7.1</ge><lt>2.7.7_4</lt></range>
<range><ge>3.0.1</ge><lt>3.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:2 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_2.txt">
<p>Due to incorrect processing Squid is vulnerable to a
denial of service attack when receiving specially crafted
HTCP packets.</p>
<p>This problem allows any machine to perform a denial
of service attack on the Squid service when its HTCP port
is open.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0639</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_2.txt</url>
</references>
<dates>
<discovery>2010-02-12</discovery>
<entry>2010-02-14</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="ff6519ad-18e5-11df-9bdd-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r262</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.0r45</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-06.html">
<p>A critical vulnerability has been identified in Adobe
Flash Player version 10.0.42.34 and earlier. This
vulnerability (CVE-2010-0186) could subvert the domain sandbox
and make unauthorized cross-domain requests. This update also
resolves a potential Denial of Service issue (CVE-2010-0187).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0186</cvename>
<cvename>CVE-2010-0187</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-06.html</url>
</references>
<dates>
<discovery>2010-02-11</discovery>
<entry>2010-02-13</entry>
</dates>
</vuln>
<vuln vid="0a82ac0c-1886-11df-b0d1-0015f2db7bde">
<topic>gnome-screensaver -- Multiple monitor hotplug issues</topic>
<affects>
<package>
<name>gnome-screensaver</name>
<range><lt>2.28.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ray Strode reports:</p>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=609337">
<p>Under certain circumstances it is possible to circumvent the security of the screen
locking functionality of gnome-screensaver by changing the system's physical
monitor configuration.</p>
</blockquote>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=609789">
<p>gnome-screensaver can lose its keyboard grab when locked, exposing the system
to intrusion by adding and removing monitors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0414</cvename>
<cvename>CVE-2010-0422</cvename>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=609337</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=609789</url>
</references>
<dates>
<discovery>2010-02-08</discovery>
<entry>2010-02-13</entry>
</dates>
</vuln>
<vuln vid="2a6a966f-1774-11df-b5c1-0026189baca3">
<topic>fetchmail -- heap overflow on verbose X.509 display</topic>
<affects>
<package>
<name>fetchmail</name>
<range><ge>6.3.11</ge><lt>6.3.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2010-01.txt">
<p>In verbose mode, fetchmail prints X.509 certificate subject and
issuer information to the user, and counts and allocates a malloc()
buffer for that purpose.</p>
<p>If the material to be displayed contains characters with high bit
set and the platform treats the "char" type as signed, this can cause
a heap buffer overrun because non-printing characters are escaped as
\xFF..FFnn, where nn is 80..FF in hex.</p>
</blockquote>
</body>
</description>
<references>
<bid>38088</bid>
<cvename>CVE-2010-0562</cvename>
<url>http://www.fetchmail.info/fetchmail-SA-2010-01.txt</url>
<mlist msgid="20100205014643.GA25506@merlin.emma.line.org">https://lists.berlios.de/pipermail/fetchmail-announce/2010-February/000073.html</mlist>
</references>
<dates>
<discovery>2010-02-04</discovery>
<entry>2010-02-12</entry>
</dates>
</vuln>
<vuln vid="bb0a8795-15dc-11df-bf0a-002170daae37">
<topic>wireshark -- LWRES vulnerability</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<range><lt>1.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark project reports:</p>
<blockquote cite="http://www.wireshark.org/security/wnpa-sec-2010-02.html">
<p>Babi discovered several buffer overflows in the
LWRES dissector.</p>
<p>It may be possible to make Wireshark crash remotely
or by convincing someone to read a malformed packet
trace file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0304</cvename>
<url>http://secunia.com/advisories/38257/</url>
<url>http://www.wireshark.org/security/wnpa-sec-2010-02.html</url>
</references>
<dates>
<discovery>2010-01-27</discovery>
<entry>2010-02-10</entry>
</dates>
</vuln>
<vuln vid="6b575419-14cf-11df-a628-001517351c22">
<topic>otrs -- SQL injection</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>2.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2010-01-en/">
<p>Missing security quoting for SQL statements allows agents and
customers to manipulate SQL queries. So it's possible for
authenticated users to inject SQL queries
via string manipulation of statements.</p>
<p>A malicious user may be able to manipulate SQL queries to read
or modify records in the database. This way it could also be
possible to get access to more permissions (e. g. administrator
permissions).</p>
<p>To use this vulnerability the malicious user needs to have
a valid Agent- or Customer-session.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0438</cvename>
<url>http://otrs.org/advisory/OSA-2010-01-en/</url>
</references>
<dates>
<discovery>2010-02-08</discovery>
<entry>2010-02-08</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="cae01d7b-110d-11df-955a-00219b0fc4d8">
<topic>apache -- Prevent chunk-size integer overflow on platforms where sizeof(int) &lt; sizeof(long)</topic>
<affects>
<package>
<name>apache</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+mod_perl</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+ipv6</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache_fp</name>
<range><ge>0</ge></range>
</package>
<package>
<name>ru-apache</name>
<range><lt>1.3.42+30.23</lt></range>
</package>
<package>
<name>ru-apache+mod_ssl</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+ssl</name>
<range><lt>1.3.42.1.57_2</lt></range>
</package>
<package>
<name>apache+mod_ssl</name>
<name>apache+mod_ssl+ipv6</name>
<name>apache+mod_ssl+mod_accel</name>
<name>apache+mod_ssl+mod_accel+ipv6</name>
<name>apache+mod_ssl+mod_accel+mod_deflate</name>
<name>apache+mod_ssl+mod_accel+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_deflate</name>
<name>apache+mod_ssl+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_snmp</name>
<name>apache+mod_ssl+mod_snmp+mod_accel</name>
<name>apache+mod_ssl+mod_snmp+mod_accel+ipv6</name>
<name>apache+mod_ssl+mod_snmp+mod_deflate</name>
<name>apache+mod_ssl+mod_snmp+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6</name>
<range><lt>1.3.41+2.8.27_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache ChangeLog reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_1.3.42">
<p>Integer overflow in the ap_proxy_send_fb function in
proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before
1.3.42 on 64-bit platforms allows remote origin servers to cause a
denial of service (daemon crash) or possibly execute arbitrary code
via a large chunk size that triggers a heap-based buffer overflow.</p>
</blockquote>
</body>
</description>
<references>
<url>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0010</url>
<url>http://www.security-database.com/detail.php?alert=CVE-2010-0010</url>
<url>http://security-tracker.debian.org/tracker/CVE-2010-0010</url>
<url>http://www.vupen.com/english/Reference-CVE-2010-0010.php</url>
</references>
<dates>
<discovery>2009-06-30</discovery>
<entry>2010-02-03</entry>
<modified>2010-02-03</modified>
</dates>
</vuln>
<vuln vid="296ecb59-0f6b-11df-8bab-0019996bc1f7">
<topic>squid -- Denial of Service vulnerability in DNS handling</topic>
<affects>
<package>
<name>squid</name>
<range><ge>2.7.1</ge><lt>2.7.7_3</lt></range>
<range><ge>3.0.1</ge><lt>3.0.23</lt></range>
<range><ge>3.1.0.1</ge><lt>3.1.0.15_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:1 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_1.txt">
<p>Due to incorrect data validation Squid is vulnerable to a denial
of service attack when processing specially crafted DNS packets.</p>
<p>This problem allows any trusted client or external server who can
determine the squid receiving port to perform a short-term denial
of service attack on the Squid service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0308</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_1.txt</url>
</references>
<dates>
<discovery>2010-01-14</discovery>
<entry>2010-02-01</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="696053c6-0f50-11df-a628-001517351c22">
<topic>bugzilla -- information leak</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>3.3.1</gt><lt>3.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.0.10/">
<p>When moving a bug from one product to another, an intermediate
page is displayed letting you select the groups the bug should
be restricted to in the new product. However, a regression in
the 3.4.x series made it ignore all groups which are not
available in both products. As a workaround, you had to move
the bug to the new product first and then restrict it to the
desired groups, in two distinct steps, which could make the bug
temporarily public.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3387</cvename>
<url>http://www.bugzilla.org/security/3.0.10/</url>
</references>
<dates>
<discovery>2010-01-31</discovery>
<entry>2010-02-01</entry>
</dates>
</vuln>
<vuln vid="192609c8-0c51-11df-82a0-00248c9b4be7">
<topic>ircd-ratbox -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ircd-ratbox</name>
<range><lt>2.2.9</lt></range>
</package>
<package>
<name>ircd-ratbox-devel</name>
<range><lt>3.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/509201">
<p>The first affects the /quote HELP module and allows a user
to trigger an IRCD crash on some platforms.</p>
<p>The second affects the /links processing module when the
flatten_links configuration option is not enabled.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4016</cvename>
<cvename>CVE-2010-0300</cvename>
<url>http://www.debian.org/security/2010/dsa-1980</url>
<url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000890.html</url>
<url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000891.html</url>
</references>
<dates>
<discovery>2010-01-25</discovery>
<entry>2010-01-28</entry>
</dates>
</vuln>
<vuln vid="848539dc-0458-11df-8dd7-002170daae37">
<topic>dokuwiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20091225_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dokuwiki reports:</p>
<blockquote cite="http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1853">
<p>The plugin does no checks against cross-site request
forgeries (CSRF) which can be exploited to e.g. change
the access control rules by tricking a logged in
administrator into visiting a malicious web site.</p>
</blockquote>
<blockquote cite="http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1847">
<p>The bug allows listing the names of arbitrary files on
the webserver - not their contents. This could leak
private information about wiki pages and server structure.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0288</cvename>
<cvename>CVE-2010-0287</cvename>
<cvename>CVE-2010-0289</cvename>
<url>http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1847</url>
<url>http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1853</url>
</references>
<dates>
<discovery>2010-01-17</discovery>
<entry>2010-01-18</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="c9263916-006f-11df-94cb-0050568452ac">
<topic>Zend Framework -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.9.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-06">
<p>Potential XSS or HTML Injection vector in Zend_Json.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-05">
<p>Potential XSS vector in Zend_Service_ReCaptcha_MailHide.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-04">
<p>Potential MIME-type Injection in Zend_File_Transfer.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-03">
<p>Potential XSS vector in Zend_Filter_StripTags when
comments allowed.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-02">
<p>Potential XSS vector in Zend_Dojo_View_Helper_Editor.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-01">
<p>Potential XSS vectors due to inconsistent encodings.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2009-02">
<p>XSS vector in Zend_Filter_StripTags.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2009-01">
<p>LFI vector in Zend_View::setScriptPath() and render().</p>
</blockquote>
</body>
</description>
<references>
<url>http://framework.zend.com/security/advisory/ZF2010-06</url>
<url>http://framework.zend.com/security/advisory/ZF2010-05</url>
<url>http://framework.zend.com/security/advisory/ZF2010-04</url>
<url>http://framework.zend.com/security/advisory/ZF2010-03</url>
<url>http://framework.zend.com/security/advisory/ZF2010-02</url>
<url>http://framework.zend.com/security/advisory/ZF2010-01</url>
<url>http://framework.zend.com/security/advisory/ZF2009-02</url>
<url>http://framework.zend.com/security/advisory/ZF2009-01</url>
</references>
<dates>
<discovery>2009-12-31</discovery>
<entry>2010-01-11</entry>
</dates>
</vuln>
<vuln vid="dd8f2394-fd08-11de-b425-00215c6a37bb">
<topic>powerdns-recursor -- multiple vulnerabilities</topic>
<affects>
<package>
<name>powerdns-recursor</name>
<range><lt>3.1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PowerDNS Security Advisory reports:</p>
<blockquote cite="http://doc.powerdns.com/powerdns-advisory-2010-01.html">
<p>PowerDNS Recursor up to and including 3.1.7.1 can be
brought down and probably exploited.</p>
</blockquote>
<blockquote cite="http://doc.powerdns.com/powerdns-advisory-2010-02.html">
<p>PowerDNS Recursor up to and including 3.1.7.1 can be
spoofed into accepting bogus data.</p>
</blockquote>
</body>
</description>
<references>
<bid>37650</bid>
<bid>37653</bid>
<cvename>CVE-2009-4010</cvename>
<cvename>CVE-2009-4009</cvename>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-01-09</entry>
</dates>
</vuln>
<vuln vid="56ba8728-f987-11de-b28d-00215c6a37bb">
<topic>PEAR -- Net_Ping and Net_Traceroute remote arbitrary command injection</topic>
<affects>
<package>
<name>pear-Net_Ping</name>
<range><lt>2.4.5</lt></range>
</package>
<package>
<name>pear-Net_Traceroute</name>
<range><lt>0.21.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PEAR Security Advisory reports:</p>
<blockquote cite="http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/">
<p>Multiple remote arbitrary command injections have been
found in Net_Ping and Net_Traceroute.</p>
<p>When input from forms is used directly, the attacker
could pass variables that would allow him to execute
remote arbitrary command injections.</p>
</blockquote>
</body>
</description>
<references>
<bid>37093</bid>
<bid>37094</bid>
<cvename>CVE-2009-4024</cvename>
<cvename>CVE-2009-4025</cvename>
<url>http://pear.php.net/advisory20091114-01.txt</url>
</references>
<dates>
<discovery>2009-11-14</discovery>
<entry>2010-01-04</entry>
</dates>
</vuln>
<vuln vid="751823d4-f189-11de-9344-00248c9b4be7">
<topic>drupal -- multiple cross-site scripting</topic>
<affects>
<package>
<name>drupal5</name>
<range><lt>5.21</lt></range>
</package>
<package>
<name>drupal6</name>
<range><lt>6.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Team reports:</p>
<blockquote cite="http://drupal.org/node/661586">
<p>The Contact module does not correctly handle certain user input
when displaying category information. Users privileged to create
contact categories can insert arbitrary HTML and script code into the
contact module administration page. Such a cross-site scripting attack
may lead to the malicious user gaining administrative access.</p>
<p>The Menu module does not correctly handle certain user input when
displaying the menu administration overview. Users privileged to
create new menus can insert arbitrary HTML and script code into the
menu module administration page. Such a cross-site scripting attack
may lead to the malicious user gaining administrative access.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4370</cvename>
<url>http://drupal.org/node/661586</url>
</references>
<dates>
<discovery>2009-12-16</discovery>
<entry>2009-12-25</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="4d6076fe-ee7a-11de-9cd0-001a926c7637">
<topic>fuser -- missing user's privileges check</topic>
<affects>
<package>
<name>fuser</name>
<range><lt>1142334561_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Denis Barov reports:</p>
<blockquote cite="http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/141852">
<p>sysutils/fuser allows a user to send any signal to any process when
installed with the suid bit.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/141852</url>
</references>
<dates>
<discovery>2009-09-15</discovery>
<entry>2009-12-21</entry>
</dates>
</vuln>
<vuln vid="4465c897-ee5c-11de-b6ef-00215c6a37bb">
<topic>monkey -- improper input validation vulnerability</topic>
<affects>
<package>
<name>monkey</name>
<range><lt>0.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Census Labs reports:</p>
<blockquote cite="http://census-labs.com/news/2009/12/14/monkey-httpd/">
<p>We have discovered a remotely exploitable
"improper input validation" vulnerability in the Monkey
web server that allows an attacker to perform denial of
service attacks by repeatedly crashing worker threads
that process HTTP requests.</p>
</blockquote>
</body>
</description>
<references>
<url>http://census-labs.com/news/2009/12/14/monkey-httpd/</url>
<url>http://groups.google.com/group/monkeyd/browse_thread/thread/055b4e9b83973861/</url>
</references>
<dates>
<discovery>2009-12-14</discovery>
<entry>2009-12-21</entry>
</dates>
</vuln>
<vuln vid="39a25a63-eb5c-11de-b650-00215c6a37bb">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.2.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP developers report:</p>
<blockquote cite="http://www.php.net/releases/5_2_12.php">
<p>This release focuses on improving the stability of the
PHP 5.2.x branch with over 60 bug fixes, some of which
are security related. All users of PHP 5.2 are encouraged
to upgrade to this release.</p>
<p>Security Enhancements and Fixes in PHP 5.2.12:</p>
<ul>
<li>Fixed a safe_mode bypass in tempnam() identified by
Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)</li>
<li>Fixed a open_basedir bypass in posix_mkfifo()
identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)</li>
<li>Added "max_file_uploads" INI directive, which can
be set to limit the number of file uploads per-request
to 20 by default, to prevent possible DOS via temporary
file exhaustion, identified by Bogdan Calin.
(CVE-2009-4017, Ilia)</li>
<li>Added protection for $_SESSION from interrupt
corruption and improved "session.save_path" check,
identified by Stefan Esser. (CVE-2009-4143, Stas)</li>
<li>Fixed bug #49785 (insufficient input string
validation of htmlspecialchars()). (CVE-2009-4142,
Moriyoshi, hello at iwamot dot com)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3557</cvename>
<cvename>CVE-2009-3558</cvename>
<cvename>CVE-2009-4017</cvename>
<cvename>CVE-2009-4142</cvename>
<cvename>CVE-2009-4143</cvename>
<url>http://www.php.net/releases/5_2_12.php</url>
</references>
<dates>
<discovery>2009-12-17</discovery>
<entry>2009-12-17</entry>
</dates>
</vuln>
<vuln vid="e7bc5600-eaa0-11de-bd9c-00215c6a37bb">
<topic>postgresql -- multiple vulnerabilities</topic>
<affects>
<package>
<name>postgresql-client</name>
<name>postgresql-server</name>
<range><ge>7.4</ge><lt>7.4.27</lt></range>
<range><ge>8.0</ge><lt>8.0.23</lt></range>
<range><ge>8.1</ge><lt>8.1.19</lt></range>
<range><ge>8.2</ge><lt>8.2.15</lt></range>
<range><ge>8.3</ge><lt>8.3.9</lt></range>
<range><ge>8.4</ge><lt>8.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PostgreSQL project reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4034">
<p>PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23,
8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9,
and 8.4.x before 8.4.2 does not properly handle a '\0' character
in a domain name in the subject's Common Name (CN) field of an
X.509 certificate, which (1) allows man-in-the-middle attackers
to spoof arbitrary SSL-based PostgreSQL servers via a crafted
server certificate issued by a legitimate Certification Authority,
and (2) allows remote attackers to bypass intended client-hostname
restrictions via a crafted client certificate issued by a legitimate
Certification Authority, a related issue to CVE-2009-2408.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4136">
<p>PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23,
8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9,
and 8.4.x before 8.4.2 does not properly manage session-local
state during execution of an index function by a database
superuser, which allows remote authenticated users to gain
privileges via a table with crafted index functions, as
demonstrated by functions that modify (1) search_path or
(2) a prepared statement, a related issue to CVE-2007-6600
and CVE-2009-3230.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4034</cvename>
<cvename>CVE-2009-4136</cvename>
</references>
<dates>
<discovery>2009-11-20</discovery>
<entry>2009-12-17</entry>
</dates>
</vuln>
<vuln vid="5486669e-ea9f-11de-bd9c-00215c6a37bb">
<topic>tptest -- pwd Remote Stack Buffer Overflow</topic>
<affects>
<package>
<name>tptest</name>
<range><gt>0</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/33785">
<p>TPTEST is prone to a remote stack-based buffer-overflow
vulnerability. An attacker can exploit this issue to
execute arbitrary code within the context of the affected
application. Failed exploit attempts will result in a
denial-of-service condition.</p>
</blockquote>
</body>
</description>
<references>
<bid>33785</bid>
</references>
<dates>
<discovery>2009-02-16</discovery>
<entry>2009-12-17</entry>
</dates>
</vuln>
<vuln vid="01c57d20-ea26-11de-bd39-00248c9b4be7">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.6,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.16,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.0.16,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.0.1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2009-71 GeckoActiveXObject exception messages can be used to
enumerate installed COM objects</p>
<p>MFSA 2009-70 Privilege escalation via chrome window.opener</p>
<p>MFSA 2009-69 Location bar spoofing vulnerabilities</p>
<p>MFSA 2009-68 NTLM reflection vulnerability</p>
<p>MFSA 2009-67 Integer overflow, crash in libtheora video
library</p>
<p>MFSA 2009-66 Memory safety fixes in liboggplay media library</p>
<p>MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/
1.9.0.16)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3388</cvename>
<cvename>CVE-2009-3389</cvename>
<cvename>CVE-2009-3979</cvename>
<cvename>CVE-2009-3980</cvename>
<cvename>CVE-2009-3981</cvename>
<cvename>CVE-2009-3982</cvename>
<cvename>CVE-2009-3983</cvename>
<cvename>CVE-2009-3984</cvename>
<cvename>CVE-2009-3985</cvename>
<cvename>CVE-2009-3986</cvename>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-71.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-70.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-69.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-68.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-67.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-66.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-65.html</url>
</references>
<dates>
<discovery>2009-12-16</discovery>
<entry>2009-12-16</entry>
<modified>2010-01-21</modified>
</dates>
</vuln>
<vuln vid="1b3f854b-e4bd-11de-b276-000d8787e1be">
<topic>freeradius -- remote packet of death vulnerability</topic>
<affects>
<package>
<name>freeradius</name>
<range><lt>1.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>FreeRADIUS Vulnerability Notifications reports:</p>
<blockquote cite="http://freeradius.org/security.html">
<p>2009.09.09 v1.1.7 - Anyone who can send packets to
the server can crash it by sending a Tunnel-Password
attribute in an Access-Request packet. This
vulnerability is not otherwise exploitable. We have
released 1.1.8 to correct this vulnerability.</p>
<p>This issue is similar to the previous Tunnel-Password
issue noted below. The vulnerable versions are 1.1.3
through 1.1.7. Version 2.x is not affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3111</cvename>
<url>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3111</url>
<url>http://freeradius.org/security.html</url>
<url>http://www.milw0rm.com/exploits/9642</url>
</references>
<dates>
<discovery>2009-09-09</discovery>
<entry>2009-12-14</entry>
<modified>2009-12-14</modified>
</dates>
</vuln>
<vuln vid="bec38383-e6cb-11de-bdd4-000c2930e89b">
<topic>pligg -- Cross-Site Scripting and Cross-Site Request Forgery</topic>
<affects>
<package>
<name>pligg</name>
<range><lt>1.0.3b</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/37349">
<p>Russ McRee has discovered some vulnerabilities in Pligg, which can
be exploited by malicious people to conduct cross-site scripting and
request forgery attacks.</p>
<p>Input passed via the "Referer" HTTP header to various scripts (e.g.
admin/admin_config.php, admin/admin_modules.php, delete.php, editlink.php,
submit.php, submit_groups.php, user_add_remove_links.php, and
user_settings.php) is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.</p>
<p>The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests.
This can be exploited to e.g. create an arbitrary user with administrative
privileges if a logged-in administrative user visits a malicious web
site.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4786</cvename>
<cvename>CVE-2009-4787</cvename>
<cvename>CVE-2009-4788</cvename>
<url>http://secunia.com/advisories/37349/</url>
<url>http://www.pligg.com/blog/775/pligg-cms-1-0-3-release/</url>
</references>
<dates>
<discovery>2009-12-02</discovery>
<entry>2009-12-12</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="fcbf56dd-e667-11de-920a-00248c9b4be7">
<topic>piwik -- php code execution</topic>
<affects>
<package>
<name>piwik</name>
<range><lt>0.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/37649">
<p>Stefan Esser has reported a vulnerability in Piwik, which can be
exploited by malicious people to compromise a vulnerable system.</p>
<p>The vulnerability is caused due to the core/Cookie.php script using
"unserialize()" with user controlled input. This can be exploited to
e.g. execute arbitrary PHP code via the "__wakeup()" or "__destruct()"
methods of a serialized object passed via an HTTP cookie.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4137</cvename>
<url>http://secunia.com/advisories/37649/</url>
<url>http://www.sektioneins.de/de/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/index.html</url>
<url>http://piwik.org/blog/2009/12/piwik-response-to-shocking-news-in-php-exploitation/</url>
</references>
<dates>
<discovery>2009-12-10</discovery>
<entry>2009-12-11</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="30211c45-e52a-11de-b5cd-00e0815b8da8">
<topic>dovecot -- Insecure directory permissions</topic>
<affects>
<package>
<name>dovecot</name>
<range><ge>1.2.*</ge><lt>1.2.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dovecot author reports:</p>
<blockquote cite="http://www.dovecot.org/list/dovecot-news/2009-November/000143.html">
<p>Dovecot v1.2.x had been creating base_dir (and its parents if
necessary) with 0777 permissions. The base_dir's permissions get
changed to 0755 automatically at startup, but you may need to
chmod the parent directories manually.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3897</cvename>
<bid>37084</bid>
<url>http://secunia.com/advisories/37443</url>
</references>
<dates>
<discovery>2009-11-20</discovery>
<entry>2009-12-10</entry>
</dates>
</vuln>
<vuln vid="3c1a672e-e508-11de-9f4a-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r260</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.0r42</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb09-19.html">
<p>Critical vulnerabilities have been identified in Adobe
Flash Player version 10.0.32.18 and earlier. These
vulnerabilities could cause the application to crash and
could potentially allow an attacker to take control of the
affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3794</cvename>
<cvename>CVE-2009-3796</cvename>
<cvename>CVE-2009-3797</cvename>
<cvename>CVE-2009-3798</cvename>
<cvename>CVE-2009-3799</cvename>
<cvename>CVE-2009-3800</cvename>
<cvename>CVE-2009-3951</cvename>
<url>http://www.zerodayinitiative.com/advisories/ZDI-09-092/</url>
<url>http://www.zerodayinitiative.com/advisories/ZDI-09-093/</url>
<url>http://www.adobe.com/support/security/bulletins/apsb09-19.html</url>
</references>
<dates>
<discovery>2009-07-14</discovery>
<entry>2009-12-09</entry>
</dates>
</vuln>
<vuln vid="eab8c3bd-e50c-11de-9cd0-001a926c7637">
<topic>ruby -- heap overflow vulnerability</topic>
<affects>
<package>
<name>ruby</name>
<range><ge>1.9.1,1</ge><lt>1.9.1.376,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/">
<p>There is a heap overflow vulnerability in String#ljust,
String#center and String#rjust. This has allowed an attacker to run
arbitrary code in some rare cases.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4124</cvename>
<url>http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/</url>
</references>
<dates>
<discovery>2009-11-30</discovery>
<entry>2009-12-09</entry>
</dates>
</vuln>
<vuln vid="714c1406-e4cf-11de-883a-003048590f9e">
<topic>rt -- Session fixation vulnerability</topic>
<affects>
<package>
<name>rt</name>
<range><lt>3.8.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/37546">
<p>A vulnerability has been reported in RT, which can be exploited by
malicious people to conduct session fixation attacks.
The vulnerability is caused due to an error in the handling of
sessions and can be exploited to hijack another user's session by
tricking the user into logging in after following a specially crafted
link.</p>
</blockquote>
</body>
</description>
<references>
<bid>37162</bid>
<cvename>CVE-2009-3585</cvename>
</references>
<dates>
<discovery>2009-12-01</discovery>
<entry>2009-12-09</entry>
</dates>
</vuln>
<vuln vid="5f030587-e39a-11de-881e-001aa0166822">
<topic>expat2 -- Parser crash with specially formatted UTF-8 sequences</topic>
<affects>
<package>
<name>expat2</name>
<range><lt>2.0.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720">
<p>The updatePosition function in lib/xmltok_impl.c in
libexpat in Expat 2.0.1, as used in Python, PyXML,
w3c-libwww, and other software, allows context-dependent
attackers to cause a denial of service (application crash)
via an XML document with crafted UTF-8 sequences that
trigger a buffer over-read.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3720</cvename>
</references>
<dates>
<discovery>2009-01-17</discovery>
<entry>2009-12-08</entry>
</dates>
</vuln>
<vuln vid="e9fca207-e399-11de-881e-001aa0166822">
<topic>expat2 -- buffer over-read and crash</topic>
<affects>
<package>
<name>expat2</name>
<range><lt>2.0.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560">
<p>The big2_toUtf8 function in lib/xmltok.c in libexpat in
Expat 2.0.1, as used in the XML-Twig module for Perl, allows
context-dependent attackers to cause a denial of service
(application crash) via an XML document with malformed UTF-8
sequences that trigger a buffer over-read, related to the
doProlog function in lib/xmlparse.c.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3560</cvename>
</references>
<dates>
<discovery>2009-10-05</discovery>
<entry>2009-12-08</entry>
</dates>
</vuln>
<vuln vid="6431c4db-deb4-11de-9078-0030843d3802">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.10.20091120</lt></range>
</package>
<package>
<name>linux-opera</name>
<range><lt>10.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera Team reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1010/">
<ul>
<li>Fixed a heap buffer overflow in string to number conversion</li>
<li>Fixed an issue where error messages could leak onto unrelated
sites</li>
<li>Fixed a moderately severe issue, as reported by Chris Evans of
the Google Security Team; details will be disclosed at a later
date.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0689</cvename>
<cvename>CVE-2009-4071</cvename>
<url>http://www.opera.com/support/kb/view/941/</url>
<url>http://www.opera.com/support/kb/view/942/</url>
</references>
<dates>
<discovery>2009-11-23</discovery>
<entry>2009-12-01</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="77c14729-dc5e-11de-92ae-02e0184b8d35">
<topic>libtool -- Library Search Path Privilege Escalation Issue</topic>
<affects>
<package>
<name>libtool</name>
<range><lt>2.2.6b</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/37414/">
<p>Do not attempt to load an unqualified module.la file from the
current directory (by default) since doing so is insecure and is
not compliant with the documentation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3736</cvename>
<url>http://secunia.com/advisories/37414/</url>
<url>http://lists.gnu.org/archive/html/libtool/2009-11/msg00059.html</url>
</references>
<dates>
<discovery>2009-11-25</discovery>
<entry>2009-11-28</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="94edff42-d93d-11de-a434-0211d880e350">
<topic>libvorbis -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libvorbis</name>
<range><lt>1.2.3_1,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Ubuntu security team reports:</p>
<blockquote cite="http://www.ubuntu.com/usn/usn-861-1">
<p>It was discovered that libvorbis did not correctly
handle certain malformed vorbis files. If a user were
tricked into opening a specially crafted vorbis file
with an application that uses libvorbis, an attacker
could cause a denial of service or possibly execute
arbitrary code with the user's privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-1420</cvename>
<cvename>CVE-2009-3379</cvename>
</references>
<dates>
<discovery>2009-11-24</discovery>
<entry>2009-11-24</entry>
</dates>
</vuln>
<vuln vid="92ca92c1-d859-11de-89f9-001517351c22">
<topic>bugzilla -- information leak</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>3.3.1</gt><lt>3.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4.3/">
<p>When a bug is in a group, none of its information
(other than its status and resolution) should be visible
to users outside that group. It was discovered that
as of 3.3.2, Bugzilla was showing the alias of the bug
(a very short string used as a shortcut for looking up
the bug) to users outside of the group, if the protected
bug ended up in the "Depends On" or "Blocks" list of any
other bug.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3386</cvename>
<url>http://www.bugzilla.org/security/3.4.3/</url>
</references>
<dates>
<discovery>2009-11-18</discovery>
<entry>2009-11-23</entry>
</dates>
</vuln>
<vuln vid="04104985-d846-11de-84e4-00215af774f0">
<topic>cacti -- cross-site scripting issues</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.7e4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cacti development team reports:</p>
<blockquote cite="http://docs.cacti.net/#cross-site_scripting_fixes">
<p>The Cross-Site Scripting patch has been posted.</p>
<p>This patch addresses cross-site scripting issues reported
by Moritz Naumann.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4032</cvename>
<url>http://docs.cacti.net/#cross-site_scripting_fixes</url>
</references>
<dates>
<discovery>2009-11-21</discovery>
<entry>2009-11-23</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="0640198a-d117-11de-b667-0030843d3802">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>2.8.6,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<range><lt>2.8.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/37332/">
<p>The security issue is caused due to the wp_check_filetype()
function in /wp-includes/functions.php improperly validating uploaded
files. This can be exploited to execute arbitrary PHP code by
uploading a malicious PHP script with multiple extensions.</p>
<p>Successful exploitation of this vulnerability requires that Apache
is not configured to handle the mime-type for media files with an e.g.
"gif", "jpg", "png", "tif", "wmv" extension.</p>
<p>Input passed via certain parameters to press-this.php is not
properly sanitised before being displayed to the user. This can be
exploited to insert arbitrary HTML and script code, which will be
executed in a user's browser session in context of an affected site
when the malicious data is being viewed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3890</cvename>
<cvename>CVE-2009-3891</cvename>
<url>http://wordpress.org/development/2009/11/wordpress-2-8-6-security-release/</url>
<url>http://secunia.com/advisories/37332/</url>
</references>
<dates>
<discovery>2009-11-12</discovery>
<entry>2009-11-14</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="68bda678-caab-11de-a97e-be89dfd1042e">
<topic>p5-HTML-Parser -- denial of service</topic>
<affects>
<package>
<name>p5-HTML-Parser</name>
<range><lt>3.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3627">
<p>The decode_entities function in util.c in HTML-Parser before
3.63 allows context-dependent attackers to cause a denial of service
(infinite loop) via an incomplete SGML numeric character reference,
which triggers generation of an invalid UTF-8 character.</p>
</blockquote>
</body>
</description>
<references>
<bid>36807</bid>
<cvename>CVE-2009-3627</cvename>
<url>http://secunia.com/advisories/37155</url>
</references>
<dates>
<discovery>2009-10-23</discovery>
<entry>2009-11-06</entry>
</dates>
</vuln>
<vuln vid="4e8344a3-ca52-11de-8ee8-00215c6a37bb">
<topic>gd -- '_gdGetColors' remote buffer overflow vulnerability</topic>
<affects>
<package>
<name>gd</name>
<range><lt>2.0.35_2,1</lt></range>
</package>
<package>
<name>php5-gd</name>
<range><lt>5.2.11_2</lt></range>
</package>
<package>
<name>php4-gd</name>
<range><lt>4.4.9_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546">
<p>The _gdGetColors function in gd_gd.c in PHP 5.2.11 and
5.3.0, and the GD Graphics Library 2.x, does not properly
verify a certain colorsTotal structure member, which might
allow remote attackers to conduct buffer overflow or buffer
over-read attacks via a crafted GD file, a different
vulnerability than CVE-2009-3293.</p>
</blockquote>
</body>
</description>
<references>
<bid>36712</bid>
<cvename>CVE-2009-3546</cvename>
<url>http://secunia.com/advisories/37069</url>
<url>http://secunia.com/advisories/37080</url>
</references>
<dates>
<discovery>2009-10-15</discovery>
<entry>2009-11-05</entry>
<modified>2010-06-17</modified>
</dates>
</vuln>
<vuln vid="6693bad2-ca50-11de-8ee8-00215c6a37bb">
<topic>typo3 -- multiple vulnerabilities in TYPO3 Core</topic>
<affects>
<package>
<name>typo3</name>
<range><lt>4.2.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TYPO3 development team reports:</p>
<blockquote cite="http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/">
<p>Affected versions: TYPO3 versions 4.0.13 and below, 4.1.12
and below, 4.2.9 and below, 4.3.0beta1 and below.</p>
<p>SQL injection, Cross-site scripting (XSS), Information
disclosure, Frame hijacking, Remote shell command execution
and Insecure Install Tool authentication/session handling.</p>
</blockquote>
</body>
</description>
<references>
<bid>36801</bid>
<cvename>CVE-2009-3628</cvename>
<cvename>CVE-2009-3629</cvename>
<cvename>CVE-2009-3630</cvename>
<cvename>CVE-2009-3631</cvename>
<cvename>CVE-2009-3632</cvename>
<cvename>CVE-2009-3633</cvename>
<cvename>CVE-2009-3634</cvename>
<cvename>CVE-2009-3635</cvename>
<cvename>CVE-2009-3636</cvename>
<url>http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/</url>
<url>http://secunia.com/advisories/37122/</url>
</references>
<dates>
<discovery>2009-10-22</discovery>
<entry>2009-11-05</entry>
</dates>
</vuln>
<vuln vid="3149ab1c-c8b9-11de-b87b-0011098ad87f">
<topic>vlc -- stack overflow in MP4, AVI and ASF demuxer</topic>
<affects>
<package>
<name>vlc</name>
<range><ge>0.5.0</ge><lt>1.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>VideoLAN reports:</p>
<blockquote cite="http://www.videolan.org/security/sa0901.html">
<p>When parsing an MP4, ASF or AVI file with an overly deep box
structure, a stack overflow might occur. It would overwrite the
return address and thus redirect the execution flow.</p>
<p>If successful, a malicious third party could trigger execution
of arbitrary code within the context of the VLC media player.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.videolan.org/security/sa0901.html</url>
</references>
<dates>
<discovery>2009-09-14</discovery>
<entry>2009-11-03</entry>
</dates>
</vuln>
<vuln vid="6f358f5a-c7ea-11de-a9f3-0030843d3802">
<topic>KDE -- multiple vulnerabilities</topic>
<affects>
<package>
<name>kdebase-runtime</name>
<range><ge>4.0.*</ge><lt>4.3.1_2</lt></range>
</package>
<package>
<name>kdelibs</name>
<range><ge>4.0.*</ge><lt>4.3.1_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2009-015.html">
<p>Ark input sanitization errors: The KDE archiving tool, Ark,
performs insufficient validation, which leads to specially crafted
archive files, using unknown MIME types, being rendered using a KHTML
instance; this can trigger uncontrolled XMLHTTPRequests to remote
sites.</p>
<p>IO Slaves input sanitization errors: KDE protocol handlers perform
insufficient input validation; an attacker can craft malicious URIs
that would trigger JavaScript execution. Additionally the 'help://'
protocol handler suffers from directory traversal. It should be noted
that the scope of this issue is limited as the malicious URIs cannot
be embedded in Internet hosted content.</p>
<p>KMail input sanitization errors: The KDE mail client, KMail, performs
insufficient validation, which leads to specially crafted email
attachments, using unknown MIME types, being rendered using a KHTML
instance; this can trigger uncontrolled XMLHTTPRequests to remote
sites.</p>
<p>The exploitation of these vulnerabilities is unlikely according to
Portcullis and KDE but the execution of active content is nonetheless
unexpected and might pose a threat.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.ocert.org/advisories/ocert-2009-015.html</url>
</references>
<dates>
<discovery>2009-10-30</discovery>
<entry>2009-11-02</entry>
</dates>
</vuln>
<vuln vid="2fda6bd2-c53c-11de-b157-001999392805">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.01.20091019</lt></range>
</package>
<package>
<name>linux-opera</name>
<range><lt>10.01</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera Team reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1001/">
<ul>
<li>Fixed an issue where certain domain names could allow execution
of arbitrary code, as reported by Chris Weber of Casaba Security</li>
<li>Fixed an issue where scripts can run on the feed subscription
page, as reported by Inferno</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3831</cvename>
<url>http://www.opera.com/support/kb/view/938/</url>
<url>http://www.opera.com/support/kb/view/939/</url>
</references>
<dates>
<discovery>2009-10-28</discovery>
<entry>2009-10-31</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="83d7d149-b965-11de-a515-0022156e8794">
<topic>Enhanced cTorrent -- stack-based overflow</topic>
<affects>
<package>
<name>ctorrent</name>
<range><lt>3.3.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Securityfocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/34584">
<p>cTorrent and dTorrent are prone to a remote buffer-overflow
vulnerability because the software fails to properly
bounds-check user-supplied input before copying it to an
insufficiently sized memory buffer.</p>
<p>Successful exploits allow remote attackers to execute
arbitrary machine code in the context of a vulnerable
application. Failed exploit attempts will likely result in
denial-of-service conditions.</p>
</blockquote>
</body>
</description>
<references>
<bid>34584</bid>
<cvename>CVE-2009-1759</cvename>
<url>http://sourceforge.net/tracker/?func=detail&amp;aid=2782875&amp;group_id=202532&amp;atid=981959</url>
</references>
<dates>
<discovery>2009-10-15</discovery>
<entry>2009-10-28</entry>
</dates>
</vuln>
<vuln vid="c87aa2d2-c3c4-11de-ab08-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.4,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.15,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.0.15</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="http://www.mozilla.org/security/announce/">
<p>MFSA 2009-64 Crashes with evidence of memory
corruption (rv:1.9.1.4/ 1.9.0.15)</p>
<p>MFSA 2009-63 Upgrade media libraries to fix memory
safety bugs</p>
<p>MFSA 2009-62 Download filename spoofing with RTL
override</p>
<p>MFSA 2009-61 Cross-origin data theft through
document.getSelection()</p>
<p>MFSA 2009-59 Heap buffer overflow in string to
number conversion</p>
<p>MFSA 2009-57 Chrome privilege escalation in
XPCVariant::VariantDataToJS()</p>
<p>MFSA 2009-56 Heap buffer overflow in GIF color map
parser</p>
<p>MFSA 2009-55 Crash in proxy auto-configuration
regexp parsing</p>
<p>MFSA 2009-54 Crash with recursive web-worker calls</p>
<p>MFSA 2009-53 Local downloaded file tampering</p>
<p>MFSA 2009-52 Form history vulnerable to stealing</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3380</cvename>
<cvename>CVE-2009-3381</cvename>
<cvename>CVE-2009-3382</cvename>
<cvename>CVE-2009-3383</cvename>
<cvename>CVE-2009-3379</cvename>
<cvename>CVE-2009-3378</cvename>
<cvename>CVE-2009-3377</cvename>
<cvename>CVE-2009-3376</cvename>
<cvename>CVE-2009-3375</cvename>
<cvename>CVE-2009-1563</cvename>
<cvename>CVE-2009-3374</cvename>
<cvename>CVE-2009-3373</cvename>
<cvename>CVE-2009-3372</cvename>
<cvename>CVE-2009-3371</cvename>
<cvename>CVE-2009-3274</cvename>
<cvename>CVE-2009-3370</cvename>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-64.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-63.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-62.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-61.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-59.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-57.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-56.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-55.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-54.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-53.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-52.html</url>
</references>
<dates>
<discovery>2009-10-27</discovery>
<entry>2009-10-28</entry>
<modified>2009-12-14</modified>
</dates>
</vuln>
<vuln vid="2544f543-c178-11de-b175-001cc0377035">
<topic>elinks -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>elinks</name>
<range><lt>0.11.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/36574/discuss">
<p>ELinks is prone to an off-by-one buffer-overflow vulnerability
because the application fails to accurately reference the last
element of a buffer.</p>
<p>Attackers may leverage this issue to execute arbitrary code in
the context of the application. Failed attacks will cause
denial-of-service conditions.</p>
</blockquote>
</body>
</description>
<references>
<bid>36574</bid>
<cvename>CVE-2008-7224</cvename>
<mlist msgid="20080204235429.GA28006@diku.dk">http://linuxfromscratch.org/pipermail/elinks-users/2008-February/001604.html</mlist>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=380347</url>
</references>
<dates>
<discovery>2006-07-29</discovery>
<entry>2009-10-25</entry>
</dates>
</vuln>
<vuln vid="692ab645-bf5d-11de-849b-00151797c2d4">
<topic>squidGuard -- multiple vulnerabilities</topic>
<affects>
<package>
<name>squidGuard</name>
<range><lt>1.4_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SquidGuard website reports:</p>
<blockquote cite="http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20091015">
<p>Patch 20091015 fixes one buffer overflow problem
in sgLog.c when overlong URLs are requested.
SquidGuard will then go into emergency mode where
no blocking occurs. This is not required in this
situation.</p>
</blockquote>
<blockquote cite="http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20091019">
<p>Patch 20091019 fixes two bypass problems with URLs
whose length is close to the limit defined by MAX_BUF
(default: 4096) in squidGuard and MAX_URL (default:
4096 in squid 2.x and 8192 in squid 3.x) in squid.
For URLs of this kind the proxy request exceeds MAX_BUF
causing squidGuard to complain about not being able to
parse the squid request. Increasing the buffer limit
to be higher than the one defined in MAX_URL solves the
issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3700</cvename>
<cvename>CVE-2009-3826</cvename>
<url>http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20091015</url>
<url>http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20091019</url>
</references>
<dates>
<discovery>2009-10-15</discovery>
<entry>2009-10-22</entry>
<modified>2010-05-06</modified>
</dates>
</vuln>
<vuln vid="8581189c-bd5f-11de-8709-0017a4cccfc6">
<topic>Xpdf -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>xpdf</name>
<range><lt>3.02_11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/507261">
<p>Some vulnerabilities have been reported in Xpdf, which can be
exploited by malicious people to potentially compromise a user's
system.</p>
<p>1) Multiple integer overflows in "SplashBitmap::SplashBitmap()"
can be exploited to cause heap-based buffer overflows.</p>
<p>2) An integer overflow error in "ObjectStream::ObjectStream()"
can be exploited to cause a heap-based buffer overflow.</p>
<p>3) Multiple integer overflows in "Splash::drawImage()" can be
exploited to cause heap-based buffer overflows.</p>
<p>4) An integer overflow error in "PSOutputDev::doImageL1Sep()"
can be exploited to cause a heap-based buffer overflow when
converting a PDF document to a PS file.</p>
<p>Successful exploitation of the vulnerabilities may allow execution
of arbitrary code by tricking a user into opening a specially crafted
PDF file.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.securityfocus.com/archive/1/507261</url>
<url>http://secunia.com/advisories/37053/</url>
</references>
<dates>
<discovery>2009-10-14</discovery>
<entry>2009-10-20</entry>
</dates>
</vuln>
<vuln vid="87917d6f-ba76-11de-bac2-001a4d563a0f">
<topic>django -- denial-of-service attack</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><lt>1.1.1</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>11603,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django project reports:</p>
<blockquote cite="http://www.djangoproject.com/weblog/2009/oct/09/security/">
<p>Django's forms library includes field types which perform
regular-expression-based validation of email addresses and
URLs. Certain addresses/URLs could trigger a pathological
performance case in these regular expressions, resulting in
the server process/thread becoming unresponsive, and consuming
excessive CPU over an extended period of time. If deliberately
triggered, this could result in an effective
denial-of-service attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3695</cvename>
<url>http://www.djangoproject.com/weblog/2009/oct/09/security/</url>
</references>
<dates>
<discovery>2009-10-09</discovery>
<entry>2009-10-16</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="4769914e-b844-11de-b159-0030843d3802">
<topic>phpmyadmin -- XSS and SQL injection vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.2.2.1</lt></range>
</package>
<package>
<name>phpMyAdmin211</name>
<range><lt>2.11.9.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin Team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2009-6.php">
<p>Cross-site scripting (XSS) vulnerability allows remote attackers to
inject arbitrary web script or HTML via a crafted MySQL table name.</p>
<p>SQL injection vulnerability allows remote attackers to inject SQL via
various interface parameters of the PDF schema generator feature.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3696</cvename>
<cvename>CVE-2009-3697</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2009-6.php</url>
</references>
<dates>
<discovery>2009-10-13</discovery>
<entry>2009-10-13</entry>
</dates>
</vuln>
<vuln vid="437a68cf-b752-11de-b6eb-00e0815b8da8">
<topic>php5 -- Multiple security issues</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.2.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The vendor reports:</p>
<blockquote cite="http://www.php.net/releases/5_2_11.php">
<p>Security Enhancements and Fixes in PHP 5.2.11:</p>
<ul>
<li>Fixed certificate validation inside
php_openssl_apply_verification_policy.</li>
<li>Fixed sanity check for the color index in imagecolortransparent.</li>
<li>Added missing sanity checks around exif processing.</li>
<li>Fixed bug 44683 (popen crashes when an invalid mode is passed).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.php.net/releases/5_2_11.php</url>
<cvename>CVE-2009-3291</cvename>
<cvename>CVE-2009-3292</cvename>
<cvename>CVE-2009-3293</cvename>
</references>
<dates>
<discovery>2009-09-17</discovery>
<entry>2009-10-12</entry>
</dates>
</vuln>
<vuln vid="ebeed063-b328-11de-b6a5-0030843d3802">
<topic>virtualbox -- privilege escalation</topic>
<affects>
<package>
<name>virtualbox</name>
<range><lt>3.0.51.r22902_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sun reports:</p>
<blockquote cite="http://sunsolve.sun.com/search/document.do?assetkey=1-66-268188-1">
<p>A security vulnerability in the VBoxNetAdpCtl configuration tool
for certain Sun VirtualBox 3.0 packages may allow local unprivileged
users who are authorized to run VirtualBox to execute arbitrary
commands with root privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3692</cvename>
<url>http://sunsolve.sun.com/search/document.do?assetkey=1-66-268188-1</url>
<url>http://secunia.com/advisories/36929</url>
</references>
<dates>
<discovery>2009-10-07</discovery>
<entry>2009-10-07</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="50383bde-b25b-11de-8c83-02e0185f8d72">
<topic>FreeBSD -- Devfs / VFS NULL pointer race condition</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><gt>6.3</gt><lt>6.3_13</lt></range>
<range><gt>6.4</gt><lt>6.4_7</lt></range>
<range><gt>7.1</gt><lt>7.1_8</lt></range>
<range><gt>7.2</gt><lt>7.2_4</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>Due to the interaction between devfs and VFS, a race condition
exists where the kernel might dereference a NULL pointer.</p>
<h1>Impact:</h1>
<p>Successful exploitation of the race condition can lead to local
kernel privilege escalation, kernel data corruption and/or
crash.</p>
<p>To exploit this vulnerability, an attacker must be able to run
code with user privileges on the target system.</p>
<h1>Workaround:</h1>
<p>An errata notice, FreeBSD-EN-09:05.null, has been released
simultaneously with this advisory and contains a kernel patch
implementing a workaround for a broader class of
vulnerabilities. However, prior to those changes, no workaround
is available.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:14.devfs</freebsdsa>
</references>
<dates>
<discovery>2009-10-02</discovery>
<entry>2009-10-06</entry>
</dates>
</vuln>
<vuln vid="90d2e58f-b25a-11de-8c83-02e0185f8d72">
<topic>FreeBSD -- kqueue pipe race conditions</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><gt>6.3</gt><lt>6.4_7</lt></range>
<range><gt>6.4</gt><lt>6.3_13</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A race condition exists in the pipe close() code relating
to kqueues, causing use-after-free for kernel memory, which
may lead to an exploitable NULL pointer vulnerability in the
kernel, kernel memory corruption, and other unpredictable
results.</p>
<h1>Impact:</h1>
<p>Successful exploitation of the race condition can lead to
local kernel privilege escalation, kernel data corruption
and/or crash.</p>
<p>To exploit this vulnerability, an attacker must be able to
run code on the target system.</p>
<h1>Workaround:</h1>
<p>An errata notice, FreeBSD-EN-09:05.null, has been released
simultaneously with this advisory and contains a kernel patch
implementing a workaround for a broader class of
vulnerabilities. However, prior to those changes, no
workaround is available.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:13.pipe</freebsdsa>
</references>
<dates>
<discovery>2009-10-02</discovery>
<entry>2009-10-06</entry>
</dates>
</vuln>
<vuln vid="beb6f4a8-add5-11de-8b55-0030843d3802">
<topic>mybb -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mybb</name>
<range><lt>1.4.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>mybb team reports:</p>
<blockquote cite="http://blog.mybboard.net/2009/09/21/mybb-1-4-9-released-security-update/">
<p>Input passed via avatar extensions is not properly sanitised before
being used in SQL queries. This can be exploited to manipulate SQL
queries by uploading specially named avatars.</p>
<p>The script allows users to sign up with usernames containing zero width
space characters, which can be exploited to e.g. conduct spoofing
attacks.</p>
</blockquote>
</body>
</description>
<references>
<bid>36460</bid>
<url>http://dev.mybboard.net/issues/464</url>
<url>http://dev.mybboard.net/issues/418</url>
<url>http://secunia.com/advisories/36803</url>
<url>http://blog.mybboard.net/2009/09/21/mybb-1-4-9-released-security-update/</url>
</references>
<dates>
<discovery>2009-09-21</discovery>
<entry>2009-09-30</entry>
</dates>
</vuln>
<vuln vid="bad1b090-a7ca-11de-873f-0030843d3802">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal5</name>
<range><lt>5.20</lt></range>
</package>
<package>
<name>drupal6</name>
<range><lt>6.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Team reports:</p>
<blockquote cite="http://drupal.org/node/579482">
<p>The core OpenID module does not correctly implement Form API for
the form that allows one to link user accounts with OpenID
identifiers. A malicious user is therefore able to use cross site
request forgeries to add attacker controlled OpenID identities to
existing accounts. These OpenID identities can then be used to gain
access to the affected accounts.</p>
<p>The OpenID module is not a compliant implementation of the OpenID
Authentication 2.0 specification. An implementation error allows a
user to access the account of another user when they share the same
OpenID 2.0 provider.</p>
<p>File uploads with certain extensions are not correctly processed by
the File API. This may lead to the creation of files that are
executable by Apache. The .htaccess that is saved into the files
directory by Drupal should normally prevent execution. The files are
only executable when the server is configured to ignore the directives
in the .htaccess file.</p>
<p>Drupal doesn't regenerate the session ID when an anonymous user
follows the one time login link used to confirm email addresses and
reset forgotten passwords. This enables a malicious user to fix and
reuse the session id of a victim under certain circumstances.</p>
</blockquote>
</body>
</description>
<references>
<url>http://drupal.org/node/579482</url>
<url>http://secunia.com/advisories/36787/</url>
<url>http://secunia.com/advisories/36786/</url>
<url>http://secunia.com/advisories/36781/</url>
<url>http://secunia.com/advisories/36776/</url>
<url>http://secunia.com/advisories/36785/</url>
</references>
<dates>
<discovery>2009-09-17</discovery>
<entry>2009-09-22</entry>
</dates>
</vuln>
<vuln vid="113cd7e9-a4e2-11de-84af-001195e39404">
<topic>fwbuilder -- security issue in temporary file handling</topic>
<affects>
<package>
<name>fwbuilder</name>
<range><lt>3.0.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Firewall Builder release notes report:</p>
<blockquote cite="http://www.fwbuilder.org/docs/firewall_builder_release_notes.html#3.0.7">
<p>Vadim Kurland (vadim.kurland@fwbuilder.org) reports:</p>
<p>Fwbuilder and libfwbuilder 3.0.4 through to 3.0.6 generate
iptables scripts with a security issue when also used to
generate static routing configurations.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4664</cvename>
<url>http://www.fwbuilder.org/docs/firewall_builder_release_notes.html#3.0.7</url>
</references>
<dates>
<discovery>2009-09-18</discovery>
<entry>2009-09-18</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="b9ec7fe3-a38a-11de-9c6b-003048818f40">
<topic>bugzilla -- two SQL injections, sensitive data exposure</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>3.3.1</gt><lt>3.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4/">
<ul>
<li>It is possible to inject raw SQL into the Bugzilla
database via the "Bug.create" and "Bug.search" WebService
functions.</li>
<li>When a user would change his password, his new password would
be exposed in the URL field of the browser if he logged in right
after changing his password.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3125</cvename>
<cvename>CVE-2009-3165</cvename>
<cvename>CVE-2009-3166</cvename>
<url>http://www.bugzilla.org/security/3.0.8/</url>
</references>
<dates>
<discovery>2009-09-11</discovery>
<entry>2009-09-17</entry>
</dates>
</vuln>
<vuln vid="ee23aa09-a175-11de-96c0-0011098ad87f">
<topic>horde-base -- multiple vulnerabilities</topic>
<affects>
<package>
<name>horde-base</name>
<range><lt>3.3.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.558&amp;r2=1.515.2.559">
<p>An error within the form library when handling image form fields can
be exploited to overwrite arbitrary local files.</p>
<p>An error exists within the MIME Viewer library when rendering unknown
text parts. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site if
malicious data is viewed.</p>
<p>The preferences system does not properly sanitise numeric preference
types. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.</p>
</blockquote>
</body>
</description>
<references>
<url>http://bugs.horde.org/ticket/?id=8311</url>
<url>http://bugs.horde.org/ticket/?id=8399</url>
<url>http://secunia.com/advisories/36665/</url>
<url>http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.558&amp;r2=1.515.2.559</url>
</references>
<dates>
<discovery>2009-05-28</discovery>
<entry>2009-09-14</entry>
<modified>2009-09-22</modified>
</dates>
</vuln>
<vuln vid="152b27f0-a158-11de-990c-e5b1d4c882e0">
<topic>nginx -- remote denial of service vulnerability</topic>
<affects>
<package>
<name>nginx</name>
<range><lt>0.7.62</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><lt>0.8.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>nginx development team reports:</p>
<blockquote cite="http://nginx.net/CHANGES">
<p>A segmentation fault might occur in a worker process while
handling a specially crafted request.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2629</cvename>
<url>http://nginx.net/CHANGES</url>
<mlist msgid="20090914155338.GA2529@ngolde.de">http://lists.debian.org/debian-security-announce/2009/msg00205.html</mlist>
</references>
<dates>
<discovery>2009-09-14</discovery>
<entry>2009-09-14</entry>
<modified>2009-09-15</modified>
</dates>
</vuln>
<vuln vid="6e8f54af-a07d-11de-a649-000c2955660f">
<topic>ikiwiki -- insufficient blacklisting in teximg plugin</topic>
<affects>
<package>
<name>ikiwiki</name>
<range><lt>3.1415926</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The IkiWiki development team reports:</p>
<blockquote cite="http://ikiwiki.info/security/#index35h2">
<p>IkiWiki's teximg plugin's blacklisting of insecure TeX commands
is insufficient; it can be bypassed and used to read arbitrary
files.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2944</cvename>
<url>http://ikiwiki.info/security/#index35h2</url>
</references>
<dates>
<discovery>2009-08-28</discovery>
<entry>2009-09-13</entry>
</dates>
</vuln>
<vuln vid="b46f3a1e-a052-11de-a649-000c2955660f">
<topic>xapian-omega -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>xapian-omega</name>
<range><lt>1.0.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Olly Betts reports:</p>
<blockquote cite="http://lists.xapian.org/pipermail/xapian-discuss/2009-September/007115.html">
<p>There's a cross-site scripting issue in Omega - exception
messages don't currently get HTML entities escaped, but can
contain CGI parameter values in some cases.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2947</cvename>
<url>http://lists.xapian.org/pipermail/xapian-discuss/2009-September/007115.html</url>
</references>
<dates>
<discovery>2009-09-09</discovery>
<entry>2009-09-13</entry>
</dates>
</vuln>
<vuln vid="922d2398-9e2d-11de-a998-0030843d3802">
<topic>mozilla firefox -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.3,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.13,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="http://www.mozilla.org/security/announce/">
<p>MFSA 2009-51 Chrome privilege escalation with FeedWriter</p>
<p>MFSA 2009-50 Location bar spoofing via tall line-height Unicode
characters</p>
<p>MFSA 2009-49 TreeColumns dangling pointer vulnerability</p>
<p>MFSA 2009-48 Insufficient warning for PKCS11 module installation
and removal</p>
<p>MFSA 2009-47 Crashes with evidence of memory corruption
(rv:1.9.1.3/1.9.0.14)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3069</cvename>
<cvename>CVE-2009-3070</cvename>
<cvename>CVE-2009-3071</cvename>
<cvename>CVE-2009-3072</cvename>
<cvename>CVE-2009-3073</cvename>
<cvename>CVE-2009-3074</cvename>
<cvename>CVE-2009-3075</cvename>
<cvename>CVE-2009-3076</cvename>
<cvename>CVE-2009-3077</cvename>
<cvename>CVE-2009-3078</cvename>
<cvename>CVE-2009-3079</cvename>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-47.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-48.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-49.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-50.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-51.html</url>
<url>http://secunia.com/advisories/36671/2/</url>
</references>
<dates>
<discovery>2009-09-10</discovery>
<entry>2009-09-10</entry>
</dates>
</vuln>
<vuln vid="012b495c-9d51-11de-8d20-001bd3385381">
<topic>cyrus-imapd -- Potential buffer overflow in Sieve</topic>
<affects>
<package>
<name>cyrus-imapd</name>
<range><gt>2.2.0</gt><lt>2.2.13_6</lt></range>
<range><gt>2.3.0</gt><lt>2.3.14_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Cyrus IMAP Server ChangeLog states:</p>
<blockquote cite="http://cyrusimap.web.cmu.edu/imapd/changes.html">
<p>Fixed CERT VU#336053 - Potential buffer overflow in Sieve.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2632</cvename>
<bid>36296</bid>
<url>http://www.kb.cert.org/vuls/id/336053</url>
<url>http://www.debian.org/security/2009/dsa-1881</url>
</references>
<dates>
<discovery>2009-09-02</discovery>
<entry>2009-09-09</entry>
<modified>2009-09-14</modified>
</dates>
</vuln>
<vuln vid="24aa9970-9ccd-11de-af10-000c29a67389">
<topic>silc-toolkit -- Format string vulnerabilities</topic>
<affects>
<package>
<name>silc-toolkit</name>
<range><lt>1.1.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SILC changelog reports:</p>
<blockquote cite="http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.10">
<p>An unspecified format string vulnerability exists in
silc-toolkit.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3051</cvename>
<url>http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.10</url>
<url>http://www.openwall.com/lists/oss-security/2009/09/03/5</url>
</references>
<dates>
<discovery>2009-08-07</discovery>
<entry>2009-09-08</entry>
</dates>
</vuln>
<vuln vid="4582948a-9716-11de-83a5-001999392805">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.00.20090830</lt></range>
</package>
<package>
<name>opera-devel</name>
<range><le>10.00.b3_1,1</le></range>
</package>
<package>
<name>linux-opera</name>
<range><lt>10.00</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera Team reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/freebsd/1000/">
<ul>
<li>Issue where sites using revoked intermediate certificates might be shown as secure</li>
<li>Issue where the collapsed address bar didn't show the current domain</li>
<li>Issue where pages could trick users into uploading files</li>
<li>Some IDNA characters not correctly displaying in the address bar</li>
<li>Issue where Opera accepts nulls and invalid wild-cards in certificates</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/search/view/929/</url>
<url>http://www.opera.com/support/search/view/930/</url>
<url>http://www.opera.com/support/search/view/931/</url>
<url>http://www.opera.com/support/search/view/932/</url>
<url>http://www.opera.com/support/search/view/934/</url>
</references>
<dates>
<discovery>2009-09-01</discovery>
<entry>2009-09-04</entry>
<modified>2009-10-29</modified>
</dates>
</vuln>
<vuln vid="80aa98e0-97b4-11de-b946-0030843d3802">
<topic>dnsmasq -- TFTP server remote code injection vulnerability</topic>
<affects>
<package>
<name>dnsmasq</name>
<range><lt>2.50</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Kelley reports:</p>
<blockquote cite="http://www.thekelleys.org.uk/dnsmasq/CHANGELOG">
<p>Fix a security problem which allowed any host permitted to
do TFTP to possibly compromise dnsmasq by remote buffer
overflow when TFTP is enabled.</p>
<p>Fix a problem which allowed a malicious TFTP client to
crash dnsmasq.</p>
</blockquote>
</body>
</description>
<references>
<bid>36121</bid>
<bid>36120</bid>
<cvename>CVE-2009-2957</cvename>
<cvename>CVE-2009-2958</cvename>
<url>http://www.coresecurity.com/content/dnsmasq-vulnerabilities</url>
<url>https://rhn.redhat.com/errata/RHSA-2009-1238.html</url>
</references>
<dates>
<discovery>2009-08-31</discovery>
<entry>2009-09-02</entry>
</dates>
</vuln>
<vuln vid="e15f2356-9139-11de-8f42-001aa0166822">
<topic>apache22 -- several vulnerabilities</topic>
<affects>
<package>
<name>apache</name>
<range><gt>2.2.0</gt><lt>2.2.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache ChangeLog reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.2.12">
<p>CVE-2009-1891: Fix a potential Denial-of-Service attack against mod_deflate or other modules.</p>
<p>CVE-2009-1195: Prevent the "Includes" Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it.</p>
<p>CVE-2009-1890: Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration.</p>
<p>CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body.</p>
<p>CVE-2009-0023, CVE-2009-1955, CVE-2009-1956: The bundled copy of the APR-util library has been updated, fixing three different security issues which may affect particular configurations and third-party modules (was already fixed in 2.2.11_5).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1891</cvename><!-- vul: 2.2.11 -->
<cvename>CVE-2009-1195</cvename><!-- vul: 2.2.x to 2.2.11 -->
<cvename>CVE-2009-1890</cvename><!-- ok: 2.3.3 -->
<cvename>CVE-2009-1191</cvename><!-- vul: 2.2.11 -->
<cvename>CVE-2009-0023</cvename><!-- ok: apr 1.3.5 -->
<cvename>CVE-2009-1955</cvename><!-- ok: apr-util 1.3.7 -->
<cvename>CVE-2009-1956</cvename><!-- ok: apr-util 1.3.5 -->
</references>
<dates>
<discovery>2009-07-28</discovery><!-- release date of 2.2.12 -->
<entry>2009-08-25</entry>
</dates>
</vuln>
<vuln vid="59e7af2d-8db7-11de-883b-001e3300a30d">
<topic>pidgin -- MSN overflow parsing SLP messages</topic>
<affects>
<package>
<name>pidgin</name>
<name>libpurple</name>
<name>finch</name>
<range><lt>2.5.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/36384">
<p>A vulnerability has been reported in Pidgin, which can be
exploited by malicious people to potentially compromise a user's
system.</p>
<p>The vulnerability is caused due to an error in the
"msn_slplink_process_msg()" function when processing MSN SLP
messages and can be exploited to corrupt memory.</p>
<p>Successful exploitation may allow execution of arbitrary
code.</p>
<p>The vulnerability is reported in versions 2.5.8 and prior.
Other versions may also be affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2694</cvename>
<url>http://secunia.com/advisories/36384/</url>
<url>http://www.pidgin.im/news/security/?id=34</url>
</references>
<dates>
<discovery>2009-08-18</discovery>
<entry>2009-08-20</entry>
</dates>
</vuln>
<vuln vid="b31a1088-460f-11de-a11a-0022156e8794">
<topic>GnuTLS -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>2.6.6</lt></range>
</package>
<package>
<name>gnutls-devel</name>
<range><lt>2.7.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/34783/discuss">
<p>GnuTLS is prone to multiple remote vulnerabilities:</p>
<ul>
<li>A remote code-execution vulnerability.</li>
<li>A denial-of-service vulnerability.</li>
<li>A signature-generation vulnerability.</li>
<li>A signature-verification vulnerability.</li>
</ul>
<p>An attacker can exploit these issues to potentially execute
arbitrary code, trigger denial-of-service conditions, carry
out attacks against data signed with weak signatures, and
cause clients to accept expired or invalid certificates from
servers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1415</cvename>
<cvename>CVE-2009-1416</cvename>
<cvename>CVE-2009-1417</cvename>
<bid>34783</bid>
<url>http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515</url>
<url>http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3516</url>
<url>http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3517</url>
</references>
<dates>
<discovery>2009-05-21</discovery>
<entry>2009-08-17</entry>
</dates>
</vuln>
<vuln vid="856a6f84-8b30-11de-8062-00e0815b8da8">
<topic>GnuTLS -- improper SSL certificate verification</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>2.8.3</lt></range>
</package>
<package>
<name>gnutls-devel</name>
<range><lt>2.9.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GnuTLS reports:</p>
<blockquote cite="http://article.gmane.org/gmane.network.gnutls.general/1733">
<p>By using a NUL byte in CN/SAN fields, it was possible to fool
GnuTLS into 1) not printing the entire CN/SAN field value when
printing a certificate and 2) cause incorrect positive matches
when matching a hostname against a certificate.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2730</cvename>
<url>http://article.gmane.org/gmane.network.gnutls.general/1733</url>
<url>http://secunia.com/advisories/36266</url>
</references>
<dates>
<discovery>2009-08-11</discovery>
<entry>2009-08-17</entry>
</dates>
</vuln>
<vuln vid="86ada694-8b30-11de-b9d0-000c6e274733">
<topic>memcached -- memcached stats maps Information Disclosure Weakness</topic>
<affects>
<package>
<name>memcached</name>
<range><lt>1.2.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/34915/">
<p>A weakness has been reported in memcached, which can be exploited
by malicious people to disclose system information.</p>
<p>The weakness is caused due to the application disclosing the
content of /proc/self/maps if a stats maps command is received.
This can be exploited to disclose e.g. the addresses of allocated
memory regions.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1255</cvename>
<url>http://secunia.com/advisories/34915/</url>
</references>
<dates>
<discovery>2009-04-29</discovery>
<entry>2009-08-17</entry>
</dates>
</vuln>
<vuln vid="2430e9c3-8741-11de-938e-003048590f9e">
<topic>wordpress -- remote admin password reset vulnerability</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>2.8.4,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<range><lt>2.8.4</lt></range>
</package>
<package>
<name>wordpress-mu</name>
<range><lt>2.8.4a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>WordPress reports:</p>
<blockquote cite="http://wordpress.org/development/2009/08/2-8-4-security-release/">
<p>A specially crafted URL could be requested that would allow an
attacker to bypass a security check to verify a user requested a
password reset. As a result, the first account without a key in the
database (usually the admin account) would have its password reset and
a new password would be emailed to the account owner.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2762</cvename>
<url>http://wordpress.org/development/2009/08/2-8-4-security-release/</url>
<url>http://www.milw0rm.com/exploits/9410</url>
</references>
<dates>
<discovery>2009-08-10</discovery>
<entry>2009-08-12</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="5179d85c-8683-11de-91b9-0022157515b2">
<topic>fetchmail -- improper SSL certificate subject verification</topic>
<affects>
<package>
<name>fetchmail</name>
<range><lt>6.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://fetchmail.berlios.de/fetchmail-SA-2009-01.txt">
<p>Moxie Marlinspike demonstrated in July 2009 that some CAs would
sign certificates that contain embedded NUL characters in the
Common Name or subjectAltName fields of ITU-T X.509
certificates.</p>
<p>Applications that would treat such X.509 strings as
NUL-terminated C strings (rather than strings that contain an
explicit length field) would only check the part up to and
excluding the NUL character, so that certificate names such as
www.good.example\0www.bad.example.com would be mistaken as a
certificate name for www.good.example. fetchmail also had this
design and implementation flaw.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2666</cvename>
<url>http://fetchmail.berlios.de/fetchmail-SA-2009-01.txt</url>
</references>
<dates>
<discovery>2009-08-06</discovery>
<entry>2009-08-11</entry>
<modified>2009-08-13</modified>
</dates>
</vuln>
<vuln vid="739b94a4-838b-11de-938e-003048590f9e">
<topic>joomla15 -- com_mailto Timeout Issue</topic>
<affects>
<package>
<name>joomla15</name>
<range><lt>1.5.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Joomla! Security Center reports:</p>
<blockquote cite="http://developer.joomla.org/security/news/303-20090723-core-com-mailto-timeout-issue.html">
<p>In com_mailto, it was possible to bypass timeout protection against
sending automated emails.</p>
</blockquote>
</body>
</description>
<references>
<url>http://developer.joomla.org/security.html</url>
<url>http://secunia.com/advisories/36097/</url>
</references>
<dates>
<discovery>2009-07-22</discovery>
<entry>2009-08-07</entry>
<modified>2009-08-11</modified>
</dates>
</vuln>
<vuln vid="bce1f76d-82d0-11de-88ea-001a4d49522b">
<topic>subversion -- heap overflow vulnerability</topic>
<affects>
<package>
<name>subversion</name>
<name>subversion-freebsd</name>
<name>p5-subversion</name>
<name>py-subversion</name>
<range><lt>1.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Subversion Security Advisory reports:</p>
<blockquote cite="http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt">
<p>Subversion clients and servers have multiple heap
overflow issues in the parsing of binary deltas. This is
related to an allocation vulnerability in the APR library
used by Subversion.</p>
<p>Clients with commit access to a vulnerable server can
cause a remote heap overflow; servers can cause a heap
overflow on vulnerable clients that try to do a checkout
or update.</p>
<p>This can lead to a DoS (an exploit has been tested) and
to arbitrary code execution (no exploit tested, but the
possibility is clear).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2411</cvename>
<url>http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt</url>
</references>
<dates>
<discovery>2009-08-06</discovery>
<entry>2009-08-06</entry>
<modified>2009-08-07</modified>
</dates>
</vuln>
<vuln vid="d67b517d-8214-11de-88ea-001a4d49522b">
<topic>bugzilla -- product name information leak</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>3.3.4</gt><lt>3.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4/">
<p>Normally, users are only supposed to see products that
they can file bugs against in the "Product" drop-down on
the bug-editing page. Instead, users were being shown all
products, even those that they normally could not see. Any
user who could edit any bug could see all product
names.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.bugzilla.org/security/3.4/</url>
</references>
<dates>
<discovery>2009-07-30</discovery>
<entry>2009-08-05</entry>
</dates>
</vuln>
<vuln vid="49e8f2ee-8147-11de-a994-0030843d3802">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<name>linux-firefox</name>
<range><lt>3.*,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.13,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.2,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.2</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>1.1.18</lt></range>
</package>
<package>
<name>linux-seamonkey-devel</name>
<range><gt>0</gt></range>
</package>
<package>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>2.0.0.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/announce/">
<p>MFSA 2009-38: Data corruption with SOCKS5 reply containing DNS name
longer than 15 characters</p>
<p>MFSA 2009-42: Compromise of SSL-protected communication</p>
<p>MFSA 2009-43: Heap overflow in certificate regexp parsing</p>
<p>MFSA 2009-44: Location bar and SSL indicator spoofing via window.open()
on invalid URL</p>
<p>MFSA 2009-45: Crashes with evidence of memory corruption
(rv:1.9.1.2/1.9.0.13)</p>
<p>MFSA 2009-46: Chrome privilege escalation due to incorrectly cached
wrapper</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2404</cvename>
<cvename>CVE-2009-2408</cvename>
<cvename>CVE-2009-2454</cvename>
<cvename>CVE-2009-2470</cvename>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-38.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-42.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-43.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-44.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-45.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-46.html</url>
</references>
<dates>
<discovery>2009-08-03</discovery>
<entry>2009-08-04</entry>
<modified>2009-09-04</modified>
</dates>
</vuln>
<vuln vid="4e306850-811f-11de-8a67-000c29a67389">
<topic>silc-client -- Format string vulnerability</topic>
<affects>
<package>
<name>silc-client</name>
<name>silc-irssi-client</name>
<range><lt>1.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SILC changelog reports:</p>
<blockquote cite="http://silcnet.org/docs/changelog/SILC%20Client%201.1.8">
<p>An unspecified format string vulnerability exists in
silc-client.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3051</cvename>
<url>http://silcnet.org/docs/changelog/SILC%20Client%201.1.8</url>
</references>
<dates>
<discovery>2009-07-31</discovery>
<entry>2009-08-04</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="0d0237d0-7f68-11de-984d-0011098ad87f">
<topic>SquirrelMail -- Plug-ins compromise</topic>
<affects>
<package>
<name>squirrelmail-multilogin-plugin</name>
<range><ge>2.3.4</ge><lt>2.3.4_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The SquirrelMail Web Server has been compromised, and three plugins
are affected.</p>
<p>The port of squirrelmail-sasql-plugin is safe (right MD5), and
change_pass is not in the FreeBSD ports tree, but multilogin has a
wrong MD5.</p>
</body>
</description>
<references>
<url>http://sourceforge.net/mailarchive/message.php?msg_name=4A727634.3080008%40squirrelmail.org</url>
<url>http://squirrelmail.org/index.php</url>
</references>
<dates>
<discovery>2009-07-31</discovery>
<entry>2009-08-02</entry>
</dates>
</vuln>
<vuln vid="83725c91-7c7e-11de-9672-00e0815b8da8">
<topic>BIND -- Dynamic update message remote DoS</topic>
<affects>
<package>
<name>bind9</name>
<range><lt>9.3.6.1.1</lt></range>
</package>
<package>
<name>bind9-sdb-postgresql</name>
<name>bind9-sdb-ldap</name>
<range><lt>9.4.3.3</lt></range>
</package>
<system>
<name>FreeBSD</name>
<range><ge>6.3</ge><lt>6.3_12</lt></range>
<range><ge>6.4</ge><lt>6.4_6</lt></range>
<range><ge>7.1</ge><lt>7.1_7</lt></range>
<range><ge>7.2</ge><lt>7.2_3</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When named(8) receives a specially crafted dynamic update
message an internal assertion check is triggered which causes
named(8) to exit.</p>
<p>To trigger the problem, the dynamic update message must contain
a record of type "ANY" and at least one resource record set (RRset)
for this fully qualified domain name (FQDN) must exist on the
server.</p>
<h1>Impact:</h1>
<p>An attacker who can send DNS requests to a nameserver can cause
it to exit, thus creating a Denial of Service situation.</p>
<h1>Workaround:</h1>
<p>No generally applicable workaround is available, but some firewalls
may be able to prevent nsupdate DNS packets from reaching the
nameserver.</p>
<p>NOTE WELL: Merely configuring named(8) to ignore dynamic updates
is NOT sufficient to protect it from this vulnerability.</p>
</body>
</description>
<references>
<cvename>CVE-2009-0696</cvename>
<freebsdsa>SA-09:12.bind</freebsdsa>
<url>http://www.kb.cert.org/vuls/id/725188</url>
<url>https://www.isc.org/node/474</url>
</references>
<dates>
<discovery>2009-07-28</discovery>
<entry>2009-08-01</entry>
<modified>2009-08-04</modified>
</dates>
</vuln>
<vuln vid="708c65a5-7c58-11de-a994-0030843d3802">
<topic>mono -- XML signature HMAC truncation spoofing</topic>
<affects>
<package>
<name>mono</name>
<range><lt>2.4.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/35852/">
<p>A security issue has been reported in Mono, which can be
exploited by malicious people to conduct spoofing attacks.</p>
<p>The security issue is caused due to an error when processing
certain XML signatures.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0217</cvename>
<url>http://secunia.com/advisories/35852/</url>
<url>http://www.kb.cert.org/vuls/id/466161</url>
</references>
<dates>
<discovery>2009-07-15</discovery>
<entry>2009-07-29</entry>
</dates>
</vuln>
<vuln vid="e1156e90-7ad6-11de-b26a-0048543d60ce">
<topic>squid -- several remote denial of service vulnerabilities</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.0.1</ge><lt>3.0.17</lt></range>
<range><ge>3.1.0.1</ge><lt>3.1.0.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2009:2 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2009_2.txt">
<p>Due to incorrect buffer limits and related bound checks Squid
is vulnerable to a denial of service attack when processing
specially crafted requests or responses.</p>
<p>Due to incorrect data validation Squid is vulnerable to a
denial of service attack when processing specially crafted
responses.</p>
<p>These problems allow any trusted client or external server to
perform a denial of service attack on the Squid service.</p>
</blockquote>
<p>Squid-2.x releases are not affected.</p>
</body>
</description>
<references>
<cvename>CVE-2009-2621</cvename>
<cvename>CVE-2009-2622</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2009_2.txt</url>
</references>
<dates>
<discovery>2009-07-27</discovery>
<entry>2009-07-27</entry>
<modified>2009-08-06</modified>
</dates>
</vuln>
<vuln vid="c1ef9b33-72a6-11de-82ea-0030843d3802">
<topic>mozilla -- corrupt JIT state after deep return from native function</topic>
<affects>
<package>
<name>firefox</name>
<range><ge>3.5.*,1</ge><lt>3.5.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/announce/2009/mfsa2009-41.html">
<p>Firefox user zbyte reported a crash that we determined could result
in an exploitable memory corruption problem. In certain cases after a
return from a native function, such as escape(), the Just-in-Time
(JIT) compiler could get into a corrupt state. This could be exploited
by an attacker to run arbitrary code such as installing malware.</p>
<p>This vulnerability does not affect earlier versions of Firefox
which do not support the JIT feature.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2477</cvename>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-41.html</url>
<url>http://www.kb.cert.org/vuls/id/443060</url>
</references>
<dates>
<discovery>2009-07-16</discovery>
<entry>2009-07-17</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="c444c8b7-7169-11de-9ab7-000c29a67389">
<topic>isc-dhcp-client -- Stack overflow vulnerability</topic>
<affects>
<package>
<name>isc-dhcp31-client</name>
<range><le>3.1.1</le></range>
</package>
<package>
<name>isc-dhcp30-client</name>
<range><lt>3.0.7_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/410676">
<p>The ISC DHCP dhclient application contains a stack buffer
overflow, which may allow a remote, unauthenticated attacker to
execute arbitrary code with root privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0692</cvename>
<url>https://www.isc.org/node/468</url>
<url>http://secunia.com/advisories/35785</url>
<url>http://www.kb.cert.org/vuls/id/410676</url>
</references>
<dates>
<discovery>2009-07-14</discovery>
<entry>2009-07-15</entry>
<modified>2009-07-21</modified>
</dates>
</vuln>
<vuln vid="be927298-6f97-11de-b444-001372fd0af2">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal5</name>
<range><lt>5.19</lt></range>
</package>
<package>
<name>drupal6</name>
<range><lt>6.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Drupal Security Team reports:</p>
<blockquote cite="http://drupal.org/node/507572">
<p>Cross-site scripting</p>
<p>The Forum module does not correctly handle certain arguments
obtained from the URL. By enticing a suitably privileged user
to visit a specially crafted URL, a malicious user is able to
insert arbitrary HTML and script code into forum pages. Such a
cross-site scripting attack may lead to the malicious user
gaining administrative access. Wikipedia has more information
about cross-site scripting (XSS).</p>
<p>User signatures have no separate input format; they use the
format of the comment with which they are displayed. A user
will no longer be able to edit a comment when an administrator
changes the comment's input format to a format that is not
accessible to the user. However, they will still be able to
modify their signature, which will then be processed by the new
input format.</p>
<p>If the new format is very permissive, via their signature, the
user may be able to insert arbitrary HTML and script code into
pages or, when the PHP filter is enabled for the new format,
execute PHP code. This issue affects Drupal 6.x only.</p>
<p>When an anonymous user fails to login due to mistyping his
username or password, and the page he is on contains a sortable
table, the (incorrect) username and password are included in
links on the table. If the user visits these links the password
may then be leaked to external sites via the HTTP referer.</p>
<p>In addition, if the anonymous user is enticed to visit the site
via a specially crafted URL while the Drupal page cache is
enabled, a malicious user might be able to retrieve the
(incorrect) username and password from the page cache.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2372</cvename>
<cvename>CVE-2009-2374</cvename>
<cvename>CVE-2009-2373</cvename>
<url>http://drupal.org/node/507572</url>
<url>http://secunia.com/advisories/35681</url>
</references>
<dates>
<discovery>2009-07-01</discovery>
<entry>2009-07-13</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="70372cda-6771-11de-883a-00e0815b8da8">
<topic>nfsen -- remote command execution</topic>
<affects>
<package>
<name>nfsen</name>
<range><lt>1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>nfsen reports:</p>
<blockquote cite="http://sourceforge.net/forum/forum.php?forum_id=967583">
<p>Due to double input checking, a remote command execution security
bug exists in all NfSen versions 1.3 and 1.3.1. Users are
requested to update to nfsen-1.3.2.</p>
</blockquote>
</body>
</description>
<references>
<url>http://sourceforge.net/forum/forum.php?forum_id=967583</url>
</references>
<dates>
<discovery>2009-06-18</discovery>
<entry>2009-07-03</entry>
</dates>
</vuln>
<vuln vid="ba73f494-65a8-11de-aef5-001c2514716c">
<topic>phpmyadmin -- XSS vulnerability</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.2.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin project reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2009-5.php">
<p>It was possible to conduct an XSS attack via a crafted
SQL bookmark.</p>
<p>All 3.x releases on which the "bookmarks" feature is
active are affected, previous versions are not.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2284</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2009-5.php</url>
</references>
<dates>
<discovery>2009-06-30</discovery>
<entry>2009-06-30</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="3ebd4cb5-657f-11de-883a-00e0815b8da8">
<topic>nagios -- Command Injection Vulnerability</topic>
<affects>
<package>
<name>nagios</name>
<range><le>3.0.6_1</le></range>
</package>
<package>
<name>nagios2</name>
<range><le>2.12_3</le></range>
</package>
<package>
<name>nagios-devel</name>
<range><le>3.1.0_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/35543?">
<p>A vulnerability has been reported in Nagios, which can be
exploited by malicious users to potentially compromise a
vulnerable system.</p>
<p>Input passed to the "ping" parameter in statuswml.cgi is not
properly sanitised before being used to invoke the ping command.
This can be exploited to inject and execute arbitrary shell
commands.</p>
<p>Successful exploitation requires access to the ping feature
of the WAP interface.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2288</cvename>
<url>http://secunia.com/advisories/35543</url>
<url>http://tracker.nagios.org/view.php?id=15</url>
</references>
<dates>
<discovery>2009-05-29</discovery>
<entry>2009-06-30</entry>
<modified>2009-07-13</modified>
</dates>
</vuln>
<vuln vid="f59dda75-5ff4-11de-a13e-00e0815b8da8">
<topic>tor-devel -- DNS resolution vulnerability</topic>
<affects>
<package>
<name>tor-devel</name>
<range><lt>0.2.1.15-rc</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tor Project reports:</p>
<blockquote cite="https://git.torproject.org/checkout/tor/master/ChangeLog">
<p>A malicious exit relay could convince a controller that the
client's DNS question resolves to an internal IP address.</p>
</blockquote>
</body>
</description>
<references>
<url>https://git.torproject.org/checkout/tor/master/ChangeLog</url>
</references>
<dates>
<discovery>2009-06-20</discovery>
<entry>2009-06-23</entry>
</dates>
</vuln>
<vuln vid="c14aa48c-5ab7-11de-bc9b-0030843d3802">
<topic>cscope -- multiple buffer overflows</topic>
<affects>
<package>
<name>cscope</name>
<range><lt>15.7a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/34978">
<p>Some vulnerabilities have been reported in Cscope, which
potentially can be exploited by malicious people to compromise a
user's system.</p>
<p>The vulnerabilities are caused due to various boundary errors,
which can be exploited to cause buffer overflows when parsing
specially crafted files or directories.</p>
</blockquote>
</body>
</description>
<references>
<bid>34805</bid>
<cvename>CVE-2009-0148</cvename>
<url>http://secunia.com/advisories/34978</url>
</references>
<dates>
<discovery>2009-05-31</discovery>
<entry>2009-06-16</entry>
</dates>
</vuln>
<vuln vid="91a2066b-5ab6-11de-bc9b-0030843d3802">
<topic>cscope -- buffer overflow</topic>
<affects>
<package>
<name>cscope</name>
<range><lt>15.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/34832">
<p>Attackers may leverage this issue to execute arbitrary code
in the context of the application. Failed attacks will cause
denial-of-service conditions.</p>
</blockquote>
</body>
</description>
<references>
<bid>34832</bid>
<cvename>CVE-2009-1577</cvename>
<url>http://cscope.cvs.sourceforge.net/viewvc/cscope/cscope/src/find.c?view=log#rev1.19</url>
</references>
<dates>
<discovery>2009-05-31</discovery>
<entry>2009-06-16</entry>
</dates>
</vuln>
<vuln vid="bdccd14b-5aac-11de-a438-003048590f9e">
<topic>joomla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>joomla15</name>
<range><lt>1.5.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/35278/">
<p>Some vulnerabilities have been reported in Joomla!, which can be
exploited by malicious users to conduct script insertion attacks and
by malicious people to conduct cross-site scripting attacks.</p>
<p>Certain unspecified input is not properly sanitised before being
used. This can be exploited to insert arbitrary HTML and script code,
which will be executed in a user's browser session in the context of
an affected site when the malicious data is displayed.</p>
<p>Certain unspecified input passed to the user view of the com_users
core component is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.</p>
<p>Input passed via certain parameters to the "JA_Purity" template is
not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1938</cvename>
<cvename>CVE-2009-1939</cvename>
<cvename>CVE-2009-1940</cvename>
<url>http://secunia.com/advisories/35278/</url>
<url>http://www.joomla.org/announcements/release-news/5235-joomla-1511-security-release-now-available.html</url>
</references>
<dates>
<discovery>2009-06-03</discovery>
<entry>2009-06-16</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="b1ca65e6-5aaf-11de-bc9b-0030843d3802">
<topic>pidgin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>pidgin</name>
<name>libpurple</name>
<name>finch</name>
<range><lt>2.5.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/35194/">
<p>Some vulnerabilities and weaknesses have been reported in Pidgin,
which can be exploited by malicious people to cause a DoS or to
potentially compromise a user's system.</p>
<p>A truncation error in the processing of MSN SLP messages can be
exploited to cause a buffer overflow.</p>
<p>A boundary error in the XMPP SOCKS5 "bytestream" server when
initiating an outgoing file transfer can be exploited to cause a
buffer overflow.</p>
<p>A boundary error exists in the implementation of the
"PurpleCircBuffer" structure. This can be exploited to corrupt memory
and cause a crash via specially crafted XMPP or Sametime
packets.</p>
<p>A boundary error in the "decrypt_out()" function can be exploited
to cause a stack-based buffer overflow with 8 bytes and crash the
application via a specially crafted QQ packet.</p>
</blockquote>
</body>
</description>
<references>
<bid>35067</bid>
<cvename>CVE-2009-1373</cvename>
<cvename>CVE-2009-1374</cvename>
<cvename>CVE-2009-1375</cvename>
<cvename>CVE-2009-1376</cvename>
<url>http://secunia.com/advisories/35194/</url>
<url>http://www.pidgin.im/news/security/?id=29</url>
<url>http://www.pidgin.im/news/security/?id=30</url>
<url>http://www.pidgin.im/news/security/?id=32</url>
</references>
<dates>
<discovery>2009-06-03</discovery>
<entry>2009-06-16</entry>
</dates>
</vuln>
<vuln vid="d9b01c08-59b3-11de-828e-00e0815b8da8">
<topic>git -- denial of service vulnerability</topic>
<affects>
<package>
<name>git</name>
<range><lt>1.6.3.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/35338/discuss">
<p>Git is prone to a denial-of-service vulnerability because it
fails to properly handle some client requests.</p>
<p>Attackers can exploit this issue to cause a daemon process to
enter an infinite loop. Repeated exploits may consume excessive
system resources, resulting in a denial of service condition.</p>
</blockquote>
</body>
</description>
<references>
<bid>35338</bid>
<cvename>CVE-2009-2108</cvename>
<url>https://www.redhat.com/archives/fedora-security-list/2009-June/msg00000.html</url>
<url>http://article.gmane.org/gmane.comp.version-control.git/120724</url>
</references>
<dates>
<discovery>2009-06-04</discovery>
<entry>2009-06-15</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="62e0fbe5-5798-11de-bb78-001cc0377035">
<topic>ruby -- BigDecimal denial of service vulnerability</topic>
<affects>
<package>
<name>ruby</name>
<name>ruby+pthreads</name>
<name>ruby+pthreads+oniguruma</name>
<name>ruby+oniguruma</name>
<range><ge>1.8.*,1</ge><lt>1.8.7.160_1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/">
<p>A denial of service (DoS) vulnerability was found on the
BigDecimal standard library of Ruby. Conversion from BigDecimal
objects into Float numbers had a problem which enables attackers
to effectively cause segmentation faults.</p>
<p>An attacker can cause a denial of service by causing BigDecimal
to parse an insanely large number, such as:</p>
<p><code>BigDecimal("9E69999999").to_s("F")</code></p>
</blockquote>
</body>
</description>
<references>
<bid>35278</bid>
<cvename>CVE-2009-1904</cvename>
<url>http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/</url>
</references>
<dates>
<discovery>2009-06-09</discovery>
<entry>2009-06-13</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="da185955-5738-11de-b857-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>2.0.0.20_8,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.11,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<name>linux-firefox-devel</name>
<range><lt>3.0.11</lt></range>
</package>
<package>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>2.0.0.22</lt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>1.1.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/firefox30.html">
<p>MFSA 2009-32 JavaScript chrome privilege escalation</p>
<p>MFSA 2009-31 XUL scripts bypass content-policy checks</p>
<p>MFSA 2009-30 Incorrect principal set for file: resources
loaded via location bar</p>
<p>MFSA 2009-29 Arbitrary code execution using event listeners
attached to an element whose owner document is null</p>
<p>MFSA 2009-28 Race condition while accessing the private data
of a NPObject JS wrapper class object</p>
<p>MFSA 2009-27 SSL tampering via non-200 responses to proxy
CONNECT requests</p>
<p>MFSA 2009-26 Arbitrary domain cookie access by local file:
resources</p>
<p>MFSA 2009-25 URL spoofing with invalid unicode characters</p>
<p>MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1392</cvename>
<cvename>CVE-2009-1832</cvename>
<cvename>CVE-2009-1833</cvename>
<cvename>CVE-2009-1834</cvename>
<cvename>CVE-2009-1835</cvename>
<cvename>CVE-2009-1836</cvename>
<cvename>CVE-2009-1837</cvename>
<cvename>CVE-2009-1838</cvename>
<cvename>CVE-2009-1839</cvename>
<cvename>CVE-2009-1840</cvename>
<cvename>CVE-2009-1841</cvename>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-24.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-25.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-26.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-27.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-28.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-29.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-30.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-31.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-32.html</url>
<url>http://secunia.com/advisories/35331/</url>
</references>
<dates>
<discovery>2009-06-11</discovery>
<entry>2009-06-12</entry>
<modified>2009-12-12</modified>
</dates>
</vuln>
<vuln vid="eb9212f7-526b-11de-bbf2-001b77d09812">
<topic>apr -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apr</name>
<range><lt>1.3.5.1.3.7</lt></range>
</package>
<package>
<name>apache</name>
<range><ge>2.2.0</ge><lt>2.2.11_5</lt></range>
<range><ge>2.0.0</ge><lt>2.0.63_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/35284/">
<p>Some vulnerabilities have been reported in APR-util, which
can be exploited by malicious users and malicious people to
cause a DoS (Denial of Service).</p>
<p>A vulnerability is caused due to an error in the processing
of XML files and can be exploited to exhaust all available
memory via a specially crafted XML file containing a
predefined entity inside an entity definition.</p>
<p>A vulnerability is caused due to an error within the
"apr_strmatch_precompile()" function in
strmatch/apr_strmatch.c, which can be exploited to crash an
application using the library.</p>
</blockquote>
<p>RedHat reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=504390">
<p>A single NULL byte buffer overflow flaw was found in
apr-util's apr_brigade_vprintf() function.</p>
</blockquote>
</body>
</description>
<references>
<bid>35221</bid>
<cvename>CVE-2009-1955</cvename>
<cvename>CVE-2009-1956</cvename>
<cvename>CVE-2009-0023</cvename>
<url>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</url>
<url>http://secunia.com/advisories/35284/</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=504390</url>
</references>
<dates>
<discovery>2009-06-05</discovery>
<entry>2009-06-08</entry>
</dates>
</vuln>
<vuln vid="4f838b74-50a1-11de-b01f-001c2514716c">
<topic>dokuwiki -- Local File Inclusion with register_globals on</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20090214_2</lt></range>
</package>
<package>
<name>dokuwiki-devel</name>
<range><gt>0</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>DokuWiki reports:</p>
<blockquote cite="http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1700">
<p>A security hole was discovered which allows an attacker
to include arbitrary files located on the attacked DokuWiki
installation. The included file is executed in the PHP context.
This can be escalated by introducing malicious code through
uploading file via the media manager or placing PHP code in
editable pages.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1960</cvename>
<url>http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1700</url>
</references>
<dates>
<discovery>2009-05-26</discovery>
<entry>2009-06-04</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="82b55df8-4d5a-11de-8811-0030843d3802">
<topic>openssl -- denial of service in DTLS implementation</topic>
<affects>
<package>
<name>openssl</name>
<range><ge>0.9.8</ge><lt>0.9.8k_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/35128/">
<p>Some vulnerabilities have been reported in OpenSSL, which can be
exploited by malicious people to cause a DoS.</p>
<p>The library does not limit the number of buffered DTLS records with
a future epoch. This can be exploited to exhaust all available memory
via specially crafted DTLS packets.</p>
<p>An error when processing DTLS messages can be exploited to exhaust
all available memory by sending a large number of out of sequence
handshake messages.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1377</cvename>
<cvename>CVE-2009-1378</cvename>
<url>http://secunia.com/advisories/35128/</url>
</references>
<dates>
<discovery>2009-05-18</discovery>
<entry>2009-05-30</entry>
<modified>2009-12-21</modified>
</dates>
</vuln>
<vuln vid="399f4cd7-4d59-11de-8811-0030843d3802">
<topic>eggdrop -- denial of service vulnerability</topic>
<affects>
<package>
<name>eggdrop</name>
<range><lt>1.6.19_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/35104/">
<p>The vulnerability is caused due to an error in the processing of
private messages within the server module
(/mod/server.mod/servrmsg.c). This can be exploited to cause a
crash by sending a specially crafted message to the bot.</p>
</blockquote>
</body>
</description>
<references>
<bid>34985</bid>
<cvename>CVE-2009-1789</cvename>
<url>http://www.eggheads.org/news/2009/05/14/35</url>
<url>http://secunia.com/advisories/35104/</url>
</references>
<dates>
<discovery>2009-05-15</discovery>
<entry>2009-05-30</entry>
</dates>
</vuln>
<vuln vid="a2d4a330-4d54-11de-8811-0030843d3802">
<topic>wireshark -- PCNFSD Dissector Denial of Service Vulnerability</topic>
<affects>
<package>
<name>ethereal</name>
<name>ethereal-lite</name>
<name>tethereal</name>
<name>tethereal-lite</name>
<name>wireshark</name>
<name>wireshark-lite</name>
<range><lt>1.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/35201/">
<p>A vulnerability has been reported in Wireshark, which can be
exploited by malicious people to cause a DoS.</p>
<p>The vulnerability is caused due to an error in the PCNFSD dissector
and can be exploited to cause a crash via a specially crafted PCNFSD
packet.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1829</cvename>
<url>http://secunia.com/advisories/35201/</url>
<url>http://www.wireshark.org/security/wnpa-sec-2009-03.html</url>
</references>
<dates>
<discovery>2009-05-21</discovery>
<entry>2009-05-30</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="6355efdb-4d4d-11de-8811-0030843d3802">
<topic>libsndfile -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libsndfile</name>
<range><lt>1.0.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/35076/">
<p>Two vulnerabilities have been reported in libsndfile, which can be
exploited by malicious people to compromise an application using the
library.</p>
<p>A boundary error exists within the "voc_read_header()" function in
src/voc.c. This can be exploited to cause a heap-based buffer overflow
via a specially crafted VOC file.</p>
<p>A boundary error exists within the "aiff_read_header()" function in
src/aiff.c. This can be exploited to cause a heap-based buffer overflow
via a specially crafted AIFF file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1788</cvename>
<cvename>CVE-2009-1791</cvename>
<url>http://secunia.com/advisories/35076/</url>
<url>http://www.trapkit.de/advisories/TKADV2009-006.txt</url>
</references>
<dates>
<discovery>2009-05-15</discovery>
<entry>2009-05-30</entry>
</dates>
</vuln>
<vuln vid="80f13884-4d4c-11de-8811-0030843d3802">
<topic>slim -- local disclosure of X authority magic cookie</topic>
<affects>
<package>
<name>slim</name>
<range><lt>1.3.1_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/35132/">
<p>A security issue has been reported in SLiM, which can be
exploited by malicious, local users to disclose sensitive
information.</p>
<p>The security issue is caused due to the application
generating the X authority file by passing the X authority
cookie via the command line to "xauth". This can be exploited
to disclose the X authority cookie by consulting the process
list and e.g. gain access to the user's display.</p>
</blockquote>
</body>
</description>
<references>
<bid>35015</bid>
<cvename>CVE-2009-1756</cvename>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529306</url>
</references>
<dates>
<discovery>2009-05-20</discovery>
<entry>2009-05-30</entry>
</dates>
</vuln>
<vuln vid="4175c811-f690-4898-87c5-755b3cf1bac6">
<topic>ntp -- stack-based buffer overflow</topic>
<affects>
<package>
<name>ntp</name>
<range><lt>4.2.4p7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/853097">
<p>ntpd contains a stack buffer overflow which may allow a remote
unauthenticated attacker to execute arbitrary code on a vulnerable
system or create a denial of service.</p>
</blockquote>
</body>
</description>
<references>
<bid>35017</bid>
<cvename>CVE-2009-0159</cvename>
<cvename>CVE-2009-1252</cvename>
<url>http://www.kb.cert.org/vuls/id/853097</url>
</references>
<dates>
<discovery>2009-05-06</discovery>
<entry>2009-05-20</entry>
</dates>
</vuln>
<vuln vid="5ed2f96b-33b7-4863-8c6b-540d22344424">
<topic>imap-uw -- University of Washington IMAP c-client Remote Format String Vulnerability</topic>
<affects>
<package>
<name>imap-uw</name>
<range><lt>2007e</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/33795">
<p>University of Washington IMAP c-client is prone to a remote
format-string vulnerability because the software fails to adequately
sanitize user-supplied input before passing it as the
format-specifier to a formatted-printing function.</p>
</blockquote>
</body>
</description>
<references>
<bid>33795</bid>
</references>
<dates>
<discovery>2009-02-17</discovery>
<entry>2009-05-21</entry>
<modified>2009-05-22</modified>
</dates>
</vuln>
<vuln vid="37a8603d-4494-11de-bea7-000c29a67389">
<topic>nsd -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>nsd</name>
<range><lt>3.2.2</lt></range>
</package>
<package>
<name>nsd2</name>
<range><lt>2.3.7_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NLnet Labs reports:</p>
<blockquote cite="http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html">
<p>A one-byte buffer overflow has been reported in NSD. The
problem affects all versions 2.0.0 to 3.2.1. The bug allows
a carefully crafted exploit to bring down your DNS server. It
is highly unlikely that this one byte overflow can lead to
other (system) exploits.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1755</cvename>
<url>http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html</url>
</references>
<dates>
<discovery>2009-05-19</discovery>
<entry>2009-05-19</entry>
<modified>2009-05-22</modified>
</dates>
</vuln>
<vuln vid="48e14d86-42f1-11de-ad22-000e35248ad7">
<topic>libxine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libxine</name>
<range><lt>1.1.16.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>xine developers report:</p>
<blockquote cite="http://sourceforge.net/project/shownotes.php?group_id=9655&amp;release_id=673233">
<ul>
<li>Fix another possible int overflow in the 4XM demuxer.
(ref. TKADV2009-004, CVE-2009-0385)</li>
<li>Fix an integer overflow in the Quicktime demuxer.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0385</cvename>
<cvename>CVE-2009-1274</cvename>
<url>http://trapkit.de/advisories/TKADV2009-004.txt</url>
<url>http://trapkit.de/advisories/TKADV2009-005.txt</url>
<url>http://sourceforge.net/project/shownotes.php?release_id=660071</url>
</references>
<dates>
<discovery>2009-04-04</discovery>
<entry>2009-05-17</entry>
</dates>
</vuln>
<vuln vid="51d1d428-42f0-11de-ad22-000e35248ad7">
<topic>libxine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libxine</name>
<range><lt>1.1.16.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple vulnerabilities were fixed in libxine 1.1.16.2.</p>
<p>Tobias Klein reports:</p>
<blockquote cite="http://trapkit.de/advisories/TKADV2009-004.txt">
<p>FFmpeg contains a type conversion vulnerability while
parsing malformed 4X movie files. The vulnerability may be
exploited by a (remote) attacker to execute arbitrary code in
the context of FFmpeg or an application using the FFmpeg
library.</p>
<p>Note: A similar issue also affects xine-lib < version
1.1.16.2.</p>
</blockquote>
<p>xine developers report:</p>
<blockquote cite="http://sourceforge.net/project/shownotes.php?group_id=9655&amp;release_id=660071">
<ul>
<li>Fix broken size checks in various input plugins (ref.
CVE-2008-5239).</li>
<li>More malloc checking (ref. CVE-2008-5240).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0698</cvename>
<cvename>CVE-2008-5234</cvename>
<cvename>CVE-2008-5240</cvename>
<url>http://trapkit.de/advisories/TKADV2009-004.txt</url>
<url>http://sourceforge.net/project/shownotes.php?release_id=660071</url>
</references>
<dates>
<discovery>2009-02-15</discovery>
<entry>2009-05-17</entry>
</dates>
</vuln>
<vuln vid="1e8031be-4258-11de-b67a-0030843d3802">
<topic>php -- ini database truncation inside dba_replace() function</topic>
<affects>
<package>
<name>php4-dba</name>
<range><lt>4.4.9_1</lt></range>
</package>
<package>
<name>php5-dba</name>
<range><lt>5.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>securityfocus research reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/498746/30/0/threaded">
<p>A bug that leads to the emptying of the INI file contents if
the database key was not found exists in the PHP dba extension in
versions 5.2.6, 4.4.9 and earlier.</p>
<p>The dba_replace() function does not filter the key and value
strings. There is a possibility of the destruction of the file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-7068</cvename>
<url>http://www.securityfocus.com/archive/1/498746/30/0/threaded</url>
<url>http://securityreason.com/achievement_securityalert/58</url>
</references>
<dates>
<discovery>2009-11-28</discovery>
<entry>2009-05-16</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="6a245f31-4254-11de-b67a-0030843d3802">
<topic>libwmf -- embedded GD library Use-After-Free vulnerability</topic>
<affects>
<package>
<name>libwmf</name>
<range><lt>0.2.8.4_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/34901">
<p>A vulnerability has been reported in libwmf, which can be exploited
by malicious people to cause a DoS (Denial of Service) or compromise
an application using the library.</p>
<p>The vulnerability is caused due to a use-after-free error within the
embedded GD library, which can be exploited to cause a crash or
potentially to execute arbitrary code via a specially crafted WMF
file.</p>
</blockquote>
</body>
</description>
<references>
<bid>34792</bid>
<cvename>CVE-2009-1364</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=496864</url>
<url>https://rhn.redhat.com/errata/RHSA-2009-0457.html</url>
<url>http://secunia.com/advisories/34901/</url>
</references>
<dates>
<discovery>2009-05-05</discovery>
<entry>2009-05-16</entry>
</dates>
</vuln>
<vuln vid="48aab1d0-4252-11de-b67a-0030843d3802">
<topic>libwmf -- integer overflow vulnerability</topic>
<affects>
<package>
<name>libwmf</name>
<range><lt>0.2.8.4_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/20921">
<p>infamous41md has reported a vulnerability in libwmf, which
potentially can be exploited by malicious people to compromise an
application using the vulnerable library.</p>
<p>The vulnerability is caused due to an integer overflow error when
allocating memory based on a value taken directly from a WMF file
without performing any checks. This can be exploited to cause a
heap-based buffer overflow when a specially crafted WMF file is
processed.</p>
</blockquote>
</body>
</description>
<references>
<bid>18751</bid>
<cvename>CVE-2006-3376</cvename>
<url>http://secunia.com/advisories/20921/</url>
</references>
<dates>
<discovery>2006-07-03</discovery>
<entry>2009-05-16</entry>
</dates>
</vuln>
<vuln vid="bfe218a5-4218-11de-b67a-0030843d3802">
<topic>moinmoin -- cross-site scripting vulnerabilities</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.8.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/34821/">
<p>Input passed via multiple parameters to action/AttachFile.py is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1482</cvename>
<url>http://secunia.com/advisories/34821/</url>
<url>http://moinmo.in/SecurityFixes</url>
</references>
<dates>
<discovery>2009-04-21</discovery>
<entry>2009-05-16</entry>
</dates>
</vuln>
<vuln vid="4a638895-41b7-11de-b1cc-00219b0fc4d8">
<topic>mod_perl -- cross-site scripting</topic>
<affects>
<package>
<name>mod_perl</name>
<range><lt>1.31</lt></range>
</package>
<package>
<name>mod_perl2</name>
<range><lt>2.05</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/3459796">
<p>Certain input passed to the "Apache::Status" and "Apache2::Status"
modules is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected website.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0796</cvename>
<url>http://secunia.com/advisories/34597</url>
</references>
<dates>
<discovery>2009-02-28</discovery>
<entry>2009-05-16</entry>
<modified>2009-05-16</modified>
</dates>
</vuln>
<vuln vid="a6605f4b-4067-11de-b444-001372fd0af2">
<topic>drupal -- cross-site scripting</topic>
<affects>
<package>
<name>drupal5</name>
<range><lt>5.18</lt></range>
</package>
<package>
<name>drupal6</name>
<range><lt>6.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Drupal Security Team reports:</p>
<blockquote cite="http://drupal.org/node/461886">
<p>When outputting user-supplied data Drupal strips potentially
dangerous HTML attributes and tags or escapes characters which
have a special meaning in HTML. This output filtering secures the
site against cross site scripting attacks via user input.</p>
<p>Certain byte sequences that are valid in the UTF-8 specification
are potentially dangerous when interpreted as UTF-7. Internet
Explorer 6 and 7 may decode these characters as UTF-7 if they
appear before the &lt;meta http-equiv="Content-Type" /&gt; tag that
specifies the page content as UTF-8, despite the fact that Drupal
also sends a real HTTP header specifying the content as UTF-8.
This enables attackers to execute cross site scripting attacks
with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting
contained an incomplete fix for the issue. HTML exports of books
are still vulnerable, which means that anyone with edit
permissions for pages in outlines is able to insert arbitrary HTML
and script code in these exports.</p>
<p>Additionally, the taxonomy module allows users with the
'administer taxonomy' permission to inject arbitrary HTML and
script code in the help text of any vocabulary.</p>
</blockquote>
</body>
</description>
<references>
<url>http://drupal.org/node/461886</url>
<url>http://secunia.com/advisories/35045</url>
</references>
<dates>
<discovery>2009-05-13</discovery>
<entry>2009-05-14</entry>
<modified>2009-05-16</modified>
</dates>
</vuln>
<vuln vid="14ab174c-40ef-11de-9fd5-001bd3385381">
<topic>cyrus-sasl -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>cyrus-sasl</name>
<range><lt>2.1.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/238019">
<p>The sasl_encode64() function converts a string into
base64. The Cyrus SASL library contains buffer overflows
that occur because of unsafe use of the sasl_encode64()
function.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0688</cvename>
<url>http://www.kb.cert.org/vuls/id/238019</url>
</references>
<dates>
<discovery>2009-04-08</discovery>
<entry>2009-05-15</entry>
</dates>
</vuln>
<vuln vid="fc4d0ae8-3fa3-11de-a3fd-0030843d3802">
<topic>moinmoin -- multiple cross site scripting vulnerabilities</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/33593/">
<p>Some vulnerabilities have been reported in MoinMoin, which can be
exploited by malicious people to conduct cross-site scripting attacks.</p>
<p>Input passed to multiple parameters in action/AttachFile.py is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.</p>
<p>Certain input passed to security/antispam.py is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0260</cvename>
<cvename>CVE-2009-0312</cvename>
<url>http://moinmo.in/SecurityFixes</url>
<url>http://secunia.com/advisories/33593</url>
</references>
<dates>
<discovery>2009-01-21</discovery>
<entry>2009-05-13</entry>
</dates>
</vuln>
<vuln vid="f0f97b94-3f95-11de-a3fd-0030843d3802">
<topic>ghostscript -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>ghostscript8</name>
<name>ghostscript8-nox11</name>
<range><lt>8.64</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/34340/discuss">
<p>Ghostscript is prone to a remote buffer-overflow vulnerability
because it fails to properly bounds-check user-supplied input before
copying it into a finite-sized buffer.</p>
<p>Exploiting this issue allows remote attackers to overwrite a
sensitive memory buffer with arbitrary data, potentially allowing them
to execute malicious machine code in the context of the affected
application. This vulnerability may facilitate the compromise of
affected computers.</p>
</blockquote>
</body>
</description>
<references>
<bid>34340</bid>
<cvename>CVE-2008-6679</cvename>
</references>
<dates>
<discovery>2009-02-03</discovery>
<entry>2009-05-13</entry>
</dates>
</vuln>
<vuln vid="4b172278-3f46-11de-becb-001cc0377035">
<topic>pango -- integer overflow</topic>
<affects>
<package>
<name>pango</name>
<name>linux-pango</name>
<name>linux-f8-pango</name>
<name>linux-f10-pango</name>
<range><lt>1.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2009-001.html">
<p>Pango suffers from a multiplicative integer overflow which
may lead to a potentially exploitable, heap overflow depending
on the calling conditions.</p>
<p>For example, this vulnerability is remotely reachable in Firefox
by creating an overly large document.location value but only results
in a process-terminating, allocation error (denial of service).</p>
<p>The affected function is pango_glyph_string_set_size. An overflow
check when doubling the size neglects the overflow possible on the
subsequent allocation.</p>
</blockquote>
</body>
</description>
<references>
<bid>34870</bid>
<cvename>CVE-2009-1194</cvename>
<url>http://secunia.com/advisories/35021/</url>
</references>
<dates>
<discovery>2009-02-22</discovery>
<entry>2009-05-13</entry>
<modified>2009-10-01</modified>
</dates>
</vuln>
<vuln vid="defce068-39aa-11de-a493-001b77d09812">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ethereal</name>
<name>ethereal-lite</name>
<name>tethereal</name>
<name>tethereal-lite</name>
<name>wireshark</name>
<name>wireshark-lite</name>
<range><lt>1.0.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark team reports:</p>
<blockquote cite="http://www.wireshark.org/security/wnpa-sec-2009-02.html">
<p>Wireshark 1.0.7 fixes the following vulnerabilities:</p>
<ul>
<li>The PROFINET dissector was vulnerable to a format
string overflow. (Bug 3382) Versions affected: 0.99.6 to
1.0.6, CVE-2009-1210.</li>
<li>The Check Point High-Availability Protocol (CPHAP)
dissector could crash. (Bug 3269) Versions affected: 0.9.6
to 1.0.6; CVE-2009-1268.</li>
<li>Wireshark could crash while loading a Tektronix .rf5
file. (Bug 3366) Versions affected: 0.99.6 to 1.0.6,
CVE-2009-1269.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<bid>34291</bid>
<bid>34457</bid>
<cvename>CVE-2009-1210</cvename>
<cvename>CVE-2009-1268</cvename>
<cvename>CVE-2009-1269</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2009-02.html</url>
<url>http://secunia.com/advisories/34542</url>
</references>
<dates>
<discovery>2009-04-06</discovery>
<entry>2009-05-09</entry>
<modified>2009-05-13</modified>
</dates>
</vuln>
<vuln vid="736e55bc-39bb-11de-a493-001b77d09812">
<topic>cups -- remote code execution and DNS rebinding</topic>
<affects>
<package>
<name>cups-base</name>
<range><lt>1.3.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gentoo security team summarizes:</p>
<blockquote cite="http://www.gentoo.org/security/en/glsa/glsa-200904-20.xml">
<p>The following issues were reported in CUPS:</p>
<ul>
<li>iDefense reported an integer overflow in the
_cupsImageReadTIFF() function in the "imagetops" filter,
leading to a heap-based buffer overflow (CVE-2009-0163).</li>
<li>Aaron Siegel of Apple Product Security reported that the
CUPS web interface does not verify the content of the "Host"
HTTP header properly (CVE-2009-0164).</li>
<li>Braden Thomas and Drew Yao of Apple Product Security
reported that CUPS is vulnerable to CVE-2009-0146,
CVE-2009-0147 and CVE-2009-0166, found earlier in xpdf and
poppler.</li>
</ul>
<p>A remote attacker might send or entice a user to send a
specially crafted print job to CUPS, possibly resulting in the
execution of arbitrary code with the privileges of the
configured CUPS user -- by default this is "lp", or a Denial
of Service. Furthermore, the web interface could be used to
conduct DNS rebinding attacks.</p>
</blockquote>
</body>
</description>
<references>
<bid>34571</bid>
<bid>34665</bid>
<bid>34568</bid>
<cvename>CVE-2009-0163</cvename>
<cvename>CVE-2009-0164</cvename>
<cvename>CVE-2009-0146</cvename>
<cvename>CVE-2009-0147</cvename>
<cvename>CVE-2009-0166</cvename>
<url>http://www.cups.org/articles.php?L582</url>
</references>
<dates>
<discovery>2009-05-05</discovery>
<entry>2009-05-07</entry>
<modified>2009-05-13</modified>
</dates>
</vuln>
<vuln vid="fbc8413f-2f7a-11de-9a3f-001b77d09812">
<topic>FreeBSD -- remotely exploitable crash in OpenSSL</topic>
<affects>
<system>
<name>FreeBSD</name>
<range><ge>6.3</ge><lt>6.3_10</lt></range>
<range><ge>6.4</ge><lt>6.4_4</lt></range>
<range><ge>7.0</ge><lt>7.0_12</lt></range>
<range><ge>7.1</ge><lt>7.1_5</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description</h1>
<p>The function ASN1_STRING_print_ex does not properly validate
the lengths of BMPString or UniversalString objects before
attempting to print them.</p>
<h1>Impact</h1>
<p>An application which attempts to print a BMPString or
UniversalString which has an invalid length will crash as a
result of OpenSSL accessing invalid memory locations. This
could be used by an attacker to crash a remote application.</p>
<h1>Workaround</h1>
<p>No workaround is available, but applications which do not use
the ASN1_STRING_print_ex function (either directly or indirectly)
are not affected.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:08.openssl</freebsdsa>
<cvename>CVE-2009-0590</cvename>
</references>
<dates>
<discovery>2009-03-25</discovery>
<entry>2009-05-07</entry>
<modified>2009-05-13</modified>
</dates>
</vuln>
<vuln vid="2748fdde-3a3c-11de-bbc5-00e0815b8da8">
<topic>quagga -- Denial of Service</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.11_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian Security Team reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/503220">
<p>It was discovered that Quagga, an IP routing daemon, could
no longer process the Internet routing table due to broken
handling of multiple 4-byte AS numbers in an AS path. If such
a prefix is received, the BGP daemon crashes with an assert
failure leading to a denial of service.</p>
</blockquote>
</body>
</description>
<references>
<bid>34656</bid>
<mlist msgid="Pine.LNX.4.64.0904301931590.24373@nacho.alt.net">http://lists.quagga.net/pipermail/quagga-dev/2009-April/006541.html</mlist>
<cvename>CVE-2009-1572</cvename>
</references>
<dates>
<discovery>2009-05-04</discovery>
<entry>2009-05-06</entry>
<modified>2009-05-07</modified>
</dates>
</vuln>
<vuln vid="e3e30d99-58a8-4a3f-8059-a8b7cd59b881">
<topic>openfire -- Openfire No Password Changes Security Bypass</topic>
<affects>
<package>
<name>openfire</name>
<range><lt>3.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/34984/">
<p>A vulnerability has been reported in Openfire which can
be exploited by malicious users to bypass certain security
restrictions. The vulnerability is caused due to Openfire
not properly respecting the no password changes setting which
can be exploited to change passwords by sending jabber:iq:auth
passwd_change requests to the server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1596</cvename>
<url>http://secunia.com/advisories/34984/</url>
<url>http://www.igniterealtime.org/issues/browse/JM-1532</url>
<url>http://www.igniterealtime.org/community/message/190288#190288</url>
</references>
<dates>
<discovery>2009-05-04</discovery>
<entry>2009-05-04</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="7a1ab8d4-35c1-11de-9672-0030843d3802">
<topic>drupal -- cross site scripting</topic>
<affects>
<package>
<name>drupal5</name>
<range><lt>5.17</lt></range>
</package>
<package>
<name>drupal6</name>
<range><lt>6.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team reports:</p>
<blockquote cite="http://drupal.org/node/449078">
<p>When outputting user-supplied data Drupal strips potentially
dangerous HTML attributes and tags or escapes characters which have a
special meaning in HTML. This output filtering secures the site
against cross site scripting attacks via user input.</p>
<p>Certain byte sequences that are valid in the UTF-8 specification
are potentially dangerous when interpreted as UTF-7. Internet Explorer
6 and 7 may decode these characters as UTF-7 if they appear before the
meta http-equiv="Content-Type" tag that specifies the page content
as UTF-8, despite the fact that Drupal also sends a real HTTP header
specifying the content as UTF-8. This behaviour enables malicious
users to insert and execute Javascript in the context of the website
if site visitors are allowed to post content.</p>
<p>In addition, Drupal core also has a very limited information
disclosure vulnerability under very specific conditions. If a user is
tricked into visiting the site via a specially crafted URL and then
submits a form (such as the search box) from that page, the
information in their form submission may be directed to a third-party
site determined by the URL and thus disclosed to the third party. The
third party site may then execute a CSRF attack against the submitted
form.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1575</cvename>
<cvename>CVE-2009-1576</cvename>
<url>http://drupal.org/node/449078</url>
</references>
<dates>
<discovery>2009-04-30</discovery>
<entry>2009-04-30</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="3b18e237-2f15-11de-9672-0030843d3802">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>2.0.0.20_7,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.9,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<name>linux-firefox-devel</name>
<range><lt>3.0.9</lt></range>
</package>
<package>
<name>linux-seamonkey-devel</name>
<range><gt>0</gt></range>
</package>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>1.1.17</lt></range>
</package>
<package>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>2.0.0.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Foundation reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2009-22: Firefox allows Refresh header to redirect to
javascript: URIs</p>
<p>MFSA 2009-21: POST data sent to wrong site when saving web page
with embedded frame</p>
<p>MFSA 2009-20: Malicious search plugins can inject code into
arbitrary sites</p>
<p>MFSA 2009-19: Same-origin violations in XMLHttpRequest and
XPCNativeWrapper.toString</p>
<p>MFSA 2009-18: XSS hazard using third-party stylesheets and XBL
bindings</p>
<p>MFSA 2009-17: Same-origin violations when Adobe Flash loaded via
view-source: scheme</p>
<p>MFSA 2009-16: jar: scheme ignores the content-disposition: header
on the inner URI</p>
<p>MFSA 2009-15: URL spoofing with box drawing character</p>
<p>MFSA 2009-14: Crashes with evidence of memory corruption
(rv:1.9.0.9)</p>
</blockquote>
</body>
</description>
<references>
<bid>34656</bid>
<cvename>CVE-2009-1303</cvename>
<cvename>CVE-2009-1306</cvename>
<cvename>CVE-2009-1307</cvename>
<cvename>CVE-2009-1308</cvename>
<cvename>CVE-2009-1309</cvename>
<cvename>CVE-2009-1312</cvename>
<cvename>CVE-2009-1311</cvename>
<cvename>CVE-2009-1302</cvename>
<cvename>CVE-2009-1304</cvename>
<cvename>CVE-2009-1305</cvename>
<cvename>CVE-2009-1310</cvename>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-22.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-21.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-20.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-19.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-18.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-17.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-16.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-15.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-14.html</url>
</references>
<dates>
<discovery>2009-04-21</discovery>
<entry>2009-04-22</entry>
<modified>2009-12-12</modified>
</dates>
</vuln>
<vuln vid="50d233d9-374b-46ce-922d-4e6b3f777bef">
<topic>poppler -- Poppler Multiple Vulnerabilities</topic>
<affects>
<package>
<name>poppler</name>
<range><lt>0.10.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/34746/">
<p>Some vulnerabilities have been reported in Poppler which can be
exploited by malicious people to potentially compromise an
application using the library.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/34746/</url>
</references>
<dates>
<discovery>2009-04-17</discovery>
<entry>2009-04-18</entry>
</dates>
</vuln>
<vuln vid="a21037d5-2c38-11de-ab3b-0017a4cccfc6">
<topic>xpdf -- multiple vulnerabilities</topic>
<affects>
<package>
<name>xpdf</name>
<range><lt>3.02_11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://www.vupen.com/english/advisories/2009/1065">
<p>Some vulnerabilities have been reported in Xpdf, which can be
exploited by malicious people to potentially compromise a user's
system.</p>
<p>A boundary error exists when decoding JBIG2 symbol dictionary
segments. This can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code.</p>
<p>Multiple integer overflows in the JBIG2 decoder can be
exploited to potentially execute arbitrary code.</p>
<p>Multiple boundary errors in the JBIG2 decoder can be
exploited to cause buffer overflows and potentially execute
arbitrary code.</p>
<p>Multiple errors in the JBIG2 decoder can be exploited to free
arbitrary memory and potentially execute arbitrary code.</p>
<p>Multiple unspecified input validation errors in the JBIG2 decoder can
be exploited to potentially execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0146</cvename>
<cvename>CVE-2009-0147</cvename>
<cvename>CVE-2009-0166</cvename>
<cvename>CVE-2009-0799</cvename>
<cvename>CVE-2009-0800</cvename>
<cvename>CVE-2009-1179</cvename>
<cvename>CVE-2009-1180</cvename>
<cvename>CVE-2009-1181</cvename>
<cvename>CVE-2009-1182</cvename>
<cvename>CVE-2009-1183</cvename>
<url>http://secunia.com/advisories/34291</url>
<url>http://www.vupen.com/english/advisories/2009/1065</url>
</references>
<dates>
<discovery>2009-04-16</discovery>
<entry>2009-04-18</entry>
<modified>2009-04-18</modified>
</dates>
</vuln>
<vuln vid="20b4f284-2bfc-11de-bdeb-0030843d3802">
<topic>freetype2 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>freetype2</name>
<range><lt>2.3.9_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/34723/">
<p>Some vulnerabilities have been reported in FreeType, which can be
exploited by malicious people to potentially compromise an application
using the library.</p>
<p>An integer overflow error within the "cff_charset_compute_cids()"
function in cff/cffload.c can be exploited to potentially cause a
heap-based buffer overflow via a specially crafted font.</p>
<p>Multiple integer overflow errors within validation functions in
sfnt/ttcmap.c can be exploited to bypass length validations and
potentially cause buffer overflows via specially crafted fonts.</p>
<p>An integer overflow error within the "ft_smooth_render_generic()"
function in smooth/ftsmooth.c can be exploited to potentially cause a
heap-based buffer overflow via a specially crafted font.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0946</cvename>
<url>http://secunia.com/advisories/34723/</url>
</references>
<dates>
<discovery>2009-04-16</discovery>
<entry>2009-04-18</entry>
</dates>
</vuln>
<vuln vid="cf91c1e4-2b6d-11de-931b-00e0815b8da8">
<topic>ejabberd -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>ejabberd</name>
<range><lt>2.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/34133">
<p>The ejabberd application is prone to a cross-site scripting
vulnerability.</p>
<p>An attacker may leverage this issue to execute arbitrary script code
in the browser of an unsuspecting user in the context of the affected
site and to steal cookie-based authentication credentials.</p>
</blockquote>
</body>
</description>
<references>
<bid>34133</bid>
<cvename>CVE-2009-0934</cvename>
</references>
<dates>
<discovery>2009-03-16</discovery>
<entry>2009-04-17</entry>
</dates>
</vuln>
<vuln vid="872ae5be-29c0-11de-bdeb-0030843d3802">
<topic>ziproxy -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ziproxy</name>
<range><lt>2.7.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ziproxy developers report:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/MAPG-7N9GN8">
<p>Multiple HTTP proxy implementations are prone to an
information-disclosure vulnerability related to the interpretation of
the 'Host' HTTP header. Specifically, this issue occurs when the proxy
makes a forwarding decision based on the 'Host' HTTP header instead of
the destination IP address.</p>
<p>Attackers may exploit this issue to obtain sensitive information
such as internal intranet webpages. Additional attacks may also be
possible.</p>
</blockquote>
</body>
</description>
<references>
<bid>33858</bid>
<cvename>CVE-2009-0804</cvename>
<url>http://www.kb.cert.org/vuls/id/MAPG-7N9GN8</url>
</references>
<dates>
<discovery>2009-02-23</discovery>
<entry>2009-04-15</entry>
</dates>
</vuln>
<vuln vid="1a0e4cc6-29bf-11de-bdeb-0030843d3802">
<topic>phpmyadmin -- insufficient output sanitizing when generating configuration file</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin Team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php">
<p>The setup script used to generate the configuration can be fooled,
using a crafted POST request, into including arbitrary PHP code in the
generated configuration file. Combined with the ability to save files on
the server, this can allow unauthenticated users to execute arbitrary PHP
code. This issue is on different parameters than PMASA-2009-3 and it was
missed by our radar because it did not exist in the 2.11.x
branch.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1285</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php</url>
</references>
<dates>
<discovery>2009-04-14</discovery>
<entry>2009-04-15</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="03d22656-2690-11de-8226-0030843d3802">
<topic>drupal6-cck -- cross-site scripting</topic>
<affects>
<package>
<name>drupal6-cck</name>
<range><lt>2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal CCK plugin developer reports:</p>
<blockquote cite="http://drupal.org/node/406520">
<p>The Node reference and User reference sub-modules, which
are part of the Content Construction Kit (CCK) project, let
administrators define node fields that are references to other
nodes or to users. When displaying a node edit form, the
titles of candidate referenced nodes or names of candidate
referenced users are not properly filtered, allowing malicious
users to inject arbitrary code on those pages. Such a cross-site
scripting (XSS) attack may lead to a malicious user
gaining full administrative access.</p>
</blockquote>
</body>
</description>
<references>
<bid>34172</bid>
<cvename>CVE-2009-1069</cvename>
<url>http://drupal.org/node/406520</url>
</references>
<dates>
<discovery>2009-03-23</discovery>
<entry>2009-04-11</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="0fe73a4a-1b18-11de-8226-0030843d3802">
<topic>pivot-weblog -- file deletion vulnerability</topic>
<affects>
<package>
<name>pivot-weblog</name>
<range><lt>1.40.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/34302">
<p>A vulnerability has been discovered in Pivot, which can be
exploited by malicious people to delete certain files.</p>
<p>Input passed to the "refkey" parameter in
extensions/bbclone_tools/count.php is not properly sanitised
before being used to delete files. This can be exploited to
delete files with the permissions of the web server via directory
traversal sequences passed within the "refkey" parameter.</p>
<p>NOTE: Users with the "Advanced" user level are able to include and
execute uploaded PHP code via the "pivot_path" parameter in
extensions/bbclone_tools/getkey.php when
extensions/bbclone_tools/hr_conf.php can be deleted.</p>
</blockquote>
</body>
</description>
<references>
<bid>34160</bid>
<url>http://secunia.com/advisories/34302/</url>
</references>
<dates>
<discovery>2009-03-18</discovery>
<entry>2009-03-27</entry>
</dates>
</vuln>
<vuln vid="06f9174f-190f-11de-b2f0-001c2514716c">
<topic>phpmyadmin -- insufficient output sanitizing when generating configuration file</topic>
<affects>
<package>
<name>phpMyAdmin211</name>
<range><lt>2.11.9.5</lt></range>
</package>
<package>
<name>phpMyAdmin</name>
<range><lt>3.1.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php">
<p>The setup script used to generate the configuration can be fooled,
using a crafted POST request, into including arbitrary PHP code
in the generated configuration file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-1151</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php</url>
</references>
<dates>
<discovery>2009-03-24</discovery>
<entry>2009-03-25</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="6bb6188c-17b2-11de-ae4d-0030843d3802">
<topic>amarok -- multiple vulnerabilities</topic>
<affects>
<package>
<name>amarok</name>
<range><lt>1.4.10_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/33505">
<p>Tobias Klein has reported some vulnerabilities in Amarok, which
potentially can be exploited by malicious people to compromise a
user's system.</p>
<p>Two integer overflow errors exist within the
"Audible::Tag::readTag()" function in
src/metadata/audible/audibletag.cpp. These can be exploited to cause
heap-based buffer overflows via specially crafted Audible Audio
files.</p>
<p>Two errors within the "Audible::Tag::readTag()" function in
src/metadata/audible/audibletag.cpp can be exploited to corrupt
arbitrary memory via specially crafted Audible Audio files.</p>
</blockquote>
</body>
</description>
<references>
<bid>33210</bid>
<cvename>CVE-2009-0135</cvename>
<cvename>CVE-2009-0136</cvename>
<url>http://www.debian.org/security/2009/dsa-1706</url>
<url>http://secunia.com/advisories/33505</url>
</references>
<dates>
<discovery>2009-01-12</discovery>
<entry>2009-03-23</entry>
</dates>
</vuln>
<vuln vid="f6f19735-9245-4918-8a60-87948ebb4907">
<topic>wireshark -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ethereal</name>
<name>ethereal-lite</name>
<name>tethereal</name>
<name>tethereal-lite</name>
<name>wireshark</name>
<name>wireshark-lite</name>
<range><lt>1.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Vendor reports:</p>
<blockquote cite="http://www.wireshark.org/security/wnpa-sec-2009-01.html">
<p>On non-Windows systems Wireshark could crash if the HOME
environment variable contained sprintf-style string formatting
characters. Wireshark could crash while reading a malformed
NetScreen snoop file. Wireshark could crash while reading a
Tektronix K12 text capture file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0599</cvename>
<cvename>CVE-2009-0600</cvename>
<cvename>CVE-2009-0601</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2009-01.html</url>
</references>
<dates>
<discovery>2009-02-06</discovery>
<entry>2009-03-22</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="72cba7b0-13cd-11de-a964-0030843d3802">
<topic>netatalk -- arbitrary command execution in papd daemon</topic>
<affects>
<package>
<name>netatalk</name>
<range><lt>2.0.3_5,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/33227/">
<p>A vulnerability has been reported in Netatalk, which potentially
can be exploited by malicious users to compromise a vulnerable system.</p>
<p>The vulnerability is caused due to the papd daemon improperly
sanitising several received parameters before passing them in a call
to popen(). This can be exploited to execute arbitrary commands via
a specially crafted printing request.</p>
<p>Successful exploitation requires that a printer is configured to
pass arbitrary values as parameters to a piped command.</p>
</blockquote>
</body>
</description>
<references>
<bid>32925</bid>
<cvename>CVE-2008-5718</cvename>
<url>http://secunia.com/advisories/33227/</url>
<url>http://www.openwall.com/lists/oss-security/2009/01/13/3</url>
</references>
<dates>
<discovery>2008-12-19</discovery>
<entry>2009-03-18</entry>
<modified>2009-03-18</modified>
</dates>
</vuln>
<vuln vid="37a365ed-1269-11de-a964-0030843d3802">
<topic>gstreamer-plugins-good -- multiple memory overflows</topic>
<affects>
<package>
<name>gstreamer-plugins-good</name>
<range><ge>0.10.9,3</ge><lt>0.10.12,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/33650/">
<p>Tobias Klein has reported some vulnerabilities in GStreamer Good
Plug-ins, which can potentially be exploited by malicious people to
compromise a vulnerable system.</p>
<p>A boundary error occurs within the "qtdemux_parse_samples()"
function in gst/gtdemux/qtdemux.c when performing QuickTime "ctts"
Atom parsing. This can be exploited to cause a heap-based buffer
overflow via a specially crafted QuickTime media file.</p>
<p>An array indexing error exists in the "qtdemux_parse_samples()"
function in gst/gtdemux/qtdemux.c when performing QuickTime "stss"
Atom parsing. This can be exploited to corrupt memory via a specially
crafted QuickTime media file.</p>
<p>A boundary error occurs within the "qtdemux_parse_samples()"
function in gst/gtdemux/qtdemux.c when performing QuickTime "stts"
Atom parsing. This can be exploited to cause a heap-based buffer
overflow via a specially crafted QuickTime media file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-0386</cvename>
<cvename>CVE-2009-0387</cvename>
<cvename>CVE-2009-0397</cvename>
<url>http://secunia.com/advisories/33650/</url>
