Revision 1.2888
Sat Nov 10 15:17:31 2012 UTC by swills
Branches: MAIN
CVS tags: HEAD
SVN rev 307286 on 2012-11-10 15:17:31Z by swills - Improve latest ruby entry slightly Feature safe: yes
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE vuxml PUBLIC "-//vuxml.org//DTD VuXML 1.1//EN" "http://www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd">
<!--
Copyright 2003-2012 Jacques Vidrine and contributors
Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
HTML, PDF, PostScript, RTF and so forth) with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code (VuXML) must retain the above
copyright notice, this list of conditions and the following
disclaimer as the first lines of this file unmodified.
2. Redistributions in compiled form (transformed to other DTDs,
published online in any format, converted to PDF, PostScript,
RTF and other formats) must reproduce the above copyright
notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the
distribution.
THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
$FreeBSD: ports/security/vuxml/vuln.xml,v 1.2888 2012/11/10 15:17:31 swills Exp $
QUICK GUIDE TO ADDING A NEW ENTRY
1. run 'make newentry' to add a template to the top of the document
2. fill in the template
3. use 'make validate' to verify syntax correctness (you might need to install
textproc/libxml2 for parser, and this port for catalogs)
4. fix any errors
5. profit!
Extensive documentation of the format and help with writing and verifying
a new entry is available in The Porter's Handbook at:
http://www.freebsd.org/doc/en/books/porters-handbook/security-notify.html
Help is also available from ports-security@freebsd.org.
Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="e02c572f-2af0-11e2-bb44-003067b2972c">
<topic>weechat -- Crash or freeze when decoding IRC colors in strings</topic>
<affects>
<package>
<name>weechat</name>
<range><ge>0.3.6</ge><lt>0.3.9.1</lt></range>
</package>
<package>
<name>weechat-devel</name>
<range><ge>20110614</ge><lt>20121110</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sebastien Helleu reports:</p>
<blockquote cite="https://savannah.nongnu.org/bugs/?37704">
<p>A buffer overflow is causing a crash or freeze of WeeChat when
decoding IRC colors in strings.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/173513</freebsdpr>
<url>http://weechat.org/security/</url>
<url>https://savannah.nongnu.org/bugs/?37704</url>
</references>
<dates>
<discovery>2012-11-09</discovery>
<entry>2012-11-10</entry>
<modified>2012-11-10</modified>
</dates>
</vuln>
<vuln vid="5e647ca3-2aea-11e2-b745-001fd0af1a4c">
<topic>ruby -- Hash-flooding DoS vulnerability for ruby 1.9</topic>
<affects>
<package>
<name>ruby</name>
<range><ge>1.9</ge><lt>1.9.3.327</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/">
<p>Carefully crafted sequences of strings can cause a denial of service
attack on the service that parses the sequence to create a Hash
object by using the strings as keys. For instance, this
vulnerability affects web applications that parse JSON data
sent from untrusted entities.</p>
<p>This vulnerability is similar to CVE-2011-4815 for ruby 1.8.7. ruby
1.9 versions were using a modified MurmurHash function, but it has been
reported that there is a way to create sequences of strings whose
hash values collide with each other. This fix changes the Hash
function of String object from MurmurHash to SipHash 2-4.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5371</cvename>
<url>http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/</url>
</references>
<dates>
<discovery>2012-11-10</discovery>
<entry>2012-11-10</entry>
</dates>
</vuln>
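Added example, not from the VuXML entry and not Ruby's own code: a Python model of the hash-flooding attack the entry above describes. The chained table, the toy unkeyed hash (a byte sum, chosen so that any permutation of a key collides; it is not Ruby's MurmurHash) and the colliding key set are all constructed here, and blake2b in keyed mode stands in for SipHash-2-4, which the Python standard library does not expose directly. The quantity to watch is the key-comparison count: with a predictable hash every attacker-supplied key lands in one chain and insertion cost grows quadratically; with a per-process secret key it stays linear.

```python
import hashlib
import itertools
import os


def weak_hash(key: bytes) -> int:
    # Unkeyed, order-insensitive toy hash: every permutation of the same
    # bytes collides, so an attacker can mint colliding keys at will.
    # Stand-in for any unkeyed string hash whose output an attacker can predict.
    return sum(key) % 2 ** 32


def make_keyed_hash(secret: bytes):
    # Keyed hash with a per-process random secret. Without the secret an
    # attacker cannot precompute which keys share a bucket. blake2b in keyed
    # mode stands in for SipHash-2-4 (assumption: not exposed by hashlib).
    def keyed_hash(key: bytes) -> int:
        digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return keyed_hash


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons,
    the quantity that blows up under hash flooding."""

    def __init__(self, hash_fn, nbuckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: bytes, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def colliding_keys(n: int) -> list:
    # Constructed attacker input: distinct permutations of one multiset of
    # bytes. All share the same byte sum, hence the same weak_hash value.
    keys = []
    for perm in itertools.permutations(b"abcdefgh"):
        keys.append(bytes(perm))
        if len(keys) == n:
            break
    return keys


def insertion_cost(hash_fn, keys) -> int:
    """Total key comparisons needed to insert all of `keys` into a fresh table."""
    table = ChainedTable(hash_fn)
    for key in keys:
        table.insert(key, True)
    return table.comparisons


if __name__ == "__main__":
    keys = colliding_keys(2000)
    print("unkeyed hash:", insertion_cost(weak_hash, keys), "comparisons")
    print("keyed hash  :", insertion_cost(make_keyed_hash(os.urandom(16)), keys), "comparisons")
```

With 2000 colliding keys the unkeyed table performs 1999000 comparisons (n(n-1)/2) while the keyed table performs a few thousand. The same key set is harmless once the hash depends on a secret the sender does not know, which is what the switch to SipHash 2-4 buys Ruby 1.9.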
<vuln vid="152e4c7e-2a2e-11e2-99c7-00a0d181e71d">
<topic>tomcat -- authentication weaknesses</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>5.5.0</gt><lt>5.5.36</lt></range>
<range><gt>6.0.0</gt><lt>6.0.36</lt></range>
<range><gt>7.0.0</gt><lt>7.0.30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://tomcat.apache.org/security.html">
<p>Three weaknesses in Tomcat's implementation of DIGEST
authentication were identified and resolved:</p>
<ul>
<li> Tomcat tracked client rather than server nonces and nonce count.</li>
<li> When a session ID was present, authentication was bypassed.</li>
<li> The user name and password were not checked before indicating
that a nonce was stale.</li>
</ul>
<p>These issues reduced the security of DIGEST authentication making
replay attacks possible in some circumstances.</p>
<p>The first issue was identified by Tilmann Kuhn. The second and third
issues were identified by the Tomcat security team during the code
review resulting from the first issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3439</cvename>
<url>http://tomcat.apache.org/security.html</url>
<url>http://tomcat.apache.org/security-5.html</url>
<url>http://tomcat.apache.org/security-6.html</url>
<url>http://tomcat.apache.org/security-7.html</url>
</references>
<dates>
<discovery>2012-11-05</discovery>
<entry>2012-11-08</entry>
<modified>2012-11-09</modified>
</dates>
</vuln>
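Added example, not part of this entry and not Tomcat's code: a Python sketch of the server-side DIGEST bookkeeping whose absence the three weaknesses above describe. Nonces are issued and remembered by the server rather than taken from the client, the nonce count (nc) must strictly increase per nonce so a repeated Authorization header is refused as a replay, and the username and password are verified before a nonce is ever reported as stale. The realm, user table, lifetime and request parameters are constructed demo values; the response computation follows RFC 2617 with qop=auth.

```python
import hashlib
import hmac
import os
import time


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def client_digest(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'auth' response as a client would send it (demo helper)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": qop, "nc": nc, "cnonce": cnonce, "response": response}


class DigestServer:
    """Server-side DIGEST state: only server-issued nonces are accepted and
    the nonce count must strictly increase for each nonce."""

    def __init__(self, realm, users, nonce_lifetime=300.0):
        self.realm = realm
        self.users = users                  # username -> password (constructed demo data)
        self.nonce_lifetime = nonce_lifetime
        self.nonces = {}                    # nonce -> [issued_at, highest nc accepted]

    def issue_nonce(self, now=None):
        now = time.time() if now is None else now
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = [now, 0]
        return nonce

    def authenticate(self, method, uri, params, now=None):
        now = time.time() if now is None else now
        password = self.users.get(params.get("username"))
        if password is None or params.get("uri") != uri:
            return "bad-credentials"
        expected = client_digest(params["username"], password, self.realm, method, uri,
                                 params["nonce"], params["nc"], params["cnonce"],
                                 params.get("qop", "auth"))["response"]
        # 1. Verify the credentials before anything else, so a stale-nonce
        #    reply is only ever given to a client that knows the password.
        if not hmac.compare_digest(expected, params["response"]):
            return "bad-credentials"
        # 2. The nonce must be one this server issued. Tracking client-chosen
        #    nonces would hand replay protection to the client.
        state = self.nonces.get(params["nonce"])
        if state is None:
            return "bad-nonce"
        issued_at, highest_nc = state
        if now - issued_at > self.nonce_lifetime:
            return "stale"
        # 3. nc must strictly increase; a repeated Authorization header is a replay.
        try:
            nc = int(params["nc"], 16)
        except ValueError:
            return "bad-nonce"
        if not nc > highest_nc:
            return "replay"
        state[1] = nc
        return "ok"
```

A real server would also expire entries from the nonce table and bind the nonce to the client address or session; the ordering of the three checks is the part that matters for the weaknesses described above.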
<vuln vid="4ca26574-2a2c-11e2-99c7-00a0d181e71d">
<topic>tomcat -- Denial of Service</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>6.0.0</gt><lt>6.0.36</lt></range>
<range><gt>7.0.0</gt><lt>7.0.28</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://tomcat.apache.org/security.html">
<p>The checks that limited the permitted size of request headers were
implemented too late in the request parsing process for the HTTP NIO
connector. This enabled a malicious user to trigger an
OutOfMemoryError by sending a single request with very large
headers. This issue was identified by Josh Spiewak.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2733</cvename>
<url>http://tomcat.apache.org/security.html</url>
<url>http://tomcat.apache.org/security-6.html</url>
<url>http://tomcat.apache.org/security-7.html</url>
</references>
<dates>
<discovery>2012-11-05</discovery>
<entry>2012-11-08</entry>
<modified>2012-11-09</modified>
</dates>
</vuln>
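Added example, not Tomcat's code: the difference between checking a header-size limit after the whole header block has been buffered and checking it while the block is still being read, shown in Python over an in-memory stream. The request bytes, the limit and all helper names are constructed for this example; the late-check reader reproduces the failure mode the advisory describes, the early-check reader the fix.

```python
import io


class HeadersTooLarge(Exception):
    """Raised with the number of header bytes buffered when the limit was hit."""


def parse_header_block(block: bytes) -> dict:
    headers = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def read_headers_late_check(stream, max_header_bytes):
    # The pattern the advisory describes: buffer the entire header block
    # first and compare its size against the limit afterwards. Peak memory
    # is then chosen by the sender, not by the limit.
    buf = bytearray()
    while True:
        line = stream.readline()
        if line in (b"", b"\r\n", b"\n"):
            break
        buf += line
    if len(buf) > max_header_bytes:
        raise HeadersTooLarge(len(buf))
    return parse_header_block(bytes(buf)), len(buf)


def read_headers_early_check(stream, max_header_bytes):
    # Hardened: account for every byte as it arrives and stop reading the
    # moment the budget would be exceeded. readline() is capped as well, so a
    # single newline-free header cannot grow the buffer past the limit.
    buf = bytearray()
    while True:
        line = stream.readline(max_header_bytes + 1)
        if line in (b"", b"\r\n", b"\n"):
            break
        if len(buf) + len(line) > max_header_bytes:
            raise HeadersTooLarge(len(buf) + len(line))
        buf += line
    return parse_header_block(bytes(buf)), len(buf)


def attack_request(padding: int) -> bytes:
    # Constructed request: one ordinary header followed by one huge one.
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: "
            + b"A" * padding + b"\r\n\r\n")


def peak_buffered(reader, raw_request: bytes, limit: int) -> int:
    """Header bytes held in memory when `reader` stopped, whether it finished
    normally or aborted on the limit."""
    stream = io.BytesIO(raw_request)
    stream.readline()  # the request line is not part of the header budget here
    try:
        _, size = reader(stream, limit)
        return size
    except HeadersTooLarge as exc:
        return exc.args[0]


if __name__ == "__main__":
    big = attack_request(1_000_000)
    print("late check buffered :", peak_buffered(read_headers_late_check, big, 8192))
    print("early check buffered:", peak_buffered(read_headers_early_check, big, 8192))
```

Both readers reject the oversized request; the difference is that the late check has already held roughly a megabyte per connection before saying no, which is the memory an attacker multiplies across connections to reach an OutOfMemoryError.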
<vuln vid="4b8b748e-2a24-11e2-bb44-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><le>11.2r202.243</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-24.html">
<p>These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5274</cvename>
<cvename>CVE-2012-5275</cvename>
<cvename>CVE-2012-5276</cvename>
<cvename>CVE-2012-5277</cvename>
<cvename>CVE-2012-5278</cvename>
<cvename>CVE-2012-5279</cvename>
<cvename>CVE-2012-5280</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-24.html</url>
</references>
<dates>
<discovery>2012-10-08</discovery>
<entry>2012-11-02</entry>
</dates>
</vuln>
<vuln vid="209c068d-28be-11e2-9160-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>23.0.1271.64</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/search/label/Stable%20updates">
<p>[157079] Medium CVE-2012-5127: Integer overflow leading to
out-of-bounds read in WebP handling. Credit to Phil Turnbull.</p>
<p>[Linux 64-bit only] [150729] Medium CVE-2012-5120: Out-of-bounds
array access in v8. Credit to Atte Kettunen of OUSPG.</p>
<p>[143761] High CVE-2012-5116: Use-after-free in SVG filter
handling. Credit to miaubiz.</p>
<p>[Mac OS only] [149717] High CVE-2012-5118: Integer bounds check
issue in GPU command buffers. Credit to miaubiz.</p>
<p>[154055] High CVE-2012-5121: Use-after-free in video layout.
Credit to Atte Kettunen of OUSPG.</p>
<p>[145915] Low CVE-2012-5117: Inappropriate load of SVG subresource
in img context. Credit to Felix Gröbert of the Google Security
Team.</p>
<p>[149759] Medium CVE-2012-5119: Race condition in Pepper buffer
handling. Credit to Fermin Serna of the Google Security Team.</p>
<p>[154465] Medium CVE-2012-5122: Bad cast in input handling. Credit
to Google Chrome Security Team (Inferno).</p>
<p>[154590] [156826] Medium CVE-2012-5123: Out-of-bounds reads in
Skia. Credit to Google Chrome Security Team (Inferno).</p>
<p>[155323] High CVE-2012-5124: Memory corruption in texture handling.
Credit to Al Patrick of the Chromium development community.</p>
<p>[156051] Medium CVE-2012-5125: Use-after-free in extension tab
handling. Credit to Alexander Potapenko of the Chromium development
community.</p>
<p>[156366] Medium CVE-2012-5126: Use-after-free in plug-in
placeholder handling. Credit to Google Chrome Security Team
(Inferno).</p>
<p>[157124] High CVE-2012-5128: Bad write in v8. Credit to Google
Chrome Security Team (Cris Neckar).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5127</cvename>
<cvename>CVE-2012-5120</cvename>
<cvename>CVE-2012-5116</cvename>
<cvename>CVE-2012-5118</cvename>
<cvename>CVE-2012-5121</cvename>
<cvename>CVE-2012-5117</cvename>
<cvename>CVE-2012-5119</cvename>
<cvename>CVE-2012-5122</cvename>
<cvename>CVE-2012-5123</cvename>
<cvename>CVE-2012-5124</cvename>
<cvename>CVE-2012-5125</cvename>
<cvename>CVE-2012-5126</cvename>
<cvename>CVE-2012-5128</cvename>
<url>http://googlechromereleases.blogspot.nl/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-11-06</discovery>
<entry>2012-11-07</entry>
</dates>
</vuln>
<vuln vid="38daea4f-2851-11e2-9483-14dae938ec40">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<name>opera-devel</name>
<name>linux-opera</name>
<name>linux-opera-devel</name>
<range><lt>12.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera reports:</p>
<blockquote cite="http://www.opera.com/support/kb/view/1030/">
<p>CORS (Cross-Origin Resource Sharing) allows web pages to retrieve
the contents of pages from other sites, with their permission,
as they would appear for the current user.
When requests are made in this way, the browser should only allow
the page content to be retrieved if the target site sends the
correct headers that give permission for their contents to be
used in this way. Specially crafted requests may trick Opera
into thinking that the target site has given permission when it
had not done so. This can result in the contents of any target page
being revealed to untrusted sites, including any
sensitive information or session IDs contained within the
source of those pages.</p>
</blockquote>
<p>Also reported are vulnerabilities involving SVG graphics and XSS.</p>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/1030/</url>
<url>http://www.opera.com/support/kb/view/1031/</url>
<url>http://www.opera.com/support/kb/view/1033/</url>
</references>
<dates>
<discovery>2012-11-06</discovery>
<entry>2012-11-06</entry>
</dates>
</vuln>
<vuln vid="36533a59-2770-11e2-bb44-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><le>11.2r202.238</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-22.html">
<p>These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5248</cvename>
<cvename>CVE-2012-5249</cvename>
<cvename>CVE-2012-5250</cvename>
<cvename>CVE-2012-5251</cvename>
<cvename>CVE-2012-5252</cvename>
<cvename>CVE-2012-5253</cvename>
<cvename>CVE-2012-5254</cvename>
<cvename>CVE-2012-5255</cvename>
<cvename>CVE-2012-5256</cvename>
<cvename>CVE-2012-5257</cvename>
<cvename>CVE-2012-5258</cvename>
<cvename>CVE-2012-5259</cvename>
<cvename>CVE-2012-5260</cvename>
<cvename>CVE-2012-5261</cvename>
<cvename>CVE-2012-5262</cvename>
<cvename>CVE-2012-5263</cvename>
<cvename>CVE-2012-5264</cvename>
<cvename>CVE-2012-5265</cvename>
<cvename>CVE-2012-5266</cvename>
<cvename>CVE-2012-5267</cvename>
<cvename>CVE-2012-5269</cvename>
<cvename>CVE-2012-5270</cvename>
<cvename>CVE-2012-5271</cvename>
<cvename>CVE-2012-5272</cvename>
<cvename>CVE-2012-5285</cvename>
<cvename>CVE-2012-5286</cvename>
<cvename>CVE-2012-5287</cvename>
<cvename>CVE-2012-5673</cvename>
<cvename>CVE-2012-2034</cvename>
<cvename>CVE-2012-2035</cvename>
<cvename>CVE-2012-2036</cvename>
<cvename>CVE-2012-2037</cvename>
<cvename>CVE-2012-2038</cvename>
<cvename>CVE-2012-2039</cvename>
<cvename>CVE-2012-2040</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-22.html</url>
</references>
<dates>
<discovery>2012-10-08</discovery>
<entry>2012-11-02</entry>
</dates>
</vuln>
<vuln vid="65539c54-2517-11e2-b9d6-20cf30e32f6d">
<topic>apache22 -- several vulnerabilities</topic>
<affects>
<package>
<name>apache22</name>
<range><gt>2.2.0</gt><lt>2.2.23</lt></range>
</package>
<package>
<name>apache22-event-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.23</lt></range>
</package>
<package>
<name>apache22-itk-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.23</lt></range>
</package>
<package>
<name>apache22-peruser-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.23</lt></range>
</package>
<package>
<name>apache22-worker-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache HTTP Server Project reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_22.html">
<p>low: XSS in mod_negotiation when untrusted uploads are supported (CVE-2012-2687)</p>
<p>Possible XSS for sites which use mod_negotiation and
allow untrusted uploads to locations which have MultiViews enabled.</p>
<p>low: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)</p>
</blockquote>
<p>The LD_LIBRARY_PATH issue was already fixed in port version 2.2.22_5.</p>
</body>
</description>
<references>
<cvename>CVE-2012-2687</cvename>
<cvename>CVE-2012-0883</cvename><!-- already fixed in r301849 -->
</references>
<dates>
<discovery>2012-09-13</discovery>
<entry>2012-11-02</entry>
</dates>
</vuln>
<vuln vid="ec89dc70-2515-11e2-8eda-000a5e1e33c6">
<topic>webmin -- potential XSS attack via real name field</topic>
<affects>
<package>
<name>webmin</name>
<range><lt>1.600_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The webmin updates site reports</p>
<blockquote cite="http://www.webmin.com/updates.html">
<p>Module: Change Passwords; Version: 1.600; Problem: Fix for potential XSS attack
via real name field; Solution: New module.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.webmin.com/updates.html</url>
</references>
<dates>
<discovery>2012-11-02</discovery>
<entry>2012-11-02</entry>
</dates>
</vuln>
<vuln vid="3decc87d-2498-11e2-b0c7-000d601460a4">
<topic>ruby -- Unintentional file creation caused by inserting an illegal NUL character</topic>
<affects>
<package>
<name>ruby</name>
<range><gt>1.9.3,1</gt><lt>1.9.3.286,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/">
<p>A vulnerability was found that file creation routines can create
unintended files by strategically inserting NUL(s) in file paths.
This vulnerability has been reported as CVE-2012-4522.</p>
<p>Ruby can handle arbitrary binary patterns as Strings, including
NUL chars. On the other hand, OSes and other libraries tend not to.
They usually treat a NUL as an End of String mark. So to interface
them with Ruby, NUL chars should properly be avoided.</p>
<p>However, methods like IO#open did not check the filename passed to
them, and just passed those strings to lower layer routines. This
led to the creation of unintentional files.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4522</cvename>
<url>http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/</url>
<url>https://access.redhat.com/security/cve/CVE-2012-4522/</url>
</references>
<dates>
<discovery>2012-10-12</discovery>
<entry>2012-11-01</entry>
</dates>
</vuln>
<vuln vid="2a093853-2495-11e2-b0c7-000d601460a4">
<topic>ruby -- $SAFE escaping vulnerability about Exception#to_s/NameError#to_s</topic>
<affects>
<package>
<name>ruby</name>
<range><gt>1.8.7,1</gt><lt>1.8.7.371,1</lt></range>
<range><gt>1.9.3,1</gt><lt>1.9.3.286,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/">
<p>Vulnerabilities found for Exception#to_s, NameError#to_s, and
name_err_mesg_to_s() which is Ruby interpreter-internal API. A
malicious user code can bypass $SAFE check by utilizing one of
those security holes.</p>
<p>Ruby's $SAFE mechanism enables untrusted user codes to run in
$SAFE >= 4 mode. This is a kind of sandboxing so some operations
are restricted in that mode to protect other data outside the
sandbox.</p>
<p>The problem found was around this mechanism. Exception#to_s,
NameError#to_s, and name_err_mesg_to_s() interpreter-internal API
was not correctly handling the $SAFE bits so a String object which
is not tainted can destructively be marked as tainted using them.
By using this an untrusted code in a sandbox can modify a
formerly-untainted string destructively.</p>
<p>Ruby 1.8 once had a similar security issue. It fixed
Exception#to_s and NameError#to_s, but the name_err_mesg_to_str() issue
survived the previous security fix.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4464</cvename>
<cvename>CVE-2012-4466</cvename>
<url>http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/</url>
<url>https://access.redhat.com/security/cve/CVE-2012-4464/</url>
</references>
<dates>
<discovery>2012-08-21</discovery>
<entry>2012-11-01</entry>
</dates>
</vuln>
<vuln vid="4b738d54-2427-11e2-9817-c8600054b392">
<topic>RT -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>rt40</name>
<range><ge>4.0</ge><lt>4.0.8</lt></range>
</package>
<package>
<name>rt38</name>
<range><lt>3.8.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Best Practical reports:</p>
<blockquote cite="http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html">
<p>All versions of RT are vulnerable to an email header injection
attack. Users with ModifySelf or AdminUser can cause RT to add
arbitrary headers or content to outgoing mail. Depending on the
scrips that are configured, this may be leveraged for information
leakage or phishing.</p>
<p>RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability
due to lack of proper rights checking, allowing any privileged user
to create Articles in any class.</p>
<p>All versions of RT with cross-site-request forgery (CSRF)
protection (RT 3.8.12 and above, RT 4.0.6 and above, and any
instances running the security patches released 2012-05-22) contain
a vulnerability which incorrectly allows through CSRF requests which
toggle ticket bookmarks.</p>
<p>All versions of RT are vulnerable to a confused deputy attack on
the user. While not strictly a CSRF attack, users who are not logged
in who are tricked into following a malicious link may, after
supplying their credentials, be subject to an attack which leverages
their credentials to modify arbitrary state. While users who were
logged in would have observed the CSRF protection page, users who
were not logged in receive no such warning due to the intervening
login process. RT has been extended to notify users of pending
actions during the login process.</p>
<p>RT 3.8.0 and above are susceptible to a number of vulnerabilities
concerning improper signing or encryption of messages using GnuPG;
if GnuPG is not enabled, none of the following affect you.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4730</cvename>
<cvename>CVE-2012-4731</cvename>
<cvename>CVE-2012-4732</cvename>
<cvename>CVE-2012-4734</cvename>
<cvename>CVE-2012-4735</cvename>
<cvename>CVE-2012-4884</cvename>
<url>http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html</url>
</references>
<dates>
<discovery>2012-10-26</discovery>
<entry>2012-11-01</entry>
</dates>
</vuln>
<vuln vid="2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5">
<topic>drupal7 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal7</name>
<range><lt>7.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team reports:</p>
<blockquote cite="http://drupal.org/node/1815912">
<ol>
<li>
<p>Arbitrary PHP code execution</p>
<p>A bug in the installer code was identified that allows an attacker
to re-install Drupal using an external database server under certain
transient conditions. This could allow the attacker to execute
arbitrary PHP code on the original server.</p>
</li>
<li>
<p>Information disclosure - OpenID module</p>
<p>For sites using the core OpenID module, an information disclosure
vulnerability was identified that allows an attacker to read files
on the local filesystem by attempting to log in to the site using a
malicious OpenID server.</p>
</li>
</ol>
</blockquote>
</body>
</description>
<references>
<url>http://drupal.org/node/1815912</url>
</references>
<dates>
<discovery>2012-10-17</discovery>
<entry>2012-10-31</entry>
</dates>
</vuln>
<vuln vid="6b3b1b97-207c-11e2-a03f-c8600054b392">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>16.0.2,1</lt></range>
<range><lt>10.0.10,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.10,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.13.2</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.10</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.13.2</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>16.0.2</lt></range>
<range><lt>10.0.10</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-90 Fixes for Location object issues</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4194</cvename>
<cvename>CVE-2012-4195</cvename>
<cvename>CVE-2012-4196</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-90.html</url>
</references>
<dates>
<discovery>2012-10-26</discovery>
<entry>2012-10-27</entry>
</dates>
</vuln>
<vuln vid="b0f3ab1f-1f3b-11e2-8fe9-0022156e8794">
<topic>Exim -- remote code execution</topic>
<affects>
<package>
<name>exim</name>
<range><ge>4.70</ge><lt>4.80.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>This vulnerability affects Exim instances built with DKIM
enabled (the default for the FreeBSD Exim port) and running
verification of DKIM signatures on incoming mail
messages.</p>
<p>Phil Pennock reports:</p>
<blockquote cite="https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html">
<p>This is a SECURITY release, addressing a CRITICAL remote
code execution flaw in versions of Exim between 4.70 and
4.80 inclusive, when built with DKIM support (the default).</p>
<p>This security vulnerability can be exploited by anyone
who can send email from a domain for which they control the
DNS.</p>
<p>You are not vulnerable if you built Exim with DISABLE_DKIM
or if you put this at the start of an ACL plumbed into
acl_smtp_connect or acl_smtp_rcpt:</p>
<pre>warn control = dkim_disable_verify</pre>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5671</cvename>
<url>https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html</url>
</references>
<dates>
<discovery>2012-10-25</discovery>
<entry>2012-10-26</entry>
</dates>
</vuln>
<vuln vid="5f326d75-1db9-11e2-bc8f-d0df9acfd7e5">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>django</name>
<range><lt>1.4.2</lt></range>
</package>
<package>
<name>django13</name>
<range><lt>1.3.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django Project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2012/oct/17/security/">
<ol>
<li>
<p>Host header poisoning</p>
<p>Some parts of Django -- independent of end-user-written applications
-- make use of full URLs, including domain name, which are generated
from the HTTP Host header. Some attacks against this are beyond Django's
ability to control, and require the web server to be properly configured;
Django's documentation has for some time contained notes advising users
on such configuration.</p>
<p>Django's own built-in parsing of the Host header is, however, still
vulnerable, as was reported to us recently. The Host header parsing
in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host()
-- was incorrectly handling username/password information in the header.
Thus, for example, the following Host header would be accepted by Django when
running on "validsite.com":</p>
<p>Host: validsite.com:random@evilsite.com</p>
<p>Using this, an attacker can cause parts of Django -- particularly the
password-reset mechanism -- to generate and display arbitrary URLs to users.</p>
<p>To remedy this, the parsing in HttpRequest.get_host() is being modified; Host
headers which contain potentially dangerous content (such as username/password
pairs) now raise the exception django.core.exceptions.SuspiciousOperation.</p>
</li>
<li>
<p>Documentation of HttpOnly cookie option</p>
<p>As of Django 1.4, session cookies are always sent with the HttpOnly flag, which
provides some additional protection from cross-site scripting attacks by denying
client-side scripts access to the session cookie.</p>
<p>Though not directly a security issue in Django, it has been reported that the
Django 1.4 documentation incorrectly described this change, by claiming that this
was now the default for all cookies set by the HttpResponse.set_cookie() method.</p>
<p>The Django documentation has been updated to reflect that this only applies to the
session cookie. Users of Django are encouraged to review their use of set_cookie()
to ensure that the HttpOnly flag is being set or unset appropriately.</p>
</li>
</ol>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4520</cvename>
<url>https://www.djangoproject.com/weblog/2012/oct/17/security/</url>
</references>
<dates>
<discovery>2012-10-17</discovery>
<entry>2012-10-24</entry>
</dates>
</vuln>
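Added example, not Django's code: the Host header problem from item 1 above, in Python. naive_get_host shows what a URL-style parse makes of the quoted header (everything before the at-sign becomes userinfo, so evilsite.com wins); get_host accepts only a bare host name or bracketed IPv6 literal with an optional numeric port and raises a stand-in for django.core.exceptions.SuspiciousOperation for anything else. HOST_RE and the helper names are written for this example and are not the pattern Django shipped.

```python
import re
from urllib.parse import urlsplit


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (assumption)."""


# A bare hostname (or bracketed IPv6 literal) with an optional numeric port
# and nothing else: no userinfo, no path, no whitespace. Written for this
# example; it is not Django's own pattern.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[0-9a-f:.]+\])(:[0-9]+)?$", re.IGNORECASE)


def naive_get_host(host_header: str) -> str:
    # What a URL-oriented parser makes of the header: the text before the
    # at-sign becomes userinfo and the attacker-chosen suffix becomes the host.
    return urlsplit("http://" + host_header + "/").hostname


def host_is_valid(host_header: str) -> bool:
    return HOST_RE.match(host_header) is not None


def get_host(host_header: str) -> str:
    """Return the Host header verbatim if it is a plain host[:port], else raise."""
    if not host_is_valid(host_header):
        raise SuspiciousOperation(f"Invalid HTTP_HOST header: {host_header!r}")
    return host_header


def password_reset_url(host_header: str, token: str) -> str:
    # The vector from the advisory: an absolute URL built from the Host
    # header and mailed to the user. With validation in place the poisoned
    # header is rejected before any URL is generated.
    return "https://" + get_host(host_header) + "/reset/" + token + "/"


if __name__ == "__main__":
    poisoned = "validsite.com:random@evilsite.com"
    print("naive parse sees host:", naive_get_host(poisoned))
    try:
        password_reset_url(poisoned, "token")
    except SuspiciousOperation as exc:
        print("rejected:", exc)
```

Rejecting the header is the right failure mode: a reset link that merely had the userinfo stripped would still be built from a value the client chose, which is why the fix raises rather than sanitises.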
<vuln vid="a7706414-1be7-11e2-9aad-902b343deec9">
<topic>Wireshark -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<range><le>1.8.2_1</le></range>
</package>
<package>
<name>wireshark-lite</name>
<range><le>1.8.2_1</le></range>
</package>
<package>
<name>tshark</name>
<range><le>1.8.2_1</le></range>
</package>
<package>
<name>tshark-lite</name>
<range><le>1.8.2_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark reports:</p>
<blockquote cite="http://www.wireshark.org/docs/relnotes/wireshark-1.8.3.html">
<p>The HSRP dissector could go into an infinite loop.</p>
<p>The PPP dissector could abort.</p>
<p>Martin Wilck discovered an infinite loop in the DRDA
dissector.</p>
<p>Laurent Butti discovered a buffer overflow in the LDP
dissector.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5237</cvename>
<cvename>CVE-2012-5238</cvename>
<cvename>CVE-2012-5239</cvename>
<cvename>CVE-2012-5240</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2012-26.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-27.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-28.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-29.html</url>
<url>http://www.wireshark.org/docs/relnotes/wireshark-1.8.3.html</url>
</references>
<dates>
<discovery>2012-10-02</discovery>
<entry>2012-08-31</entry>
</dates>
</vuln>
<vuln vid="57652765-18aa-11e2-8382-00a0d181e71d">
<topic>xlockmore -- local exploit</topic>
<affects>
<package>
<name>xlockmore</name>
<name>ja-xlockmore</name>
<range><lt>5.40_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ignatios Souvatzis of NetBSD reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2012/10/17/10">
<p>Due to an error in the dclock screensaver in xlockmore, users who
explicitly use this screensaver or a random mix of screensavers using
something like "xlockmore -mode random" may have their screen unlocked
unexpectedly at a random time.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4524</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2012/10/17/10</mlist>
</references>
<dates>
<discovery>2012-10-17</discovery>
<entry>2012-10-17</entry>
</dates>
</vuln>
<vuln vid="e11955ca-187c-11e2-be36-00215af774f0">
<topic>xinetd -- attackers can bypass access restrictions if tcpmux-servers service enabled</topic>
<affects>
<package>
<name>xinetd</name>
<range><lt>2.3.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Thomas Swan reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=790940">
<p>xinetd allows for services to be configured with the TCPMUX
or TCPMUXPLUS service types, which makes those services
available on port 1, as per RFC 1078 [1], if the tcpmux-server
service is enabled. When the tcpmux-server service is enabled,
xinetd would expose _all_ enabled services via the tcpmux port,
instead of just the configured service(s). This could allow
a remote attacker to bypass firewall restrictions and access
services via the tcpmux port.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0862</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=790940</url>
</references>
<dates>
<discovery>2012-02-15</discovery>
<entry>2012-10-17</entry>
</dates>
</vuln>
<vuln vid="ec34d0c2-1799-11e2-b4ab-000c29033c32">
<topic>Zend Framework -- Multiple vulnerabilities via XXE injection</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.11.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2012-01">
<p>The XmlRpc package of Zend Framework is vulnerable to XML
eXternal Entity Injection attacks (both server and client).
The SimpleXMLElement class (SimpleXML PHP extension) is used
in an insecure way to parse XML data. External entities can be
specified by adding a specific DOCTYPE element to XML-RPC
requests. By exploiting this vulnerability an application may be
coerced to open arbitrary files and/or TCP connections.</p>
<p>Additionally, the Zend_Dom, Zend_Feed, Zend_Soap, and
Zend_XmlRpc components are vulnerable to XML Entity Expansion
(XEE) vectors, leading to Denial of Service vectors. XEE attacks
occur when the XML DOCTYPE declaration includes XML entity
definitions that contain either recursive or circular references;
this leads to CPU and memory consumption, making Denial of
Service exploits trivial to implement.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3363</cvename>
<url>https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt</url>
<url>http://framework.zend.com/security/advisory/ZF2012-01</url>
<url>http://framework.zend.com/security/advisory/ZF2012-02</url>
<url>http://www.openwall.com/lists/oss-security/2012/06/26/2</url>
<url>https://secunia.com/advisories/49665/</url>
</references>
<dates>
<discovery>2012-06-26</discovery>
<entry>2012-10-16</entry>
</dates>
</vuln>
<vuln vid="f94befcd-1289-11e2-a25e-525400272390">
<topic>gitolite -- path traversal vulnerability</topic>
<affects>
<package>
<name>gitolite</name>
<range><ge>3.01</ge><le>3.04</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sitaram Chamarty reports:</p>
<blockquote cite="https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion">
<p>I'm sorry to say there is a potential path traversal vulnerability in
v3. Thanks to Stephane Chazelas for finding it and alerting me.</p>
<p>Can it affect you? This can only affect you if you are using wild
card repos, *and* at least one of your patterns allows the string
"../" to match multiple times.</p>
<p>How badly can it affect you? A malicious user who *also* has the
ability to create arbitrary files in, say, /tmp (e.g., he has his own
userid on the same box), can compromise the entire "git" user.
Otherwise the worst he can do is create arbitrary repos in /tmp.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4506</cvename>
<mlist msgid="CAMK1S_jotna+d_X2C-+es-M28i1aUBcsNeiXxwJ63EshQ8ht6w@mail.gmail.com">https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion</mlist>
</references>
<dates>
<discovery>2012-10-09</discovery>
<entry>2012-10-15</entry>
</dates>
</vuln>
<vuln vid="ef417da3-1640-11e2-999b-e0cb4e266481">
<topic>phpMyAdmin -- Multiple XSS due to unescaped HTML output in Trigger, Procedure and Event pages and Fetching the version information from a non-SSL site is vulnerable to a MITM attack</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>3.5</ge><lt>3.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php">
<p>When creating/modifying a trigger, event or procedure
with a crafted name, it is possible to trigger an XSS.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php">
<p>To display information about the current phpMyAdmin
version on the main page, a piece of JavaScript is fetched
from the phpmyadmin.net website in non-SSL mode. A
man-in-the-middle could modify this script on the wire to
cause mischief.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5339</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php</url>
<cvename>CVE-2012-5368</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php</url>
</references>
<dates>
<discovery>2012-10-08</discovery>
<entry>2012-10-14</entry>
</dates>
</vuln>
<vuln vid="09e83f7f-1326-11e2-afe3-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>22.0.1229.94</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/search/label/Stable%20updates">
<p>[154983][154987] Critical CVE-2012-5112: SVG use-after-free and
IPC arbitrary file write. Credit to Pinkie Pie.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5112</cvename>
<url>http://googlechromereleases.blogspot.nl/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-10-10</discovery>
<entry>2012-10-10</entry>
</dates>
</vuln>
<vuln vid="6e5a9afd-12d3-11e2-b47d-c8600054b392">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>16.0.1,1</lt></range>
<range><lt>10.0.9,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.9,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.13.1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.9</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.13.1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>16.0.1</lt></range>
<range><lt>10.0.9</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/
rv:10.0.8)</p>
<p>MFSA 2012-75 select element persistence allows for attacks</p>
<p>MFSA 2012-76 Continued access to initial origin after setting
document.domain</p>
<p>MFSA 2012-77 Some DOMWindowUtils methods bypass security checks</p>
<p>MFSA 2012-78 Reader Mode pages have chrome privileges</p>
<p>MFSA 2012-79 DOS and crash with full screen and history navigation</p>
<p>MFSA 2012-80 Crash with invalid cast when using instanceof
operator</p>
<p>MFSA 2012-81 GetProperty function can bypass security checks</p>
<p>MFSA 2012-82 top object and location property accessible by
plugins</p>
<p>MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow access
to privileged functions or properties</p>
<p>MFSA 2012-84 Spoofing and script injection through location.hash</p>
<p>MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds
read issues found using Address Sanitizer</p>
<p>MFSA 2012-86 Heap memory corruption issues found using Address
Sanitizer</p>
<p>MFSA 2012-87 Use-after-free in the IME State Manager</p>
<p>MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)</p>
<p>MFSA 2012-89 defaultValue security checks not applied</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3982</cvename>
<cvename>CVE-2012-3983</cvename>
<cvename>CVE-2012-3984</cvename>
<cvename>CVE-2012-3985</cvename>
<cvename>CVE-2012-3986</cvename>
<cvename>CVE-2012-3987</cvename>
<cvename>CVE-2012-3988</cvename>
<cvename>CVE-2012-3989</cvename>
<cvename>CVE-2012-3990</cvename>
<cvename>CVE-2012-3991</cvename>
<cvename>CVE-2012-3992</cvename>
<cvename>CVE-2012-3993</cvename>
<cvename>CVE-2012-3994</cvename>
<cvename>CVE-2012-3995</cvename>
<cvename>CVE-2012-4179</cvename>
<cvename>CVE-2012-4180</cvename>
<cvename>CVE-2012-4181</cvename>
<cvename>CVE-2012-4182</cvename>
<cvename>CVE-2012-4183</cvename>
<cvename>CVE-2012-4184</cvename>
<cvename>CVE-2012-4186</cvename>
<cvename>CVE-2012-4187</cvename>
<cvename>CVE-2012-4188</cvename>
<cvename>CVE-2012-4190</cvename>
<cvename>CVE-2012-4191</cvename>
<cvename>CVE-2012-4192</cvename>
<cvename>CVE-2012-4193</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-74.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-75.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-76.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-77.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-78.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-79.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-80.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-81.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-82.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-83.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-84.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-85.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-86.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-87.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-88.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-89.html</url>
</references>
<dates>
<discovery>2012-10-09</discovery>
<entry>2012-10-10</entry>
<modified>2012-10-11</modified>
</dates>
</vuln>
<vuln vid="57a700f9-12c0-11e2-9f86-001d923933b6">
<topic>dns/bind9* -- crash on deliberately constructed combination of records</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.1.4</lt></range>
</package>
<package>
<name>bind99-base</name>
<range><lt>9.9.1.4</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.3.4</lt></range>
</package>
<package>
<name>bind98-base</name>
<range><lt>9.8.3.4</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.6.4</lt></range>
</package>
<package>
<name>bind97-base</name>
<range><lt>9.7.6.4</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R7.4</lt></range>
</package>
<package>
<name>bind96-base</name>
<range><lt>9.6.3.1.ESV.R7.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-00801/">
<p>A deliberately constructed combination of records could cause named
to hang while populating the additional section of a response.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5166</cvename>
</references>
<dates>
<discovery>2012-09-26</discovery>
<entry>2012-10-10</entry>
</dates>
</vuln>
<vuln vid="e6161b65-1187-11e2-afe3-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>22.0.1229.92</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/search/label/Stable%20updates">
<p>[138208] High CVE-2012-2900: Crash in Skia text rendering. Credit
to Atte Kettunen of OUSPG.</p>
<p>[147499] Critical CVE-2012-5108: Race condition in audio device
handling. Credit to Atte Kettunen of OUSPG.</p>
<p>[148692] Medium CVE-2012-5109: OOB read in ICU regex. Credit to
Arthur Gerkis.</p>
<p>[151449] Medium CVE-2012-5110: Out-of-bounds read in compositor.
Credit to Google Chrome Security Team (Inferno).</p>
<p>[151895] Low CVE-2012-5111: Plug-in crash monitoring was missing
for Pepper plug-ins. Credit to Google Chrome Security Team (Chris
Evans).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2900</cvename>
<cvename>CVE-2012-5108</cvename>
<cvename>CVE-2012-5109</cvename>
<cvename>CVE-2012-5110</cvename>
<cvename>CVE-2012-5111</cvename>
<url>http://googlechromereleases.blogspot.nl/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-10-08</discovery>
<entry>2012-10-08</entry>
</dates>
</vuln>
<vuln vid="dee44ba9-08ab-11e2-a044-d0df9acfd7e5">
<topic>OpenX -- SQL injection vulnerability</topic>
<affects>
<package>
<name>openx</name>
<range><lt>2.8.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/50598/">
<p>A vulnerability has been discovered in OpenX, which can be
exploited by malicious people to conduct SQL injection
attacks.</p>
<p>Input passed via the "xajaxargs" parameter to
www/admin/updates-history.php (when "xajax" is set to
"expandOSURow") is not properly sanitised in e.g. the
"queryAuditBackupTablesByUpgradeId()" function
(lib/OA/Upgrade/DB_UpgradeAuditor.php) before being used in SQL
queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.</p>
<p>The vulnerability is confirmed in version 2.8.9. Prior versions
may also be affected.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/50598/</url>
</references>
<dates>
<discovery>2012-09-14</discovery>
<entry>2012-09-27</entry>
</dates>
</vuln>
<vuln vid="5bae2ab4-0820-11e2-be5f-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>22.0.1229.79</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/search/label/Stable%20updates">
<p>[143439] High CVE-2012-2889: UXSS in frame handling. Credit to
Sergey Glazunov.</p>
<p>[143437] High CVE-2012-2886: UXSS in v8 bindings. Credit to Sergey
Glazunov.</p>
<p>[139814] High CVE-2012-2881: DOM tree corruption with plug-ins.
Credit to Chamal de Silva.</p>
<p>[135432] High CVE-2012-2876: Buffer overflow in SSE2 optimizations.
Credit to Atte Kettunen of OUSPG.</p>
<p>[140803] High CVE-2012-2883: Out-of-bounds write in Skia. Credit to
Atte Kettunen of OUSPG.</p>
<p>[143609] High CVE-2012-2887: Use-after-free in onclick handling.
Credit to Atte Kettunen of OUSPG.</p>
<p>[143656] High CVE-2012-2888: Use-after-free in SVG text references.
Credit to miaubiz.</p>
<p>[144899] High CVE-2012-2894: Crash in graphics context handling.
Credit to Slawomir Blazek.</p>
<p>[137707] Medium CVE-2012-2877: Browser crash with extensions and
modal dialogs. Credit to Nir Moshe.</p>
<p>[139168] Low CVE-2012-2879: DOM topology corruption. Credit to
pawlkt.</p>
<p>[141651] Medium CVE-2012-2884: Out-of-bounds read in Skia. Credit
to Atte Kettunen of OUSPG.</p>
<p>[132398] High CVE-2012-2874: Out-of-bounds write in Skia. Credit to
Google Chrome Security Team (Inferno).</p>
<p>[134955] [135488] [137106] [137288] [137302] [137547] [137556]
[137606] [137635] [137880] [137928] [144579] [145079] [145121]
[145163] [146462] Medium CVE-2012-2875: Various lower severity
issues in the PDF viewer. Credit to Mateusz Jurczyk of Google
Security Team, with contributions by Gynvael Coldwind of Google
Security Team.</p>
<p>[137852] High CVE-2012-2878: Use-after-free in plug-in handling.
Credit to Fermin Serna of Google Security Team.</p>
<p>[139462] Medium CVE-2012-2880: Race condition in plug-in paint
buffer. Credit to Google Chrome Security Team (Cris Neckar).</p>
<p>[140647] High CVE-2012-2882: Wild pointer in OGG container
handling. Credit to Google Chrome Security Team (Inferno).</p>
<p>[142310] Medium CVE-2012-2885: Possible double free on exit. Credit
to the Chromium development community.</p>
<p>[143798] [144072] [147402] High CVE-2012-2890: Use-after-free in
PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with
contributions by Gynvael Coldwind of Google Security Team.</p>
<p>[144051] Low CVE-2012-2891: Address leak over IPC. Credit to Lei
Zhang of the Chromium development community.</p>
<p>[144704] Low CVE-2012-2892: Pop-up block bypass. Credit to Google
Chrome Security Team (Cris Neckar).</p>
<p>[144799] High CVE-2012-2893: Double free in XSL transforms. Credit
to Google Chrome Security Team (Cris Neckar).</p>
<p>[145029] [145157] [146460] High CVE-2012-2895: Out-of-bounds writes
in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team,
with contributions by Gynvael Coldwind of Google Security Team.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2889</cvename>
<cvename>CVE-2012-2886</cvename>
<cvename>CVE-2012-2881</cvename>
<cvename>CVE-2012-2876</cvename>
<cvename>CVE-2012-2883</cvename>
<cvename>CVE-2012-2887</cvename>
<cvename>CVE-2012-2888</cvename>
<cvename>CVE-2012-2894</cvename>
<cvename>CVE-2012-2877</cvename>
<cvename>CVE-2012-2879</cvename>
<cvename>CVE-2012-2884</cvename>
<cvename>CVE-2012-2874</cvename>
<cvename>CVE-2012-2875</cvename>
<cvename>CVE-2012-2878</cvename>
<cvename>CVE-2012-2880</cvename>
<cvename>CVE-2012-2882</cvename>
<cvename>CVE-2012-2885</cvename>
<cvename>CVE-2012-2890</cvename>
<cvename>CVE-2012-2891</cvename>
<cvename>CVE-2012-2892</cvename>
<cvename>CVE-2012-2893</cvename>
<cvename>CVE-2012-2895</cvename>
<url>http://googlechromereleases.blogspot.nl/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-09-25</discovery>
<entry>2012-09-26</entry>
</dates>
</vuln>
<vuln vid="73efb1b7-07ec-11e2-a391-000c29033c32">
<topic>eperl -- Remote code execution</topic>
<affects>
<package>
<name>eperl</name>
<range><le>2.2.14_4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Madison reports:</p>
<blockquote cite="http://www.shmoo.com/mail/bugtraq/jun01/msg00286.shtml">
<p>ePerl is a multipurpose Perl filter and interpreter program
for Unix systems. The ePerl preprocessor contains an input
validation error. The preprocessor allows foreign data to be
"safely" included using the 'sinclude' directive.</p>
<p>The problem occurs when a file referenced by a 'sinclude'
directive contains a 'include' directive; the contents of
the file referred to by the second directive will be loaded
and executed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2001-0733</cvename>
<url>http://www.shmoo.com/mail/bugtraq/jun01/msg00286.shtml</url>
<bid>2912</bid>
<url>http://xforce.iss.net/xforce/xfdb/6743</url>
<url>http://osvdb.org/show/osvdb/1880</url>
</references>
<dates>
<discovery>2001-06-21</discovery>
<entry>2012-09-26</entry>
</dates>
</vuln>
<vuln vid="98690c45-0361-11e2-a391-000c29033c32">
<topic>ImageMagick and GraphicsMagick -- DoS via specially crafted PNG file</topic>
<affects>
<package>
<name>ImageMagick</name>
<name>ImageMagick-nox11</name>
<range><le>6.7.8.6</le></range>
</package>
<package>
<name>GraphicsMagick</name>
<name>GraphicsMagick-nox11</name>
<range><ge>1.3.0</ge><le>1.3.16</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kurt Seifried reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=844105">
<p>There is an issue in ImageMagick that is also present in
GraphicsMagick. CVE-2011-3026 deals with libpng memory
allocation, and limitations have been added so that a bad PNG
can't cause the system to allocate a lot of memory and a
denial of service. However on further investigation of
ImageMagick, Tom Lane found that the PNG malloc function
(Magick_png_malloc) in turn calls AcquireMagickMemory with an
improper size argument.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3438</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=844105</url>
<bid>54716</bid>
<url>http://secunia.com/advisories/50090</url>
<url>http://xforce.iss.net/xforce/xfdb/77259</url>
<url>http://osvdb.org/show/osvdb/84323</url>
</references>
<dates>
<discovery>2012-07-28</discovery>
<entry>2012-09-20</entry>
</dates>
</vuln>
<vuln vid="ec255bd8-02c6-11e2-92d1-000d601460a4">
<topic>php5-sqlite -- open_basedir bypass</topic>
<affects>
<package>
<name>php5-sqlite</name>
<range><ge>5.2</ge><lt>5.2.17_11</lt></range>
<range><ge>5.3</ge><lt>5.3.15</lt></range>
</package>
<package>
<name>php52-sqlite</name>
<range><lt>5.2.17_11</lt></range>
</package>
<package>
<name>php53-sqlite</name>
<range><lt>5.3.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE CVE team reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3365">
<p>The SQLite functionality in PHP before 5.3.15 allows remote
attackers to bypass the open_basedir protection mechanism via
unspecified vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3365</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3365</url>
</references>
<dates>
<discovery>2012-06-14</discovery>
<entry>2012-09-19</entry>
</dates>
</vuln>
<vuln vid="9b2a5e88-02b8-11e2-92d1-000d601460a4">
<topic>php5 -- Denial of Service in php_date_parse_tzfile()</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.2</ge><lt>5.2.17_11</lt></range>
<range><ge>5.3</ge><lt>5.3.9</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_11</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE CVE team reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0789">
<p>Memory leak in the timezone functionality in PHP before 5.3.9
allows remote attackers to cause a denial of service (memory
consumption) by triggering many strtotime function calls, which are
not properly handled by the php_date_parse_tzfile cache.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0789</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0789</url>
<url>https://bugs.php.net/bug.php?id=53502</url>
</references>
<dates>
<discovery>2010-12-08</discovery>
<entry>2012-09-19</entry>
</dates>
</vuln>
<vuln vid="53a0ddef-0208-11e2-8afa-0024e830109b">
<topic>dns/bind9* -- Several vulnerabilities</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.1.3</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.3.3</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.6.3</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-00788">
<p>Prevents a crash when queried for a record whose RDATA exceeds
65535 bytes.</p>
<p>Prevents a crash when validating caused by using "Bad cache" data
before it has been initialized.</p>
<p>ISC_QUEUE handling for recursive clients was updated to address
a race condition that could cause a memory leak. This rarely
occurred with UDP clients, but could be a significant problem
for a server handling a steady rate of TCP queries.</p>
<p>A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process.</p>
</blockquote>
</body>
</description>
<references>
<url>https://kb.isc.org/article/AA-00788</url>
</references>
<dates>
<discovery>2012-09-12</discovery>
<entry>2012-09-18</entry>
</dates>
</vuln>
<vuln vid="d846af5b-00f4-11e2-b6d0-00e0814cab4e">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>1.482</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory reports:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-09-17">
<p>This advisory announces security vulnerabilities that were found
in Jenkins core and several plugins.</p>
<ol>
<li>The first vulnerability in Jenkins core allows unprivileged
users to insert data into Jenkins master, which can lead to
remote code execution. For this vulnerability to be exploited,
the attacker must have HTTP access to a Jenkins master, and
he must have read access to Jenkins.</li>
<li>The second vulnerability in Jenkins core is a cross-site
scripting vulnerability. This allows an attacker to craft a URL
that points to Jenkins, and if a legitimate user clicks this link,
the attacker will be able to hijack the user session.</li>
<li>The third vulnerability is a cross-site scripting vulnerability
in the Violations plugin.</li>
<li>The fourth vulnerability is a cross-site scripting vulnerability
in The Continuous Integration Game plugin.</li>
</ol>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-09-17</url>
</references>
<dates>
<discovery>2012-09-17</discovery>
<entry>2012-09-17</entry>
</dates>
</vuln>
<vuln vid="62f36dfd-ff56-11e1-8821-001b2134ef46">
<topic>vlc -- arbitrary code execution in Real RTSP and MMS support</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>2.0.1,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jean-Baptiste Kempf, on behalf of the VideoLAN project, reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1201.html">
<p>If successful, a malicious third party could crash the VLC
media player process. Arbitrary code execution could be possible
on some systems.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.videolan.org/security/sa1201.html</url>
<url>http://www.videolan.org/security/sa1202.html</url>
<cvename>CVE-2012-1775</cvename>
<cvename>CVE-2012-1776</cvename>
</references>
<dates>
<discovery>2012-03-12</discovery>
<entry>2012-09-15</entry>
</dates>
</vuln>
<vuln vid="143f6932-fedb-11e1-ad4a-003067b2972c">
<topic>bacula -- Console ACL Bypass</topic>
<affects>
<package>
<name>bacula</name>
<range><lt>5.2.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://secunia.com/advisories/50535/">
<p>A security issue has been reported in Bacula, which can be
exploited by malicious users to bypass certain security
restrictions.</p>
<p>The security issue is caused due to an error within the implementation
of console ACLs, which can be exploited to gain access to certain
restricted functionality and e.g. dump resources.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4430</cvename>
<url>http://www.bacula.org/git/cgit.cgi/bacula/commit/?id=67debcecd3d530c429e817e1d778e79dcd1db905</url>
<url>https://secunia.com/advisories/50535/</url>
<url>http://sourceforge.net/projects/bacula/files/bacula/5.2.11/ReleaseNotes/view</url>
</references>
<dates>
<discovery>2012-09-12</discovery>
<entry>2012-09-15</entry>
</dates>
</vuln>
<vuln vid="178ba4ea-fd40-11e1-b2ae-001fd0af1a4c">
<topic>mod_pagespeed -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mod_pagespeed</name>
<range><lt>0.10.22.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google reports:</p>
<blockquote cite="https://developers.google.com/speed/docs/mod_pagespeed/announce-0.10.22.6">
<p>mod_pagespeed 0.10.22.6 is a security update that fixes two
critical issues that affect earlier versions:</p>
<ul>
<li>CVE-2012-4001, a problem with validation of own host name.</li>
<li>CVE-2012-4360, a cross-site scripting attack, which affects versions starting from 0.10.19.1.</li>
</ul>
<p>The effect of the first problem is that it is possible to confuse
mod_pagespeed about its own host name, and to trick it into
fetching resources from other machines. This could be an issue if
the HTTP server has access to machines that are not otherwise
publicly visible.</p>
<p>The second problem would permit a hostile third party to execute
JavaScript in users' browsers in context of the domain running
mod_pagespeed, which could permit interception of users' cookies or
data on the site.</p>
<p>Because of the severity of the two problems, users are strongly
encouraged to update immediately.</p>
<p>Behavior Changes in the Update:</p>
<p>As part of the fix to the first issue, mod_pagespeed will not fetch
resources from machines other than localhost if they are not
explicitly mentioned in the configuration. This means that if you
need resources on the server's domain to be handled by some other
system, you'll need to explicitly use ModPagespeedMapOriginDomain
or ModPagespeedDomain to authorize that.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4001</cvename>
<cvename>CVE-2012-4360</cvename>
<url>https://developers.google.com/speed/docs/mod_pagespeed/announce-0.10.22.6</url>
</references>
<dates>
<discovery>2012-09-12</discovery>
<entry>2012-09-12</entry>
</dates>
</vuln>
<vuln vid="3bbbe3aa-fbeb-11e1-8bd8-0022156e8794">
<topic>freeradius -- arbitrary code execution for TLS-based authentication</topic>
<affects>
<package>
<name>freeradius</name>
<range><ge>2.1.10</ge><lt>2.1.12_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>FreeRADIUS security team reports:</p>
<blockquote cite="http://freeradius.org/security.html">
<p>Overflow in EAP-TLS for 2.1.10, 2.1.11 and 2.1.12.</p>
<p>The issue was found by Timo Warns, and communicated to
security@freeradius.org. A sample exploit for the issue was
included in the notification.</p>
<p>The vulnerability was created in commit a368a6f4f4aaf on
August 18, 2010. Vulnerable versions include 2.1.10, 2.1.11,
and 2.1.12. Also anyone running the git "master" branch
after August 18, 2010 is vulnerable.</p>
<p>All sites using TLS-based EAP methods and the above
versions are vulnerable. The only configuration change which
can avoid the issue is to disable EAP-TLS, EAP-TTLS, and
PEAP.</p>
<p>An external attacker can use this vulnerability to
over-write the stack frame of the RADIUS server, and cause
it to crash. In addition, more sophisticated attacks may
gain additional privileges on the system running the RADIUS
server.</p>
<p>This attack does not require local network access to the
RADIUS server. It can be done by an attacker through a WiFi
Access Point, so long as the Access Point is configured to
use 802.1X authentication with the RADIUS server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3547</cvename>
<url>http://freeradius.org/security.html</url>
<url>http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt</url>
</references>
<dates>
<discovery>2012-09-10</discovery>
<entry>2012-09-11</entry>
<modified>2012-09-11</modified>
</dates>
</vuln>
<vuln vid="c1e5f35e-f93d-11e1-b07f-00235a5f2c9a">
<topic>emacs -- remote code execution vulnerability</topic>
<affects>
<package>
<name>emacs</name>
<range><gt>24.*</gt><lt>24.2</lt></range>
<range><gt>23.*</gt><lt>23.4_2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chong Yidong reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2012/08/13/1">
<p>Paul Ling has found a security flaw in the file-local
variables code in GNU Emacs.</p>
<p>When the Emacs user option `enable-local-variables' is
set to `:safe' (the default value is t), Emacs should
automatically refuse to evaluate `eval' forms in file-local
variable sections. Due to the bug, Emacs instead
automatically evaluates such `eval' forms. Thus, if the user
changes the value of `enable-local-variables' to `:safe',
visiting a malicious file can cause automatic execution of
arbitrary Emacs Lisp code with the permissions of the
user.</p>
<p>The bug is present in Emacs 23.2, 23.3, 23.4, and
24.1.</p>
</blockquote>
</body>
</description>
<references>
<bid>54969</bid>
<cvename>CVE-2012-3479</cvename>
<url>https://lists.gnu.org/archive/html/emacs-devel/2012-08/msg00802.html</url>
<url>http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155</url>
</references>
<dates>
<discovery>2012-08-13</discovery>
<entry>2012-09-08</entry>
<modified>2012-09-23</modified>
</dates>
</vuln>
<vuln vid="30149157-f926-11e1-95cd-001fd0af1a4c">
<topic>wordpress -- multiple unspecified privilege escalation bugs</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>WordPress reports:</p>
<blockquote cite="http://wordpress.org/news/2012/09/wordpress-3-4-2/">
<p>Version 3.4.2 also fixes a few security issues and contains some
security hardening. The vulnerabilities included potential
privilege escalation and a bug that affects multisite installs with
untrusted users. These issues were discovered and fixed by the
WordPress security team.</p>
</blockquote>
</body>
</description>
<references>
<url>http://wordpress.org/news/2012/09/wordpress-3-4-2/</url>
</references>
<dates>
<discovery>2012-09-06</discovery>
<entry>2012-09-07</entry>
</dates>
</vuln>
<vuln vid="4a8a98ab-f745-11e1-8bd8-0022156e8794">
<topic>moinmoin -- cross-site scripting via RST parser</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.9.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE CVE team reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1058">
<p>Cross-site scripting (XSS) vulnerability in the
reStructuredText (rst) parser in parser/text_rst.py in
MoinMoin before 1.9.4, when docutils is installed or when
"format rst" is set, allows remote attackers to inject
arbitrary web script or HTML via a javascript: URL in the
refuri attribute.</p>
</blockquote>
</body>
</description>
<references>
<bid>46476</bid>
<cvename>CVE-2011-1058</cvename>
<url>http://moinmo.in/SecurityFixes</url>
</references>
<dates>
<discovery>2011-02-21</discovery>
<entry>2012-09-05</entry>
</dates>
</vuln>
<vuln vid="4f99e2ef-f725-11e1-8bd8-0022156e8794">
<topic>moinmoin -- wrong processing of group membership</topic>
<affects>
<package>
<name>moinmoin</name>
<range><ge>1.9</ge><lt>1.9.4_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MoinMoin developers report:</p>
<blockquote cite="http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16">
<p>If you have group NAMES containing "All" or "Known" or
"Trusted", they behaved wrong until now (they erroneously
included All/Known/Trusted users even if you did not list
them as members), but will start working correctly with this
changeset.</p>
<p>E.g. AllFriendsGroup:</p>
<ul>
<li>JoeDoe</li>
</ul>
<p>AllFriendsGroup will now (correctly) include only JoeDoe.
It (erroneously) contained all users (including JoeDoe)
before.</p>
<p>E.g. MyTrustedFriendsGroup:</p>
<ul>
<li>JoeDoe</li>
</ul>
<p>MyTrustedFriendsGroup will now (correctly) include only
JoeDoe. It (erroneously) contained all trusted users and
JoeDoe before.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4404</cvename>
<url>http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16</url>
</references>
<dates>
<discovery>2012-09-03</discovery>
<entry>2012-09-05</entry>
<modified>2012-09-11</modified>
</dates>
</vuln>
<vuln vid="918f38cd-f71e-11e1-8bd8-0022156e8794">
<topic>php5 -- header splitting attack via carriage-return character</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.2</ge><lt>5.2.17_11</lt></range>
<range><ge>5.3</ge><lt>5.3.11</lt></range>
<range><ge>5.4</ge><lt>5.4.1</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_11</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Rui Hirokawa reports:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=60227">
<p>As of PHP 5.1.2, header() can no longer be used to send
multiple response headers in a single call, to prevent the
HTTP Response Splitting Attack. header() only checks the
linefeed (LF, 0x0A) as the line-end marker; it doesn't check the
carriage-return (CR, 0x0D).</p>
<p>However, some browsers, including Google Chrome and IE, also
recognize CR as the line-end.</p>
<p>The current specification of header() still has the
vulnerability against the HTTP header splitting attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1398</cvename>
<url>https://bugs.php.net/bug.php?id=60227</url>
</references>
<dates>
<discovery>2011-11-06</discovery>
<entry>2012-09-05</entry>
<modified>2012-09-19</modified>
</dates>
</vuln>
<vuln vid="b50913ce-f4a7-11e1-b135-003067b2972c">
<topic>bitcoin -- denial of service</topic>
<affects>
<package>
<name>bitcoin</name>
<range><lt>0.6.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://bitcointalk.org/?topic=88734">
<p>An unspecified denial-of-service attack that could cause the
bitcoin process to become unresponsive was found.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3789</cvename>
<url>https://bitcointalk.org/?topic=88734</url>
</references>
<dates>
<discovery>2012-07-20</discovery>
<entry>2012-09-02</entry>
</dates>
</vuln>
<vuln vid="6ad18fe5-f469-11e1-920d-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>3.6.0</ge><lt>3.6.11</lt></range>
<range><ge>4.0.0</ge><lt>4.0.8</lt></range>
<range><ge>4.2.0</ge><lt>4.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.6.10/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<h1>LDAP Injection</h1>
<p>When the user logs in using LDAP, the username is not
escaped when building the uid=$username filter which is
used to query the LDAP directory. This could potentially
lead to LDAP injection.</p>
<h1>Directory Browsing</h1>
<p>Extensions are not protected against directory browsing
and users can access the source code of the templates
which may contain sensitive data.
Directory browsing is blocked in Bugzilla 4.3.3 only,
because it requires a configuration change in the Apache
httpd.conf file to allow local .htaccess files to use
Options -Indexes. To not break existing installations,
this fix has not been backported to stable branches.
The access to templates is blocked for all supported
branches except the old 3.6 branch, because this branch
doesn't have .htaccess in the bzr repository and cannot
be fixed easily for existing installations without
potentially conflicting with custom changes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3981</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=785470</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=785522</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=785511</url>
</references>
<dates>
<discovery>2012-08-30</discovery>
<entry>2012-09-01</entry>
</dates>
</vuln>
<vuln vid="342176a8-f464-11e1-8bd8-0022156e8794">
<topic>GNU gatekeeper -- denial of service</topic>
<affects>
<package>
<name>gatekeeper</name>
<range><lt>3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jan Willamowius reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3534">
<p>GNU Gatekeeper before 3.1 does not limit the number
of connections to the status port, which allows remote
attackers to cause a denial of service (connection and
thread consumption) via a large number of connections.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3534</cvename>
<url>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3534</url>
<url>http://www.openwall.com/lists/oss-security/2012/08/25/4</url>
<url>http://www.gnugk.org/gnugk-3.1.html</url>
</references>
<dates>
<discovery>2012-08-15</discovery>
<entry>2012-09-01</entry>
</dates>
</vuln>
<vuln vid="7c0fecd6-f42f-11e1-b17b-000c2977ec30">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><ge>1.19</ge><lt>1.19.2</lt></range>
<range><ge>1.18</ge><lt>1.18.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MediaWiki reports:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.html">
<p>(Bug 39700) Wikipedia administrator Writ Keeper discovered
a stored XSS (HTML injection) vulnerability. This was
possible due to the handling of link text on File: links for
nonexistent files. MediaWiki 1.16 and later is affected.</p>
<p>(Bug 39180) User Fomafix reported several DOM-based XSS
vulnerabilities, made possible by a combination of loose
filtering of the uselang parameter, and JavaScript gadgets
on various language Wikipedias.</p>
<p>(Bug 39180) During internal review, it was discovered that
CSRF tokens, available via the api, were not protected with
X-Frame-Options headers. This could lead to a CSRF vulnerability
if the API response is embedded in an external website using
an iframe.</p>
<p>(Bug 39824) During internal review, it was discovered extensions
were not always allowed to prevent the account creation action.
This allowed users blocked by the GlobalBlocking extension to
create accounts.</p>
<p>(Bug 39184) During internal review, it was discovered that
password data was always saved to the local MediaWiki database
even if authentication was handled by an extension, such as LDAP.
This could allow a compromised MediaWiki installation to leak
information about users' LDAP passwords. Additionally, in situations
when an authentication plugin returned false in its strict
function, this would allow old passwords to be used for accounts
that did not exist in the external system, indefinitely.</p>
<p>(Bug 39823) During internal review, it was discovered that metadata
about blocks, hidden by a user with suppression rights, was visible
to administrators.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39700</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=37587</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39180</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39824</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39184</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39823</url>
<cvename>CVE-2012-4377</cvename>
<cvename>CVE-2012-4378</cvename>
<cvename>CVE-2012-4379</cvename>
<cvename>CVE-2012-4380</cvename>
<cvename>CVE-2012-4381</cvename>
<cvename>CVE-2012-4382</cvename>
</references>
<dates>
<discovery>2012-08-27</discovery>
<entry>2012-09-01</entry>
</dates>
</vuln>
<vuln vid="5415f1b3-f33d-11e1-8bd8-0022156e8794">
<topic>wireshark -- denial of service in DRDA dissector</topic>
<affects>
<package>
<name>wireshark</name>
<range><ge>1.5</ge><lt>1.8.2_1</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><ge>1.5</ge><lt>1.8.2_1</lt></range>
</package>
<package>
<name>tshark</name>
<range><ge>1.5</ge><lt>1.8.2_1</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><ge>1.5</ge><lt>1.8.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Red Hat security team reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=849926">
<p>A denial of service flaw was found in the way the Distributed
Relational Database Architecture (DRDA) dissector of
Wireshark, a network traffic analyzer, performed processing
of certain DRDA packet capture files. A remote attacker
could create a specially-crafted capture file that, when
opened, could lead the wireshark executable to consume an
excessive amount of CPU time and hang in an infinite
loop.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3548</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=849926</url>
</references>
<dates>
<discovery>2012-08-21</discovery>
<entry>2012-08-31</entry>
<modified>2012-09-05</modified>
</dates>
</vuln>
<vuln vid="ee68923d-f2f5-11e1-8014-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>21.0.1180.89</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/search/label/Stable%20updates">
<p>[121347] Medium CVE-2012-2865: Out-of-bounds read in line breaking.
Credit to miaubiz.</p>
<p>[134897] High CVE-2012-2866: Bad cast with run-ins. Credit to
miaubiz.</p>
<p>[135485] Low CVE-2012-2867: Browser crash with SPDY.</p>
<p>[136881] Medium CVE-2012-2868: Race condition with workers and XHR.
Credit to miaubiz.</p>
<p>[137778] High CVE-2012-2869: Avoid stale buffer in URL loading.
Credit to Fermin Serna of the Google Security Team.</p>
<p>[138672] [140368] Low CVE-2012-2870: Lower severity memory
management issues in XPath. Credit to Nicolas Gregoire.</p>
<p>[138673] High CVE-2012-2871: Bad cast in XSL transforms. Credit to
Nicolas Gregoire.</p>
<p>[142956] Medium CVE-2012-2872: XSS in SSL interstitial. Credit to
Emmanuel Bronshtein.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2865</cvename>
<cvename>CVE-2012-2866</cvename>
<cvename>CVE-2012-2867</cvename>
<cvename>CVE-2012-2868</cvename>
<cvename>CVE-2012-2869</cvename>
<cvename>CVE-2012-2870</cvename>
<cvename>CVE-2012-2871</cvename>
<cvename>CVE-2012-2872</cvename>
<url>http://googlechromereleases.blogspot.nl/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-08-30</discovery>
<entry>2012-08-30</entry>
</dates>
</vuln>
<vuln vid="4c53f007-f2ed-11e1-a215-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk</name>
<range><gt>10.*</gt><lt>10.7.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.15.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Asterisk Manager User Unauthorized Shell Access</p>
<p>ACL rules ignored when placing outbound calls by certain IAX2
users</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2186</cvename>
<cvename>CVE-2012-4737</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-012.html</url>
<url>http://downloads.digium.com/pub/security/AST-2012-013.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2012-08-30</discovery>
<entry>2012-08-30</entry>
</dates>
</vuln>
<vuln vid="2b8cad90-f289-11e1-a215-14dae9ebcf89">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>15.0,1</lt></range>
<range><lt>10.0.7,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.7,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.12</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.7</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.12</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>15.0</lt></range>
<range><lt>10.0.7</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/
rv:10.0.7)</p>
<p>MFSA 2012-58 Use-after-free issues found using Address
Sanitizer</p>
<p>MFSA 2012-59 Location object can be shadowed using
Object.defineProperty</p>
<p>MFSA 2012-60 Escalation of privilege through about:newtab</p>
<p>MFSA 2012-61 Memory corruption with bitmap format images with
negative height</p>
<p>MFSA 2012-62 WebGL use-after-free and memory corruption</p>
<p>MFSA 2012-63 SVG buffer overflow and use-after-free issues</p>
<p>MFSA 2012-64 Graphite 2 memory corruption</p>
<p>MFSA 2012-65 Out-of-bounds read in format-number in XSLT</p>
<p>MFSA 2012-66 HTTPMonitor extension allows for remote debugging
without explicit activation</p>
<p>MFSA 2012-67 Installer will launch incorrect executable following
new installation</p>
<p>MFSA 2012-68 DOMParser loads linked resources in extensions when
parsing text/html</p>
<p>MFSA 2012-69 Incorrect site SSL certificate data display</p>
<p>MFSA 2012-70 Location object security checks bypassed by chrome
code</p>
<p>MFSA 2012-71 Insecure use of __android_log_print</p>
<p>MFSA 2012-72 Web console eval capable of executing
chrome-privileged code</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1956</cvename>
<cvename>CVE-2012-1970</cvename>
<cvename>CVE-2012-1971</cvename>
<cvename>CVE-2012-1972</cvename>
<cvename>CVE-2012-1973</cvename>
<cvename>CVE-2012-1974</cvename>
<cvename>CVE-2012-1975</cvename>
<cvename>CVE-2012-1976</cvename>
<cvename>CVE-2012-3956</cvename>
<cvename>CVE-2012-3957</cvename>
<cvename>CVE-2012-3958</cvename>
<cvename>CVE-2012-3959</cvename>
<cvename>CVE-2012-3960</cvename>
<cvename>CVE-2012-3961</cvename>
<cvename>CVE-2012-3962</cvename>
<cvename>CVE-2012-3963</cvename>
<cvename>CVE-2012-3964</cvename>
<cvename>CVE-2012-3965</cvename>
<cvename>CVE-2012-3966</cvename>
<cvename>CVE-2012-3967</cvename>
<cvename>CVE-2012-3968</cvename>
<cvename>CVE-2012-3969</cvename>
<cvename>CVE-2012-3970</cvename>
<cvename>CVE-2012-3971</cvename>
<cvename>CVE-2012-3972</cvename>
<cvename>CVE-2012-3973</cvename>
<cvename>CVE-2012-3974</cvename>
<cvename>CVE-2012-3975</cvename>
<cvename>CVE-2012-3976</cvename>
<cvename>CVE-2012-3978</cvename>
<cvename>CVE-2012-3979</cvename>
<cvename>CVE-2012-3980</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-57.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-58.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-59.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-60.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-61.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-62.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-63.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-64.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-65.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-66.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-67.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-68.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-69.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-70.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-71.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-72.html</url>
</references>
<dates>
<discovery>2012-08-28</discovery>
<entry>2012-08-30</entry>
</dates>
</vuln>
<vuln vid="6dd5e45c-f084-11e1-8d0f-406186f3d89d">
<topic>coppermine -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>coppermine</name>
<range><lt>1.5.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Coppermine Team reports:</p>
<blockquote cite="http://forum.coppermine-gallery.net/index.php/topic,74682.0.html">
<p>The release covers several path disclosure vulnerabilities. If
unpatched, it's possible to generate an error that will reveal the
full path of the script. A remote user can determine the full path
to the web root directory and other potentially sensitive
information. Furthermore, the release covers a recently discovered
XSS vulnerability that allows (if unpatched) a malevolent visitor to
include their own script routines under certain conditions.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1613</cvename>
<cvename>CVE-2012-1614</cvename>
<mlist>http://seclists.org/oss-sec/2012/q2/11</mlist>
<url>http://forum.coppermine-gallery.net/index.php/topic,74682.0.html</url>
</references>
<dates>
<discovery>2012-03-29</discovery>
<entry>2012-08-30</entry>
</dates>
</vuln>
<vuln vid="16846d1e-f1de-11e1-8bd8-0022156e8794">
<topic>Java 1.7 -- security manager bypass</topic>
<affects>
<package>
<name>openjdk</name>
<range><ge>7.0</ge><lt>7.6.24_1</lt></range>
</package>
<package>
<name>linux-sun-jdk</name>
<range><ge>7.0</ge><lt>7.7</lt></range>
</package>
<package>
<name>linux-sun-jre</name>
<range><ge>7.0</ge><lt>7.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/636312">
<p>Oracle Java Runtime Environment (JRE) 1.7 contains a
vulnerability that may allow an applet to call
setSecurityManager in a way that allows setting of arbitrary
permissions.</p>
<p>By leveraging the public, privileged getField() function,
an untrusted Java applet can escalate its privileges by
calling the setSecurityManager() function to allow full
privileges, without requiring code signing.</p>
<p>This vulnerability is being actively exploited in the
wild, and exploit code is publicly available.</p>
</blockquote>
<p>This exploit does not only affect Java applets: every
piece of software that relies on the Java Security Manager for
sandboxing executable code is affected, since malicious code can
completely disable the Security Manager.</p>
</body>
</description>
<references>
<cvename>CVE-2012-4681</cvename>
<certvu>636312</certvu>
<url>http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html</url>
<url>http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html</url>
<url>http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html</url>
</references>
<dates>
<discovery>2012-08-27</discovery>
<entry>2012-08-30</entry>
<modified>2012-08-31</modified>
</dates>
</vuln>
<vuln vid="18ce9a90-f269-11e1-be53-080027ef73ec">
<topic>fetchmail -- chosen plaintext attack against SSL CBC initialization vectors</topic>
<affects>
<package>
<name>fetchmail</name>
<range><ge>6.3.9</ge><lt>6.3.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2012-01.txt">
<p>Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL)
which contains a switch to disable a countermeasure against certain
attacks against block ciphers that permit guessing the
initialization vectors, providing that an attacker can make the
application (fetchmail) encrypt some data for him -- which is not
easily the case.</p>
<p>Stream ciphers (such as RC4) are unaffected.</p>
<p>Credits to Apple Product Security for reporting this.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3389</cvename>
</references>
<dates>
<discovery>2012-01-19</discovery>
<entry>2012-08-30</entry>
</dates>
</vuln>
<vuln vid="c906e0a4-efa6-11e1-8fbf-001b77d09812">
<topic>roundcube -- cross-site scripting in HTML email messages</topic>
<affects>
<package>
<name>roundcube</name>
<range><ge>0.8.0,1</ge><lt>0.8.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>RoundCube branch 0.8.x prior to version 0.8.1 is prone
to a cross-site scripting (XSS) attack originating from incoming
HTML e-mails: due to the lack of proper sanitization
of JavaScript code inside the "href" attribute, a sender
could launch an XSS attack when the recipient opens the message
in the RoundCube interface.</p>
</body>
</description>
<references>
<cvename>CVE-2012-3508</cvename>
<url>http://trac.roundcube.net/wiki/Changelog</url>
<url>http://trac.roundcube.net/ticket/1488613</url>
</references>
<dates>
<discovery>2012-08-14</discovery>
<entry>2012-08-27</entry>
</dates>
</vuln>
<vuln vid="aa4d3d73-ef17-11e1-b593-00269ef07d24">
<topic>Calligra, KOffice -- input validation failure</topic>
<affects>
<package>
<name>koffice</name>
<range><le>1.6.3_18,2</le></range>
</package>
<package>
<name>koffice-kde4</name>
<range><le>2.3.3_7</le></range>
</package>
<package>
<name>calligra</name>
<range><lt>2.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>KDE Security Advisory reports:</p>
<blockquote cite="http://www.kde.org/info/security/advisory-20120810-1.txt">
<p>A flaw has been found which can allow malicious code to take
advantage of an input validation failure in the Microsoft import
filter in Calligra and KOffice. Exploitation can allow the attacker
to gain control of the running process and execute code on its
behalf.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3455</cvename>
<cvename>CVE-2012-3456</cvename>
<url>http://www.kde.org/info/security/advisory-20120810-1.txt</url>
<url>http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf</url>
</references>
<dates>
<discovery>2012-08-10</discovery>
<entry>2012-08-26</entry>
</dates>
</vuln>
<vuln vid="ce680f0a-eea6-11e1-8bd8-0022156e8794">
<topic>squidclamav -- cross-site scripting in default virus warning pages</topic>
<affects>
<package>
<name>squidclamav</name>
<range><lt>5.8</lt></range>
<range><ge>6.0</ge><lt>6.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SquidClamav developers report:</p>
<blockquote cite="http://squidclamav.darold.net/news.html">
<p>This release fixes several security issues by escaping CGI
parameters.</p>
</blockquote>
<p>Prior to versions 6.7 and 5.8, the CGI script clwarn.cgi did not
properly sanitize input variables, so they could be used to
inject arbitrary strings into the generated page, leading
to cross-site scripting attacks.</p>
</body>
</description>
<references>
<cvename>CVE-2012-4667</cvename>
<url>http://squidclamav.darold.net/news.html</url>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-08-25</entry>
</dates>
</vuln>
<vuln vid="8defa0f9-ee8a-11e1-8bd8-0022156e8794">
<topic>squidclamav -- Denial of Service</topic>
<affects>
<package>
<name>squidclamav</name>
<range><lt>5.7_1</lt></range>
<range><ge>6.0</ge><lt>6.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SquidClamav developers report:</p>
<blockquote cite="http://squidclamav.darold.net/news.html">
<p>Add a workaround for a squidGuard bug that unescapes
the URL and sends it back unescaped. This results in garbage
staying in the pipe of the system command call and could crash
squidclamav on the next read or return false information.
This is especially true with URLs containing the %0D or %0A
character.</p>
</blockquote>
<p>This vulnerability can be triggered only in configurations
where an external chained URL checker is configured via the
"squidguard" directive.</p>
</body>
</description>
<references>
<cvename>CVE-2012-3501</cvename>
<url>http://squidclamav.darold.net/news.html</url>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-08-25</entry>
<modified>2012-09-04</modified>
</dates>
</vuln>
<vuln vid="a7975581-ee26-11e1-8bd8-0022156e8794">
<topic>inn -- plaintext command injection into encrypted channel</topic>
<affects>
<package>
<name>inn</name>
<range><lt>2.5.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>INN developers report:</p>
<blockquote cite="https://www.isc.org/software/inn/2.5.3article">
<p>Fixed a possible plaintext command injection during the
negotiation of a TLS layer. The vulnerability detailed
in CVE-2011-0411 affects the STARTTLS and AUTHINFO SASL
commands. nnrpd now resets its read buffer upon
a successful negotiation of a TLS layer. It prevents
malicious commands, sent unencrypted, from being executed
in the new encrypted state of the session.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3523</cvename>
<cvename>CVE-2011-0411</cvename>
<url>https://www.isc.org/software/inn/2.5.3article</url>
</references>
<dates>
<discovery>2012-08-14</discovery>
<entry>2012-08-25</entry>
</dates>
</vuln>
<vuln vid="4d1d2f6d-ec94-11e1-8bd8-0022156e8794">
<topic>jabberd -- domain spoofing in server dialback protocol</topic>
<affects>
<package>
<name>jabberd</name>
<range><lt>2.2.16_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>XMPP Standards Foundation reports:</p>
<blockquote cite="http://xmpp.org/resources/security-notices/server-dialback/">
<p>Some implementations of the XMPP Server Dialback protocol
(RFC 3920/XEP-0220) have not been checking dialback
responses to ensure that validated results are correlated
with requests.</p>
<p>An attacking server could spoof one or more domains in
communicating with a vulnerable server implementation,
thereby avoiding the protections built into the Server
Dialback protocol.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3525</cvename>
<url>http://xmpp.org/resources/security-notices/server-dialback/</url>
</references>
<dates>
<discovery>2012-08-21</discovery>
<entry>2012-08-23</entry>
</dates>
</vuln>
<vuln vid="a4598875-ec91-11e1-8bd8-0022156e8794">
<topic>rssh -- configuration restrictions bypass</topic>
<affects>
<package>
<name>rssh</name>
<range><lt>2.3.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Derek Martin (rssh maintainer) reports:</p>
<blockquote cite="http://www.pizzashack.org/rssh/security.shtml">
<p>John Barber reported a problem where, if the system
administrator misconfigures rssh by providing too few access
bits in the configuration file, the user will be given
default permissions (scp) to the entire system, potentially
circumventing any configured chroot. Fixing this required a
behavior change: in the past, using rssh without a config
file would give all users default access to use scp on an
unchrooted system. In order to correct the reported bug,
this feature has been eliminated, and you must now have a
valid configuration file. If no config file exists, all
users will be locked out.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.pizzashack.org/rssh/security.shtml</url>
</references>
<dates>
<discovery>2010-08-01</discovery>
<entry>2012-08-22</entry>
</dates>
</vuln>
<vuln vid="65b25acc-e63b-11e1-b81c-001b77d09812">
<topic>rssh -- arbitrary command execution</topic>
<affects>
<package>
<name>rssh</name>
<range><lt>2.3.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Derek Martin (rssh maintainer) reports:</p>
<blockquote cite="http://sourceforge.net/mailarchive/message.php?msg_id=29235647">
<p>Henrik Erkkonen has discovered that, through clever
manipulation of environment variables on the ssh command
line, it is possible to circumvent rssh. As far as I can
tell, there is no way to effect a root compromise, except of
course if the root account is the one you're attempting to
protect with rssh...</p>
</blockquote>
</body>
</description>
<references>
<bid>53430</bid>
<cvename>CVE-2012-3478</cvename>
<url>http://sourceforge.net/mailarchive/message.php?msg_id=29235647</url>
</references>
<dates>
<discovery>2012-05-08</discovery>
<entry>2012-08-22</entry>
</dates>
</vuln>
<vuln vid="c651c898-e90d-11e1-b230-0024e830109b">
<topic>libotr -- buffer overflows</topic>
<affects>
<package>
<name>libotr</name>
<range><lt>3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTR developers report:</p>
<blockquote cite="http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001347.html">
<p>The otrl_base64_otr_decode() function and similar functions within OTR
suffer from buffer overflows in the case of malformed input;
specifically if a message of the format of "?OTR:===." is received
then a zero-byte allocation is performed without a similar correlation
between the subsequent base64 decoding write, as such it becomes
possible to write between zero and three bytes incorrectly to the
heap, albeit only with a value of '='.</p>
<p>Because this code path is highly utilized, specifically in the
reception of instant messages over pidgin or similar, this
vulnerability is considered severe even though in many platforms and
circumstances the bug would yield an unexploitable state and result
simply in denial of service.</p>
<p>The developers of OTR promptly fixed the errors and users of OTR are
advised to upgrade the software at the next release cycle.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3461</cvename>
<url>http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001347.html</url>
</references>
<dates>
<discovery>2012-07-27</discovery>
<entry>2012-08-18</entry>
</dates>
</vuln>
<vuln vid="0f62be39-e8e0-11e1-bea0-002354ed89bc">
<topic>OpenTTD -- Denial of Service</topic>
<affects>
<package>
<name>openttd</name>
<range><le>1.2.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenTTD reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2012-3436">
<p>Denial of service (server) using ships on half tiles and
landscaping.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3436</cvename>
<url>http://security.openttd.org/en/CVE-2012-3436</url>
</references>
<dates>
<discovery>2012-07-25</discovery>
<entry>2012-08-18</entry>
</dates>
</vuln>
<vuln vid="4cdfe875-e8d6-11e1-bea0-002354ed89bc">
<topic>Wireshark -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<range><lt>1.8.2</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><lt>1.8.2</lt></range>
</package>
<package>
<name>tshark</name>
<range><lt>1.8.2</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><lt>1.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark reports:</p>
<blockquote cite="http://www.wireshark.org/docs/relnotes/wireshark-1.8.2.html">
<p>It may be possible to make Wireshark crash by injecting a
malformed packet onto the wire or by convincing someone to read a
malformed packet trace file.</p>
<p>It may be possible to make Wireshark consume excessive CPU
resources by injecting a malformed packet onto the wire or by
convincing someone to read a malformed packet trace file.</p>
<p>The PPP dissector could crash.</p>
<p>The NFS dissector could use excessive amounts of CPU.</p>
<p>The DCP ETSI dissector could trigger a zero division.</p>
<p>The MongoDB dissector could go into a large loop.</p>
<p>The XTP dissector could go into an infinite loop.</p>
<p>The ERF dissector could overflow a buffer.</p>
<p>The AFP dissector could go into a large loop.</p>
<p>The RTPS2 dissector could overflow a buffer.</p>
<p>The GSM RLC MAC dissector could overflow a buffer.</p>
<p>The CIP dissector could exhaust system memory.</p>
<p>The STUN dissector could crash.</p>
<p>The EtherCAT Mailbox dissector could abort.</p>
<p>The CTDB dissector could go into a large loop.</p>
<p>The pcap-ng file parser could trigger a zero division.</p>
<p>The Ixia IxVeriWave file parser could overflow a buffer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4048</cvename>
<cvename>CVE-2012-4049</cvename>
<cvename>CVE-2012-4285</cvename>
<cvename>CVE-2012-4286</cvename>
<cvename>CVE-2012-4287</cvename>
<cvename>CVE-2012-4288</cvename>
<cvename>CVE-2012-4289</cvename>
<cvename>CVE-2012-4290</cvename>
<cvename>CVE-2012-4291</cvename>
<cvename>CVE-2012-4292</cvename>
<cvename>CVE-2012-4293</cvename>
<cvename>CVE-2012-4294</cvename>
<cvename>CVE-2012-4295</cvename>
<cvename>CVE-2012-4296</cvename>
<cvename>CVE-2012-4297</cvename>
<cvename>CVE-2012-4298</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2012-11.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-12.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-13.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-14.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-15.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-16.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-17.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-18.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-19.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-20.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-21.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-22.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-23.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-24.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-25.html</url>
</references>
<dates>
<discovery>2012-07-22</discovery>
<entry>2012-08-18</entry>
</dates>
</vuln>
<vuln vid="07234e78-e899-11e1-b38d-0023ae8e59f0">
<topic>databases/postgresql*-server -- multiple vulnerabilities</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><gt>8.3.*</gt><lt>8.3.20</lt></range>
<range><gt>8.4.*</gt><lt>8.4.13</lt></range>
<range><gt>9.0.*</gt><lt>9.0.9</lt></range>
<range><gt>9.1.*</gt><lt>9.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL Global Development Group reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1407/">
<p>The PostgreSQL Global Development Group today released
security updates for all active branches of the PostgreSQL
database system, including versions 9.1.5, 9.0.9, 8.4.13 and
8.3.20. This update patches security holes associated with
libxml2 and libxslt, similar to those affecting other open
source projects. All users are urged to update their
installations at the first available opportunity.</p>
<p>Users who are relying on the built-in XML functionality to
validate external DTDs will need to implement a workaround, as
this security patch disables that functionality. Users who are
using xslt_process() to fetch documents or stylesheets from
external URLs will no longer be able to do so. The PostgreSQL
project regrets the need to disable both of these features in
order to maintain our security standards. These security issues
with XML are substantially similar to issues patched recently
by the Webkit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5
(CVE-2012-0057) projects.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3488</cvename>
<cvename>CVE-2012-3489</cvename>
<url>http://www.postgresql.org/about/news/1407/</url>
</references>
<dates>
<discovery>2012-08-17</discovery>
<entry>2012-08-17</entry>
</dates>
</vuln>
<vuln vid="db1d3340-e83b-11e1-999b-e0cb4e266481">
<topic>phpMyAdmin -- Multiple XSS in Table operations, Database structure, Trigger and Visualize GIS data pages</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.5.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-4.php">
<p>Using a crafted table name, it was possible to produce an
XSS:</p>
<ul>
<li>On the Database Structure page, creating a new table with a
crafted name</li>
<li>On the Database Structure page, using the Empty and Drop
links of the crafted table name</li>
<li>On the Table Operations page of a crafted table, using the
'Empty the table (TRUNCATE)' and 'Delete the table (DROP)'
links</li>
<li>On the Triggers page of a database containing tables with a
crafted name, when opening the 'Add Trigger' popup</li>
<li>When creating a trigger for a table with a crafted name, with
an invalid definition</li>
</ul>
<p>Having crafted data in a database table, it was possible to
produce an XSS:</p>
<ul>
<li>When visualizing GIS data, having a crafted label name</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4345</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-4.php</url>
</references>
<dates>
<discovery>2012-08-12</discovery>
<entry>2012-08-17</entry>
</dates>
</vuln>
<vuln vid="48bcb4b2-e708-11e1-a59d-000d601460a4">
<topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.5.0</ge><lt>4.5.19</lt></range>
<range><ge>4.6.0</ge><lt>4.6.12</lt></range>
<range><ge>4.7.0</ge><lt>4.7.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TYPO3 Security Team reports:</p>
<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/">
<p>It has been discovered that TYPO3 Core is vulnerable to Cross-Site
Scripting, Information Disclosure, Insecure Unserialize leading to
Arbitrary Code Execution.</p>
<p>TYPO3 Backend Help System - Due to a missing signature (HMAC) for a
parameter in the view_help.php file, an attacker could unserialize
arbitrary objects within TYPO3. We are aware of a working exploit,
which can lead to arbitrary code execution. A valid backend user
login or multiple successful cross site request forgery attacks are
required to exploit this vulnerability.</p>
<p>TYPO3 Backend - Failing to properly HTML-encode user input in
several places, the TYPO3 backend is susceptible to Cross-Site
Scripting. A valid backend user is required to exploit these
vulnerabilities.</p>
<p>TYPO3 Backend - Accessing the configuration module discloses the
Encryption Key. A valid backend user with access to the
configuration module is required to exploit this vulnerability.</p>
<p>TYPO3 HTML Sanitizing API - By not removing several HTML5
JavaScript events, the API method t3lib_div::RemoveXSS() fails to
filter specially crafted HTML injections, thus is susceptible to
Cross-Site Scripting. Failing to properly encode for JavaScript, the
API method t3lib_div::quoteJSvalue() is susceptible to Cross-Site
Scripting.</p>
<p>TYPO3 Install Tool - Failing to properly sanitize user input, the
Install Tool is susceptible to Cross-Site Scripting.</p>
</blockquote>
</body>
</description>
<references>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/</url>
</references>
<dates>
<discovery>2012-08-15</discovery>
<entry>2012-08-15</entry>
</dates>
</vuln>
<vuln vid="83f9e943-e664-11e1-a66d-080027ef73ec">
<topic>fetchmail -- two vulnerabilities in NTLM authentication</topic>
<affects>
<package>
<name>fetchmail</name>
<range><ge>5.0.8</ge><lt>6.3.21_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2012-02.txt">
<p>With NTLM support enabled, fetchmail might mistake a server-side
error message during NTLM protocol exchange for protocol data,
leading to a SIGSEGV.</p>
<p>Also, with a carefully crafted NTLM challenge, a malicious server
might cause fetchmail to read from a bad memory location, betraying
confidential data. It is deemed hard, although not impossible, to
steal other accounts' data.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3482</cvename>
</references>
<dates>
<discovery>2012-08-12</discovery>
<entry>2012-08-14</entry>
<modified>2012-08-27</modified>
</dates>
</vuln>
<vuln vid="55b498e2-e56c-11e1-bbd5-001c25e46b1d">
<topic>Several vulnerabilities found in IcedTea-Web</topic>
<affects>
<package>
<name>icedtea-web</name>
<range><lt>1.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The IcedTea project team reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=840592">
<p>CVE-2012-3422: Use of uninitialized instance pointers</p>
<p>An uninitialized pointer use flaw was found in IcedTea-Web web
browser plugin. A malicious web page could use this flaw to make the
IcedTea-Web browser plugin pass an invalid pointer to a web browser.
Depending on the browser used, it may cause the browser to crash
or possibly execute arbitrary code.</p>
<p>The get_cookie_info() and get_proxy_info() functions call
getFirstInTableInstance() with the instance_to_id_map hash as
a parameter. If instance_to_id_map is empty (which can happen
when the plugin was recently removed), getFirstInTableInstance()
returns an uninitialized pointer.</p>
</blockquote>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=841345">
<p>CVE-2012-3423: Incorrect handling of non 0-terminated strings</p>
<p>It was discovered that the IcedTea-Web web browser plugin
incorrectly assumed that all strings provided by the browser are NUL
terminated, which is not guaranteed by the NPAPI (Netscape Plugin
Application Programming Interface). When used in a browser that
does not NUL terminate NPVariant NPStrings, this could lead to
buffer over-read or over-write, resulting in possible information
leak, crash, or code execution.</p>
<p>Mozilla browsers currently NUL terminate strings, however recent
Chrome versions are known not to provide NUL terminated data.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3422</cvename>
<cvename>CVE-2012-3423</cvename>
<mlist>http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-July/019580.html</mlist>
</references>
<dates>
<discovery>2012-07-31</discovery>
<entry>2012-08-13</entry>
</dates>
</vuln>
<vuln vid="a14dee30-e3d7-11e1-a084-50e5492bd3dc">
<topic>libcloud -- possible SSL MITM due to invalid regexp used to validate target server hostname</topic>
<affects>
<package>
<name>py-libcloud</name>
<range><lt>0.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The libcloud development team reports:</p>
<blockquote cite="http://libcloud.apache.org/security.html">
<p>When establishing a secure (SSL / TLS) connection to a target server, an invalid regular
expression has been used for performing the hostname verification. A subset instead of the
full target server hostname has been marked as an acceptable match for the given hostname.
For example, a certificate with a hostname field of "aexample.com" was considered a valid
certificate for domain "example.com".</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3446</cvename>
<url>http://seclists.org/fulldisclosure/2012/Aug/55</url>
</references>
<dates>
<discovery>2012-08-01</discovery>
<entry>2012-08-11</entry>
</dates>
</vuln>
<vuln vid="aca0d7e0-e38a-11e1-999b-e0cb4e266481">
<topic>phpMyAdmin -- Path disclosure due to missing library</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.5.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-3.php">
<p>The show_config_errors.php script does not include a
library, so an error message shows the full path of this
file, leading to possible further attacks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4219</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-3.php</url>
</references>
<dates>
<discovery>2012-08-03</discovery>
<entry>2012-08-11</entry>
</dates>
</vuln>
<vuln vid="60bbe12c-e2c1-11e1-a8ca-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>21.0.1180.75</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/search/label/Stable%20updates">
<p>[136643] [137721] [137957] High CVE-2012-2862: Use-after-free in
PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with
contributions by Gynvael Coldwind of Google Security Team.</p>
<p>[136968] [137361] High CVE-2012-2863: Out-of-bounds writes in PDF
viewer. Credit to Mateusz Jurczyk of Google Security Team, with
contributions by Gynvael Coldwind of Google Security Team.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2862</cvename>
<cvename>CVE-2012-2863</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-08-08</discovery>
<entry>2012-08-10</entry>
</dates>
</vuln>
<vuln vid="ce84e136-e2f6-11e1-a8ca-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>21.0.1180.60</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/search/label/Stable%20updates">
<p>[Linux only] [125225] Medium CVE-2012-2846: Cross-process
interference in renderers. Credit to Google Chrome Security Team
(Julien Tinnes).</p>
<p>[127522] Low CVE-2012-2847: Missing re-prompt to user upon
excessive downloads. Credit to Matt Austin of Aspect Security.</p>
<p>[127525] Medium CVE-2012-2848: Overly broad file access granted
after drag+drop. Credit to Matt Austin of Aspect Security.</p>
<p>[128163] Low CVE-2012-2849: Off-by-one read in GIF decoder. Credit
to Atte Kettunen of OUSPG.</p>
<p>[130251] [130592] [130611] [131068] [131237] [131252] [131621]
[131690] [132860] Medium CVE-2012-2850: Various lower severity
issues in the PDF viewer. Credit to Mateusz Jurczyk of Google
Security Team, with contributions by Gynvael Coldwind of Google
Security Team.</p>
<p>[132585] [132694] [132861] High CVE-2012-2851: Integer overflows in
PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with
contributions by Gynvael Coldwind of Google Security Team.</p>
<p>[134028] High CVE-2012-2852: Use-after-free with bad object linkage
in PDF. Credit to Alexey Samsonov of Google.</p>
<p>[134101] Medium CVE-2012-2853: webRequest can interfere with the
Chrome Web Store. Credit to Trev of Adblock.</p>
<p>[134519] Low CVE-2012-2854: Leak of pointer values to WebUI
renderers. Credit to Nasko Oskov of the Chromium development
community.</p>
<p>[134888] High CVE-2012-2855: Use-after-free in PDF viewer. Credit
to Mateusz Jurczyk of Google Security Team, with contributions by
Gynvael Coldwind of Google Security Team.</p>
<p>[134954] [135264] High CVE-2012-2856: Out-of-bounds writes in PDF
viewer. Credit to Mateusz Jurczyk of Google Security Team, with
contributions by Gynvael Coldwind of Google Security Team.</p>
<p>[136235] High CVE-2012-2857: Use-after-free in CSS DOM. Credit to
Arthur Gerkis.</p>
<p>[136894] High CVE-2012-2858: Buffer overflow in WebP decoder.
Credit to Juri Aedla.</p>
<p>[Linux only] [137541] Critical CVE-2012-2859: Crash in tab
handling. Credit to Jeff Roberts of Google Security Team.</p>
<p>[137671] Medium CVE-2012-2860: Out-of-bounds access when clicking
in date picker. Credit to Chamal de Silva.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2846</cvename>
<cvename>CVE-2012-2847</cvename>
<cvename>CVE-2012-2848</cvename>
<cvename>CVE-2012-2849</cvename>
<cvename>CVE-2012-2850</cvename>
<cvename>CVE-2012-2851</cvename>
<cvename>CVE-2012-2852</cvename>
<cvename>CVE-2012-2853</cvename>
<cvename>CVE-2012-2854</cvename>
<cvename>CVE-2012-2855</cvename>
<cvename>CVE-2012-2856</cvename>
<cvename>CVE-2012-2857</cvename>
<cvename>CVE-2012-2858</cvename>
<cvename>CVE-2012-2859</cvename>
<cvename>CVE-2012-2860</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-07-31</discovery>
<entry>2012-08-10</entry>
</dates>
</vuln>
<vuln vid="2092a45b-e2f6-11e1-a8ca-00262d5ed8ee">
<topic>www/chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>20.0.1132.57</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/search/label/Stable%20updates">
<p>[129898] High CVE-2012-2842: Use-after-free in counter handling.
Credit to miaubiz.</p>
<p>[130595] High CVE-2012-2843: Use-after-free in layout height
tracking. Credit to miaubiz.</p>
<p>[133450] High CVE-2012-2844: Bad object access with JavaScript in
PDF. Credit to Alexey Samsonov of Google.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2842</cvename>
<cvename>CVE-2012-2843</cvename>
<cvename>CVE-2012-2844</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-07-11</discovery>
<entry>2012-08-10</entry>
</dates>
</vuln>
<vuln vid="31db9a18-e289-11e1-a57d-080027a27dbf">
<topic>rubygem-rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-rails</name>
<range><lt>3.2.8</lt></range>
</package>
<package>
<name>rubygem-actionpack</name>
<range><lt>3.2.8</lt></range>
</package>
<package>
<name>rubygem-activesupport</name>
<range><lt>3.2.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Rails core team reports:</p>
<blockquote cite="http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/">
<p>This version contains three important security fixes, please upgrade immediately.</p>
<p>One of the security fixes impacts all users and is related to HTML escaping code. The
other two fixes impact people using select_tag's prompt option and the strip_tags
helper from ActionPack.</p>
<p>CVE-2012-3463 Potential XSS Vulnerability in select_tag prompt.</p>
<p>CVE-2012-3464 Potential XSS Vulnerability in the HTML escaping code.</p>
<p>CVE-2012-3465 XSS Vulnerability in strip_tags.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3463</cvename>
<cvename>CVE-2012-3464</cvename>
<cvename>CVE-2012-3465</cvename>
<url>https://groups.google.com/d/msg/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J</url>
<url>http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/</url>
</references>
<dates>
<discovery>2012-08-08</discovery>
<entry>2012-08-10</entry>
</dates>
</vuln>
<vuln vid="8675efd5-e22c-11e1-a808-002354ed89bc">
<topic>sudosh -- buffer overflow</topic>
<affects>
<package>
<name>sudosh2</name>
<range><le>1.0.2</le></range>
</package>
<package>
<name>sudosh3</name>
<range><le>3.2.0_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISS reports:</p>
<blockquote cite="http://xforce.iss.net/xforce/xfdb/55903">
<p>sudosh2 and sudosh3 are vulnerable to a stack-based buffer
overflow, caused by improper bounds checking by the replay()
function. By persuading a victim to replay a specially-crafted
recorded sudo session, a local attacker could overflow a buffer
and execute arbitrary code on the system with elevated privileges
or cause the application to crash.</p>
</blockquote>
</body>
</description>
<references>
<url>http://xforce.iss.net/xforce/xfdb/55903</url>
<url>http://secunia.com/advisories/38349</url>
<url>http://secunia.com/advisories/38292</url>
</references>
<dates>
<discovery>2010-01-17</discovery>
<entry>2012-08-09</entry>
</dates>
</vuln>
<vuln vid="0f020b7b-e033-11e1-90a2-000c299b62e1">
<topic>FreeBSD -- named(8) DNSSEC validation Denial of Service</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_10</lt></range>
<range><ge>8.1</ge><lt>8.1_13</lt></range>
<range><ge>8.2</ge><lt>8.2_10</lt></range>
<range><ge>8.3</ge><lt>8.3_4</lt></range>
<range><ge>9.0</ge><lt>9.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:05.bind.asc">
<p>BIND 9 stores a cache of query names that are known to be failing
due to misconfigured name servers or a broken chain of trust.
Under high query loads, when DNSSEC validation is active, it is
possible for a condition to arise in which data from this cache of
failing queries could be used before it was fully initialized,
triggering an assertion failure.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:05.bind</freebsdsa>
<cvename>CVE-2012-3817</cvename>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-08-07</entry>
</dates>
</vuln>
<vuln vid="36235c38-e0a8-11e1-9f4d-002354ed89bc">
<topic>automake -- Insecure 'distcheck' recipe granted world-writable distdir</topic>
<affects>
<package>
<name>automake</name>
<range><ge>1.5.0</ge><lt>1.12.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GNU reports:</p>
<blockquote cite="https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html">
<p>The recipe of the 'distcheck' target granted temporary
world-write permissions on the extracted distdir. This introduced
a locally exploitable race condition for those who run "make
distcheck" with a non-restrictive umask (e.g., 022) in a directory
that was accessible by others. A successful exploit would result
in arbitrary code execution with the privileges of the user
running "make distcheck".</p>
<p>It is important to stress that this vulnerability impacts not only
the Automake package itself, but all packages with
Automake-generated makefiles. For an effective fix it is necessary
to regenerate the Makefile.in files with a fixed Automake
version.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3386</cvename>
<url>https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html</url>
</references>
<dates>
<discovery>2012-07-09</discovery>
<entry>2012-08-06</entry>
<modified>2012-08-25</modified>
</dates>
</vuln>
<vuln vid="dbf338d0-dce5-11e1-b655-14dae9ebcf89">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>14.0.1,1</lt></range>
<range><lt>10.0.6,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.6,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.11</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.6</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.11</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>14.0</lt></range>
<range><lt>10.0.6</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/
rv:10.0.6)</p>
<p>MFSA 2012-43 Incorrect URL displayed in addressbar through drag and
drop</p>
<p>MFSA 2012-44 Gecko memory corruption</p>
<p>MFSA 2012-45 Spoofing issue with location</p>
<p>MFSA 2012-46 XSS through data: URLs</p>
<p>MFSA 2012-47 Improper filtering of javascript in HTML feed-view</p>
<p>MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden</p>
<p>MFSA 2012-49 Same-compartment Security Wrappers can be bypassed</p>
<p>MFSA 2012-50 Out of bounds read in QCMS</p>
<p>MFSA 2012-51 X-Frame-Options header ignored when duplicated</p>
<p>MFSA 2012-52 JSDependentString::undepend string conversion results
in memory corruption</p>
<p>MFSA 2012-53 Content Security Policy 1.0 implementation errors
cause data leakage</p>
<p>MFSA 2012-54 Clickjacking of certificate warning page</p>
<p>MFSA 2012-55 feed: URLs with an innerURI inherit security context
of page</p>
<p>MFSA 2012-56 Code execution through javascript: URLs</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1949</cvename>
<cvename>CVE-2012-1950</cvename>
<cvename>CVE-2012-1951</cvename>
<cvename>CVE-2012-1952</cvename>
<cvename>CVE-2012-1953</cvename>
<cvename>CVE-2012-1954</cvename>
<cvename>CVE-2012-1955</cvename>
<cvename>CVE-2012-1957</cvename>
<cvename>CVE-2012-1958</cvename>
<cvename>CVE-2012-1959</cvename>
<cvename>CVE-2012-1960</cvename>
<cvename>CVE-2012-1961</cvename>
<cvename>CVE-2012-1962</cvename>
<cvename>CVE-2012-1963</cvename>
<cvename>CVE-2012-1964</cvename>
<cvename>CVE-2012-1965</cvename>
<cvename>CVE-2012-1966</cvename>
<cvename>CVE-2012-1967</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-42.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-43.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-44.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-45.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-46.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-47.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-48.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-49.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-50.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-51.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-52.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-53.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-54.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-55.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-56.html</url>
</references>
<dates>
<discovery>2012-07-17</discovery>
<entry>2012-08-02</entry>
</dates>
</vuln>
<vuln vid="de2bc01f-dc44-11e1-9f4d-002354ed89bc">
<topic>Apache -- Insecure LD_LIBRARY_PATH handling</topic>
<affects>
<package>
<name>apache</name>
<range><le>2.2.22_5</le></range>
</package>
<package>
<name>apache-event</name>
<range><le>2.2.22_5</le></range>
</package>
<package>
<name>apache-itk</name>
<range><le>2.2.22_5</le></range>
</package>
<package>
<name>apache-peruser</name>
<range><le>2.2.22_5</le></range>
</package>
<package>
<name>apache-worker</name>
<range><le>2.2.22_5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html">
<p>Insecure handling of LD_LIBRARY_PATH was found that could lead to
the current working directory being searched for DSOs. This could
allow a local user to execute code as root if an administrator runs
apachectl from an untrusted directory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0883</cvename>
<url>http://httpd.apache.org/security/vulnerabilities_24.html</url>
<url>http://www.apache.org/dist/httpd/CHANGES_2.4.2</url>
</references>
<dates>
<discovery>2012-03-02</discovery>
<entry>2012-08-01</entry>
</dates>
</vuln>
<vuln vid="f01292a0-db3c-11e1-a84b-00e0814cab4e">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py26-django</name>
<name>py27-django</name>
<range><ge>1.4</ge><lt>1.4.1</lt></range>
<range><ge>1.3</ge><lt>1.3.2</lt></range>
</package>
<package>
<name>py26-django-devel</name>
<name>py27-django-devel</name>
<range><lt>20120731,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/">
<p>Today the Django team is issuing multiple releases --
Django 1.3.2 and Django 1.4.1 -- to remedy security issues
reported to us:</p>
<ul>
<li>Cross-site scripting in authentication views</li>
<li>Denial-of-service in image validation</li>
<li>Denial-of-service via get_image_dimensions()</li>
</ul>
<p>All users are encouraged to upgrade Django immediately.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3442</cvename>
<cvename>CVE-2012-3443</cvename>
<cvename>CVE-2012-3444</cvename>
<url>https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/</url>
</references>
<dates>
<discovery>2012-07-30</discovery>
<entry>2012-07-31</entry>
<modified>2012-08-02</modified>
</dates>
</vuln>
<vuln vid="58253655-d82c-11e1-907c-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>3.6.0</ge><lt>3.6.10</lt></range>
<range><ge>4.0.0</ge><lt>4.0.7</lt></range>
<range><ge>4.2.0</ge><lt>4.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.6.9/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<h1>Information Leak</h1>
<p>Versions: 4.1.1 to 4.2.1, 4.3.1</p>
<p>In HTML bugmails, all bug IDs and attachment IDs are
linkified, and hovering these links displays a tooltip
with the bug summary or the attachment description if
the user is allowed to see the bug or attachment.
But when validating user permissions when generating the
email, the permissions of the user who edited the bug were
taken into account instead of the permissions of the
addressee. This means that confidential information could
be disclosed to the addressee if the other user has more
privileges than the addressee.
Plain text bugmails are not affected as bug and attachment
IDs are not linkified.</p>
<h1>Information Leak</h1>
<p>Versions: 2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to
4.2.1, 4.3.1</p>
<p>The description of a private attachment could be visible
to a user who does not have permission to access this attachment
if the attachment ID is mentioned in a public comment in
a bug that the user can see.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1968</cvename>
<cvename>CVE-2012-1969</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=777398</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=777586</url>
</references>
<dates>
<discovery>2012-07-26</discovery>
<entry>2012-07-27</entry>
</dates>
</vuln>
<vuln vid="17f369dc-d7e7-11e1-90a2-000c299b62e1">
<topic>nsd -- Denial of Service</topic>
<affects>
<package>
<name>nsd</name>
<range><lt>3.2.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tom Hendrikx reports:</p>
<blockquote cite="http://www.nlnetlabs.nl/downloads/CVE-2012-2979.txt">
<p>It is possible to crash (SIGSEGV) an NSD child server process by
sending it a DNS packet from any host on the internet when the per
zone stats build option is enabled. A crashed child process will
automatically be restarted by the parent process, but an attacker
may keep the NSD server occupied restarting child processes by
sending it a stream of such packets, effectively preventing the
NSD server from serving.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2979</cvename>
<url>http://www.nlnetlabs.nl/downloads/CVE-2012-2979.txt</url>
</references>
<dates>
<discovery>2012-07-27</discovery>
<entry>2012-07-27</entry>
</dates>
</vuln>
<vuln vid="ae2fa87c-4bca-4138-8be1-67ce2a19b3a8">
<topic>rubygem-actionpack -- Denial of Service</topic>
<affects>
<package>
<name>rubygem-actionpack</name>
<range><lt>3.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/vxJjrc15qYM">
<p>There is a DoS vulnerability in Action Pack digest authentication
handling in authenticate_or_request_with_http_digest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3424</cvename>
<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/vxJjrc15qYM</url>
</references>
<dates>
<discovery>2012-07-26</discovery>
<entry>2012-07-26</entry>
</dates>
</vuln>
<vuln vid="cdc4ff0e-d736-11e1-8221-e0cb4e266481">
<topic>p5-RT-Authen-ExternalAuth -- privilege escalation</topic>
<affects>
<package>
<name>p5-RT-Authen-ExternalAuth</name>
<range><lt>0.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The RT development team reports:</p>
<blockquote cite="http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html">
<p>RT::Authen::ExternalAuth 0.10 and below (for all versions
of RT) are vulnerable to an escalation of privilege attack
where the URL of a RSS feed of the user can be used to
acquire a fully logged-in session as that user.
CVE-2012-2770 has been assigned to this vulnerability.</p>
<p>Users of RT 3.8.2 and above should upgrade to
RT::Authen::ExternalAuth 0.11, which resolves this
vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html</url>
<cvename>CVE-2012-2770</cvename>
</references>
<dates>
<discovery>2012-07-25</discovery>
<entry>2012-07-26</entry>
</dates>
</vuln>
<vuln vid="c7fa3618-d5ff-11e1-90a2-000c299b62e1">
<topic>isc-dhcp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>isc-dhcp41-server</name>
<range><lt>4.1.e_5,2</lt></range>
</package>
<package>
<name>isc-dhcp42-server</name>
<range><lt>4.2.4_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/announcement/bind-and-dhcp-security-updates-released">
<p>An unexpected client identifier parameter can cause the ISC DHCP
daemon to segmentation fault when running in DHCPv6 mode,
resulting in a denial of service to further client requests. In
order to exploit this condition, an attacker must be able to send
requests to the DHCP server.</p>
<p>An error in the handling of malformed client identifiers can cause
a DHCP server running affected versions (see "Impact") to enter a
state where further client requests are not processed and the
server process loops endlessly, consuming all available CPU
cycles.
Under normal circumstances this condition should not be
triggered, but a non-conforming or malicious client could
deliberately trigger it in a vulnerable server. In order to
exploit this condition an attacker must be able to send requests
to the DHCP server.</p>
<p>Two memory leaks have been found and fixed in ISC DHCP. Both are
reproducible when running in DHCPv6 mode (with the -6 command-line
argument.) The first leak is confirmed to only affect servers
operating in DHCPv6 mode, but based on initial code analysis the
second may theoretically affect DHCPv4 servers (though this has
not been demonstrated.)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3570</cvename>
<cvename>CVE-2012-3571</cvename>
<cvename>CVE-2012-3954</cvename>
<url>https://kb.isc.org/article/AA-00714</url>
<url>https://kb.isc.org/article/AA-00712</url>
<url>https://kb.isc.org/article/AA-00737</url>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-07-25</entry>
</dates>
</vuln>
<vuln vid="0bc67930-d5c3-11e1-bef6-0024e81297ae">
<topic>dns/bind9* -- Heavy DNSSEC Validation Load Can Cause a 'Bad Cache' Assertion Failure</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.1.2</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.3.2</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.6.2</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-00729">
<p>High numbers of queries with DNSSEC validation enabled can
cause an assertion failure in named, caused by using a 'bad cache'
data structure before it has been initialized.</p>
<p>BIND 9 stores a cache of query names that are known to be failing due
to misconfigured name servers or a broken chain of trust. Under high query
loads when DNSSEC validation is active, it is possible for a condition
to arise in which data from this cache of failing queries could be used
before it was fully initialized, triggering an assertion failure.</p>
<p>This bug cannot be encountered unless your server is doing DNSSEC
validation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3817</cvename>
<url>https://kb.isc.org/article/AA-00729</url>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-07-24</entry>
</dates>
</vuln>
<vuln vid="748aa89f-d529-11e1-82ab-001fd0af1a4c">
<topic>rubygem-activerecord -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-activemodel</name>
<range><lt>3.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>rubygem-activerecord -- multiple vulnerabilities</p>
<blockquote>
<p>Due to the way Active Record interprets parameters in
combination with the way that Rack parses query parameters, it
is possible for an attacker to issue unexpected database
queries with "IS NULL" where clauses. This issue does *not*
let an attacker insert arbitrary values into an SQL query,
however they can cause the query to check for NULL where most
users wouldn't expect it.</p>
<p>Due to the way Active Record handles nested query parameters,
an attacker can use a specially crafted request to inject some
forms of SQL into your application's SQL queries.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2660</cvename>
<cvename>CVE-2012-2661</cvename>
<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/8SA-M3as7A8</url>
<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/dUaiOOGWL1k</url>
</references>
<dates>
<discovery>2012-05-31</discovery>
<entry>2012-07-23</entry>
<modified>2012-07-23</modified>
</dates>
</vuln>
<vuln vid="bdab0acd-d4cd-11e1-8a1c-14dae9ebcf89">
<topic>php -- potential overflow in _php_stream_scandir</topic>
<affects>
<package>
<name>php5</name>
<range><gt>5.4</gt><lt>5.4.5</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.15</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Development Team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-07-19-1">
<p>The release of PHP 5.4.15 and 5.4.5 fixes a potential overflow in
_php_stream_scandir.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2688</cvename>
<url>http://www.php.net/archive/2012.php#id2012-07-19-1</url>
</references>
<dates>
<discovery>2012-07-19</discovery>
<entry>2012-07-23</entry>
<modified>2012-09-19</modified>
</dates>
</vuln>
<vuln vid="ce82bfeb-d276-11e1-92c6-14dae938ec40">
<topic>dns/nsd -- DoS vulnerability from non-standard DNS packet</topic>
<affects>
<package>
<name>nsd</name>
<range><lt>3.2.11_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marek Vavrusa and Lubos Slovak report:</p>
<blockquote cite="http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt">
<p>It is possible to crash (SIGSEGV) an NSD child server process
by sending it a non-standard DNS packet from any host on the
internet. A crashed child process will automatically be restarted
by the parent process, but an attacker may keep the NSD server
occupied restarting child processes by sending it a stream of
such packets, effectively preventing the NSD server from serving.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2978</cvename>
<freebsdpr>ports/170024</freebsdpr>
<url>http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt</url>
</references>
<dates>
<discovery>2012-07-19</discovery>
<entry>2012-07-20</entry>
<modified>2012-07-21</modified>
</dates>
</vuln>
<vuln vid="a460035e-d111-11e1-aff7-001fd056c417">
<topic>libjpeg-turbo -- heap-based buffer overflow</topic>
<affects>
<package>
<name>libjpeg-turbo</name>
<range><lt>1.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://sourceforge.net/projects/libjpeg-turbo/files/1.2.1/README.txt">
<p>The Changelog for version 1.2.1 says: Fixed a regression caused by
1.2.0[6] in which decompressing corrupt JPEG images (specifically,
images in which the component count was erroneously set to a large
value) would cause libjpeg-turbo to segfault.</p>
</blockquote>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=826849">
<p>A Heap-based buffer overflow was found in the way libjpeg-turbo
decompressed certain corrupt JPEG images in which the component count
was erroneously set to a large value. An attacker could create a
specially-crafted JPEG image that, when opened, could cause an
application using libpng to crash or, possibly, execute arbitrary code
with the privileges of the user running the application.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2806</cvename>
<url>http://sourceforge.net/projects/libjpeg-turbo/files/1.2.1/README.txt</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=826849</url>
</references>
<dates>
<discovery>2012-05-31</discovery>
<entry>2012-07-18</entry>
<modified>2012-07-19</modified>
</dates>
</vuln>
<vuln vid="2fe4b57f-d110-11e1-ac76-10bf48230856">
<topic>Dokuwiki -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20120125_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia Research reports:</p>
<blockquote cite="http://secunia.com/advisories/49196/">
<p>Secunia Research has discovered a vulnerability in DokuWiki, which can
be exploited by malicious people to conduct cross-site scripting
attacks.</p>
<p>Input passed to the "ns" POST parameter in lib/exe/ajax.php (when "call"
is set to "medialist" and "do" is set to "media") is not properly
sanitised within the "tpl_mediaFileList()" function in inc/template.php
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/49196/</url>
<cvename>CVE-2012-0283</cvename>
</references>
<dates>
<discovery>2012-07-13</discovery>
<entry>2012-07-18</entry>
</dates>
</vuln>
<vuln vid="3a6960ef-c8a8-11e1-9924-001fd0af1a4c">
<topic>puppet -- multiple vulnerabilities</topic>
<affects>
<package>
<name>puppet</name>
<range><lt>2.7.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>puppet -- multiple vulnerabilities</p>
<blockquote cite="http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18">
<p>Arbitrary file read on the puppet master from authenticated
clients (high). It is possible to construct an HTTP get request
from an authenticated client with a valid certificate that will
return the contents of an arbitrary file on the Puppet master
that the master has read-access to.</p>
<p>Arbitrary file delete/D.O.S on Puppet Master from authenticated
clients (high). Given a Puppet master with the "Delete"
directive allowed in auth.conf for an authenticated host, an
attacker on that host can send a specially crafted Delete
request that can cause an arbitrary file deletion on the Puppet
master, potentially causing a denial of service attack. Note
that this vulnerability does *not* exist in Puppet as
configured by default.</p>
<p>The last_run_report.yaml is world readable (medium). The most
recent Puppet run report is stored on the Puppet master with
world-readable permissions. The report file contains the
context diffs of any changes to configuration on an agent,
which may contain sensitive information that an attacker can
then access. The last run report is overwritten with every
Puppet run.</p>
<p>Arbitrary file read on the Puppet master by an agent (medium).
This vulnerability is dependent upon vulnerability
"last_run_report.yml is world readable" above. By creating a
hard link of a Puppet-managed file to an arbitrary file that
the Puppet master can read, an attacker forces the contents to
be written to the puppet run summary. The context diff is
stored in last_run_report.yaml, which can then be accessed by
the attacker.</p>
<p>Insufficient input validation for agent hostnames (low). An
attacker could trick the administrator into signing an
attacker's certificate rather than the intended one by
constructing specially crafted certificate requests containing
specific ANSI control sequences. It is possible to use the
sequences to rewrite the order of text displayed to an
administrator such that display of an invalid certificate and
valid certificate are transposed. If the administrator signs
the attacker's certificate, the attacker can then
man-in-the-middle the agent.</p>
<p>Agents with certnames of IP addresses can be impersonated
(low). If an authenticated host with a certname of an IP
address changes IP addresses, and a second host assumes the
first host's former IP address, the second host will be treated
by the puppet master as the first one, giving the second host
access to the first host's catalog. Note: This will not be
fixed in Puppet versions prior to the forthcoming 3.x. Instead,
with this announcement IP-based authentication in Puppet < 3.x
is deprecated.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3864</cvename>
<cvename>CVE-2012-3865</cvename>
<cvename>CVE-2012-3866</cvename>
<cvename>CVE-2012-3867</cvename>
<url>http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3864/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3865/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3866/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3867/</url>
</references>
<dates>
<discovery>2012-07-05</discovery>
<entry>2012-07-10</entry>
</dates>
</vuln>
<vuln vid="4c1ac2dd-c788-11e1-be25-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk</name>
<range><gt>10.*</gt><lt>10.5.2</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.13.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Possible resource leak on uncompleted re-invite transactions.</p>
<p>Remote crash vulnerability in voice mail application.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3812</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-010.html</url>
<url>http://downloads.digium.com/pub/security/AST-2012-011.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2012-07-05</discovery>
<entry>2012-07-06</entry>
<modified>2012-08-30</modified>
</dates>
</vuln>
<vuln vid="c28ee9cd-916e-4dcf-8ed3-e97e5846db6c">
<topic>typo3 -- Cross-Site Scripting Vulnerability in TYPO3 Core</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.5</ge><lt>4.5.17</lt></range>
<range><ge>4.6</ge><lt>4.6.10</lt></range>
<range><ge>4.7</ge><lt>4.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Typo3 Security Report (TYPO3-CORE-SA-2012-003):</p>
<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-003/">
<p>TYPO3 bundles and uses an external JavaScript and Flash Upload Library
called swfupload. TYPO3 can be configured to use this Flash uploader.
Input passed via the "movieName" parameter to swfupload.swf is not
properly sanitised before being used in a call to
"ExternalInterface.call()". This can be exploited to execute arbitrary
script code in a user's browser session in context of an affected site.
The existence of the swfupload library is sufficient to be vulnerable
to the reported problem.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/49780/</url>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-003/</url>
</references>
<dates>
<discovery>2012-07-04</discovery>
<entry>2012-07-06</entry>
</dates>
</vuln>
<vuln vid="fd8bac56-c444-11e1-864b-001cc0877741">
<topic>phpList -- SQL injection and XSS vulnerability</topic>
<affects>
<package>
<name>phplist</name>
<range><le>2.10.17</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Zero Science Lab reports:</p>
<blockquote cite="http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php">
<p>Input passed via the parameter 'sortby' is not properly
sanitised before being returned to the user or used in SQL queries.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code. The param 'num' is vulnerable to a XSS issue
where the attacker can execute arbitrary HTML and script code in
a user's browser session in context of an affected site.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2740</cvename>
<cvename>CVE-2012-2741</cvename>
<bid>52657</bid>
<url>https://www.phplist.com/?lid=567</url>
<url>http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php</url>
</references>
<dates>
<discovery>2012-03-21</discovery>
<entry>2012-07-02</entry>
</dates>
</vuln>
<vuln vid="ff922811-c096-11e1-b0f4-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>20.0.1132.43</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.nl/search/label/Stable%20updates">
<p>[118633] Low CVE-2012-2815: Leak of iframe fragment id. Credit to
Elie Bursztein of Google.</p>
<p>[120222] High CVE-2012-2817: Use-after-free in table section
handling. Credit to miaubiz.</p>
<p>[120944] High CVE-2012-2818: Use-after-free in counter layout.
Credit to miaubiz.</p>
<p>[120977] High CVE-2012-2819: Crash in texture handling. Credit to
Ken "gets" Russell of the Chromium development community.</p>
<p>[121926] Medium CVE-2012-2820: Out-of-bounds read in SVG filter
handling. Credit to Atte Kettunen of OUSPG.</p>
<p>[122925] Medium CVE-2012-2821: Autofill display problem. Credit to
"simonbrown60".</p>
<p>[various] Medium CVE-2012-2822: Misc. lower severity OOB read
issues in PDF. Credit to awesome ASAN and various Googlers (Kostya
Serebryany, Evgeniy Stepanov, Mateusz Jurczyk, Gynvael Coldwind).</p>
<p>[124356] High CVE-2012-2823: Use-after-free in SVG resource
handling. Credit to miaubiz.</p>
<p>[125374] High CVE-2012-2824: Use-after-free in SVG painting.
Credit to miaubiz.</p>
<p>[128688] Medium CVE-2012-2826: Out-of-bounds read in texture
conversion. Credit to Google Chrome Security Team (Inferno).</p>
<p>[Mac only] [129826] Low CVE-2012-2827: Use-after-free in Mac UI.
Credit to the Chromium development community (Dharani Govindan).</p>
<p>[129857] High CVE-2012-2828: Integer overflows in PDF. Credit to
Mateusz Jurczyk of Google Security Team and Google Chrome Security
Team (Chris Evans).</p>
<p>[129947] High CVE-2012-2829: Use-after-free in first-letter
handling. Credit to miaubiz.</p>
<p>[129951] High CVE-2012-2830: Wild pointer in array value setting.
Credit to miaubiz.</p>
<p>[130356] High CVE-2012-2831: Use-after-free in SVG reference
handling. Credit to miaubiz.</p>
<p>[131553] High CVE-2012-2832: Uninitialized pointer in PDF image
codec. Credit to Mateusz Jurczyk of Google Security Team.</p>
<p>[132156] High CVE-2012-2833: Buffer overflow in PDF JS API. Credit
to Mateusz Jurczyk of Google Security Team.</p>
<p>[132779] High CVE-2012-2834: Integer overflow in Matroska
container. Credit to Juri Aedla.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2815</cvename>
<cvename>CVE-2012-2817</cvename>
<cvename>CVE-2012-2818</cvename>
<cvename>CVE-2012-2819</cvename>
<cvename>CVE-2012-2820</cvename>
<cvename>CVE-2012-2821</cvename>
<cvename>CVE-2012-2822</cvename>
<cvename>CVE-2012-2823</cvename>
<cvename>CVE-2012-2824</cvename>
<cvename>CVE-2012-2826</cvename>
<cvename>CVE-2012-2827</cvename>
<cvename>CVE-2012-2828</cvename>
<cvename>CVE-2012-2829</cvename>
<cvename>CVE-2012-2830</cvename>
<cvename>CVE-2012-2831</cvename>
<cvename>CVE-2012-2832</cvename>
<cvename>CVE-2012-2833</cvename>
<cvename>CVE-2012-2834</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-06-26</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="aed44c4e-c067-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- Privilege escalation when returning from kernel</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_9</lt></range>
<range><ge>8.1</ge><lt>8.1_12</lt></range>
<range><ge>8.2</ge><lt>8.2_9</lt></range>
<range><ge>8.3</ge><lt>8.3_3</lt></range>
<range><ge>9.0</ge><lt>9.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc">
<p>FreeBSD/amd64 runs on CPUs from different vendors. Due to varying
behaviour of CPUs in 64 bit mode a sanity check of the kernel may be
insufficient when returning from a system call.</p>
<p>Successful exploitation of the problem can lead to local kernel privilege
escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code with user
privileges on the target system.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:04.sysret</freebsdsa>
<cvename>CVE-2012-0217</cvename>
</references>
<dates>
<discovery>2012-06-12</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="fc5231b6-c066-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- Incorrect handling of zero-length RDATA fields in named(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_9</lt></range>
<range><ge>8.1</ge><lt>8.1_11</lt></range>
<range><ge>8.2</ge><lt>8.2_9</lt></range>
<range><ge>8.3</ge><lt>8.3_3</lt></range>
<range><ge>9.0</ge><lt>9.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:03.bind.asc">
<p>The named(8) server does not properly handle DNS resource records where
the RDATA field is zero length, which may cause various issues for the
servers handling them.</p>
<p>Resolving servers may crash or disclose some portion of memory to the
client. Authoritative servers may crash on restart after transferring a
zone containing records with zero-length RDATA fields. These would
result in a denial of service, or leak of sensitive information.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:03.bind</freebsdsa>
<cvename>CVE-2012-1667</cvename>
</references>
<dates>
<discovery>2012-06-12</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="185ff22e-c066-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- Incorrect crypt() hashing</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_8</lt></range>
<range><ge>8.1</ge><lt>8.1_10</lt></range>
<range><ge>8.2</ge><lt>8.2_8</lt></range>
<range><ge>8.3</ge><lt>8.3_2</lt></range>
<range><ge>9.0</ge><lt>9.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:02.crypt.asc">
<p>There is a programming error in the DES implementation used in crypt()
when handling input which contains characters that can not be represented
with 7-bit ASCII.</p>
<p>When the input contains characters with only the most significant bit set
(0x80), that character and all characters after it will be ignored.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:02.crypt</freebsdsa>
<cvename>CVE-2012-2143</cvename>
</references>
<dates>
<discovery>2012-05-30</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="2ae114de-c064-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- OpenSSL multiple vulnerabilities</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_8</lt></range>
<range><ge>8.1</ge><lt>8.1_10</lt></range>
<range><ge>8.2</ge><lt>8.2_8</lt></range>
<range><ge>8.3</ge><lt>8.3_2</lt></range>
<range><ge>9.0</ge><lt>9.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc">
<p>OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accept SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]</p>
<p>OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]</p>
<p>If an application uses OpenSSL's certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]</p>
<p>A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]</p>
<p>The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates
or RSA public keys. [CVE-2012-2110]</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:01.openssl</freebsdsa>
<cvename>CVE-2011-4576</cvename>
<cvename>CVE-2011-4619</cvename>
<cvename>CVE-2011-4109</cvename>
<cvename>CVE-2012-0884</cvename>
<cvename>CVE-2012-2110</cvename>
</references>
<dates>
<discovery>2012-05-03</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="f45c0049-be72-11e1-a284-0023ae8e59f0">
<topic>pycrypto -- vulnerable ElGamal key generation</topic>
<affects>
<package>
<name>py-pycrypto</name>
<range><ge>2.5</ge><lt>2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dwayne C. Litzenberger of PyCrypto reports:</p>
<blockquote cite="http://lists.dlitz.net/pipermail/pycrypto/2012q2/000587.html">
<p>In the ElGamal schemes (for both encryption and signatures), g is
supposed to be the generator of the entire Z^*_p group. However, in
PyCrypto 2.5 and earlier, g is more simply the generator of a random
sub-group of Z^*_p.</p>
<p>The result is that the signature space (when the key is used for
signing) or the public key space (when the key is used for encryption)
may be greatly reduced from its expected size of log(p) bits, possibly
down to 1 bit (the worst case if the order of g is 2).</p>
<p>While it has not been confirmed, it has also been suggested that an
attacker might be able to use this fact to determine the private key.</p>
<p>Anyone using ElGamal keys should generate new keys as soon as
practical.</p>
<p>Any additional information about this bug will be tracked at
https://bugs.launchpad.net/pycrypto/+bug/985164</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2417</cvename>
<url>http://lists.dlitz.net/pipermail/pycrypto/2012q2/000587.html</url>
<url>https://bugs.launchpad.net/pycrypto/+bug/985164</url>
</references>
<dates>
<discovery>2012-05-24</discovery>
<entry>2012-06-24</entry>
</dates>
</vuln>
<vuln vid="f46c4c6a-ba25-11e1-806a-001143cd36d8">
<topic>joomla -- Privilege Escalation</topic>
<affects>
<package>
<name>joomla</name>
<range><lt>2.5.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Joomla! reported a Core Privilege Escalation:</p>
<blockquote cite="http://developer.joomla.org/security/news/470-20120601-core-privilege-escalation.html">
<p>Inadequate checking leads to possible user privilege escalation.</p>
</blockquote>
</body>
</description>
<references>
<url>http://developer.joomla.org/security/news/470-20120601-core-privilege-escalation.html</url>
</references>
<dates>
<discovery>2012-04-29</discovery>
<entry>2012-06-19</entry>
</dates>
</vuln>
<vuln vid="eb12ebee-b7af-11e1-b5e0-000c299b62e1">
<topic>clamav -- multiple vulnerabilities</topic>
<affects>
<package>
<name>clamav</name>
<range><lt>0.97.5</lt></range>
</package>
<package>
<name>clamav-devel</name>
<range><lt>20120612</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE Advisories report:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1419">
<p>The TAR parser allows remote attackers to bypass malware detection
via a POSIX TAR file with an initial [aliases] character sequence.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1457">
<p>The TAR parser allows remote attackers to bypass malware detection
via a TAR archive entry with a length field that exceeds the total
TAR file size.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458">
<p>The Microsoft CHM file parser allows remote attackers to bypass
malware detection via a crafted reset interval in the LZXC header
of a CHM file.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1459">
<p>The TAR file parser allows remote attackers to bypass malware
detection via a TAR archive entry with a length field
corresponding to that entire entry, plus part of the header of
the next entry.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1419</cvename>
<cvename>CVE-2012-1457</cvename>
<cvename>CVE-2012-1458</cvename>
<cvename>CVE-2012-1459</cvename>
</references>
<dates>
<discovery>2012-03-19</discovery>
<entry>2012-06-16</entry>
</dates>
</vuln>
<vuln vid="3c8d1e5b-b673-11e1-be25-14dae9ebcf89">
<topic>asterisk -- remote crash vulnerability</topic>
<affects>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Skinny Channel Driver Remote Crash Vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3553</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-009.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2012-06-14</discovery>
<entry>2012-06-14</entry>
</dates>
</vuln>
<vuln vid="5140dc69-b65e-11e1-9425-001b21614864">
<topic>ImageMagick -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ImageMagick</name>
<name>ImageMagick-nox11</name>
<range><lt>6.7.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ImageMagick reports:</p>
<blockquote cite="http://www.cert.fi/en/reports/2012/vulnerability635606.html">
<p>Three vulnerabilities have been identified in ImageMagick's
handling of JPEG and TIFF files. With these vulnerabilities, it is
possible to cause a denial of service situation in the target
system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0259</cvename>
<cvename>CVE-2012-0260</cvename>
<cvename>CVE-2012-1798</cvename>
<url>http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&amp;t=20629</url>
<url>http://www.cert.fi/en/reports/2012/vulnerability635606.html</url>
</references>
<dates>
<discovery>2012-03-28</discovery>
<entry>2012-06-14</entry>
</dates>
</vuln>
<vuln vid="55587adb-b49d-11e1-8df1-0004aca374af">
<topic>mantis -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mantis</name>
<range><lt>1.2.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mantis reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2012/06/09/1">
<p>Roland Becker and Damien Regad (MantisBT developers) found that
any user able to report issues via the SOAP interface could also
modify any bugnotes (comments) created by other users. In a
default/typical MantisBT installation, SOAP API is enabled and any
user can sign up to report new issues. This vulnerability therefore
impacts upon many public facing MantisBT installations.</p>
<p>Roland Becker (MantisBT developer) found that the
delete_attachments_threshold permission was not being checked when
a user attempted to delete an attachment from an issue. The more
generic update_bug_threshold permission was being checked instead.
MantisBT administrators may have been under the false impression
that their configuration of the delete_attachments_threshold was
successfully preventing unwanted users from deleting
attachments.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2691</cvename>
<cvename>CVE-2012-2692</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2012/06/09/1</mlist>
<mlist>http://sourceforge.net/mailarchive/forum.php?thread_name=1339229952.28538.22%40d.hx.id.au&amp;forum_name=mantisbt-dev</mlist>
</references>
<dates>
<discovery>2012-06-09</discovery>
<entry>2012-06-12</entry>
<modified>2012-06-13</modified>
</dates>
</vuln>
<vuln vid="38195f00-b215-11e1-8132-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.236</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb12-14.html">
<p>These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2034</cvename>
<cvename>CVE-2012-2035</cvename>
<cvename>CVE-2012-2036</cvename>
<cvename>CVE-2012-2037</cvename>
<cvename>CVE-2012-2038</cvename>
<cvename>CVE-2012-2039</cvename>
<cvename>CVE-2012-2040</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb12-14.html</url>
</references>
<dates>
<discovery>2012-06-08</discovery>
<entry>2012-06-09</entry>
</dates>
</vuln>
<vuln vid="bfecf7c1-af47-11e1-9580-4061862b8c22">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>13.0,1</lt></range>
<range><lt>10.0.5,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.5,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.10</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.5</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.10</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>13.0</lt></range>
<range><lt>10.0.5</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)</p>
<p>MFSA 2012-36 Content Security Policy inline-script bypass</p>
<p>MFSA 2012-37 Information disclosure through Windows file shares and shortcut files</p>
<p>MFSA 2012-38 Use-after-free while replacing/inserting a node in a document</p>
<p>MFSA 2012-39 NSS parsing errors with zero length items</p>
<p>MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3101</cvename>
<cvename>CVE-2012-0441</cvename>
<cvename>CVE-2012-1938</cvename>
<cvename>CVE-2012-1939</cvename>
<cvename>CVE-2012-1937</cvename>
<cvename>CVE-2012-1940</cvename>
<cvename>CVE-2012-1941</cvename>
<cvename>CVE-2012-1944</cvename>
<cvename>CVE-2012-1945</cvename>
<cvename>CVE-2012-1946</cvename>
<cvename>CVE-2012-1947</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-34.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-36.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-37.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-38.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-39.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-40.html</url>
</references>
<dates>
<discovery>2012-06-05</discovery>
<entry>2012-06-05</entry>
</dates>
</vuln>
<vuln vid="1e14d46f-af1f-11e1-b242-00215af774f0">
<topic>quagga -- BGP OPEN denial of service vulnerability</topic>
<affects>
<package>
<name>quagga</name>
<range><le>0.99.20.1</le></range>
</package>
<package>
<name>quagga-re</name>
<range><lt>0.99.17.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/962587">
<p>If a pre-configured BGP peer sends a specially-crafted OPEN
message with a malformed ORF capability TLV, Quagga bgpd process
will erroneously try to consume extra bytes from the input packet
buffer. The process will detect a buffer overrun attempt before
it happens and immediately terminate with an error message. All
BGP sessions established by the attacked router will be closed
and its BGP routing disrupted.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1820</cvename>
<url>http://www.kb.cert.org/vuls/id/962587</url>
</references>
<dates>
<discovery>2012-06-04</discovery>
<entry>2012-06-05</entry>
</dates>
</vuln>
<vuln vid="de6d8290-aef7-11e1-898f-14dae938ec40">
<topic>mail/sympa* -- Multiple vulnerabilities in Sympa archive management</topic>
<affects>
<package>
<name>sympa</name>
<range><lt>6.0.7</lt></range>
<range><gt>6.1.*</gt><lt>6.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Verdin reports:</p>
<blockquote cite="http://www.sympa.org/security_advisories#security_breaches_in_archives_management">
<p>Multiple vulnerabilities have been discovered in Sympa archive
management that allow the scenario-based authorization mechanisms
to be skipped.</p>
<p>This vulnerability allows the attacker to:</p>
<ul>
<li>display the archives management page ('arc_manage')</li>
<li>download the list's archives</li>
<li>delete the list's archives</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.sympa.org/security_advisories#security_breaches_in_archives_management</url>
</references>
<dates>
<discovery>2012-05-15</discovery>
<entry>2012-06-05</entry>
</dates>
</vuln>
<vuln vid="1ecc0d3f-ae8e-11e1-965b-0024e88a8c98">
<topic>dns/bind9* -- zero-length RDATA can cause named to terminate, reveal memory</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.1.1</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.3.1</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.6.1</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/bind/advisories/cve-2012-1667">
<p>Processing of DNS resource records where the rdata field is zero length
may cause various issues for the servers handling them.</p>
<p>Processing of these records may lead to unexpected outcomes. Recursive
servers may crash or disclose some portion of memory to the client.
Secondary servers may crash on restart after transferring a zone
containing these records. Master servers may corrupt zone data if the
zone option "auto-dnssec" is set to "maintain". Other unexpected
problems that are not listed here may also be encountered.</p>
<p>Impact: This issue primarily affects recursive nameservers.
Authoritative nameservers will only be impacted if an administrator
configures experimental record types with no data. If the server is
configured this way, then secondaries can crash on restart after
transferring that zone. Zone data on the master can become corrupted if
the zone with those records has named configured to manage the DNSSEC
key rotation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1667</cvename>
<url>http://www.isc.org/software/bind/advisories/cve-2012-1667</url>
</references>
<dates>
<discovery>2012-06-04</discovery>
<entry>2012-06-04</entry>
<modified>2012-06-06</modified>
</dates>
</vuln>
<vuln vid="a8864f8f-aa9e-11e1-a284-0023ae8e59f0">
<topic>databases/postgresql*-server -- crypt vulnerabilities</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><gt>8.3.*</gt><lt>8.3.18_1</lt></range>
<range><gt>8.4.*</gt><lt>8.4.11_1</lt></range>
<range><gt>9.0.*</gt><lt>9.0.7_2</lt></range>
<range><gt>9.1.*</gt><lt>9.1.3_1</lt></range>
<range><gt>9.2.*</gt><lt>9.2.b1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL Global Development Group reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1397/">
<p>Today the PHP, OpenBSD and FreeBSD communities announced updates to
patch a security hole involving their crypt() hashing algorithms. This
issue is described in CVE-2012-2143. This vulnerability also affects a
minority of PostgreSQL users, and will be fixed in an update release on
June 4, 2012.</p>
<p>Affected users are those who use the crypt(text, text) function
with DES encryption in the optional pg_crypto module. Passwords
affected are those that contain characters that cannot be
represented with 7-bit ASCII. If a password contains a character
that has the most significant bit set (0x80), and DES encryption
is used, that character and all characters after it will be ignored.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2143</cvename>
<url>http://www.postgresql.org/about/news/1397/</url>
<url>http://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=932ded2ed51e8333852e370c7a6dad75d9f236f9</url>
</references>
<dates>
<discovery>2012-05-30</discovery>
<entry>2012-05-30</entry>
<modified>2012-05-31</modified>
</dates>
</vuln>
<vuln vid="47f13540-c4cb-4971-8dc6-28d0dabfd9cd">
<topic>nut -- upsd can be remotely crashed</topic>
<affects>
<package>
<name>nut</name>
<range><ge>2.4.0</ge><le>2.6.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Networkupstools project reports:</p>
<blockquote cite="http://trac.networkupstools.org/projects/nut/changeset/3633">
<p>NUT server (upsd), from versions 2.4.0 to 2.6.3, is exposed to
crashes when receiving random data from the network.</p>
<p>This issue is related to the way NUT parses characters, especially
from the network. Non-printable characters were missed by string
operations (such as strlen), but still copied to the buffer, causing
an overflow.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2944</cvename>
<url>http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1027934.html</url>
<url>http://trac.networkupstools.org/projects/nut/changeset/3633</url>
</references>
<dates>
<discovery>2012-05-30</discovery>
<entry>2012-05-30</entry>
</dates>
</vuln>
<vuln vid="359f615d-a9e1-11e1-8a66-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><le>1.6.2.24</le></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.12.1</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Remote crash vulnerability in IAX2 channel driver.</p>
<p>Skinny Channel Driver Remote Crash Vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2947</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-007.html</url>
<cvename>CVE-2012-2948</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-008.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2012-05-29</discovery>
<entry>2012-05-29</entry>
<modified>2012-05-29</modified>
</dates>
</vuln>
<vuln vid="219d0bfd-a915-11e1-b519-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>19.0.1084.52</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[117409] High CVE-2011-3103: Crashes in v8 garbage collection.
Credit to the Chromium development community (Brett Wilson).</p>
<p>[118018] Medium CVE-2011-3104: Out-of-bounds read in Skia. Credit
to Google Chrome Security Team (Inferno).</p>
<p>[120912] High CVE-2011-3105: Use-after-free in first-letter
handling. Credit to miaubiz.</p>
<p>[122654] Critical CVE-2011-3106: Browser memory corruption with
websockets over SSL. Credit to the Chromium development community
(Dharani Govindan).</p>
<p>[124625] High CVE-2011-3107: Crashes in the plug-in JavaScript
bindings. Credit to the Chromium development community (Dharani
Govindan).</p>
<p>[125159] Critical CVE-2011-3108: Use-after-free in browser cache.
Credit to "efbiaiinzinz".</p>
<p>[Linux only] [126296] High CVE-2011-3109: Bad cast in GTK UI.
Credit to Micha Bartholome.</p>
<p>[126337] [126343] [126378] [127349] [127819] [127868] High
CVE-2011-3110: Out of bounds writes in PDF. Credit to Mateusz
Jurczyk of the Google Security Team, with contributions by Gynvael
Coldwind of the Google Security Team.</p>
<p>[126414] Medium CVE-2011-3111: Invalid read in v8. Credit to
Christian Holler.</p>
<p>[127331] High CVE-2011-3112: Use-after-free with invalid encrypted
PDF. Credit to Mateusz Jurczyk of the Google Security Team, with
contributions by Gynvael Coldwind of the Google Security Team.</p>
<p>[127883] High CVE-2011-3113: Invalid cast with colorspace handling
in PDF. Credit to Mateusz Jurczyk of the Google Security Team, with
contributions by Gynvael Coldwind of the Google Security Team.</p>
<p>[128014] High CVE-2011-3114: Buffer overflows with PDF functions.
Credit to Google Chrome Security Team (scarybeasts).</p>
<p>[128018] High CVE-2011-3115: Type corruption in v8. Credit to
Christian Holler.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3103</cvename>
<cvename>CVE-2011-3104</cvename>
<cvename>CVE-2011-3105</cvename>
<cvename>CVE-2011-3106</cvename>
<cvename>CVE-2011-3107</cvename>
<cvename>CVE-2011-3108</cvename>
<cvename>CVE-2011-3110</cvename>
<cvename>CVE-2011-3111</cvename>
<cvename>CVE-2011-3112</cvename>
<cvename>CVE-2011-3113</cvename>
<cvename>CVE-2011-3114</cvename>
<cvename>CVE-2011-3115</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-05-23</discovery>
<entry>2012-05-28</entry>
</dates>
</vuln>
<vuln vid="617959ce-a5f6-11e1-a284-0023ae8e59f0">
<topic>haproxy -- buffer overflow</topic>
<affects>
<package>
<name>haproxy</name>
<range><lt>1.4.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>HAProxy reports:</p>
<blockquote cite="http://haproxy.1wt.eu/news.html">
<p>A flaw was reported in HAProxy where, due to a boundary error
when copying data into the trash buffer, an external attacker could
cause a buffer overflow. Exploiting this flaw could lead to the
execution of arbitrary code; however, it requires non-default settings
for the global.tune.bufsize configuration option (must be set to a
value greater than the default), and also that header rewriting is
enabled (via, for example, the regrep or rsprep directives).
This flaw is reported against 1.4.20; prior versions may also be
affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2391</cvename>
<url>https://secunia.com/advisories/49261/</url>
<url>http://haproxy.1wt.eu/download/1.4/src/CHANGELOG</url>
<url>http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b</url>
<url>http://haproxy.1wt.eu/news.html</url>
</references>
<dates>
<discovery>2012-05-21</discovery>
<entry>2012-05-24</entry>
<modified>2012-05-29</modified>
</dates>
</vuln>
<vuln vid="e0a969e4-a512-11e1-90b4-e0cb4e266481">
<topic>RT -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>rt40</name>
<range><ge>4.0</ge><lt>4.0.6</lt></range>
</package>
<package>
<name>rt38</name>
<range><lt>3.8.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BestPractical reports:</p>
<blockquote cite="http://blog.bestpractical.com/2012/05/security-vulnerabilities-in-rt.html">
<p>Internal audits of the RT codebase have uncovered a
number of security vulnerabilities in RT. We are releasing
versions 3.8.12 and 4.0.6 to resolve these vulnerabilities,
as well as patches which apply atop all released versions of
3.8 and 4.0.</p>
<p>The vulnerabilities addressed by 3.8.12, 4.0.6, and the
below patches include the following:</p>
<p>The previously released tool to upgrade weak password
hashes as part of CVE-2011-0009 was an incomplete fix and
failed to upgrade passwords of disabled users.</p>
<p>RT versions 3.0 and above contain a number of cross-site
scripting (XSS) vulnerabilities which allow an attacker to
run JavaScript with the user's credentials. CVE-2011-2083 is
assigned to this vulnerability.</p>
<p>RT versions 3.0 and above are vulnerable to multiple
information disclosure vulnerabilities. This includes the
ability for privileged users to expose users' previous
password hashes -- this vulnerability is particularly
dangerous given RT's weak hashing previous to the fix in
CVE-2011-0009. A separate vulnerability allows privileged
users to obtain correspondence history for any ticket in
RT. CVE-2011-2084 is assigned to this vulnerability.</p>
<p>All publicly released versions of RT are vulnerable to
cross-site request forgery (CSRF). CVE-2011-2085 is assigned
to this vulnerability.</p>
<p>We have also added a separate configuration option
($RestrictLoginReferrer) to prevent login CSRF, a different
class of CSRF attack.</p>
<p>RT versions 3.6.1 and above are vulnerable to a remote
execution of code vulnerability if the optional VERP
configuration options ($VERPPrefix and $VERPDomain) are
enabled. RT 3.8.0 and higher are vulnerable to a limited
remote execution of code which can be leveraged for
privilege escalation. RT 4.0.0 and above contain a
vulnerability in the global $DisallowExecuteCode option,
allowing sufficiently privileged users to still execute code
even if RT was configured to not allow it. CVE-2011-4458 is
assigned to this set of vulnerabilities.</p>
<p>RT versions 3.0 and above may, under some circumstances,
still respect rights that a user only has by way of a
currently-disabled group. CVE-2011-4459 is assigned to this
vulnerability.</p>
<p>RT versions 2.0 and above are vulnerable to a SQL
injection attack, which allows privileged users to obtain
arbitrary information from the database. CVE-2011-4460 is
assigned to this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0009</cvename>
<cvename>CVE-2011-2082</cvename>
<cvename>CVE-2011-2083</cvename>
<cvename>CVE-2011-2084</cvename>
<cvename>CVE-2011-2085</cvename>
<cvename>CVE-2011-4458</cvename>
<cvename>CVE-2011-4459</cvename>
<cvename>CVE-2011-4460</cvename>
<url>http://blog.bestpractical.com/2012/05/security-vulnerabilities-in-rt.html</url>
</references>
<dates>
<discovery>2012-05-22</discovery>
<entry>2012-05-23</entry>
</dates>
</vuln>
<vuln vid="78c39232-a345-11e1-9d81-d0df9acfd7e5">
<topic>sympa -- Multiple Security Bypass Vulnerabilities</topic>
<affects>
<package>
<name>sympa</name>
<range><lt>6.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia team reports:</p>
<blockquote cite="http://secunia.com/advisories/49045/">
<p>Multiple vulnerabilities have been reported in Sympa, which can be
exploited by malicious people to bypass certain security
restrictions.</p>
<p>The vulnerabilities are caused due to the application allowing
access to archive functions without checking credentials. This can
be exploited to create, download, and delete an archive.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2352</cvename>
<url>http://secunia.com/advisories/49045/</url>
</references>
<dates>
<discovery>2012-05-14</discovery>
<entry>2012-05-21</entry>
</dates>
</vuln>
<vuln vid="495b46fd-a30f-11e1-82c9-d0df9acfd7e5">
<topic>foswiki -- Script Insertion Vulnerability via unchecked user registration fields</topic>
<affects>
<package>
<name>foswiki</name>
<range><lt>1.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Foswiki team reports:</p>
<blockquote cite="http://foswiki.org/Support/SecurityAlert-CVE-2012-1004">
<p>When a new user registers, the new user can add arbitrary HTML and
script code into the user topic which is generated by the
RegistrationAgent via standard registration fields such as
"FirstName" or "OrganisationName".</p>
<p>By design, Foswiki's normal editing features allow arbitrary HTML
markup, including script code, to be inserted into any topic anyway,
assuming the authenticated user has CHANGE permission - which is the
case on many Foswiki sites. However, the assumption that only
authenticated users with CHANGE permission may create script content
is false if new users exploit the vulnerability detailed in this
alert to manipulate the registration agent into creating that
content for them.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1004</cvename>
<url>http://foswiki.org/Support/SecurityAlert-CVE-2012-1004</url>
</references>
<dates>
<discovery>2012-04-13</discovery>
<entry>2012-05-21</entry>
</dates>
</vuln>
<vuln vid="b8ae4659-a0da-11e1-a294-bcaec565249c">
<topic>libxml2 -- An off-by-one out-of-bounds write by XPointer</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.7.8_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome team reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html">
<p>An off-by-one out-of-bounds write flaw was found in the way libxml, a library
for providing XML and HTML support, evaluated certain XPointer parts (XPointer
is used by libxml to include only the part from the returned XML document that
can be accessed using the XPath expression given with the XPointer). A remote
attacker could provide a specially-crafted XML file which, once opened in an
application linked against libxml, would lead to that application crashing or,
potentially, arbitrary code execution with the privileges of the user running
the application.</p>
<p>Note: The flaw to be exploited requires the particular application, linked
against libxml, to use the XPointer evaluation functionality.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3202</cvename>
<url>http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3102</url>
</references>
<dates>
<discovery>2012-05-15</discovery>
<entry>2012-05-18</entry>
</dates>
</vuln>
<vuln vid="f5f00804-a03b-11e1-a284-0023ae8e59f0">
<topic>inspircd -- buffer overflow</topic>
<affects>
<package>
<name>inspircd</name>
<range><ge>1.2</ge><lt>1.2.9</lt></range>
<range><ge>2.0</ge><lt>2.0.5_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>InspIRCd reports:</p>
<blockquote cite="http://inspircd.github.com/">
<p>InspIRCd contains a heap corruption vulnerability that exists in the
dns.cpp code. The res[] buffer is allocated on the heap and can be
overflowed. The res[] buffer can be exploited during its deallocation.
The number of overflowed bytes can be controlled with DNS compression
features.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1836</cvename>
<url>http://inspircd.github.com/</url>
</references>
<dates>
<discovery>2012-03-19</discovery>
<entry>2012-05-17</entry>
<modified>2012-06-21</modified>
</dates>
</vuln>
<vuln vid="aa71daaa-9f8c-11e1-bd0a-0082a0c18826">
<topic>pidgin-otr -- format string vulnerability</topic>
<affects>
<package>
<name>pidgin-otr</name>
<range><lt>3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The authors report:</p>
<blockquote cite="http://www.cypherpunks.ca/otr/">
<p>Versions 3.2.0 and earlier of the pidgin-otr plugin contain
a format string security flaw. This flaw could potentially be
exploited by a remote attacker to cause arbitrary code to be
executed on the user's machine.</p>
<p>The flaw is in pidgin-otr, not in libotr. Other applications
that use libotr are not affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2369</cvename>
<url>http://www.cypherpunks.ca/otr/</url>
</references>
<dates>
<discovery>2012-05-16</discovery>
<entry>2012-05-16</entry>
</dates>
</vuln>
<vuln vid="b3435b68-9ee8-11e1-997c-002354ed89bc">
<topic>sudo -- netmask vulnerability</topic>
<affects>
<package>
<name>sudo</name>
<range><le>1.8.4_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.sudo.ws/sudo/alerts/netmask.html">
<p>Sudo supports granting access to commands on a per-host basis.
The host specification may be in the form of a host name, a
netgroup, an IP address, or an IP network (an IP address with an
associated netmask).</p>
<p>When IPv6 support was added to sudo, a bug was introduced that
caused the IPv6 network matching code to be called when an IPv4
network address does not match. Depending on the value of the
uninitialized portion of the IPv6 address, it is possible for the
IPv4 network number to match when it should not. This bug only
affects IP network matching and does not affect simple IP address
matching.</p>
<p>The reported configuration that exhibited the bug was an
LDAP-based sudo installation where the sudoRole object contained
multiple sudoHost entries, each containing a different IPv4
network. File-based sudoers should be affected as well as the
same matching code is used.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2337</cvename>
<url>http://www.sudo.ws/sudo/alerts/netmask.html</url>
</references>
<dates>
<discovery>2012-05-16</discovery>
<entry>2012-05-16</entry>
</dates>
</vuln>
<vuln vid="dba5d1c9-9f29-11e1-b511-003067c2616f">
<topic>OpenSSL -- DTLS and TLS 1.1, 1.2 denial of service</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL security team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120510.txt">
<p>A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2333</cvename>
<url>http://www.openssl.org/news/secadv_20120510.txt</url>
</references>
<dates>
<discovery>2012-05-10</discovery>
<entry>2012-05-10</entry>
</dates>
</vuln>
<vuln vid="1449af37-9eba-11e1-b9c1-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>19.0.1084.46</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[112983] Low CVE-2011-3083: Browser crash with video + FTP. Credit
to Aki Helin of OUSPG.</p>
<p>[113496] Low CVE-2011-3084: Load links from internal pages in their
own process. Credit to Brett Wilson of the Chromium development
community.</p>
<p>[118374] Medium CVE-2011-3085: UI corruption with long autofilled
values. Credit to "psaldorn".</p>
<p>[118642] High CVE-2011-3086: Use-after-free with style element.
Credit to Arthur Gerkis.</p>
<p>[118664] Low CVE-2011-3087: Incorrect window navigation. Credit to
Charlie Reis of the Chromium development community.</p>
<p>[120648] Medium CVE-2011-3088: Out-of-bounds read in hairline
drawing. Credit to Aki Helin of OUSPG.</p>
<p>[120711] High CVE-2011-3089: Use-after-free in table handling.
Credit to miaubiz.</p>
<p>[121223] Medium CVE-2011-3090: Race condition with workers. Credit
to Arthur Gerkis.</p>
<p>[121734] High CVE-2011-3091: Use-after-free with indexed DB. Credit
to Google Chrome Security Team (Inferno).</p>
<p>[122337] High CVE-2011-3092: Invalid write in v8 regex. Credit to
Christian Holler.</p>
<p>[122585] Medium CVE-2011-3093: Out-of-bounds read in glyph
handling. Credit to miaubiz.</p>
<p>[122586] Medium CVE-2011-3094: Out-of-bounds read in Tibetan
handling. Credit to miaubiz.</p>
<p>[123481] High CVE-2011-3095: Out-of-bounds write in OGG container.
Credit to Hannu Heikkinen.</p>
<p>[Linux only] [123530] Low CVE-2011-3096: Use-after-free in GTK
omnibox handling. Credit to Arthur Gerkis.</p>
<p>[123733] [124182] High CVE-2011-3097: Out-of-bounds write in
sampled functions with PDF. Credit to Kostya Serebryany of Google
and Evgeniy Stepanov of Google.</p>
<p>[124479] High CVE-2011-3099: Use-after-free in PDF with corrupt
font encoding name. Credit to Mateusz Jurczyk of Google Security
Team and Gynvael Coldwind of Google Security Team.</p>
<p>[124652] Medium CVE-2011-3100: Out-of-bounds read drawing dash
paths. Credit to Google Chrome Security Team (Inferno).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3083</cvename>
<cvename>CVE-2011-3084</cvename>
<cvename>CVE-2011-3085</cvename>
<cvename>CVE-2011-3086</cvename>
<cvename>CVE-2011-3087</cvename>
<cvename>CVE-2011-3088</cvename>
<cvename>CVE-2011-3089</cvename>
<cvename>CVE-2011-3090</cvename>
<cvename>CVE-2011-3091</cvename>
<cvename>CVE-2011-3092</cvename>
<cvename>CVE-2011-3093</cvename>
<cvename>CVE-2011-3094</cvename>
<cvename>CVE-2011-3095</cvename>
<cvename>CVE-2011-3096</cvename>
<cvename>CVE-2011-3097</cvename>
<cvename>CVE-2011-3099</cvename>
<cvename>CVE-2011-3100</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-05-15</discovery>
<entry>2012-05-15</entry>
</dates>
</vuln>
<vuln vid="6601127c-9e09-11e1-b5e0-000c299b62e1">
<topic>socat -- Heap-based buffer overflow</topic>
<affects>
<package>
<name>socat</name>
<range><lt>1.7.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The socat development team reports:</p>
<blockquote cite="http://www.dest-unreach.org/socat/contrib/socat-secadv3.html">
<p>This vulnerability can be exploited when socat is invoked with the
READLINE address (this is usually only used interactively) without
option "prompt" and without option "noprompt" and an attacker succeeds
in providing malicious data to the other (arbitrary) address that is then
transferred by socat to the READLINE address for output.</p>
<p>Successful exploitation may allow an attacker to execute arbitrary
code with the privileges of the socat process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0219</cvename>
<url>http://www.dest-unreach.org/socat/contrib/socat-secadv3.html</url>
</references>
<dates>
<discovery>2012-05-14</discovery>
<entry>2012-05-14</entry>
</dates>
</vuln>
<vuln vid="59b68b1e-9c78-11e1-b5e0-000c299b62e1">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<range><gt>5.4</gt><lt>5.4.3</lt></range>
<range><lt>5.3.13</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.13</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Development Team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-05-08-1">
<p>The release of PHP 5.4.13 and 5.4.3 complete a fix for the
vulnerability in CGI-based setups as originally described in
CVE-2012-1823. (CVE-2012-2311)</p>
<p>Note: mod_php and php-fpm are not vulnerable to this attack.</p>
<p>PHP 5.4.3 fixes a buffer overflow vulnerability in the
apache_request_headers() (CVE-2012-2329).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1823</cvename>
<cvename>CVE-2012-2311</cvename>
<cvename>CVE-2012-2329</cvename>
</references>
<dates>
<discovery>2012-05-08</discovery>
<entry>2012-05-12</entry>
</dates>
</vuln>
<vuln vid="64f8b72d-9c4e-11e1-9c94-000bcdf0a03b">
<topic>libpurple -- Invalid memory dereference in the XMPP protocol plug-in by processing a series of specially-crafted file transfer requests</topic>
<affects>
<package>
<name>libpurple</name>
<range><lt>2.10.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pidgin reports:</p>
<blockquote cite="http://pidgin.im/news/security/?id=62">
<p>A series of specially crafted file transfer requests can cause clients to reference invalid memory. The user must have accepted one of the file transfer requests.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2214</cvename>
</references>
<dates>
<discovery>2012-05-06</discovery>
<entry>2012-05-12</entry>
</dates>
</vuln>
<vuln vid="0d3547ab-9b69-11e1-bdb1-525401003090">
<topic>PivotX -- 'ajaxhelper.php' Cross Site Scripting Vulnerability</topic>
<affects>
<package>
<name>pivotx</name>
<range><le>2.3.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>High-Tech Bridge reports:</p>
<blockquote cite="https://www.htbridge.com/advisory/HTB23087">
<p>Input passed via the "file" GET parameter to
/pivotx/ajaxhelper.php is not properly sanitised before
being returned to the user. This can be exploited to
execute arbitrary HTML and script code in an administrator's
browser session in the context of the affected website.</p>
</blockquote>
</body>
</description>
<references>
<bid>52159</bid>
<cvename>CVE-2012-2274</cvename>
<url>https://www.htbridge.com/advisory/HTB23087</url>
</references>
<dates>
<discovery>2012-05-09</discovery>
<entry>2012-05-12</entry>
<modified>2012-05-14</modified>
</dates>
</vuln>
<vuln vid="b91234e7-9a8b-11e1-b666-001636d274f3">
<topic>NVIDIA UNIX driver -- access to arbitrary system memory</topic>
<affects>
<package>
<name>nvidia-driver</name>
<range><gt>173.14.35_1</gt><lt>295.71</lt></range>
<range><gt>96.43.20_2</gt><lt>173.14.35</lt></range>
<range><gt>71.86.15_2</gt><lt>96.43.20_2</lt></range>
<range><lt>71.86.15_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVIDIA Unix security team reports:</p>
<blockquote cite="http://nvidia.custhelp.com/app/answers/detail/a_id/3109">
<p>Security vulnerability CVE-2012-0946 in the NVIDIA UNIX driver
was disclosed to NVIDIA on March 20th, 2012. The vulnerability
makes it possible for an attacker who has read and write access
to the GPU device nodes to reconfigure GPUs to gain access to
arbitrary system memory. NVIDIA is not aware of any reports of
this vulnerability, outside of the disclosure which was made
privately to NVIDIA.</p>
<p>NVIDIA has identified the root cause of the vulnerability and
has released updated drivers which close it. [NVIDIA encourages]
all users with Geforce 8 or newer, G80 Quadro or newer, and all
Tesla GPUs to update their drivers to 295.40 or later.</p>
</blockquote>
<p>Later, it was additionally discovered that a similar exploit could
be achieved through remapping of the VGA window:</p>
<blockquote cite="http://nvidia.custhelp.com/app/answers/detail/a_id/3140">
<p>NVIDIA received notification of a security exploit that uses
NVIDIA UNIX device files to map and program registers to redirect
the VGA window. Through the VGA window, the exploit can access
any region of physical system memory. This arbitrary memory
access can be further exploited, for example, to escalate user
privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0946</cvename>
<cvename>CVE-2012-4225</cvename>
</references>
<dates>
<discovery>2012-03-20</discovery>
<entry>2012-05-10</entry>
<modified>2012-09-12</modified>
</dates>
</vuln>
<vuln vid="3d55b961-9a2e-11e1-a2ef-001fd0af1a4c">
<topic>rubygem-mail -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-mail</name>
<range><lt>2.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>rubygem-mail -- multiple vulnerabilities</p>
<blockquote cite="http://seclists.org/oss-sec/2012/q2/190">
<p>Two issues were fixed. They are a file system traversal in file_delivery method and arbitrary command execution when using exim or sendmail from the command line.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2139</cvename>
<cvename>CVE-2012-2140</cvename>
<url>http://seclists.org/oss-sec/2012/q2/190</url>
</references>
<dates>
<discovery>2012-03-14</discovery>
<entry>2012-05-09</entry>
</dates>
</vuln>
<vuln vid="a1d0911f-987a-11e1-a2ef-001fd0af1a4c">
<topic>node -- private information disclosure</topic>
<affects>
<package>
<name>node</name>
<name>node-devel</name>
<range><lt>0.6.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Private information disclosure</p>
<blockquote cite="http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/">
<p>An attacker can cause private information disclosure.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/</url>
</references>
<dates>
<discovery>2012-04-17</discovery>
<entry>2012-05-07</entry>
</dates>
</vuln>
<vuln vid="725ab25a-987b-11e1-a2ef-001fd0af1a4c">
<topic>p5-Config-IniFiles -- unsafe temporary file creation</topic>
<affects>
<package>
<name>p5-Config-IniFiles</name>
<range><lt>2.71</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Unsafe Temporary file creation</p>
<blockquote cite="https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59">
<p>Config::IniFiles used a predictable name for its temporary
file without opening it correctly.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2451</cvename>
<url>https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59</url>
</references>
<dates>
<discovery>2012-05-02</discovery>
<entry>2012-05-07</entry>
</dates>
</vuln>
<vuln vid="60de13d5-95f0-11e1-806a-001143cd36d8">
<topic>php -- vulnerability in certain CGI-based setups</topic>
<affects>
<package>
<name>php5</name>
<range><gt>5.4</gt><lt>5.4.2</lt></range>
<range><lt>5.3.12</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.12</lt></range>
</package>
<package>
<name>php4</name>
<range><lt>4.4.10</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>php development team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-05-03-1">
<p>Security Enhancements and Fixes in PHP 5.3.12:</p>
<ul>
<li>Initial fix for cgi-bin ?-s cmdarg parse issue
(CVE-2012-1823)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1823</cvename>
</references>
<dates>
<discovery>2012-05-03</discovery>
<entry>2012-05-05</entry>
</dates>
</vuln>
<vuln vid="18dffa02-946a-11e1-be9d-000c29cc39d3">
<topic>WebCalendar -- multiple vulnerabilities</topic>
<affects>
<package>
<name>WebCalendar-devel</name>
<range><le>1.2.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hanno Boeck reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2012/04/28/1">
<p>Fixes [are now available] for various security vulnerabilities
including LFI (local file inclusion), XSS (cross site scripting)
and others.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1495</cvename>
<cvename>CVE-2012-1496</cvename>
<url>http://packetstormsecurity.org/files/112332/WebCalendar-1.2.4-Remote-Code-Execution.html</url>
<url>http://packetstormsecurity.org/files/112323/WebCalendar-1.2.4-Pre-Auth-Remote-Code-Injection.html</url>
<url>http://archives.neohapsis.com/archives/bugtraq/2012-04/0182.html</url>
</references>
<dates>
<discovery>2012-04-28</discovery>
<entry>2012-05-02</entry>
</dates>
</vuln>
<vuln vid="94c0ac4f-9388-11e1-b242-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>18.0.1025.168</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[106413] High CVE-2011-3078: Use after free in floats handling.
Credit to Google Chrome Security Team (Marty Barbella) and
independent later discovery by miaubiz.</p>
<p>[117627] Medium CVE-2011-3079: IPC validation failure. Credit to
PinkiePie.</p>
<p>[121726] Medium CVE-2011-3080: Race condition in sandbox IPC.
Credit to Willem Pinckaers of Matasano.</p>
<p>[121899] High CVE-2011-3081: Use after free in floats handling.
Credit to miaubiz.</p>
<p>[117110] High CVE-2012-1521: Use after free in xml parser. Credit
to Google Chrome Security Team (SkyLined) and independent later
discovery by wushi of team509 reported through iDefense VCP
(V-874rcfpq7z).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3078</cvename>
<cvename>CVE-2011-3079</cvename>
<cvename>CVE-2011-3080</cvename>
<cvename>CVE-2011-3081</cvename>
<cvename>CVE-2012-1521</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-04-30</discovery>
<entry>2012-05-01</entry>
</dates>
</vuln>
<vuln vid="2cde1892-913e-11e1-b44c-001fd0af1a4c">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php53</name>
<range><lt>5.3.11</lt></range>
</package>
<package>
<name>php5</name>
<range><lt>5.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>php development team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-04-26-1">
<p>Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:</p>
<ul>
<li>Insufficient validation of upload name leading to corrupted $_FILES indices. (CVE-2012-1172)</li>
<li>Add open_basedir checks to readline_write_history and readline_read_history.</li>
</ul>
<p>Security Enhancements for PHP 5.3.11 only:</p>
<ul>
<li>Regression in magic_quotes_gpc fix for CVE-2012-0831.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0831</cvename>
<cvename>CVE-2012-1172</cvename>
<url>http://www.php.net/archive/2012.php#id2012-04-26-1</url>
</references>
<dates>
<discovery>2012-03-01</discovery>
<entry>2012-04-28</entry>
<modified>2012-05-04</modified>
</dates>
</vuln>
<vuln vid="0fa15e08-92ec-11e1-a94a-00215c6a37bb">
<topic>samba -- incorrect permission checks vulnerability</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>3.4.*</gt><lt>3.4.17</lt></range>
</package>
<package>
<name>samba35</name>
<range><gt>3.5.*</gt><lt>3.5.15</lt></range>
</package>
<package>
<name>samba36</name>
<range><gt>3.6.*</gt><lt>3.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba project reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2012-2111">
<p>Samba versions 3.4.x to 3.6.4 inclusive are affected
by a vulnerability that allows arbitrary users to modify
privileges on a file server.</p>
<p>Security checks were incorrectly applied to the Local
Security Authority (LSA) remote procedure calls (RPC)
CreateAccount, OpenAccount, AddAccountRights and
RemoveAccountRights allowing any authenticated user
to modify the privileges database.</p>
<p>This is a serious error, as it means that authenticated
users can connect to the LSA and grant themselves the
"take ownership" privilege. This privilege is used by the
smbd file server to grant the ability to change ownership
of a file or directory which means users could take ownership
of files or directories they do not own.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2111</cvename>
</references>
<dates>
<discovery>2012-04-30</discovery>
<entry>2012-04-30</entry>
</dates>
</vuln>
<vuln vid="b428e6b3-926c-11e1-8d7b-003067b2972c">
<topic>portupgrade-devel -- lack of distfile checksums</topic>
<affects>
<package>
<name>portupgrade-devel</name>
<range><lt>0,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ports security team reports:</p>
<p>The portupgrade-devel port fetched directly from a git
repository without checking against a known good
SHA hash. This means that it is possible that packages
built using this port may not match the one vetted
by the maintainer. Users are advised to rebuild
portupgrade-devel from known good sources.</p>
</body>
</description>
<references>
<mlist>http://web.archiveorange.com/archive/v/6ETvLYPz7CfFT9tiHKiI</mlist>
<mlist>http://www.freebsd.org/cgi/getmsg.cgi?fetch=100677+0+/usr/local/www/db/text/2012/cvs-ports/20120506.cvs-ports</mlist>
</references>
<dates>
<discovery>2012-04-30</discovery>
<entry>2012-04-30</entry>
<modified>2012-05-06</modified>
</dates>
</vuln>
<vuln vid="5d85976a-9011-11e1-b5e0-000c299b62e1">
<topic>net-snmp -- Remote DoS</topic>
<affects>
<package>
<name>net-snmp</name>
<range><lt>5.7.1_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Red Hat Security Response Team reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=815813">
<p>An array index error, leading to an out-of-bounds heap-based buffer read flaw, was
found in the way the net-snmp agent performed lookups in the
extension table. When certain MIB subtrees were handled by the
extend directive, a remote attacker (having read privileges to the
subtree) could use this flaw to cause a denial of service condition
via an SNMP GET request involving a non-existent extension table
entry.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2141</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=815813</url>
<url>http://www.openwall.com/lists/oss-security/2012/04/26/2</url>
</references>
<dates>
<discovery>2012-04-26</discovery>
<entry>2012-04-27</entry>
</dates>
</vuln>
<vuln vid="380e8c56-8e32-11e1-9580-4061862b8c22">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>12.0,1</lt></range>
<range><lt>10.0.4,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.4,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.9</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.4</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.9</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>12.0</lt></range>
<range><lt>10.0.4</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)</p>
<p>MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9</p>
<p>MFSA 2012-22 use-after-free in IDBKeyRange</p>
<p>MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface</p>
<p>MFSA 2012-24 Potential XSS via multibyte content processing errors</p>
<p>MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite</p>
<p>MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error</p>
<p>MFSA 2012-27 Page load short-circuit can lead to XSS</p>
<p>MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions</p>
<p>MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues</p>
<p>MFSA 2012-30 Crash with WebGL content using textImage2D</p>
<p>MFSA 2012-31 Off-by-one error in OpenType Sanitizer</p>
<p>MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors</p>
<p>MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1187</cvename>
<cvename>CVE-2011-3062</cvename>
<cvename>CVE-2012-0467</cvename>
<cvename>CVE-2012-0468</cvename>
<cvename>CVE-2012-0469</cvename>
<cvename>CVE-2012-0470</cvename>
<cvename>CVE-2012-0471</cvename>
<cvename>CVE-2012-0472</cvename>
<cvename>CVE-2012-0473</cvename>
<cvename>CVE-2012-0474</cvename>
<cvename>CVE-2012-0475</cvename>
<cvename>CVE-2012-0477</cvename>
<cvename>CVE-2012-0478</cvename>
<cvename>CVE-2012-0479</cvename>
<cvename>CVE-2012-1126</cvename>
<cvename>CVE-2012-1127</cvename>
<cvename>CVE-2012-1128</cvename>
<cvename>CVE-2012-1129</cvename>
<cvename>CVE-2012-1130</cvename>
<cvename>CVE-2012-1131</cvename>
<cvename>CVE-2012-1132</cvename>
<cvename>CVE-2012-1133</cvename>
<cvename>CVE-2012-1134</cvename>
<cvename>CVE-2012-1135</cvename>
<cvename>CVE-2012-1136</cvename>
<cvename>CVE-2012-1137</cvename>
<cvename>CVE-2012-1138</cvename>
<cvename>CVE-2012-1139</cvename>
<cvename>CVE-2012-1140</cvename>
<cvename>CVE-2012-1141</cvename>
<cvename>CVE-2012-1142</cvename>
<cvename>CVE-2012-1143</cvename>
<cvename>CVE-2012-1144</cvename>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-20.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-21.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-22.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-23.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-24.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-25.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-26.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-27.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-28.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-29.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-30.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-31.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-32.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-33.html</url>
</references>
<dates>
<discovery>2012-04-24</discovery>
<entry>2012-04-24</entry>
</dates>
</vuln>
<vuln vid="a04247f1-8d9c-11e1-93c7-00215c6a37bb">
<topic>Dokuwiki -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20120125_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Andy Webber reports:</p>
<blockquote cite="http://bugs.dokuwiki.org/index.php?do=details&amp;task_id=2487">
<p>Add User appears to be vulnerable to Cross Site Request Forgery (CSRF/XSRF).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2128</cvename>
<cvename>CVE-2012-2129</cvename>
</references>
<dates>
<discovery>2012-04-17</discovery>
<entry>2012-04-23</entry>
</dates>
</vuln>
<vuln vid="1c5abbe2-8d7f-11e1-a374-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.24</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.11.1</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Remote Crash Vulnerability in SIP Channel Driver</p>
<p>Heap Buffer Overflow in Skinny Channel Driver</p>
<p>Asterisk Manager User Unauthorized Shell Access</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.digium.com/pub/security/AST-2012-004.html</url>
<cvename>CVE-2012-2414</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-005.html</url>
<cvename>CVE-2012-2415</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-006.html</url>
<cvename>CVE-2012-2416</cvename>
</references>
<dates>
<discovery>2012-04-23</discovery>
<entry>2012-04-23</entry>
</dates>
</vuln>
<vuln vid="b384cc5b-8d56-11e1-8d7b-003067b2972c">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.3.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wordpress reports:</p>
<blockquote cite="https://codex.wordpress.org/Version_3.3.2">
<p>External code has been updated to
non-vulnerable versions.
In addition the following bugs have been fixed:</p>
<ul>
<li>Limited privilege escalation where a site administrator could
deactivate network-wide plugins when running a WordPress network under
particular circumstances.</li>
<li>Cross-site scripting vulnerability when making URLs
clickable.</li>
<li>Cross-site scripting vulnerabilities in redirects after posting
comments in older browsers, and when filtering URLs.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2399</cvename>
<cvename>CVE-2012-2400</cvename>
<cvename>CVE-2012-2401</cvename>
<cvename>CVE-2012-2402</cvename>
<cvename>CVE-2012-2403</cvename>
<cvename>CVE-2012-2404</cvename>
<url>https://codex.wordpress.org/Version_3.3.2</url>
</references>
<dates>
<discovery>2012-04-20</discovery>
<entry>2012-04-23</entry>
</dates>
</vuln>
<vuln vid="7184f92e-8bb8-11e1-8d7b-003067b2972c">
<topic>OpenSSL -- integer conversions result in memory corruption</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL security team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120419.txt">
<p>A potentially exploitable vulnerability has been discovered in the OpenSSL
function asn1_d2i_read_bio.
Any application which uses BIO or FILE based functions to read untrusted DER
format data is vulnerable. Affected functions are of the form d2i_*_bio or
d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2110</cvename>
<mlist msgid="20120419103522.GN30784@cmpxchg8b.com">http://marc.info/?l=full-disclosure&amp;m=133483221408243</mlist>
<url>http://www.openssl.org/news/secadv_20120419.txt</url>
</references>
<dates>
<discovery>2012-04-19</discovery>
<entry>2012-04-21</entry>
</dates>
</vuln>
<vuln vid="09c87973-8b9d-11e1-b393-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>3.6.0</ge><lt>3.6.9</lt></range>
<range><ge>4.0.0</ge><lt>4.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.6.8/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<h1>Unauthorized Access</h1>
<p>Due to a lack of proper validation of the X-FORWARDED-FOR
header of an authentication request, an attacker could bypass
the current lockout policy used for protection against brute-
force password discovery. This vulnerability can only be
exploited if the 'inbound_proxies' parameter is set.</p>
<h1>Cross Site Scripting</h1>
<p>A JavaScript template used by buglist.cgi could be used
by a malicious script to permit an attacker to gain access
to some information about bugs he would not normally be
allowed to see, using the victim's credentials. To be
exploitable, the victim must be logged in when visiting
the attacker's malicious page.</p>
<p>All affected installations are encouraged to upgrade as soon
as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0465</cvename>
<cvename>CVE-2012-0466</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=728639</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=745397</url>
</references>
<dates>
<discovery>2012-04-18</discovery>
<entry>2012-04-21</entry>
</dates>
</vuln>
<vuln vid="67516177-88ec-11e1-9a10-0023ae8e59f0">
<topic>typo3 -- Cross-Site Scripting</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.6.0</ge><le>4.6.7</le></range>
<range><ge>4.5.0</ge><le>4.5.14</le></range>
<range><ge>4.4.0</ge><le>4.4.14</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TYPO3 Security Team reports:</p>
<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/">
<p>Failing to properly encode the output, the default TYPO3
Exception Handler is susceptible to Cross-Site Scripting. We
are not aware of a possibility to exploit this vulnerability
without third party extensions being installed that put user
input in exception messages. However, it has come to our
attention that extensions using the extbase MVC framework can
be used to exploit this vulnerability if these extensions
accept objects in controller actions.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2112</cvename>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/</url>
</references>
<dates>
<discovery>2012-04-17</discovery>
<entry>2012-04-18</entry>
</dates>
</vuln>
<vuln vid="0c14dfa7-879e-11e1-a2a0-00500802d8f7">
<topic>nginx -- Buffer overflow in the ngx_http_mp4_module</topic>
<affects>
<package>
<name>nginx</name>
<range><lt>1.0.15</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><lt>1.1.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The nginx project reports:</p>
<blockquote cite="http://nginx.org/en/security_advisories.html">
<p>Buffer overflow in the ngx_http_mp4_module</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2089</cvename>
<url>http://nginx.org/en/security_advisories.html</url>
</references>
<dates>
<discovery>2012-04-12</discovery>
<entry>2012-04-16</entry>
</dates>
</vuln>
<vuln vid="c80a3d93-8632-11e1-a374-14dae9ebcf89">
<topic>phpmyfaq -- Remote PHP Code Execution Vulnerability</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.7.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ project reports:</p>
<blockquote cite="http://www.phpmyfaq.de/advisory_2011-10-25.php">
<p>The bundled ImageManager library allows injection of arbitrary
PHP code to execute arbitrary PHP code and upload malware and
trojan horses.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyfaq.de/advisory_2012-04-14.php</url>
</references>
<dates>
<discovery>2012-04-14</discovery>
<entry>2012-04-14</entry>
</dates>
</vuln>
<vuln vid="607d2108-a0e4-423a-bf78-846f2a8f01b0">
<topic>puppet -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>puppet</name>
<range><lt>2.7.12_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://puppetlabs.com/security/">
<p>Multiple vulnerabilities exist in puppet that can result in
arbitrary code execution, arbitrary file read access, denial of
service, and arbitrary file write access. Please review the
details in each of the CVEs for additional information.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1906</cvename>
<cvename>CVE-2012-1986</cvename>
<cvename>CVE-2012-1987</cvename>
<cvename>CVE-2012-1988</cvename>
<cvename>CVE-2012-1989</cvename>
<url>http://puppetlabs.com/security/cve/cve-2012-1906/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1986/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1987/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1988/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1989/</url>
</references>
<dates>
<discovery>2012-03-26</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="baf37cd2-8351-11e1-894e-00215c6a37bb">
<topic>samba -- "root" credential remote code execution</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>3.4.*</gt><lt>3.4.16</lt></range>
</package>
<package>
<name>samba35</name>
<range><gt>3.5.*</gt><lt>3.5.14</lt></range>
</package>
<package>
<name>samba36</name>
<range><gt>3.6.*</gt><lt>3.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba development team reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2012-1182">
<p>Samba versions 3.6.3 and all versions previous to this
are affected by a vulnerability that allows remote code
execution as the "root" user from an anonymous connection.</p>
<p>As this does not require an authenticated connection it
is the most serious vulnerability possible in a program,
and users and vendors are encouraged to patch their Samba
installations immediately.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1182</cvename>
</references>
<dates>
<discovery>2012-04-10</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="7f448dc1-82ca-11e1-b393-20cf30e32f6d">
<topic>bugzilla -- Cross-Site Request Forgery</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>4.0.0</ge><lt>4.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/4.0.4/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<ul>
<li>Due to a lack of validation of the enctype form attribute
when making POST requests to xmlrpc.cgi, a possible CSRF
vulnerability was discovered. If a user visits an HTML page
with some malicious HTML code in it, an attacker could make
changes to a remote Bugzilla installation on behalf of the
victim's account by using the XML-RPC API on a site running
mod_perl. Sites running under mod_cgi are not affected.
Also, the user would have had to be already logged in to the
target site for the vulnerability to work.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon
as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0453</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=725663</url>
</references>
<dates>
<discovery>2012-02-22</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="20923a0d-82ba-11e1-8d7b-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.228</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-07.html">
<p>Multiple Priority 2 vulnerabilities could cause a crash and
potentially allow an attacker to take control of the affected
system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0724</cvename>
<cvename>CVE-2012-0725</cvename>
<cvename>CVE-2012-0772</cvename>
<cvename>CVE-2012-0773</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-07.html</url>
</references>
<dates>
<discovery>2012-04-05</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="262b92fe-81c8-11e1-8899-001ec9578670">
<topic>png -- memory corruption/possible remote code execution</topic>
<affects>
<package>
<name>png</name>
<range><lt>1.4.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PNG project reports:</p>
<blockquote cite="http://www.libpng.org/pub/png/libpng.html">
<p>libpng fails to correctly handle malloc() failures for text
chunks (in png_set_text_2()), which can lead to memory
corruption and the possibility of remote code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3048</cvename>
<url>http://www.libpng.org/pub/png/libpng.html</url>
</references>
<dates>
<discovery>2012-03-29</discovery>
<entry>2012-04-08</entry>
</dates>
</vuln>
<vuln vid="462e2d6c-8017-11e1-a571-bcaec565249c">
<topic>freetype -- multiple vulnerabilities</topic>
<affects>
<package>
<name>freetype2</name>
<range><lt>2.4.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The FreeType project reports:</p>
<blockquote cite="https://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view">
<p>Multiple vulnerabilities exist in freetype that can result in
application crashes and remote code execution. Please review
the details in each of the CVEs for additional information.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1126</cvename>
<cvename>CVE-2012-1127</cvename>
<cvename>CVE-2012-1128</cvename>
<cvename>CVE-2012-1129</cvename>
<cvename>CVE-2012-1130</cvename>
<cvename>CVE-2012-1131</cvename>
<cvename>CVE-2012-1132</cvename>
<cvename>CVE-2012-1133</cvename>
<cvename>CVE-2012-1134</cvename>
<cvename>CVE-2012-1135</cvename>
<cvename>CVE-2012-1136</cvename>
<cvename>CVE-2012-1137</cvename>
<cvename>CVE-2012-1138</cvename>
<cvename>CVE-2012-1139</cvename>
<cvename>CVE-2012-1140</cvename>
<cvename>CVE-2012-1141</cvename>
<cvename>CVE-2012-1142</cvename>
<cvename>CVE-2012-1143</cvename>
<cvename>CVE-2012-1144</cvename>
<url>https://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=806270</url>
</references>
<dates>
<discovery>2012-03-08</discovery>
<entry>2012-04-06</entry>
</dates>
</vuln>
<vuln vid="49314321-7fd4-11e1-9582-001b2134ef46">
<topic>mutt-devel -- failure to check SMTP TLS server certificate</topic>
<affects>
<package>
<name>mutt-devel</name>
<range><lt>1.5.21_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dave B reports on Full Disclosure:</p>
<blockquote cite="http://seclists.org/fulldisclosure/2011/Mar/87">
<p>It seems that mutt fails to check the validity of an SMTP
server's certificate during a TLS connection. [...]
This means that an attacker could potentially MITM a
mutt user connecting to their SMTP server even when the
user has forced a TLS connection.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1429</cvename>
<url>http://seclists.org/fulldisclosure/2011/Mar/87</url>
</references>
<dates>
<discovery>2012-03-08</discovery>
<entry>2012-04-06</entry>
</dates>
</vuln>
<vuln vid="057130e6-7f61-11e1-8a43-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>18.0.1025.151</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[106577] Medium CVE-2011-3066: Out-of-bounds read in Skia clipping. Credit to miaubiz.</p>
<p>[117583] Medium CVE-2011-3067: Cross-origin iframe replacement.
Credit to Sergey Glazunov.</p>
<p>[117698] High CVE-2011-3068: Use-after-free in run-in handling.
Credit to miaubiz.</p>
<p>[117728] High CVE-2011-3069: Use-after-free in line box handling.
Credit to miaubiz.</p>
<p>[118185] High CVE-2011-3070: Use-after-free in v8 bindings. Credit
to Google Chrome Security Team (SkyLined).</p>
<p>[118273] High CVE-2011-3071: Use-after-free in HTMLMediaElement.
Credit to pa_kt, reporting through HP TippingPoint ZDI
(ZDI-CAN-1528).</p>
<p>[118467] Low CVE-2011-3072: Cross-origin violation parenting pop-up
window. Credit to Sergey Glazunov.</p>
<p>[118593] High CVE-2011-3073: Use-after-free in SVG resource
handling. Credit to Arthur Gerkis.</p>
<p>[119281] Medium CVE-2011-3074: Use-after-free in media handling.
Credit to Slawomir Blazek.</p>
<p>[119525] High CVE-2011-3075: Use-after-free applying style command.
Credit to miaubiz.</p>
<p>[120037] High CVE-2011-3076: Use-after-free in focus handling.
Credit to miaubiz.</p>
<p>[120189] Medium CVE-2011-3077: Read-after-free in script bindings.
Credit to Google Chrome Security Team (Inferno).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3066</cvename>
<cvename>CVE-2011-3067</cvename>
<cvename>CVE-2011-3068</cvename>
<cvename>CVE-2011-3069</cvename>
<cvename>CVE-2011-3070</cvename>
<cvename>CVE-2011-3071</cvename>
<cvename>CVE-2011-3072</cvename>
<cvename>CVE-2011-3073</cvename>
<cvename>CVE-2011-3074</cvename>
<cvename>CVE-2011-3075</cvename>
<cvename>CVE-2011-3076</cvename>
<cvename>CVE-2011-3077</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-04-05</discovery>
<entry>2012-04-05</entry>
</dates>
</vuln>
<vuln vid="7289214f-7c55-11e1-ab3b-000bcdf0a03b">
<topic>libpurple -- Remote DoS via an MSN OIM message that lacks UTF-8 encoding</topic>
<affects>
<package>
<name>libpurple</name>
<range><lt>2.10.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1178">
<p>The msn_oim_report_to_user function in oim.c in the MSN protocol
plugin in libpurple in Pidgin before 2.10.2 allows remote servers
to cause a denial of service (application crash) via an OIM message
that lacks UTF-8 encoding.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1178</cvename>
</references>
<dates>
<discovery>2012-03-15</discovery>
<entry>2012-04-01</entry>
</dates>
</vuln>
<vuln vid="a81161d2-790f-11e1-ac16-e0cb4e266481">
<topic>phpMyAdmin -- Path disclosure due to missing verification of file presence</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.10.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php">
<p>The show_config_errors.php script did not validate the presence
of the configuration file, so an error message shows the full path
of this file, leading to possible further attacks. For the error
messages to be displayed, php.ini's error_reporting must be set to
E_ALL and display_errors must be On (these settings are not
recommended on a production server in the PHP manual).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1902</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php</url>
</references>
<dates>
<discovery>2012-03-28</discovery>
<entry>2012-03-28</entry>
</dates>
</vuln>
<vuln vid="b8f0a391-7910-11e1-8a43-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>18.0.1025.142</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[109574] Medium CVE-2011-3058: Bad interaction possibly leading to
XSS in EUC-JP. Credit to Masato Kinugawa.</p>
<p>[112317] Medium CVE-2011-3059: Out-of-bounds read in SVG text
handling. Credit to Arthur Gerkis.</p>
<p>[114056] Medium CVE-2011-3060: Out-of-bounds read in text fragment
handling. Credit to miaubiz.</p>
<p>[116398] Medium CVE-2011-3061: SPDY proxy certificate checking
error. Credit to Leonidas Kontothanassis of Google.</p>
<p>[116524] High CVE-2011-3062: Off-by-one in OpenType Sanitizer.
Credit to Mateusz Jurczyk of the Google Security Team.</p>
<p>[117417] Low CVE-2011-3063: Validate navigation requests from the
renderer more carefully. Credit to kuzzcc, Sergey Glazunov,
PinkiePie and scarybeasts (Google Chrome Security Team).</p>
<p>[117471] High CVE-2011-3064: Use-after-free in SVG clipping. Credit to Atte Kettunen of OUSPG.</p>
<p>[117588] High CVE-2011-3065: Memory corruption in Skia. Credit to
Omair.</p>
<p>[117794] Medium CVE-2011-3057: Invalid read in v8. Credit to
Christian Holler.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3057</cvename>
<cvename>CVE-2011-3058</cvename>
<cvename>CVE-2011-3059</cvename>
<cvename>CVE-2011-3060</cvename>
<cvename>CVE-2011-3061</cvename>
<cvename>CVE-2011-3062</cvename>
<cvename>CVE-2011-3063</cvename>
<cvename>CVE-2011-3064</cvename>
<cvename>CVE-2011-3065</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-03-28</discovery>
<entry>2012-03-28</entry>
</dates>
</vuln>
<vuln vid="60f81af3-7690-11e1-9423-00235a5f2c9a">
<topic>raptor/raptor2 -- XXE in RDF/XML File Interpretation</topic>
<affects>
<package>
<name>raptor2</name>
<range><lt>2.0.7</lt></range>
</package>
<package>
<name>raptor</name>
<range><lt>1.4.21_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Timothy D. Morgan reports:</p>
<blockquote cite="http://www.vsecurity.com/resources/advisory/20120324-1/">
<p>In December 2011, VSR identified a vulnerability in multiple open
source office products (including OpenOffice, LibreOffice, KOffice,
and AbiWord) due to unsafe interpretation of XML files with custom
entity declarations. Deeper analysis revealed that the
vulnerability was caused by acceptance of external entities by the
libraptor library, which is used by librdf and is in turn used by
these office products.</p>
<p>In the context of office applications, these vulnerabilities could
allow for XML External Entity (XXE) attacks resulting in file theft
and a loss of user privacy when opening potentially malicious ODF
documents. For other applications which depend on librdf or
libraptor, potentially serious consequences could result from
accepting RDF/XML content from untrusted sources, though the impact
may vary widely depending on the context.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0037</cvename>
<url>http://seclists.org/fulldisclosure/2012/Mar/281</url>
<url>http://www.vsecurity.com/resources/advisory/20120324-1/</url>
</references>
<dates>
<discovery>2012-03-24</discovery>
<entry>2012-03-25</entry>
</dates>
</vuln>
<vuln vid="42a2c82a-75b9-11e1-89b4-001ec9578670">
<topic>quagga -- multiple vulnerabilities</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.20.1</lt></range>
</package>
<package>
<name>quagga-re</name>
<range><lt>0.99.17.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/551715">
<p>The ospfd implementation of OSPF in Quagga allows a remote
attacker (on a local network segment with OSPF enabled) to cause
a denial of service (daemon aborts due to an assert) with a
malformed OSPF LS-Update message.</p>
<p>The ospfd implementation of OSPF in Quagga allows a remote
attacker (on a local network segment with OSPF enabled) to cause
a denial of service (daemon crash) with a malformed OSPF Network-
LSA message.</p>
<p>The bgpd implementation of BGP in Quagga allows remote attackers
to cause a denial of service (daemon aborts due to an assert) via
BGP Open message with an invalid AS4 capability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0249</cvename>
<cvename>CVE-2012-0250</cvename>
<cvename>CVE-2012-0255</cvename>
<url>http://www.kb.cert.org/vuls/id/551715</url>
</references>
<dates>
<discovery>2012-03-23</discovery>
<entry>2012-03-24</entry>
<modified>2012-03-26</modified>
</dates>
</vuln>
<vuln vid="acab2f88-7490-11e1-865f-00e0814cab4e">
<topic>Apache Traffic Server -- heap overflow vulnerability</topic>
<affects>
<package>
<name>trafficserver</name>
<range><lt>3.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT-FI reports:</p>
<blockquote cite="https://www.cert.fi/en/reports/2012/vulnerability612884.html">
<p>A heap overflow vulnerability has been found in the HTTP
(Hypertext Transfer Protocol) protocol handling of Apache
Traffic Server. The vulnerability allows an attacker to cause
a denial of service or potentially to execute his own code by
sending a specially modified HTTP message to an affected
server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0256</cvename>
</references>
<dates>
<discovery>2012-03-22</discovery>
<entry>2012-03-24</entry>
</dates>
</vuln>
<vuln vid="330106da-7406-11e1-a1d7-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.83</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[113902] High CVE-2011-3050: Use-after-free with first-letter
handling. Credit to miaubiz.</p>
<p>[116162] High CVE-2011-3045: libpng integer issue from upstream.
Credit to Glenn Randers-Pehrson of the libpng project.</p>
<p>[116461] High CVE-2011-3051: Use-after-free in CSS cross-fade
handling. Credit to Arthur Gerkis.</p>
<p>[116637] High CVE-2011-3052: Memory corruption in WebGL canvas
handling. Credit to Ben Vanik of Google.</p>
<p>[116746] High CVE-2011-3053: Use-after-free in block splitting.
Credit to miaubiz.</p>
<p>[117418] Low CVE-2011-3054: Apply additional isolations to webui
privileges. Credit to Sergey Glazunov.</p>
<p>[117736] Low CVE-2011-3055: Prompt in the browser native UI for
unpacked extension installation. Credit to PinkiePie.</p>
<p>[117550] High CVE-2011-3056: Cross-origin violation with "magic
iframe". Credit to Sergey Glazunov.</p>
<p>[117794] Medium CVE-2011-3057: Invalid read in v8. Credit to
Christian Holler.</p>
<p>[108648] Low CVE-2011-3049: Extension web request API can
interfere with system requests. Credit to Michael Gundlach.
Fixed in an earlier release.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3045</cvename>
<cvename>CVE-2011-3049</cvename>
<cvename>CVE-2011-3050</cvename>
<cvename>CVE-2011-3051</cvename>
<cvename>CVE-2011-3052</cvename>
<cvename>CVE-2011-3053</cvename>
<cvename>CVE-2011-3054</cvename>
<cvename>CVE-2011-3055</cvename>
<cvename>CVE-2011-3056</cvename>
<cvename>CVE-2011-3057</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-03-21</discovery>
<entry>2012-03-22</entry>
</dates>
</vuln>
<vuln vid="2e7e9072-73a0-11e1-a883-001cc0a36e12">
<topic>libtasn1 -- ASN.1 length decoding vulnerability</topic>
<affects>
<package>
<name>libtasn1</name>
<range><lt>2.12</lt></range>
</package>
<package>
<name>gnutls</name>
<range><lt>2.12.18</lt></range>
</package>
<package>
<name>gnutls-devel</name>
<range><gt>2.99</gt><lt>3.0.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mu Dynamics, Inc. reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5959">
<p>Various functions using the ASN.1 length decoding logic in
Libtasn1 were incorrectly assuming that the return value from
asn1_get_length_der is always less than the length of the
enclosing ASN.1 structure, which is only true for valid
structures and not for intentionally corrupt or otherwise
buggy structures.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1569</cvename>
</references>
<dates>
<discovery>2012-03-20</discovery>
<entry>2012-03-21</entry>
<modified>2012-03-24</modified>
</dates>
</vuln>
<vuln vid="aecee357-739e-11e1-a883-001cc0a36e12">
<topic>gnutls -- possible overflow/Denial of service vulnerabilities</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>2.12.18</lt></range>
</package>
<package>
<name>gnutls-devel</name>
<range><gt>2.99</gt><lt>3.0.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mu Dynamics, Inc. reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5959">
<p>The block cipher decryption logic in GnuTLS assumed that a
record containing any data which was a multiple of the block
size was valid for further decryption processing, leading to
a heap corruption vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1573</cvename>
</references>
<dates>
<discovery>2012-03-20</discovery>
<entry>2012-03-21</entry>
<modified>2012-03-24</modified>
</dates>
</vuln>
<vuln vid="0d530174-6eef-11e1-afd6-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.44</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.23</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.10.1</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Stack Buffer Overflow in HTTP Manager</p>
<p>Remote Crash Vulnerability in Milliwatt Application</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2012-002.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2012-003.html</url>
</references>
<dates>
<discovery>2012-03-15</discovery>
<entry>2012-03-15</entry>
</dates>
</vuln>
<vuln vid="60eb344e-6eb1-11e1-8ad7-00e0815b8da8">
<topic>OpenSSL -- CMS and S/MIME Bleichenbacher attack</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL Team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120312.txt">
<p>A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
also known as the million message attack (MMA).</p>
<p>Only users of CMS, PKCS #7, or S/MIME decryption operations are
affected. A successful attack needs on average 2^20 messages. In
practice only automated systems will be affected as humans will
not be willing to process this many messages.</p>
<p>SSL/TLS applications are *NOT* affected by this problem since
the SSL/TLS code does not use the PKCS#7 or CMS decryption
code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0884</cvename>
<url>http://www.openssl.org/news/secadv_20120312.txt</url>
</references>
<dates>
<discovery>2012-03-12</discovery>
<entry>2012-03-15</entry>
</dates>
</vuln>
<vuln vid="29194cb8-6e9f-11e1-8376-f0def16c5c1b">
<topic>nginx -- potential information leak</topic>
<affects>
<package>
<name>nginx</name>
<range><lt>1.0.14,1</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><lt>1.1.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>nginx development team reports:</p>
<blockquote cite="http://nginx.net/CHANGES">
<p>Matthew Daley recently discovered a security problem
which may lead to a disclosure of previously freed memory
on specially crafted response from an upstream server,
potentially resulting in sensitive information leak.</p>
</blockquote>
</body>
</description>
<references>
<url>http://nginx.net/CHANGES</url>
</references>
<dates>
<discovery>2012-03-15</discovery>
<entry>2012-03-15</entry>
</dates>
</vuln>
<vuln vid="a1050b8b-6db3-11e1-8b37-0011856a6e37">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>10.0.3,1</lt></range>
<range><ge>3.6.*,1</ge><lt>3.6.28</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.3,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.8</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.3</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.8</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>10.0.3</lt></range>
<range><gt>3.1.*</gt><lt>3.1.20</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.28</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-13 XSS with Drag and Drop and Javascript: URL</p>
<p>MFSA 2012-14 SVG issues found with Address Sanitizer</p>
<p>MFSA 2012-15 XSS with multiple Content Security Policy headers</p>
<p>MFSA 2012-16 Escalation of privilege with Javascript: URL as home page</p>
<p>MFSA 2012-17 Crash when accessing keyframe cssText after dynamic modification</p>
<p>MFSA 2012-18 window.fullScreen writeable by untrusted content</p>
<p>MFSA 2012-19 Miscellaneous memory safety hazards (rv:11.0 / rv:10.0.3 / rv:1.9.2.28)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0451</cvename>
<cvename>CVE-2012-0455</cvename>
<cvename>CVE-2012-0456</cvename>
<cvename>CVE-2012-0457</cvename>
<cvename>CVE-2012-0458</cvename>
<cvename>CVE-2012-0459</cvename>
<cvename>CVE-2012-0460</cvename>
<cvename>CVE-2012-0461</cvename>
<cvename>CVE-2012-0462</cvename>
<cvename>CVE-2012-0463</cvename>
<cvename>CVE-2012-0464</cvename>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-13.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-14.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-15.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-16.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-17.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-18.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-19.html</url>
</references>
<dates>
<discovery>2012-03-13</discovery>
<entry>2012-03-14</entry>
<modified>2012-03-18</modified>
</dates>
</vuln>
<vuln vid="6d329b64-6bbb-11e1-9166-001e4f0fb9b1">
<topic>portaudit -- auditfile remote code execution</topic>
<affects>
<package>
<name>portaudit</name>
<range><lt>0.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael Gmelin and Jörg Scheinert have reported a remote
command execution vulnerability in portaudit.</p>
<p>An attacker who can get the user to use a specially crafted
audit file will be able to run commands on the user's system
with the privileges of the user running portaudit
(often root).</p>
<p>The attack could, for example, happen through DNS hijacking or a
man-in-the-middle attack.</p>
<p>Note that if the user has set up portaudit to run from
periodic, this attack could happen without direct user
interaction.</p>
<p>In the FreeBSD Ports Collection (bsd.port.mk) the check for
vulnerable ports at install time operates directly on the
auditfile and has the same vulnerability as portaudit. As
the Ports Collection infrastructure does not have a version
number, just be sure to have a Ports Collection new enough to
contain the fix for portaudit. Note that this is <em>only</em>
a problem for users who have portaudit installed, as they will
not have the audit database installed or downloaded
otherwise.</p>
</body>
</description>
<references>
<url>http://cvsweb.FreeBSD.org/ports/ports-mgmt/portaudit/Makefile#rev1.30</url>
<url>http://cvsweb.FreeBSD.org/ports/Mk/bsd.port.mk#rev1.707</url>
</references>
<dates>
<discovery>2012-03-11</discovery>
<entry>2012-03-11</entry>
</dates>
</vuln>
<vuln vid="ab1f515d-6b69-11e1-8288-00262d5ed8ee">
<topic>chromium -- Errant plug-in load and GPU process memory corruption</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.79</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[117620] [117656] Critical CVE-2011-3047: Errant plug-in load and
GPU process memory corruption. Credit to PinkiePie.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3047</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-03-10</discovery>
<entry>2012-03-11</entry>
</dates>
</vuln>
<vuln vid="9da3834b-6a50-11e1-91af-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.1r102.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-05.html">
<p>These vulnerabilities could cause a crash and potentially allow
an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0768</cvename>
<cvename>CVE-2012-0769</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-05.html</url>
</references>
<dates>
<discovery>2012-03-05</discovery>
<entry>2012-03-09</entry>
</dates>
</vuln>
<vuln vid="1015e1fe-69ce-11e1-8288-00262d5ed8ee">
<topic>chromium -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.78</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[117226] [117230] Critical CVE-2011-3046: UXSS and bad history
navigation. Credit to Sergey Glazunov.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3046</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-03-08</discovery>
<entry>2012-03-09</entry>
</dates>
</vuln>
<vuln vid="9448a82f-6878-11e1-865f-00e0814cab4e">
<topic>jenkins -- XSS vulnerability</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>1.453</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory reports:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05">
<p>An XSS vulnerability was found in Jenkins core, which allows an
attacker to inject malicious HTML into pages served by Jenkins.
This allows an attacker to escalate his privileges by hijacking
sessions of other users. This vulnerability affects all
versions.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05</url>
</references>
<dates>
<discovery>2012-03-05</discovery>
<entry>2012-03-07</entry>
</dates>
</vuln>
<vuln vid="99aef698-66ed-11e1-8288-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.65</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[105867] High CVE-2011-3031: Use-after-free in v8 element wrapper.
Credit to Chamal de Silva.</p>
<p>[108037] High CVE-2011-3032: Use-after-free in SVG value handling.
Credit to Arthur Gerkis.</p>
<p>[108406] [115471] High CVE-2011-3033: Buffer overflow in the Skia
drawing library. Credit to Aki Helin of OUSPG.</p>
<p>[111748] High CVE-2011-3034: Use-after-free in SVG document
handling. Credit to Arthur Gerkis.</p>
<p>[112212] High CVE-2011-3035: Use-after-free in SVG use handling.
Credit to Arthur Gerkis.</p>
<p>[113258] High CVE-2011-3036: Bad cast in line box handling. Credit
to miaubiz.</p>
<p>[113439] [114924] [115028] High CVE-2011-3037: Bad casts in
anonymous block splitting. Credit to miaubiz.</p>
<p>[113497] High CVE-2011-3038: Use-after-free in multi-column
handling. Credit to miaubiz.</p>
<p>[113707] High CVE-2011-3039: Use-after-free in quote handling.
Credit to miaubiz.</p>
<p>[114054] High CVE-2011-3040: Out-of-bounds read in text handling.
Credit to miaubiz.</p>
<p>[114068] High CVE-2011-3041: Use-after-free in class attribute
handling. Credit to miaubiz.</p>
<p>[114219] High CVE-2011-3042: Use-after-free in table section
handling. Credit to miaubiz.</p>
<p>[115681] High CVE-2011-3043: Use-after-free in flexbox with floats.
Credit to miaubiz.</p>
<p>[116093] High CVE-2011-3044: Use-after-free with SVG animation
elements. Credit to Arthur Gerkis.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3031</cvename>
<cvename>CVE-2011-3032</cvename>
<cvename>CVE-2011-3033</cvename>
<cvename>CVE-2011-3034</cvename>
<cvename>CVE-2011-3035</cvename>
<cvename>CVE-2011-3036</cvename>
<cvename>CVE-2011-3037</cvename>
<cvename>CVE-2011-3038</cvename>
<cvename>CVE-2011-3039</cvename>
<cvename>CVE-2011-3040</cvename>
<cvename>CVE-2011-3041</cvename>
<cvename>CVE-2011-3042</cvename>
<cvename>CVE-2011-3043</cvename>
<cvename>CVE-2011-3044</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-03-04</discovery>
<entry>2012-03-05</entry>
</dates>
</vuln>
<vuln vid="eba70db4-6640-11e1-98af-00262d8b701d">
<topic>dropbear -- arbitrary code execution</topic>
<affects>
<package>
<name>dropbear</name>
<range><ge>0.51</ge><lt>2012.55</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Dropbear project reports:</p>
<blockquote cite="http://xforce.iss.net/xforce/xfdb/73444">
<p>Dropbear SSH Server could allow a remote authenticated attacker
to execute arbitrary code on the system, caused by a
use-after-free error. If a command restriction is enforced, an
attacker could exploit this vulnerability to execute arbitrary
code on the system with root privileges.</p>
</blockquote>
</body>
</description>
<references>
<bid>52159</bid>
<cvename>CVE-2012-0920</cvename>
<url>http://secunia.com/advisories/48147</url>
<url>http://xforce.iss.net/xforce/xfdb/73444</url>
</references>
<dates>
<discovery>2012-02-22</discovery>
<entry>2012-03-04</entry>
</dates>
</vuln>
<vuln vid="46aeba13-64a1-11e1-bc16-0023ae8e59f0">
<topic>openx -- undisclosed security issue</topic>
<affects>
<package>
<name>openx</name>
<range><lt>2.8.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenX does not provide information about vulnerabilities beyond their
existence.</p>
</body>
</description>
<references>
<url>http://blog.openx.org/12/security-matters-3</url>
</references>
<dates>
<discovery>2011-12-01</discovery>
<entry>2012-03-02</entry>
<modified>2012-07-08</modified>
</dates>
</vuln>
<vuln vid="174b8864-6237-11e1-be18-14dae938ec40">
<topic>databases/postgresql*-client -- multiple vulnerabilities</topic>
<affects>
<package>
<name>postgresql-client</name>
<range><lt>8.3.18</lt></range>
<range><ge>8.4</ge><lt>8.4.11</lt></range>
<range><ge>9</ge><lt>9.0.7</lt></range>
<range><ge>9.1</ge><lt>9.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL Global Development Group reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1377/">
<p>These vulnerabilities could allow users to define triggers that
execute functions on which the user does not have EXECUTE
permission, allow SSL certificate spoofing and allow line breaks
in object names to be exploited to execute code when loading a
pg_dump file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0866</cvename>
<cvename>CVE-2012-0867</cvename>
<cvename>CVE-2012-0868</cvename>
<url>http://www.postgresql.org/about/news/1377/</url>
</references>
<dates>
<discovery>2012-02-27</discovery>
<entry>2012-02-28</entry>
</dates>
</vuln>
<vuln vid="f63bf080-619d-11e1-91af-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.1r102.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-03.html">
<p>These vulnerabilities could cause a crash and potentially allow
an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0751</cvename>
<cvename>CVE-2012-0752</cvename>
<cvename>CVE-2012-0753</cvename>
<cvename>CVE-2012-0754</cvename>
<cvename>CVE-2012-0755</cvename>
<cvename>CVE-2012-0756</cvename>
<cvename>CVE-2012-0767</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-03.html</url>
</references>
<dates>
<discovery>2012-02-15</discovery>
<entry>2012-02-27</entry>
</dates>
</vuln>
<vuln vid="57f1a624-6197-11e1-b98c-bcaec565249c">
<topic>libxml2 -- heap buffer overflow</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.7.8_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome team reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html">
<p>Heap-based buffer overflow in libxml2, allows remote attackers
to cause a denial of service or possibly have unspecified other
impact via unknown vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3919</cvename>
<url>http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html</url>
</references>
<dates>
<discovery>2012-01-05</discovery>
<entry>2012-02-27</entry>
</dates>
</vuln>
<vuln vid="ba51c2f7-5b43-11e1-8288-00262d5ed8ee">
<topic>plib -- remote code execution via buffer overflow</topic>
<affects>
<package>
<name>torcs</name>
<range><lt>1.3.3</lt></range>
</package>
<package>
<name>plib</name>
<range><le>1.8.5_3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/47297/">
<p>A vulnerability has been discovered in PLIB, which can be
exploited by malicious people to compromise an application using
the library.</p>
<p>The vulnerability is caused due to a boundary error within the
"ulSetError()" function (src/util/ulError.cxx) when creating the
error message, which can be exploited to overflow a static
buffer.</p>
<p>Successful exploitation allows the execution of arbitrary code
but requires that the attacker can e.g. control the content of
an overly long error message passed to the "ulSetError()"
function.</p>
<p>The vulnerability is confirmed in version 1.8.5. Other versions
may also be affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4620</cvename>
<url>http://secunia.com/advisories/47297/</url>
<url>http://torcs.sourceforge.net/index.php?name=News&amp;file=article&amp;sid=79</url>
</references>
<dates>
<discovery>2011-12-21</discovery>
<entry>2012-02-19</entry>
</dates>
</vuln>
<vuln vid="fdd1c316-5a3d-11e1-8d3e-e0cb4e266481">
<topic>phpMyAdmin -- XSS in replication setup</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.10.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php">
<p>It was possible to conduct XSS using a crafted database name.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1190</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php</url>
</references>
<dates>
<discovery>2012-02-18</discovery>
<entry>2012-02-18</entry>
</dates>
</vuln>
<vuln vid="da317bc9-59a6-11e1-bc16-0023ae8e59f0">
<topic>piwik -- xss and click-jacking issues</topic>
<affects>
<package>
<name>piwik</name>
<range><lt>1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Piwik Team reports:</p>
<blockquote cite="http://piwik.org/blog/2012/02/7775/">
<p>We would like to thank the following security researchers for
their responsible disclosure of XSS and click-jacking issues:
Piotr Duszynski, Sergey Markov, Mauro Gentile.</p>
</blockquote>
</body>
</description>
<references>
<url>http://piwik.org/blog/2012/02/7775/</url>
</references>
<dates>
<discovery>2012-02-16</discovery>
<entry>2012-02-16</entry>
</dates>
</vuln>
<vuln vid="d7dbd2db-599c-11e1-a2fb-14dae9ebcf89">
<topic>mozilla -- heap-buffer overflow</topic>
<affects>
<package>
<name>firefox</name>
<range><ge>10.0,1</ge><lt>10.0.2,1</lt></range>
<range><ge>3.6.*,1</ge><lt>3.6.27</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><ge>10.0,1</ge><lt>10.0.2,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><ge>2.7</ge><lt>2.7.2</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>10.0</ge><lt>10.0.2</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><ge>2.7</ge><lt>2.7.2</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>10.0</ge><lt>10.0.2</lt></range>
<range><gt>3.1.*</gt><lt>3.1.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-11 libpng integer overflow</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3026</cvename>
<url>https://www.mozilla.org/security/announce/2012/mfsa2012-11.html</url>
</references>
<dates>
<discovery>2012-02-16</discovery>
<entry>2012-02-17</entry>
<modified>2012-03-18</modified>
</dates>
</vuln>
<vuln vid="2f5ff968-5829-11e1-8288-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.56</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[105803] High CVE-2011-3015: Integer overflows in PDF codecs.
Credit to Google Chrome Security Team (scarybeasts).</p>
<p>[106336] Medium CVE-2011-3016: Read-after-free with counter nodes.
Credit to miaubiz.</p>
<p>[108695] High CVE-2011-3017: Possible use-after-free in database
handling. Credit to miaubiz.</p>
<p>[110172] High CVE-2011-3018: Heap overflow in path rendering.
Credit to Aki Helin of OUSPG.</p>
<p>[110849] High CVE-2011-3019: Heap buffer overflow in MKV handling.
Credit to Google Chrome Security Team (scarybeasts) and Mateusz
Jurczyk of the Google Security Team.</p>
<p>[111575] Medium CVE-2011-3020: Native client validator error.
Credit to Nick Bray of the Chromium development community.</p>
<p>[111779] High CVE-2011-3021: Use-after-free in subframe loading.
Credit to Arthur Gerkis.</p>
<p>[112236] Medium CVE-2011-3022: Inappropriate use of http for
translation script. Credit to Google Chrome Security Team (Jorge
Obes).</p>
<p>[112259] Medium CVE-2011-3023: Use-after-free with drag and drop.
Credit to pa_kt.</p>
<p>[112451] Low CVE-2011-3024: Browser crash with empty x509
certificate. Credit to chrometot.</p>
<p>[112670] Medium CVE-2011-3025: Out-of-bounds read in h.264
parsing. Credit to Slawomir Blazek.</p>
<p>[112822] High CVE-2011-3026: Integer overflow / truncation in
libpng. Credit to Juri Aedla.</p>
<p>[112847] Medium CVE-2011-3027: Bad cast in column handling.
Credit to miaubiz.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3015</cvename>
<cvename>CVE-2011-3016</cvename>
<cvename>CVE-2011-3017</cvename>
<cvename>CVE-2011-3018</cvename>
<cvename>CVE-2011-3019</cvename>
<cvename>CVE-2011-3020</cvename>
<cvename>CVE-2011-3021</cvename>
<cvename>CVE-2011-3022</cvename>
<cvename>CVE-2011-3023</cvename>
<cvename>CVE-2011-3024</cvename>
<cvename>CVE-2011-3025</cvename>
<cvename>CVE-2011-3026</cvename>
<cvename>CVE-2011-3027</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-02-15</discovery>
<entry>2012-02-15</entry>
</dates>
</vuln>
<vuln vid="b4f8be9e-56b2-11e1-9fb7-003067b2972c">
<topic>Python -- DoS via malformed XML-RPC / HTTP POST request</topic>
<affects>
<package>
<name>python32</name>
<range><le>3.2.2_2</le></range>
</package>
<package>
<name>python31</name>
<range><le>3.1.4_2</le></range>
</package>
<package>
<name>python27</name>
<range><le>2.7.2_3</le></range>
</package>
<package>
<name>python26</name>
<range><le>2.6.7_2</le></range>
</package>
<package>
<name>python25</name>
<range><le>2.5.6_2</le></range>
</package>
<package>
<name>python24</name>
<range><le>2.4.5_8</le></range>
</package>
<package>
<name>pypy</name>
<!-- note that it also affects 1.8 but we do not yet have
this version in ports. -->
<range><le>1.7</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jan Lieskovsky reports:</p>
<blockquote cite="http://bugs.python.org/issue14001">
<p>A denial of service flaw was found in the way the Simple XML-RPC
Server module of Python processed client connections that were
closed before the complete request body had been received. A
remote attacker could use this flaw to cause a Python Simple
XML-RPC based server process to consume an excessive amount of
CPU.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0845</cvename>
<url>http://bugs.python.org/issue14001</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=789790</url>
<url>https://bugs.pypy.org/issue1047</url>
</references>
<dates>
<discovery>2012-02-13</discovery>
<entry>2012-02-14</entry>
<modified>2012-02-26</modified>
</dates>
</vuln>
<vuln vid="2b20fd5f-552e-11e1-9fb7-003067b2972c">
<topic>WebCalendar -- Persistent XSS</topic>
<affects>
<package>
<name>WebCalendar</name>
<range><le>1.2.4</le></range>
</package>
<package>
<name>WebCalendar-devel</name>
<range><le>1.2.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>tom reports:</p>
<blockquote cite="http://seclists.org/bugtraq/2012/Jan/128">
<p>There is no sanitization of the input of the location variable,
allowing for persistent XSS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0846</cvename>
<url>http://sourceforge.net/tracker/?func=detail&amp;aid=3472745&amp;group_id=3870&amp;atid=103870</url>
</references>
<dates>
<discovery>2012-01-11</discovery>
<entry>2012-02-12</entry>
<modified>2012-02-13</modified>
</dates>
</vuln>
<vuln vid="eba9aa94-549c-11e1-b6b7-0011856a6e37">
<topic>mozilla -- use after free in nsXBLDocumentInfo::ReadPrototypeBindings</topic>
<affects>
<package>
<name>firefox</name>
<range><ge>10.0,1</ge><lt>10.0.1,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><ge>10.0,1</ge><lt>10.0.1,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><ge>2.7</ge><lt>2.7.1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>10.0</ge><lt>10.0.1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><ge>2.7</ge><lt>2.7.1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>10.0</ge><lt>10.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-10 use after free in nsXBLDocumentInfo::ReadPrototypeBindings</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0452</cvename>
<url>https://www.mozilla.org/security/announce/2012/mfsa2012-10.html</url>
</references>
<dates>
<discovery>2012-02-10</discovery>
<entry>2012-02-11</entry>
</dates>
</vuln>
<vuln vid="1c4cab30-5468-11e1-9fb7-003067b2972c">
<topic>bip -- buffer overflow</topic>
<affects>
<package>
<name>bip</name>
<range><le>0.8.8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Julien Tinnes reports:</p>
<blockquote cite="https://projects.duckcorp.org/issues/269">
<p>Bip doesn't check if fd is equal to or larger than FD_SETSIZE.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0806</cvename>
<url>https://projects.duckcorp.org/projects/bip/repository/revisions/222a33cb84a2e52ad55a88900b7895bf9dd0262c</url>
<url>https://projects.duckcorp.org/issues/269</url>
</references>
<dates>
<discovery>2012-01-07</discovery>
<entry>2012-02-11</entry>
</dates>
</vuln>
<vuln vid="039d057e-544e-11e1-9fb7-003067b2972c">
<topic>surf -- private information disclosure</topic>
<affects>
<package>
<name>surf</name>
<range><le>0.4.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>surf does not protect its cookie jar against read access by
other local users.</p>
</body>
</description>
<references>
<cvename>CVE-2012-0842</cvename>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296</url>
</references>
<dates>
<discovery>2012-02-10</discovery>
<entry>2012-02-11</entry>
</dates>
</vuln>
<vuln vid="7c769c89-53c2-11e1-8e52-00163e22ef61">
<topic>glpi -- remote attack via crafted POST request</topic>
<affects>
<package>
<name>glpi</name>
<range><lt>0.80.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The GLPI project reports:</p>
<blockquote cite="http://www.glpi-project.org/spip.php?page=annonce&amp;id_breve=237&amp;lang=en">
<p>The autocompletion functionality in GLPI before 0.80.2 does not
blacklist certain username and password fields, which allows
remote attackers to obtain sensitive information via a crafted
POST request.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.glpi-project.org/spip.php?page=annonce&amp;id_breve=237&amp;lang=en</url>
<url>https://forge.indepnet.net/issues/3017</url>
<cvename>CVE-2011-2720</cvename>
</references>
<dates>
<discovery>2011-07-20</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="fe1976c2-5317-11e1-9e99-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>17.0.963.46</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[73478] Low CVE-2011-3953: Avoid clipboard monitoring after paste
event. Credit to Daniel Cheng of the Chromium development
community.</p>
<p>[92550] Low CVE-2011-3954: Crash with excessive database usage.
Credit to Collin Payne.</p>
<p>[93106] High CVE-2011-3955: Crash aborting an IndexDB transaction.
Credit to David Grogan of the Chromium development community.</p>
<p>[103630] Low CVE-2011-3956: Incorrect handling of sandboxed origins
inside extensions. Credit to Devdatta Akhawe, UC Berkeley.</p>
<p>[104056] High CVE-2011-3957: Use-after-free in PDF garbage
collection. Credit to Aki Helin of OUSPG.</p>
<p>[105459] High CVE-2011-3958: Bad casts with column spans. Credit
to miaubiz.</p>
<p>[106441] High CVE-2011-3959: Buffer overflow in locale handling.
Credit to Aki Helin of OUSPG.</p>
<p>[108416] Medium CVE-2011-3960: Out-of-bounds read in audio
decoding. Credit to Aki Helin of OUSPG.</p>
<p>[108871] Critical CVE-2011-3961: Race condition after crash of
utility process. Credit to Shawn Goertzen.</p>
<p>[108901] Medium CVE-2011-3962: Out-of-bounds read in path clipping.
Credit to Aki Helin of OUSPG.</p>
<p>[109094] Medium CVE-2011-3963: Out-of-bounds read in PDF fax image
handling. Credit to Atte Kettunen of OUSPG.</p>
<p>[109245] Low CVE-2011-3964: URL bar confusion after drag + drop.
Credit to Code Audit Labs of VulnHunt.com.</p>
<p>[109664] Low CVE-2011-3965: Crash in signature check. Credit to
Slawomir Blazek.</p>
<p>[109716] High CVE-2011-3966: Use-after-free in stylesheet error
handling. Credit to Aki Helin of OUSPG.</p>
<p>[109717] Low CVE-2011-3967: Crash with unusual certificate. Credit
to Ben Carrillo.</p>
<p>[109743] High CVE-2011-3968: Use-after-free in CSS handling.
Credit to Arthur Gerkis.</p>
<p>[110112] High CVE-2011-3969: Use-after-free in SVG layout. Credit
to Arthur Gerkis.</p>
<p>[110277] Medium CVE-2011-3970: Out-of-bounds read in libxslt.
Credit to Aki Helin of OUSPG.</p>
<p>[110374] High CVE-2011-3971: Use-after-free with mousemove events.
Credit to Arthur Gerkis.</p>
<p>[110559] Medium CVE-2011-3972: Out-of-bounds read in shader
translator. Credit to Google Chrome Security Team (Inferno).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3953</cvename>
<cvename>CVE-2011-3954</cvename>
<cvename>CVE-2011-3955</cvename>
<cvename>CVE-2011-3956</cvename>
<cvename>CVE-2011-3957</cvename>
<cvename>CVE-2011-3958</cvename>
<cvename>CVE-2011-3959</cvename>
<cvename>CVE-2011-3960</cvename>
<cvename>CVE-2011-3961</cvename>
<cvename>CVE-2011-3962</cvename>
<cvename>CVE-2011-3963</cvename>
<cvename>CVE-2011-3964</cvename>
<cvename>CVE-2011-3965</cvename>
<cvename>CVE-2011-3966</cvename>
<cvename>CVE-2011-3967</cvename>
<cvename>CVE-2011-3968</cvename>
<cvename>CVE-2011-3969</cvename>
<cvename>CVE-2011-3970</cvename>
<cvename>CVE-2011-3971</cvename>
<cvename>CVE-2011-3972</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-02-08</discovery>
<entry>2012-02-09</entry>
</dates>
</vuln>
<vuln vid="10720fe8-51e0-11e1-91c1-00215c6a37bb">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.23</lt></range>
</package>
<package>
<name>drupal7</name>
<range><lt>7.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal development team reports:</p>
<blockquote cite="http://drupal.org/node/1425084">
<h3>Cross Site Request Forgery vulnerability in Aggregator
module</h3>
<p>CVE: CVE-2012-0826</p>
<p>An XSRF vulnerability can force an aggregator feed to update.
Since some services are rate-limited (e.g. Twitter limits
requests to 150 per hour) this could lead to a denial of
service.</p>
<p>This issue affects Drupal 6.x and 7.x.</p>
<h3>OpenID not verifying signed attributes in SREG and AX</h3>
<p>CVE: CVE-2012-0825</p>
<p>A group of security researchers identified a flaw in how some
OpenID relying parties implement Attribute Exchange (AX). Not
verifying that attributes being passed through AX have been
signed could allow an attacker to modify users' information.</p>
<p>This issue affects Drupal 6.x and 7.x.</p>
<h3>Access bypass in File module</h3>
<p>CVE: CVE-2012-0827</p>
<p>When using private files in combination with certain field
access modules, the File module will allow users to download
the file even if they do not have access to view the field it
was attached to.</p>
<p>This issue affects Drupal 7.x only.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0825</cvename>
<cvename>CVE-2012-0826</cvename>
<cvename>CVE-2012-0827</cvename>
</references>
<dates>
<discovery>2012-02-01</discovery>
<entry>2012-02-07</entry>
</dates>
</vuln>
<vuln vid="309542b5-50b9-11e1-b0d8-00151735203a">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>2.4.*</ge><lt>3.6.8</lt></range>
<range><ge>4.0.*</ge><lt>4.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4.12/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<ul>
<li>Account Impersonation:
When a user creates a new account, Bugzilla doesn't correctly
reject email addresses containing non-ASCII characters, which
could be used to impersonate another user account. Such email
addresses could look visually identical to other valid email
addresses, and an attacker could try to confuse other users
and be added to bugs he shouldn't have access to.</li>
<li>Cross-Site Request Forgery:
Due to a lack of validation of the Content-Type header when
making POST requests to jsonrpc.cgi, a possible CSRF
vulnerability was discovered. If a user visits an HTML page
with some malicious JS code in it, an attacker could make
changes to a remote Bugzilla installation on behalf of the
victim's account by using the JSON-RPC API. The user would
have had to be already logged in to the target site for the
vulnerability to work.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0448</cvename>
<cvename>CVE-2012-0440</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=714472</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=718319</url>
</references>
<dates>
<discovery>2012-01-31</discovery>
<entry>2012-02-06</entry>
</dates>
</vuln>
<vuln vid="3fd040be-4f0b-11e1-9e32-0025900931f8">
<topic>php -- arbitrary remote code execution vulnerability</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.3.9</ge><lt>5.3.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/47806/">
<p>A vulnerability has been reported in PHP, which can be exploited
by malicious people to compromise a vulnerable system.</p>
<p>The vulnerability is caused due to a logic error within the
"php_register_variable_ex()" function (php_variables.c) when
hashing form posts and updating a hash table, which can be
exploited to execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0830</cvename>
<url>http://www.php.net/archive/2012.php#id2012-02-02-1</url>
<url>http://secunia.com/advisories/47806/</url>
</references>
<dates>
<discovery>2012-02-02</discovery>
<entry>2012-02-04</entry>
<modified>2012-02-06</modified>
</dates>
</vuln>
<vuln vid="6e7ad1d7-4e27-11e1-8e12-90e6ba8a36a2">
<topic>mathopd -- directory traversal vulnerability</topic>
<affects>
<package>
<name>mathopd</name>
<range><lt>1.5p7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michiel Boland reports:</p>
<blockquote cite="http://www.mathopd.org/security.html">
<p>The software has a vulnerability that could lead to directory
traversal if the '*' construct for mass virtual hosting is
used.</p>
</blockquote>
</body>
</description>
<references>
<mlist msgid="4F2AFEF2.5040708@boland.org">http://www.mail-archive.com/mathopd%40mathopd.org/msg00392.html</mlist>
<url>http://www.mathopd.org/security.html</url>
</references>
<dates>
<discovery>2012-02-02</discovery>
<entry>2012-02-03</entry>
</dates>
</vuln>
<vuln vid="4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0">
<topic>apache -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apache</name>
<range><gt>2.*</gt><lt>2.2.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE MITRE reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_22.html">
<p>An exposure was found when using mod_proxy in reverse proxy
mode. In certain configurations using RewriteRule with proxy
flag or ProxyPassMatch, a remote attacker could cause the reverse
proxy to connect to an arbitrary server, possibly disclosing
sensitive information from internal web servers not directly
accessible to attacker.</p>
<p>Integer overflow in the ap_pregsub function in server/util.c in
the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through
2.2.21, when the mod_setenvif module is enabled, allows local
users to gain privileges via a .htaccess file with a crafted
SetEnvIf directive, in conjunction with a crafted HTTP request
header, leading to a heap-based buffer overflow.</p>
<p>An additional exposure was found when using mod_proxy in
reverse proxy mode. In certain configurations using RewriteRule
with proxy flag or ProxyPassMatch, a remote attacker could cause
the reverse proxy to connect to an arbitrary server, possibly
disclosing sensitive information from internal web servers
not directly accessible to attacker.</p>
<p>A flaw was found in mod_log_config. If the '%{cookiename}C' log
format string is in use, a remote attacker could send a specific
cookie causing a crash. This crash would only be a denial of
service if using a threaded MPM.</p>
<p>A flaw was found in the handling of the scoreboard. An
unprivileged child process could cause the parent process to
crash at shutdown rather than terminate cleanly.</p>
<p>A flaw was found in the default error response for status code
400. This flaw could be used by an attacker to expose
"httpOnly" cookies when no custom ErrorDocument is specified.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3368</cvename>
<cvename>CVE-2011-3607</cvename>
<cvename>CVE-2011-4317</cvename>
<cvename>CVE-2012-0021</cvename>
<cvename>CVE-2012-0031</cvename>
<cvename>CVE-2012-0053</cvename>
</references>
<dates>
<discovery>2011-10-05</discovery>
<entry>2012-01-31</entry>
</dates>
</vuln>
<vuln vid="0a9e2b72-4cb7-11e1-9146-14dae9ebcf89">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>10.0,1</lt></range>
<range><ge>3.6.*,1</ge><lt>3.6.26</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.7</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.7</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>10.0</lt></range>
<range><gt>3.1.*</gt><lt>3.1.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/
rv:1.9.2.26)</p>
<p>MFSA 2012-02 Overly permissive IPv6 literal syntax</p>
<p>MFSA 2012-03 iframe element exposed across domains via name
attribute</p>
<p>MFSA 2012-04 Child nodes from nsDOMAttribute still accessible
after removal of nodes</p>
<p>MFSA 2012-05 Frame scripts calling into untrusted objects bypass
security checks</p>
<p>MFSA 2012-06 Uninitialized memory appended when encoding icon
images may cause information disclosure</p>
<p>MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis
files</p>
<p>MFSA 2012-08 Crash with malformed embedded XSLT stylesheets</p>
<p>MFSA 2012-09 Firefox Recovery Key.html is saved with unsafe
permission</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0442</cvename>
<cvename>CVE-2012-0443</cvename>
<cvename>CVE-2011-3670</cvename>
<cvename>CVE-2012-0445</cvename>
<cvename>CVE-2011-3659</cvename>
<cvename>CVE-2012-0446</cvename>
<cvename>CVE-2012-0447</cvename>
<cvename>CVE-2012-0449</cvename>
<cvename>CVE-2012-0450</cvename>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-01.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-02.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-03.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-04.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-05.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-06.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-07.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-08.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-09.html</url>
</references>
<dates>
<discovery>2012-01-31</discovery>
<entry>2012-02-01</entry>
<modified>2012-03-18</modified>
</dates>
</vuln>
<vuln vid="7c920bb7-4b5f-11e1-9f47-00e0815b8da8">
<topic>sudo -- format string vulnerability</topic>
<affects>
<package>
<name>sudo</name>
<range><ge>1.8.0</ge><lt>1.8.3_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.gratisoft.us/sudo/alerts/sudo_debug.html">
<p>Sudo 1.8.0 introduced simple debugging support that was primarily
intended for use when developing policy or I/O logging plugins.
The sudo_debug() function contains a flaw where the program name
is used as part of the format string passed to the fprintf()
function. The program name can be controlled by the caller,
either via a symbolic link or, on some systems, by setting argv[0]
when executing sudo.</p>
<p>Using standard format string vulnerability exploitation
techniques it is possible to leverage this bug to achieve root
privileges.</p>
<p>Exploitation of the bug does not require that the attacker be
listed in the sudoers file. As such, we strongly suggest that
affected sites upgrade from affected sudo versions as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0809</cvename>
<url>http://www.gratisoft.us/sudo/alerts/sudo_debug.html</url>
</references>
<dates>
<discovery>2012-01-30</discovery>
<entry>2012-01-30</entry>
<modified>2012-01-31</modified>
</dates>
</vuln>
<vuln vid="e51d5b1a-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- pam_ssh() does not validate service names</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_7</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:10.pam.asc">
<h1>Problem Description:</h1>
<p>Some third-party applications, including KDE's kcheckpass command,
allow the user to specify the name of the policy on the command
line. Since OpenPAM treats the policy name as a path relative to
/etc/pam.d or /usr/local/etc/pam.d, users who are permitted to run
such an application can craft their own policies and cause the
application to load and execute their own modules.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:10.pam</freebsdsa>
<cvename>CVE-2011-4122</cvename>
</references>
<dates>
<discovery>2011-12-23</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="eda151d8-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- pam_ssh improperly grants access when user account has unencrypted SSH private keys</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_7</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc">
<h1>Problem Description:</h1>
<p>The OpenSSL library call used to decrypt private keys ignores the
passphrase argument if the key is not encrypted. Because the
pam_ssh module only checks whether the passphrase provided by the
user is null, users with unencrypted SSH private keys may
successfully authenticate themselves by providing a dummy
passphrase.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:09.pam_ssh</freebsdsa>
</references>
<dates>
<discovery>2012-12-23</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="f56390a4-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- Buffer overflow in handling of UNIX socket addresses</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_8</lt></range>
<range><ge>7.4</ge><lt>7.4_4</lt></range>
<range><ge>8.1</ge><lt>8.1_6</lt></range>
<range><ge>8.2</ge><lt>8.2_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc">
<h1>Problem Description:</h1>
<p>When a UNIX-domain socket is attached to a location using the
bind(2) system call, the length of the provided path is not
validated. Later, when this address was returned via other system
calls, it is copied into a fixed-length buffer.</p>
<p>Linux uses a larger socket address structure for UNIX-domain
sockets than FreeBSD, and FreeBSD's Linux emulation code did
not translate UNIX-domain socket addresses into the correct size
of structure.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:05.unix</freebsdsa>
</references>
<dates>
<discovery>2011-09-28</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="fee94342-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- errors handling corrupt compress file in compress(1) and gzip(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_7</lt></range>
<range><ge>7.4</ge><lt>7.4_3</lt></range>
<range><ge>8.1</ge><lt>8.1_5</lt></range>
<range><ge>8.2</ge><lt>8.2_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:04.compress.asc">
<h1>Problem Description:</h1>
<p>The code used to decompress a file created by compress(1) does not
do sufficient boundary checks on compressed code words, allowing
reference beyond the decompression table, which may result in a
stack overflow or an infinite loop when the decompressor encounters
a corrupted file.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:04.compress</freebsdsa>
<cvename>CVE-2011-2895</cvename>
</references>
<dates>
<discovery>2011-09-28</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="7a09a8df-ca41-11df-aade-0050568f000c">
<topic>FreeBSD -- Network ACL mishandling in mountd(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_5</lt></range>
<range><ge>7.4</ge><lt>7.4_1</lt></range>
<range><ge>8.1</ge><lt>8.1_3</lt></range>
<range><ge>8.2</ge><lt>8.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:01.mountd.asc">
<h1>Problem Description:</h1>
<p>While parsing the exports(5) table, a network mask in the form of
"-network=netname/prefixlength" results in an incorrect network mask
being computed if the prefix length is not a multiple of 8.</p>
<p>For example, specifying the ACL for an export as "-network
192.0.2.0/23" would result in a netmask of 255.255.127.0 being used
instead of the correct netmask of 255.255.254.0.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:01.mountd</freebsdsa>
<cvename>CVE-2011-1739</cvename>
</references>
<dates>
<discovery>2011-04-20</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="93688f8f-4935-11e1-89b4-001ec9578670">
<topic>postfixadmin -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>postfixadmin</name>
<range><lt>2.3.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Postfix Admin Team reports:</p>
<blockquote cite="http://sourceforge.net/projects/postfixadmin/forums/forum/676076/topic/4977778">
<p>Multiple XSS vulnerabilities exist:<br/>
- XSS with $_GET[domain] in templates/menu.php and
edit-vacation<br/>
- XSS in some create-domain input fields<br/>
- XSS in create-alias and edit-alias error message<br/>
- XSS (by values stored in the database) in fetchmail list
view, list-domain and list-virtual</p>
<p>Multiple SQL injection issues exist:<br/>
- SQL injection in pacrypt() (if $CONF[encrypt] ==
'mysql_encrypt')<br/>
- SQL injection in backup.php - the dump was not mysql_escape()d,
therefore users could inject SQL (for example in the vacation message)
which will be executed when restoring the database dump.
WARNING: database dumps created with backup.php from 2.3.4 or older
might contain malicious SQL. Double-check before using them!</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0811</cvename>
<cvename>CVE-2012-0812</cvename>
<url>http://sourceforge.net/projects/postfixadmin/forums/forum/676076/topic/4977778</url>
</references>
<dates>
<discovery>2012-01-27</discovery>
<entry>2012-01-27</entry>
</dates>
</vuln>
<vuln vid="e465159c-4817-11e1-89b4-001ec9578670">
<topic>mpack -- Information disclosure</topic>
<affects>
<package>
<name>mpack</name>
<range><lt>1.6_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The oss-security list reports:</p>
<blockquote cite="http://openwall.com/lists/oss-security/2011/12/31/1">
<p>Incorrect permissions on temporary files can lead to
information disclosure.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4919</cvename>
<url>http://openwall.com/lists/oss-security/2011/12/31/1</url>
</references>
<dates>
<discovery>2011-12-31</discovery>
<entry>2012-01-26</entry>
</dates>
</vuln>
<vuln vid="fa2f386f-4814-11e1-89b4-001ec9578670">
<topic>acroread9 -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>acroread9</name>
<range><lt>9.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Adobe Security Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa11-04.html">
<p>An unspecified vulnerability in the U3D component allows
remote attackers to execute arbitrary code (or cause a denial
of service attack) via unknown vectors.</p>
</blockquote>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-24.html">
<p>A heap-based buffer overflow allows attackers to execute
arbitrary code via unspecified vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2462</cvename>
<cvename>CVE-2011-1353</cvename>
<cvename>CVE-2011-2431</cvename>
<cvename>CVE-2011-2432</cvename>
<cvename>CVE-2011-2433</cvename>
<cvename>CVE-2011-2434</cvename>
<cvename>CVE-2011-2435</cvename>
<cvename>CVE-2011-2436</cvename>
<cvename>CVE-2011-2437</cvename>
<cvename>CVE-2011-2438</cvename>
<cvename>CVE-2011-2439</cvename>
<cvename>CVE-2011-2440</cvename>
<cvename>CVE-2011-2441</cvename>
<cvename>CVE-2011-2442</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-24.html</url>
<url>http://www.adobe.com/support/security/advisories/apsa11-04.html</url>
</references>
<dates>
<discovery>2011-12-07</discovery>
<entry>2012-01-26</entry>
</dates>
</vuln>
<vuln vid="33d73d59-4677-11e1-88cd-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>16.0.912.77</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[106484] High CVE-2011-3924: Use-after-free in DOM selections.
Credit to Arthur Gerkis.</p>
<p>[108461] High CVE-2011-3928: Use-after-free in DOM handling.
Credit to wushi of team509 reported through ZDI (ZDI-CAN-1415).</p>
<p>[108605] High CVE-2011-3927: Uninitialized value in Skia. Credit
to miaubiz.</p>
<p>[109556] High CVE-2011-3926: Heap-buffer-overflow in tree builder.
Credit to Arthur Gerkis.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3924</cvename>
<cvename>CVE-2011-3926</cvename>
<cvename>CVE-2011-3927</cvename>
<cvename>CVE-2011-3928</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2012-01-23</discovery>
<entry>2012-01-24</entry>
</dates>
</vuln>
<vuln vid="3ebb2dc8-4609-11e1-9f47-00e0815b8da8">
<topic>Wireshark -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
<package>
<name>tshark</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark reports:</p>
<blockquote cite="http://www.wireshark.org/docs/relnotes/wireshark-1.6.5.html">
<p>Laurent Butti discovered that Wireshark failed to properly check
record sizes for many packet capture file formats.</p>
<p>Wireshark could dereference a NULL pointer and crash.</p>
<p>The RLC dissector could overflow a buffer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0041</cvename>
<cvename>CVE-2012-0066</cvename>
<cvename>CVE-2012-0067</cvename>
<cvename>CVE-2012-0068</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2012-01.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-02.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-03.html</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6666</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6667</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6668</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6669</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6670</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6634</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6391</url>
</references>
<dates>
<discovery>2010-01-10</discovery>
<entry>2012-01-23</entry>
</dates>
</vuln>
<vuln vid="7d2336c2-4607-11e1-9f47-00e0815b8da8">
<topic>spamdyke -- Buffer Overflow Vulnerabilities</topic>
<affects>
<package>
<name>spamdyke</name>
<range><lt>4.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://www.spamdyke.org/documentation/Changelog.txt">
<p>Fixed a number of very serious errors in the usage of
snprintf()/vsnprintf().</p>
<p>The return value was being used as the length of the string
printed into the buffer, but the return value really indicates
the length of the string that *could* be printed if the buffer
were of infinite size. Because the returned value could be
larger than the buffer's size, this meant remotely exploitable
buffer overflows were possible, depending on spamdyke's
configuration.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0802</cvename>
<url>https://secunia.com/advisories/47548/</url>
<url>http://www.spamdyke.org/documentation/Changelog.txt</url>
</references>
<dates>
<discovery>2012-01-15</discovery>
<entry>2012-01-23</entry>
</dates>
</vuln>
<vuln vid="5c5f19ce-43af-11e1-89b4-001ec9578670">
<topic>OpenSSL -- DTLS Denial of Service</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL Team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120118.txt">
<p>A flaw in the fix to CVE-2011-4108 can be exploited in a
denial of service attack. Only DTLS applications using OpenSSL
1.0.0f and 0.9.8s are affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0050</cvename>
<url>http://www.openssl.org/news/secadv_20120118.txt</url>
</references>
<dates>
<discovery>2012-01-18</discovery>
<entry>2012-01-20</entry>
</dates>
</vuln>
<vuln vid="dd698b76-42f7-11e1-a1b6-14dae9ebcf89">
<topic>asterisk -- SRTP Video Remote Crash Vulnerability</topic>
<affects>
<package>
<name>asterisk18</name>
<range><lt>1.8.8.2</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><lt>10.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="http://downloads.asterisk.org/pub/security/AST-2012-001.html">
<p>An attacker attempting to negotiate a secure video stream can
crash Asterisk if video support has not been enabled and the
res_srtp Asterisk module is loaded.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2012-001.html</url>
</references>
<dates>
<discovery>2012-01-15</discovery>
<entry>2011-12-19</entry>
</dates>
</vuln>
<vuln vid="7f5ccb1d-439b-11e1-bc16-0023ae8e59f0">
<topic>tomcat -- Denial of Service</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>5.5.0</gt><lt>5.5.35</lt></range>
</package>
<package>
<name>tomcat</name>
<range><gt>6.0.0</gt><lt>6.0.34</lt></range>
</package>
<package>
<name>tomcat</name>
<range><gt>7.0.0</gt><lt>7.0.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tomcat security team reports:</p>
<blockquote cite="http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.35">
<p>Analysis of the recent hash collision vulnerability identified
unrelated inefficiencies with Apache Tomcat's handling of large
numbers of parameters and parameter values. These inefficiencies
could allow an attacker, via a specially crafted request, to
cause large amounts of CPU to be used which in turn could create
a denial of service. The issue was addressed by modifying the
Tomcat parameter handling code to efficiently process large
numbers of parameters and parameter values.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0022</cvename>
<url>http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.35</url>
<url>http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34</url>
<url>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.23</url>
</references>
<dates>
<discovery>2011-10-21</discovery>
<entry>2012-01-17</entry>
</dates>
</vuln>
<vuln vid="1ac858b0-3fae-11e1-a127-0013d3ccd9df">
<topic>OpenTTD -- Denial of service (server) via slow read attack</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>0.3.5</ge><lt>1.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2012-0049">
<p>Using a slow read type attack it is possible to prevent anyone
from joining a server with virtually no resources. Once
downloading the map no other downloads of the map can start, so
downloading really slowly will prevent others from joining.
This can be further aggravated by the pause-on-join setting in
which case the game is paused and the players cannot continue
the game during such an attack. This attack requires that the
user is not banned and passes the authorization to the server,
although for many servers there is no server password and thus
authorization is easy.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0049</cvename>
<url>http://security.openttd.org/en/CVE-2012-0049</url>
</references>
<dates>
<discovery>2012-01-06</discovery>
<entry>2012-01-16</entry>
</dates>
</vuln>
<vuln vid="91be81e7-3fea-11e1-afc7-2c4138874f7d">
<topic>Multiple implementations -- DoS via hash algorithm collision</topic>
<affects>
<package>
<name>jruby</name>
<range><lt>1.6.5.1</lt></range>
</package>
<package>
<name>ruby</name>
<name>ruby+nopthreads</name>
<name>ruby+nopthreads+oniguruma</name>
<name>ruby+oniguruma</name>
<range><lt>1.8.7.357,1</lt></range>
</package>
<package>
<name>rubygem-rack</name>
<range><lt>1.3.6,3</lt></range>
</package>
<package>
<name>v8</name>
<range><lt>3.8.5</lt></range>
</package>
<package>
<name>redis</name>
<range><le>2.4.6</le></range>
</package>
<package>
<name>node</name>
<range><lt>0.6.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2011-003.html">
<p>A variety of programming languages suffer from a denial-of-service
(DoS) condition against storage functions of key/value pairs in
hash data structures; the condition can be leveraged by exploiting
predictable collisions in the underlying hashing algorithms.</p>
<p>The issue finds particular exposure in web server applications
and/or frameworks. In particular, the lack of sufficient limits
for the number of parameters in POST requests in conjunction with
the predictable collision properties in the hashing functions of
the underlying languages can render web applications vulnerable
to the DoS condition. The attacker, using specially crafted HTTP
requests, can lead to 100% CPU usage which can last up to
several hours depending on the targeted application and server
performance; the amplification effect is considerable and
requires little bandwidth and time on the attacker side.</p>
<p>The condition for predictable collisions in the hashing functions
has been reported for the following language implementations:
Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the
Ruby language, the 1.9.x branch is not affected by the
predictable collision condition since this version includes a
randomization of the hashing function.</p>
<p>The vulnerability outlined in this advisory is practically
identical to the one reported in 2003 and described in the paper
Denial of Service via Algorithmic Complexity Attacks which
affected the Perl language.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4838</cvename>
<cvename>CVE-2011-4815</cvename>
<cvename>CVE-2011-5036</cvename>
<cvename>CVE-2011-5037</cvename>
<url>http://www.ocert.org/advisories/ocert-2011-003.html</url>
<url>http://www.nruns.com/_downloads/advisory28122011.pdf</url>
</references>
<dates>
<discovery>2011-12-28</discovery>
<entry>2012-01-16</entry>
<modified>2012-01-20</modified>
</dates>
</vuln>
<vuln vid="ea2ddc49-3e8e-11e1-8095-5404a67eef98">
<topic>ffmpeg -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ffmpeg</name>
<range><lt>0.7.11,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ubuntu Security Notice USN-1320-1 reports:</p>
<blockquote cite="http://www.ubuntu.com/usn/usn-1320-1">
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed QDM2 streams. If a user were tricked into opening
a crafted QDM2 stream file, an attacker could cause a denial of
service via application crash, or possibly execute arbitrary code
with the privileges of the user invoking the program.
(CVE-2011-4351)</p>
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed VP3 streams. If a user were tricked into opening
a crafted file, an attacker could cause a denial of service via
application crash, or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2011-4352)</p>
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed VP5 and VP6 streams. If a user were tricked into
opening a crafted file, an attacker could cause a denial of service
via application crash, or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2011-4353)</p>
<p>It was discovered that FFmpeg incorrectly handled certain
malformed VMD files. If a user were tricked into opening a crafted
VMD file, an attacker could cause a denial of service via
application crash, or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2011-4364)</p>
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed SVQ1 streams. If a user were tricked into opening
a crafted SVQ1 stream file, an attacker could cause a denial of
service via application crash, or possibly execute arbitrary code
with the privileges of the user invoking the program.
(CVE-2011-4579)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4351</cvename>
<cvename>CVE-2011-4352</cvename>
<cvename>CVE-2011-4353</cvename>
<cvename>CVE-2011-4364</cvename>
<cvename>CVE-2011-4579</cvename>
<url>http://www.ubuntu.com/usn/usn-1320-1</url>
</references>
<dates>
<discovery>2011-09-14</discovery>
<entry>2012-01-14</entry>
</dates>
</vuln>
<vuln vid="78cc8a46-3e56-11e1-89b4-001ec9578670">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL Team reports:</p>
<blockquote cite="http://openssl.org/news/secadv_20120104.txt">
<p>6 security flaws have been fixed in OpenSSL 1.0.0f:</p>
<p>If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8,
then a policy check failure can lead to a double-free.</p>
<p>OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the
bytes used as block cipher padding in SSL 3.0 records.
As a result, in each record, up to 15 bytes of
uninitialized memory may be sent, encrypted, to the SSL
peer. This could include sensitive contents of
previously freed memory.</p>
<p>RFC 3779 data can be included in certificates, and if
it is malformed, may trigger an assertion failure.
This could be used in a denial-of-service attack.</p>
<p>Support for handshake restarts for server gated
cryptography (SGC) can be used in a denial-of-service
attack.</p>
<p>A malicious TLS client can send an invalid set of GOST
parameters which will cause the server to crash due to
lack of error checking. This could be used in a
denial-of-service attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4108</cvename>
<cvename>CVE-2011-4109</cvename>
<cvename>CVE-2011-4576</cvename>
<cvename>CVE-2011-4577</cvename>
<cvename>CVE-2011-4619</cvename>
<cvename>CVE-2012-0027</cvename>
<url>http://openssl.org/news/secadv_20120104.txt</url>
</references>
<dates>
<discovery>2012-01-04</discovery>
<entry>2012-01-14</entry>
</dates>
</vuln>
<vuln vid="1800886c-3dde-11e1-89b4-001ec9578670">
<topic>isc-dhcp-server -- DoS in DHCPv6</topic>
<affects>
<package>
<name>isc-dhcp42-server</name>
<range><lt>4.2.3_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/software/dhcp/advisories/cve-2011-4868">
<p>Due to improper handling of a DHCPv6 lease structure, ISC DHCP
servers that are serving IPv6 address pools AND using Dynamic
DNS can encounter a segmentation fault error while updating lease
status under certain conditions.</p>
<p>The potential exists for this condition to be intentionally
triggered, resulting in effective denial of service to
clients expecting service from the affected server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4868</cvename>
<url>https://www.isc.org/software/dhcp/advisories/cve-2011-4868</url>
</references>
<dates>
<discovery>2012-01-13</discovery>
<entry>2012-01-13</entry>
</dates>
</vuln>
<vuln vid="3338f87c-3d5f-11e1-a00a-000c6eb41cf7">
<topic>PowerDNS -- Denial of Service Vulnerability</topic>
<affects>
<package>
<name>powerdns</name>
<name>powerdns-devel</name>
<range><lt>3.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PowerDNS Team reports:</p>
<blockquote cite="http://www.powerdns.com/news/powerdns-security-advisory-2012-01.html">
<p>Using well crafted UDP packets, one or more PowerDNS servers
could be made to enter a tight packet loop, causing temporary
denial of service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0206</cvename>
</references>
<dates>
<discovery>2012-01-10</discovery>
<entry>2012-01-12</entry>
</dates>
</vuln>
<vuln vid="d3921810-3c80-11e1-97e8-00215c6a37bb">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<name>php5-exif</name>
<range><lt>5.3.9</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_5</lt></range>
</package>
<package>
<name>php52-exif</name>
<range><lt>5.2.17_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP development team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-01-11-1">
<p>Security Enhancements and Fixes in PHP 5.3.9:</p>
<ul>
<li>Added max_input_vars directive to prevent attacks
based on hash collisions. (CVE-2011-4885)</li>
<li>Fixed bug #60150 (Integer overflow during the parsing
of invalid exif header). (CVE-2011-4566)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4566</cvename>
<cvename>CVE-2011-4885</cvename>
<url>http://www.nruns.com/_downloads/advisory28122011.pdf</url>
</references>
<dates>
<discovery>2011-12-29</discovery>
<entry>2012-01-11</entry>
<modified>2012-01-19</modified>
</dates>
</vuln>
<vuln vid="e7fd27b2-3ae9-11e1-8b5c-00262d5ed8ee">
<topic>torcs -- untrusted local library loading</topic>
<affects>
<package>
<name>torcs</name>
<range><lt>1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TORCS News reports:</p>
<blockquote cite="http://torcs.sourceforge.net/index.php?name=News&amp;file=article&amp;sid=77">
<p>An insecure change to LD_LIBRARY_PATH allows loading of libraries
in directories other than the standard paths. This can be a
problem when downloading and installing untrusted content from the
Internet.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3384</cvename>
<url>http://torcs.sourceforge.net/index.php?name=News&amp;file=article&amp;sid=77</url>
<url>http://sourceforge.net/tracker/index.php?func=detail&amp;aid=3089384&amp;group_id=3777&amp;atid=103777</url>
</references>
<dates>
<discovery>2010-10-20</discovery>
<entry>2012-01-09</entry>
</dates>
</vuln>
<vuln vid="a47af810-3a17-11e1-a1be-00e0815b8da8">
<topic>spamdyke -- STARTTLS Plaintext Injection Vulnerability</topic>
<affects>
<package>
<name>spamdyke</name>
<range><lt>4.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/47435/">
<p>The vulnerability is caused due to the TLS implementation not
properly clearing transport layer buffers when upgrading from
plaintext to ciphertext after receiving the "STARTTLS" command.
This can be exploited to insert arbitrary plaintext data (e.g.
SMTP commands) during the plaintext phase, which will then be
executed after upgrading to the TLS ciphertext phase.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0070</cvename>
<url>http://secunia.com/advisories/47435/</url>
<url>http://www.spamdyke.org/documentation/Changelog.txt</url>
</references>
<dates>
<discovery>2012-01-04</discovery>
<entry>2012-01-08</entry>
<modified>2012-01-23</modified>
</dates>
</vuln>
<vuln vid="1a1aef8e-3894-11e1-8b5c-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>16.0.912.75</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[106672] High CVE-2011-3921: Use-after-free in animation frames.
Credit to Boris Zbarsky of Mozilla.<br/>
[107128] High CVE-2011-3919: Heap-buffer-overflow in libxml.
Credit to Juri Aedla.<br/>
[108006] High CVE-2011-3922: Stack-buffer-overflow in glyph
handling. Credit to Google Chrome Security Team (Cris
Neckar).</p>
<p>[107182] Critical CVE-2011-3925: Use-after-free in Safe Browsing
navigation. Credit to Chamal de Silva.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3919</cvename>
<cvename>CVE-2011-3921</cvename>
<cvename>CVE-2011-3922</cvename>
<cvename>CVE-2011-3925</cvename>
</references>
<dates>
<discovery>2012-01-05</discovery>
<entry>2012-01-06</entry>
<modified>2012-01-23</modified>
</dates>
</vuln>
<vuln vid="0c7a3ee2-3654-11e1-b404-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>2.4.*</ge><lt>3.6.7</lt></range>
<range><ge>4.0.*</ge><lt>4.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4.12/">
<p>The following security issues have been discovered in Bugzilla:</p>
<ul>
<li>Tabular and graphical reports, as well as new charts have
a debug mode which displays raw data as plain text. This
text is not correctly escaped and a crafted URL could use
this vulnerability to inject code leading to XSS.</li>
<li>The User.offer_account_by_email WebService method ignores
the user_can_create_account setting of the authentication
method and generates an email with a token in it which the
user can use to create an account. Depending on the
authentication method being active, this could allow the
user to log in using this account.
Installations where the createemailregexp parameter is
empty are not vulnerable to this issue.</li>
<li>The creation of bug reports and of attachments is not
protected by a token and so they can be created without the
consent of a user if the relevant code is embedded in an
HTML page and the user visits this page. This behavior was
intentional to let third-party applications submit new bug
reports and attachments easily. But as this behavior can be
abused by a malicious user, it has been decided to block
submissions with no valid token starting from version 4.2rc1.
Older branches are not patched to not break these third-party
applications after the upgrade.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon
as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3657</cvename>
<cvename>CVE-2011-3667</cvename>
<cvename>CVE-2011-3668</cvename>
<cvename>CVE-2011-3669</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=697699</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=711714</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=703975</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=703983</url>
</references>
<dates>
<discovery>2011-11-28</discovery>
<entry>2012-01-05</entry>
</dates>
</vuln>
<vuln vid="810df820-3664-11e1-8fe3-00215c6a37bb">
<topic>WordPress -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.3.1,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>3.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>WordPress development team reports:</p>
<blockquote cite="http://wordpress.org/news/2012/01/wordpress-3-3-1/">
<p>WordPress 3.3.1 is now available. This maintenance release
fixes 15 issues with WordPress 3.3, as well as a fix for a
cross-site scripting vulnerability that affected version 3.3.
Thanks to Joshua H., Hoang T., Stefan Zimmerman, Chris K., and
the Go Daddy security team for responsibly disclosing the bug
to our security team.</p>
</blockquote>
</body>
</description>
<references>
<url>http://threatpost.com/en_us/blogs/xss-bug-found-wordpress-33-010312</url>
</references>
<dates>
<discovery>2012-01-03</discovery>
<entry>2012-01-03</entry>
</dates>
</vuln>
<vuln vid="048c77df-3211-11e1-9583-14dae938ec40">
<topic>zabbix-frontend -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>zabbix-frontend</name>
<range><lt>1.8.10,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Martina Matari reports:</p>
<blockquote cite="https://support.zabbix.com/browse/ZBX-4015">
<p>These URLs (hostgroups.php, usergrps.php) are vulnerable to
persistent XSS attacks due to improper sanitation of gname
variable when creating user and host groups.</p>
</blockquote>
</body>
</description>
<references>
<url>https://support.zabbix.com/browse/ZBX-4015</url>
</references>
<dates>
<discovery>2011-08-04</discovery>
<entry>2011-12-29</entry>
</dates>
</vuln>
<vuln vid="c6521b04-314b-11e1-9cf4-5404a67eef98">
<topic>lighttpd -- remote DoS in HTTP authentication</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT/NIST reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4362">
<p>Integer signedness error in the base64_decode function in the
HTTP authentication functionality (http_auth.c) in lighttpd 1.4
before 1.4.30 and 1.5 before SVN revision 2806 allows remote
attackers to cause a denial of service (segmentation fault)
via crafted base64 input that triggers an out-of-bounds read
with a negative index.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4362</cvename>
</references>
<dates>
<discovery>2011-11-29</discovery>
<entry>2011-12-28</entry>
</dates>
</vuln>
<vuln vid="4ddc78dc-300a-11e1-a2aa-0016ce01e285">
<topic>krb5-appl -- telnetd code execution vulnerability</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_7</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
<package>
<name>krb5-appl</name>
<range><lt>1.0.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos Team reports:</p>
<blockquote cite="http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc">
<p>When an encryption key is supplied via the TELNET protocol,
its length is not validated before the key is copied into a
fixed-size buffer. Also see MITKRB5-SA-2011-008.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:08.telnetd</freebsdsa>
<cvename>CVE-2011-4862</cvename>
<url>http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc</url>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt</url>
</references>
<dates>
<discovery>2011-12-23</discovery>
<entry>2011-12-26</entry>
<modified>2012-01-29</modified>
</dates>
</vuln>
<vuln vid="022a4c77-2da4-11e1-b356-00215c6a37bb">
<topic>proftpd -- arbitrary code execution vulnerability with chroot</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_6</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
<package>
<name>proftpd</name>
<name>proftpd-mysql</name>
<range><lt>1.3.3g_1</lt></range>
</package>
<package>
<name>proftpd-devel</name>
<range><lt>1.3.3.r4_3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The FreeBSD security advisory FreeBSD-SA-11:07.chroot reports:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:07.chroot.asc">
<p>If ftpd is configured to place a user in a chroot environment,
then an attacker who can log in as that user may be able to run
arbitrary code(...).</p>
</blockquote>
<p>ProFTPD is affected by a problem of a similar nature.</p>
</body>
</description>
<references>
<freebsdsa>SA-11:07.chroot</freebsdsa>
<url>http://seclists.org/fulldisclosure/2011/Nov/452</url>
</references>
<dates>
<discovery>2011-11-30</discovery>
<entry>2011-12-23</entry>
<modified>2012-01-29</modified>
</dates>
</vuln>
<vuln vid="8c83145d-2c95-11e1-89b4-001ec9578670">
<topic>phpMyAdmin -- Multiple XSS</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.9.r1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php">
<p>Using crafted url parameters, it was possible to produce XSS on
the export panels in the server, database and table sections.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php">
<p>Crafted values entered in the setup interface can produce XSS;
also, if the config directory exists and is writeable, the XSS
payload can be saved to this directory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4780</cvename>
<cvename>CVE-2011-4782</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php</url>
</references>
<dates>
<discovery>2011-12-16</discovery>
<entry>2011-12-22</entry>
</dates>
</vuln>
<vuln vid="e3ff776b-2ba6-11e1-93c6-0011856a6e37">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>9.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>9.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.6</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>9.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.6</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>9.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-53 Miscellaneous memory safety hazards (rv:9.0)</p>
<p>MFSA 2011-54 Potentially exploitable crash in the YARR regular
expression library</p>
<p>MFSA 2011-55 nsSVGValue out-of-bounds access</p>
<p>MFSA 2011-56 Key detection without JavaScript via SVG
animation</p>
<p>MFSA 2011-58 Crash scaling video to extreme sizes</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3658</cvename>
<cvename>CVE-2011-3660</cvename>
<cvename>CVE-2011-3661</cvename>
<cvename>CVE-2011-3663</cvename>
<cvename>CVE-2011-3665</cvename>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-53.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-54.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-55.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-56.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-58.html</url>
</references>
<dates>
<discovery>2011-12-20</discovery>
<entry>2011-12-21</entry>
<modified>2011-12-21</modified>
</dates>
</vuln>
<vuln vid="7ba65bfd-2a40-11e1-b96e-00215af774f0">
<topic>unbound -- denial of service vulnerabilities from nonstandard redirection and denial of existence</topic>
<affects>
<package>
<name>unbound</name>
<range><lt>1.4.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Unbound developer reports:</p>
<blockquote cite="http://www.unbound.net/downloads/CVE-2011-4528.txt">
<p>Unbound crashes when confronted with a non-standard response
from a server for a domain. This domain produces duplicate RRs
from a certain type and is DNSSEC signed. Unbound also crashes
when confronted with a query that eventually, and under specific
circumstances, resolves to a domain that misses expected NSEC3
records.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4528</cvename>
<url>http://unbound.nlnetlabs.nl/downloads/CVE-2011-4528.txt</url>
</references>
<dates>
<discovery>2011-12-19</discovery>
<entry>2011-12-19</entry>
</dates>
</vuln>
<vuln vid="3c957a3e-2978-11e1-89b4-001ec9578670">
<topic>typo3 -- Remote Code Execution</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.6</ge><lt>4.6.2</lt></range>
<range><lt>4.5.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The typo3 security team reports:</p>
<blockquote cite="http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/">
<p>A crafted request to a vulnerable TYPO3 installation will allow
an attacker to load PHP code from an external source and to
execute it on the TYPO3 installation.</p>
<p>This is caused by a PHP file, which is part of the workspaces
system extension, that does not validate passed arguments.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4614</cvename>
<url>http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/</url>
</references>
<dates>
<discovery>2011-12-16</discovery>
<entry>2011-12-18</entry>
</dates>
</vuln>
<vuln vid="6c7d9a35-2608-11e1-89b4-001ec9578670">
<topic>krb5 -- KDC null pointer dereference in TGS handling</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.9</ge><lt>1.9.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos Team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-007.txt">
<p>In releases krb5-1.9 and later, the KDC can crash due to a NULL
pointer dereference in code that handles TGS (Ticket Granting
Service) requests. The trigger condition is trivial to produce
using unmodified client software, but requires the ability to
authenticate as a principal in the KDC's realm.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1530</cvename>
<url>http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-007.txt</url>
</references>
<dates>
<discovery>2011-12-11</discovery>
<entry>2011-12-14</entry>
</dates>
</vuln>
<vuln vid="a4a809d8-25c8-11e1-b531-00215c6a37bb">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<name>linux-opera</name>
<range><lt>11.60</lt></range>
</package>
<package>
<name>opera-devel</name>
<range><lt>11.60,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera software reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1160/">
<ul>
<li>Fixed a moderately severe issue; details will be
disclosed at a later date</li>
<li>Fixed an issue that could allow pages to set cookies
or communicate cross-site for some top level domains;
see our <a href="http://www.opera.com/support/kb/view/1003/">advisory</a></li>
<li>Improved handling of certificate revocation corner
cases</li>
<li>Added a fix for a weakness in the SSL v3.0 and TLS 1.0
specifications, as reported by Thai Duong and Juliano Rizzo;
see our <a href="http://www.opera.com/support/kb/view/1004/">advisory</a></li>
<li>Fixed an issue where the JavaScript "in" operator
allowed leakage of cross-domain information, as reported
by David Bloom; see our <a href="http://www.opera.com/support/kb/view/1005/">advisory</a></li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3389</cvename>
<cvename>CVE-2011-4681</cvename>
<cvename>CVE-2011-4682</cvename>
<cvename>CVE-2011-4683</cvename>
<url>http://www.opera.com/support/kb/view/1003/</url>
<url>http://www.opera.com/support/kb/view/1004/</url>
<url>http://www.opera.com/support/kb/view/1005/</url>
</references>
<dates>
<discovery>2011-12-06</discovery>
<entry>2011-12-13</entry>
</dates>
</vuln>
<vuln vid="68ac6266-25c3-11e1-b63a-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>16.0.912.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>[81753] Medium CVE-2011-3903: Out-of-bounds read in regex
matching. Credit to David Holloway of the Chromium development
community.<br/>
[95465] Low CVE-2011-3905: Out-of-bounds reads in libxml. Credit to
Google Chrome Security Team (Inferno).<br/>
[98809] Medium CVE-2011-3906: Out-of-bounds read in PDF parser.
Credit to Aki Helin of OUSPG.<br/>
[99016] High CVE-2011-3907: URL bar spoofing with view-source.
Credit to Mitja Kolsek of ACROS Security.<br/>
[100863] Low CVE-2011-3908: Out-of-bounds read in SVG parsing.
Credit to Aki Helin of OUSPG.<br/>
[101010] Medium CVE-2011-3909: [64-bit only] Memory corruption in
CSS property array. Credit to Google Chrome Security Team
(scarybeasts) and Chu.<br/>
[101494] Medium CVE-2011-3910: Out-of-bounds read in YUV video
frame handling. Credit to Google Chrome Security Team (Cris
Neckar).<br/>
[101779] Medium CVE-2011-3911: Out-of-bounds read in PDF. Credit to
Google Chrome Security Team (scarybeasts) and Robert Swiecki of
the Google Security Team.<br/>
[102359] High CVE-2011-3912: Use-after-free in SVG filters. Credit
to Arthur Gerkis.<br/>
[103921] High CVE-2011-3913: Use-after-free in Range handling.
Credit to Arthur Gerkis.<br/>
[104011] High CVE-2011-3914: Out-of-bounds write in v8 i18n
handling. Credit to Slawomir Blazek.<br/>
[104529] High CVE-2011-3915: Buffer overflow in PDF font handling.
Credit to Atte Kettunen of OUSPG.<br/>
[104959] Medium CVE-2011-3916: Out-of-bounds reads in PDF cross
references. Credit to Atte Kettunen of OUSPG.<br/>
[105162] Medium CVE-2011-3917: Stack-buffer-overflow in FileWatcher.
Credit to Google Chrome Security Team (Marty Barbella).<br/>
[107258] High CVE-2011-3904: Use-after-free in bidi handling.
Credit to Google Chrome Security Team (Inferno) and miaubiz.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3903</cvename>
<cvename>CVE-2011-3904</cvename>
<cvename>CVE-2011-3905</cvename>
<cvename>CVE-2011-3906</cvename>
<cvename>CVE-2011-3907</cvename>
<cvename>CVE-2011-3908</cvename>
<cvename>CVE-2011-3909</cvename>
<cvename>CVE-2011-3910</cvename>
<cvename>CVE-2011-3911</cvename>
<cvename>CVE-2011-3912</cvename>
<cvename>CVE-2011-3913</cvename>
<cvename>CVE-2011-3914</cvename>
<cvename>CVE-2011-3915</cvename>
<cvename>CVE-2011-3916</cvename>
<cvename>CVE-2011-3917</cvename>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
</references>
<dates>
<discovery>2011-12-13</discovery>
<entry>2011-12-13</entry>
</dates>
</vuln>
<vuln vid="bbd5f486-24f1-11e1-95bc-080027ef73ec">
<topic>PuTTY 0.59 - 0.61 -- Password vulnerability</topic>
<affects>
<package>
<name>putty</name>
<range><ge>0.59</ge><lt>0.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Tatham reports:</p>
<blockquote cite="http://lists.tartarus.org/pipermail/putty-announce/2011/000017.html">
<p>PuTTY 0.62 fixes a security issue present in 0.59, 0.60 and 0.61.
If you log in using SSH-2 keyboard-interactive authentication
(which is the usual method used by modern servers to request a
password), the password you type was accidentally kept in PuTTY's
memory for the rest of its run, where it could be retrieved by
other processes reading PuTTY's memory, or written out to swap
files or crash dumps.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4607</cvename>
<mlist>http://lists.tartarus.org/pipermail/putty-announce/2011/000017.html</mlist>
</references>
<dates>
<discovery>2011-12-10</discovery>
<entry>2011-12-12</entry>
</dates>
</vuln>
<vuln vid="bb389137-21fb-11e1-89b4-001ec9578670">
<topic>asterisk -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>asterisk18</name>
<range><lt>1.8.7.2</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><lt>1.6.2.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="http://downloads.asterisk.org/pub/security/AST-2011-013.html">
<p>It is possible to enumerate SIP usernames when the general and
user/peer NAT settings differ in whether to respond to the port
a request is sent from or the port listed for responses in the
Via header.</p>
</blockquote>
<blockquote cite="http://downloads.asterisk.org/pub/security/AST-2011-014.html">
<p>When the "automon" feature is enabled in features.conf, it is
possible to send a sequence of SIP requests that cause Asterisk
to dereference a NULL pointer and crash.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4597</cvename>
<cvename>CVE-2011-4598</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2011-013.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-014.html</url>
</references>
<dates>
<discovery>2011-12-08</discovery>
<entry>2011-12-09</entry>
</dates>
</vuln>
<vuln vid="93be487e-211f-11e1-89b4-001ec9578670">
<topic>isc-dhcp-server -- Remote DoS</topic>
<affects>
<package>
<name>isc-dhcp42-server</name>
<range><lt>4.2.3_1</lt></range>
</package>
<package>
<name>isc-dhcp41-server</name>
<range><lt>4.1.e_3,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/software/bind/advisories/cve-2011-4539">
<p>A bug exists which allows an attacker who is able to send DHCP
Request packets, either directly or through a relay, to remotely
crash an ISC DHCP server if that server is configured to evaluate
expressions using a regular expression (i.e. uses the "~=" or
"~~" comparison operators).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4539</cvename>
</references>
<dates>
<discovery>2011-12-07</discovery>
<entry>2011-12-07</entry>
</dates>
</vuln>
<vuln vid="ed536336-1c57-11e1-86f4-e0cb4e266481">
<topic>phpMyAdmin -- Multiple XSS</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.8.r1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php">
<p>Using crafted database names, it was possible to produce XSS
in the Database Synchronize and Database rename panels. Using
an invalid and crafted SQL query, it was possible to produce
XSS when editing a query on a table overview panel or when
using the view creation dialog. Using a crafted column type,
it was possible to produce XSS in the table search and create
index dialogs.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4634</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php</url>
</references>
<dates>
<discovery>2011-11-24</discovery>
<entry>2011-12-01</entry>
</dates>
</vuln>
<vuln vid="eef56761-11eb-11e1-bb94-001c140104d4">
<topic>hiawatha -- memory leak in PreventSQLi routine</topic>
<affects>
<package>
<name>hiawatha</name>
<range><ge>7.6</ge><lt>7.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hugo Leisink reports via private mail to maintainer:</p>
<blockquote>
<p>The memory leak was introduced in version 7.6. It is in the
routine that checks for SQL injections. So, if you have set
PreventSQLi to 'no', there is no problem.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.hiawatha-webserver.org/changelog</url>
</references>
<dates>
<discovery>2011-11-18</discovery>
<entry>2011-11-18</entry>
</dates>
</vuln>
<vuln vid="90cc1494-10ac-11e1-b3ec-0024e830109b">
<topic>BIND -- Remote DOS</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_7</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R5.1</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.4.1</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Internet Systems Consortium reports:</p>
<blockquote cite="https://www.isc.org/software/bind/advisories/cve-2011-4313">
<p>Organizations across the Internet reported crashes interrupting
service on BIND 9 nameservers performing recursive queries.
Affected servers crashed after logging an error in query.c with
the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))"
Multiple versions were reported being affected, including all
currently supported release versions of ISC BIND 9.</p>
<p>Because it may be possible to trigger this bug even on networks
that do not allow untrusted users to access the recursive name
servers (perhaps via specially crafted e-mail messages, and/or
malicious web sites) it is recommended that ALL operators of
recursive name servers upgrade immediately.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:06.bind</freebsdsa>
<cvename>CVE-2011-4313</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313</url>
<url>https://www.isc.org/software/bind/advisories/cve-2011-4313</url>
</references>
<dates>
<discovery>2011-11-16</discovery>
<entry>2011-11-16</entry>
<modified>2012-01-29</modified>
</dates>
</vuln>
<vuln vid="d8c901ff-0f0f-11e1-902b-20cf30e32f6d">
<topic>Apache 1.3 -- mod_proxy reverse proxy exposure</topic>
<affects>
<package>
<name>apache</name>
<range><lt>1.3.43</lt></range>
</package>
<package>
<name>apache+ssl</name>
<range><lt>1.3.43.1.59_2</lt></range>
</package>
<package>
<name>apache+ipv6</name>
<range><lt>1.3.43</lt></range>
</package>
<package>
<name>apache+mod_perl</name>
<range><lt>1.3.43</lt></range>
</package>
<package>
<name>apache+mod_ssl</name>
<range><lt>1.3.41+2.8.31_4</lt></range>
</package>
<package>
<name>apache+mod_ssl+ipv6</name>
<range><lt>1.3.41+2.8.31_4</lt></range>
</package>
<package>
<name>ru-apache-1.3</name>
<range><lt>1.3.43+30.23_1</lt></range>
</package>
<package>
<name>ru-apache+mod_ssl</name>
<range><lt>1.3.43+30.23_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache HTTP server project reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_13.html">
<p>An exposure was found when using mod_proxy in reverse proxy mode.
In certain configurations using RewriteRule with proxy flag, a
remote attacker could cause the reverse proxy to connect to an
arbitrary server, possibly disclosing sensitive information from
internal web servers not directly accessible to attacker. There
is no patch against this issue!</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3368</cvename>
<url>http://httpd.apache.org/security/vulnerabilities_13.html</url>
<url>http://seclists.org/fulldisclosure/2011/Oct/232</url>
</references>
<dates>
<discovery>2011-10-05</discovery>
<entry>2011-11-14</entry>
</dates>
</vuln>
<vuln vid="7fb9e739-0e6d-11e1-87cd-00235a5f2c9a">
<topic>kdeutils4 -- Directory traversal vulnerability</topic>
<affects>
<package>
<name>kdeutils</name>
<range><ge>4.0.*</ge><lt>4.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tim Brown from Nth Dimention reports:</p>
<blockquote cite="http://seclists.org/fulldisclosure/2011/Oct/351">
<p>I recently discovered that the Ark archiving tool is vulnerable
to directory traversal via malformed. When attempts are made to
view files within the malformed Zip file in Ark's default view,
the wrong file may be displayed due to incorrect construction of
the temporary file name. Whilst this does not allow the wrong
file to be overwritten, after closing the default view, Ark will
then attempt to delete the temporary file which could result in
the deletion of the incorrect file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2725</cvename>
<url>http://seclists.org/fulldisclosure/2011/Oct/351</url>
</references>
<dates>
<discovery>2011-10-19</discovery>
<entry>2011-11-14</entry>
</dates>
</vuln>
<vuln vid="38560d79-0e42-11e1-902b-20cf30e32f6d">
<topic>Apache APR -- DoS vulnerabilities</topic>
<affects>
<package>
<name>apr0</name>
<range><lt>0.9.20.0.9.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Portable Runtime Project reports:</p>
<blockquote cite="http://www.apache.org/dist/apr/CHANGES-APR-0.9">
<p>Reimplement apr_fnmatch() from scratch using a non-recursive
algorithm; now has improved compliance with the fnmatch()
spec.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0419</cvename>
<url>http://www.apache.org/dist/apr/Announcement0.9.html</url>
</references>
<dates>
<discovery>2011-05-19</discovery>
<entry>2011-11-13</entry>
</dates>
</vuln>
<vuln vid="1f6ee708-0d22-11e1-b5bd-14dae938ec40">
<topic>phpmyadmin -- Local file inclusion</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.7.1</lt></range>
<range><lt>3.3.10.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jan Lieskovsky reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php">
<p>Importing a specially-crafted XML file which contains an XML
entity injection permits to retrieve a local file (limited by the
privileges of the user running the web server).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4107</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php</url>
</references>
<dates>
<discovery>2011-11-10</discovery>
<entry>2011-11-12</entry>
</dates>
</vuln>
<vuln vid="0e8e1212-0ce5-11e1-849b-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r183.11</lt></range>
<range><gt>11</gt><lt>11.1r102.55</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb11-28.html">
<p>Critical vulnerabilities have been identified in Adobe Flash
Player 11.0.1.152 and earlier versions for Windows, Macintosh,
Linux and Solaris, and Adobe Flash Player 11.0.1.153 and earlier
versions for Android.</p>
</blockquote>
<p>In addition, a patch was released for users of flash10.</p>
</body>
</description>
<references>
<cvename>CVE-2011-2445</cvename>
<cvename>CVE-2011-2450</cvename>
<cvename>CVE-2011-2451</cvename>
<cvename>CVE-2011-2452</cvename>
<cvename>CVE-2011-2453</cvename>
<cvename>CVE-2011-2454</cvename>
<cvename>CVE-2011-2455</cvename>
<cvename>CVE-2011-2456</cvename>
<cvename>CVE-2011-2457</cvename>
<cvename>CVE-2011-2458</cvename>
<cvename>CVE-2011-2459</cvename>
<cvename>CVE-2011-2460</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb11-28.html</url>
</references>
<dates>
<discovery>2011-11-10</discovery>
<entry>2011-11-11</entry>
</dates>
</vuln>
<vuln vid="ce4b3af8-0b7c-11e1-846b-00235409fd3e">
<topic>libxml -- Integer overflow</topic>
<affects>
<package>
<name>libxml</name>
<range><lt>1.8.17_5</lt></range>
</package>
<package>
<name>libxml2</name>
<range><lt>2.7.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Integer overflow in xpath.c allows context-dependent attackers
to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted XML file that triggers a heap-based
buffer overflow when adding a new namespace node, related to
handling of XPath expressions.</p>
</body>
</description>
<references>
<cvename>CVE-2011-1944</cvename>
</references>
<dates>
<discovery>2011-09-02</discovery>
<entry>2011-11-10</entry>
<modified>2011-11-12</modified>
</dates>
</vuln>
<vuln vid="ce4b3af8-0b7c-11e1-846b-00235409fd3e">
<topic>libxml -- Multiple use-after-free vulnerabilities</topic>
<affects>
<package>
<name>libxml</name>
<range><lt>1.8.17_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple use-after-free vulnerabilities in libxml 1.8.17
allow context-dependent attackers to cause a denial of service
(application crash) via crafted (1) Notation or (2) Enumeration
attribute types in an XML file.</p>
</body>
</description>
<references>
<cvename>CVE-2009-2416</cvename>
</references>
<dates>
<discovery>2009-08-03</discovery>
<entry>2011-11-10</entry>
<modified>2011-11-12</modified>
</dates>
</vuln>
<vuln vid="5a7d4110-0b7a-11e1-846b-00235409fd3e">
<topic>libxml -- Stack consumption vulnerability</topic>
<affects>
<package>
<name>libxml</name>
<range><lt>1.8.17_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A stack consumption vulnerability allows context-dependent
attackers to cause a denial of service (application crash) via
a large depth of element declarations in a DTD.</p>
</body>
</description>
<references>
<cvename>CVE-2009-2414</cvename>
</references>
<dates>
<discovery>2009-08-03</discovery>
<entry>2011-11-10</entry>
<modified>2011-11-12</modified>
</dates>
</vuln>
<vuln vid="bdec8dc2-0b3b-11e1-b722-001cc0476564">
<topic>gnutls -- client session resumption vulnerability</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>2.12.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The GnuTLS team reports:</p>
<blockquote cite="http://www.gnu.org/software/gnutls/security.html">
<p>GNUTLS-SA-2011-2 Possible buffer overflow/Denial of service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4128</cvename>
<url>http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5596</url>
</references>
<dates>
<discovery>2011-11-08</discovery>
<entry>2011-11-10</entry>
</dates>
</vuln>
<vuln vid="6c8ad3e8-0a30-11e1-9580-4061862b8c22">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>8.0,1</lt></range>
<range><gt>3.6.*,1</gt><lt>3.6.24,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.24</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>8.0,1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>8.0</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>8.0</lt></range>
<range><lt>3.1.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-46 loadSubScript unwraps XPCNativeWrapper scope
parameter (1.9.2 branch)</p>
<p>MFSA 2011-47 Potential XSS against sites using Shift-JIS</p>
<p>MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0)</p>
<p>MFSA 2011-49 Memory corruption while profiling using Firebug</p>
<p>MFSA 2011-50 Cross-origin data theft using canvas and Windows
D2D</p>
<p>MFSA 2011-51 Cross-origin image theft on Mac with integrated
Intel GPU</p>
<p>MFSA 2011-52 Code execution via NoWaiverWrapper</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3647</cvename>
<cvename>CVE-2011-3648</cvename>
<cvename>CVE-2011-3649</cvename>
<cvename>CVE-2011-3650</cvename>
<cvename>CVE-2011-3651</cvename>
<cvename>CVE-2011-3652</cvename>
<cvename>CVE-2011-3653</cvename>
<cvename>CVE-2011-3654</cvename>
<cvename>CVE-2011-3655</cvename>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-46.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-47.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-48.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-49.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-50.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-51.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-52.html</url>
</references>
<dates>
<discovery>2011-11-08</discovery>
<entry>2011-11-08</entry>
</dates>
</vuln>
<vuln vid="9dde9dac-08f4-11e1-af36-003067b2972c">
<topic>caml-light -- insecure use of temporary files</topic>
<affects>
<package>
<name>caml-light</name>
<range><le>0.75</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>caml-light uses mktemp() insecurely, and also does
unsafe things in /tmp during make install.</p>
</body>
</description>
<references>
<cvename>CVE-2011-4119</cvename>
<mlist msgid="20111106200911.GC13652@netbsd.org">http://seclists.org/oss-sec/2011/q4/249</mlist>
</references>
<dates>
<discovery>2011-11-02</discovery>
<entry>2011-11-06</entry>
</dates>
</vuln>
<vuln vid="54075e39-04ac-11e1-a94e-bcaec565249c">
<topic>freetype -- Type 1 font handling vulnerabilities</topic>
<affects>
<package>
<name>freetype2</name>
<range><lt>2.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The FreeType project reports:</p>
<blockquote cite="http://sourceforge.net/projects/freetype/files/freetype2/2.4.7/README/view">
<p>A couple of vulnerabilities in handling Type 1 fonts.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3256</cvename>
<url>http://sourceforge.net/projects/freetype/files/freetype2/2.4.7/README/view</url>
<url>https://bugzilla.redhat.com/attachment.cgi?id=528829&amp;action=diff</url>
</references>
<dates>
<discovery>2011-10-12</discovery>
<entry>2011-11-01</entry>
</dates>
</vuln>
<vuln vid="f08e2c15-ffc9-11e0-b0f3-bcaec565249c">
<topic>cacti -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.7h</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cacti Group reports:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_7h.php">
<p>SQL injection issue with user login, and cross-site scripting
issues.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.cacti.net/release_notes_0_8_7h.php</url>
</references>
<dates>
<discovery>2011-09-26</discovery>
<entry>2011-10-26</entry>
</dates>
</vuln>
<vuln vid="395e0faa-ffa7-11e0-8ac4-6c626dd55a41">
<topic>phpmyfaq -- Remote PHP Code Injection Vulnerability</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.6.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ project reports:</p>
<blockquote cite="http://www.phpmyfaq.de/advisory_2011-10-25.php">
<p>The phpMyFAQ Team has learned of a serious security issue that
has been discovered in our bundled ImageManager library we use
in phpMyFAQ 2.6 and 2.7. The bundled ImageManager library
allows injection of arbitrary PHP code via POST requests.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyfaq.de/advisory_2011-10-25.php</url>
<url>http://forum.phpmyfaq.de/viewtopic.php?f=3&amp;t=13402</url>
</references>
<dates>
<discovery>2011-10-25</discovery>
<entry>2011-10-26</entry>
</dates>
</vuln>
<vuln vid="edf47177-fe3f-11e0-a207-0014a5e3cda6">
<topic>phpLDAPadmin -- Remote PHP code injection vulnerability</topic>
<affects>
<package>
<name>phpldapadmin</name>
<range><ge>1.2.0</ge><lt>1.2.1.1_1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>EgiX (n0b0d13s at gmail dot com) reports:</p>
<blockquote cite="http://packetstormsecurity.org/files/106120/phpldapadmin-inject.txt">
<p>The $sortby parameter passed to 'masort' function in file
lib/functions.php isn't properly sanitized before being used in
a call to create_function() at line 1080. This can be exploited
to inject and execute arbitrary PHP code. The only possible
attack vector is when handling the 'query_engine' command, in
which input passed through $_REQUEST['orderby'] is passed as
$sortby parameter to 'masort' function.</p>
</blockquote>
</body>
</description>
<references>
<url>http://packetstormsecurity.org/files/106120/phpldapadmin-inject.txt</url>
<url>http://sourceforge.net/tracker/?func=detail&amp;aid=3417184&amp;group_id=61828&amp;atid=498546</url>
</references>
<dates>
<discovery>2011-10-23</discovery>
<entry>2011-10-24</entry>
</dates>
</vuln>
<vuln vid="6d21a287-fce0-11e0-a828-00235a5f2c9a">
<topic>kdelibs4, rekonq -- input validation failure</topic>
<affects>
<package>
<name>kdelibs</name>
<range><ge>4.0.*</ge><lt>4.7.2</lt></range>
</package>
<package>
<name>rekonq</name>
<range><lt>0.8.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>KDE Security Advisory reports:</p>
<blockquote cite="http://www.kde.org/info/security/advisory-20111003-1.txt">
<p>The default rendering type for a QLabel is QLabel::AutoText,
which uses heuristics to determine whether to render the given
content as plain text or rich text. KSSL and Rekonq did not
properly force their QLabels to use QLabel::PlainText. As a result,
if given a certificate containing rich text in its fields, they
would render the rich text. Specifically, a certificate
containing a common name (CN) that has a table element will cause
the second line of the table to be displayed. This can allow
spoofing of the certificate's common name.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.kde.org/info/security/advisory-20111003-1.txt</url>
<url>http://www.nth-dimension.org.uk/pub/NDSA20111003.txt.asc</url>
<cvename>CVE-2011-3365</cvename>
<cvename>CVE-2011-3366</cvename>
</references>
<dates>
<discovery>2011-10-03</discovery>
<entry>2011-10-23</entry>
</dates>
</vuln>
<vuln vid="411ecb79-f9bc-11e0-a7e6-6c626dd55a41">
<topic>piwik -- unknown critical vulnerabilities</topic>
<affects>
<package>
<name>piwik</name>
<range><gt>1.1</gt><lt>1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/46461/">
<p>Multiple vulnerabilities with an unknown impact have been
reported in Piwik. The vulnerabilities are caused due to
unspecified errors. No further information is currently
available.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/46461/</url>
<url>http://piwik.org/blog/2011/10/piwik-1-6/</url>
</references>
<dates>
<discovery>2011-10-18</discovery>
<entry>2011-10-20</entry>
</dates>
</vuln>
<vuln vid="8441957c-f9b4-11e0-a78a-bcaec565249c">
<topic>Xorg server -- two vulnerabilities in X server lock handling code</topic>
<affects>
<package>
<name>xorg-server</name>
<range><lt>1.7.7_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthieu Herrb reports:</p>
<blockquote cite="http://lists.freedesktop.org/archives/xorg-announce/2011-October/001744.html">
<p>It is possible to deduce if a file exists or not by exploiting
the way that Xorg creates its lock files. This is caused by the
fact that the X server is behaving differently if the lock file
already exists as a symbolic link pointing to an existing or
non-existing file.</p>
<p>It is possible for a non-root user to set the permissions for
all users on any file or directory to 444, giving unwanted read
access or causing denial of service (by removing execute
permission). This is caused by a race between creating the lock
file and setting its access modes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4028</cvename>
<cvename>CVE-2011-4029</cvename>
</references>
<dates>
<discovery>2011-10-18</discovery>
<entry>2011-10-18</entry>
</dates>
</vuln>
<vuln vid="a95092a6-f8f1-11e0-a7ea-00215c6a37bb">
<topic>asterisk -- remote crash vulnerability in SIP channel driver</topic>
<affects>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.7.1</lt></range>
</package>
<package>
<name>asterisk</name>
<range><gt>10.0.0.*</gt><lt>10.0.0.r1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="http://downloads.asterisk.org/pub/security/AST-2011-012.html">
<p>A remote authenticated user can cause a crash with a malformed
request due to an uninitialized variable.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4063</cvename>
</references>
<dates>
<discovery>2011-10-17</discovery>
<entry>2011-10-17</entry>
</dates>
</vuln>
<vuln vid="e454ca2f-f88d-11e0-b566-00163e01a509">
<topic>PivotX -- Remote File Inclusion Vulnerability of TimThumb</topic>
<affects>
<package>
<name>pivotx</name>
<range><lt>2.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PivotX team reports:</p>
<blockquote cite="http://blog.pivotx.net/page/security">
<p>TimThumb domain name security bypass and insecure cache
handling. PivotX before 2.3.0 includes a vulnerable version
of TimThumb.</p>
</blockquote>
<blockquote cite="http://blog.pivotx.net/2011-10-14/timthumb-update-for-older-pivotx-installs">
<p>If you are still running PivotX 2.2.6, you might be vulnerable
to a security exploit, that was patched previously. Version
2.3.0 doesn't have this issue, but any older version of PivotX
might be vulnerable.</p>
</blockquote>
</body>
</description>
<references>
<bid>48963</bid>
<url>https://secunia.com/advisories/45416/</url>
</references>
<dates>
<discovery>2011-08-03</discovery>
<entry>2011-10-17</entry>
</dates>
</vuln>
<vuln vid="9bad5ab1-f3f6-11e0-8b5c-b482fe3f522d">
<topic>OpenTTD -- Multiple buffer overflows in validation of external data</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>0.1.0</ge><lt>1.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3343">
<p>Multiple buffer overflows in OpenTTD before 1.1.3 allow local
users to cause a denial of service (daemon crash) or possibly
gain privileges via (1) a crafted BMP file with RLE compression
or (2) crafted dimensions in a BMP file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3343</cvename>
<url>http://security.openttd.org/en/CVE-2011-3343</url>
</references>
<dates>
<discovery>2011-08-25</discovery>
<entry>2011-10-16</entry>
</dates>
</vuln>
<vuln vid="78c25ed7-f3f9-11e0-8b5c-b482fe3f522d">
<topic>OpenTTD -- Buffer overflows in savegame loading</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>0.1.0</ge><lt>1.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3342">
<p>Multiple buffer overflows in OpenTTD before 1.1.3 allow remote
attackers to cause a denial of service (daemon crash) or possibly
execute arbitrary code via vectors related to (1) NAME, (2) PLYR,
(3) CHTS, or (4) AIPL (aka AI config) chunk loading from a
savegame.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3342</cvename>
<url>http://security.openttd.org/en/CVE-2011-3342</url>
</references>
<dates>
<discovery>2011-08-08</discovery>
<entry>2011-10-16</entry>
</dates>
</vuln>
<vuln vid="e77befb5-f3f9-11e0-8b5c-b482fe3f522d">
<topic>OpenTTD -- Denial of service via improperly validated commands</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>0.3.5</ge><lt>1.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3341">
<p>Multiple off-by-one errors in order_cmd.cpp in OpenTTD before
1.1.3 allow remote attackers to cause a denial of service (daemon
crash) or possibly execute arbitrary code via a crafted
CMD_INSERT_ORDER command.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3341</cvename>
<url>http://security.openttd.org/en/CVE-2011-3341</url>
</references>
<dates>
<discovery>2011-08-25</discovery>
<entry>2011-10-16</entry>
</dates>
</vuln>
<vuln vid="ab9be2c8-ef91-11e0-ad5a-00215c6a37bb">
<topic>quagga -- multiple vulnerabilities</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT-FI reports:</p>
<blockquote cite="https://www.cert.fi/en/reports/2011/vulnerability539178.html">
<p>Five vulnerabilities have been found in the BGP, OSPF, and
OSPFv3 components of Quagga. The vulnerabilities allow an
attacker to cause a denial of service or potentially to
execute his own code by sending specially modified packets
to an affected server. Routing messages are typically accepted
from the routing peers. Exploiting these vulnerabilities may
require an established routing session (BGP peering or
OSPF/OSPFv3 adjacency) to the router.</p>
<p>The vulnerability <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3327">CVE-2011-3327</a>
is related to the extended communities handling in BGP
messages. Receiving a malformed BGP update can result
in a buffer overflow and disruption of IPv4 routing.</p>
<p>The vulnerability <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3326">CVE-2011-3326</a>
results from the handling of LSA (Link State Advertisement)
states in the OSPF service. Receiving a modified Link State
Update message with malicious state information can result in
denial of service in IPv4 routing.</p>
<p>The vulnerability <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3325">CVE-2011-3325</a>
is a denial of service vulnerability related to Hello message
handling by the OSPF service. As Hello messages are used to
initiate adjacencies, exploiting the vulnerability may be
feasible from the same broadcast domain without an established
adjacency. A malformed packet may result in denial of service
in IPv4 routing.</p>
<p>The vulnerabilities <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3324">CVE-2011-3324</a>
and <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3323">CVE-2011-3323</a>
are related to the IPv6 routing protocol (OSPFv3) implemented
in ospf6d daemon. Receiving modified Database Description and
Link State Update messages, respectively, can result in denial
of service in IPv6 routing.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3323</cvename>
<cvename>CVE-2011-3324</cvename>
<cvename>CVE-2011-3325</cvename>
<cvename>CVE-2011-3326</cvename>
<cvename>CVE-2011-3327</cvename>
</references>
<dates>
<discovery>2011-09-26</discovery>
<entry>2011-10-05</entry>
</dates>
</vuln>
<vuln vid="1fade8a3-e9e8-11e0-9580-4061862b8c22">
<topic>Mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>7.0,1</lt></range>
<range><gt>3.6.*,1</gt><lt>3.6.23,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.23</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>7.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.4</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>7.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.4</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>7.0</lt></range>
<range><lt>3.1.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 /
rv:1.9.2.23)</p>
<p>MFSA 2011-37 Integer underflow when using JavaScript RegExp</p>
<p>MFSA 2011-38 XSS via plugins and shadowed window.location
object</p>
<p>MFSA 2011-39 Defense against multiple Location headers due to
CRLF Injection</p>
<p>MFSA 2011-40 Code installation through holding down Enter</p>
<p>MFSA 2011-41 Potentially exploitable WebGL crashes</p>
<p>MFSA 2011-42 Potentially exploitable crash in the YARR regular
expression library</p>
<p>MFSA 2011-43 loadSubScript unwraps XPCNativeWrapper scope
parameter</p>
<p>MFSA 2011-44 Use after free reading OGG headers</p>
<p>MFSA 2011-45 Inferring Keystrokes from motion data</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2372</cvename>
<cvename>CVE-2011-2995</cvename>
<cvename>CVE-2011-2996</cvename>
<cvename>CVE-2011-2997</cvename>
<cvename>CVE-2011-2999</cvename>
<cvename>CVE-2011-3000</cvename>
<cvename>CVE-2011-3001</cvename>
<cvename>CVE-2011-3002</cvename>
<cvename>CVE-2011-3003</cvename>
<cvename>CVE-2011-3004</cvename>
<cvename>CVE-2011-3005</cvename>
<cvename>CVE-2011-3232</cvename>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-36.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-37.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-38.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-39.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-40.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-41.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-42.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-43.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-44.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-45.html</url>
</references>
<dates>
<discovery>2011-09-27</discovery>
<entry>2011-09-28</entry>
</dates>
</vuln>
<vuln vid="53e531a7-e559-11e0-b481-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r183.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb11-26.html">
<p>Critical vulnerabilities have been identified in Adobe Flash
Player 10.3.183.7 and earlier versions for Windows, Macintosh,
Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier
versions for Android. These vulnerabilities could cause a crash
and potentially allow an attacker to take control of the
affected system.</p>
<p>There are reports that one of these vulnerabilities
(CVE-2011-2444) is being exploited in the wild in active
targeted attacks designed to trick the user into clicking on
a malicious link delivered in an email message. This universal
cross-site scripting issue could be used to take actions on a
user's behalf on any website or webmail provider if the user
visits a malicious website.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.adobe.com/support/security/bulletins/apsb11-26.html</url>
<cvename>CVE-2011-2426</cvename>
<cvename>CVE-2011-2427</cvename>
<cvename>CVE-2011-2428</cvename>
<cvename>CVE-2011-2429</cvename>
<cvename>CVE-2011-2430</cvename>
<cvename>CVE-2011-2444</cvename>
</references>
<dates>
<discovery>2011-06-06</discovery>
<entry>2011-09-22</entry>
</dates>
</vuln>
<vuln vid="e44fe906-df27-11e0-a333-001cc0a36e12">
<topic>phpMyAdmin -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php">
<p>Firstly, if a row contains javascript code, after inline
editing this row and saving, the code is executed. Secondly,
missing sanitization on the db, table and column names leads
to XSS vulnerabilities.</p>
<p>Versions 3.4.0 to 3.4.4 were found vulnerable.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php</url>
</references>
<dates>
<discovery>2011-09-11</discovery>
<entry>2011-09-14</entry>
</dates>
</vuln>
<vuln vid="d01d10c7-de2d-11e0-b215-00215c6a37bb">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py27-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><ge>1.3</ge><lt>1.3.1</lt></range>
<range><ge>1.2</ge><lt>1.2.7</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py27-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>16758,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">
<p>Today the Django team is issuing multiple releases --
Django 1.2.6 and Django 1.3.1 -- to remedy security issues
reported to us. Additionally, this announcement contains
advisories for several other issues which, while not
requiring changes to Django itself, will be of concern
to users of Django.</p>
<p>All users are encouraged to upgrade Django, and to implement
the recommendations in these advisories, immediately.</p>
<h3>Session manipulation</h3>
<p>Django's session framework, django.contrib.sessions, is
configurable to use any of multiple backends for storage of
session data. One such backend, provided with Django itself,
integrates with Django's cache framework to use the cache as
storage for session data.</p>
<p>When configured in this fashion using memory-based sessions
and caching, Django sessions are stored directly in the root
namespace of the cache, using session identifiers as keys.</p>
<p>This results in a potential attack when coupled with an
application storing user-supplied data in the cache; if an
attacker can cause data to be cached using a key which is
also a valid session identifier, Django's session framework
will treat that data -- so long as it is a dictionary-like
object -- as the session, thus allowing arbitrary data to be
inserted into a session so long as the attacker knows the
session key.</p>
<h3>Denial of service attack via URLField</h3>
<p>Django's model system includes a field type -- URLField --
which validates that the supplied value is a valid URL, and if
the boolean keyword argument verify_exists is true, attempts
to validate that the supplied URL also resolves, by issuing a
request to it.</p>
<p>By default, the underlying socket libraries in Python do not
have a timeout. This can manifest as a security problem in
three different ways:</p>
<ol>
<li>An attacker can supply a slow-to-respond URL. Each request
will tie up a server process for a period of time; if the
attacker is able to make enough requests, they can tie up
all available server processes.</li>
<li>An attacker can supply a URL under his or her control, and
which will simply hold an open connection indefinitely. Due
to the lack of timeout, the Django process attempting to
verify the URL will similarly spin indefinitely. Repeating
this can easily tie up all available server processes.</li>
<li>An attacker can supply a URL under his or her control
which not only keeps the connection open, but also sends an
unending stream of random garbage data. This data will
cause the memory usage of the Django process (which will
hold the response in memory) to grow without bound, thus
consuming not only server processes but also server
memory.</li>
</ol>
<h3>URLField redirection</h3>
<p>The regular expression which validates URLs is used to check
the supplied URL before issuing a check to verify that it
exists, but if that URL issues a redirect in response to the
request, no validation of the resulting redirected URL is
performed, including basic checks for supported protocols
(HTTP, HTTPS, and FTP).</p>
<p>This creates a small window for an attacker to gain knowledge
of, for example, server layout; a redirect to a file:// URL,
for example, will tell an attacker whether a given file exists
locally on the server.</p>
<p>Additionally, although the initial request issued by Django
uses the HEAD method for HTTP/HTTPS, the request to the target
of the redirect is issued using GET. This may create further
issues for systems which implicitly trust GET requests from
the local machine/network.</p>
<h3>Host header cache poisoning</h3>
<p>In several places, Django itself -- independent of the
developer -- generates full URLs (for example, when issuing
HTTP redirects). Currently this uses the value of the HTTP
Host header from the request to construct the URL, which opens
a potential cache-poisoning vector: an attacker can submit
a request with a Host header of his or her choice, receive a
response which constructs URLs using that Host header, and --
if that response is cached -- further requests will be served
out of cache using URLs containing the attacker's host of
choice.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/</url>
</references>
<dates>
<discovery>2011-09-09</discovery>
<entry>2011-09-13</entry>
<modified>2011-11-01</modified>
</dates>
</vuln>
<vuln vid="4ae68e7c-dda4-11e0-a906-00215c6a37bb">
<topic>roundcube -- XSS vulnerability</topic>
<affects>
<package>
<name>roundcube</name>
<range><lt>0.5.4,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>RoundCube development team reports:</p>
<blockquote cite="http://sourceforge.net/news/?group_id=139281&amp;id=302769">
<p>We just published a new release which fixes a recently
reported XSS vulnerability as an update to the stable 0.5
branch. Please update your installations with this new
version or patch them with the fix which is also published
in the downloads section or our sourceforge.net page.</p>
</blockquote>
<p>and:</p>
<blockquote cite="http://trac.roundcube.net/ticket/1488030">
<p>During one of my pen-tests I found that the _mbox parameter is not
properly sanitized and a reflected XSS attack is possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2937</cvename>
</references>
<dates>
<discovery>2011-08-09</discovery>
<entry>2011-09-13</entry>
</dates>
</vuln>
<vuln vid="b9f3ffa3-dd6c-11e0-b7fc-000a5e1e33c6">
<topic>libsndfile -- PAF file processing integer overflow</topic>
<affects>
<package>
<name>libsndfile</name>
<range><lt>1.0.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/45125/">
<p>Hossein Lotfi has discovered a vulnerability in libsndfile,
which can be exploited by malicious people to potentially
compromise an application using the library. The vulnerability
is caused due to an integer overflow error in the "paf24_init()"
function (src/paf.c) when processing Paris Audio (PAF) files.
This can be exploited to cause a heap-based buffer overflow via
a specially crafted file. Successful exploitation may allow
execution of arbitrary code. The vulnerability is confirmed in
version 1.0.24. Other versions may also be affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2696</cvename>
<url>http://secunia.com/advisories/45125/</url>
</references>
<dates>
<discovery>2011-07-12</discovery>
<entry>2011-09-12</entry>
</dates>
</vuln>
<vuln vid="2ecb7b20-d97e-11e0-b2e2-00215c6a37bb">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><ge>1.0.0</ge><lt>1.0.0_6</lt></range>
<range><ge>0.9.8</ge><lt>1.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL Team reports:</p>
<blockquote cite="http://openssl.org/news/secadv_20110906.txt">
<p>Two security flaws have been fixed in OpenSSL 1.0.0e</p>
<p>Under certain circumstances OpenSSL's internal certificate
verification routines can incorrectly accept a CRL whose
nextUpdate field is in the past. (CVE-2011-3207)</p>
<p>OpenSSL server code for ephemeral ECDH ciphersuites is not
thread-safe, and furthermore can crash if a client violates
the protocol by sending handshake messages in incorrect
order. (CVE-2011-3210)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3207</cvename>
<cvename>CVE-2011-3210</cvename>
<url>http://www.openssl.org/news/secadv_20110906.txt</url>
</references>
<dates>
<discovery>2011-09-06</discovery>
<entry>2011-09-07</entry>
</dates>
</vuln>
<vuln vid="a83f25df-d775-11e0-8bf1-003067b2972c">
<topic>XSS issue in MantisBT</topic>
<affects>
<package>
<name>mantis</name>
<range><ge>1.2.0</ge><lt>1.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MantisBT project reports:</p>
<blockquote cite="http://www.mantisbt.org/blog/?p=142">
<p>Net.Edit0r from BlACK Hat Group reported an XSS issue in
search.php. All MantisBT users (including anonymous users that
are not logged in to public bug trackers) could be impacted by
this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/160368</freebsdpr>
<cvename>CVE-2011-2938</cvename>
</references>
<dates>
<discovery>2011-08-18</discovery>
<entry>2011-09-05</entry>
</dates>
</vuln>
<vuln vid="e55f948f-d729-11e0-abd1-0017f22d6707">
<topic>security/cfs -- buffer overflow</topic>
<affects>
<package>
<name>cfs</name>
<range><le>1.4.1_6</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian reports:</p>
<blockquote cite="http://www.debian.org/security/2002/dsa-116">
<p>Zorgon found several buffer overflows in cfsd, a daemon that
pushes encryption services into the Unix(tm) file system.
We are not yet sure if these overflows can successfully be
exploited to gain root access to the machine running the CFS
daemon. However, since cfsd can easily be forced to die, a
malicious user can easily perform a denial of service attack
to it.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2002-0351</cvename>
<url>http://www.debian.org/security/2002/dsa-116</url>
</references>
<dates>
<discovery>2002-03-02</discovery>
<entry>2011-09-04</entry>
</dates>
</vuln>
<vuln vid="1b27af46-d6f6-11e0-89a6-080027ef73ec">
<topic>ca_root_nss -- extraction of explicitly-untrusted certificates into trust bundle</topic>
<affects>
<package>
<name>ca_root_nss</name>
<range><lt>3.12.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports that the ca-bundle.pl script used by the
ca_root_nss FreeBSD port before version 3.12.11 did not take the
Mozilla/NSS/CKBI "untrusted" markers into account and would add
certificates to the trust bundle that Mozilla had explicitly marked as
untrusted.</p>
</body>
</description>
<references>
<freebsdpr>ports/160455</freebsdpr>
</references>
<dates>
<discovery>2011-09-04</discovery>
<entry>2011-09-04</entry>
</dates>
</vuln>
<vuln vid="aa5bc971-d635-11e0-b3cf-080027ef73ec">
<topic>nss/ca_root_nss -- fraudulent certificates issued by DigiNotar.nl</topic>
<affects>
<package>
<name>nss</name>
<range><lt>3.12.11</lt></range>
<!-- this builds on the assumption that 3.12.11 in ports actually
contains the CKBI 1.87 update to the built-in certificates
as committed by kwm@ on September 3rd, 2011 -->
</package>
<package>
<name>ca_root_nss</name>
<range><lt>3.12.11</lt></range>
<!-- this builds on the assumption that 3.12.11 in ports actually
contains the CKBI 1.87 update to the built-in certificates
as committed by mandree@ on September 4th, 2011 -->
</package>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.22,1</lt></range>
<range><gt>4.0.*,1</gt><lt>6.0.2,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.3.2</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.22,1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>3.1.*</gt><lt>3.1.14</lt></range>
<range><gt>5.0.*</gt><lt>6.0.2</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>3.1.14</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Heather Adkins, Google's Information Security Manager, reported that
Google received</p>
<blockquote cite="http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html">
<p>[...] reports of attempted SSL man-in-the-middle (MITM)
attacks against Google users, whereby someone tried to get between
them and encrypted Google services. The people affected were
primarily located in Iran. The attacker used a fraudulent SSL
certificate issued by DigiNotar, a root certificate authority that
should not issue certificates for Google (and has since revoked
it). [...]</p>
</blockquote>
<p>VASCO Data Security International Inc., owner of DigiNotar, issued a
press statement confirming this incident:</p>
<blockquote cite="http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx">
<p>On July 19th 2011, DigiNotar detected an intrusion
into its Certificate Authority (CA) infrastructure, which resulted
in the fraudulent issuance of public key certificate requests for
a number of domains, including Google.com. [...] an external
security audit concluded that all fraudulently issued certificates
were revoked. Recently, it was discovered that at least one fraudulent
certificate had not been revoked at the time. [...]</p>
</blockquote>
<p>Mozilla, maintainer of the NSS package, from which FreeBSD derived
ca_root_nss, stated that they:</p>
<blockquote cite="https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/">
<p>revoked our trust in the DigiNotar certificate authority from
all Mozilla software. This is not a temporary suspension, it is
a complete removal from our trusted root program. Complete
revocation of trust is a decision we treat with careful
consideration, and employ as a last resort.
</p><p>Three central issues informed our decision:</p>
<ol><li>Failure to notify. [...]</li>
<li>The scope of the breach remains unknown. [...]</li>
<li>The attack is not theoretical.</li></ol>
</blockquote>
</body>
</description>
<references>
<url>http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-34.html</url>
<url>http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html</url>
</references>
<dates>
<discovery>2011-07-19</discovery>
<entry>2011-09-03</entry>
<modified>2011-09-06</modified>
</dates>
</vuln>
<vuln vid="7f6108d2-cea8-11e0-9d58-0800279895ea">
<topic>apache -- Range header DoS vulnerability</topic>
<affects>
<package>
<name>apache</name>
<name>apache-event</name>
<name>apache-itk</name>
<name>apache-peruser</name>
<name>apache-worker</name>
<range><gt>2.*</gt><lt>2.2.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache HTTP Server project reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192">
<p>A denial of service vulnerability has been found in the way
the multiple overlapping ranges are handled by Apache HTTPD
server.</p>
</blockquote>
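<p>The following is an added example, not code from the Apache httpd project. It shows how a defensive front end can parse the Range header and decide whether to honour it, following the mitigation httpd adopted for this issue: cap the number of ranges, and ignore the header (answering with the whole body and status 200, which RFC 2616 permits) when the ranges overlap or arrive out of order. The MAX_RANGES value, the function names and the sample headers are assumptions of this example.</p>

```python
# Added example; this is not code from the Apache httpd project. A defensive
# front end parses the Range header and decides whether to honour it. The
# policy follows the CVE-2011-3192 mitigation httpd adopted: cap the number
# of ranges, and ignore the header (serve the whole body with 200, which
# RFC 2616 permits) when the ranges overlap or arrive out of order. The
# MAX_RANGES value, function names and sample headers are assumptions of
# this example.
MAX_RANGES = 200


def parse_ranges(header, size):
    """Parse a 'bytes=' Range header against a body of `size` bytes into a
    list of (first, last) positions in the order sent. Returns None when the
    unit is unknown or any byte-range-spec is malformed or unsatisfiable."""
    if size == 0 or not header.startswith("bytes="):
        return None
    out = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        if spec.count("-") != 1:
            return None
        a, b = spec.split("-")
        if a == "" and b.isdigit() and int(b) > 0:      # suffix: last N bytes
            n = min(int(b), size)
            out.append((size - n, size - 1))
        elif a.isdigit() and (b == "" or b.isdigit()):
            first = int(a)
            last = size - 1 if b == "" else min(int(b), size - 1)
            if first > last:                             # reversed or past EOF
                return None
            out.append((first, last))
        else:
            return None
    return out


def merge_overlapping(ranges):
    """Coalesce ranges that overlap; a shorter result means the client asked
    for the same bytes more than once."""
    merged = []
    for first, last in sorted(ranges):
        if merged and merged[-1][1] >= first:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def range_policy(header, size):
    """'partial': honour the ranges with a 206 multipart/byteranges reply.
    'full': ignore Range and send the complete body with 200."""
    ranges = parse_ranges(header, size)
    if ranges is None or len(ranges) > MAX_RANGES:
        return "full"
    if ranges != sorted(ranges) or len(merge_overlapping(ranges)) != len(ranges):
        return "full"
    return "partial"


# Constructed sample headers: a resumable download, and the shape of the
# published denial-of-service request (hundreds of overlapping ranges).
LEGIT_RANGE = "bytes=0-499,500-999"
ATTACK_RANGE = "bytes=" + ",".join("%d-" % i for i in range(1300))
```

<p>Each honoured range costs the server a buffer of its own, which is why the number of ranges, not the number of bytes, is the quantity to bound; a legitimate download resumer sends a handful of disjoint, ascending ranges and is unaffected by this policy.</p>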
</body>
</description>
<references>
<cvename>CVE-2011-3192</cvename>
<url>https://people.apache.org/~dirkx/CVE-2011-3192.txt</url>
<url>https://svn.apache.org/viewvc?view=revision&amp;revision=1161534</url>
<url>https://svn.apache.org/viewvc?view=revision&amp;revision=1162874</url>
</references>
<dates>
<discovery>2011-08-24</discovery>
<entry>2011-08-30</entry>
<modified>2011-09-01</modified>
</dates>
</vuln>
<vuln vid="cdeb34e6-d00d-11e0-987e-00215c6a37bb">
<topic>stunnel -- heap corruption vulnerability</topic>
<affects>
<package>
<name>stunnel</name>
<range><ge>4.40</ge><lt>4.42</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michal Trojnara reports:</p>
<blockquote cite="http://www.stunnel.org/pipermail/stunnel-announce/2011-August/000059.html">
<p>Version 4.42, 2011.08.18, urgency: HIGH:</p>
<p>Fixed a heap corruption vulnerability in versions 4.40 and 4.41.
It may possibly be leveraged to perform DoS or remote code
execution attacks.</p>
</blockquote>
</body>
</description>
<references>
<bid>49254</bid>
<cvename>CVE-2011-2940</cvename>
</references>
<dates>
<discovery>2011-08-25</discovery>
<entry>2011-08-26</entry>
</dates>
</vuln>
<vuln vid="75e26236-ce9e-11e0-b26a-00215c6a37bb">
<topic>phpMyAdmin -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-13.php">
<p>Multiple XSS in the Tracking feature.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3181</cvename>
</references>
<dates>
<discovery>2011-08-24</discovery>
<entry>2011-08-24</entry>
</dates>
</vuln>
<vuln vid="3f1df2f9-cd22-11e0-9bb2-00215c6a37bb">
<topic>PHP -- crypt() returns only the salt for MD5</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.3.7</ge><lt>5.3.7_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP development team reports:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=55439">
<p>If crypt() is executed with MD5 salts, the return value
consists of the salt only. DES and BLOWFISH salts work as
expected.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugs.php.net/bug.php?id=55439</url>
</references>
<dates>
<discovery>2011-08-17</discovery>
<entry>2011-08-23</entry>
<modified>2011-08-30</modified>
</dates>
</vuln>
<vuln vid="057bf770-cac4-11e0-aea3-00215c6a37bb">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<name>php5-sockets</name>
<range><lt>5.3.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP development team reports:</p>
<blockquote cite="http://www.php.net/ChangeLog-5.php#5.3.7">
<p>Security Enhancements and Fixes in PHP 5.3.7:</p>
<ul>
<li>Updated crypt_blowfish to 1.2. (CVE-2011-2483)</li>
<li>Fixed crash in error_log(). Reported by Mateusz
Kocielski</li>
<li>Fixed buffer overflow on overlong salt in crypt().</li>
<li>Fixed bug #54939 (File path injection vulnerability
in RFC1867 File upload filename). Reported by Krzysztof
Kotowicz. (CVE-2011-2202)</li>
<li>Fixed stack buffer overflow in socket_connect().
(CVE-2011-1938)</li>
<li>Fixed bug #54238 (use-after-free in substr_replace()).
(CVE-2011-1148)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<bid>49241</bid>
<cvename>CVE-2011-2483</cvename>
<cvename>CVE-2011-2202</cvename>
<cvename>CVE-2011-1938</cvename>
<cvename>CVE-2011-1148</cvename>
</references>
<dates>
<discovery>2011-08-18</discovery>
<entry>2011-08-20</entry>
</dates>
</vuln>
<vuln vid="be77eff6-ca91-11e0-aea3-00215c6a37bb">
<topic>rubygem-rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-rails</name>
<range><lt>3.0.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/49179/discuss">
<p>Ruby on Rails is prone to multiple vulnerabilities
including SQL-injection, information-disclosure,
HTTP-header-injection, security-bypass and cross-site
scripting issues.</p>
</blockquote>
</body>
</description>
<references>
<bid>49179</bid>
<url>http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b</url>
<url>http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6</url>
<url>http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768</url>
<url>http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12</url>
<url>http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195</url>
</references>
<dates>
<discovery>2011-08-16</discovery>
<entry>2011-08-19</entry>
</dates>
</vuln>
<vuln vid="0b53f5f7-ca8a-11e0-aea3-00215c6a37bb">
<topic>dovecot -- denial of service vulnerability</topic>
<affects>
<package>
<name>dovecot</name>
<range><lt>1.2.17</lt></range>
<range><gt>2.0</gt><lt>2.0.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Timo Sirainen reports:</p>
<blockquote cite="http://dovecot.org/pipermail/dovecot/2011-May/059086.html">
<p>Fixed potential crashes and other problems when parsing header
names that contained NUL characters.</p>
</blockquote>
</body>
</description>
<references>
<bid>47930</bid>
<cvename>CVE-2011-1929</cvename>
</references>
<dates>
<discovery>2011-05-25</discovery>
<entry>2011-08-19</entry>
</dates>
</vuln>
<vuln vid="86baa0d4-c997-11e0-8a8e-00151735203a">
<topic>OTRS -- Vulnerabilities in OTRS-Core allow read access to any file on local file system</topic>
<affects>
<package>
<name>otrs</name>
<range><gt>2.1.*</gt><lt>3.0.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2011-03-en/">
<ul>
<li>An attacker with a valid session and admin permissions could
get read access to any file on the server's local operating
system. For this, at least one installed OTRS package would be
needed.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2746</cvename>
<url>http://otrs.org/advisory/OSA-2011-03-en/</url>
</references>
<dates>
<discovery>2011-08-16</discovery>
<entry>2011-08-18</entry>
</dates>
</vuln>
<vuln vid="834591a9-c82f-11e0-897d-6c626dd55a41">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.20,1</lt></range>
<range><gt>5.0.*,1</gt><lt>6.0,1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.3</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.20,1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>3.1.12</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>3.1.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-29 Security issues addressed in Firefox 6</p>
<p>MFSA 2011-30 Security issues addressed in Firefox 3.6.20</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-29.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-30.html</url>
<cvename>CVE-2011-2982</cvename>
<cvename>CVE-2011-0084</cvename>
<cvename>CVE-2011-2981</cvename>
<cvename>CVE-2011-2378</cvename>
<cvename>CVE-2011-2984</cvename>
<cvename>CVE-2011-2980</cvename>
<cvename>CVE-2011-2983</cvename>
<cvename>CVE-2011-2989</cvename>
<cvename>CVE-2011-2991</cvename>
<cvename>CVE-2011-2992</cvename>
<cvename>CVE-2011-2985</cvename>
<cvename>CVE-2011-2993</cvename>
<cvename>CVE-2011-2988</cvename>
<cvename>CVE-2011-2987</cvename>
<cvename>CVE-2011-2990</cvename>
<cvename>CVE-2011-2986</cvename>
</references>
<dates>
<discovery>2011-08-16</discovery>
<entry>2011-08-16</entry>
</dates>
</vuln>
<vuln vid="56f4b3a6-c82c-11e0-a498-00215c6a37bb">
<topic>Samba -- cross site scripting and request forgery vulnerabilities</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>3.4.*</gt><lt>3.4.14</lt></range>
</package>
<package>
<name>samba35</name>
<range><gt>3.5.*</gt><lt>3.5.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba security advisory reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2011-2522">
<p>All current released versions of Samba are vulnerable to a
cross-site request forgery in the Samba Web Administration Tool
(SWAT). By tricking a user who is authenticated with SWAT into
clicking a manipulated URL on a different web page, it is
possible to manipulate SWAT.</p>
</blockquote>
<blockquote cite="http://www.samba.org/samba/security/CVE-2011-2694">
<p>All current released versions of Samba are vulnerable to a
cross-site scripting issue in the Samba Web Administration Tool
(SWAT). On the "Change Password" field, it is possible to insert
arbitrary content into the "user" field.</p>
</blockquote>
</body>
</description>
<references>
<bid>48901</bid>
<bid>48899</bid>
<cvename>CVE-2011-2522</cvename>
<cvename>CVE-2011-2694</cvename>
</references>
<dates>
<discovery>2011-07-27</discovery>
<entry>2011-08-16</entry>
</dates>
</vuln>
<vuln vid="510b630e-c43b-11e0-916c-00e0815b8da8">
<topic>isc-dhcp-server -- server halt upon processing certain packets</topic>
<affects>
<package>
<name>isc-dhcp31-server</name>
<range><lt>3.1.ESV_1,1</lt></range>
</package>
<package>
<name>isc-dhcp41-server</name>
<range><lt>4.1.e_2,2</lt></range>
</package>
<package>
<name>isc-dhcp42-server</name>
<range><lt>4.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/dhcp/advisories/cve-2011-2748">
<p>A pair of defects cause the server to halt upon processing
certain packets. The patch is to properly discard or process
those packets.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2748</cvename>
<cvename>CVE-2011-2749</cvename>
</references>
<dates>
<discovery>2011-08-10</discovery>
<entry>2011-08-13</entry>
</dates>
</vuln>
<vuln vid="dc8741b9-c5d5-11e0-8a8e-00151735203a">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>2.4.*</ge><lt>3.6.6</lt></range>
<range><ge>4.0.*</ge><lt>4.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4.11/">
<p>The following security issues have been discovered in Bugzilla:</p>
<ul>
<li>Internet Explorer 8 and older, and Safari before 5.0.6 do
content sniffing when viewing a patch in "Raw Unified" mode,
which could trigger a cross-site scripting attack due to
the execution of malicious code in the attachment.</li>
<li>It is possible to determine whether or not certain group
names exist while creating or updating bugs.</li>
<li>Attachment descriptions with a newline in them could lead
to the injection of crafted headers in email notifications sent
to the requestee or the requester when editing an attachment
flag.</li>
<li>If an attacker has access to a user's session, he can modify
that user's email address without that user being notified
of the change.</li>
<li>Temporary files for uploaded attachments are not deleted
on Windows, which could let a user with local access to
the server read them.</li>
<li>Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised,
it can be used to inject HTML code when viewing a bug report,
leading to a cross-site scripting attack.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2379</cvename>
<cvename>CVE-2011-2380</cvename>
<cvename>CVE-2011-2979</cvename>
<cvename>CVE-2011-2381</cvename>
<cvename>CVE-2011-2978</cvename>
<cvename>CVE-2011-2977</cvename>
<cvename>CVE-2011-2976</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=637981</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=653477</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=674497</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=657158</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=670868</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=660502</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=660053</url>
</references>
<dates>
<discovery>2011-08-04</discovery>
<entry>2011-08-13</entry>
</dates>
</vuln>
<vuln vid="879b0242-c5b6-11e0-abd1-0017f22d6707">
<topic>dtc -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dtc</name>
<range><lt>0.32.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Debian reports:</p>
<blockquote cite="http://www.debian.org/security/2011/dsa-2179">
<p>Ansgar Burchardt discovered several vulnerabilities in DTC, a
web control panel for admin and accounting hosting services:
the bw_per_month.php graph contains an SQL injection
vulnerability; insufficient checks in bw_per_month.php can lead
to bandwidth usage information disclosure; after a registration,
passwords are sent in cleartext email messages; and authenticated
users could delete accounts using an obsolete interface which
was incorrectly included in the package.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0434</cvename>
<cvename>CVE-2011-0435</cvename>
<cvename>CVE-2011-0436</cvename>
<cvename>CVE-2011-0437</cvename>
<url>http://www.debian.org/security/2011/dsa-2179</url>
</references>
<dates>
<discovery>2011-03-02</discovery>
<entry>2011-08-13</entry>
</dates>
</vuln>
<vuln vid="304409c3-c3ef-11e0-8aa5-485d60cb5385">
<topic>libXfont -- possible local privilege escalation</topic>
<affects>
<package>
<name>libXfont</name>
<range><lt>1.4.4_1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tomas Hoger reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=725760">
<p>The compress/ LZW decompress implementation does not correctly
handle compressed streams that contain code words that were not
yet added to the decompression table. This may lead to
arbitrary memory corruption. Successful exploitation may
possibly lead to a local privilege escalation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2895</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=725760</url>
</references>
<dates>
<discovery>2011-07-26</discovery>
<entry>2011-08-11</entry>
<modified>2012-03-13</modified>
</dates>
</vuln>
<vuln vid="5d374b01-c3ee-11e0-8aa5-485d60cb5385">
<topic>freetype2 -- execute arbitrary code or cause denial of service</topic>
<affects>
<package>
<name>freetype2</name>
<range><lt>2.4.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Vincent Danen reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0226">
<p>An error within the t1_decoder_parse_charstrings()
function (src/psaux/t1decode.c) can be exploited to corrupt
memory by tricking a user into processing a specially crafted
PostScript Type 1 font in an application that uses the freetype
library.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0226</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0226</url>
</references>
<dates>
<discovery>2011-07-19</discovery>
<entry>2011-08-11</entry>
</dates>
</vuln>
<vuln vid="2c12ae0c-c38d-11e0-8eb7-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r183.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb11-21.html">
<p>Critical vulnerabilities have been identified in Adobe Flash
Player 10.3.181.36 and earlier versions for Windows, Macintosh,
Linux and Solaris, and Adobe Flash Player 10.3.185.25 and
earlier versions for Android. These vulnerabilities could
cause a crash and potentially allow an attacker to take control
of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2130</cvename>
<cvename>CVE-2011-2134</cvename>
<cvename>CVE-2011-2135</cvename>
<cvename>CVE-2011-2136</cvename>
<cvename>CVE-2011-2137</cvename>
<cvename>CVE-2011-2138</cvename>
<cvename>CVE-2011-2139</cvename>
<cvename>CVE-2011-2140</cvename>
<cvename>CVE-2011-2414</cvename>
<cvename>CVE-2011-2415</cvename>
<cvename>CVE-2011-2416</cvename>
<cvename>CVE-2011-2417</cvename>
<cvename>CVE-2011-2425</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb11-21.html</url>
</references>
<dates>
<discovery>2011-05-13</discovery>
<entry>2011-08-10</entry>
<modified>2012-11-05</modified>
</dates>
</vuln>
<vuln vid="30cb4522-b94d-11e0-8182-485d60cb5385">
<topic>libsoup -- unintentionally allow access to entire local filesystem</topic>
<affects>
<package>
<name>libsoup</name>
<range><lt>2.32.2_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dan Winship reports:</p>
<blockquote cite="http://mail.gnome.org/archives/ftp-release-list/2011-July/msg00176.html">
<p>Fixed a security hole that caused some SoupServer users to
unintentionally allow accessing the entire local filesystem when
they thought they were only providing access to a single
directory.</p>
</blockquote>
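<p>The following is an added example, not libsoup's code. It shows the confinement check a file-serving handler needs so that "serve this directory" cannot become "serve the whole filesystem": the request path is mapped onto a document root and refused whenever it resolves outside it, whether through "..", an absolute path, percent-encoded traversal, an embedded NUL or a symlink pointing out of the tree. The helper names and the throwaway directory it builds are this example's own assumptions.</p>

```python
# Added example; this is not libsoup's code. It shows the confinement check a
# file-serving handler needs: map the request path onto a document root and
# refuse anything that resolves outside it, whether via "..", an absolute
# path, percent-encoded traversal, an embedded NUL or a symlink that points
# out of the tree. The helper names and the throwaway directory tree are
# this example's own assumptions.
import os
import tempfile
from urllib.parse import unquote


def safe_local_path(root, request_path):
    """Return the real filesystem path for request_path under root, or None
    when the request escapes the root."""
    root = os.path.realpath(root)
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    # Drop leading slashes so os.path.join cannot be redirected to "/".
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath has resolved ".." and symlinks; the result must still be
    # the root itself or something strictly below it.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def build_demo_tree():
    """Construct a temporary root with one served file plus a symlink that
    escapes the root; returns (base, root)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("hello")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "leak"))
    return base, root
```

<p>The decisive step is comparing the fully resolved path against the resolved root, not inspecting the request string for ".." sequences; the symlink case shows why textual filtering alone is not enough.</p>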
</body>
</description>
<references>
<cvename>CVE-2011-2054</cvename>
<url>http://mail.gnome.org/archives/ftp-release-list/2011-July/msg00176.html</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=653258</url>
</references>
<dates>
<discovery>2011-06-23</discovery>
<entry>2011-07-28</entry>
</dates>
</vuln>
<vuln vid="d79fc873-b5f9-11e0-89b4-001ec9578670">
<topic>phpmyadmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.4.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php">
<p>XSS in table Print view.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php">
<p>Via a crafted MIME-type transformation parameter, an attacker can
perform a local file inclusion.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php">
<p>In the 'relational schema' code a parameter was not sanitized before
being used to concatenate a class name.</p>
<p>The end result is a local file inclusion vulnerability and code
execution.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php">
<p>It was possible to manipulate the PHP session superglobal using
some of the Swekey authentication code.</p>
<p>This is very similar to PMASA-2011-5, documented in
7e4e5c53-a56c-11e0-b180-00216aa06fc2</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2642</cvename>
<cvename>CVE-2011-2643</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php</url>
</references>
<dates>
<discovery>2011-07-23</discovery>
<entry>2011-07-24</entry>
<modified>2011-07-28</modified>
</dates>
</vuln>
<vuln vid="9f14cb36-b6fc-11e0-a044-445c73746d79">
<topic>opensaml2 -- unauthenticated login</topic>
<affects>
<package>
<name>opensaml2</name>
<range><gt>0</gt><lt>2.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSAML developers report:</p>
<blockquote cite="http://shibboleth.internet2.edu/secadv/secadv_20110725.txt">
<p>The Shibboleth software relies on the OpenSAML libraries to
perform verification of signed XML messages such as attribute
queries or SAML assertions. Both the Java and C++ versions are
vulnerable to a so-called "wrapping attack" that allows a remote,
unauthenticated attacker to craft specially formed messages that
can be successfully verified, but contain arbitrary content.</p>
</blockquote>
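<p>The following is an added example, not OpenSAML or Shibboleth code. It shows the structural check a relying party must make once the cryptographic signature verification has succeeded (assumed already done here): consume only the element the Signature's Reference URI points at, require that ID to be unique in the document, and require that element to sit where the protocol expects it. The sample messages are constructed in code; the namespaces are those of SAML 2.0 and XML-DSig, and the function names are this example's own.</p>

```python
# Added example; this is not OpenSAML or Shibboleth code. It shows the
# structural check a relying party must make once the cryptographic
# signature verification has succeeded (assumed done here): consume only the
# element the Signature's Reference URI points at, require that ID to be
# unique, and require that element to sit where the protocol expects it.
# Namespaces are those of SAML 2.0 and XML-DSig; the sample messages are
# constructed in code and the function names are this example's own.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ASSERTION = "{%s}Assertion" % SAML
SUBJECT = "{%s}Subject" % SAML
SIGNATURE = "{%s}Signature" % DSIG
REFERENCE = "{%s}Reference" % DSIG


def make_response(wrapped=False):
    """Build a Response holding a signed Assertion for 'alice'. With
    wrapped=True the attacker moves that signed Assertion under an Extensions
    element (its signature still verifies) and puts an unsigned Assertion for
    'admin', reusing the same ID, where a naive consumer looks first."""
    resp = ET.Element("Response")
    signed = ET.SubElement(resp, ASSERTION, ID="_a1")
    ET.SubElement(signed, SUBJECT).text = "alice"
    sig = ET.SubElement(signed, SIGNATURE)
    info = ET.SubElement(sig, "{%s}SignedInfo" % DSIG)
    ET.SubElement(info, REFERENCE, URI="#_a1")
    if wrapped:
        resp.remove(signed)
        ET.SubElement(resp, "Extensions").append(signed)
        fake = ET.SubElement(resp, ASSERTION, ID="_a1")
        ET.SubElement(fake, SUBJECT).text = "admin"
    return resp


def naive_subject(resp):
    """The vulnerable pattern: verify 'the' signature, then read whichever
    Assertion comes first."""
    return resp.find(ASSERTION + "/" + SUBJECT).text


def verified_subject(resp):
    """Read the Subject only from the element the signature covers."""
    refs = resp.findall(".//" + REFERENCE)
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        return None
    ref_id = refs[0].get("URI")[1:]
    matches = [e for e in resp.iter() if e.get("ID") == ref_id]
    if len(matches) != 1:                 # missing or duplicated ID: refuse
        return None
    signed = matches[0]
    # Enveloped signature inside an Assertion that is a direct child of the
    # Response: anything relocated elsewhere in the tree is not accepted.
    if signed.tag != ASSERTION or signed.find(SIGNATURE) is None:
        return None
    if signed not in list(resp):
        return None
    return signed.find(SUBJECT).text
```

<p>The wrapped message passes every cryptographic check, because the bytes that were signed are still present and untouched; what the naive consumer gets wrong is reading a different element than the one that was signed. Binding the consumed element to the Reference, and refusing duplicate IDs and relocated elements, is what the fixed libraries enforce.</p>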
</body>
</description>
<references>
<cvename>CVE-2011-1411</cvename>
<mlist msgid="CA530061.113D6%cantor.2@osu.edu">https://groups.google.com/a/shibboleth.net/group/announce/browse_thread/thread/cf3e0d76afbb57d9</mlist>
</references>
<dates>
<discovery>2011-07-25</discovery>
<entry>2011-07-25</entry>
</dates>
</vuln>
<vuln vid="9a777c23-b310-11e0-832d-00215c6a37bb">
<topic>rsync -- incremental recursion memory corruption vulnerability</topic>
<affects>
<package>
<name>rsync</name>
<range><gt>3.0</gt><lt>3.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>rsync development team reports:</p>
<blockquote cite="http://rsync.samba.org/ftp/rsync/src/rsync-3.0.8-NEWS">
<p>Fixed a data-corruption issue when preserving hard-links
without preserving file ownership, and doing deletions either
before or during the transfer (CVE-2011-1097). This
fixes some assert errors in the hard-linking code, and some
potential failed checksums (via -c) that should have matched.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1097</cvename>
<url>https://bugzilla.samba.org/show_bug.cgi?id=7936</url>
</references>
<dates>
<discovery>2011-04-08</discovery>
<entry>2011-07-20</entry>
</dates>
</vuln>
<vuln vid="fd64188d-a71d-11e0-89b4-001ec9578670">
<topic>BIND -- Remote DoS against authoritative and recursive servers</topic>
<affects>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R4.3</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.3.3</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/software/bind/advisories/cve-2011-2464">
<p>A defect in the affected BIND 9 versions allows an attacker to
remotely cause the "named" process to exit using a specially
crafted packet.</p>
<p>This defect affects both recursive and authoritative servers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2464</cvename>
<url>https://www.isc.org/software/bind/advisories/cve-2011-2464</url>
</references>
<dates>
<discovery>2011-07-05</discovery>
<entry>2011-07-05</entry>
</dates>
</vuln>
<vuln vid="4ccee784-a721-11e0-89b4-001ec9578670">
<topic>BIND -- Remote DoS with certain RPZ configurations</topic>
<affects>
<package>
<name>bind98</name>
<range><lt>9.8.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/software/bind/advisories/cve-2011-2465">
<p>Two defects were discovered in ISC's BIND 9.8 code. These
defects only affect BIND 9.8 servers which have recursion
enabled and which use a specific feature of the software known
as Response Policy Zones (RPZ) and where the RPZ zone contains
a specific rule/action pattern.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2465</cvename>
<url>https://www.isc.org/software/bind/advisories/cve-2011-2465</url>
</references>
<dates>
<discovery>2011-07-05</discovery>
<entry>2011-07-05</entry>
</dates>
</vuln>
<vuln vid="7e4e5c53-a56c-11e0-b180-00216aa06fc2">
<topic>phpmyadmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.4.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php">
<p>It was possible to manipulate the PHP session superglobal using
some of the Swekey authentication code. This could open a path
for other attacks.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php">
<p>An unsanitized key from the Servers array is written in a comment
of the generated config. An attacker can modify this key by
modifying the SESSION superglobal array. This allows the attacker
to close the comment and inject code.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php">
<p>Through a possible bug in PHP running on Windows systems a NULL
byte can truncate the pattern string allowing an attacker to
inject the /e modifier causing the preg_replace function to
execute its second argument as PHP code.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php">
<p>Fixed filtering of a file path in the MIME-type transformation
code, which allowed for directory traversal.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2505</cvename>
<cvename>CVE-2011-2506</cvename>
<cvename>CVE-2011-2507</cvename>
<cvename>CVE-2011-2508</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php</url>
</references>
<dates>
<discovery>2011-07-02</discovery>
<entry>2011-07-03</entry>
<modified>2011-07-28</modified>
</dates>
</vuln>
<vuln vid="40544e8c-9f7b-11e0-9bec-6c626dd55a41">
<topic>Asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.41.2</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.18.2</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://www.asterisk.org/node/51650">
<p>AST-2011-008: If a remote user sends a SIP packet containing a
NULL, Asterisk assumes available data extends past the null to
the end of the packet when the buffer is actually truncated when
copied. This causes SIP header parsing to modify data past the
end of the buffer altering unrelated memory structures. This
vulnerability does not affect TCP/TLS connections.</p>
<p>AST-2011-009: A remote user sending a SIP packet containing a
Contact header with a missing left angle bracket causes Asterisk
to access a null pointer.</p>
<p>AST-2011-010: A memory address was inadvertently transmitted
over the network via IAX2 via an option control frame and the
remote party would try to access it.</p>
<p>Possible enumeration of SIP users due to differing
authentication responses.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2529</cvename>
<cvename>CVE-2011-2535</cvename>
<cvename>CVE-2011-2536</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2011-008.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-009.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-010.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-011.html</url>
</references>
<dates>
<discovery>2011-06-24</discovery>
<entry>2011-06-25</entry>
<modified>2011-06-29</modified>
</dates>
</vuln>
<vuln vid="01d3ab7d-9c43-11e0-bc0f-0014a5e3cda6">
<topic>ejabberd -- remote denial of service vulnerability</topic>
<affects>
<package>
<name>ejabberd</name>
<range><lt>2.1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The CVE advisory reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1753">
<p>expat_erl.c in ejabberd before 2.1.7 and 3.x before
3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect
recursion during entity expansion, which allows remote attackers
to cause a denial of service (memory and CPU consumption) via a
crafted XML document containing a large number of nested entity
references, a similar issue to CVE-2003-1564.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1753</cvename>
<url>http://www.ejabberd.im/ejabberd-2.1.7</url>
</references>
<dates>
<discovery>2011-04-27</discovery>
<entry>2011-06-24</entry>
</dates>
</vuln>
<vuln vid="dfe40cff-9c3f-11e0-9bec-6c626dd55a41">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.20,1</lt></range>
<range><gt>3.6.*,1</gt><lt>3.6.18,1</lt></range>
<range><gt>4.0.*,1</gt><lt>5.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.18,1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>3.1.11</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>3.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-19 Miscellaneous memory safety hazards
(rv:3.0/1.9.2.18)</p>
<p>MFSA 2011-20 Use-after-free vulnerability when viewing XUL
document with script disabled</p>
<p>MFSA 2011-21 Memory corruption due to multipart/x-mixed-replace
images</p>
<p>MFSA 2011-22 Integer overflow and arbitrary code execution in
Array.reduceRight()</p>
<p>MFSA 2011-23 Multiple dangling pointer vulnerabilities</p>
<p>MFSA 2011-24 Cookie isolation error</p>
<p>MFSA 2011-25 Stealing of cross-domain images using WebGL
textures</p>
<p>MFSA 2011-26 Multiple WebGL crashes</p>
<p>MFSA 2011-27 XSS encoding hazard with inline SVG</p>
<p>MFSA 2011-28 Non-whitelisted site can trigger xpinstall</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-19.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-20.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-21.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-22.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-23.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-24.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-25.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-26.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-27.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-28.html</url>
</references>
<dates>
<discovery>2011-06-21</discovery>
<entry>2011-06-21</entry>
<modified>2011-06-23</modified>
</dates>
</vuln>
<vuln vid="bfdbc7ec-9c3f-11e0-9bec-6c626dd55a41">
<topic>Samba -- denial of service via memory corruption</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>3.4.*</gt><lt>3.4.12</lt></range>
</package>
<package>
<name>samba35</name>
<range><gt>3.5.*</gt><lt>3.5.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba team reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2011-0719.html">
<p>Samba is vulnerable to a denial of service, caused by a memory
corruption error related to missing range checks on file
descriptors being used in the "FD_SET" macro. By performing a
select on a bad file descriptor set, a remote attacker could
exploit this vulnerability to cause the application to crash or
possibly execute arbitrary code on the system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0719</cvename>
<url>http://www.samba.org/samba/security/CVE-2011-0719.html</url>
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0719</url>
</references>
<dates>
<discovery>2011-02-28</discovery>
<entry>2011-06-21</entry>
</dates>
</vuln>
<vuln vid="23c8423e-9bff-11e0-8ea2-0019d18c446a">
<topic>Piwik -- remote command execution vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><ge>1.2</ge><lt>1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Piwik security advisory reports:</p>
<blockquote cite="http://piwik.org/blog/2011/06/piwik-1-5-security-advisory/">
<p>The Piwik 1.5 release addresses a critical security
vulnerability, which affects all Piwik users that have
granted some access to the "anonymous" user.</p>
<p>Piwik contains a remotely exploitable vulnerability that could
allow a remote attacker to execute arbitrary code. Only
installations that have granted untrusted view access to their
stats (ie. grant "view" access to a website to anonymous) are
at risk.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/158084</freebsdpr>
<url>http://piwik.org/blog/2011/06/piwik-1-5-security-advisory/</url>
</references>
<dates>
<discovery>2011-06-21</discovery>
<entry>2011-06-21</entry>
</dates>
</vuln>
<vuln vid="0b535cd0-9b90-11e0-800a-00215c6a37bb">
<topic>Dokuwiki -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20110525a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dokuwiki reports:</p>
<blockquote cite="http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind">
<p>We just released a Hotfix Release "2011-05-25a Rincewind".
It contains the following changes:</p>
<p>Security fix for a Cross Site Scripting vulnerability.
Malicious users could abuse DokuWiki's RSS embedding mechanism
to create links containing arbitrary JavaScript. Note: this
security problem is present in at least Anteater and Rincewind
but probably in older releases as well.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind</url>
</references>
<dates>
<discovery>2011-06-14</discovery>
<entry>2011-06-20</entry>
</dates>
</vuln>
<vuln vid="55a528e8-9787-11e0-b24a-001b2134ef46">
<topic>linux-flashplugin -- remote code execution vulnerability</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r181.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-18.html">
<p>A critical vulnerability has been identified in Adobe Flash
Player 10.3.181.23 and earlier versions for Windows, Macintosh,
Linux and Solaris, and Adobe Flash Player 10.3.185.23 and
earlier versions for Android. This memory corruption
vulnerability (CVE-2011-2110) could cause a crash and
potentially allow an attacker to take control of the affected
system. There are reports that this vulnerability is being
exploited in the wild in targeted attacks via malicious Web
pages.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2110</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-18.html</url>
</references>
<dates>
<discovery>2011-05-13</discovery>
<entry>2011-06-15</entry>
</dates>
</vuln>
<vuln vid="3145faf1-974c-11e0-869e-000c29249b2e">
<topic>ikiwiki -- tty hijacking via ikiwiki-mass-rebuild</topic>
<affects>
<package>
<name>ikiwiki</name>
<range><lt>3.20110608</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The IkiWiki development team reports:</p>
<blockquote cite="http://ikiwiki.info/security/#index40h2">
<p>Ludwig Nussel discovered a way for users to hijack root's tty
when ikiwiki-mass-rebuild was run. Additionally, there was
some potential for information disclosure via symlinks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1408</cvename>
<url>http://ikiwiki.info/security/#index40h2</url>
</references>
<dates>
<discovery>2011-06-08</discovery>
<entry>2011-06-15</entry>
</dates>
</vuln>
<vuln vid="57573136-920e-11e0-bdc9-001b2134ef46">
<topic>linux-flashplugin -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r181.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-13.html">
<p>An important vulnerability has been identified in Adobe
Flash Player 10.3.181.16 and earlier versions for Windows,
Macintosh, Linux and Solaris, and Adobe Flash Player
10.3.185.22 and earlier versions for Android. This universal
cross-site scripting vulnerability (CVE-2011-2107) could be
used to take actions on a user's behalf on any website or
webmail provider, if the user visits a malicious website.
There are reports that this vulnerability is being exploited
in the wild in active targeted attacks designed to trick
the user into clicking on a malicious link delivered in an
email message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2107</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-13.html</url>
</references>
<dates>
<discovery>2011-05-13</discovery>
<entry>2011-06-08</entry>
</dates>
</vuln>
<vuln vid="1e1421f0-8d6f-11e0-89b4-001ec9578670">
<topic>BIND -- Large RRSIG RRsets and Negative Caching DoS</topic>
<affects>
<package>
<name>bind9-sdb-ldap</name>
<name>bind9-sdb-postgresql</name>
<range><lt>9.4.3.4</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R4.1</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.3.1</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.0.2</lt></range>
</package>
<system>
<name>FreeBSD</name>
<range><gt>7.3</gt><lt>7.3_6</lt></range>
<range><gt>7.4</gt><lt>7.4_2</lt></range>
<range><gt>8.1</gt><lt>8.1_4</lt></range>
<range><gt>8.2</gt><lt>8.2_2</lt></range>
</system>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/bind/advisories/cve-2011-1910">
<p>A BIND 9 DNS server set up to be a caching resolver is
vulnerable to a user querying a domain with very large resource
record sets (RRSets) when trying to negatively cache a response.
This can cause the BIND 9 DNS server (named process) to crash.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1910</cvename>
<freebsdsa>SA-11:02.bind</freebsdsa>
<url>http://www.isc.org/software/bind/advisories/cve-2011-1910</url>
</references>
<dates>
<discovery>2011-05-26</discovery>
<entry>2011-06-04</entry>
</dates>
</vuln>
<vuln vid="f7d838f2-9039-11e0-a051-080027ef73ec">
<topic>fetchmail -- STARTTLS denial of service</topic>
<affects>
<package>
<name>fetchmail</name>
<range><lt>6.3.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2011-01.txt">
<p>Fetchmail version 5.9.9 introduced STLS support for POP3,
version 6.0.0 added STARTTLS for IMAP. However, the actual
S(TART)TLS-initiated in-band SSL/TLS negotiation was not guarded
by a timeout.</p>
<p>Depending on the operating system defaults as to TCP stream
keepalive mode, fetchmail hangs in excess of one week after
sending STARTTLS were observed if the connection failed without
notifying the operating system, for instance, through network
outages or hard server crashes.</p>
<p>A malicious server that does not respond, at the network level,
after acknowledging fetchmail's STARTTLS or STLS request, can
hold fetchmail in this protocol state, and thus render fetchmail
unable to complete the poll, or proceed to the next server,
effecting a denial of service.</p>
<p>SSL-wrapped mode on dedicated ports was unaffected by this
problem, so can be used as a workaround.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1947</cvename>
<url>http://www.fetchmail.info/fetchmail-SA-2011-01.txt</url>
<url>https://gitorious.org/fetchmail/fetchmail/commit/7dc67b8cf06f74aa57525279940e180c99701314</url>
</references>
<dates>
<discovery>2011-04-28</discovery>
<entry>2011-06-06</entry>
</dates>
</vuln>
<vuln vid="34ce5817-8d56-11e0-b5a2-6c626dd55a41">
<topic>asterisk -- Remote crash vulnerability</topic>
<affects>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://lists.digium.com/pipermail/asterisk-announce/2011-June/000325.html">
<p>If a remote user initiates a SIP call and the recipient picks
up, the remote user can reply with a malformed Contact header
that Asterisk will improperly handle and cause a crash due to a
segmentation fault.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2216</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2011-007.pdf</url>
</references>
<dates>
<discovery>2011-06-02</discovery>
<entry>2011-06-02</entry>
</dates>
</vuln>
<vuln vid="e27a1af3-8d21-11e0-a45d-001e8c75030d">
<topic>Subversion -- multiple vulnerabilities</topic>
<affects>
<package>
<name>subversion</name>
<range><lt>1.6.17</lt></range>
</package>
<package>
<name>subversion-freebsd</name>
<range><lt>1.6.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Subversion team reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2011-1752-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module will
dereference a NULL pointer if asked to deliver baselined WebDAV
resources.</p>
<p>This can lead to a DoS. An exploit has been tested, and tools
or users have been observed triggering this problem in the
wild.</p>
</blockquote>
<blockquote cite="http://subversion.apache.org/security/CVE-2011-1783-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module may in
certain scenarios enter a logic loop which does not exit and
which allocates memory in each iteration, ultimately exhausting
all the available memory on the server.</p>
<p>This can lead to a DoS. There are no known instances of this
problem being observed in the wild, but an exploit has been
tested.</p>
</blockquote>
<blockquote cite="http://subversion.apache.org/security/CVE-2011-1921-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module may leak to
remote users the file contents of files configured to be
unreadable by those users.</p>
<p>There are no known instances of this problem being observed in
the wild, but an exploit has been tested.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1752</cvename>
<cvename>CVE-2011-1783</cvename>
<cvename>CVE-2011-1921</cvename>
</references>
<dates>
<discovery>2011-05-28</discovery>
<entry>2011-06-02</entry>
</dates>
</vuln>
<vuln vid="1acf9ec5-877d-11e0-b937-001372fd0af2">
<topic>drupal6 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Drupal Team reports:</p>
<blockquote cite="http://drupal.org/node/1168756">
<p>A reflected cross site scripting vulnerability was discovered
in Drupal's error handler. Drupal displays PHP errors in the
messages area, and a specially crafted URL can cause malicious
scripts to be injected into the message. The issue can be
mitigated by disabling on-screen error display at admin /
settings / error-reporting. This is the recommended setting
for production sites.</p>
<p>When using re-colorable themes, color inputs are not sanitized.
Malicious color values can be used to insert arbitrary CSS and
script code. Successful exploitation requires the "Administer
themes" permission.</p>
</blockquote>
</body>
</description>
<references>
<url>http://drupal.org/node/1168756</url>
</references>
<dates>
<discovery>2011-05-25</discovery>
<entry>2011-05-26</entry>
</dates>
</vuln>
<vuln vid="e4833927-86e5-11e0-a6b4-000a5e1e33c6">
<topic>Erlang -- ssh library uses a weak random number generator</topic>
<affects>
<package>
<name>erlang</name>
<range><lt>r14b03</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/178990">
<p>The Erlang/OTP ssh library implements a number of
cryptographic operations that depend on cryptographically
strong random numbers. Unfortunately the RNG used by the
library is not cryptographically strong, and is further
weakened by the use of predictable seed material. The RNG
(Wichmann-Hill) is not mixed with an entropy source.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0766</cvename>
<url>http://www.erlang.org/download/otp_src_R14B03.readme</url>
<url>https://github.com/erlang/otp/commit/f228601de45c5b53241b103af6616453c50885a5</url>
</references>
<dates>
<discovery>2011-05-25</discovery>
<entry>2011-05-25</entry>
</dates>
</vuln>
<vuln vid="dc96ac1f-86b1-11e0-9e85-00215af774f0">
<topic>Unbound -- assertion failure when handling an empty error packet</topic>
<affects>
<package>
<name>unbound</name>
<range><lt>1.4.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Unbound developers report:</p>
<blockquote cite="http://unbound.nlnetlabs.nl/downloads/CVE-2011-1922.txt">
<p>NLnet Labs was notified of an error in Unbound's code-path
for error replies which is triggered under special conditions.
The error causes the program to abort.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1922</cvename>
<url>http://unbound.nlnetlabs.nl/downloads/CVE-2011-1922.txt</url>
</references>
<dates>
<discovery>2011-05-25</discovery>
<entry>2011-05-25</entry>
</dates>
</vuln>
<vuln vid="115a1389-858e-11e0-a76c-000743057ca2">
<topic>Pubcookie Login Server -- XSS vulnerability</topic>
<affects>
<package>
<name>pubcookie-login-server</name>
<range><lt>3.3.2d</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nathan Dors of the Pubcookie Project reports:</p>
<blockquote cite="http://pubcookie.org/news/20070606-login-secadv.html">
<p>A new non-persistent XSS vulnerability was found in the
Pubcookie login server's compiled binary "index.cgi" CGI
program. The CGI program mishandles untrusted data when
printing responses to the browser. This makes the program
vulnerable to carefully crafted requests containing script
or HTML. If an attacker can lure an unsuspecting user to
visit carefully staged content, the attacker can use it to
redirect the user to his or her local Pubcookie login page
and attempt to exploit the XSS vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://pubcookie.org/news/20070606-login-secadv.html</url>
</references>
<dates>
<discovery>2007-05-25</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="1ca8228f-858d-11e0-a76c-000743057ca2">
<topic>mod_pubcookie -- Empty Authentication Security Advisory</topic>
<affects>
<package>
<name>ap20-mod_pubcookie</name>
<range><ge>3.1.0</ge><lt>3.3.2b</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nathan Dors of the Pubcookie Project reports:</p>
<blockquote cite="http://pubcookie.org/news/20061106-empty-auth-secadv.html">
<p>An Abuse of Functionality vulnerability in the Pubcookie
authentication process was found. This vulnerability allows an
attacker to appear as if he or she were authenticated using an
empty userid when such a userid isn't expected. Unauthorized
access to web content and applications may result where access
is restricted to users who can authenticate successfully but
where no additional authorization is performed after
authentication.</p>
</blockquote>
</body>
</description>
<references>
<url>http://pubcookie.org/news/20061106-empty-auth-secadv.html</url>
</references>
<dates>
<discovery>2006-10-04</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="7af2fb85-8584-11e0-96b7-00300582f9fc">
<topic>ViewVC -- user-reachable override of cvsdb row limit</topic>
<affects>
<package>
<name>viewvc</name>
<range><lt>1.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ViewVC.org reports:</p>
<blockquote cite="http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2536&amp;r2=2574">
<p>Security fix: remove user-reachable override of cvsdb row limit.</p>
</blockquote>
</body>
</description>
<references>
<url>http://viewvc.tigris.org/source/browse/*checkout*/viewvc/branches/1.1.x/CHANGES</url>
</references>
<dates>
<discovery>2011-05-17</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="99a5590c-857e-11e0-96b7-00300582f9fc">
<topic>Apache APR -- DoS vulnerabilities</topic>
<affects>
<package>
<name>apr1</name>
<range><lt>1.4.5.1.3.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Portable Runtime Project reports:</p>
<blockquote cite="http://www.apache.org/dist/apr/CHANGES-APR-1.4">
<p>A flaw was discovered in the apr_fnmatch() function in the
Apache Portable Runtime (APR) library 1.4.4 (or any backported
versions that contained the upstream fix for CVE-2011-0419).
This could cause httpd workers to enter a hung state (100% CPU
utilization).</p>
<p>apr-util 1.3.11 could cause crashes with httpd's
mod_authnz_ldap in some situations.</p>
</blockquote>
</body>
</description>
<references>
<bid>47929</bid>
<cvename>CVE-2011-1928</cvename>
<cvename>CVE-2011-0419</cvename>
<url>http://www.apache.org/dist/apr/Announcement1.x.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1928</url>
</references>
<dates>
<discovery>2011-05-19</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="d226626c-857f-11e0-95cc-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.3r181.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-12.html">
<p>Critical vulnerabilities have been identified in Adobe Flash
Player 10.2.159.1 and earlier versions (Adobe Flash Player
10.2.154.28 and earlier for Chrome users) for Windows,
Macintosh, Linux and Solaris, and Adobe Flash Player 10.2.157.51
and earlier versions for Android. These vulnerabilities could
cause the application to crash and could potentially allow an
attacker to take control of the affected system. There are
reports of malware attempting to exploit one of the
vulnerabilities, CVE-2011-0627, in the wild via a Flash (.swf)
file embedded in a Microsoft Word (.doc) or Microsoft Excel
(.xls) file delivered as an email attachment targeting the
Windows platform. However, to date, Adobe has not obtained a
sample that successfully completes an attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0579</cvename>
<cvename>CVE-2011-0618</cvename>
<cvename>CVE-2011-0619</cvename>
<cvename>CVE-2011-0620</cvename>
<cvename>CVE-2011-0621</cvename>
<cvename>CVE-2011-0622</cvename>
<cvename>CVE-2011-0623</cvename>
<cvename>CVE-2011-0624</cvename>
<cvename>CVE-2011-0625</cvename>
<cvename>CVE-2011-0626</cvename>
<cvename>CVE-2011-0627</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-12.html</url>
</references>
<dates>
<discovery>2011-01-20</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="e666498a-852a-11e0-8f78-080027ef73ec">
<topic>Opera -- code injection vulnerability through broken frameset handling</topic>
<affects>
<package><name>opera</name><range><lt>11.11</lt></range></package>
<package><name>opera-devel</name><range><lt>11.11</lt></range></package>
<package><name>linux-opera</name><range><lt>11.11</lt></range></package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera Software ASA reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1111/">
<p>Fixed an issue with framesets that could allow execution of
arbitrary code, as reported by an anonymous contributor working
with the SecuriTeam Secure Disclosure program.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/docs/changelogs/unix/1111/</url>
<url>http://www.opera.com/support/kb/view/992/</url>
</references>
<dates>
<discovery>2011-05-18</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="1495f931-8522-11e0-a1c1-00215c6a37bb">
<topic>pureftpd -- multiple vulnerabilities</topic>
<affects>
<package>
<name>pure-ftpd</name>
<range><lt>1.0.32</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Pure-FTPd development team reports:</p>
<blockquote cite="http://www.pureftpd.org/project/pure-ftpd/news">
<p>Support for braces expansion in directory listings has been
disabled -- Cf. CVE-2011-0418.</p>
<p>Fix a STARTTLS flaw similar to Postfix's CVE-2011-0411.
If you're using TLS, upgrading is recommended.</p>
</blockquote>
</body>
</description>
<references>
<bid>46767</bid>
<cvename>CVE-2011-0418</cvename>
<cvename>CVE-2011-1575</cvename>
</references>
<dates>
<discovery>2011-04-01</discovery>
<entry>2011-05-23</entry>
</dates>
</vuln>
<vuln vid="36594c54-7be7-11e0-9838-0022156e8794">
<topic>Exim -- remote code execution and information disclosure</topic>
<affects>
<package>
<name>exim</name>
<range><ge>4.70</ge><lt>4.76</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The release notes for Exim 4.76 say:</p>
<blockquote cite="ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.76">
<p>Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to
a format-string attack -- SECURITY: remote arbitrary code
execution.</p>
<p>DKIM signature header parsing was double-expanded, second
time unintentionally subject to list matching rules, letting
the header cause arbitrary Exim lookups (of items which can
occur in lists, *not* arbitrary string expansion). This
allowed for information disclosure.</p>
</blockquote>
<p>Also, impact assessment was redone shortly after the original
announcement:</p>
<blockquote cite="https://lists.exim.org/lurker/message/20110512.102909.8136175a.en.html">
<p>Further analysis revealed that the second security was
more severe than I realised at the time that I wrote the
announcement. The second security issue has been assigned
CVE-2011-1407 and is also a remote code execution flaw.
For clarity: both issues were introduced with 4.70.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1764</cvename>
<cvename>CVE-2011-1407</cvename>
<mlist msgid="20110512102909.GA58484@redoubt.spodhuis.org">https://lists.exim.org/lurker/message/20110512.102909.8136175a.en.html</mlist>
<url>http://bugs.exim.org/show_bug.cgi?id=1106</url>
</references>
<dates>
<discovery>2011-05-10</discovery>
<entry>2011-05-14</entry>
</dates>
</vuln>
<vuln vid="00b296b6-7db1-11e0-96b7-00300582f9fc">
<topic>Apache APR -- DoS vulnerabilities</topic>
<affects>
<package>
<name>apr1</name>
<range><lt>1.4.4.1.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Portable Runtime Project reports:</p>
<blockquote cite="http://www.apache.org/dist/apr/CHANGES-APR-1.4">
<p>Note especially a security fix to APR 1.4.4, excessive CPU
consumption was possible due to an unconstrained, recursive
invocation of apr_fnmatch, as apr_fnmatch processed '*' wildcards.
Reimplement apr_fnmatch() from scratch using a non-recursive
algorithm now has improved compliance with the fnmatch() spec.
(William Rowe)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0419</cvename>
<url>http://www.apache.org/dist/apr/Announcement1.x.html</url>
</references>
<dates>
<discovery>2011-05-10</discovery>
<entry>2011-05-12</entry>
</dates>
</vuln>
<vuln vid="34e8ccf5-7d71-11e0-9d83-000c29cc39d3">
<topic>Zend Framework -- potential SQL injection when using PDO_MySql</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.11.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2011-02">
<p>Developers using non-ASCII-compatible encodings in conjunction
with the MySQL PDO driver of PHP may be vulnerable to SQL
injection attacks. Developers using ASCII-compatible encodings
like UTF8 or latin1 are not affected by this PHP issue.</p>
</blockquote>
</body>
</description>
<references>
<url>http://framework.zend.com/security/advisory/ZF2011-02</url>
<url>http://zend-framework-community.634137.n4.nabble.com/Zend-Framework-1-11-6-and-1-10-9-released-td3503741.html</url>
</references>
<dates>
<discovery>2011-05-06</discovery>
<entry>2011-05-13</entry>
</dates>
</vuln>
<vuln vid="3fadb7c6-7b0a-11e0-89b4-001ec9578670">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><lt>1.16.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mediawiki reports:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-May/000098.html">
<p>(Bug 28534) XSS vulnerability for IE 6 clients. This is the
third attempt at fixing bug 28235.</p>
<p>(Bug 28639) Potential privilege escalation when
$wgBlockDisablesLogin is enabled.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=28534</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=28639</url>
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-May/000098.html</url>
<url>http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/RELEASE-NOTES</url>
</references>
<dates>
<discovery>2011-04-14</discovery>
<entry>2011-05-12</entry>
</dates>
</vuln>
<vuln vid="3eb2c100-738b-11e0-89f4-001e90d46635">
<topic>Postfix -- memory corruption vulnerability</topic>
<affects>
<package>
<name>postfix</name>
<name>postfix-base</name>
<range><ge>2.8.*,1</ge><lt>2.8.3,1</lt></range>
<range><ge>2.7.*,1</ge><lt>2.7.4,1</lt></range>
<range><ge>2.6.*,1</ge><lt>2.6.10,1</lt></range>
<range><ge>2.5.*,2</ge><lt>2.5.13,2</lt></range>
<range><le>2.4.16,1</le></range>
</package>
<package>
<name>postfix-current</name>
<name>postfix-current-base</name>
<range><lt>2.9.20110501,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Postfix SMTP server has a memory corruption error when the
Cyrus SASL library is used with authentication mechanisms other
than PLAIN and LOGIN (ANONYMOUS is not affected, but should not
be used for other reasons). This memory corruption is known to
result in a program crash (SIGSEGV).</p>
</body>
</description>
<references>
<cvename>CVE-2011-1720</cvename>
<url>http://www.postfix.org/CVE-2011-1720.html</url>
</references>
<dates>
<discovery>2011-05-09</discovery>
<entry>2011-05-09</entry>
</dates>
</vuln>
<vuln vid="04b7d46c-7226-11e0-813a-6c626dd55a41">
<topic>Mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.17,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.19,1</lt></range>
<range><gt>4.0.*,1</gt><lt>4.0.1,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.17</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.17,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.19</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.14</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-12 Miscellaneous memory safety hazards</p>
<p>MFSA 2011-13 Multiple dangling pointer vulnerabilities</p>
<p>MFSA 2011-14 Information stealing via form history</p>
<p>MFSA 2011-15 Escalation of privilege through Java Embedding Plugin</p>
<p>MFSA 2011-16 Directory traversal in resource: protocol</p>
<p>MFSA 2011-17 WebGLES vulnerabilities</p>
<p>MFSA 2011-18 XSLT generate-id() function heap address leak</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-12.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-13.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-14.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-15.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-16.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-17.html</url>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-18.html</url>
</references>
<dates>
<discovery>2011-04-28</discovery>
<entry>2011-04-29</entry>
</dates>
</vuln>
<vuln vid="3c7d565a-6c64-11e0-813a-6c626dd55a41">
<topic>Asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.40.1</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.17.3</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.3.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://lists.digium.com/pipermail/asterisk-announce/2011-April/000316.html">
<p>It is possible for a user of the Asterisk Manager Interface to
bypass a security check and execute shell commands when they
should not have that ability. Sending the "Async" header with
the "Application" header during an Originate action allows
authenticated manager users to execute shell commands. Only
users with the "system" privilege should be able to do this.</p>
<p>On systems that have the Asterisk Manager Interface, Skinny, SIP
over TCP, or the built in HTTP server enabled, it is possible for
an attacker to open as many connections to asterisk as he wishes.
This will cause Asterisk to run out of available file descriptors
and stop processing any new calls. Additionally, disk space can
be exhausted as Asterisk logs failures to open new file
descriptors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1507</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2011-005.pdf</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-006.pdf</url>
</references>
<dates>
<discovery>2011-04-21</discovery>
<entry>2011-04-21</entry>
</dates>
</vuln>
<vuln vid="6a4bfe75-692a-11e0-bce7-001eecdd401a">
<topic>VLC -- Heap corruption in MP4 demultiplexer</topic>
<affects>
<package>
<name>vlc</name>
<range><ge>1.0.0</ge><lt>1.1.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The VideoLAN project reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1103.html">
<p>When parsing some MP4 (MPEG-4 Part 14) files, insufficient
buffer size might lead to corruption of the heap.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.videolan.org/security/sa1103.html</url>
</references>
<dates>
<discovery>2011-04-07</discovery>
<entry>2011-04-17</entry>
</dates>
</vuln>
<vuln vid="32b05547-6913-11e0-bdc4-001b2134ef46">
<topic>linux-flashplugin -- remote code execution vulnerability</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>10.2r159.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa11-02.html">
<p>A critical vulnerability exists in Flash Player 10.2.153.1
and earlier versions (Adobe Flash Player 10.2.154.25 and
earlier for Chrome users) for Windows, Macintosh, Linux
and Solaris, Adobe Flash Player 10.2.156.12 and earlier
versions for Android, and the Authplay.dll component that
ships with Adobe Reader and Acrobat X (10.0.2) and earlier
10.x and 9.x versions for Windows and Macintosh operating
systems.</p>
<p>This vulnerability (CVE-2011-0611) could cause a crash
and potentially allow an attacker to take control of the
affected system. There are reports that this vulnerability
is being exploited in the wild in targeted attacks via a
malicious Web page or a Flash (.swf) file embedded in a
Microsoft Word (.doc) or Microsoft Excel (.xls) file
delivered as an email attachment, targeting the Windows
platform. At this time, Adobe is not aware of any attacks
via PDF targeting Adobe Reader and Acrobat. Adobe Reader
X Protected Mode mitigations would prevent an exploit of
this kind from executing.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0611</cvename>
<url>http://www.adobe.com/support/security/advisories/apsa11-02.html</url>
</references>
<dates>
<discovery>2011-01-20</discovery>
<entry>2011-04-17</entry>
</dates>
</vuln>
<vuln vid="bf171509-68dd-11e0-afe6-0003ba02bf30">
<topic>rt -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rt36</name>
<range><lt>3.6.11</lt></range>
</package>
<package>
<name>rt38</name>
<range><lt>3.8.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Best Practical reports:</p>
<blockquote cite="http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html">
<p>In the process of preparing the release of RT 4.0.0, we performed
an extensive security audit of RT's source code. During this
audit, several vulnerabilities were found which affect earlier
releases of RT.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1685</cvename>
<cvename>CVE-2011-1686</cvename>
<cvename>CVE-2011-1687</cvename>
<cvename>CVE-2011-1688</cvename>
<cvename>CVE-2011-1689</cvename>
<cvename>CVE-2011-1690</cvename>
<url>http://secunia.com/advisories/44189</url>
</references>
<dates>
<discovery>2011-04-14</discovery>
<entry>2011-04-17</entry>
</dates>
</vuln>
<vuln vid="6a3c3e5c-66cb-11e0-a116-c535f3aa24f0">
<topic>krb5 -- MITKRB5-SA-2011-004, kadmind invalid pointer free() [CVE-2011-0285]</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><lt>1.8.4</lt></range>
<range><eq>1.9</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An advisory published by the MIT Kerberos team says:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt">
<p>The password-changing capability of the MIT krb5 administration
daemon (kadmind) has a bug that can cause it to attempt to free()
an invalid pointer under certain error conditions. This can cause
the daemon to crash or induce the execution of arbitrary code
(which is believed to be difficult). No exploit that executes
arbitrary code is known to exist, but it is easy to trigger a
denial of service manually.</p>
<p>Some platforms detect attempted freeing of invalid pointers and
protectively terminate the process, preventing arbitrary code
execution on those platforms.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0285</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt</url>
</references>
<dates>
<discovery>2011-04-12</discovery>
<entry>2011-04-14</entry>
</dates>
</vuln>
<vuln vid="7edac52a-66cd-11e0-9398-5d45f3aa24f0">
<topic>krb5 -- MITKRB5-SA-2011-003, KDC vulnerable to double-free when PKINIT enabled</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><lt>1.8.4</lt></range>
<range><eq>1.9</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An advisory published by the MIT Kerberos team says:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt">
<p>The MIT Kerberos 5 Key Distribution Center (KDC) daemon is
vulnerable to a double-free condition if the Public Key
Cryptography for Initial Authentication (PKINIT) capability is
enabled, resulting in daemon crash or arbitrary code execution
(which is believed to be difficult).</p>
<p>An unauthenticated remote attacker can induce a double-free
event, causing the KDC daemon to crash (denial of service),
or to execute arbitrary code. Exploiting a double-free event
to execute arbitrary code is believed to be difficult.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0284</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt</url>
</references>
<dates>
<discovery>2011-03-15</discovery>
<entry>2011-04-14</entry>
</dates>
</vuln>
<vuln vid="4ab413ea-66ce-11e0-bf05-d445f3aa24f0">
<topic>krb5 -- MITKRB5-SA-2011-002, KDC vulnerable to hang when using LDAP back end</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><le>1.8.4</le></range>
<range><eq>1.9</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An advisory published by the MIT Kerberos team says:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt">
<p>The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable
to denial of service attacks from unauthenticated remote
attackers. CVE-2011-0281 and CVE-2011-0282 occur only in KDCs
using LDAP back ends, but CVE-2011-0283 occurs in all krb5-1.9
KDCs.</p>
<p>Exploit code is not known to exist, but the vulnerabilities are
easy to trigger manually. The trigger for CVE-2011-0281 has
already been disclosed publicly, but that fact might not be
obvious to casual readers of the message in which it was
disclosed. The triggers for CVE-2011-0282 and CVE-2011-0283
have not yet been disclosed publicly, but they are also
trivial.</p>
<p>CVE-2011-0281: An unauthenticated remote attacker can cause a KDC
configured with an LDAP back end to become completely unresponsive
until restarted.</p>
<p>CVE-2011-0282: An unauthenticated remote attacker can cause a KDC
configured with an LDAP back end to crash with a null pointer
dereference.</p>
<p>CVE-2011-0283: An unauthenticated remote attacker can cause a
krb5-1.9 KDC with any back end to crash with a null pointer
dereference.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0281</cvename>
<cvename>CVE-2011-0282</cvename>
<cvename>CVE-2011-0283</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-04-14</entry>
</dates>
</vuln>
<vuln vid="64f24a1e-66cf-11e0-9deb-f345f3aa24f0">
<topic>krb5 -- MITKRB5-SA-2011-001, kpropd denial of service</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><lt>1.8.4</lt></range>
<range><eq>1.9</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An advisory published by the MIT Kerberos team says:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt">
<p>The MIT krb5 KDC database propagation daemon (kpropd) is
vulnerable to a denial-of-service attack triggered by invalid
network input. If a kpropd worker process receives invalid
input that causes it to exit with an abnormal status, it can
cause the termination of the listening process that spawned it,
preventing the slave KDC it was running on from receiving
database updates from the master KDC.</p>
<p>Exploit code is not known to exist, but the vulnerabilities are
easy to trigger manually.</p>
<p>An unauthenticated remote attacker can cause kpropd running in
standalone mode (the "-S" option) to terminate its listening
process, preventing database propagations to the KDC host on
which it was running. Configurations where kpropd runs in
incremental propagation mode ("iprop") or as an inetd server
are not affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4022</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-04-14</entry>
</dates>
</vuln>
<vuln vid="2eccb24f-61c0-11e0-b199-0015f2db7bde">
<topic>xrdb -- root hole via rogue hostname</topic>
<affects>
<package>
<name>xrdb</name>
<range><lt>1.0.6_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Hopf reports:</p>
<blockquote cite="http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html">
<p>By crafting hostnames with shell escape characters, arbitrary
commands can be executed in a root environment when a display
manager reads in the resource database via xrdb.</p>
<p>These specially crafted hostnames can occur in two environments:</p>
<p>Affected systems are: systems that set their hostname via DHCP,
where the DHCP client used allows setting of hostnames with illegal
characters; and systems that allow remote logins via xdmcp.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0465</cvename>
<url>http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html</url>
</references>
<dates>
<discovery>2011-04-05</discovery>
<entry>2011-04-14</entry>
</dates>
</vuln>
<vuln vid="a4372a68-652c-11e0-a25a-00151735203a">
<topic>OTRS -- Several XSS attacks possible</topic>
<affects>
<package>
<name>otrs</name>
<range><gt>2.3.*</gt><lt>3.0.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2011-01-en/">
<ul>
<li>Several XSS attacks possible:
An attacker could trick a logged in user into following a prepared
URL inside of the OTRS system which causes a page to be shown that
possibly includes malicious JavaScript code because of incorrect
escaping during the generation of the HTML page.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1518</cvename>
<url>http://otrs.org/advisory/OSA-2011-01-en/</url>
</references>
<dates>
<discovery>2011-03-12</discovery>
<entry>2011-04-12</entry>
</dates>
</vuln>
<vuln vid="7e69f00d-632a-11e0-9f3a-001d092480a4">
<topic>isc-dhcp-client -- dhclient does not strip or escape shell meta-characters</topic>
<affects>
<package>
<name>isc-dhcp31-client</name>
<range><lt>3.1.ESV_1,1</lt></range>
</package>
<package>
<name>isc-dhcp41-client</name>
<range><lt>4.1.e,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/dhcp/advisories/cve-2011-0997">
<p>ISC dhclient did not strip or escape certain shell meta-characters
in responses from the dhcp server (like hostname) before passing the
responses on to dhclient-script. Depending on the script and OS,
this can result in execution of exploit code on the client.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0997</cvename>
<certvu>107886</certvu>
</references>
<dates>
<discovery>2011-04-05</discovery>
<entry>2011-04-10</entry>
</dates>
</vuln>
<vuln vid="b9281fb9-61b2-11e0-b1ce-0019d1a7ece2">
<topic>tinyproxy -- ACL lists ineffective when range is configured</topic>
<affects>
<package>
<name>tinyproxy</name>
<range><lt>1.8.2_2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>When including a line to allow a network of IP addresses, the access to tinyproxy
is actually allowed for all IP addresses.</p>
</body>
</description>
<references>
<cvename>CVE-2011-1499</cvename>
<url>https://banu.com/bugzilla/show_bug.cgi?id=90</url>
</references>
<dates>
<discovery>2010-05-18</discovery>
<entry>2011-04-08</entry>
</dates>
</vuln>
<vuln vid="b2a40507-5c88-11e0-9e85-00215af774f0">
<topic>quagga -- two DoS vulnerabilities</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.17_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Quagga developers report:</p>
<blockquote cite="http://www.quagga.net/news2.php?y=2011&amp;m=3&amp;d=21#id1300723200">
<p>Quagga 0.99.18 has been released.
This release fixes 2 denial of services in bgpd, which can be
remotely triggered by malformed AS-Pathlimit or Extended-Community
attributes. These issues have been assigned CVE-2010-1674 and
CVE-2010-1675. Support for AS-Pathlimit has been removed with this
release.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1674</cvename>
<cvename>CVE-2010-1675</cvename>
<url>http://www.quagga.net/news2.php?y=2011&amp;m=3&amp;d=21#id1300723200</url>
</references>
<dates>
<discovery>2010-04-30</discovery>
<entry>2011-04-01</entry>
</dates>
</vuln>
<vuln vid="c6fbd447-59ed-11e0-8d04-0015f2db7bde">
<topic>gdm -- privilege escalation vulnerability</topic>
<affects>
<package>
<name>gdm</name>
<range><lt>2.30.5_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sebastian Krahmer reports:</p>
<blockquote cite="http://mail.gnome.org/archives/distributor-list/2011-March/msg00008.html">
<p>It was discovered that the GNOME Display Manager (gdm) cleared the cache
directory, which is owned by an unprivileged user, with the privileges of the
root user. A race condition exists in gdm where a local user could take
advantage of this by writing to the cache directory between ending the session
and the signal to clean up the session, which could lead to the execution of
arbitrary code as the root user.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0727</cvename>
<url>http://mail.gnome.org/archives/distributor-list/2011-March/msg00008.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=688323</url>
</references>
<dates>
<discovery>2011-03-28</discovery>
<entry>2011-03-29</entry>
</dates>
</vuln>
<vuln vid="fe853666-56ce-11e0-9668-001fd0d616cf">
<topic>php -- ZipArchive segfault with FL_UNCHANGED on empty archive</topic>
<affects>
<package>
<name>php5-zip</name>
<range><lt>5.3.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT/NIST reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0421">
<p>The _zip_name_locate function in zip_name_locate.c in the Zip extension
in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED
argument, which might allow context-dependent attackers to cause a
denial of service (application crash) via an empty ZIP archive that is
processed with a (1) locateName or (2) statName operation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0421</cvename>
</references>
<dates>
<discovery>2011-03-20</discovery>
<entry>2011-03-25</entry>
</dates>
</vuln>
<vuln vid="cc3bfec6-56cd-11e0-9668-001fd0d616cf">
<topic>php -- crash on crafted tag in exif</topic>
<affects>
<package>
<name>php5-exif</name>
<range><lt>5.3.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT/NIST reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0708">
<p>exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms
performs an incorrect cast, which allows remote attackers to cause a
denial of service (application crash) via an image with a crafted
Image File Directory (IFD) that triggers a buffer over-read.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0708</cvename>
</references>
<dates>
<discovery>2011-03-20</discovery>
<entry>2011-03-25</entry>
</dates>
</vuln>
<vuln vid="501ee07a-5640-11e0-985a-001b2134ef46">
<topic>linux-flashplugin -- remote code execution vulnerability</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.2r153</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa11-01.html">
<p>A critical vulnerability exists in Adobe Flash Player
10.2.152.33 and earlier versions (Adobe Flash Player
10.2.154.18 and earlier for Chrome users) for Windows,
Macintosh, Linux and Solaris operating systems, Adobe
Flash Player 10.1.106.16 and earlier versions for Android,
and the Authplay.dll component that ships with Adobe Reader
and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of
Reader and Acrobat for Windows and Macintosh operating systems.</p>
<p>This vulnerability (CVE-2011-0609) could cause a crash and
potentially allow an attacker to take control of the affected
system. There are reports that this vulnerability is being
exploited in the wild in targeted attacks via a Flash (.swf)
file embedded in a Microsoft Excel (.xls) file delivered as
an email attachment.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0609</cvename>
<url>http://www.adobe.com/support/security/advisories/apsa11-01.html</url>
</references>
<dates>
<discovery>2011-01-20</discovery>
<entry>2011-03-24</entry>
</dates>
</vuln>
<vuln vid="b2f09169-55af-11e0-9d6f-000f20797ede">
<topic>mozilla -- update to HTTPS certificate blacklist</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.16,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.18,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.16</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.16,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.18</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.13</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-11 Update to HTTPS certificate blacklist</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.mozilla.org/security/announce/2011/mfsa2011-11.html</url>
</references>
<dates>
<discovery>2011-03-22</discovery>
<entry>2011-03-24</entry>
</dates>
</vuln>
<vuln vid="14a6f516-502f-11e0-b448-bbfa2731f9c7">
<topic>postfix -- plaintext command injection with SMTP over TLS</topic>
<affects>
<package>
<name>postfix</name>
<name>postfix-base</name>
<range><ge>2.7.*,1</ge><lt>2.7.3,1</lt></range>
<range><ge>2.6.*,1</ge><lt>2.6.9,1</lt></range>
<range><ge>2.5.*,2</ge><lt>2.5.12,2</lt></range>
<range><ge>2.4.*,1</ge><lt>2.4.16,1</lt></range>
</package>
<package>
<name>postfix-current</name>
<name>postfix-current-base</name>
<range><lt>2.9.20100120,4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wietse Venema has discovered a software flaw that allows
an attacker to inject client commands into an SMTP session
during the unprotected plaintext SMTP protocol phase, such
that the server will execute those commands during the
SMTP-over-TLS protocol phase when all communication is supposed
to be protected.</p>
</body>
</description>
<references>
<cvename>CVE-2011-0411</cvename>
<url>http://www.postfix.org/CVE-2011-0411.html</url>
<url>http://secunia.com/advisories/43646/</url>
</references>
<dates>
<discovery>2011-03-07</discovery>
<entry>2011-03-19</entry>
</dates>
</vuln>
<vuln vid="b13414c9-50ba-11e0-975a-000c29cc39d3">
<topic>hiawatha -- integer overflow in Content-Length header parsing</topic>
<affects>
<package>
<name>hiawatha</name>
<range><lt>7.4_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hugo Leisink reports:</p>
<blockquote cite="http://www.hiawatha-webserver.org/weblog/16">
<p>A bug has been found in version 7.4 of the Hiawatha webserver,
which could lead to a server crash. This is caused by an integer
overflow in the routine that reads the HTTP request. A too large
value of the Content-Length HTTP header results in an overflow.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.hiawatha-webserver.org/weblog/16</url>
<url>http://secunia.com/advisories/43660/</url>
<url>http://securityvulns.com/Zdocument902.html</url>
<url>http://packetstormsecurity.org/files/99021/Hiawatha-WebServer-7.4-Denial-Of-Service.html</url>
<url>http://seclists.org/bugtraq/2011/Mar/65</url>
</references>
<dates>
<discovery>2011-02-25</discovery>
<entry>2011-03-17</entry>
</dates>
</vuln>
<vuln vid="bfe9c75e-5028-11e0-b2d2-00215c6a37bb">
<topic>asterisk -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.17.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://www.venturevoip.com/news.php?rssid=2521">
<p>The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1
resolve two issues:</p>
<ul>
<li>Resource exhaustion in Asterisk Manager Interface
(AST-2011-003)</li>
<li>Remote crash vulnerability in TCP/TLS server
(AST-2011-004)</li>
</ul>
<p>The issues and resolutions are described in the AST-2011-003
and AST-2011-004 security advisories.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2011-003.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2011-004.html</url>
</references>
<dates>
<discovery>2011-03-01</discovery>
<entry>2011-03-16</entry>
</dates>
</vuln>
<vuln vid="8b986a05-4dbe-11e0-8b9a-02e0184b8d35">
<topic>avahi -- denial of service</topic>
<affects>
<package>
<name>avahi</name>
<name>avahi-app</name>
<name>avahi-autoipd</name>
<name>avahi-gtk</name>
<name>avahi-libdns</name>
<name>avahi-qt3</name>
<name>avahi-qt4</name>
<name>avahi-sharp</name>
<range><lt>0.6.29</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Avahi developers report:</p>
<blockquote cite="http://secunia.com/advisories/43361/">
<p>A vulnerability has been reported in Avahi, which can be exploited
by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when processing certain
UDP packets, which can be exploited to trigger an infinite loop by
e.g. sending an empty packet to port 5353/UDP.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1002</cvename>
<cvename>CVE-2010-2244</cvename>
<url>http://secunia.com/advisories/43361/</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=667187</url>
</references>
<dates>
<discovery>2011-02-21</discovery>
<entry>2011-03-13</entry>
</dates>
</vuln>
<vuln vid="64691c49-4b22-11e0-a226-00e0815b8da8">
<topic>mailman -- XSS vulnerability</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.14_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0707">
<p>Multiple cross-site scripting (XSS) vulnerabilities in
Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote
attackers to inject arbitrary web script or HTML via the (1)
full name or (2) username field in a confirmation message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0707</cvename>
<url>http://mail.python.org/pipermail/mailman-announce/2011-February/000157.html</url>
</references>
<dates>
<discovery>2011-02-13</discovery>
<entry>2011-03-10</entry>
</dates>
</vuln>
<vuln vid="cf96cd8d-48fb-11e0-98a6-0050569b2d21">
<topic>redmine -- XSS vulnerability</topic>
<affects>
<package>
<name>redmine</name>
<range><gt>1.0</gt><lt>1.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jean-Philippe Lang reports:</p>
<blockquote cite="http://www.redmine.org/news/53">
<p>This maintenance release for 1.1.x users includes
13 bug fixes since 1.1.1 and a security fix (XSS
vulnerability affecting all Redmine versions from
1.0.1 to 1.1.1).
</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/news/53</url>
</references>
<dates>
<discovery>2011-03-07</discovery>
<entry>2011-03-07</entry>
</dates>
</vuln>
<vuln vid="e27ca763-4721-11e0-bdc4-001e8c75030d">
<topic>subversion -- remote HTTP DoS vulnerability</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.6</ge><le>1.6.15</le></range>
<range><ge>1.5</ge><le>1.6.9</le></range>
</package>
<package>
<name>subversion-freebsd</name>
<range><ge>1.6</ge><le>1.6.15</le></range>
<range><ge>1.5</ge><le>1.6.9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion project reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2011-0715-advisory.txt">
<p>Subversion HTTP servers up to 1.5.9 (inclusive) or 1.6.15 (inclusive)
are vulnerable to a remotely triggerable NULL-pointer dereference.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0715</cvename>
</references>
<dates>
<discovery>2011-02-27</discovery>
<entry>2011-03-05</entry>
</dates>
</vuln>
<vuln vid="45f102cd-4456-11e0-9580-4061862b8c22">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.14,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.17,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.14</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.14,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.17</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.12</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>3.1</ge><lt>3.1.8</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.12</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>3.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)</p>
<p>MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true</p>
<p>MFSA 2011-03 Use-after-free error in JSON.stringify</p>
<p>MFSA 2011-04 Buffer overflow in JavaScript upvarMap</p>
<p>MFSA 2011-05 Buffer overflow in JavaScript atom map</p>
<p>MFSA 2011-06 Use-after-free error using Web Workers</p>
<p>MFSA 2011-07 Memory corruption during text run construction (Windows)</p>
<p>MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents</p>
<p>MFSA 2011-09 Crash caused by corrupted JPEG image</p>
<p>MFSA 2011-10 CSRF risk with plugins and 307 redirects</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1585</cvename>
<cvename>CVE-2011-0051</cvename>
<cvename>CVE-2011-0053</cvename>
<cvename>CVE-2011-0054</cvename>
<cvename>CVE-2011-0055</cvename>
<cvename>CVE-2011-0056</cvename>
<cvename>CVE-2011-0057</cvename>
<cvename>CVE-2011-0058</cvename>
<cvename>CVE-2011-0059</cvename>
<cvename>CVE-2011-0061</cvename>
<cvename>CVE-2011-0062</cvename>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-01.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-02.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-03.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-04.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-05.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-06.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-07.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-08.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-09.html</url>
<url>https://www.mozilla.org/security/announce/2011/mfsa2011-10.html</url>
</references>
<dates>
<discovery>2011-03-01</discovery>
<entry>2011-03-01</entry>
</dates>
</vuln>
<vuln vid="be3dfe33-410b-11e0-9e02-00215c6a37bb">
<topic>openldap -- two security bypass vulnerabilities</topic>
<affects>
<package>
<name>openldap-server</name>
<range><gt>2.4.0</gt><lt>2.4.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/43331/">
<p>Two vulnerabilities have been reported in
OpenLDAP, which can be exploited by malicious
people to bypass certain security restrictions.</p>
<p>The vulnerabilities are reported in versions
prior to 2.4.24.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/43331/</url>
</references>
<dates>
<discovery>2011-02-14</discovery>
<entry>2011-02-25</entry>
</dates>
</vuln>
<vuln vid="65d16342-3ec8-11e0-9df7-001c42d23634">
<topic>asterisk -- Exploitable Stack and Heap Array Overflows</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.39.2</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.16.2</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://lists.digium.com/pipermail/asterisk-announce/2011-February/000302.html">
<p>The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and
1.8.2.4 resolve an issue where, when decoding UDPTL packets, multiple
heap-based arrays can be made to overflow by specially
crafted packets. Systems configured for T.38 pass through or
termination are vulnerable. The issue and resolution are described
in the AST-2011-002 security advisory.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2011-002.html</url>
<url>http://secunia.com/advisories/43429/</url>
</references>
<dates>
<discovery>2011-02-21</discovery>
<entry>2011-02-22</entry>
</dates>
</vuln>
<vuln vid="ae0e5835-3cad-11e0-b654-00215c6a37bb">
<topic>PivotX -- administrator password reset vulnerability</topic>
<affects>
<package>
<name>pivotx</name>
<range><lt>2.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/175068">
<p>PivotX contains a vulnerability that allows an
attacker to change the password of any account
just by guessing the username. Version 2.2.4 has
been reported to not be affected.
This vulnerability is being exploited in the wild
and users should immediately upgrade to 2.2.5 or
later. Mitigation steps for users that have been
compromised have been posted to the <a href="http://forum.pivotx.net/viewtopic.php?f=2&amp;t=1967">PivotX
Support Community</a>.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1035</cvename>
</references>
<dates>
<discovery>2011-02-18</discovery>
<entry>2011-02-20</entry>
</dates>
</vuln>
<vuln vid="553ec4ed-38d6-11e0-94b1-000c29ba66d2">
<topic>tomcat -- Cross-site scripting vulnerability</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>5.5.0</gt><lt>5.5.32</lt></range>
</package>
<package>
<name>tomcat</name>
<range><gt>6.0.0</gt><lt>6.0.30</lt></range>
</package>
<package>
<name>tomcat</name>
<range><gt>7.0.0</gt><lt>7.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tomcat security team reports:</p>
<blockquote cite="http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32">
<p>The HTML Manager interface displayed web application
provided data, such as display names, without filtering.
A malicious web application could trigger script execution
by an administrative user when viewing the manager pages.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0013</cvename>
<url>http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32</url>
<url>http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30</url>
<url>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6</url>
</references>
<dates>
<discovery>2010-11-12</discovery>
<entry>2011-02-15</entry>
<modified>2011-09-30</modified>
</dates>
</vuln>
<vuln vid="cd68ff50-362b-11e0-ad36-00215c6a37bb">
<topic>phpMyAdmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.3.9.2</lt></range>
</package>
<package>
<name>phpMyAdmin211</name>
<range><lt>2.11.11.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php">
<p>It was possible to create a bookmark which would be executed
unintentionally by other users.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php">
<p>When the files README, ChangeLog or LICENSE have been removed
from their original place (possibly by the distributor), the
scripts used to display these files can show their full path,
leading to possible further attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-02-11</entry>
</dates>
</vuln>
<vuln vid="4a3482da-3624-11e0-b995-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><le>9.0r289</le></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.2r152</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-02.html">
<p>Critical vulnerabilities have been identified in
Adobe Flash Player 10.1.102.64 and earlier versions for
Windows, Macintosh, Linux, and Solaris. These vulnerabilities
could cause the application to crash and could potentially
allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0558</cvename>
<cvename>CVE-2011-0559</cvename>
<cvename>CVE-2011-0560</cvename>
<cvename>CVE-2011-0561</cvename>
<cvename>CVE-2011-0571</cvename>
<cvename>CVE-2011-0572</cvename>
<cvename>CVE-2011-0573</cvename>
<cvename>CVE-2011-0574</cvename>
<cvename>CVE-2011-0575</cvename>
<cvename>CVE-2011-0577</cvename>
<cvename>CVE-2011-0578</cvename>
<cvename>CVE-2011-0607</cvename>
<cvename>CVE-2011-0608</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-02.html</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-02-11</entry>
</dates>
</vuln>
<vuln vid="53bde960-356b-11e0-8e81-0022190034c0">
<topic>mupdf -- Remote System Access</topic>
<affects>
<package>
<name>mupdf</name>
<range><lt>0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/43020/">
<p>The vulnerability is caused due to an error within the
"closedctd()" function in fitz/filt_dctd.c when processing PDF
files containing certain malformed JPEG images. This can be
exploited to cause a stack corruption by e.g. tricking a user
into opening a specially crafted PDF file.</p>
</blockquote>
</body>
</description>
<references>
<bid>46027</bid>
<url>http://secunia.com/advisories/43020/</url>
</references>
<dates>
<discovery>2011-01-26</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="1cae628c-3569-11e0-8e81-0022190034c0">
<topic>rubygem-mail -- Remote Arbitrary Shell Command Injection Vulnerability</topic>
<affects>
<package>
<name>rubygem-mail</name>
<range><lt>2.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/43077/">
<p>Input passed via an email from address is not properly sanitised
in the "deliver()" function (lib/mail/network/delivery_methods/sendmail.rb)
before being used as a command line argument. This can be exploited
to inject arbitrary shell commands.</p>
</blockquote>
</body>
</description>
<references>
<bid>46021</bid>
<cvename>CVE-2011-0739</cvename>
<url>http://secunia.com/advisories/43077/</url>
<url>http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1</url>
</references>
<dates>
<discovery>2011-01-25</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="7c492ea2-3566-11e0-8e81-0022190034c0">
<topic>plone -- Remote Security Bypass</topic>
<affects>
<package>
<name>plone</name>
<range><ge>2.5</ge><lt>3</lt></range>
</package>
<package>
<name>plone3</name>
<range><ge>3</ge><le>3.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Plone developer reports:</p>
<blockquote cite="http://plone.org/products/plone/security/advisories/cve-2011-0720">
<p>This is an escalation of privileges attack that can be used by
anonymous users to gain access to a Plone site's administration
controls, view unpublished content, create new content and modify a
site's skin. The sandbox protecting access to the underlying
system is still in place, and it does not grant access to other
applications running on the same Zope instance.</p>
</blockquote>
</body>
</description>
<references>
<bid>46102</bid>
<cvename>CVE-2011-0720</cvename>
<url>http://plone.org/products/plone/security/advisories/cve-2011-0720</url>
</references>
<dates>
<discovery>2011-02-02</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="44ccfab0-3564-11e0-8e81-0022190034c0">
<topic>exim -- local privilege escalation</topic>
<affects>
<package>
<name>exim</name>
<name>exim-ldap</name>
<name>exim-ldap2</name>
<name>exim-mysql</name>
<name>exim-postgresql</name>
<name>exim-sa-exim</name>
<range><lt>4.74</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>exim.org reports:</p>
<blockquote cite="ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74">
<p>CVE-2011-0017 - check return value of setuid/setgid. This is a
privilege escalation vulnerability whereby the Exim run-time user
can cause root to append content of the attacker's choosing to
arbitrary files.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0017</cvename>
<url>ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74</url>
</references>
<dates>
<discovery>2011-01-31</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="f2b43905-3545-11e0-8e81-0022190034c0">
<topic>openoffice.org -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>openoffice.org</name>
<range><lt>3.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenOffice.org Security Team reports:</p>
<blockquote cite="http://www.openoffice.org/security/bulletin.html">
<p>Fixed in OpenOffice.org 3.3</p>
<ul>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-2935_CVE-2010-2936.html">
CVE-2010-2935 / CVE-2010-2936</a>: Security Vulnerability in OpenOffice.org related to PowerPoint document processing</li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-3450.html">
CVE-2010-3450</a>: Security Vulnerability in OpenOffice.org related to Extensions and filter package files</li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-3451_CVE-2010-3452.html">
CVE-2010-3451 / CVE-2010-3452</a>: Security Vulnerability in OpenOffice.org related to RTF document processing </li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-3453_CVE-2010-3454.html">
CVE-2010-3453 / CVE-2010-3454</a>: Security Vulnerability in OpenOffice.org related to Word document processing </li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-3689.html">
CVE-2010-3689</a>: Insecure LD_LIBRARY_PATH usage in OpenOffice.org shell scripts </li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-3702_CVE-2010-3704.html">
CVE-2010-3702 / CVE-2010-3704</a>: Security Vulnerability in OpenOffice.org's PDF Import extension resulting from 3rd party library XPDF</li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-4008_CVE-2010-4494.html">
CVE-2010-4008 / CVE-2010-4494</a>: Possible Security Vulnerability in OpenOffice.org resulting from 3rd party library LIBXML2 </li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-4253.html">
CVE-2010-4253</a>: Security Vulnerability in OpenOffice.org related to PNG file processing </li>
<li><a href="http://www.openoffice.org/security/cves/CVE-2010-4643.html">
CVE-2010-4643</a>: Security Vulnerability in OpenOffice.org related to TGA file processing </li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.openoffice.org/security/bulletin.html</url>
<url>http://secunia.com/advisories/40775/</url>
</references>
<dates>
<discovery>2010-08-04</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="35ecdcbe-3501-11e0-afcd-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://permalink.gmane.org/gmane.os.opendarwin.webkit.gtk/405">
<p>This release has essentially security fixes. Refer to the
WebKit/gtk/NEWS file inside the tarball for details. We would like
to thank the Red Hat security team (Huzaifa Sidhpurwala in
particular) and Michael Gilbert from Debian for their help in
checking (and pushing!) security issues affecting the WebKitGTK+
stable branch for this release.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2901</cvename>
<cvename>CVE-2010-4040</cvename>
<cvename>CVE-2010-4042</cvename>
<cvename>CVE-2010-4199</cvename>
<cvename>CVE-2010-4492</cvename>
<cvename>CVE-2010-4493</cvename>
<cvename>CVE-2010-4578</cvename>
<cvename>CVE-2011-0482</cvename>
<cvename>CVE-2011-0778</cvename>
<url>https://bugs.webkit.org/show_bug.cgi?id=48328</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=50710</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=50840</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=50932</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=51993</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=53265</url>
<url>https://bugs.webkit.org/show_bug.cgi?id=53276</url>
<url>http://permalink.gmane.org/gmane.os.opendarwin.webkit.gtk/405</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="ce6ce2f8-34ac-11e0-8103-00215c6a37bb">
<topic>awstats -- arbitrary commands execution vulnerability</topic>
<affects>
<package>
<name>awstats</name>
<range><lt>7.0,1</lt></range>
</package>
<package>
<name>awstats-devel</name>
<range><gt>0</gt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Awstats change log reports:</p>
<blockquote cite="http://awstats.sourceforge.net/docs/awstats_changelog.txt">
<ul>
<li>Security fix (Traverse directory of LoadPlugin)</li>
<li>Security fix (Limit config to defined directory
to avoid access to external config file via a nfs
or webdav link).</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4367</cvename>
<url>http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-001.html</url>
<url>http://awstats.sourceforge.net/docs/awstats_changelog.txt</url>
</references>
<dates>
<discovery>2010-05-01</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="2eda0c54-34ab-11e0-8103-00215c6a37bb">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<name>opera-devel</name>
<name>linux-opera</name>
<range><lt>11.01</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1101/">
<p>Opera 11.01 is a recommended upgrade offering security and
stability enhancements.</p>
<p>The following security vulnerabilities have been fixed:</p>
<ul>
<li>Removed support for "<code>javascript:</code>" URLs in
CSS -o-link values, to make it easier for sites to filter
untrusted CSS.</li>
<li>Fixed an issue where large form inputs could allow
execution of arbitrary code, as reported by Jordi Chancel;
see our <a href="http://www.opera.com/support/kb/view/982/">advisory</a>.</li>
<li>Fixed an issue which made it possible to carry out
clickjacking attacks against internal opera: URLs;
see our <a href="http://www.opera.com/support/kb/view/983/">advisory</a>.</li>
<li>Fixed issues which allowed web pages to gain limited
access to files on the user's computer; see our
<a href="http://www.opera.com/support/kb/view/984/">advisory</a>.</li>
<li>Fixed an issue where email passwords were not immediately
deleted when deleting private data; see our
<a href="http://www.opera.com/support/kb/view/986/">advisory</a>.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0450</cvename>
<cvename>CVE-2011-0681</cvename>
<cvename>CVE-2011-0682</cvename>
<cvename>CVE-2011-0683</cvename>
<cvename>CVE-2011-0684</cvename>
<cvename>CVE-2011-0685</cvename>
<cvename>CVE-2011-0686</cvename>
<cvename>CVE-2011-0687</cvename>
<url>http://www.opera.com/support/kb/view/982/</url>
<url>http://www.opera.com/support/kb/view/983/</url>
<url>http://www.opera.com/support/kb/view/984/</url>
<url>http://secunia.com/advisories/43023</url>
</references>
<dates>
<discovery>2011-01-26</discovery>
<entry>2011-02-10</entry>
</dates>
</vuln>
<vuln vid="bd760627-3493-11e0-8103-00215c6a37bb">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py27-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><gt>1.2</gt><lt>1.2.5</lt></range>
<range><gt>1.1</gt><lt>1.1.4</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py27-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>15470,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Django project reports:</p>
<blockquote cite="http://www.djangoproject.com/weblog/2011/feb/08/security/">
<p>Today the Django team is issuing multiple releases --
Django 1.2.5 and Django 1.1.4 -- to remedy three security
issues reported to us. All users of affected versions of
Django are urged to upgrade immediately.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.djangoproject.com/weblog/2011/feb/08/security/</url>
</references>
<dates>
<discovery>2011-02-08</discovery>
<entry>2011-02-09</entry>
</dates>
</vuln>
<vuln vid="8d04cfbd-344d-11e0-8669-0025222482c5">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><lt>1.16.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MediaWiki reports:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-February/000095.html">
<p>An arbitrary script inclusion vulnerability was discovered. The
vulnerability only allows execution of files with names ending in
".php" which are already present in the local filesystem. Only servers
running Microsoft Windows and possibly Novell Netware are affected.
Despite these mitigating factors, all users are advised to upgrade,
since there is a risk of complete server compromise. MediaWiki 1.8.0
and later is affected.</p>
<p>Security researcher mghack discovered a CSS injection
vulnerability. For Internet Explorer and similar browsers, this is
equivalent to an XSS vulnerability, that is to say, it allows the
compromise of wiki user accounts. For other browsers, it allows private
data such as IP addresses and browsing patterns to be sent to a malicious
external web server. It affects all versions of MediaWiki. All users are
advised to upgrade.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0047</cvename>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=27094</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=27093</url>
<url>http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/RELEASE-NOTES</url>
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-February/000095.html</url>
</references>
<dates>
<discovery>2011-02-01</discovery>
<entry>2011-02-09</entry>
</dates>
</vuln>
<vuln vid="8c93e997-30e0-11e0-b300-485d605f4717">
<topic>wordpress -- SQL injection vulnerability</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.0.2,1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<name>zh-wordpress-zh_CN</name>
<name>zh-wordpress-zh_TW</name>
<range><lt>3.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Vendor reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4257">
<p>SQL injection vulnerability in the do_trackbacks function in
wp-includes/comment.php in WordPress before 3.0.2 allows remote
authenticated users to execute arbitrary SQL commands via the Send
Trackbacks field.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4257</cvename>
<url>http://www.cvedetails.com/cve/CVE-2010-4257/</url>
</references>
<dates>
<discovery>2010-11-16</discovery>
<entry>2011-02-05</entry>
<modified>2011-02-09</modified>
</dates>
</vuln>
<vuln vid="f9258873-2ee2-11e0-afcd-0015f2db7bde">
<topic>vlc -- Insufficient input validation in MKV demuxer</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>1.1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>VLC team reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1102.html">
<p>When parsing an invalid MKV (Matroska or WebM) file, input
validation is insufficient.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.videolan.org/security/sa1102.html</url>
</references>
<dates>
<discovery>2011-01-26</discovery>
<entry>2011-02-02</entry>
</dates>
</vuln>
<vuln vid="8015600f-2c80-11e0-9cc1-00163e5bf4f9">
<topic>maradns -- denial of service when resolving a long DNS hostname</topic>
<affects>
<package>
<name>maradns</name>
<range><lt>1.4.06</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MaraDNS developer Sam Trenholme reports:</p>
<blockquote cite="http://samiam.org/blog/20110129.html">
<p>... a mistake in allocating an array of integers, allocating it
in bytes instead of sizeof(int) units. This resulted in a buffer
being too small, allowing it to be overwritten. The impact of this
programming error is that MaraDNS can be crashed by sending
MaraDNS a single "packet of death". Since the data placed in the
overwritten array can not be remotely controlled (it is a list of
increasing integers), there is no way to increase privileges
exploiting this bug.</p>
</blockquote>
</body>
</description>
<references>
<bid>45966</bid>
<cvename>CVE-2011-0520</cvename>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610834</url>
</references>
<dates>
<discovery>2011-01-23</discovery>
<entry>2011-01-31</entry>
</dates>
</vuln>
<vuln vid="dc9f8335-2b3b-11e0-a91b-00e0815b8da8">
<topic>isc-dhcp-server -- DHCPv6 crash</topic>
<affects>
<package>
<name>isc-dhcp41-server</name>
<range><le>4.1.2,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/dhcp/advisories/cve-2011-0413">
<p>When the DHCPv6 server code processes a message for an address
that was previously declined and internally tagged as abandoned
it can trigger an assert failure resulting in the server crashing.
This could be used to crash DHCPv6 servers remotely. This issue
only affects DHCPv6 servers. DHCPv4 servers are unaffected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0413</cvename>
<url>http://www.isc.org/software/dhcp/advisories/cve-2011-0413</url>
<url>http://www.kb.cert.org/vuls/id/686084</url>
</references>
<dates>
<discovery>2011-01-26</discovery>
<entry>2011-01-28</entry>
</dates>
</vuln>
<vuln vid="c8c927e5-2891-11e0-8f26-00151735203a">
<topic>bugzilla -- multiple serious vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>2.14.*</ge><lt>3.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.2.9/">
<p>This advisory covers three security issues that have recently been
fixed in the Bugzilla code:</p>
<ul>
<li>A weakness in Bugzilla could allow a user to gain unauthorized
access to another Bugzilla account.</li>
<li>A weakness in the Perl CGI.pm module allows injecting HTTP
headers and content to users via several pages in Bugzilla.</li>
<li>If you put a harmful "javascript:" or "data:" URL into
Bugzilla's "URL" field, then there are multiple situations in
which Bugzilla will unintentionally make that link clickable.</li>
<li>Various pages lack protection against cross-site request
forgeries.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<bid>25425</bid>
<cvename>CVE-2010-4568</cvename>
<cvename>CVE-2010-2761</cvename>
<cvename>CVE-2010-4411</cvename>
<cvename>CVE-2010-4572</cvename>
<cvename>CVE-2010-4567</cvename>
<cvename>CVE-2010-0048</cvename>
<cvename>CVE-2011-0046</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621591</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=619594</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=591165</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621572</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=619588</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=628034</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621090</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621105</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621107</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621108</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621109</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=621110</url>
</references>
<dates>
<discovery>2011-01-24</discovery>
<entry>2011-01-25</entry>
</dates>
</vuln>
<vuln vid="7580f00e-280c-11e0-b7c8-00215c6a37bb">
<topic>dokuwiki -- multiple privilege escalation vulnerabilities</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20101107a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dokuwiki reports:</p>
<blockquote cite="http://bugs.dokuwiki.org/index.php?do=details&amp;task_id=2136">
<p>This security update fixes problems in the XMLRPC
interface where ACLs were not checked correctly
sometimes, making it possible to access and write
information that should not have been accessible/writable.
This only affects users who have enabled the XMLRPC
interface (default is off) and have enabled XMLRPC
access for users who can't access/write all content
anyway (default is nobody, see <a href="http://www.dokuwiki.org/config:xmlrpcuser">http://www.dokuwiki.org/config:xmlrpcuser</a>
for details).</p>
<p>This update also includes a fix for a problem in
the general ACL checking function that could be exploited
to gain access to restricted pages and media files in rare
conditions (when you had rights for an id you could get
the same rights on ids where one character has been
replaced by a ".").</p>
</blockquote>
</body>
</description>
<references>
<url>http://bugs.dokuwiki.org/index.php?do=details&amp;task_id=2136</url>
</references>
<dates>
<discovery>2011-01-16</discovery>
<entry>2011-01-24</entry>
</dates>
</vuln>
<vuln vid="5ab9fb2a-23a5-11e0-a835-0003ba02bf30">
<topic>asterisk -- Exploitable Stack Buffer Overflow</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.39.1</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.16.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk Development Team reports:</p>
<blockquote cite="http://lists.digium.com/pipermail/asterisk-announce/2011-January/000297.html">
<p>The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1,
1.6.2.16.2, 1.8.1.2, and 1.8.2.1 resolve an issue when forming an
outgoing SIP request while in pedantic mode, which can cause a stack
buffer to be made to overflow if supplied with carefully crafted
caller ID information. The issue and resolution are described in the
AST-2011-001 security advisory.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2011-001.pdf</url>
</references>
<dates>
<discovery>2011-01-18</discovery>
<entry>2011-01-19</entry>
</dates>
</vuln>
<vuln vid="2c2d4e83-2370-11e0-a91b-00e0815b8da8">
<topic>tarsnap -- cryptographic nonce reuse</topic>
<affects>
<package>
<name>tarsnap</name>
<range><ge>1.0.22</ge><le>1.0.27</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Colin Percival reports:</p>
<blockquote cite="http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html">
<p>In versions 1.0.22 through 1.0.27 of Tarsnap, the CTR nonce value
is not incremented after each chunk is encrypted. (The CTR counter
is correctly incremented after each 16 bytes of data was processed,
but this counter is reset to zero for each new chunk.)</p>
<p>Note that since the Tarsnap client-server protocol is encrypted,
being able to intercept Tarsnap client-server traffic does not
provide an attacker with access to the data.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html</url>
</references>
<dates>
<discovery>2011-01-18</discovery>
<entry>2011-01-19</entry>
</dates>
</vuln>
<vuln vid="4c017345-1d89-11e0-bbee-0014a5e3cda6">
<topic>MoinMoin -- cross-site scripting vulnerabilities</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MoinMoin developers report:</p>
<blockquote cite="http://hg.moinmo.in/moin/1.9/raw-file/1.9.3/docs/CHANGES">
<p>Fix XSS in Despam action (CVE-2010-0828)</p>
</blockquote>
<blockquote cite="http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg">
<p>Fix XSS issues</p>
<ul>
<li>by escaping template name in messages</li>
<li>by fixing other places that had similar issues</li>
</ul>
</blockquote>
</body>
</description>
<references>
<bid>39110</bid>
<cvename>CVE-2010-0828</cvename>
<url>http://hg.moinmo.in/moin/1.9/raw-file/1.9.3/docs/CHANGES</url>
<url>http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg</url>
</references>
<dates>
<discovery>2010-04-05</discovery>
<entry>2011-01-11</entry>
</dates>
</vuln>
<vuln vid="38bdf10e-2293-11e0-bfa4-001676740879">
<topic>tor -- remote code execution and crash</topic>
<affects>
<package>
<name>tor</name>
<range><lt>0.2.1.29</lt></range>
</package>
<package>
<name>tor-devel</name>
<range><lt>0.2.2.21.a</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tor Project reports:</p>
<blockquote cite="http://archives.seul.org/or/announce/Jan-2011/msg00000.html">
<p>A remote heap overflow vulnerability that can allow remote
code execution. Other fixes address a variety of assert and crash
bugs, most of which we think are hard to exploit remotely.
All Tor users should upgrade.</p>
</blockquote>
</body>
</description>
<references>
<bid>45832</bid>
<cvename>CVE-2011-0427</cvename>
<freebsdpr>ports/154099</freebsdpr>
<mlist msgid="20110117155813.GG3300@moria.seul.org">http://archives.seul.org/or/announce/Jan-2011/msg00000.html</mlist>
<url>https://gitweb.torproject.org/tor.git/blob/release-0.2.1:/ChangeLog</url>
<url>https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ChangeLog</url>
</references>
<dates>
<discovery>2011-01-15</discovery>
<entry>2011-01-17</entry>
</dates>
</vuln>
<vuln vid="908f4cf2-1e8b-11e0-a587-001b77d09812">
<topic>sudo -- local privilege escalation</topic>
<affects>
<package>
<name>sudo</name>
<range><ge>1.7.0</ge><lt>1.7.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.sudo.ws/sudo/alerts/runas_group_pw.html">
<p>Beginning with sudo version 1.7.0 it has been possible
to grant permission to run a command using a specified
group via sudo's -g option (run as group), if allowed by
the sudoers file. A flaw exists in sudo's password
checking logic that allows a user to run a command
with only the group changed without being prompted
for a password.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0010</cvename>
<url>http://www.sudo.ws/sudo/alerts/runas_group_pw.html</url>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641</url>
</references>
<dates>
<discovery>2011-01-11</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="71612099-1e93-11e0-a587-001b77d09812">
<topic>subversion -- multiple DoS</topic>
<affects>
<package>
<name>subversion</name>
<range><lt>1.6.15</lt></range>
</package>
<package>
<name>subversion-freebsd</name>
<range><lt>1.6.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Entry for CVE-2010-4539 says:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4539">
<p>The walk function in repos.c in the mod_dav_svn module
for the Apache HTTP Server, as distributed in Apache
Subversion before 1.6.15, allows remote authenticated
users to cause a denial of service (NULL pointer
dereference and daemon crash) via vectors that trigger
the walking of SVNParentPath collections.</p>
</blockquote>
<p>Entry for CVE-2010-4644 says:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4644">
<p>Multiple memory leaks in rev_hunt.c in Apache Subversion
before 1.6.15 allow remote authenticated users to cause
a denial of service (memory consumption and daemon crash)
via the -g option to the blame command.</p>
</blockquote>
</body>
</description>
<references>
<bid>45655</bid>
<cvename>CVE-2010-4539</cvename>
<cvename>CVE-2010-4644</cvename>
</references>
<dates>
<discovery>2011-01-02</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="2b6ed5c7-1a7f-11e0-b61d-000c29d1636d">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.5</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP developers report:</p>
<blockquote cite="http://www.php.net/releases/5_3_5.php">
<p>Security Enhancements and Fixes in PHP 5.3.5:</p>
<ul>
<li>Fixed bug #53632 (PHP hangs on numeric value
2.2250738585072011e-308). (CVE-2010-4645)</li>
</ul>
</blockquote>
<blockquote cite="http://www.php.net/releases/5_2_17.php">
<p>Security Enhancements and Fixes in PHP 5.2.17:</p>
<ul>
<li>Fixed bug #53632 (PHP hangs on numeric value
2.2250738585072011e-308). (CVE-2010-4645)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4645</cvename>
</references>
<dates>
<discovery>2011-01-06</discovery>
<entry>2011-01-09</entry>
<modified>2011-01-09</modified>
</dates>
</vuln>
<vuln vid="e4fcf020-0447-11e0-becc-0022156e8794">
<topic>exim -- local privilege escalation</topic>
<affects>
<package>
<name>exim</name>
<range><lt>4.73</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Woodhouse reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3">
<p>Secondly a privilege escalation where the trusted 'exim'
user is able to tell Exim to use arbitrary config files,
in which further ${run ...} commands will be invoked as
root.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4345</cvename>
<url>http://www.exim.org/lurker/message/20101209.022730.dbb6732d.en.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3</url>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-08</entry>
</dates>
</vuln>
<vuln vid="e177c410-1943-11e0-9d1c-000c29ba66d2">
<topic>mediawiki -- Clickjacking vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><gt>1.16</gt><lt>1.16.1</lt></range>
<range><gt>1.15</gt><lt>1.15.5_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Clickjacking vulnerabilities:</p>
<blockquote cite="https://bugzilla.wikimedia.org/show_bug.cgi?id=26561">
<p>Clickjacking is a type of vulnerability discovered in 2008, which
is similar to CSRF. The attack involves displaying the target webpage
in an iframe embedded in a malicious website. Using CSS, the submit button
of the form on the target webpage is made invisible, and then overlaid
with some button or link on the malicious website that encourages
the user to click on it.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=26561</url>
</references>
<dates>
<discovery>2011-01-04</discovery>
<entry>2011-01-06</entry>
</dates>
</vuln>
<vuln vid="06a12e26-142e-11e0-bea2-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS">
<p>The patches to fix the following CVEs are included with help
from Huzaifa Sidhpurwala from the Red Hat security team.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1791</cvename>
<cvename>CVE-2010-3812</cvename>
<cvename>CVE-2010-3813</cvename>
<cvename>CVE-2010-4197</cvename>
<cvename>CVE-2010-4198</cvename>
<cvename>CVE-2010-4204</cvename>
<cvename>CVE-2010-4206</cvename>
<cvename>CVE-2010-4577</cvename>
<url>http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS</url>
</references>
<dates>
<discovery>2010-12-28</discovery>
<entry>2010-12-30</entry>
</dates>
</vuln>
<vuln vid="14a37474-1383-11e0-8a58-00215c6a37bb">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py27-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><gt>1.2</gt><lt>1.2.4</lt></range>
<range><gt>1.1</gt><lt>1.1.3</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py27-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>15032,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="http://www.djangoproject.com/weblog/2010/dec/22/security/">
<p>Today the Django team is issuing multiple releases
-- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 --
to remedy two security issues reported to us. All users
of affected versions of Django are urged to upgrade
immediately.</p>
<h3>Information leakage in Django administrative interface</h3>
<p>The Django administrative interface, django.contrib.admin
supports filtering of displayed lists of objects by fields
on the corresponding models, including across database-level
relationships. This is implemented by passing lookup arguments
in the querystring portion of the URL, and options on the
ModelAdmin class allow developers to specify particular
fields or relationships which will generate automatic links
for filtering.</p>
<h3>Denial-of-service attack in password-reset mechanism</h3>
<p>Django's bundled authentication framework,
django.contrib.auth, offers views which allow users to
reset a forgotten password. The reset mechanism involves
generating a one-time token composed from the user's ID,
the timestamp of the reset request converted to a base36
integer, and a hash derived from the user's current password
hash (which will change once the reset is complete, thus
invalidating the token).</p>
</blockquote>
</body>
</description>
<references>
<bid>45562</bid>
<bid>45563</bid>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=665373</url>
<url>http://secunia.com/advisories/42715/</url>
</references>
<dates>
<discovery>2010-12-22</discovery>
<entry>2010-12-29</entry>
</dates>
</vuln>
<vuln vid="ff8b419a-0ffa-11e0-becc-0022156e8794">
<topic>Drupal Views plugin -- cross-site scripting</topic>
<affects>
<package>
<name>drupal6-views</name>
<range><lt>2.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Drupal security team reports:</p>
<blockquote cite="http://drupal.org/node/999380">
<p>The Views module provides a flexible method for Drupal site
designers to control how lists and tables of content are
presented. Under certain circumstances, Views could display
parts of the page path without escaping, resulting in a
reflected Cross Site Scripting (XSS) vulnerability. An attacker
could exploit this to gain full administrative access.</p>
<p>Mitigating factors: This vulnerability only occurs with a
specific combination of configuration options for a specific
View, but this combination is used in the default Views
provided by some additional modules. A malicious user would
need to get an authenticated administrative user to visit a
specially crafted URL.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4521</cvename>
<url>http://drupal.org/node/999380</url>
</references>
<dates>
<discovery>2010-12-15</discovery>
<entry>2010-12-28</entry>
</dates>
</vuln>
<vuln vid="584c506d-0e98-11e0-b59b-0050569b2d21">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>1.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jean-Philippe Lang reports:</p>
<blockquote cite="http://www.redmine.org/news/49">
<p>This release also fixes 3 security issues reported by
joernchen of Phenoelit:</p>
<ul>
<li>logged in users may be able to access private data
(affected versions: 1.0.x)</li>
<li>persistent XSS vulnerability in textile formatter
(affected versions: all previous releases)</li>
<li>remote command execution in bazaar repository adapter
(affected versions: 0.9.x, 1.0.x)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/news/49</url>
</references>
<dates>
<discovery>2010-12-23</discovery>
<entry>2010-12-23</entry>
</dates>
</vuln>
<vuln vid="4bd33bc5-0cd6-11e0-bfa4-001676740879">
<topic>tor -- remote crash and potential remote code execution</topic>
<affects>
<package>
<name>tor</name>
<range><lt>0.2.1.28</lt></range>
</package>
<package>
<name>tor-devel</name>
<range><lt>0.2.2.20-alpha</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tor Project reports:</p>
<blockquote cite="http://archives.seul.org/or/announce/Dec-2010/msg00000.html">
<p>Remotely exploitable bug that could be used to crash instances
of Tor remotely by overflowing on the heap. Remote-code execution
hasn't been confirmed, but can't be ruled out. Everyone should
upgrade.</p>
</blockquote>
</body>
</description>
<references>
<bid>45500</bid>
<cvename>CVE-2010-1676</cvename>
<freebsdpr>ports/153326</freebsdpr>
<mlist msgid="20101220135830.GU3300@moria.seul.org">http://archives.seul.org/or/announce/Dec-2010/msg00000.html</mlist>
<mlist msgid="20101220141526.GS3255@moria.seul.org">http://archives.seul.org/or/talk/Dec-2010/msg00167.html</mlist>
<url>https://gitweb.torproject.org/tor.git/blob/release-0.2.1:/ChangeLog</url>
<url>https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ChangeLog</url>
</references>
<dates>
<discovery>2010-12-17</discovery>
<entry>2010-12-22</entry>
</dates>
</vuln>
<vuln vid="d560b346-08a2-11e0-bcca-0050568452ac">
<topic>YUI JavaScript library -- JavaScript injection exploits in Flash components</topic>
<affects>
<package>
<name>yahoo-ui</name>
<range><lt>2.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The YUI team reports:</p>
<blockquote cite="http://yuilibrary.com/support/2.8.2/">
<p>A security-related defect was introduced in the YUI 2 Flash
component infrastructure beginning with the YUI 2.4.0 release.
This defect allows JavaScript injection exploits to be created
against domains that host affected YUI .swf files.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4207</cvename>
<cvename>CVE-2010-4208</cvename>
<cvename>CVE-2010-4209</cvename>
<url>http://www.yuiblog.com/blog/2010/10/25/yui-2-8-2-security-update/</url>
<url>http://secunia.com/advisories/41955</url>
<url>http://www.openwall.com/lists/oss-security/2010/11/07/1</url>
<url>http://yuilibrary.com/support/2.8.2/</url>
</references>
<dates>
<discovery>2010-10-25</discovery>
<entry>2010-12-15</entry>
</dates>
</vuln>
<vuln vid="2a41233d-10e7-11e0-becc-0022156e8794">
<topic>php-zip -- multiple Denial of Service vulnerabilities</topic>
<affects>
<package>
<name>php5-zip</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52-zip</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The following DoS conditions in the Zip extension
were fixed in PHP 5.3.4 and PHP 5.2.15:</p>
<ul>
<li>
<blockquote cite="http://www.php.net/releases/5_3_4.php">
<p>Fixed crash in zip extract method (possible
CWE-170).</p>
</blockquote>
</li>
<li>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3709">
<p>The ZipArchive::getArchiveComment function
in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3
allows context-dependent attackers to cause a denial
of service (NULL pointer dereference and application
crash) via a crafted ZIP archive.</p>
</blockquote>
</li>
</ul>
</body>
</description>
<references>
<cvename>CVE-2010-3709</cvename>
<url>http://www.php.net/releases/5_3_4.php</url>
<url>http://www.php.net/releases/5_2_15.php</url>
<url>http://securityreason.com/achievement_securityalert/90</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="c623f058-10e7-11e0-becc-0022156e8794">
<topic>php-filter -- Denial of Service</topic>
<affects>
<package>
<name>php5-filter</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52-filter</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The following DoS condition in the filter extension
was fixed in PHP 5.3.4 and PHP 5.2.15:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3710">
<p>Stack consumption vulnerability in the filter_var
function in PHP 5.2.x through 5.2.14 and 5.3.x through
5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows
remote attackers to cause a denial of service (memory
consumption and application crash) via a long e-mail
address string.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3710</cvename>
<url>http://www.php.net/releases/5_3_4.php</url>
<url>http://www.php.net/releases/5_2_15.php</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="1a0704e7-0edf-11e0-becc-0022156e8794">
<topic>php-imap -- Denial of Service</topic>
<affects>
<package>
<name>php5-imap</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52-imap</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The following DoS condition in the IMAP extension
was fixed in PHP 5.3.4 and PHP 5.2.15:</p>
<blockquote cite="http://securitytracker.com/alerts/2010/Nov/1024761.html">
<p>A remote user can send specially crafted IMAP user name
or password data to trigger a double free memory error
in 'ext/imap/php_imap.c' and cause the target service
to crash.</p>
<p>It may be possible to execute arbitrary code.
However, code execution was not confirmed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4150</cvename>
<url>http://www.php.net/releases/5_3_4.php</url>
<url>http://www.php.net/releases/5_2_15.php</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="da3d381b-0ee6-11e0-becc-0022156e8794">
<topic>pecl-phar -- format string vulnerability</topic>
<affects>
<package>
<name>pecl-phar</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Entry for CVE-2010-2094 says:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2094">
<p>Multiple format string vulnerabilities in the phar
extension in PHP 5.3 before 5.3.2 allow context-dependent
attackers to obtain sensitive information (memory
contents) and possibly execute arbitrary code via a
crafted phar:// URI that is not properly handled by the
(1) phar_stream_flush, (2) phar_wrapper_unlink,
(3) phar_parse_url, or (4) phar_wrapper_open_url functions
in ext/phar/stream.c; and the (5) phar_wrapper_open_dir
function in ext/phar/dirstream.c, which triggers errors
in the php_stream_wrapper_log_error function.</p>
</blockquote>
<p>The PECL source code for the PHAR extension shares the same code,
so it is vulnerable too.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2094</cvename>
<url>http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html</url>
<url>http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.htm</url>
<url>http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.htm</url>
<url>http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.htm</url>
<url>http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html</url>
</references>
<dates>
<discovery>2010-12-13</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="3761df02-0f9c-11e0-becc-0022156e8794">
<topic>php -- NULL byte poisoning</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52</name>
<range><ge>0</ge></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A PHP-specific version of NULL-byte poisoning was briefly
described by ShAnKaR:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded">
<p>Poison NULL byte vulnerability for perl CGI applications
was described in
<a href="http://artofhacking.com/files/phrack/phrack55/P55-07.TXT">[1]</a>.
ShAnKaR noted that the same vulnerability also affects
different PHP applications.</p>
</blockquote>
<p>PHP developers report that branch 5.3 received a fix:</p>
<blockquote cite="http://www.php.net/releases/5_3_4.php">
<p>Paths with NULL in them (foo\0bar.txt) are now considered
as invalid (CVE-2006-7243).</p>
</blockquote>
<blockquote cite="http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/171583">
<p>The php52 backports maintainer reports that this issue is unlikely
to be fixed in 5.2 due to design roadblocks. Users are strongly
encouraged to upgrade as soon as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2006-7243</cvename>
<url>http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded</url>
<url>http://artofhacking.com/files/phrack/phrack55/P55-07.TXT</url>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-13</entry>
<modified>2012-09-19</modified>
</dates>
</vuln>
<vuln vid="73634294-0fa7-11e0-becc-0022156e8794">
<topic>php -- open_basedir bypass</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3436">
<p>fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow
remote attackers to bypass open_basedir restrictions via
vectors related to the length of a filename.</p>
</blockquote>
</body>
</description>
<references>
<bid>44723</bid>
<cvename>CVE-2010-3436</cvename>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="f3148a05-0fa7-11e0-becc-0022156e8794">
<topic>php -- corruption of $GLOBALS and $this variables via extract() method</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.3.4</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An off-by-one error in the sanity validator for the extract()
method allowed attackers to replace the values of $GLOBALS
and $this when mode EXTR_OVERWRITE was used.</p>
</body>
</description>
<references>
<url>http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html</url>
<url>http://www.php.net/releases/5_2_15.php</url>
</references>
<dates>
<discovery>2010-12-10</discovery>
<entry>2011-01-13</entry>
</dates>
</vuln>
<vuln vid="b2a6fc0e-070f-11e0-a6e9-00215c6a37bb">
<cancelled/>
</vuln>
<vuln vid="1d8ff4a2-0445-11e0-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.13,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.16,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.13</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.13,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.16</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.11</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>3.1</ge><lt>3.1.7</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.11</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.11</lt></range>
<range><ge>3.1</ge><lt>3.1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)</p>
<p>MFSA 2010-75 Buffer overflow while line breaking after document.write with long string</p>
<p>MFSA 2010-76 Chrome privilege escalation with window.open and isindex element</p>
<p>MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree</p>
<p>MFSA 2010-78 Add support for OTS font sanitizer</p>
<p>MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh</p>
<p>MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver</p>
<p>MFSA 2010-81 Integer overflow vulnerability in NewIdArray</p>
<p>MFSA 2010-82 Incomplete fix for CVE-2010-0179</p>
<p>MFSA 2010-83 Location bar SSL spoofing using network error page</p>
<p>MFSA 2010-84 XSS hazard in multiple character encodings</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3766</cvename>
<cvename>CVE-2010-3767</cvename>
<cvename>CVE-2010-3768</cvename>
<cvename>CVE-2010-3769</cvename>
<cvename>CVE-2010-3770</cvename>
<cvename>CVE-2010-3771</cvename>
<cvename>CVE-2010-3772</cvename>
<cvename>CVE-2010-3773</cvename>
<cvename>CVE-2010-3774</cvename>
<cvename>CVE-2010-3775</cvename>
<cvename>CVE-2010-3776</cvename>
<cvename>CVE-2010-3777</cvename>
<cvename>CVE-2010-3778</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-74.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-75.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-76.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-77.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-78.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-79.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-80.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-81.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-82.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-83.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-84.html</url>
</references>
<dates>
<discovery>2010-12-09</discovery>
<entry>2010-12-10</entry>
</dates>
</vuln>
<vuln vid="4ccbd40d-03f7-11e0-bf50-001a926c7637">
<topic>krb5 -- client impersonation vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7.0</ge><lt>1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 KDC may issue tickets not requested
by a client, based on an attacker-chosen KrbFastArmoredReq.</p>
<p>An authenticated remote attacker that controls a legitimate service
principal could obtain a valid service ticket to itself containing
valid KDC-generated authorization data for a client whose TGS-REQ it
has intercepted. The attacker could then use this ticket for
S4U2Proxy to impersonate the targeted client even if the client
never authenticated to the subverted service. The vulnerable
configuration is believed to be rare.</p>
</blockquote>
</body>
</description>
<references>
<bid>45122</bid>
<cvename>CVE-2010-4021</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69607</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="1d193bba-03f6-11e0-bf50-001a926c7637">
<topic>krb5 -- RFC 3961 key-derivation checksum handling vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.8.0</ge><le>1.8.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 incorrectly accepts RFC 3961
key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH
and AD-KDC-ISSUED authorization data.</p>
<p>An authenticated remote attacker that controls a legitimate service
principal has a 1/256 chance of forging the AD-SIGNEDPATH signature
if the TGT key is RC4, allowing it to use self-generated "evidence"
tickets for S4U2Proxy, instead of tickets obtained from the user or
with S4U2Self. Configurations using RC4 for the TGT key are
believed to be rare.</p>
<p>An authenticated remote attacker has a 1/256 chance of forging
AD-KDC-ISSUED signatures on authdata elements in tickets having
an RC4 service key, resulting in privilege escalation against
a service that relies on these signatures. There are no known
uses of the KDC-ISSUED authdata container at this time.</p>
</blockquote>
</body>
</description>
<references>
<bid>45117</bid>
<cvename>CVE-2010-4020</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69608</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="9f971cea-03f5-11e0-bf50-001a926c7637">
<topic>krb5 -- unkeyed PAC checksum handling vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7.0</ge><lt>1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 incorrectly accepts an unkeyed checksum for PAC
signatures.</p>
<p>An authenticated remote attacker can forge PACs if using a KDC that
does not filter client-provided PAC data. This can result in
privilege escalation against a service that relies on PAC contents
to make authorization decisions.</p>
</blockquote>
</body>
</description>
<references>
<bid>45116</bid>
<cvename>CVE-2010-1324</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69609</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="0d57c1d9-03f4-11e0-bf50-001a926c7637">
<topic>krb5 -- multiple checksum handling vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7.0</ge><lt>1.7.2</lt></range>
<range><ge>1.8.0</ge><le>1.8.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 incorrectly accepts an unkeyed
checksum with DES session keys for version 2 (RFC 4121)
of the GSS-API krb5 mechanism.</p>
<p>An unauthenticated remote attacker can forge GSS tokens that are
intended to be integrity-protected but unencrypted, if the targeted
pre-existing application session uses a DES session key.</p>
<p>MIT krb5 KDC incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying the
req-checksum in a KrbFastArmoredReq.</p>
<p>An unauthenticated remote attacker has a 1/256 chance of swapping a
client-issued KrbFastReq into a different KDC-REQ, if the armor
key is RC4. The consequences are believed to be minor.</p>
</blockquote>
</body>
</description>
<references>
<bid>45116</bid>
<cvename>CVE-2010-1324</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69609</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
<vuln vid="11bbccbc-03ee-11e0-bcdb-001fc61c2a55">
<topic>krb5 -- multiple checksum handling vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.3.0</ge><lt>1.7.2</lt></range>
<range><ge>1.8.0</ge><le>1.8.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
<p>MIT krb5 clients incorrectly accept an unkeyed checksum
in the SAM-2 preauthentication challenge.</p>
<p>An unauthenticated remote attacker could alter a SAM-2 challenge,
affecting the prompt text seen by the user or the kind of response
sent to the KDC. Under some circumstances, this can negate the
incremental security benefit of using a single-use authentication
mechanism token.</p>
<p>MIT krb5 incorrectly accepts RFC 3961 key-derivation checksums
using RC4 keys when verifying KRB-SAFE messages.</p>
<p>An unauthenticated remote attacker has a 1/256 chance of forging
KRB-SAFE messages in an application protocol if the targeted
pre-existing session uses an RC4 session key. Few application
protocols use KRB-SAFE messages.</p>
</blockquote>
</body>
</description>
<references>
<bid>45118</bid>
<cvename>CVE-2010-1323</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
<url>http://osvdb.org/69610</url>
</references>
<dates>
<discovery>2010-11-30</discovery>
<entry>2010-12-09</entry>
</dates>
</vuln>
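The krb5 entries above share one root cause: a verifier that trusts the sender-supplied checksum type and will happily compute an unkeyed checksum (or a keyed checksum type that does not belong to the verifying key's enctype) over data that is supposed to be integrity-protected. The Python below is an added illustration of that pattern, written for this page; it is not MIT krb5 code and not part of the MIT advisory. The checksum-type names, the enctype-to-checksum table, the 16-byte key and the sample PAC bytes are all constructed, and the 1/256 RC4 key-derivation behaviour described in the advisory is not modelled here, only the general rule that the checksum type must be dictated by the key, never by the message.

```python
"""Toy model of the checksum-type confusion behind MITKRB5-SA-2010-007.

Constructed illustration, not MIT krb5 code. Kerberos integrity-protected
data (PAC signatures, KRB-SAFE, GSS MIC tokens) carries a checksum type
identifier chosen by the sender. If the verifier dispatches on that
identifier and is willing to compute an unkeyed checksum (CRC32, SHA-1),
an attacker who can rewrite the data can also recompute the checksum.
"""
import hashlib
import hmac
import zlib

# Constructed registry. Real Kerberos checksum numbers differ; these names
# only record which types are keyed and which enctype each belongs to.
KEYED_CKSUM_FOR_ENCTYPE = {
    "aes128-cts": "hmac-sha1-96-aes128",
    "rc4-hmac": "hmac-md5-rc4",
}
UNKEYED = {"crc32", "sha1"}


def compute(cksumtype, key, data):
    """Return the checksum bytes for DATA under CKSUMTYPE (key unused for unkeyed types)."""
    if cksumtype == "crc32":
        return zlib.crc32(data).to_bytes(4, "little")
    if cksumtype == "sha1":
        return hashlib.sha1(data).digest()
    if cksumtype == "hmac-sha1-96-aes128":
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    if cksumtype == "hmac-md5-rc4":
        return hmac.new(key, data, hashlib.md5).digest()
    raise ValueError("unknown checksum type")


def verify_vulnerable(enctype, key, data, cksumtype, cksum):
    """Pre-fix behaviour: trust the sender's checksum type, keyed or not."""
    return hmac.compare_digest(compute(cksumtype, key, data), cksum)


def verify_fixed(enctype, key, data, cksumtype, cksum):
    """Post-fix behaviour: the checksum type must be the keyed type bound to
    the verifying key's enctype. Unkeyed types, and keyed types that belong
    to a different enctype, are rejected before anything is computed."""
    if cksumtype != KEYED_CKSUM_FOR_ENCTYPE.get(enctype):
        return False
    return hmac.compare_digest(compute(cksumtype, key, data), cksum)


def forge(forged_data):
    """Attacker without the key: rewrite the data and attach an unkeyed
    checksum, relabelling the checksum type so the verifier recomputes it."""
    return forged_data, "sha1", compute("sha1", b"", forged_data)


def demo():
    """Run the legitimate and forged cases through both verifiers."""
    key = b"\x01" * 16  # constructed service key for enctype aes128-cts
    enctype = "aes128-cts"
    pac = b"user=alice;groups=users"  # constructed stand-in for PAC bytes
    legit_type = KEYED_CKSUM_FOR_ENCTYPE[enctype]
    legit_sum = compute(legit_type, key, pac)

    forged_pac, forged_type, forged_sum = forge(b"user=alice;groups=users,admins")
    return {
        "legit_vulnerable": verify_vulnerable(enctype, key, pac, legit_type, legit_sum),
        "legit_fixed": verify_fixed(enctype, key, pac, legit_type, legit_sum),
        "forged_vulnerable": verify_vulnerable(enctype, key, forged_pac, forged_type, forged_sum),
        "forged_fixed": verify_fixed(enctype, key, forged_pac, forged_type, forged_sum),
        # a keyed type from another enctype is also refused post-fix
        "cross_enctype_fixed": verify_fixed(enctype, key, pac, "hmac-md5-rc4",
                                            compute("hmac-md5-rc4", key, pac)),
    }
```

The vulnerable verifier accepts the forged PAC because the attacker chose an unkeyed type and computed it over the rewritten bytes; the fixed verifier never consults the message to decide which checksum it expects, so the forgery and the cross-enctype checksum both fail closed. The same rule is what the advisory's fixes enforce for PAC signatures, KRB-SAFE, GSS tokens and FAST request checksums.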
<vuln vid="6887828f-0229-11e0-b84d-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
<package>
<name>chromium</name>
<range><lt>15.0.874.121</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Chrome Releases reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">
<p>Fixed in 15.0.874.121:<br/>
[103259] High CVE-2011-3900: Out-of-bounds write in v8. Credit to
Christian Holler.</p>
<p>Fixed in 15.0.874.120:<br/>
[100465] High CVE-2011-3892: Double free in Theora decoder. Credit
to Aki Helin of OUSPG.<br/>
[100492] [100543] Medium CVE-2011-3893: Out of bounds reads in MKV
and Vorbis media handlers. Credit to Aki Helin of OUSPG.<br/>
[101172] High CVE-2011-3894: Memory corruption regression in VP8
decoding. Credit to Andrew Scherkus of the Chromium development
community.<br/>
[101458] High CVE-2011-3895: Heap overflow in Vorbis decoder.
Credit to Aki Helin of OUSPG.<br/>
[101624] High CVE-2011-3896: Buffer overflow in shader variable
mapping. Credit to Ken "strcpy" Russell of the Chromium
development community.<br/>
[102242] High CVE-2011-3897: Use-after-free in editing. Credit to
pa_kt reported through ZDI (ZDI-CAN-1416).<br/>
[102461] Low CVE-2011-3898: Failure to ask for permission to run
applets in JRE7. Credit to Google Chrome Security Team (Chris
Evans).</p>
<p>Fixed in 15.0.874.102:<br/>
[86758] High CVE-2011-2845: URL bar spoof in history handling.
Credit to Jordi Chancel.<br/>
[88949] Medium CVE-2011-3875: URL bar spoof with drag+drop of URLs.
Credit to Jordi Chancel.<br/>
[90217] Low CVE-2011-3876: Avoid stripping whitespace at the end of
download filenames. Credit to Marc Novak.<br/>
[91218] Low CVE-2011-3877: XSS in appcache internals page. Credit
to Google Chrome Security Team (Tom Sepez) plus independent
discovery by Juho Nurminen.<br/>
[94487] Medium CVE-2011-3878: Race condition in worker process
initialization. Credit to miaubiz.<br/>
[95374] Low CVE-2011-3879: Avoid redirect to chrome scheme URIs.
Credit to Masato Kinugawa.<br/>
[95992] Low CVE-2011-3880: Don't permit as a HTTP header delimiter.
Credit to Vladimir Vorontsov, ONsec company.<br/>
[96047] [96885] [98053] [99512] [99750] High CVE-2011-3881:
Cross-origin policy violations. Credit to Sergey Glazunov.<br/>
[96292] High CVE-2011-3882: Use-after-free in media buffer handling.
Credit to Google Chrome Security Team (Inferno).<br/>
[96902] High CVE-2011-3883: Use-after-free in counter handling.
Credit to miaubiz.<br/>
[97148] High CVE-2011-3884: Timing issues in DOM traversal. Credit
to Brian Ryner of the Chromium development community.<br/>
[97599] [98064] [98556] [99294] [99880] [100059] High CVE-2011-3885:
Stale style bugs leading to use-after-free. Credit to
miaubiz.<br/>
[98773] [99167] High CVE-2011-3886: Out of bounds writes in v8.
Credit to Christian Holler.<br/>
[98407] Medium CVE-2011-3887: Cookie theft with javascript URIs.
Credit to Sergey Glazunov.<br/>
[99138] High CVE-2011-3888: Use-after-free with plug-in and editing.
Credit to miaubiz.<br/>
[99211] High CVE-2011-3889: Heap overflow in Web Audio. Credit to
miaubiz.<br/>
[99553] High CVE-2011-3890: Use-after-free in video source handling.
Credit to Ami Fischman of the Chromium development community.<br/>
[100332] High CVE-2011-3891: Exposure of internal v8 functions.
Credit to Steven Keuchel of the Chromium development community
plus independent discovery by Daniel Divricean.</p>
<p>Fixed in 14.0.835.202:<br/>
[93788] High CVE-2011-2876: Use-after-free in text line box
handling. Credit to miaubiz.<br/>
[95072] High CVE-2011-2877: Stale font in SVG text handling. Credit
to miaubiz.<br/>
[95671] High CVE-2011-2878: Inappropriate cross-origin access to the
window prototype. Credit to Sergey Glazunov.<br/>
[96150] High CVE-2011-2879: Lifetime and threading issues in audio
node handling. Credit to Google Chrome Security Team
(Inferno).<br/>
[97451] [97520] [97615] High CVE-2011-2880: Use-after-free in the v8
bindings. Credit to Sergey Glazunov.<br/>
[97784] High CVE-2011-2881: Memory corruption with v8 hidden
objects. Credit to Sergey Glazunov.<br/>
[98089] Critical CVE-2011-3873: Memory corruption in shader
translator. Credit to Zhenyao Mo of the Chromium development
community.</p>
<p>Fixed in 14.0.835.163:<br/>
[49377] High CVE-2011-2835: Race condition in the certificate cache. Credit to Ryan Sleevi of the Chromium development community.<br/>
[51464] Low CVE-2011-2836: Infobar the Windows Media Player plug-in
to avoid click-free access to the system Flash. Credit to
electronixtar.<br/>
[Linux only] [57908] Low CVE-2011-2837: Use PIC / pie compiler
flags. Credit to wbrana.<br/>
[75070] Low CVE-2011-2838: Treat MIME type more authoritatively when
loading plug-ins. Credit to Michal Zalewski of the Google Security
Team.<br/>
[76771] High CVE-2011-2839: Crash in v8 script object wrappers.
Credit to Kostya Serebryany of the Chromium development
community.<br/>
[78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with
unusual user interaction. Credit to kuzzcc.<br/>
[78639] High CVE-2011-2841: Garbage collection error in PDF. Credit
to Mario Gomes.<br/>
[82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers.
Credit to Kostya Serebryany of the Chromium development
community.<br/>
[85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files.
Credit to Mario Gomes.<br/>
[89219] High CVE-2011-2846: Use-after-free in unload event handling.
Credit to Arthur Gerkis.<br/>
[89330] High CVE-2011-2847: Use-after-free in document loader.
Credit to miaubiz.<br/>
[89564] Medium CVE-2011-2848: URL bar spoof with forward button.
Credit to Jordi Chancel.<br/>
[89795] Low CVE-2011-2849: Browser NULL pointer crash with
WebSockets. Credit to Arthur Gerkis.<br/>
[89991] Medium CVE-2011-3234: Out-of-bounds read in box handling.
Credit to miaubiz.<br/>
[90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer
characters. Credit to miaubiz.<br/>
[90173] Medium CVE-2011-2851: Out-of-bounds read in video handling.
Credit to Google Chrome Security Team (Inferno).<br/>
[91120] High CVE-2011-2852: Off-by-one in v8. Credit to Christian
Holler.<br/>
[91197] High CVE-2011-2853: Use-after-free in plug-in handling.
Credit to Google Chrome Security Team (SkyLined).<br/>
[92651] [94800] High CVE-2011-2854: Use-after-free in ruby / table
style handling. Credit to Slawomir Blazek, and independent later
discoveries by miaubiz and Google Chrome Security Team
(Inferno).<br/>
[92959] High CVE-2011-2855: Stale node in stylesheet handling.
Credit to Arthur Gerkis.<br/>
[93416] High CVE-2011-2856: Cross-origin bypass in v8. Credit to
Daniel Divricean.<br/>
[93420] High CVE-2011-2857: Use-after-free in focus controller.
Credit to miaubiz.<br/>
[93472] High CVE-2011-2834: Double free in libxml XPath handling.
Credit to Yang Dingning from NCNIPC, Graduate University of
Chinese Academy of Sciences.<br/>
[93497] Medium CVE-2011-2859: Incorrect permissions assigned to
non-gallery pages. Credit to Bernhard "Bruhns" Brehm of Recurity
Labs.<br/>
[93587] High CVE-2011-2860: Use-after-free in table style handling.
Credit to miaubiz.<br/>
[93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki
Helin of OUSPG.<br/>
[93906] High CVE-2011-2862: Unintended access to v8 built-in
objects. Credit to Sergey Glazunov.<br/>
[95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan
characters. Credit to Google Chrome Security Team (Inferno).<br/>
[95625] Medium CVE-2011-2858: Out-of-bounds read with triangle
arrays. Credit to Google Chrome Security Team (Inferno).<br/>
[95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a
session. Credit to Nishant Yadant of VMware and Craig Chamberlain
(@randomuserid).<br/>
High CVE-2011-2875: Type confusion in v8 object sealing. Credit to
Christian Holler.</p>
<p>Fixed in 13.0.782.215:<br/>
[89402] High CVE-2011-2821: Double free in libxml XPath handling.
Credit to Yang Dingning from NCNIPC, Graduate University of
Chinese Academy of Sciences.<br/>
[82552] High CVE-2011-2823: Use-after-free in line box handling.
Credit to Google Chrome Security Team (SkyLined) and independent
later discovery by miaubiz.<br/>
[88216] High CVE-2011-2824: Use-after-free with counter nodes.
Credit to miaubiz.<br/>
[88670] High CVE-2011-2825: Use-after-free with custom fonts. Credit
to wushi of team509 reported through ZDI (ZDI-CAN-1283), plus
independent later discovery by miaubiz.<br/>
[87453] High CVE-2011-2826: Cross-origin violation with empty
origins. Credit to Sergey Glazunov.<br/>
[90668] High CVE-2011-2827: Use-after-free in text searching. Credit
to miaubiz.<br/>
[91517] High CVE-2011-2828: Out-of-bounds write in v8. Credit to
Google Chrome Security Team (SkyLined).<br/>
[32-bit only] [91598] High CVE-2011-2829: Integer overflow in
uniform arrays. Credit to Sergey Glazunov.<br/>
[Linux only] [91665] High CVE-2011-2839: Buggy memset() in PDF.
Credit to Aki Helin of OUSPG.</p>
<p>Fixed in 13.0.782.107:<br/>
[75821] Medium CVE-2011-2358: Always confirm an extension install
via a browser dialog. Credit to Sergey Glazunov.<br/>
[78841] High CVE-2011-2359: Stale pointer due to bad line box
tracking in rendering. Credit to miaubiz and Martin Barbella.<br/>
[79266] Low CVE-2011-2360: Potential bypass of dangerous file
prompt. Credit to kuzzcc.<br/>
[79426] Low CVE-2011-2361: Improve designation of strings in the
basic auth dialog. Credit to kuzzcc.<br/>
[Linux only] [81307] Medium CVE-2011-2782: File permissions error
with drag and drop. Credit to Evan Martin of the Chromium
development community.<br/>
[83273] Medium CVE-2011-2783: Always confirm a developer mode NPAPI
extension install via a browser dialog. Credit to Sergey
Glazunov.<br/>
[83841] Low CVE-2011-2784: Local file path disclosure via GL
program log. Credit to kuzzcc.<br/>
[84402] Low CVE-2011-2785: Sanitize the homepage URL in extensions.
Credit to kuzzcc.<br/>
[84600] Low CVE-2011-2786: Make sure the speech input bubble is
always on-screen. Credit to Olli Pettay of Mozilla.<br/>
[84805] Medium CVE-2011-2787: Browser crash due to GPU lock
re-entrancy issue. Credit to kuzzcc.<br/>
[85559] Low CVE-2011-2788: Buffer overflow in inspector
serialization. Credit to Mikolaj Malecki.<br/>
[85808] Medium CVE-2011-2789: Use after free in Pepper plug-in
instantiation. Credit to Mario Gomes and kuzzcc.<br/>
[86502] High CVE-2011-2790: Use-after-free with floating styles.
Credit to miaubiz.<br/>
[86900] High CVE-2011-2791: Out-of-bounds write in ICU. Credit to
Yang Dingning from NCNIPC, Graduate University of Chinese Academy
of Sciences.<br/>
[87148] High CVE-2011-2792: Use-after-free with float removal.
Credit to miaubiz.<br/>
[87227] High CVE-2011-2793: Use-after-free in media selectors.
Credit to miaubiz.<br/>
[87298] Medium CVE-2011-2794: Out-of-bounds read in text iteration.
Credit to miaubiz.<br/>
[87339] Medium CVE-2011-2795: Cross-frame function leak. Credit to
Shih Wei-Long.<br/>
[87548] High CVE-2011-2796: Use-after-free in Skia. Credit to Google
Chrome Security Team (Inferno) and Kostya Serebryany of the
Chromium development community.<br/>
[87729] High CVE-2011-2797: Use-after-free in resource caching.
Credit to miaubiz.<br/>
[87815] Low CVE-2011-2798: Prevent a couple of internal schemes from
being web accessible. Credit to sirdarckcat of the Google Security
Team.<br/>
[87925] High CVE-2011-2799: Use-after-free in HTML range handling.
Credit to miaubiz.<br/>
[88337] Medium CVE-2011-2800: Leak of client-side redirect target.
Credit to Juho Nurminen.<br/>
[88591] High CVE-2011-2802: v8 crash with const lookups. Credit to
Christian Holler.<br/>
[88827] Medium CVE-2011-2803: Out-of-bounds read in Skia paths.
Credit to Google Chrome Security Team (Inferno).<br/>
[88846] High CVE-2011-2801: Use-after-free in frame loader. Credit
to miaubiz.<br/>
[88889] High CVE-2011-2818: Use-after-free in display box rendering.
Credit to Martin Barbella.<br/>
[89142] High CVE-2011-2804: PDF crash with nested functions. Credit
to Aki Helin of OUSPG.<br/>
[89520] High CVE-2011-2805: Cross-origin script injection. Credit to
Sergey Glazunov.<br/>
[90222] High CVE-2011-2819: Cross-origin violation in base URI
handling. Credit to Sergey Glazunov.</p>
<p>Fixed in 12.0.742.112:<br/>
[77493] Medium CVE-2011-2345: Out-of-bounds read in NPAPI string
handling. Credit to Philippe Arteau.<br/>
[84355] High CVE-2011-2346: Use-after-free in SVG font handling.
Credit to miaubiz.<br/>
[85003] High CVE-2011-2347: Memory corruption in CSS parsing. Credit
to miaubiz.<br/>
[85102] High CVE-2011-2350: Lifetime and re-entrancy issues in the
HTML parser. Credit to miaubiz.<br/>
[85177] High CVE-2011-2348: Bad bounds check in v8. Credit to Aki
Helin of OUSPG.<br/>
[85211] High CVE-2011-2351: Use-after-free with SVG use element.
Credit to miaubiz.<br/>
[85418] High CVE-2011-2349: Use-after-free in text selection. Credit
to miaubiz.</p>
<p>Fixed in 12.0.742.91:<br/>
[73962] [79746] High CVE-2011-1808: Use-after-free due to integer
issues in float handling. Credit to miaubiz.<br/>
[75496] Medium CVE-2011-1809: Use-after-free in accessibility
support. Credit to Google Chrome Security Team (SkyLined).<br/>
[75643] Low CVE-2011-1810: Visit history information leak in CSS.
Credit to Jesse Mohrland of Microsoft and Microsoft Vulnerability
Research (MSVR).<br/>
[76034] Low CVE-2011-1811: Browser crash with lots of form
submissions. Credit to "DimitrisV22".<br/>
[77026] Medium CVE-2011-1812: Extensions permission bypass. Credit
to kuzzcc.<br/>
[78516] High CVE-2011-1813: Stale pointer in extension framework.
Credit to Google Chrome Security Team (Inferno).<br/>
[79362] Medium CVE-2011-1814: Read from uninitialized pointer.
Credit to Eric Roman of the Chromium development community.<br/>
[79862] Low CVE-2011-1815: Extension script injection into new tab
page. Credit to kuzzcc.<br/>
[80358] Medium CVE-2011-1816: Use-after-free in developer tools.
Credit to kuzzcc.<br/>
[81916] Medium CVE-2011-1817: Browser memory corruption in history
deletion. Credit to Collin Payne.<br/>
[81949] High CVE-2011-1818: Use-after-free in image loader. Credit
to miaubiz.<br/>
[83010] Medium CVE-2011-1819: Extension injection into chrome://
pages. Credit to Vladislavas Jarmalis, plus subsequent
independent discovery by Sergey Glazunov.<br/>
[83275] High CVE-2011-2332: Same origin bypass in v8. Credit to
Sergey Glazunov.<br/>
[83743] High CVE-2011-2342: Same origin bypass in DOM. Credit to
Sergey Glazunov.</p>
<p>Fixed in 11.0.696.71:<br/>
[72189] Low CVE-2011-1801: Pop-up blocker bypass. Credit to Chamal
De Silva.<br/>
[82546] High CVE-2011-1804: Stale pointer in floats rendering.
Credit to Martin Barbella.<br/>
[82873] Critical CVE-2011-1806: Memory corruption in GPU command
buffer. Credit to Google Chrome Security Team (Cris Neckar).<br/>
[82903] Critical CVE-2011-1807: Out-of-bounds write in blob
handling. Credit to Google Chrome Security Team (Inferno) and
Kostya Serebryany of the Chromium development community.</p>
<p>Fixed in 11.0.696.68:<br/>
[64046] High CVE-2011-1799: Bad casts in Chromium WebKit glue.
Credit to Google Chrome Security Team (SkyLined).<br/>
[80608] High CVE-2011-1800: Integer overflows in SVG filters.
Credit to Google Chrome Security Team (Cris Neckar).</p>
<p>Fixed in 11.0.696.57:<br/>
[61502] High CVE-2011-1303: Stale pointer in floating object
handling. Credit to Scott Hess of the Chromium development
community and Martin Barbella.<br/>
[70538] Low CVE-2011-1304: Pop-up block bypass via plug-ins. Credit
to Chamal De Silva.<br/>
[Linux / Mac only] [70589] Medium CVE-2011-1305: Linked-list race
in database handling. Credit to Kostya Serebryany of the
Chromium development community.<br/>
[71586] Medium CVE-2011-1434: Lack of thread safety in MIME
handling. Credit to Aki Helin.<br/>
[72523] Medium CVE-2011-1435: Bad extension with "tabs" permission
can capture local files. Credit to Cole Snodgrass.<br/>
[Linux only] [72910] Low CVE-2011-1436: Possible browser crash due
to bad interaction with X. Credit to miaubiz.<br/>
[73526] High CVE-2011-1437: Integer overflows in float rendering.
Credit to miaubiz.<br/>
[74653] High CVE-2011-1438: Same origin policy violation with
blobs. Credit to kuzzcc.<br/>
[Linux only] [74763] High CVE-2011-1439: Prevent interference
between renderer processes. Credit to Julien Tinnes of the
Google Security Team.<br/>
[75186] High CVE-2011-1440: Use-after-free with &lt;ruby&gt; tag
and CSS. Credit to Jose A. Vazquez.<br/>
[75347] High CVE-2011-1441: Bad cast with floating select lists.
Credit to Michael Griffiths.<br/>
[75801] High CVE-2011-1442: Corrupt node trees with mutation events.
Credit to Sergey Glazunov and wushi of team 509.<br/>
[76001] High CVE-2011-1443: Stale pointers in layering code. Credit
to Martin Barbella.<br/>
[Linux only] [76542] High CVE-2011-1444: Race condition in sandbox
launcher. Credit to Dan Rosenberg.<br/>
Medium CVE-2011-1445: Out-of-bounds read in SVG. Credit to wushi of
team509.<br/>
[76666] [77507] [78031] High CVE-2011-1446: Possible URL bar spoofs
with navigation errors and interrupted loads. Credit to
kuzzcc.<br/>
[76966] High CVE-2011-1447: Stale pointer in drop-down list
handling. Credit to miaubiz.<br/>
[77130] High CVE-2011-1448: Stale pointer in height calculations.
Credit to wushi of team509.<br/>
[77346] High CVE-2011-1449: Use-after-free in WebSockets. Credit to
Marek Majkowski.<br/>
Low CVE-2011-1450: Dangling pointers in file dialogs. Credit to
kuzzcc.<br/>
[77463] High CVE-2011-1451: Dangling pointers in DOM id map. Credit
to Sergey Glazunov.<br/>
[77786] Medium CVE-2011-1452: URL bar spoof with redirect and manual
reload. Credit to Jordi Chancel.<br/>
[79199] High CVE-2011-1454: Use-after-free in DOM id handling.
Credit to Sergey Glazunov.<br/>
[79361] Medium CVE-2011-1455: Out-of-bounds read with
multipart-encoded PDF. Credit to Eric Roman of the Chromium
development community.<br/>
[79364] High CVE-2011-1456: Stale pointers with PDF forms. Credit to
Eric Roman of the Chromium development community.</p>
<p>Fixed in 10.0.648.205:<br/>
[75629] Critical CVE-2011-1301: Use-after-free in the GPU process.
Credit to Google Chrome Security Team (Inferno).<br/>
[78524] Critical CVE-2011-1302: Heap overflow in the GPU process.
Credit to Christoph Diehl.</p>
<p>Fixed in 10.0.648.204:<br/>
[72517] High CVE-2011-1291: Buffer error in base string handling.
Credit to Alex Turpin.<br/>
[73216] High CVE-2011-1292: Use-after-free in the frame loader.
Credit to Slawomir Blazek.<br/>
[73595] High CVE-2011-1293: Use-after-free in HTMLCollection.
Credit to Sergey Glazunov.<br/>
[74562] High CVE-2011-1294: Stale pointer in CSS handling.
Credit to Sergey Glazunov.<br/>
[74991] High CVE-2011-1295: DOM tree corruption with broken node
parentage. Credit to Sergey Glazunov.<br/>
[75170] High CVE-2011-1296: Stale pointer in SVG text handling.
Credit to Sergey Glazunov.</p>
<p>Fixed in 10.0.648.133:<br/>
[75712] High Memory corruption in style handling.
Credit to Vincenzo Iozzo, Ralf Philipp Weinmann and Willem
Pinckaers reported through ZDI.</p>
<p>Fixed in 10.0.648.127:<br/>
[42765] Low Possible to navigate or close the top location in a
sandboxed frame. Credit to sirdarckcat of the Google Security
Team.<br/>
[Linux only] [49747] Low Work around an X server bug and crash with
long messages. Credit to Louis Lang.<br/>
[Linux only] [66962] Low Possible browser crash with parallel
print()s. Credit to Aki Helin of OUSPG.<br/>
[69187] Medium Cross-origin error message leak. Credit to Daniel
Divricean.<br/>
[69628] High Memory corruption with counter nodes. Credit to Martin
Barbella.<br/>
[70027] High Stale node in box layout. Credit to Martin
Barbella.<br/>
[70336] Medium Cross-origin error message leak with workers. Credit
to Daniel Divricean.<br/>
[70442] High Use after free with DOM URL handling. Credit to Sergey
Glazunov.<br/>
[Linux only] [70779] Medium Out of bounds read handling unicode
ranges. Credit to miaubiz.<br/>
[70877] High Same origin policy bypass in v8. Credit to Daniel
Divricean.<br/>
[70885] [71167] Low Pop-up blocker bypasses. Credit to Chamal de
Silva.<br/>
[71763] High Use-after-free in document script lifetime handling.
Credit to miaubiz.<br/>
[71788] High Out-of-bounds write in the OGG container. Credit to
Google Chrome Security Team (SkyLined); plus subsequent
independent discovery by David Weston of Microsoft and MSVR.<br/>
[72028] High Stale pointer in table painting. Credit to Martin
Barbella.<br/>
[73026] High Use of corrupt out-of-bounds structure in video code.
Credit to Tavis Ormandy of the Google Security Team.<br/>
[73066] High Crash with the DataView object. Credit to Sergey
Glazunov.<br/>
[73134] High Bad cast in text rendering. Credit to miaubiz.<br/>
[73196] High Stale pointer in WebKit context code. Credit to Sergey
Glazunov.<br/>
[73716] Low Leak of heap address in XSLT. Credit to Google Chrome
Security Team (Chris Evans).<br/>
[73746] High Stale pointer with SVG cursors. Credit to Sergey
Glazunov.<br/>
[74030] High DOM tree corruption with attribute handling. Credit to
Sergey Glazunov.<br/>
[74662] High Corruption via re-entrancy of RegExp code. Credit to
Christian Holler.<br/>
[74675] High Invalid memory access in v8. Credit to Christian
Holler.</p>
<p>Fixed in 9.0.597.107:<br/>
[54262] High URL bar spoof. Credit to Jordi Chancel.<br/>
[63732] High Crash with javascript dialogs. Credit to Sergey
Radchenko.<br/>
[68263] High Stylesheet node stale pointer. Credit to Sergey
Glazunov.<br/>
[68741] High Stale pointer with key frame rule. Credit to Sergey
Glazunov.<br/>
[70078] High Crash with forms controls. Credit to Stefan van
Zanden.<br/>
[70244] High Crash in SVG rendering. Credit to Slawomir Blazek.<br/>
[64-bit Linux only] [70376] Medium Out-of-bounds read in pickle
deserialization. Credit to Evgeniy Stepanov of the Chromium
development community.<br/>
[71114] High Stale node in table handling. Credit to Martin
Barbella.<br/>
[71115] High Stale pointer in table rendering. Credit to Martin
Barbella.<br/>
[71296] High Stale pointer in SVG animations. Credit to
miaubiz.<br/>
[71386] High Stale nodes in XHTML. Credit to wushi of team509.<br/>
[71388] High Crash in textarea handling. Credit to wushi of
team509.<br/>
[71595] High Stale pointer in device orientation. Credit to Sergey
Glazunov.<br/>
[71717] Medium Out-of-bounds read in WebGL. Credit to miaubiz.<br/>
[71855] High Integer overflow in textarea handling. Credit to
miaubiz.<br/>
[71960] Medium Out-of-bounds read in WebGL. Credit to Google Chrome
Security Team (Inferno).<br/>
[72214] High Accidental exposure of internal extension functions.
Credit to Tavis Ormandy of the Google Security Team.<br/>
[72437] High Use-after-free with blocked plug-ins. Credit to Chamal
de Silva.<br/>
[73235] High Stale pointer in layout. Credit to Martin Barbella.</p>
<p>Fixed in 9.0.597.94:<br/>
[67234] High Stale pointer in animation event handling. Credit to
Rik Cabanier.<br/>
[68120] High Use-after-free in SVG font faces. Credit to
miaubiz.<br/>
[69556] High Stale pointer with anonymous block handling. Credit to
Martin Barbella.<br/>
[69970] Medium Out-of-bounds read in plug-in handling. Credit to
Bill Budge of Google.<br/>
[70456] Medium Possible failure to terminate process on
out-of-memory condition. Credit to David Warren of CERT/CC.</p>
<p>Fixed in 9.0.597.84:<br/>
[Mac only] [42989] Low Minor sandbox leak via stat(). Credit to
Daniel Cheng of the Chromium development community.<br/>
[55831] High Use-after-free in image loading. Credit to Aki
Helin of OUSPG.<br/>
[59081] Low Apply some restrictions to cross-origin drag + drop.
Credit to Google Chrome Security Team (SkyLined) and the Google
Security Team (Michal Zalewski, David Bloom).<br/>
[62791] Low Browser crash with extension with missing key. Credit
to Brian Kirchoff.<br/>
[64051] High Crashing when printing in PDF event handler. Credit to
Aki Helin of OUSPG.<br/>
[65669] Low Handle merging of autofill profiles more gracefully.
Credit to Google Chrome Security Team (Inferno).<br/>
[Mac only] [66931] Low Work around a crash in the Mac OS 10.5 SSL
libraries. Credit to Dan Morrison.<br/>
[68244] Low Browser crash with bad volume setting. Credit to
Matthew Heidermann.<br/>
[69195] Critical Race condition in audio handling. Credit to the
gamers of Reddit!</p>
<p>Fixed in 8.0.552.237:<br/>
[58053] Medium Browser crash in extensions notification handling.
Credit to Eric Roman of the Chromium development community.<br/>
[65764] High Bad pointer handling in node iteration. Credit to
Sergey Glazunov.<br/>
[66334] High Crashes when printing multi-page PDFs. Credit to
Google Chrome Security Team (Chris Evans).<br/>
[66560] High Stale pointer with CSS + canvas. Credit to Sergey
Glazunov.<br/>
[66748] High Stale pointer with CSS + cursors. Credit to Jan
Tosovsk.<br/>
[67100] High Use after free in PDF page handling. Credit to Google
Chrome Security Team (Chris Evans).<br/>
[67208] High Stack corruption after PDF out-of-memory condition.
Credit to Jared Allar of CERT.<br/>
[67303] High Bad memory access with mismatched video frame sizes.
Credit to Aki Helin of OUSPG; plus independent discovery by
Google Chrome Security Team (SkyLined) and David Warren of
CERT.<br/>
[67363] High Stale pointer with SVG use element. Credited
anonymously; plus independent discovery by miaubiz.<br/>
[67393] Medium Uninitialized pointer in the browser triggered by
rogue extension. Credit to kuzzcc.<br/>
[68115] High Vorbis decoder buffer overflows. Credit to David
Warren of CERT.<br/>
[68170] High Buffer overflow in PDF shading. Credit to Aki Helin of
OUSPG.<br/>
[68178] High Bad cast in anchor handling. Credit to Sergey
Glazunov.<br/>
[68181] High Bad cast in video handling. Credit to Sergey
Glazunov.<br/>
[68439] High Stale rendering node after DOM node removal. Credit to
Martin Barbella; plus independent discovery by Google Chrome
Security Team (SkyLined).<br/>
[68666] Critical Stale pointer in speech handling. Credit to Sergey
Glazunov.</p>
<p>Fixed in 8.0.552.224:<br/>
[64-bit Linux only] [56449] High Bad validation for message
deserialization on 64-bit builds. Credit to Lei Zhang of the
Chromium development community.<br/>
[60761] Medium Bad extension can cause browser crash in tab
handling. Credit to kuzzcc.<br/>
[63529] Low Browser crash with NULL pointer in web worker handling.
Credit to Nathan Weizenbaum of Google.<br/>
[63866] Medium Out-of-bounds read in CSS parsing. Credit to Chris
Rohlf.<br/>
[64959] High Stale pointers in cursor handling. Credit to Slawomir
Blazek and Sergey Glazunov.</p>
<p>Fixed in 8.0.552.215:<br/>
[17655] Low Possible pop-up blocker bypass. Credit to Google Chrome
Security Team (SkyLined).<br/>
[55745] Medium Cross-origin video theft with canvas. Credit to
Nirankush Panchbhai and Microsoft Vulnerability Research
(MSVR).<br/>
[56237] Low Browser crash with HTML5 databases. Credit to Google
Chrome Security Team (Inferno).<br/>
[58319] Low Prevent excessive file dialogs, possibly leading to
browser crash. Credit to Cezary Tomczak (gosu.pl).<br/>
[59554] High Use after free in history handling. Credit to Stefan
Troger.<br/>
[Linux / Mac] [59817] Medium Make sure the "dangerous file types"
list is up to date with the Windows platforms. Credit to Billy Rios
of the Google Security Team.<br/>
[61701] Low Browser crash with HTTP proxy authentication. Credit to
Mohammed Bouhlel.<br/>
[61653] Medium Out-of-bounds read regression in WebM video support.
Credit to Google Chrome Security Team (Chris Evans), based on
earlier testcases from Mozilla and Microsoft (MSVR).<br/>
[62127] High Crash due to bad indexing with malformed video. Credit
to miaubiz.<br/>
[62168] Medium Possible browser memory corruption via malicious
privileged extension. Credit to kuzzcc.<br/>
[62401] High Use after free with SVG animations. Credit to Slawomir
Blazek.<br/>
[63051] Medium Use after free in mouse dragging event handling.
Credit to kuzzcc.<br/>
[63444] High Double free in XPath handling. Credit to Yang Dingning
from NCNIPC, Graduate University of Chinese Academy of Sciences.</p>
<p>Fixed in 7.0.517.44:<br/>
[51602] High Use-after-free in text editing. Credit to David Bloom
of the Google Security Team, Google Chrome Security Team (Inferno)
and Google Chrome Security Team (Cris Neckar).<br/>
[55257] High Memory corruption with enormous text area. Credit to
wushi of team509.<br/>
[58657] High Bad cast with the SVG use element. Credit to
kuzzcc.<br/>
[58731] High Invalid memory read in XPath handling. Credit to Bui
Quang Minh from Bkis (www.bkis.com).<br/>
[58741] High Use-after-free in text control selections. Credit to
"vkouchna".<br/>
[Linux only] [59320] High Integer overflows in font handling. Credit
to Aki Helin of OUSPG.<br/>
[60055] High Memory corruption in libvpx. Credit to Christoph
Diehl.<br/>
[60238] High Bad use of destroyed frame object. Credit to various
developers, including "gundlach".<br/>
[60327] [60769] [61255] High Type confusions with event objects.
Credit to "fam.lam" and Google Chrome Security Team
(Inferno).<br/>
[60688] High Out-of-bounds array access in SVG handling. Credit to
wushi of team509.</p>
<p>Fixed in 7.0.517.43:<br/>
[48225] [51727] Medium Possible autofill / autocomplete profile
spamming. Credit to Google Chrome Security Team (Inferno).<br/>
[48857] High Crash with forms. Credit to the Chromium development
community.<br/>
[50428] Critical Browser crash with form autofill. Credit to the
Chromium development community.<br/>
[51680] High Possible URL spoofing on page unload. Credit to kuzzcc;
plus independent discovery by Jordi Chancel.<br/>
[53002] Low Pop-up block bypass. Credit to kuzzcc.<br/>
[53985] Medium Crash on shutdown with Web Sockets. Credit to the
Chromium development community.<br/>
[Linux only] [54132] Low Bad construction of PATH variable. Credit
to Dan Rosenberg, Virtual Security Research.<br/>
[54500] High Possible memory corruption with animated GIF. Credit to
Simon Schaak.<br/>
[Linux only] [54794] High Failure to sandbox worker processes on
Linux. Credit to Google Chrome Security Team (Chris Evans).<br/>
[56451] High Stale elements in an element map. Credit to Michal
Zalewski of the Google Security Team.</p>
</blockquote>
</body>
</description>
<references>
<url>http://googlechromereleases.blogspot.com/search/label/Stable%20updates</url>
<cvename>CVE-2011-1290</cvename>
<cvename>CVE-2011-1291</cvename>
<cvename>CVE-2011-1292</cvename>
<cvename>CVE-2011-1293</cvename>
<cvename>CVE-2011-1294</cvename>
<cvename>CVE-2011-1295</cvename>
<cvename>CVE-2011-1296</cvename>
<cvename>CVE-2011-1301</cvename>
<cvename>CVE-2011-1302</cvename>
<cvename>CVE-2011-1303</cvename>
<cvename>CVE-2011-1304</cvename>
<cvename>CVE-2011-1305</cvename>
<cvename>CVE-2011-1434</cvename>
<cvename>CVE-2011-1435</cvename>
<cvename>CVE-2011-1436</cvename>
<cvename>CVE-2011-1437</cvename>
<cvename>CVE-2011-1438</cvename>
<cvename>CVE-2011-1439</cvename>
<cvename>CVE-2011-1440</cvename>
<cvename>CVE-2011-1441</cvename>
<cvename>CVE-2011-1442</cvename>
<cvename>CVE-2011-1443</cvename>
<cvename>CVE-2011-1444</cvename>
<cvename>CVE-2011-1445</cvename>
<cvename>CVE-2011-1446</cvename>
<cvename>CVE-2011-1447</cvename>
<cvename>CVE-2011-1448</cvename>
<cvename>CVE-2011-1449</cvename>
<cvename>CVE-2011-1450</cvename>
<cvename>CVE-2011-1451</cvename>
<cvename>CVE-2011-1452</cvename>
<cvename>CVE-2011-1454</cvename>
<cvename>CVE-2011-1455</cvename>
<cvename>CVE-2011-1456</cvename>
<cvename>CVE-2011-1799</cvename>
<cvename>CVE-2011-1800</cvename>
<cvename>CVE-2011-1801</cvename>
<cvename>CVE-2011-1804</cvename>
<cvename>CVE-2011-1806</cvename>
<cvename>CVE-2011-1807</cvename>
<cvename>CVE-2011-1808</cvename>
<cvename>CVE-2011-1809</cvename>
<cvename>CVE-2011-1810</cvename>
<cvename>CVE-2011-1811</cvename>
<cvename>CVE-2011-1812</cvename>
<cvename>CVE-2011-1813</cvename>
<cvename>CVE-2011-1814</cvename>
<cvename>CVE-2011-1815</cvename>
<cvename>CVE-2011-1816</cvename>
<cvename>CVE-2011-1817</cvename>
<cvename>CVE-2011-1818</cvename>
<cvename>CVE-2011-1819</cvename>
<cvename>CVE-2011-2332</cvename>
<cvename>CVE-2011-2342</cvename>
<cvename>CVE-2011-2345</cvename>
<cvename>CVE-2011-2346</cvename>
<cvename>CVE-2011-2347</cvename>
<cvename>CVE-2011-2348</cvename>
<cvename>CVE-2011-2349</cvename>
<cvename>CVE-2011-2350</cvename>
<cvename>CVE-2011-2351</cvename>
<cvename>CVE-2011-2358</cvename>
<cvename>CVE-2011-2359</cvename>
<cvename>CVE-2011-2360</cvename>
<cvename>CVE-2011-2361</cvename>
<cvename>CVE-2011-2782</cvename>
<cvename>CVE-2011-2783</cvename>
<cvename>CVE-2011-2784</cvename>
<cvename>CVE-2011-2785</cvename>
<cvename>CVE-2011-2786</cvename>
<cvename>CVE-2011-2787</cvename>
<cvename>CVE-2011-2788</cvename>
<cvename>CVE-2011-2789</cvename>
<cvename>CVE-2011-2790</cvename>
<cvename>CVE-2011-2791</cvename>
<cvename>CVE-2011-2792</cvename>
<cvename>CVE-2011-2793</cvename>
<cvename>CVE-2011-2794</cvename>
<cvename>CVE-2011-2795</cvename>
<cvename>CVE-2011-2796</cvename>
<cvename>CVE-2011-2797</cvename>
<cvename>CVE-2011-2798</cvename>
<cvename>CVE-2011-2799</cvename>
<cvename>CVE-2011-2800</cvename>
<cvename>CVE-2011-2801</cvename>
<cvename>CVE-2011-2802</cvename>
<cvename>CVE-2011-2803</cvename>
<cvename>CVE-2011-2804</cvename>
<cvename>CVE-2011-2805</cvename>
<cvename>CVE-2011-2818</cvename>
<cvename>CVE-2011-2819</cvename>
<cvename>CVE-2011-2821</cvename>
<cvename>CVE-2011-2823</cvename>
<cvename>CVE-2011-2824</cvename>
<cvename>CVE-2011-2825</cvename>
<cvename>CVE-2011-2826</cvename>
<cvename>CVE-2011-2827</cvename>
<cvename>CVE-2011-2828</cvename>
<cvename>CVE-2011-2829</cvename>
<cvename>CVE-2011-2834</cvename>
<cvename>CVE-2011-2835</cvename>
<cvename>CVE-2011-2836</cvename>
<cvename>CVE-2011-2837</cvename>
<cvename>CVE-2011-2838</cvename>
<cvename>CVE-2011-2839</cvename>
<cvename>CVE-2011-2840</cvename>
<cvename>CVE-2011-2841</cvename>
<cvename>CVE-2011-2842</cvename>
<cvename>CVE-2011-2843</cvename>
<cvename>CVE-2011-2844</cvename>
<cvename>CVE-2011-2845</cvename>
<cvename>CVE-2011-2846</cvename>
<cvename>CVE-2011-2847</cvename>
<cvename>CVE-2011-2848</cvename>
<cvename>CVE-2011-2849</cvename>
<cvename>CVE-2011-2850</cvename>
<cvename>CVE-2011-2851</cvename>
<cvename>CVE-2011-2852</cvename>
<cvename>CVE-2011-2853</cvename>
<cvename>CVE-2011-2854</cvename>
<cvename>CVE-2011-2855</cvename>
<cvename>CVE-2011-2856</cvename>
<cvename>CVE-2011-2857</cvename>
<cvename>CVE-2011-2858</cvename>
<cvename>CVE-2011-2859</cvename>
<cvename>CVE-2011-2860</cvename>
<cvename>CVE-2011-2861</cvename>
<cvename>CVE-2011-2862</cvename>
<cvename>CVE-2011-2864</cvename>
<cvename>CVE-2011-2874</cvename>
<cvename>CVE-2011-2875</cvename>
<cvename>CVE-2011-2876</cvename>
<cvename>CVE-2011-2877</cvename>
<cvename>CVE-2011-2878</cvename>
<cvename>CVE-2011-2879</cvename>
<cvename>CVE-2011-2880</cvename>
<cvename>CVE-2011-2881</cvename>
<cvename>CVE-2011-3234</cvename>
<cvename>CVE-2011-3873</cvename>
<cvename>CVE-2011-3875</cvename>
<cvename>CVE-2011-3876</cvename>
<cvename>CVE-2011-3877</cvename>
<cvename>CVE-2011-3878</cvename>
<cvename>CVE-2011-3879</cvename>
<cvename>CVE-2011-3880</cvename>
<cvename>CVE-2011-3881</cvename>
<cvename>CVE-2011-3882</cvename>
<cvename>CVE-2011-3883</cvename>
<cvename>CVE-2011-3884</cvename>
<cvename>CVE-2011-3885</cvename>
<cvename>CVE-2011-3886</cvename>
<cvename>CVE-2011-3887</cvename>
<cvename>CVE-2011-3888</cvename>
<cvename>CVE-2011-3889</cvename>
<cvename>CVE-2011-3890</cvename>
<cvename>CVE-2011-3891</cvename>
<cvename>CVE-2011-3892</cvename>
<cvename>CVE-2011-3893</cvename>
<cvename>CVE-2011-3894</cvename>
<cvename>CVE-2011-3895</cvename>
<cvename>CVE-2011-3896</cvename>
<cvename>CVE-2011-3897</cvename>
<cvename>CVE-2011-3898</cvename>
<cvename>CVE-2011-3900</cvename>
</references>
<dates>
<discovery>2010-10-19</discovery>
<entry>2010-12-07</entry>
<modified>2011-11-17</modified>
</dates>
</vuln>
<vuln vid="ed7fa1b4-ff59-11df-9759-080027284eaa">
<topic>proftpd -- Compromised source packages backdoor</topic>
<affects>
<package>
<name>proftpd</name>
<range><eq>1.3.3c_2</eq></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The ProFTPD Project team reports:</p>
<blockquote cite="http://proftpd.org/">
<p>The security issue is caused due to the distribution of compromised
ProFTPD 1.3.3c source code packages via the project's main FTP server
and all of the mirror servers, which contain a backdoor allowing
remote root access.</p>
</blockquote>
</body>
</description>
<references>
<url>http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org</url>
<url>http://secunia.com/advisories/42449</url>
</references>
<dates>
<discovery>2010-11-28</discovery>
<entry>2010-12-04</entry>
</dates>
</vuln>
<vuln vid="753f8185-5ba9-42a4-be02-3f55ee580093">
<topic>phpMyAdmin -- XSS attack in database search</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.3.8.1</lt></range>
</package>
<package>
<name>phpMyAdmin211</name>
<range><lt>2.11.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php">
<p>It was possible to conduct an XSS attack using a spoofed request on the
db search script.</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/152685</freebsdpr>
<freebsdpr>ports/152686</freebsdpr>
<cvename>CVE-2010-4329</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php</url>
</references>
<dates>
<discovery>2010-11-29</discovery>
<entry>2010-11-30</entry>
</dates>
</vuln>
<vuln vid="f154a3c7-f7f4-11df-b617-00e0815b8da8">
<topic>isc-dhcp-server -- Empty link-address denial of service</topic>
<affects>
<package>
<name>isc-dhcp41-server</name>
<range><ge>4.1.0</ge><lt>4.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/dhcp/advisories/cve-2010-3611">
<p>If the server receives a DHCPv6 packet containing one or more
Relay-Forward messages, and none of them supply an address in the
Relay-Forward link-address field, then the server will crash. This
can be used as a single packet crash attack vector.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3611</cvename>
<url>http://www.isc.org/software/dhcp/advisories/cve-2010-3611</url>
<url>http://www.kb.cert.org/vuls/id/102047</url>
</references>
<dates>
<discovery>2010-11-02</discovery>
<entry>2010-11-24</entry>
</dates>
</vuln>
<vuln vid="373e412e-f748-11df-96cd-0015f2db7bde">
<topic>OpenTTD -- Denial of service (server/client) via invalid read</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>1.0.0</ge><lt>1.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2010-4168">
<p>When a client disconnects, without sending the "quit" or
"client error" message, the server has a chance of reading and
writing a just freed piece of memory. The writing can only
happen while the server is sending the map. Depending on what
happens directly after freeing the memory there is a chance of
segmentation fault, and thus a denial of service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-4168</cvename>
<url>http://security.openttd.org/en/CVE-2010-4168</url>
</references>
<dates>
<discovery>2010-11-20</discovery>
<entry>2010-11-23</entry>
</dates>
</vuln>
<vuln vid="a3314314-f731-11df-a757-0011098ad87f">
<topic>horde-base -- XSS: VCARD attachments vulnerability</topic>
<affects>
<package>
<name>horde-base</name>
<range><lt>3.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/532">
<p>The major changes compared to Horde version 3.3.10 are:</p>
<p>* Fixed XSS vulnerability when viewing details of a vCard.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/532</url>
<url>http://bugs.horde.org/ticket/9357</url>
</references>
<dates>
<discovery>2010-11-02</discovery>
<entry>2010-11-23</entry>
</dates>
</vuln>
<vuln vid="533d20e7-f71f-11df-9ae1-000bcdf0a03b">
<topic>proftpd -- remote code execution vulnerability</topic>
<affects>
<package>
<name>proftpd</name>
<range><lt>1.3.3c</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tippingpoint reports:</p>
<blockquote cite="http://www.zerodayinitiative.com/advisories/ZDI-10-229/">
<p>This vulnerability allows remote attackers to execute arbitrary
code on vulnerable installations of ProFTPD. Authentication is not
required to exploit this vulnerability.</p>
<p>The flaw exists within the proftpd server component which
listens by default on TCP port 21. When reading user input if a
TELNET_IAC escape sequence is encountered the process
miscalculates a buffer length counter value allowing a user
controlled copy of data to a stack buffer. A remote attacker can
exploit this vulnerability to execute arbitrary code under the
context of the proftpd process.</p>
</blockquote>
</body>
</description>
<references>
<bid>44562</bid>
<cvename>CVE-2010-4221</cvename>
<url>http://www.zerodayinitiative.com/advisories/ZDI-10-229/</url>
</references>
<dates>
<discovery>2010-11-02</discovery>
<entry>2010-11-23</entry>
</dates>
</vuln>
<vuln vid="3042c33a-f237-11df-9d02-0018fe623f2b">
<topic>openssl -- TLS extension parsing race condition</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL Team reports:</p>
<blockquote cite="http://openssl.org/news/secadv_20101116.txt">
<p>Rob Hulswit has found a flaw in the OpenSSL TLS server extension
code parsing which on affected servers can be exploited in a buffer
overrun attack.</p>
<p>Any OpenSSL based TLS server is vulnerable if it is multi-threaded
and uses OpenSSL's internal caching mechanism. Servers that are
multi-process and/or disable internal session caching are NOT
affected.</p>
<p>In particular the Apache HTTP server (which never uses OpenSSL
internal caching) and Stunnel (which includes its own workaround)
are NOT affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3864</cvename>
<url>http://openssl.org/news/secadv_20101116.txt</url>
</references>
<dates>
<discovery>2010-10-08</discovery>
<entry>2010-11-17</entry>
</dates>
</vuln>
<vuln vid="76b597e4-e9c6-11df-9e10-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r289</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r102</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-26.html">
<p>Critical vulnerabilities have been identified in
Adobe Flash Player 10.1.85.3 and earlier versions for
Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player
10.1.95.1 for Android. These vulnerabilities, including
CVE-2010-3654 referenced in Security Advisory APSA10-05,
could cause the application to crash and could potentially
allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3636</cvename>
<cvename>CVE-2010-3637</cvename>
<cvename>CVE-2010-3638</cvename>
<cvename>CVE-2010-3639</cvename>
<cvename>CVE-2010-3640</cvename>
<cvename>CVE-2010-3641</cvename>
<cvename>CVE-2010-3642</cvename>
<cvename>CVE-2010-3643</cvename>
<cvename>CVE-2010-3644</cvename>
<cvename>CVE-2010-3645</cvename>
<cvename>CVE-2010-3646</cvename>
<cvename>CVE-2010-3647</cvename>
<cvename>CVE-2010-3648</cvename>
<cvename>CVE-2010-3649</cvename>
<cvename>CVE-2010-3650</cvename>
<cvename>CVE-2010-3652</cvename>
<cvename>CVE-2010-3654</cvename>
<cvename>CVE-2010-3676</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-26.html</url>
<url>http://www.adobe.com/support/security/advisories/apsa10-05.html</url>
</references>
<dates>
<discovery>2010-09-28</discovery>
<entry>2010-11-06</entry>
</dates>
</vuln>
<vuln vid="b2eaa7c2-e64a-11df-bc65-0022156e8794">
<topic>Wireshark -- DoS in the BER-based dissectors</topic>
<affects>
<package>
<name>wireshark</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
<package>
<name>tshark</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><ge>1.3</ge><lt>1.4.1</lt></range>
<range><ge>1.0</ge><lt>1.2.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41535">
<p>A vulnerability has been discovered in Wireshark, which can
be exploited by malicious people to cause a DoS (Denial of
Service).</p>
<p>The vulnerability is caused due to an infinite recursion
error in the "dissect_unknown_ber()" function in
epan/dissectors/packet-ber.c and can be exploited to cause a
stack overflow e.g. via a specially crafted SNMP packet.</p>
<p>The vulnerability is confirmed in version 1.4.0 and
reported in version 1.2.11 and prior and version 1.4.0 and
prior.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3445</cvename>
<url>http://www.wireshark.org/lists/wireshark-announce/201010/msg00002.html</url>
<url>http://www.wireshark.org/lists/wireshark-announce/201010/msg00001.html</url>
</references>
<dates>
<discovery>2010-09-16</discovery>
<entry>2010-11-05</entry>
</dates>
</vuln>
<vuln vid="4ab29e12-e787-11df-adfa-00e0815b8da8">
<topic>Mailman -- cross-site scripting in web interface</topic>
<affects>
<package>
<name>mailman</name>
<range><lt>2.1.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41265">
<p>Two vulnerabilities have been reported in Mailman, which
can be exploited by malicious users to conduct script
insertion attacks.</p>
<p>Certain input passed via the list descriptions is not
properly sanitised before being displayed to the user. This
can be exploited to insert arbitrary HTML and script code,
which will be executed in a user's browser session in context
of an affected site when the malicious data is being
viewed.</p>
<p>Successful exploitation requires "list owner" permissions.</p>
</blockquote>
</body>
</description>
<references>
<bid>43187</bid>
<cvename>CVE-2010-3089</cvename>
<url>http://secunia.com/advisories/41265</url>
</references>
<dates>
<discovery>2010-09-14</discovery>
<entry>2010-11-03</entry>
</dates>
</vuln>
<vuln vid="96e776c7-e75c-11df-8f26-00151735203a">
<topic>OTRS -- Multiple XSS and denial of service vulnerabilities</topic>
<affects>
<package>
<name>otrs</name>
<range><gt>2.3.*</gt><lt>2.4.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2010-02-en/">
<ul>
<li>Multiple Cross Site Scripting issues:
Missing HTML quoting allows authenticated agents or
customers to inject HTML tags. This vulnerability
allows an attacker to inject script code into the OTRS
web-interface which will be loaded and executed
in the browsers of system users.</li>
<li>Possible Denial of Service Attack:
Perl's regular expressions consume 100% CPU time
on the server if an agent or customer views an affected
article. To exploit this vulnerability the malicious user
needs to send extremely large HTML emails to your
system address.</li>
</ul>
</blockquote>
<blockquote cite="http://otrs.org/advisory/OSA-2010-03-en/">
<p>AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails:</p>
<p>Whenever a customer sends an HTML e-mail and RichText is enabled
in OTRS, javascript contained in the email can do everything
in the OTRS agent interface that the agent himself could do.</p>
<p>Most relevant is that this type of exploit can be used in such
a way that the agent won't even detect he is being exploited.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2080</cvename>
<cvename>CVE-2010-4071</cvename>
<url>http://otrs.org/advisory/OSA-2010-02-en/</url>
<url>http://otrs.org/advisory/OSA-2010-03-en/</url>
</references>
<dates>
<discovery>2010-09-15</discovery>
<entry>2010-11-03</entry>
</dates>
</vuln>
<vuln vid="c223b00d-e272-11df-8e32-000f20797ede">
<topic>mozilla -- Heap buffer overflow mixing document.write and DOM insertion</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.12,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.15,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.12</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.12,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.15</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.0.10</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>3.1.6</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.10</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.10</lt></range>
<range><ge>3.1</ge><lt>3.1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3765</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-73.html</url>
</references>
<dates>
<discovery>2010-10-27</discovery>
<entry>2010-10-28</entry>
</dates>
</vuln>
<vuln vid="aab187d4-e0f3-11df-b1ea-001999392805">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Opera Desktop Team reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1063/">
<ul>
<li>Fixed an issue that allowed cross-domain checks to be bypassed,
allowing limited data theft using CSS, as reported by Isaac
Dawson.</li>
<li>Fixed an issue where manipulating the window could be used to
spoof the page address.</li>
<li>Fixed an issue with reloads and redirects that could allow
spoofing and cross-site scripting.</li>
<li>Fixed an issue that allowed private video streams to be
intercepted, as reported by Nirankush Panchbhai of Microsoft
Vulnerability Research.</li>
<li>Fixed an issue that caused JavaScript to run in the wrong
security context after manual interaction.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/971/</url>
<url>http://www.opera.com/support/kb/view/972/</url>
<url>http://www.opera.com/support/kb/view/973/</url>
<url>http://www.opera.com/support/kb/view/974/</url>
<url>http://www.opera.com/support/kb/view/976/</url>
</references>
<dates>
<discovery>2010-10-12</discovery>
<entry>2010-10-26</entry>
</dates>
</vuln>
<vuln vid="0ddb57a9-da20-4e99-b048-4366092f3d31">
<topic>bzip2 -- integer overflow vulnerability</topic>
<affects>
<package>
<name>bzip2</name>
<range><lt>1.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41452">
<p>A vulnerability has been reported in bzip2, which can be exploited by
malicious people to cause a DoS (Denial of Service) or potentially
compromise a vulnerable system.</p>
<p>The vulnerability is caused due to an integer overflow in the
"BZ2_decompress()" function in decompress.c and can be exploited to
cause a crash or potentially execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-10:08.bzip2</freebsdsa>
<freebsdpr>ports/151364</freebsdpr>
<cvename>CVE-2010-0405</cvename>
<bid>43331</bid>
<mlist>http://www.openwall.com/lists/oss-security/2010/09/21/4</mlist>
<url>http://secunia.com/advisories/41452</url>
</references>
<dates>
<discovery>2010-09-21</discovery>
<entry>2010-10-25</entry>
</dates>
</vuln>
<vuln vid="18dc48fe-ca42-11df-aade-0050568f000c">
<topic>FreeBSD -- Integer overflow in bzip2 decompression</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.4</gt><lt>6.4_11</lt></range>
<range><gt>7.1</gt><lt>7.1_14</lt></range>
<range><gt>7.3</gt><lt>7.3_3</lt></range>
<range><gt>8.0</gt><lt>8.0_5</lt></range>
<range><gt>8.1</gt><lt>8.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When decompressing data, the run-length encoded values are not
adequately sanity-checked, allowing for an integer overflow.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:08.bzip2</freebsdsa>
</references>
<dates>
<discovery>2010-09-20</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="7a09a8df-ca41-11df-aade-0050568f000c">
<topic>FreeBSD -- Lost mbuf flag resulting in data corruption</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>7.1</gt><lt>7.1_13</lt></range>
<range><gt>7.3</gt><lt>7.3_2</lt></range>
<range><gt>8.0</gt><lt>8.0_4</lt></range>
<range><gt>8.1</gt><lt>8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The read-only flag is not correctly copied when a mbuf buffer
reference is duplicated. When the sendfile(2) system call is used to
transmit data over the loopback interface, this can result in the
backing pages for the transmitted file being modified, causing data
corruption.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:07.mbuf</freebsdsa>
</references>
<dates>
<discovery>2010-07-13</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="0dc91089-ca41-11df-aade-0050568f000c">
<topic>FreeBSD -- Unvalidated input in nfsclient</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>7.2</gt><lt>7.2_8</lt></range>
<range><gt>7.3</gt><lt>7.3_1</lt></range>
<range><gt>8.0</gt><lt>8.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The NFS client subsystem fails to correctly validate the length of a
parameter provided by the user when a filesystem is mounted.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:06.nfsclient</freebsdsa>
</references>
<dates>
<discovery>2010-05-27</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="768cfe70-ca40-11df-aade-0050568f000c">
<topic>FreeBSD -- OPIE off-by-one stack overflow</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.4</gt><lt>6.4_10</lt></range>
<range><gt>7.1</gt><lt>7.1_12</lt></range>
<range><gt>7.2</gt><lt>7.2_8</lt></range>
<range><gt>7.3</gt><lt>7.3_1</lt></range>
<range><gt>8.0</gt><lt>8.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>A programming error in the OPIE library could allow an off-by-one
buffer overflow to write a single zero byte beyond the end of an
on-stack buffer.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:05.opie</freebsdsa>
</references>
<dates>
<discovery>2010-05-27</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="f6eb2279-ca3f-11df-aade-0050568f000c">
<topic>FreeBSD -- Insufficient environment sanitization in jail(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>8.0</gt><lt>8.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The jail(8) utility does not change the current working directory
while imprisoning. The current working directory can be accessed by
its descendants.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:04.jail</freebsdsa>
</references>
<dates>
<discovery>2010-05-27</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="97f09f2f-ca3f-11df-aade-0050568f000c">
<topic>FreeBSD -- ZFS ZIL playback with insecure permissions</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>7.1</gt><lt>7.1_10</lt></range>
<range><gt>7.2</gt><lt>7.2_6</lt></range>
<range><gt>8.0</gt><lt>8.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When replaying a setattr transaction, the replay code would set
attributes that the logged transaction did not touch to certain
insecure defaults.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:03.zfs</freebsdsa>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="48103b0a-ca3f-11df-aade-0050568f000c">
<topic>FreeBSD -- ntpd mode 7 denial of service</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.3</gt><lt>6.3_15</lt></range>
<range><gt>6.4</gt><lt>6.4_9</lt></range>
<range><gt>7.1</gt><lt>7.1_10</lt></range>
<range><gt>7.2</gt><lt>7.2_6</lt></range>
<range><gt>8.0</gt><lt>8.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
from a source address not listed in either a 'restrict ... noquery'
or a 'restrict ... ignore' section it will log the event and send a
mode 7 error response.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:02.ntpd</freebsdsa>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="e500b9bf-ca3e-11df-aade-0050568f000c">
<topic>FreeBSD -- BIND named(8) cache poisoning with DNSSEC validation</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.3</gt><lt>6.3_15</lt></range>
<range><gt>6.4</gt><lt>6.4_9</lt></range>
<range><gt>7.1</gt><lt>7.1_10</lt></range>
<range><gt>7.2</gt><lt>7.2_6</lt></range>
<range><gt>8.0</gt><lt>8.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>If a client requests DNSSEC records with the Checking Disabled (CD)
flag set, BIND may cache the unvalidated responses. These responses
may later be returned to another client that has not set the CD
flag.</p>
</body>
</description>
<references>
<freebsdsa>SA-10:01.bind</freebsdsa>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="6e87b696-ca3e-11df-aade-0050568f000c">
<topic>FreeBSD -- Inappropriate directory permissions in freebsd-update(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.3</gt><lt>6.3_14</lt></range>
<range><gt>6.4</gt><lt>6.4_8</lt></range>
<range><gt>7.1</gt><lt>7.1_9</lt></range>
<range><gt>7.2</gt><lt>7.2_5</lt></range>
<range><gt>8.0</gt><lt>8.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When downloading updates to FreeBSD via 'freebsd-update fetch' or
'freebsd-update upgrade', the freebsd-update(8) utility copies
currently installed files into its working directory
(/var/db/freebsd-update by default) both for the purpose of merging
changes to configuration files and in order to be able to roll back
installed updates.</p>
<p>The default working directory used by freebsd-update(8) is normally
created during the installation of FreeBSD with permissions which
allow all local users to see its contents, and freebsd-update(8) does
not take any steps to restrict access to files stored in said
directory.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:17.freebsd-update</freebsdsa>
</references>
<dates>
<discovery>2009-12-03</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="ad08d14b-ca3d-11df-aade-0050568f000c">
<topic>FreeBSD -- Improper environment sanitization in rtld(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>7.1</gt><lt>7.1_9</lt></range>
<range><gt>7.2</gt><lt>7.2_5</lt></range>
<range><gt>8.0</gt><lt>8.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>When running setuid programs rtld will normally remove potentially
dangerous environment variables. Due to recent changes in FreeBSD
environment variable handling code, a corrupt environment may
result in attempts to unset environment variables failing.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:16.rtld</freebsdsa>
</references>
<dates>
<discovery>2009-12-03</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="406779fd-ca3b-11df-aade-0050568f000c">
<topic>FreeBSD -- SSL protocol flaw</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><gt>6.3</gt><lt>6.3_14</lt></range>
<range><gt>6.4</gt><lt>6.4_8</lt></range>
<range><gt>7.1</gt><lt>7.1_9</lt></range>
<range><gt>7.2</gt><lt>7.2_5</lt></range>
<range><gt>8.0</gt><lt>8.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Problem Description:</h1>
<p>The SSL version 3 and TLS protocols support session
renegotiation without cryptographically tying the new
session parameters to the old parameters.</p>
</body>
</description>
<references>
<freebsdsa>SA-09:15.ssl</freebsdsa>
</references>
<dates>
<discovery>2009-12-03</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="c9a6ae4a-df8b-11df-9573-00262d5ed8ee">
<topic>monotone -- remote denial of service in default setup</topic>
<affects>
<package>
<name>monotone</name>
<range><lt>0.48.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The monotone developers report:</p>
<blockquote cite="http://www.monotone.ca/NEWS">
<p>Running "mtn ''" or "mtn ls ''" doesn't cause an internal
error anymore. In monotone 0.48 and earlier this behavior
could be used to crash a server remotely (but only if it was
configured to allow execution of remote commands).</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/151665</freebsdpr>
<url>http://www.monotone.ca/NEWS</url>
<url>http://www.thomaskeller.biz/blog/2010/10/22/monotone-0-48-1-released-please-update-your-servers/</url>
</references>
<dates>
<discovery>2010-10-21</discovery>
<entry>2010-10-24</entry>
</dates>
</vuln>
<vuln vid="c4f067b9-dc4a-11df-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.11,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.14,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.11</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.11,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.14</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.9</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.9</lt></range>
<range><ge>3.1</ge><lt>3.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)</p>
<p>MFSA 2010-65 Buffer overflow and memory corruption using document.write</p>
<p>MFSA 2010-66 Use-after-free error in nsBarProp</p>
<p>MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter</p>
<p>MFSA 2010-68 XSS in gopher parser when parsing hrefs</p>
<p>MFSA 2010-69 Cross-site information disclosure via modal calls</p>
<p>MFSA 2010-70 SSL wildcard certificate matching IP addresses</p>
<p>MFSA 2010-71 Unsafe library loading vulnerabilities</p>
<p>MFSA 2010-72 Insecure Diffie-Hellman key exchange</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3170</cvename>
<cvename>CVE-2010-3173</cvename>
<cvename>CVE-2010-3174</cvename>
<cvename>CVE-2010-3175</cvename>
<cvename>CVE-2010-3176</cvename>
<cvename>CVE-2010-3177</cvename>
<cvename>CVE-2010-3178</cvename>
<cvename>CVE-2010-3179</cvename>
<cvename>CVE-2010-3180</cvename>
<cvename>CVE-2010-3181</cvename>
<cvename>CVE-2010-3182</cvename>
<cvename>CVE-2010-3183</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-64.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-65.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-66.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-67.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-68.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-69.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-70.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-71.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-72.html</url>
</references>
<dates>
<discovery>2010-10-19</discovery>
<entry>2010-10-20</entry>
</dates>
</vuln>
<vuln vid="e5090d2a-dbbe-11df-82f8-0015f2db7bde">
<topic>Webkit-gtk2 -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS">
<p>The patches to fix the following CVEs are included with help from
Vincent Danen and other members of the Red Hat security team:</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1780</cvename>
<cvename>CVE-2010-1807</cvename>
<cvename>CVE-2010-1812</cvename>
<cvename>CVE-2010-1814</cvename>
<cvename>CVE-2010-1815</cvename>
<cvename>CVE-2010-3113</cvename>
<cvename>CVE-2010-3114</cvename>
<cvename>CVE-2010-3115</cvename>
<cvename>CVE-2010-3116</cvename>
<cvename>CVE-2010-3255</cvename>
<cvename>CVE-2010-3257</cvename>
<cvename>CVE-2010-3259</cvename>
<url>http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS</url>
</references>
<dates>
<discovery>2010-10-01</discovery>
<entry>2010-10-19</entry>
</dates>
</vuln>
<vuln vid="dd943fbb-d0fe-11df-95a8-00219b0fc4d8">
<topic>apr -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apr1</name>
<range><lt>1.4.2.1.3.10</lt></range>
</package>
<package>
<name>apr0</name>
<range><lt>0.9.19.0.9.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/41701">
<p>Multiple vulnerabilities have been reported in APR-util, which can
be exploited by malicious people to cause a DoS (Denial of
Service).</p>
<p>Two XML parsing vulnerabilities exist in the bundled version of
expat.</p>
<p>An error within the "apr_brigade_split_line()" function in
buckets/apr_brigade.c can be exploited to cause high memory
consumption.</p>
</blockquote>
</body>
</description>
<references>
<bid>43673</bid>
<cvename>CVE-2009-3560</cvename>
<cvename>CVE-2009-3720</cvename>
<cvename>CVE-2010-1623</cvename>
<url>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</url>
<url>http://secunia.com/advisories/41701</url>
</references>
<dates>
<discovery>2010-10-02</discovery>
<entry>2010-10-06</entry>
<modified>2010-10-20</modified>
</dates>
</vuln>
<vuln vid="99021f88-ca3c-11df-be21-00e018aa7788">
<topic>phpmyfaq -- cross site scripting vulnerabilities</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.6.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ project reports:</p>
<blockquote cite="http://www.phpmyfaq.de/advisory_2010-09-28.php">
<p>The phpMyFAQ Team has learned of a security issue that has been
discovered in phpMyFAQ 2.6.x: phpMyFAQ doesn't sanitize
some variables in different pages correctly. With a
properly crafted URL it is e.g. possible to inject
JavaScript code into the output of a page, which could
result in the leakage of domain cookies (f.e. session
identifiers).</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/151055</freebsdpr>
<url>http://www.phpmyfaq.de/advisory_2010-09-28.php</url>
</references>
<dates>
<discovery>2010-09-28</discovery>
<entry>2010-10-02</entry>
</dates>
</vuln>
<vuln vid="e08c596e-cb28-11df-9c1b-0011098ad87f">
<topic>horde-gollem -- XSS vulnerability</topic>
<affects>
<package>
<name>horde-gollem</name>
<range><lt>1.1.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/523">
<p>The major changes compared to Gollem version H3 (1.1.1) are:</p>
<p>* Fixed an XSS vulnerability in the file viewer.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/523</url>
<url>http://git.horde.org/diff.php/gollem/docs/CHANGES?rt=horde&r1=1.114.2.55&r2=1.114.2.59&ty=h</url>
<url>http://bugs.horde.org/ticket/9191</url>
</references>
<dates>
<discovery>2010-08-21</discovery>
<entry>2010-09-28</entry>
</dates>
</vuln>
<vuln vid="6c4db192-cb23-11df-9c1b-0011098ad87f">
<topic>horde-imp -- XSS vulnerability</topic>
<affects>
<package>
<name>horde-imp</name>
<range><gt>4.2,1</gt><lt>4.3.8,1</lt></range>
<range><lt>4.3.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/516">
<p>Thanks to Naumann IT Security Consulting for reporting the XSS
vulnerability.</p>
<p>The major changes compared to IMP version H3 (4.3.7) are:</p>
<p>* Fixed an XSS vulnerability in the Fetchmail configuration.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/516</url>
<url>http://git.horde.org/diff.php/imp/docs/CHANGES?rt=horde&r1=1.699.2.424&r2=1.699.2.430&ty=h</url>
</references>
<dates>
<discovery>2010-09-28</discovery>
<entry>2010-09-28</entry>
<modified>2011-09-23</modified>
</dates>
</vuln>
<vuln vid="8fc55043-cb1e-11df-9c1b-0011098ad87f">
<topic>horde-base -- XSS and CSRF vulnerabilities</topic>
<affects>
<package>
<name>horde-base</name>
<range><lt>3.3.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Horde team reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/515">
<p>Thanks to Naumann IT Security Consulting for reporting the XSS
vulnerability.</p>
<p>Thanks to Secunia for releasing an advisory for the new CSRF
protection in the preference interface.</p>
<p>The major changes compared to Horde version 3.3.8 are:</p>
<p>* Fixed XSS vulnerability in util/icon_browser.php.</p>
<p>* Protected preference forms against CSRF attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://article.gmane.org/gmane.comp.horde.announce/515</url>
<url>http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.515.2.607&r2=1.515.2.620&ty=h</url>
<url>http://secunia.com/advisories/39860/</url>
<url>http://holisticinfosec.org/content/view/145/45/</url>
</references>
<dates>
<discovery>2010-06-03</discovery>
<entry>2010-09-28</entry>
</dates>
</vuln>
<vuln vid="80b6d6cc-c970-11df-bb18-0015587e2cc1">
<topic>openx -- remote code execution vulnerability</topic>
<affects>
<package>
<name>openx</name>
<range><lt>2.8.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenX project reported:</p>
<blockquote cite="http://blog.openx.org/09/security-update/">
<p>It has been brought to our attention that there is a vulnerability
in the 2.8 downloadable version of OpenX that can result in a server
running the downloaded version of OpenX being compromised.</p>
</blockquote>
<p>This vulnerability exists in the file upload functionality
and allows attackers to upload and execute PHP code of
their choice.</p>
</body>
</description>
<references>
<url>http://blog.openx.org/09/security-update/</url>
<url>http://www.h-online.com/security/news/item/Web-sites-distribute-malware-via-hacked-OpenX-servers-1079099.html</url>
</references>
<dates>
<discovery>2010-09-14</discovery>
<entry>2010-09-26</entry>
</dates>
</vuln>
<vuln vid="e4dac715-c818-11df-a92c-0015587e2cc1">
<topic>squid -- Denial of service vulnerability in request handling</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.0.1</ge><lt>3.0.25_3</lt></range>
<range><ge>3.1.0.1</ge><lt>3.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:3 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_3.txt">
<p>Due to an internal error in string handling Squid is
vulnerable to a denial of service attack when processing
specially crafted requests.</p>
<p>This problem allows any trusted client to perform a
denial of service attack on the Squid service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3072</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_3.txt</url>
</references>
<dates>
<discovery>2010-08-30</discovery>
<entry>2010-09-24</entry>
</dates>
</vuln>
<vuln vid="8a34d9e6-c662-11df-b2e1-001b2134ef46">
<topic>linux-flashplugin -- remote code execution</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r283</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r85</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa10-03.html">
<p>A critical vulnerability exists in Adobe Flash Player
10.1.82.76 and earlier versions for Windows, Macintosh,
Linux, Solaris, and Adobe Flash Player 10.1.92.10 for
Android. This vulnerability also affects Adobe Reader
9.3.4 and earlier versions for Windows, Macintosh and
UNIX, and Adobe Acrobat 9.3.4 and earlier versions for
Windows and Macintosh. This vulnerability (CVE-2010-2884)
could cause a crash and potentially allow an attacker
to take control of the affected system. There are
reports that this vulnerability is being actively
exploited in the wild against Adobe Flash Player on
Windows. Adobe is not aware of any attacks exploiting
this vulnerability against Adobe Reader or Acrobat to
date.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2884</cvename>
<url>http://www.adobe.com/support/security/advisories/apsa10-03.html</url>
</references>
<dates>
<discovery>2010-09-14</discovery>
<entry>2010-09-22</entry>
</dates>
</vuln>
<vuln vid="3ff95dd3-c291-11df-b0dc-00215c6a37bb">
<topic>django -- cross-site scripting vulnerability</topic>
<affects>
<package>
<name>py23-django</name>
<name>py24-django</name>
<name>py25-django</name>
<name>py26-django</name>
<name>py30-django</name>
<name>py31-django</name>
<range><gt>1.2</gt><lt>1.2.2</lt></range>
</package>
<package>
<name>py23-django-devel</name>
<name>py24-django-devel</name>
<name>py25-django-devel</name>
<name>py26-django-devel</name>
<name>py30-django-devel</name>
<name>py31-django-devel</name>
<range><lt>13698,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="http://www.djangoproject.com/weblog/2010/sep/08/security-release/">
<p>The provided template tag for inserting the CSRF
token into forms -- {% csrf_token %} -- explicitly
trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the
value of the CSRF cookie can cause arbitrary content
to be inserted, unescaped, into the outgoing HTML of
the form, enabling cross-site scripting (XSS) attacks.</p>
</blockquote>
</body>
</description>
<references>
<bid>43116</bid>
<cvename>CVE-2010-3082</cvename>
<url>http://xforce.iss.net/xforce/xfdb/61729</url>
</references>
<dates>
<discovery>2010-09-13</discovery>
<entry>2010-09-17</entry>
</dates>
</vuln>
<vuln vid="9bcfd7b6-bcda-11df-9a6a-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha Silva reports:</p>
<blockquote cite="http://gitorious.org/webkitgtk/stable/commit/9d07fda89aab7105962d933eef32ca15dda610d8">
<p>With help from Vincent Danen and other members of the Red Hat
security team, the following CVEs were fixed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1781</cvename>
<cvename>CVE-2010-1782</cvename>
<cvename>CVE-2010-1784</cvename>
<cvename>CVE-2010-1785</cvename>
<cvename>CVE-2010-1786</cvename>
<cvename>CVE-2010-1787</cvename>
<cvename>CVE-2010-1788</cvename>
<cvename>CVE-2010-1790</cvename>
<cvename>CVE-2010-1792</cvename>
<cvename>CVE-2010-1793</cvename>
<cvename>CVE-2010-2647</cvename>
<cvename>CVE-2010-2648</cvename>
<cvename>CVE-2010-3119</cvename>
<url>http://gitorious.org/webkitgtk/stable/commit/9d07fda89aab7105962d933eef32ca15dda610d8</url>
</references>
<dates>
<discovery>2010-09-07</discovery>
<entry>2010-09-10</entry>
</dates>
</vuln>
<vuln vid="f866d2af-bbba-11df-8a8d-0008743bf21a">
<topic>vim6 -- heap-based overflow while parsing shell metacharacters</topic>
<affects>
<package>
<name>vim6</name>
<name>vim6+ruby</name>
<range><ge>6.2.429</ge><lt>6.3.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The description for CVE-2008-3432 says:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432">
<p>Heap-based buffer overflow in the mch_expand_wildcards
function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted
attackers to execute arbitrary code via shell metacharacters
in filenames, as demonstrated by the netrw.v3 test case.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-3432</cvename>
<url>http://www.openwall.com/lists/oss-security/2008/07/15/4</url>
</references>
<dates>
<discovery>2008-07-31</discovery>
<entry>2010-09-09</entry>
</dates>
</vuln>
<vuln vid="4a21ce2c-bb13-11df-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.9,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.12,1</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.9</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.9,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.12</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.7</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.7</lt></range>
<range><ge>3.1</ge><lt>3.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)</p>
<p>MFSA 2010-50 Frameset integer overflow vulnerability</p>
<p>MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array</p>
<p>MFSA 2010-52 Windows XP DLL loading vulnerability</p>
<p>MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText</p>
<p>MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection</p>
<p>MFSA 2010-55 XUL tree removal crash and remote code execution</p>
<p>MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView</p>
<p>MFSA 2010-57 Crash and remote code execution in normalizeDocument</p>
<p>MFSA 2010-58 Crash on Mac using fuzzed font in data: URL</p>
<p>MFSA 2010-59 SJOW creates scope chains ending in outer object</p>
<p>MFSA 2010-60 XSS using SJOW scripted function</p>
<p>MFSA 2010-61 UTF-7 XSS by overriding document charset using object type attribute</p>
<p>MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS</p>
<p>MFSA 2010-63 Information leak via XMLHttpRequest statusText</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2762</cvename>
<cvename>CVE-2010-2763</cvename>
<cvename>CVE-2010-2764</cvename>
<cvename>CVE-2010-2765</cvename>
<cvename>CVE-2010-2766</cvename>
<cvename>CVE-2010-2767</cvename>
<cvename>CVE-2010-2768</cvename>
<cvename>CVE-2010-2769</cvename>
<cvename>CVE-2010-2770</cvename>
<cvename>CVE-2010-2760</cvename>
<cvename>CVE-2010-3131</cvename>
<cvename>CVE-2010-3166</cvename>
<cvename>CVE-2010-3167</cvename>
<cvename>CVE-2010-3168</cvename>
<cvename>CVE-2010-3169</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-49.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-50.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-51.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-52.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-53.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-54.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-55.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-56.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-57.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-58.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-59.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-60.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-61.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-62.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-63.html</url>
</references>
<dates>
<discovery>2010-09-07</discovery>
<entry>2010-09-08</entry>
<modified>2010-09-15</modified>
</dates>
</vuln>
<vuln vid="67b514c3-ba8f-11df-8f6e-000c29a67389">
<topic>sudo -- Flaw in Runas group matching</topic>
<affects>
<package>
<name>sudo</name>
<range><ge>1.7.0</ge><lt>1.7.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.sudo.ws/sudo/alerts/runas_group.html">
<p>Beginning with sudo version 1.7.0 it has been possible to grant
permission to run a command using a specified group via sudo -g
option (run as group). A flaw exists in the logic that matches
Runas groups in the sudoers file when the -u option is also
specified (run as user). This flaw results in a positive match for
the user specified via -u so long as the group specified via -g
is allowed by the sudoers file.</p>
<p>Exploitation of the flaw requires that Sudo be configured with
sudoers entries that contain a Runas group. Entries that do not
contain a Runas group, or only contain a Runas user are not
affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2956</cvename>
<url>http://www.sudo.ws/sudo/alerts/runas_group.html</url>
</references>
<dates>
<discovery>2010-09-07</discovery>
<entry>2010-09-07</entry>
</dates>
</vuln>
<vuln vid="29b7e3f4-b6a9-11df-ae63-f255a795cb21">
<topic>lftp -- multiple HTTP client download filename vulnerability</topic>
<affects>
<package>
<name>lftp</name>
<range><lt>4.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The get1 command, as used by lftpget, in LFTP before 4.0.6 does
not properly validate a server-provided filename before determining
the destination filename of a download, which allows remote servers
to create or overwrite arbitrary files via a Content-Disposition
header that suggests a crafted filename, and possibly execute
arbitrary code as a consequence of writing to a dotfile in a home
directory.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2251</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=591580</url>
</references>
<dates>
<discovery>2010-06-09</discovery>
<entry>2010-09-03</entry>
</dates>
</vuln>
<vuln vid="d754b7d2-b6a7-11df-826c-e464a695cb21">
<topic>wget -- multiple HTTP client download filename vulnerability</topic>
<affects>
<package>
<name>wget</name>
<name>wget-devel</name>
<range><le>1.12_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GNU Wget version 1.12 and earlier uses a server-provided filename
instead of the original URL to determine the destination filename of
a download, which allows remote servers to create or overwrite
arbitrary files via a 3xx redirect to a URL with a .wgetrc filename
followed by a 3xx redirect to a URL with a crafted filename, and
possibly execute arbitrary code as a consequence of writing to a
dotfile in a home directory.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2252</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=602797</url>
</references>
<dates>
<discovery>2010-06-09</discovery>
<entry>2010-09-03</entry>
</dates>
</vuln>
<vuln vid="3a7c5fc4-b50c-11df-977b-ecc31dd8ad06">
<topic>p5-libwww -- remote servers can create files whose names begin with a . (dot) character</topic>
<affects>
<package>
<name>p5-libwww</name>
<range><lt>5.835</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>lwp-download in libwww-perl before 5.835 does not reject downloads
to filenames that begin with a `.' (dot) character, which allows
remote servers to create or overwrite files via a 3xx redirect to a
URL with a crafted filename or a Content-Disposition header that
suggests a crafted filename, and possibly execute arbitrary code as
a consequence of writing to a dotfile in a home directory.</p>
</body>
</description>
<references>
<cvename>CVE-2010-2253</cvename>
<url>http://cpansearch.perl.org/src/GAAS/libwww-perl-5.836/Changes</url>
</references>
<dates>
<discovery>2010-06-09</discovery>
<entry>2010-08-31</entry>
</dates>
</vuln>
<vuln vid="167953a4-b01c-11df-9a98-0015587e2cc1">
<topic>quagga -- stack overflow and DoS vulnerabilities</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Red Hat security team reported two vulnerabilities:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/08/24/3">
<p>A stack buffer overflow flaw was found in the way Quagga's bgpd
daemon processed Route-Refresh messages. A configured
Border Gateway Protocol (BGP) peer could send a
Route-Refresh message with specially-crafted Outbound
Route Filtering (ORF) record, which would cause the
master BGP daemon (bgpd) to crash or, possibly, execute
arbitrary code with the privileges of the user running
bgpd.</p>
<p>A NULL pointer dereference flaw was found in the way
Quagga's bgpd daemon parsed paths of autonomous systems
(AS). A configured BGP peer could send a BGP update AS
path request with unknown AS type, which could lead to
denial of service (bgpd daemon crash).</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openwall.com/lists/oss-security/2010/08/24/3</url>
<url>http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100</url>
</references>
<dates>
<discovery>2010-08-24</discovery>
<entry>2010-08-25</entry>
</dates>
</vuln>
<vuln vid="8cbf4d65-af9a-11df-89b8-00151735203a">
<topic>bugzilla -- information disclosure, denial of service</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>2.17.1</gt><lt>3.6.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.2.7/">
<ul>
<li>Remote Information Disclosure:
An unprivileged user is normally not allowed to view
other users' group membership. But boolean charts
let the user use group-based pronouns, indirectly
disclosing group membership. This security fix
restricts the use of pronouns to groups the user
belongs to.</li>
<li>Notification Bypass:
Normally, when a user is impersonated, he receives
an email informing him that he is being impersonated,
containing the identity of the impersonator. However,
it was possible to impersonate a user without this
notification being sent.</li>
<li>Remote Information Disclosure:
An error message thrown by the "Reports" and "Duplicates"
page confirmed the non-existence of products, thus
allowing users to guess confidential product names.
(Note that the "Duplicates" page was not vulnerable
in Bugzilla 3.6rc1 and above though.)</li>
<li>Denial of Service:
If a comment contained the phrases "bug X" or
"attachment X", where X was an integer larger than the
maximum 32-bit signed integer size, PostgreSQL would
throw an error, and any page containing that comment would
not be viewable. On most Bugzillas, any user can enter
a comment on any bug, so any user could have used this to
deny access to one or all bugs. Bugzillas running on
databases other than PostgreSQL are not affected.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2756</cvename>
<cvename>CVE-2010-2757</cvename>
<cvename>CVE-2010-2758</cvename>
<cvename>CVE-2010-2759</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=417048</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=450013</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=577139</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=519835</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=583690</url>
</references>
<dates>
<discovery>2010-08-05</discovery>
<entry>2010-08-24</entry>
</dates>
</vuln>
<vuln vid="b6069837-aadc-11df-82df-0015f2db7bde">
<topic>OpenTTD -- Denial of service (server) via infinite loop</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>1.0.1</ge><lt>1.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenTTD project reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2010-2534">
<p>When multiple commands are queued (at the server) for execution
in the next game tick and a client joins, the server can get into
an infinite loop. With the default settings triggering this bug
is difficult (if not impossible); however, the larger the value of
the "frame_freq" setting, the easier it is to trigger the bug.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2534</cvename>
<url>http://security.openttd.org/en/CVE-2010-2534</url>
</references>
<dates>
<discovery>2010-06-27</discovery>
<entry>2010-08-22</entry>
</dates>
</vuln>
<vuln vid="67a1c3ae-ad69-11df-9be6-0015587e2cc1">
<topic>corkscrew -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>corkscrew</name>
<range><le>2.0</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The affected corkscrew versions use sscanf calls without proper
bounds checking. In the authentication file parsing routine
this can cause an exploitable buffer overflow condition.
A similar issue exists in the server response code, but it
appears to be non-exploitable.</p>
</body>
</description>
<references>
<url>http://people.freebsd.org/~niels/issues/corkscrew-20100821.txt</url>
</references>
<dates>
<discovery>2010-08-21</discovery>
<entry>2010-08-21</entry>
</dates>
</vuln>
<vuln vid="274922b8-ad20-11df-af1f-00e0814cab4e">
<topic>phpmyadmin -- Several XSS vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.3.5.1</lt></range>
</package>
<package>
<name>phpMyAdmin211</name>
<range><lt>2.11.10.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>phpMyAdmin Team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php">
<p>It was possible to conduct an XSS attack using crafted URLs or
POST parameters on several pages.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3056</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php</url>
</references>
<dates>
<discovery>2010-08-09</discovery>
<entry>2010-08-21</entry>
</dates>
</vuln>
<vuln vid="68c7187a-abd2-11df-9be6-0015587e2cc1">
<topic>slim -- insecure PATH assignment</topic>
<affects>
<package>
<name>slim</name>
<range><lt>1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SLiM assigns logged on users a PATH in which the current
working directory ("./") is included. With such a PATH, a user who
runs a command while in a directory writable by others may execute
a planted binary of the same name instead of the intended program.
This can allow unintentional code execution and has therefore been
fixed in SLiM version 1.3.2.</p>
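<p>Added example (not SLiM code): a C check for the condition described above, which flags any PATH entry that would make the shell search the current working directory, and a companion routine that keeps only the absolute entries. An empty entry (a leading, trailing or doubled colon) and a relative entry such as "bin" have the same effect as "./". The sample PATH values are constructed.</p>
<![CDATA[
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if this PATH value makes the shell search the current working
 * directory: an entry of "." or "./", an empty entry (a leading, trailing
 * or doubled colon also means "."), or any other relative entry such as
 * "bin". Return 0 only if every entry is absolute. */
int path_searches_cwd(const char *path)
{
    const char *start = path;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t n = end ? (size_t)(end - start) : strlen(start);
        if (n == 0 || start[0] != '/')
            return 1;                    /* empty or relative entry */
        if (!end)
            return 0;                    /* last entry was absolute too */
        start = end + 1;
    }
}

/* Copy only the absolute entries of in to out (at most outsz bytes,
 * NUL-terminated), joined with ':'. Returns 0, or -1 if out is too small. */
int path_keep_absolute(const char *in, char *out, size_t outsz)
{
    const char *start = in;
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (;;) {
        const char *end = strchr(start, ':');
        size_t n = end ? (size_t)(end - start) : strlen(start);
        if (n > 0 && start[0] == '/') {
            size_t need = n + (used ? 1 : 0);    /* separator only between entries */
            if (used + need + 1 > outsz) return -1;
            if (used) out[used++] = ':';
            memcpy(out + used, start, n);
            used += n;
            out[used] = '\0';
        }
        if (!end) return 0;
        start = end + 1;
    }
}

/* Wrapper returning the cleaned PATH from a static buffer (NULL if too long). */
const char *path_sanitized(const char *in)
{
    static char buf[1024];
    return path_keep_absolute(in, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    const char *p = getenv("PATH");
    if (!p) p = "";
    printf("PATH searches cwd: %s\n", path_searches_cwd(p) ? "yes" : "no");
    printf("absolute entries only: %s\n", path_sanitized(p) ? path_sanitized(p) : "(too long)");
    return 0;
}
```
]]>
<p>Run against the login environment of an affected SLiM session, the first line should read "yes"; after the 1.3.2 fix, or with the cleaned value exported, it reads "no".</p>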
</body>
</description>
<references>
<cvename>CVE-2010-2945</cvename>
<url>http://seclists.org/oss-sec/2010/q3/198</url>
</references>
<dates>
<discovery>2010-05-12</discovery>
<entry>2010-08-19</entry>
<modified>2010-08-20</modified>
</dates>
</vuln>
<vuln vid="34e0316a-aa91-11df-8c2e-001517289bf8">
<topic>ruby -- UTF-7 encoding XSS vulnerability in WEBrick</topic>
<affects>
<package>
<name>ruby</name>
<name>ruby+pthreads</name>
<name>ruby+pthreads+oniguruma</name>
<name>ruby+oniguruma</name>
<range><ge>1.8.*,1</ge><lt>1.8.7.248_3,1</lt></range>
<range><ge>1.9.*,1</ge><lt>1.9.1.430,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/">
<p>WEBrick has had a cross-site scripting vulnerability that allows
an attacker to inject arbitrary script or HTML via a crafted URI.
This does not affect user agents that strictly implement HTTP/1.1,
however, some user agents do not.</p>
</blockquote>
</body>
</description>
<references>
<bid>40895</bid>
<cvename>CVE-2010-0541</cvename>
<url>http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/</url>
</references>
<dates>
<discovery>2010-08-16</discovery>
<entry>2010-08-17</entry>
<modified>2010-08-20</modified>
</dates>
</vuln>
<vuln vid="b74a8076-9b1f-11df-9f58-021e8c343e76">
<topic>isolate -- local root exploit</topic>
<affects>
<package>
<name>isolate</name>
<range><lt>20100717</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://code.google.com/p/isolate/">
<p>Isolate currently suffers from some bad security bugs! These
are local root privilege escalation bugs. Thanks to the helpful
person who reported them (email Chris if you want credit!).
We're working to fix them ASAP, but until then, isolate is
unsafe and you should uninstall it. Sorry!</p>
</blockquote>
</body>
</description>
<references>
<freebsdpr>ports/148911</freebsdpr>
<url>http://code.google.com/p/isolate/</url>
</references>
<dates>
<discovery>2010-07-29</discovery>
<entry>2010-08-13</entry>
</dates>
</vuln>
<vuln vid="e7d91a3c-a7c9-11df-870c-00242b513d7c">
<topic>vlc -- invalid id3v2 tags may lead to invalid memory dereferencing</topic>
<affects>
<package>
<name>vlc</name>
<range><gt>0.9.0,3</gt><lt>1.1.2_1,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>VideoLAN project reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1004.html">
<p>VLC fails to perform sufficient input validation when trying to
extract some meta-information about input media through ID3v2
tags. In the failure case, VLC attempts to dereference an invalid
memory address, and a crash will ensue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2937</cvename>
<url>http://www.videolan.org/security/sa1004.html</url>
</references>
<dates>
<discovery>2010-07-29</discovery>
<entry>2010-08-14</entry>
</dates>
</vuln>
<vuln vid="e19e74a4-a712-11df-b234-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r280</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r82</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-16.html">
<p>Critical vulnerabilities have been identified in Adobe
Flash Player version 10.1.53.64 and earlier. These
vulnerabilities could cause the application to crash and
could potentially allow an attacker to take control of the
affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0209</cvename>
<cvename>CVE-2010-2188</cvename>
<cvename>CVE-2010-2213</cvename>
<cvename>CVE-2010-2214</cvename>
<cvename>CVE-2010-2215</cvename>
<cvename>CVE-2010-2216</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-16.html</url>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-08-13</entry>
</dates>
</vuln>
<vuln vid="71273c4d-a6ec-11df-8a8d-0008743bf21a">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.61</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Opera Desktop Team reports:</p>
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1061/">
<ul>
<li>Fixed an issue where heap buffer overflow in HTML5 canvas could
be used to execute arbitrary code, as reported by Kuzzcc.</li>
<li>Fixed an issue where unexpected changes in tab focus could be
used to run programs from the Internet, as reported by Jakob Balle
and Sven Krewitt of Secunia.</li>
<li>Fixed an issue where news feed preview could subscribe to feeds
without interaction, as reported by Alexios Fakos.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/search/view/966/</url>
<url>http://www.opera.com/support/search/view/967/</url>
<url>http://www.opera.com/support/search/view/968/</url>
</references>
<dates>
<discovery>2010-08-12</discovery>
<entry>2010-08-13</entry>
</dates>
</vuln>
<vuln vid="c2eac2b5-9a7d-11df-8e32-000f20797ede">
<topic>firefox -- Dangling pointer crash regression from plugin parameter array fix</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.8,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.8,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2755</cvename>
<url>https://www.mozilla.org/security/announce/2010/mfsa2010-48.html</url>
</references>
<dates>
<discovery>2010-07-20</discovery>
<entry>2010-08-09</entry>
</dates>
</vuln>
<vuln vid="26e1c48a-9fa7-11df-81b5-00e0814cab4e">
<topic>Piwik -- Local File Inclusion Vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><gt>0.6</gt><lt>0.6.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Piwik 0.6 releases prior to 0.6.3 are vulnerable to local file
inclusion: a directory traversal pattern in a crafted request for a
data renderer is used to include arbitrary local files.</p>
<blockquote cite="http://secunia.com/advisories/40703">
<p>A vulnerability has been reported in Piwik, which can be
exploited by malicious people to disclose potentially
sensitive information. Input passed to unspecified parameters
when requesting a data renderer is not properly verified before
being used to include files. This can be exploited to include
arbitrary files from local resources via directory traversal
attacks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2786</cvename>
<url>http://secunia.com/advisories/40703</url>
</references>
<dates>
<discovery>2010-07-28</discovery>
<entry>2010-08-04</entry>
</dates>
</vuln>
<vuln vid="43024078-9b63-11df-8983-001d60d86f38">
<topic>libmspack -- infinite loop denial of service</topic>
<affects>
<package>
<name>libmspack</name>
<range><le>0.0.20060920</le></range>
</package>
<package>
<name>cabextract</name>
<range><lt>1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>There is a denial of service vulnerability in libmspack. The
libmspack code is built into cabextract, so it is also
vulnerable.</p>
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/40719/">
<p>The vulnerability is caused due to an error when copying data
from an uncompressed block (block type 0) and can be exploited
to trigger an infinite loop by tricking an application using the
library into processing specially crafted MS-ZIP archives.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/40719/</url>
</references>
<dates>
<discovery>2010-07-26</discovery>
<entry>2010-07-30</entry>
</dates>
</vuln>
<vuln vid="28a7310f-9855-11df-8d36-001aa0166822">
<topic>apache -- Remote DoS bug in mod_cache and mod_dav</topic>
<affects>
<package>
<name>apache</name>
<range><ge>2.2.0</ge><lt>2.2.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache ChangeLog reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.2.16">
<p>mod_dav, mod_cache: Fix Handling of requests without a path segment.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1452</cvename>
<url>http://www.apache.org/dist/httpd/CHANGES_2.2.16</url>
<url>https://issues.apache.org/bugzilla/show_bug.cgi?id=49246</url>
<url>http://svn.apache.org/viewvc?view=revision&amp;revision=966349</url>
</references>
<dates>
<discovery>2010-07-21</discovery>
<entry>2010-07-26</entry>
</dates>
</vuln>
<vuln vid="827bc2b7-95ed-11df-9160-00e0815b8da8">
<topic>git -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>git</name>
<range><ge>1.5.6</ge><lt>1.7.1.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Greg Brockman reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/07/22/1">
<p>If an attacker were to create a crafted working copy where the
user runs any git command, the attacker could force execution
of arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2542</cvename>
<url>http://git.kernel.org/?p=git/git.git;a=commit;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc</url>
<url>http://www.openwall.com/lists/oss-security/2010/07/22/1</url>
</references>
<dates>
<discovery>2010-07-20</discovery>
<entry>2010-07-23</entry>
</dates>
</vuln>
<vuln vid="0502c1cb-8f81-11df-a0bb-0050568452ac">
<topic>codeigniter -- file upload class vulnerability</topic>
<affects>
<package>
<name>codeigniter</name>
<range><lt>1.7.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Derek Jones reports:</p>
<blockquote cite="http://codeigniter.com/news/codeigniter_1.7.2_security_patch/">
<p>A fix has been implemented for a security flaw in
CodeIgniter 1.7.2. All applications using the File
Upload class should install the patch to ensure that
their application is not subject to a vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://codeigniter.com/news/codeigniter_1.7.2_security_patch/</url>
<url>http://www.phpframeworks.com/news/p/16365/codeigniter-1-7-2-security-patch</url>
</references>
<dates>
<discovery>2010-07-12</discovery>
<entry>2010-07-21</entry>
</dates>
</vuln>
<vuln vid="8c2ea875-9499-11df-8e32-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.7,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.11,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.6.7,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.11</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.6</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)</p>
<p>MFSA 2010-35 DOM attribute cloning remote code execution vulnerability</p>
<p>MFSA 2010-36 Use-after-free error in NodeIterator</p>
<p>MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability</p>
<p>MFSA 2010-38 Arbitrary code execution using SJOW and fast native function</p>
<p>MFSA 2010-39 nsCSSValue::Array index integer overflow</p>
<p>MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability</p>
<p>MFSA 2010-41 Remote code execution using malformed PNG image</p>
<p>MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts</p>
<p>MFSA 2010-43 Same-origin bypass using canvas context</p>
<p>MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish</p>
<p>MFSA 2010-45 Multiple location bar spoofing vulnerabilities</p>
<p>MFSA 2010-46 Cross-domain data theft using CSS</p>
<p>MFSA 2010-47 Cross-origin data leakage from script filename in error messages</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0654</cvename>
<cvename>CVE-2010-1205</cvename>
<cvename>CVE-2010-1206</cvename>
<cvename>CVE-2010-1207</cvename>
<cvename>CVE-2010-1208</cvename>
<cvename>CVE-2010-1209</cvename>
<cvename>CVE-2010-1210</cvename>
<cvename>CVE-2010-1211</cvename>
<cvename>CVE-2010-1212</cvename>
<cvename>CVE-2010-1213</cvename>
<cvename>CVE-2010-1214</cvename>
<cvename>CVE-2010-1215</cvename>
<cvename>CVE-2010-2751</cvename>
<cvename>CVE-2010-2752</cvename>
<cvename>CVE-2010-2753</cvename>
<cvename>CVE-2010-2754</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-34.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-35.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-36.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-37.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-38.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-39.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-40.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-41.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-42.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-43.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-44.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-45.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-46.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-47.html</url>
</references>
<dates>
<discovery>2010-07-20</discovery>
<entry>2010-07-21</entry>
</dates>
</vuln>
<vuln vid="9a8fecef-92c0-11df-b140-0015f2db7bde">
<topic>vte -- Classic terminal title set+query attack</topic>
<affects>
<package>
<name>vte</name>
<range><lt>0.24.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kees Cook reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/512388">
<p>Janne Snabb discovered that applications using VTE, such as
gnome-terminal, did not correctly filter window and icon title
request escape codes. If a user were tricked into viewing
specially crafted output in their terminal, a remote attacker
could execute arbitrary commands with user privileges.</p>
</blockquote>
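<p>Added example (not VTE's fix, which lives in the terminal emulator itself): a C filter of the kind a program can apply to untrusted text before writing it to a terminal. It drops OSC sequences (the ones that set the window and icon title) and CSI sequences (which include the xterm title report request, CSI 21 t) and passes everything else through. The sample input is constructed: a title-set whose text contains a newline, followed by the report request that would make an unfiltering terminal send that text back as keyboard input.</p>
<![CDATA[
```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESC 0x1b
#define BEL 0x07

/* Copy in[0..n) to out, dropping ESC-introduced control sequences:
 *   ESC ] ... BEL  or  ESC ] ... ESC \     OSC, e.g. OSC 0/2 "set title"
 *   ESC [ ... final byte in 0x40..0x7e     CSI, e.g. CSI 21 t "report title"
 *   ESC x                                  any other two-byte sequence
 * An OSC that never terminates swallows the rest of the input, which is
 * the safe side to err on. out needs at least n bytes. Returns the number
 * of bytes written. 8-bit C1 introducers (0x9b, 0x9d) are not handled. */
size_t strip_escapes(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t i = 0, o = 0;
    while (i < n) {
        if (in[i] != ESC) { out[o++] = in[i++]; continue; }
        if (i + 1 >= n) break;                       /* lone trailing ESC: drop */
        unsigned char c = in[i + 1];
        i += 2;
        if (c == ']') {                              /* OSC: skip to BEL or ESC \ */
            while (i < n) {
                if (in[i] == BEL) { i++; break; }
                if (in[i] == ESC && i + 1 < n && in[i + 1] == '\\') { i += 2; break; }
                i++;
            }
        } else if (c == '[') {                       /* CSI: skip to the final byte */
            while (i < n && (in[i] < 0x40 || in[i] > 0x7e)) i++;
            if (i < n) i++;
        }
        /* any other ESC x: both bytes already skipped */
    }
    return o;
}

/* Convenience wrapper for NUL-terminated text; returns a static buffer. */
const char *filtered(const char *s)
{
    static unsigned char buf[512];
    size_t n = strlen(s);
    if (n >= sizeof buf) n = sizeof buf - 1;
    size_t o = strip_escapes((const unsigned char *)s, n, buf);
    buf[o] = '\0';
    return (const char *)buf;
}

/* Constructed sample: ordinary output, a title-set with an embedded newline,
 * then the title report request; only "ls" and "done" should survive. */
static const char sample[] = "ls\n" "\x1b]2;echo hello\n\x07" "\x1b[21t" "done\n";

int main(void)
{
    fputs(filtered(sample), stdout);
    return 0;
}
```
]]>
<p>This is deliberately coarse: it also strips colour and cursor movement, which is the right trade-off when displaying files or network data of unknown origin, but not a replacement for a terminal that refuses to answer title queries with attacker-chosen text.</p>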
</body>
</description>
<references>
<cvename>CVE-2010-2713</cvename>
<url>http://www.securityfocus.com/archive/1/512388</url>
</references>
<dates>
<discovery>2010-07-15</discovery>
<entry>2010-07-18</entry>
</dates>
</vuln>
<vuln vid="19419b3b-92bd-11df-b140-0015f2db7bde">
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>webkit-gtk2</name>
<range><lt>1.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gustavo Noronha reports:</p>
<blockquote cite="http://blog.kov.eti.br/?p=116">
<p>Debian's Michael Gilbert has done a great job going through all
CVEs released about WebKit, and including patches in the Debian
package. 1.2.3 includes all of the commits from trunk to fix those,
too.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1386</cvename>
<cvename>CVE-2010-1392</cvename>
<cvename>CVE-2010-1405</cvename>
<cvename>CVE-2010-1407</cvename>
<cvename>CVE-2010-1416</cvename>
<cvename>CVE-2010-1417</cvename>
<cvename>CVE-2010-1418</cvename>
<cvename>CVE-2010-1421</cvename>
<cvename>CVE-2010-1422</cvename>
<cvename>CVE-2010-1501</cvename>
<cvename>CVE-2010-1664</cvename>
<cvename>CVE-2010-1665</cvename>
<cvename>CVE-2010-1758</cvename>
<cvename>CVE-2010-1759</cvename>
<cvename>CVE-2010-1760</cvename>
<cvename>CVE-2010-1761</cvename>
<cvename>CVE-2010-1762</cvename>
<cvename>CVE-2010-1767</cvename>
<cvename>CVE-2010-1770</cvename>
<cvename>CVE-2010-1771</cvename>
<cvename>CVE-2010-1772</cvename>
<cvename>CVE-2010-1773</cvename>
<cvename>CVE-2010-1774</cvename>
<cvename>CVE-2010-2264</cvename>
<url>http://blog.kov.eti.br/?p=116</url>
</references>
<dates>
<discovery>2010-07-16</discovery>
<entry>2010-07-18</entry>
</dates>
</vuln>
<vuln vid="ba61ce15-8a7b-11df-87ec-0050569b2d21">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>0.9.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Eric Davis reports:</p>
<blockquote cite="http://www.redmine.org/news/41">
<p>This security release addresses some security
vulnerabilities found in the advanced subversion
integration module (Redmine.pm perl script).</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.redmine.org/news/41</url>
</references>
<dates>
<discovery>2010-07-08</discovery>
<entry>2010-07-10</entry>
</dates>
</vuln>
<vuln vid="25ed4ff8-8940-11df-a339-0026189baca3">
<topic>bogofilter -- heap underrun on malformed base64 input</topic>
<affects>
<package>
<name>bogofilter</name>
<range><lt>1.2.1_2</lt></range>
</package>
<package>
<name>bogofilter-sqlite</name>
<range><lt>1.2.1_1</lt></range>
</package>
<package>
<name>bogofilter-tc</name>
<range><lt>1.2.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Julius Plenz reports:</p>
<blockquote cite="http://www.bogofilter.org/pipermail/bogofilter-dev/2010-June/003475.html">
<p>I found a bug in the base64_decode function which may cause memory
corruption when the function is executed on a malformed base64
encoded string.</p>
<p>If a string starting with an equal-sign is passed to the
base64_decode function it triggers a memory corruption that
in some cases makes bogofilter crash.</p>
</blockquote>
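<p>Added example (not bogofilter's base64_decode): a C base64 decoder that decides where '=' may appear before doing any arithmetic with the padding count, so input that starts with '=' or consists only of '=' is rejected instead of yielding a negative or under-counted output length. The sample strings are constructed.</p>
<![CDATA[
```c
#include <stdio.h>
#include <string.h>

/* Alphabet value of one base64 character, or -1 if not in the alphabet. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text into out (needs 3 * len / 4 bytes). Returns the decoded
 * length, or -1 if the input is malformed: length not a multiple of 4, a
 * byte outside the alphabet, or '=' anywhere other than the last one or two
 * positions. Because '=' is validated by position, a string such as "=abc"
 * or "====" never reaches the output arithmetic. */
int base64_decode(const char *in, size_t len, unsigned char *out)
{
    size_t pad = 0, o = 0;
    if (len % 4 != 0) return -1;
    if (len >= 1 && in[len - 1] == '=') pad++;
    if (len >= 2 && in[len - 2] == '=') pad++;

    for (size_t i = 0; i < len; i += 4) {
        int v[4];
        int last = (i + 4 == len);
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            int pad_slot = last && (size_t)k >= 4 - pad;   /* only trailing slots may hold '=' */
            if (c == '=') {
                if (!pad_slot) return -1;
                v[k] = 0;
            } else {
                v[k] = b64val((unsigned char)c);
                if (v[k] < 0) return -1;
            }
        }
        out[o++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        if (!(last && pad == 2)) out[o++] = (unsigned char)(((v[1] & 0x0f) << 4) | (v[2] >> 2));
        if (!(last && pad >= 1)) out[o++] = (unsigned char)(((v[2] & 0x03) << 6) | v[3]);
    }
    return (int)o;
}

/* Wrappers for main() and tests: decoded length, or the decoded bytes as a
 * NUL-terminated string from a static buffer (NULL on malformed input). */
int decoded_len(const char *s)
{
    unsigned char buf[256];
    size_t len = strlen(s);
    if (len / 4 * 3 >= sizeof buf) return -1;
    return base64_decode(s, len, buf);
}

const char *decoded(const char *s)
{
    static unsigned char buf[256];
    size_t len = strlen(s);
    if (len / 4 * 3 >= sizeof buf) return NULL;
    int n = base64_decode(s, len, buf);
    if (n < 0) return NULL;
    buf[n] = '\0';
    return (const char *)buf;
}

int main(void)
{
    const char *samples[] = { "aGVsbG8=", "aGk=", "=abc", "====", "ab=c" };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i], decoded_len(samples[i]));
    return 0;
}
```
]]>
<p>For mail filtering the reject path matters more than the decode path: a malformed MIME part should be scored as text (or skipped), never allowed to steer a length calculation.</p>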
</body>
</description>
<references>
<cvename>CVE-2010-2494</cvename>
<url>http://bogofilter.sourceforge.net/security/bogofilter-SA-2010-01</url>
</references>
<dates>
<discovery>2010-06-28</discovery>
<entry>2010-07-06</entry>
</dates>
</vuln>
<vuln vid="f1331504-8849-11df-89b8-00151735203a">
<topic>bugzilla -- information disclosure</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>2.17.1</gt><lt>3.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.2.6/">
<ul>
<li>Normally, information about time-tracking (estimated
hours, actual hours, hours worked, and deadlines) is
restricted to users in the "time-tracking group".
However, any user was able, by crafting their own
search URL, to search for bugs using those
fields as criteria, thus possibly exposing sensitive
time-tracking information by a user seeing that a bug
matched their search.</li>
<li>If $use_suexec was set to "1" in the localconfig file,
then the localconfig file's permissions were set as
world-readable by checksetup.pl. This allowed any user
with local shell access to see the contents of the file,
including the database password and the site_wide_secret
variable used for CSRF protection.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1204</cvename>
<cvename>CVE-2010-0180</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=309952</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=561797</url>
</references>
<dates>
<discovery>2010-06-24</discovery>
<entry>2010-07-05</entry>
</dates>
</vuln>
<vuln vid="8685d412-8468-11df-8d45-001d7d9eb79a">
<topic>kvirc -- multiple vulnerabilities</topic>
<affects>
<package>
<name>kvirc</name>
<name>kvirc-devel</name>
<range><lt>4.0.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two security vulnerabilities have been discovered:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2451">
<p>Multiple format string vulnerabilities in the DCC functionality
in KVIrc 3.4 and 4.0 have unspecified impact and remote attack vectors.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2452">
<p>Directory traversal vulnerability in the DCC functionality
in KVIrc 3.4 and 4.0 allows remote attackers to overwrite
arbitrary files via unknown vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-2451</cvename>
<cvename>CVE-2010-2452</cvename>
<url>http://lists.omnikron.net/pipermail/kvirc/2010-May/000867.html</url>
</references>
<dates>
<discovery>2010-05-17</discovery>
<entry>2010-06-30</entry>
</dates>
</vuln>
<vuln vid="edef3f2f-82cf-11df-bcce-0018f3e2eb82">
<topic>png -- libpng decompression buffer overflow</topic>
<affects>
<package>
<name>png</name>
<range>
<lt>1.4.3</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PNG project describes the problem in an advisory:</p>
<blockquote cite="http://www.libpng.org/pub/png/libpng.html">
<p>Several versions of libpng through 1.4.2 (and through 1.2.43
in the older series) contain a bug whereby progressive
applications such as web browsers (or the rpng2 demo app included
in libpng) could receive an extra row of image data beyond the
height reported in the header, potentially leading to an
out-of-bounds write to memory (depending on how the application
is written) and the possibility of execution of an attacker's
code with the privileges of the libpng user (including remote
compromise in the case of a libpng-based browser visiting a
hostile web site).</p>
</blockquote>
</body>
</description>
<references>
<bid>41174</bid>
<cvename>CVE-2010-1205</cvename>
<url>http://www.libpng.org/pub/png/libpng.html</url>
</references>
<dates>
<discovery>2010-03-30</discovery>
<entry>2010-06-28</entry>
<modified>2010-06-28</modified>
</dates>
</vuln>
<vuln vid="66759ce6-7530-11df-9c33-000c29ba66d2">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle</name>
<range><lt>1.9.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Moodle release notes report multiple vulnerabilities
which could allow cross-site scripting (XSS) attacks and, in some
instances, unauthorised deletion of attempts.</p>
</body>
</description>
<references>
<url>http://docs.moodle.org/en/Moodle_1.9.9_release_notes</url>
</references>
<dates>
<discovery>2010-06-08</discovery>
<entry>2010-06-28</entry>
</dates>
</vuln>
<vuln vid="1cd87e2a-81e3-11df-81d8-00262d5ed8ee">
<topic>mDNSResponder -- corrupted stack crash when parsing bad resolv.conf</topic>
<affects>
<package>
<name>mDNSResponder</name>
<range><le>214</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Juli Mallett reports:</p>
<blockquote cite="http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/147007">
<p>mdnsd will crash on some systems with a corrupt stack and once
that's fixed it will still leak a file descriptor when parsing
resolv.conf. The crash is because scanf is used with %10s for a
buffer that is only 10 chars long. The buffer size needs to be
increased to 11 chars to hold the trailing NUL. To fix the leak, an
fclose needs to be added.</p>
</blockquote>
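<p>This report and the corkscrew entry above come down to the same sscanf sizing rule: a %Ns conversion stores up to N characters plus a terminating NUL, so the destination must hold N + 1 bytes, and %s with no width is bounded only by the input. Added example (not code from either project): a C helper that states the rule, and a "user:password" line parser whose field widths are derived from the buffer sizes and which reports a field that exceeded its width instead of silently truncating it. The sample lines are constructed and the colon-separated format is an assumption for illustration.</p>
<![CDATA[
```c
#include <stdio.h>
#include <string.h>

/* "%Ns" stores up to N characters plus a NUL, so the destination needs
 * N + 1 bytes: "%10s" into char[10] writes one byte past the end, and
 * "%s" with no width has no bound at all. */
int scanf_width_fits(unsigned width, size_t bufsize)
{
    return (size_t)width + 1 <= bufsize;
}

/* Parse "user:password" into caller-sized buffers. The widths are generated
 * from the buffer sizes so the two cannot drift apart, and a field that was
 * cut short by its width is reported as an error rather than silently
 * truncated: with %n we know how much of the line was consumed, and anything
 * left over (other than a newline) means a field did not fit.
 * Returns 0 on success, -1 otherwise. */
int parse_credentials(const char *line, char *user, size_t usz, char *pass, size_t psz)
{
    char fmt[64];
    int consumed = 0;

    if (usz < 2 || psz < 2) return -1;
    /* e.g. usz = psz = 16 gives "%15[^:]:%15s%n" */
    snprintf(fmt, sizeof fmt, "%%%zu[^:]:%%%zus%%n", usz - 1, psz - 1);
    if (sscanf(line, fmt, user, pass, &consumed) != 2) return -1;
    if (line[consumed] != '\0' && line[consumed] != '\n') return -1;
    return 0;
}

/* Wrappers over fixed 16-byte buffers for main() and tests. */
int creds_ok(const char *line)
{
    char user[16], pass[16];
    return parse_credentials(line, user, sizeof user, pass, sizeof pass) == 0;
}

const char *creds_user(const char *line)
{
    static char user[16];
    char pass[16];
    return parse_credentials(line, user, sizeof user, pass, sizeof pass) == 0 ? user : NULL;
}

int main(void)
{
    const char *lines[] = {                        /* constructed samples */
        "alice:s3cret",
        "alice:0123456789abcdefghij",              /* password longer than the buffer */
        "0123456789abcdefghij:pw",                 /* user longer than the buffer */
        "nocolon"
    };
    printf("%%10s into char[10] fits: %d, into char[11]: %d\n",
           scanf_width_fits(10, 10), scanf_width_fits(10, 11));
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-30s -> %s\n", lines[i], creds_ok(lines[i]) ? "ok" : "rejected");
    return 0;
}
```
]]>
<p>Deriving the width from sizeof is what keeps the two numbers in the resolv.conf case (10 in the format, 10 in the declaration) from being edited independently; the leftover-input check is what turns "too long" into a visible error instead of a partially parsed line.</p>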
</body>
</description>
<references>
<freebsdpr>ports/147007</freebsdpr>
</references>
<dates>
<discovery>2010-05-26</discovery>
<entry>2010-06-27</entry>
</dates>
</vuln>
<vuln vid="77b9f9bc-7fdf-11df-8a8d-0008743bf21a">
<topic>opera -- Data URIs can be used to allow cross-site scripting</topic>
<affects>
<package>
<name>opera</name>
<range><lt>10.11</lt></range>
</package>
<package>
<name>opera-devel</name>
<range><le>10.20_2,1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Opera Desktop Team reports:</p>
<blockquote cite="http://www.opera.com/support/kb/view/955/">
<p>Data URIs are allowed to run scripts that manipulate
pages from the site that directly opened them. In some cases, the opening site
is not correctly detected. In these cases, Data URIs may erroneously be able to
run scripts so that they interact with sites that did not directly cause them to
be opened.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/955/</url>
</references>
<dates>
<discovery>2010-06-21</discovery>
<entry>2010-06-25</entry>
</dates>
</vuln>
<vuln vid="e02e6a4e-6b26-11df-96b2-0015587e2cc1">
<topic>cacti -- multiple vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.7f</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple vulnerabilities have been reported to exist in older versions of
Cacti. The release notes of Cacti 0.8.7f summarize the problems as
follows:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_7f.php">
<ul>
<li>SQL injection and shell escaping issues</li>
<li>Cross-site scripting issues</li>
<li>Cacti Graph Viewer SQL injection vulnerability</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html</url>
<url>http://www.cacti.net/release_notes_0_8_7f.php</url>
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php</url>
<url>http://www.vupen.com/english/advisories/2010/1204</url>
</references>
<dates>
<discovery>2010-05-24</discovery>
<entry>2010-06-24</entry>
</dates>
</vuln>
<vuln vid="99858b7c-7ece-11df-a007-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6.*,1</gt><lt>3.6.4,1</lt></range>
<range><gt>3.5.*,1</gt><lt>3.5.10,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.10</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.5</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-33 User tracking across sites using Math.random()</p>
<p>MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present</p>
<p>MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes</p>
<p>MFSA 2010-30 Integer Overflow in XSLT Node Sorting</p>
<p>MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal</p>
<p>MFSA 2010-28 Freed object reuse across plugin instances</p>
<p>MFSA 2010-27 Use-after-free error in nsCycleCollector::MarkRoots()</p>
<p>MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)</p>
<p>MFSA 2010-25 Re-use of freed object due to scope confusion</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-5913</cvename>
<cvename>CVE-2010-0183</cvename>
<cvename>CVE-2010-1121</cvename>
<cvename>CVE-2010-1125</cvename>
<cvename>CVE-2010-1197</cvename>
<cvename>CVE-2010-1199</cvename>
<cvename>CVE-2010-1196</cvename>
<cvename>CVE-2010-1198</cvename>
<cvename>CVE-2010-1200</cvename>
<cvename>CVE-2010-1201</cvename>
<cvename>CVE-2010-1202</cvename>
<cvename>CVE-2010-1203</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-33.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-32.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-31.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-30.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-29.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-28.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-27.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-26.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-25.html</url>
</references>
<dates>
<discovery>2010-06-22</discovery>
<entry>2010-06-23</entry>
</dates>
</vuln>
<vuln vid="25673e6e-786b-11df-a921-0245fb008c0b">
<topic>ziproxy -- security vulnerability in PNG decoder</topic>
<affects>
<package>
<name>ziproxy</name>
<range><ge>3.1.0</ge></range>
<range><lt>3.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Daniel Mealha Cabrita reports:</p>
<blockquote cite="http://ziproxy.sourceforge.net/#news">
<p>Fixed security vulnerability (heap-related) in PNG decoder.
(new bug from 3.1.0)</p>
</blockquote>
</body>
</description>
<references>
<url>http://ziproxy.sourceforge.net/#news</url>
<mlist msgid="201006150731.30474.dancab@gmx.net">http://sourceforge.net/mailarchive/message.php?msg_name=201006150731.30474.dancab%40gmx.net</mlist>
</references>
<dates>
<discovery>2010-06-15</discovery>
<entry>2010-06-15</entry>
</dates>
</vuln>
<vuln vid="8816bf3a-7929-11df-bcce-0018f3e2eb82">
<topic>tiff -- Multiple integer overflows</topic>
<affects>
<package>
<name>tiff</name>
<range><lt>3.9.4</lt></range>
</package>
<package>
<name>linux-tiff</name>
<range><lt>3.9.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tielei Wang reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2009-012.html">
<p>Multiple integer overflows in inter-color spaces conversion
tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow
context-dependent attackers to execute arbitrary code via a
TIFF image with large (1) width and (2) height values, which
triggers a heap-based buffer overflow in the (a) cvt_whole_image
function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-2347</cvename>
<url>http://www.remotesensing.org/libtiff/v3.9.4.html</url>
<url>http://www.ocert.org/advisories/ocert-2009-012.html</url>
</references>
<dates>
<discovery>2009-05-22</discovery>
<entry>2010-06-16</entry>
</dates>
</vuln>
<vuln vid="144e524a-77eb-11df-ae06-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r277</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.1r53</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-14.html">
<p>Critical vulnerabilities have been identified in Adobe
Flash Player version 10.0.45.2 and earlier. These
vulnerabilities could cause the application to crash and
could potentially allow an attacker to take control of the
affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-4546</cvename>
<cvename>CVE-2009-3793</cvename>
<cvename>CVE-2010-1297</cvename>
<cvename>CVE-2010-2160</cvename>
<cvename>CVE-2010-2161</cvename>
<cvename>CVE-2010-2162</cvename>
<cvename>CVE-2010-2163</cvename>
<cvename>CVE-2010-2164</cvename>
<cvename>CVE-2010-2165</cvename>
<cvename>CVE-2010-2166</cvename>
<cvename>CVE-2010-2167</cvename>
<cvename>CVE-2010-2169</cvename>
<cvename>CVE-2010-2170</cvename>
<cvename>CVE-2010-2171</cvename>
<cvename>CVE-2010-2172</cvename>
<cvename>CVE-2010-2173</cvename>
<cvename>CVE-2010-2174</cvename>
<cvename>CVE-2010-2175</cvename>
<cvename>CVE-2010-2176</cvename>
<cvename>CVE-2010-2177</cvename>
<cvename>CVE-2010-2178</cvename>
<cvename>CVE-2010-2179</cvename>
<cvename>CVE-2010-2180</cvename>
<cvename>CVE-2010-2181</cvename>
<cvename>CVE-2010-2182</cvename>
<cvename>CVE-2010-2183</cvename>
<cvename>CVE-2010-2184</cvename>
<cvename>CVE-2010-2185</cvename>
<cvename>CVE-2010-2186</cvename>
<cvename>CVE-2010-2187</cvename>
<cvename>CVE-2010-2188</cvename>
<cvename>CVE-2010-2189</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-14.html</url>
</references>
<dates>
<discovery>2008-10-02</discovery>
<entry>2010-06-14</entry>
</dates>
</vuln>
<vuln vid="313da7dc-763b-11df-bcce-0018f3e2eb82">
<topic>tiff -- buffer overflow vulnerability</topic>
<affects>
<package>
<name>tiff</name>
<range><lt>3.9.3</lt></range>
</package>
<package>
<name>linux-tiff</name>
<range><lt>3.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kevin Finisterre reports:</p>
<blockquote cite="http://support.apple.com/kb/HT4196">
<p>Multiple integer overflows in the handling of TIFF files may
result in a heap buffer overflow. Opening a maliciously crafted
TIFF file may lead to an unexpected application termination or
arbitrary code execution. The issues are addressed through
improved bounds checking. Credit to Kevin Finisterre of
digitalmunition.com for reporting these issues.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1411</cvename>
<url>http://www.remotesensing.org/libtiff/v3.9.3.html</url>
<url>http://support.apple.com/kb/HT4196</url>
</references>
<dates>
<discovery>2010-04-15</discovery>
<entry>2010-06-12</entry>
</dates>
</vuln>
<vuln vid="d42e5b66-6ea0-11df-9c8d-00e0815b8da8">
<topic>sudo -- Secure path vulnerability</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://sudo.ws/sudo/alerts/secure_path.html">
<p>Most versions of the C library function getenv() return the
first instance of an environment variable to the caller. However,
some programs, notably the GNU Bourne Again SHell (bash), do
their own environment parsing and may choose the last instance
of a variable rather than the first one.</p>
<p>An attacker may manipulate the environment of the process that
executes Sudo such that a second PATH variable is present. When
Sudo runs a bash script, it is this second PATH variable that
is used by bash, regardless of whether or not Sudo has overwritten
the first instance of PATH. This may allow an attacker to
subvert the program being run under Sudo and execute commands
he/she would not otherwise be allowed to run.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1646</cvename>
<url>http://sudo.ws/sudo/alerts/secure_path.html</url>
</references>
<dates>
<discovery>2010-06-02</discovery>
<entry>2010-06-02</entry>
</dates>
</vuln>
<vuln vid="b43004b8-6a53-11df-bc7b-0245fb008c0b">
<topic>ziproxy -- atypical huge picture files vulnerability</topic>
<affects>
<package>
<name>ziproxy</name>
<range><lt>3.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Ziproxy 3.0.1 release fixes a security vulnerability related
to atypically huge picture files (over 4GB in size once expanded).</p>
</body>
</description>
<references>
<bid>40344</bid>
<cvename>CVE-2010-1513</cvename>
<url>http://ziproxy.sourceforge.net/#news</url>
<url>http://secunia.com/advisories/39941</url>
<mlist msgid="201005210019.37119.dancab@gmx.net">http://sourceforge.net/mailarchive/message.php?msg_name=201005210019.37119.dancab%40gmx.net</mlist>
</references>
<dates>
<discovery>2010-05-20</discovery>
<entry>2010-05-28</entry>
</dates>
</vuln>
<vuln vid="fc55e396-6deb-11df-8b8e-000c29ba66d2">
<topic>mediawiki -- two security vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><lt>1.15.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two security vulnerabilities were discovered:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html">
<p>Noncompliant CSS parsing behaviour in Internet Explorer
allows attackers to construct CSS strings which are treated
as safe by previous versions of MediaWiki, but are decoded
to unsafe strings by Internet Explorer.</p>
<p>A CSRF vulnerability was discovered in our login interface.
Although regular logins are protected as of 1.15.3, it was
discovered that the account creation and password reset
features were not protected from CSRF. This could lead
to unauthorised access to private wikis.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/39922/</url>
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html</url>
</references>
<dates>
<discovery>2010-05-28</discovery>
<entry>2010-06-02</entry>
</dates>
</vuln>
<vuln vid="fcc39d22-5777-11df-bf33-001a92771ec2">
<topic>redmine -- multiple vulnerabilities</topic>
<affects>
<package>
<name>redmine</name>
<range><lt>0.9.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Redmine release announcement reports that
several cross-site scripting vulnerabilities
and a potential data disclosure vulnerability have
been fixed in the latest release.</p>
</body>
</description>
<references>
<url>http://www.redmine.org/news/39</url>
</references>
<dates>
<discovery>2010-05-01</discovery>
<entry>2010-05-14</entry>
</dates>
</vuln>
<vuln vid="28022228-5a0e-11df-942d-0015587e2cc1">
<topic>wireshark -- DOCSIS dissector denial of service</topic>
<affects>
<package>
<name>wireshark</name>
<range><le>1.2.6_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A vulnerability found in the DOCSIS dissector can cause
Wireshark to crash when a malformed packet trace file is
opened. This means that an attacker will have to trick a
victim into opening such a trace file before being able
to crash the application.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1455</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2010-03.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2010-04.html</url>
</references>
<dates>
<discovery>2010-05-05</discovery>
<entry>2010-05-07</entry>
</dates>
</vuln>
<vuln vid="c0869649-5a0c-11df-942d-0015587e2cc1">
<topic>piwik -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>piwik</name>
<range><le>0.5.5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Piwik security advisory reports:</p>
<blockquote cite="http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/">
<p>A non-persistent, cross-site scripting vulnerability
(XSS) was found in Piwik's Login form that reflected
the form_url parameter without being properly escaped
or filtered.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1453</cvename>
<url>http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/</url>
</references>
<dates>
<discovery>2010-04-15</discovery>
<entry>2010-05-07</entry>
</dates>
</vuln>
<vuln vid="7132c842-58e2-11df-8d80-0015587e2cc1">
<topic>spamass-milter -- remote command execution vulnerability</topic>
<affects>
<package>
<name>spamass-milter</name>
<range><le>0.3.1_8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The spamassassin milter plugin contains a vulnerability
that can allow remote attackers to execute commands on
affected systems.</p>
<p>The vulnerability can be exploited through a specially crafted
email header when the plugin is started with the '-x'
(expand) flag.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1132</cvename>
<url>http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html</url>
<url>http://xforce.iss.net/xforce/xfdb/56732</url>
</references>
<dates>
<discovery>2010-03-07</discovery>
<entry>2010-05-06</entry>
</dates>
</vuln>
<vuln vid="694da5b4-5877-11df-8d80-0015587e2cc1">
<topic>mediawiki -- authenticated CSRF vulnerability</topic>
<affects>
<package>
<name>mediawiki</name>
<range><lt>1.15.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A MediaWiki security announcement reports:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html">
<p>MediaWiki was found to be vulnerable to login CSRF.
An attacker who controls a user account on the target
wiki can force the victim to log in as the attacker,
via a script on an external website.</p>
<p>If the wiki is configured to allow user scripts, say
with "$wgAllowUserJs = true" in LocalSettings.php, then
the attacker can proceed to mount a phishing-style
attack against the victim to obtain their password.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1150</cvename>
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=23076</url>
</references>
<dates>
<discovery>2010-04-07</discovery>
<entry>2010-05-05</entry>
</dates>
</vuln>
<vuln vid="0491d15a-5875-11df-8d80-0015587e2cc1">
<topic>lxr -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>lxr</name>
<range><le>0.9.6</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dan Rosenberg reports:</p>
<blockquote cite="http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com">
<p>There are several cross-site scripting vulnerabilities
in LXR. These vulnerabilities could allow an attacker
to execute scripts in a user's browser, steal cookies
associated with vulnerable domains, redirect the user
to malicious websites, etc.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4497</cvename>
<freebsdpr>ports/146337</freebsdpr>
<url>http://secunia.com/advisories/38117</url>
<url>http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com</url>
</references>
<dates>
<discovery>2010-01-05</discovery>
<entry>2010-05-05</entry>
</dates>
</vuln>
<vuln vid="752ce039-5242-11df-9139-00242b513d7c">
<topic>vlc -- unintended code execution with specially crafted data</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>1.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>VideoLAN project reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1003.html">
<p>VLC media player suffers from various vulnerabilities when
attempting to parse malformatted or overly long byte streams.</p>
</blockquote>
</body>
</description>
<references>
<bid>39629</bid>
<url>http://www.videolan.org/security/sa1003.html</url>
</references>
<dates>
<discovery>2010-04-19</discovery>
<entry>2010-05-01</entry>
<modified>2010-05-05</modified>
</dates>
</vuln>
<vuln vid="8d10038e-515c-11df-83fb-0015587e2cc1">
<topic>joomla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>joomla15</name>
<range><ge>1.5.1</ge><le>1.5.15</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Joomla! reported the following vulnerabilities:</p>
<blockquote cite="http://developer.joomla.org/security/news/311-20100423-core-negative-values-for-limit-and-offset.html">
<p>If a user entered a URL with a negative query limit
or offset, a PHP notice would display revealing information
about the system.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/news/310-20100423-core-installer-migration-script.html">
<p>The migration script in the Joomla! installer does not
check the file type being uploaded. If the installation
application is present, an attacker could use it to
upload malicious files to a server.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/news/309-20100423-core-sessation-fixation.html">
<p>Session id doesn't get modified when user logs in. A
remote site may be able to forward a visitor to the
Joomla! site and set a specific cookie. If the user
then logs in, the remote site can use that cookie to
authenticate as that user.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/news/308-20100423-core-password-reset-tokens.html">
<p>When a user requests a password reset, the reset tokens
were stored in plain text in the database. While this
is not a vulnerability in itself, it allows user accounts
to be compromised if there is an extension on the site
with an SQL injection vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://developer.joomla.org/security/news/308-20100423-core-password-reset-tokens.html</url>
<url>http://developer.joomla.org/security/news/309-20100423-core-sessation-fixation.html</url>
<url>http://developer.joomla.org/security/news/310-20100423-core-installer-migration-script.html</url>
<url>http://developer.joomla.org/security/news/311-20100423-core-negative-values-for-limit-and-offset.html</url>
</references>
<dates>
<discovery>2010-04-23</discovery>
<entry>2010-04-26</entry>
</dates>
</vuln>
<vuln vid="5198ef84-4fdc-11df-83fb-0015587e2cc1">
<topic>cacti -- SQL injection and command execution vulnerabilities</topic>
<affects>
<package>
<name>cacti</name>
<range><le>0.8.7e4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Bonsai information security reports:</p>
<blockquote cite="http://www.bonsai-sec.com/en/research/vulnerability.php">
<p>A vulnerability has been discovered in Cacti, which
can be exploited by any user to conduct SQL Injection
attacks. Input passed via the "export_item_id" parameter
to "templates_export.php" script is not properly sanitized
before being used in a SQL query.</p>
</blockquote>
<p>The same source also reported a command execution
vulnerability. This second issue can be exploited by
Cacti users who have the rights to modify device or
graph configurations.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1431</cvename>
<freebsdpr>ports/146021</freebsdpr>
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php</url>
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php</url>
<url>http://www.debian.org/security/2010/dsa-2039</url>
</references>
<dates>
<discovery>2010-04-21</discovery>
<entry>2010-04-24</entry>
<modified>2010-05-12</modified>
</dates>
</vuln>
<vuln vid="f6429c24-4fc9-11df-83fb-0015587e2cc1">
<topic>moodle -- multiple vulnerabilities</topic>
<affects>
<package>
<name>moodle</name>
<range><lt>1.9.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Moodle release notes report multiple vulnerabilities
which could allow remote attackers to perform, amongst
others, cross site scripting, user enumeration and SQL
injection attacks.</p>
</body>
</description>
<references>
<url>http://docs.moodle.org/en/Moodle_1.9.8_release_notes</url>
</references>
<dates>
<discovery>2010-03-25</discovery>
<entry>2010-04-24</entry>
</dates>
</vuln>
<vuln vid="3383e706-4fc3-11df-83fb-0015587e2cc1">
<topic>tomcat -- information disclosure vulnerability</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>5.5.0</gt><lt>5.5.30</lt></range>
<range><gt>6.0.0</gt><lt>6.0.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache software foundation reports:</p>
<blockquote cite="http://seclists.org/bugtraq/2010/Apr/200">
<p>The "WWW-Authenticate" header for BASIC and DIGEST
authentication includes a realm name. If a &lt;realm-name&gt;
element is specified for the application in web.xml it
will be used. However, if a &lt;realm-name&gt; is not
specified then Tomcat will generate one.</p>
<p>In some circumstances this can expose the local
hostname or IP address of the machine running Tomcat.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1157</cvename>
<freebsdpr>ports/146022</freebsdpr>
<url>http://seclists.org/bugtraq/2010/Apr/200</url>
</references>
<dates>
<discovery>2010-04-22</discovery>
<entry>2010-04-24</entry>
</dates>
</vuln>
<vuln vid="f6b6beaa-4e0e-11df-83fb-0015587e2cc1">
<cancelled/>
</vuln>
<vuln vid="86b8b655-4d1a-11df-83fb-0015587e2cc1">
<topic>krb5 -- KDC double free vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><ge>1.7</ge><lt>1.7.2</lt></range>
<range><ge>1.8</ge><lt>1.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The MIT Kerberos team reports:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt">
<p>An authenticated remote attacker can crash the KDC by
inducing the KDC to perform a double free. Under some
circumstances on some platforms, this could also allow
malicious code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1320</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt</url>
</references>
<dates>
<discovery>2010-04-20</discovery>
<entry>2010-04-21</entry>
</dates>
</vuln>
<vuln vid="a4746a86-4c89-11df-83fb-0015587e2cc1">
<topic>e107 -- code execution and XSS vulnerabilities</topic>
<affects>
<package>
<name>e107</name>
<range><lt>0.7.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia Research reported two vulnerabilities in e107:</p>
<p>The first problem affects installations that have the
Content Manager plugin enabled. This plugin does not
sanitize the "content_heading" parameter correctly and
is therefore vulnerable to a cross site scripting attack.</p>
<p>The second vulnerability is related to the avatar upload
functionality. Images containing PHP code can be uploaded
and executed.</p>
</body>
</description>
<references>
<bid>39540</bid>
<cvename>CVE-2010-0996</cvename>
<cvename>CVE-2010-0997</cvename>
<freebsdpr>ports/145885</freebsdpr>
<url>http://e107.org/comment.php?comment.news.864</url>
<url>http://secunia.com/secunia_research/2010-43/</url>
<url>http://secunia.com/secunia_research/2010-44/</url>
<url>http://xforce.iss.net/xforce/xfdb/57932</url>
</references>
<dates>
<discovery>2010-04-15</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="09910d76-4c82-11df-83fb-0015587e2cc1">
<topic>fetchmail -- denial of service vulnerability</topic>
<affects>
<package>
<name>fetchmail</name>
<range>
<ge>4.6.3</ge>
<le>6.3.16</le>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fetchmail developer Matthias Andree reported a vulnerability
that allows remote attackers to crash the application
when it runs in verbose mode.</p>
<blockquote cite="http://gitorious.org/fetchmail/fetchmail/commit/ec06293">
<p>Fetchmail before release 6.3.17 did not properly
sanitize external input (mail headers and UID). When a
multi-character locale (such as UTF-8) was in use, this
could cause memory exhaustion and thus a denial of
service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1167</cvename>
<freebsdpr>ports/145857</freebsdpr>
<url>http://gitorious.org/fetchmail/fetchmail/commit/ec06293</url>
<url>http://seclists.org/oss-sec/2010/q2/76</url>
</references>
<dates>
<discovery>2010-04-18</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="a2c4d3d5-4c7b-11df-83fb-0015587e2cc1">
<topic>pidgin -- multiple remote denial of service vulnerabilities</topic>
<affects>
<package>
<name>pidgin</name>
<range><lt>2.6.6</lt></range>
</package>
<package>
<name>libpurple</name>
<range><lt>2.6.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Three denial of service vulnerabilities were found in
pidgin that allow remote attackers to crash the application.
The developers summarized these problems as follows:</p>
<blockquote cite="http://pidgin.im/news/security/?id=45">
<p>Pidgin can become unresponsive when displaying large
numbers of smileys</p>
</blockquote>
<blockquote cite="http://pidgin.im/news/security/?id=44">
<p>Certain nicknames in group chat rooms can trigger a
crash in Finch</p>
</blockquote>
<blockquote cite="http://pidgin.im/news/security/?id=43">
<p>Failure to validate all fields of an incoming message
can trigger a crash</p>
</blockquote>
</body>
</description>
<references>
<bid>38294</bid>
<cvename>CVE-2010-0277</cvename>
<cvename>CVE-2010-0420</cvename>
<cvename>CVE-2010-0423</cvename>
<url>http://pidgin.im/news/security/?id=43</url>
<url>http://pidgin.im/news/security/?id=44</url>
<url>http://pidgin.im/news/security/?id=45</url>
</references>
<dates>
<discovery>2010-02-18</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="4fb5d2cd-4c77-11df-83fb-0015587e2cc1">
<topic>png -- libpng decompression denial of service</topic>
<affects>
<package>
<name>png</name>
<range>
<gt>1.2.43</gt>
<lt>1.4.1</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A vulnerability in libpng can result in denial of service
conditions when a remote attacker tricks a victim into opening
a specially crafted PNG file.</p>
<p>The PNG project describes the problem in an advisory:</p>
<blockquote cite="http://libpng.sourceforge.net/ADVISORY-1.4.1.html">
<p>Because of the efficient compression method used in
Portable Network Graphics (PNG) files, a small PNG file
can expand tremendously, acting as a "decompression
bomb".</p>
<p>Malformed PNG chunks can consume a large amount of CPU
and wall-clock time and large amounts of memory, up to
all memory available on a system.</p>
</blockquote>
</body>
</description>
<references>
<bid>38478</bid>
<certvu>576029</certvu>
<cvename>CVE-2010-0205</cvename>
<url>http://libpng.sourceforge.net/ADVISORY-1.4.1.html</url>
<url>http://secunia.com/advisories/38774</url>
<url>http://xforce.iss.net/xforce/xfdb/56661</url>
</references>
<dates>
<discovery>2010-02-27</discovery>
<entry>2010-04-20</entry>
</dates>
</vuln>
<vuln vid="c8c31c41-49ed-11df-83fb-0015587e2cc1">
<topic>curl -- libcurl buffer overflow vulnerability</topic>
<affects>
<package>
<name>curl</name>
<range>
<ge>7.10.5</ge>
<lt>7.20.0</lt>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The cURL project reports in a security advisory:</p>
<blockquote cite="http://curl.haxx.se/docs/adv_20100209.html">
<p>Using the affected libcurl version to download compressed
content over HTTP, an application can ask libcurl to
automatically uncompress data. When doing so, libcurl
can wrongly send data up to 64K in size to the callback
which thus is much larger than the documented maximum
size.</p>
<p>An application that blindly trusts libcurl's max limit
for a fixed buffer size or similar is then a possible
target for a buffer overflow vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0734</cvename>
<url>http://curl.haxx.se/docs/adv_20100209.html</url>
<url>http://www.debian.org/security/2010/dsa-2023</url>
<url>http://www.openwall.com/lists/oss-security/2010/02/09/5</url>
</references>
<dates>
<discovery>2010-02-09</discovery>
<entry>2010-04-19</entry>
</dates>
</vuln>
<vuln vid="a04a3c13-4932-11df-83fb-0015587e2cc1">
<topic>ejabberd -- queue overload denial of service vulnerability</topic>
<affects>
<package>
<name>ejabberd</name>
<range><lt>2.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Red Hat security response team reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/01/29/1">
<p>A remotely exploitable DoS from XMPP client to ejabberd
server via too many "client2server" messages (causing the
message queue on the server to get overloaded, leading
to server crash) has been found.</p>
</blockquote>
</body>
</description>
<references>
<bid>38003</bid>
<cvename>CVE-2010-0305</cvename>
<url>http://secunia.com/advisories/38337</url>
<url>http://support.process-one.net/browse/EJAB-1173</url>
<url>http://www.openwall.com/lists/oss-security/2010/01/29/1</url>
<url>http://xforce.iss.net/xforce/xfdb/56025</url>
</references>
<dates>
<discovery>2010-01-29</discovery>
<entry>2010-04-19</entry>
</dates>
</vuln>
<vuln vid="3b7967f1-49e8-11df-83fb-0015587e2cc1">
<topic>irssi -- multiple vulnerabilities</topic>
<affects>
<package>
<name>irssi</name>
<range><lt>0.8.15</lt></range>
</package>
<package>
<name>zh-irssi</name>
<range><lt>0.8.15</lt></range>
</package>
<package>
<name>irssi-devel</name>
<range><lt>20100325</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two vulnerabilities have been found in irssi. The first issue
could allow man-in-the-middle attacks due to a missing
comparison of SSL server hostnames and the certificate
domain names (e.g. CN).</p>
<p>A second vulnerability, related to the nick matching code,
could be triggered by remote attackers in order to crash
an irssi client when leaving a channel.</p>
</body>
</description>
<references>
<cvename>CVE-2010-1155</cvename>
<cvename>CVE-2010-1156</cvename>
<url>http://xforce.iss.net/xforce/xfdb/57790</url>
<url>http://xforce.iss.net/xforce/xfdb/57791</url>
</references>
<dates>
<discovery>2010-04-16</discovery>
<entry>2010-04-19</entry>
</dates>
</vuln>
<vuln vid="a30573dc-4893-11df-a5f9-001641aeabdf">
<topic>krb5 -- remote denial of service vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><le>1.6.3_9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An authenticated remote attacker can cause a denial
of service by using a newer version of the kadmin protocol
than the server supports.</p>
<p>The MIT Kerberos team also reports the cause:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt">
<p>The Kerberos administration daemon (kadmind) can crash
due to referencing freed memory.</p>
</blockquote>
</body>
</description>
<references>
<bid>39247</bid>
<cvename>CVE-2010-0629</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt</url>
</references>
<dates>
<discovery>2010-04-06</discovery>
<entry>2010-04-18</entry>
</dates>
</vuln>
<vuln vid="9ac0f9c4-492b-11df-83fb-0015587e2cc1">
<topic>krb5 -- multiple denial of service vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range>
<ge>1.7</ge><le>1.7_2</le>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two vulnerabilities in krb5 can be used by remote
attackers in denial of service attacks. The MIT security
advisories report this as follows:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt">
<p>An unauthenticated remote attacker can send an invalid
request to a KDC process that will cause it to crash
due to an assertion failure, creating a denial of
service.</p>
</blockquote>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt">
<p>An unauthenticated remote attacker could cause a GSS-API
application, including the Kerberos administration
daemon (kadmind) to crash.</p>
</blockquote>
</body>
</description>
<references>
<bid>38260</bid>
<bid>38904</bid>
<cvename>CVE-2010-0283</cvename>
<cvename>CVE-2010-0628</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt</url>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt</url>
</references>
<dates>
<discovery>2010-04-23</discovery>
<entry>2010-04-18</entry>
</dates>
</vuln>
<vuln vid="5053420c-4935-11df-83fb-0015587e2cc1">
<topic>mahara -- sql injection vulnerability</topic>
<affects>
<package>
<name>mahara</name>
<range><lt>1.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Debian security team reports:</p>
<blockquote cite="http://www.debian.org/security/2010/dsa-2030">
<p>It was discovered that mahara, an electronic portfolio,
weblog, and resume builder, is not properly escaping input
when generating a unique username based on a remote user
name from a single sign-on application. An attacker can
use this to compromise the mahara database via crafted
user names.</p>
</blockquote>
</body>
</description>
<references>
<bid>39253</bid>
<cvename>CVE-2010-0400</cvename>
<url>http://www.debian.org/security/2010/dsa-2030</url>
</references>
<dates>
<discovery>2010-04-06</discovery>
<entry>2010-04-18</entry>
</dates>
</vuln>
<vuln vid="1a9f678d-48ca-11df-85f8-000c29a67389">
<topic>sudo -- Privilege escalation with sudoedit</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="">
<p>Sudo's command matching routine expects actual commands to include
one or more slash ('/') characters. The flaw is that sudo's path
resolution code did not add a "./" prefix to commands found in the
current working directory. This creates an ambiguity between a
"sudoedit" command found in the cwd and the "sudoedit"
pseudo-command in the sudoers file. As a result, a user may be
able to run an arbitrary command named "sudoedit" in the current
working directory. For the attack to be successful, the PATH
environment variable must include "." and may not include any other
directory that contains a "sudoedit" command.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1163</cvename>
<url>http://www.sudo.ws/pipermail/sudo-announce/2010-April/000093.html</url>
<url>http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html</url>
</references>
<dates>
<discovery>2010-04-09</discovery>
<entry>2010-04-15</entry>
</dates>
</vuln>
<vuln vid="3987c5d1-47a9-11df-a0d5-0016d32f24fb">
<topic>KDM -- local privilege escalation vulnerability</topic>
<affects>
<package>
<name>kdebase</name>
<range><le>3.5.10_6</le></range>
</package>
<package>
<name>kdebase-workspace</name>
<range><le>4.3.5_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>KDE Security Advisory reports:</p>
<blockquote cite="http://www.kde.org/info/security/advisory-20100413-1.txt">
<p>KDM contains a race condition that allows local attackers
to make arbitrary files on the system world-writeable.
This can happen while KDM tries to create its control
socket during user login. A local attacker with a valid
local account can under certain circumstances make use of
this vulnerability to execute arbitrary code as root.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0436</cvename>
<url>http://www.kde.org/info/security/advisory-20100413-1.txt</url>
</references>
<dates>
<discovery>2010-04-13</discovery>
<entry>2010-04-14</entry>
<modified>2010-04-14</modified>
</dates>
</vuln>
<vuln vid="805603a1-3e7a-11df-a5a1-0050568452ac">
<topic>dojo -- cross-site scripting and other vulnerabilities</topic>
<affects>
<package>
<name>dojo</name>
<range><lt>1.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Dojo Toolkit team reports:</p>
<blockquote cite="http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/">
<p>Some PHP files did not properly escape input.</p>
<p>Some files could operate like "open redirects". A bad actor
could form a URL that looks like it came from a trusted
site, but the user would be redirected or load content from
the bad actor's site.</p>
<p>A file exposed a more serious cross-site scripting
vulnerability with the possibility of executing code on the
domain where the file exists.</p>
<p>The Dojo build process defaulted to copying over tests and
demos, which are normally not needed and just increased the
number of files that could be targets of attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/</url>
<url>http://osdir.com/ml/bugtraq.security/2010-03/msg00133.html</url>
<url>http://packetstormsecurity.org/1003-exploits/dojo-xss.txt</url>
<url>http://secunia.com/advisories/38964</url>
<url>http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/</url>
</references>
<dates>
<discovery>2010-03-11</discovery>
<entry>2010-04-06</entry>
</dates>
</vuln>
<vuln vid="8ad1c404-3e78-11df-a5a1-0050568452ac">
<topic>Zend Framework -- security issues in bundled Dojo library</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.10.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-07">
<p>Several files in the bundled Dojo library were identified
as having potential exploits, and the Dojo team also advised
disabling or removing any PHP scripts in the Dojo library tree
when deploying to production.</p>
</blockquote>
</body>
</description>
<references>
<url>http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/</url>
<url>http://framework.zend.com/security/advisory/ZF2010-07</url>
<url>http://osdir.com/ml/bugtraq.security/2010-03/msg00133.html</url>
<url>http://packetstormsecurity.org/1003-exploits/dojo-xss.txt</url>
<url>http://secunia.com/advisories/38964</url>
<url>http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/</url>
</references>
<dates>
<discovery>2010-04-01</discovery>
<entry>2010-04-06</entry>
</dates>
</vuln>
<vuln vid="ec8f449f-40ed-11df-9edc-000f20797ede">
<topic>firefox -- Re-use of freed object due to scope confusion</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6,1</gt><lt>3.6.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-25 Re-use of freed object due to scope confusion</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1121</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-25.html</url>
</references>
<dates>
<discovery>2010-04-01</discovery>
<entry>2010-04-05</entry>
</dates>
</vuln>
<vuln vid="9ccfee39-3c3b-11df-9edc-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>seamonkey</name>
<range><gt>2.0</gt><lt>2.0.4</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.4</lt></range>
</package>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.9,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.19,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.0.19,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy</p>
<p>MFSA 2010-23 Image src redirect to mailto: URL opens email editor</p>
<p>MFSA 2010-22 Update NSS to support TLS renegotiation indication</p>
<p>MFSA 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy</p>
<p>MFSA 2010-20 Chrome privilege escalation via forced URL drag and drop</p>
<p>MFSA 2010-19 Dangling pointer vulnerability in nsPluginArray</p>
<p>MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView</p>
<p>MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection</p>
<p>MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0181</cvename>
<cvename>CVE-2009-3555</cvename>
<cvename>CVE-2010-0179</cvename>
<cvename>CVE-2010-0178</cvename>
<cvename>CVE-2010-0177</cvename>
<cvename>CVE-2010-0176</cvename>
<cvename>CVE-2010-0175</cvename>
<cvename>CVE-2010-0174</cvename>
<cvename>CVE-2010-0173</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-24.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-23.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-22.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-21.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-20.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-19.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-18.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-17.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-16.html</url>
</references>
<dates>
<discovery>2010-03-30</discovery>
<entry>2010-03-30</entry>
</dates>
</vuln>
<vuln vid="e050119b-3856-11df-b2b2-002170daae37">
<topic>postgresql -- bitsubstr overflow</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><ge>7.4</ge><lt>7.4.28</lt></range>
<range><ge>8.0</ge><lt>8.0.24</lt></range>
<range><ge>8.1</ge><lt>8.1.20</lt></range>
<range><ge>8.2</ge><lt>8.2.16</lt></range>
<range><ge>8.3</ge><lt>8.3.10</lt></range>
<range><ge>8.4</ge><lt>8.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BugTraq reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/37973">
<p>PostgreSQL is prone to a buffer-overflow
vulnerability because the application fails to
perform adequate boundary checks on user-supplied
data.</p>
<p>Attackers can exploit this issue to execute
arbitrary code with elevated privileges or
crash the affected application.</p>
</blockquote>
</body>
</description>
<references>
<bid>37973</bid>
<cvename>CVE-2010-0442</cvename>
</references>
<dates>
<discovery>2010-01-27</discovery>
<entry>2010-03-25</entry>
</dates>
</vuln>
<vuln vid="c175d72f-3773-11df-8bb8-0211d880e350">
<topic>gtar -- buffer overflow in rmt client</topic>
<affects>
<package>
<name>gtar</name>
<range><lt>1.22_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakob Lell reports:</p>
<blockquote cite="http://www.agrs.tu-berlin.de/index.php?id=78327">
<p>The rmt client implementation of GNU Tar/Cpio contains
a heap-based buffer overflow which possibly allows
arbitrary code execution.</p>
<p>The problem can be exploited when using an
untrusted/compromised rmt server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0624</cvename>
<url>http://www.agrs.tu-berlin.de/index.php?id=78327</url>
</references>
<dates>
<discovery>2010-03-24</discovery>
<entry>2010-03-24</entry>
</dates>
</vuln>
<vuln vid="5d5ed535-3653-11df-9edc-000f20797ede">
<topic>firefox -- WOFF heap corruption due to integer overflow</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6,1</gt><lt>3.6.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-08 WOFF heap corruption due to integer overflow</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1028</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-08.html</url>
</references>
<dates>
<discovery>2010-03-22</discovery>
<entry>2010-03-23</entry>
</dates>
</vuln>
<vuln vid="56cfe192-329f-11df-abb2-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>1.1.19</lt></range>
</package>
<package>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>2.0.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-07 Fixes for potentially exploitable crashes ported to the legacy branch</p>
<p>MFSA 2010-06 Scriptable plugin execution in SeaMonkey mail</p>
<p>MFSA 2009-68 NTLM reflection vulnerability</p>
<p>MFSA 2009-62 Download filename spoofing with RTL override</p>
<p>MFSA 2009-59 Heap buffer overflow in string to number conversion</p>
<p>MFSA 2009-49 TreeColumns dangling pointer vulnerability</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0161</cvename>
<cvename>CVE-2010-0163</cvename>
<cvename>CVE-2009-3075</cvename>
<cvename>CVE-2009-3072</cvename>
<cvename>CVE-2009-2463</cvename>
<cvename>CVE-2009-3385</cvename>
<cvename>CVE-2009-3983</cvename>
<cvename>CVE-2009-3376</cvename>
<cvename>CVE-2009-0689</cvename>
<cvename>CVE-2009-3077</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-07.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-06.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-68.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-62.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-59.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-49.html</url>
</references>
<dates>
<discovery>2010-03-16</discovery>
<entry>2010-03-19</entry>
</dates>
</vuln>
<vuln vid="e39caf05-2d6f-11df-aec2-000c29ba66d2">
<topic>egroupware -- two vulnerabilities</topic>
<affects>
<package>
<name>egroupware</name>
<range><lt>1.6.003</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>EGroupware Team reports:</p>
<blockquote cite="http://www.egroupware.org/Home?category_id=95&amp;item=93">
<p>Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:</p>
<p>Serious remote command execution (allowing to run arbitrary command
on the web server by simply issuing a HTTP request!).</p>
<p>A reflected cross-site scripting (XSS).</p>
<p>Both require NO valid EGroupware account and work without being logged
in!</p>
</blockquote>
</body>
</description>
<references>
<bid>38609</bid>
<url>http://secunia.com/advisories/38859/</url>
<url>http://www.egroupware.org/Home?category_id=95&amp;item=93</url>
</references>
<dates>
<discovery>2010-03-09</discovery>
<entry>2010-03-11</entry>
</dates>
</vuln>
<vuln vid="b3531fe1-2b03-11df-b6db-00248c9b4be7">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal5</name>
<range><lt>5.22</lt></range>
</package>
<package>
<name>drupal6</name>
<range><lt>6.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Team reports:</p>
<blockquote cite="http://drupal.org/node/731710">
<p>A user-supplied value is directly output during installation
allowing a malicious user to craft a URL and perform a cross-site
scripting attack. The exploit can only be conducted on sites not yet
installed.</p>
<p>The API function drupal_goto() is susceptible to a phishing attack.
An attacker could formulate a redirect in a way that gets the Drupal
site to send the user to an arbitrarily provided URL. No user
submitted data will be sent to that URL.</p>
<p>Locale module and dependent contributed modules do not sanitize the
display of language codes, native and English language names properly.
While these usually come from a preselected list, arbitrary
administrator input is allowed. This vulnerability is mitigated by the
fact that the attacker must have a role with the 'administer
languages' permission.</p>
<p>Under certain circumstances, a user with an open session that is
blocked can maintain his/her session on the Drupal site, despite being
blocked.</p>
</blockquote>
</body>
</description>
<references>
<url>http://drupal.org/node/731710</url>
</references>
<dates>
<discovery>2010-03-03</discovery>
<entry>2010-03-08</entry>
</dates>
</vuln>
<vuln vid="018a84d0-2548-11df-b4a3-00e0815b8da8">
<topic>sudo -- Privilege escalation with sudoedit</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="">
<p>When sudo performs its command matching, there is a special case
for pseudo-commands in the sudoers file (currently, the only
pseudo-command is sudoedit). Unlike a regular command,
pseudo-commands do not begin with a slash ('/'). The flaw is that
sudo's matching code would only check against the list of
pseudo-commands if the user-specified command also contained no
slashes. As a result, if the user ran "sudo ./sudoedit" the normal
matching code path was followed, which uses stat(2) to verify that
the user-specified command matches the one in sudoers. In this
case, it would compare the "./sudoedit" specified by the user with
"sudoedit" from the sudoers file, resulting in a positive
match.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.sudo.ws/pipermail/sudo-announce/2010-February/000092.html</url>
<url>http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html</url>
<url>http://secunia.com/advisories/38659</url>
<cvename>CVE-2010-0426</cvename>
<bid>38362</bid>
</references>
<dates>
<discovery>2010-01-29</discovery>
<entry>2010-03-01</entry>
</dates>
</vuln>
<vuln vid="c97d7a37-2233-11df-96dd-001b2134ef46">
<topic>openoffice.org -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openoffice.org</name>
<range><lt>3.2.0</lt></range>
<range><ge>3.2.20010101</ge><lt>3.2.20100203</lt></range>
<range><ge>3.3.20010101</ge><lt>3.3.20100207</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenOffice.org Security Team reports:</p>
<blockquote cite="http://www.openoffice.org/security/bulletin.html">
<p>Fixed in OpenOffice.org 3.2</p>
<p>CVE-2006-4339: Potential vulnerability from 3rd party
libxml2 libraries</p>
<p>CVE-2009-0217: Potential vulnerability from 3rd party
libxmlsec libraries</p>
<p>CVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable
version of MSVC Runtime</p>
<p>CVE-2009-2949: Potential vulnerability related to XPM file
processing</p>
<p>CVE-2009-2950: Potential vulnerability related to GIF file
processing</p>
<p>CVE-2009-3301/2: Potential vulnerability related to MS-Word
document processing</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openoffice.org/security/bulletin.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2006-4339.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-0217.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2493.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2949.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2950.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html</url>
<cvename>CVE-2006-4339</cvename>
<cvename>CVE-2009-0217</cvename>
<cvename>CVE-2009-2493</cvename>
<cvename>CVE-2009-2949</cvename>
<cvename>CVE-2009-2950</cvename>
<cvename>CVE-2009-3301</cvename>
<cvename>CVE-2009-3302</cvename>
</references>
<dates>
<discovery>2006-08-24</discovery>
<entry>2010-02-25</entry>
<modified>2010-02-27</modified>
</dates>
</vuln>
<vuln vid="f82c85d8-1c6e-11df-abb2-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.8,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.18,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.0.18,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.8</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.3</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-05 XSS hazard using SVG document and binary Content-Type</p>
<p>MFSA 2010-04 XSS due to window.dialogArguments being readable cross-domain</p>
<p>MFSA 2010-03 Use-after-free crash in HTML parser</p>
<p>MFSA 2010-02 Web Worker Array Handling Heap Corruption Vulnerability</p>
<p>MFSA 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0159</cvename>
<cvename>CVE-2010-0160</cvename>
<cvename>CVE-2009-1571</cvename>
<cvename>CVE-2009-3988</cvename>
<cvename>CVE-2010-0162</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-01.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-02.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-03.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-04.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-05.html</url>
</references>
<dates>
<discovery>2010-02-17</discovery>
<entry>2010-02-18</entry>
<modified>2010-02-28</modified>
</dates>
</vuln>
<vuln vid="1a3bd81f-1b25-11df-bd1a-002170daae37">
<topic>lighttpd -- denial of service vulnerability</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Lighttpd security advisory reports:</p>
<blockquote cite="http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt">
<p>If you send the request data very slowly (e.g. sleep
0.01 after each byte), lighttpd will easily use all
available memory and die (especially for parallel
requests), allowing a DoS within minutes.</p>
</blockquote>
</body>
</description>
<references>
<bid>38036</bid>
<cvename>CVE-2010-0295</cvename>
<url>http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt</url>
</references>
<dates>
<discovery>2010-02-02</discovery>
<entry>2010-02-16</entry>
</dates>
</vuln>
<vuln vid="81d9dc0c-1988-11df-8e66-0019996bc1f7">
<topic>squid -- Denial of Service vulnerability in HTCP</topic>
<affects>
<package>
<name>squid</name>
<range><ge>2.7.1</ge><lt>2.7.7_4</lt></range>
<range><ge>3.0.1</ge><lt>3.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:2 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_2.txt">
<p>Due to incorrect processing Squid is vulnerable to a
denial of service attack when receiving specially crafted
HTCP packets.</p>
<p>This problem allows any machine to perform a denial
of service attack on the Squid service when its HTCP port
is open.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0639</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_2.txt</url>
</references>
<dates>
<discovery>2010-02-12</discovery>
<entry>2010-02-14</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="ff6519ad-18e5-11df-9bdd-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r262</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.0r45</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-06.html">
<p>A critical vulnerability has been identified in Adobe
Flash Player version 10.0.42.34 and earlier. This
vulnerability (CVE-2010-0186) could subvert the domain sandbox
and make unauthorized cross-domain requests. This update also
resolves a potential Denial of Service issue (CVE-2010-0187).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0186</cvename>
<cvename>CVE-2010-0187</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-06.html</url>
</references>
<dates>
<discovery>2010-02-11</discovery>
<entry>2010-02-13</entry>
</dates>
</vuln>
<vuln vid="0a82ac0c-1886-11df-b0d1-0015f2db7bde">
<topic>gnome-screensaver -- Multiple monitor hotplug issues</topic>
<affects>
<package>
<name>gnome-screensaver</name>
<range><lt>2.28.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ray Strode reports:</p>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=609337">
<p>Under certain circumstances it is possible to circumvent the security of the screen
locking functionality of gnome-screensaver by changing the system's physical
monitor configuration.</p>
</blockquote>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=609789">
<p>gnome-screensaver can lose its keyboard grab when locked, exposing the system
to intrusion by adding and removing monitors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0414</cvename>
<cvename>CVE-2010-0422</cvename>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=609337</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=609789</url>
</references>
<dates>
<discovery>2010-02-08</discovery>
<entry>2010-02-13</entry>
</dates>
</vuln>
<vuln vid="2a6a966f-1774-11df-b5c1-0026189baca3">
<topic>fetchmail -- heap overflow on verbose X.509 display</topic>
<affects>
<package>
<name>fetchmail</name>
<range><ge>6.3.11</ge><lt>6.3.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2010-01.txt">
<p>In verbose mode, fetchmail prints X.509 certificate subject and
issuer information to the user, and counts and allocates a malloc()
buffer for that purpose.</p>
<p>If the material to be displayed contains characters with high bit
set and the platform treats the "char" type as signed, this can cause
a heap buffer overrun because non-printing characters are escaped as
\xFF..FFnn, where nn is 80..FF in hex.</p>
</blockquote>
</body>
</description>
<references>
<bid>38088</bid>
<cvename>CVE-2010-0562</cvename>
<url>http://www.fetchmail.info/fetchmail-SA-2010-01.txt</url>
<mlist msgid="20100205014643.GA25506@merlin.emma.line.org">https://lists.berlios.de/pipermail/fetchmail-announce/2010-February/000073.html</mlist>
</references>
<dates>
<discovery>2010-02-04</discovery>
<entry>2010-02-12</entry>
</dates>
</vuln>
<vuln vid="bb0a8795-15dc-11df-bf0a-002170daae37">
<topic>wireshark -- LWRES vulnerability</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<range><lt>1.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark project reports:</p>
<blockquote cite="http://www.wireshark.org/security/wnpa-sec-2010-02.html">
<p>Babi discovered several buffer overflows in the
LWRES dissector.</p>
<p>It may be possible to make Wireshark crash remotely
or by convincing someone to read a malformed packet
trace file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0304</cvename>
<url>http://secunia.com/advisories/38257/</url>
<url>http://www.wireshark.org/security/wnpa-sec-2010-02.html</url>
</references>
<dates>
<discovery>2010-01-27</discovery>
<entry>2010-02-10</entry>
</dates>
</vuln>
<vuln vid="6b575419-14cf-11df-a628-001517351c22">
<topic>otrs -- SQL injection</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>2.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2010-01-en/">
<p>Missing security quoting for SQL statements allows agents and
customers to manipulate SQL queries. So it's possible for
authenticated users to inject SQL queries
via string manipulation of statements.</p>
<p>A malicious user may be able to manipulate SQL queries to read
or modify records in the database. This way it could also be
possible to get access to more permissions (e.g. administrator
permissions).</p>
<p>To use this vulnerability the malicious user needs to have
a valid Agent- or Customer-session.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0438</cvename>
<url>http://otrs.org/advisory/OSA-2010-01-en/</url>
</references>
<dates>
<discovery>2010-02-08</discovery>
<entry>2010-02-08</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="cae01d7b-110d-11df-955a-00219b0fc4d8">
<topic>apache -- Prevent chunk-size integer overflow on platforms where sizeof(int) &lt; sizeof(long)</topic>
<affects>
<package>
<name>apache</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+mod_perl</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+ipv6</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache_fp</name>
<range><ge>0</ge></range>
</package>
<package>
<name>ru-apache</name>
<range><lt>1.3.42+30.23</lt></range>
</package>
<package>
<name>ru-apache+mod_ssl</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+ssl</name>
<range><lt>1.3.42.1.57_2</lt></range>
</package>
<package>
<name>apache+mod_ssl</name>
<name>apache+mod_ssl+ipv6</name>
<name>apache+mod_ssl+mod_accel</name>
<name>apache+mod_ssl+mod_accel+ipv6</name>
<name>apache+mod_ssl+mod_accel+mod_deflate</name>
<name>apache+mod_ssl+mod_accel+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_deflate</name>
<name>apache+mod_ssl+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_snmp</name>
<name>apache+mod_ssl+mod_snmp+mod_accel</name>
<name>apache+mod_ssl+mod_snmp+mod_accel+ipv6</name>
<name>apache+mod_ssl+mod_snmp+mod_deflate</name>
<name>apache+mod_ssl+mod_snmp+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6</name>
<range><lt>1.3.41+2.8.27_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache ChangeLog reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_1.3.42">
<p>Integer overflow in the ap_proxy_send_fb function in
proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before
1.3.42 on 64-bit platforms allows remote origin servers to cause a
denial of service (daemon crash) or possibly execute arbitrary code
via a large chunk size that triggers a heap-based buffer overflow.</p>
</blockquote>
</body>
</description>
<references>
<url>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0010</url>
<url>http://www.security-database.com/detail.php?alert=CVE-2010-0010</url>
<url>http://security-tracker.debian.org/tracker/CVE-2010-0010</url>
<url>http://www.vupen.com/english/Reference-CVE-2010-0010.php</url>
</references>
<dates>
<discovery>2009-06-30</discovery>
<entry>2010-02-03</entry>
<modified>2010-02-03</modified>
</dates>
</vuln>
<vuln vid="296ecb59-0f6b-11df-8bab-0019996bc1f7">
<topic>squid -- Denial of Service vulnerability in DNS handling</topic>
<affects>
<package>
<name>squid</name>
<range><ge>2.7.1</ge><lt>2.7.7_3</lt></range>
<range><ge>3.0.1</ge><lt>3.0.23</lt></range>
<range><ge>3.1.0.1</ge><lt>3.1.0.15_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:1 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_1.txt">
<p>Due to incorrect data validation Squid is vulnerable to a denial
of service attack when processing specially crafted DNS packets.</p>
<p>This problem allows any trusted client or external server who can
determine the squid receiving port to perform a short-term denial
of service attack on the Squid service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0308</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_1.txt</url>
</references>
<dates>
<discovery>2010-01-14</discovery>
<entry>2010-02-01</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="696053c6-0f50-11df-a628-001517351c22">
<topic>bugzilla -- information leak</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>3.3.1</gt><lt>3.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.0.10/">
<p>When moving a bug from one product to another, an intermediate
page is displayed letting you select the groups the bug should
be restricted to in the new product. However, a regression in
the 3.4.x series made it ignore all groups which are not
available in both products. As a workaround, you had to move
the bug to the new product first and then restrict it to the
desired groups, in two distinct steps, which could make the bug
temporarily public.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3387</cvename>
<url>http://www.bugzilla.org/security/3.0.10/</url>
</references>
<dates>
<discovery>2010-01-31</discovery>
<entry>2010-02-01</entry>
</dates>
</vuln>
<vuln vid="192609c8-0c51-11df-82a0-00248c9b4be7">
<topic>ircd-ratbox -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ircd-ratbox</name>
<range><lt>2.2.9</lt></range>
</package>
<package>
<name>ircd-ratbox-devel</name>
<range><lt>3.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/509201">
<p>The first affects the /quote HELP module and allows a user
to trigger an IRCD crash on some platforms.</p>
<p>The second affects the /links processing module when the
flatten_links configuration option is not enabled.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4016</cvename>
<cvename>CVE-2010-0300</cvename>
<url>http://www.debian.org/security/2010/dsa-1980</url>
<url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000890.html</url>
<url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000891.html</url>
</references>
<dates>
<discovery>2010-01-25</discovery>
<entry>2010-01-28</entry>
</dates>
</vuln>
<vuln vid="848539dc-0458-11df-8dd7-002170daae37">
<topic>dokuwiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20091225_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dokuwiki reports:</p>
<blockquote cite="http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1853">
<p>The plugin does no checks against cross-site request
forgeries (CSRF) which can be exploited to e.g. change
the access control rules by tricking a logged in
administrator into visiting a malicious web site.</p>
</blockquote>
<blockquote cite="http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1847">
<p>The bug allows listing the names of arbitrary files on
the webserver - not their contents. This could leak
private information about wiki pages and server structure.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0288</cvename>
<cvename>CVE-2010-0287</cvename>
<cvename>CVE-2010-0289</cvename>
<url>http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1847</url>
<url>http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1853</url>
</references>
<dates>
<discovery>2010-01-17</discovery>
<entry>2010-01-18</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="c9263916-006f-11df-94cb-0050568452ac">
<topic>Zend Framework -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.9.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-06">
<p>Potential XSS or HTML Injection vector in Zend_Json.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-05">
<p>Potential XSS vector in Zend_Service_ReCaptcha_MailHide.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-04">
<p>Potential MIME-type Injection in Zend_File_Transfer
Executive Summary.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-03">
<p>Potential XSS vector in Zend_Filter_StripTags when
comments allowed.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-02">
<p>Potential XSS vector in Zend_Dojo_View_Helper_Editor.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-01">
<p>Potential XSS vectors due to inconsistent encodings.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2009-02">
<p>XSS vector in Zend_Filter_StripTags.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2009-01">
<p>LFI vector in Zend_View::setScriptPath() and render().</p>
</blockquote>
</body>
</description>
<references>
<url>http://framework.zend.com/security/advisory/ZF2010-06</url>
<url>http://framework.zend.com/security/advisory/ZF2010-05</url>
<url>http://framework.zend.com/security/advisory/ZF2010-04</url>
<url>http://framework.zend.com/security/advisory/ZF2010-03</url>
<url>http://framework.zend.com/security/advisory/ZF2010-02</url>
<url>http://framework.zend.com/security/advisory/ZF2010-01</url>
<url>http://framework.zend.com/security/advisory/ZF2009-02</url>
<url>http://framework.zend.com/security/advisory/ZF2009-01</url>
</references>
<dates>
<discovery>2009-12-31</discovery>
<entry>2010-01-11</entry>
</dates>
</vuln>
<vuln vid="dd8f2394-fd08-11de-b425-00215c6a37bb">
<topic>powerdns-recursor -- multiple vulnerabilities</topic>
<affects>
<package>
<name>powerdns-recursor</name>
<range><lt>3.1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PowerDNS Security Advisory reports:</p>
<blockquote cite="http://doc.powerdns.com/powerdns-advisory-2010-01.html">
<p>PowerDNS Recursor up to and including 3.1.7.1 can be
brought down and probably exploited.</p>
</blockquote>
<blockquote cite="http://doc.powerdns.com/powerdns-advisory-2010-02.html">
<p>PowerDNS Recursor up to and including 3.1.7.1 can be
spoofed into accepting bogus data.</p>
</blockquote>
</body>
</description>
<references>
<bid>37650</bid>
<bid>37653</bid>
<cvename>CVE-2009-4010</cvename>
<cvename>CVE-2009-4009</cvename>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-01-09</entry>
</dates>
</vuln>
<vuln vid="56ba8728-f987-11de-b28d-00215c6a37bb">
<topic>PEAR -- Net_Ping and Net_Traceroute remote arbitrary command injection</topic>
<affects>
<package>
<name>pear-Net_Ping</name>
<range><lt>2.4.5</lt></range>
</package>
<package>
<name>pear-Net_Traceroute</name>
<range><lt>0.21.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PEAR Security Advisory reports:</p>
<blockquote cite="http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/">
<p>Multiple remote arbitrary command injections have been
found in Net_Ping and Net_Traceroute.</p>
<p>When input from forms is used directly, the attacker
could pass variables that would allow him to execute
remote arbitrary command injections.</p>
</blockquote>
</body>
</description>
<references>
<bid>37093</bid>
<bid>37094</bid>
<cvename>CVE-2009-4024</cvename>
<cvename>CVE-2009-4025</cvename>
<url>http://pear.php.net/advisory20091114-01.txt</url>
</references>
<dates>
<discovery>2009-11-14</discovery>
<entry>2010-01-04</entry>
</dates>
</vuln>
<vuln vid="751823d4-f189-11de-9344-00248c9b4be7">
<topic>drupal -- multiple cross-site scripting vulnerabilities</topic>
<affects>
<package>
<name>drupal5</name>
<range><lt>5.21</lt></range>
</package>
<package>
<name>drupal6</name>
<range><lt>6.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Team reports:</p>
<blockquote cite="http://drupal.org/node/661586">
<p>The Contact module does not correctly handle certain user input
when displaying category information. Users privileged to create
contact categories can insert arbitrary HTML and script code into the
contact module administration page. Such a cross-site scripting attack
may lead to the malicious user gaining administrative access.</p>
<p>The Menu module does not correctly handle certain user input when
displaying the menu administration overview. Users privileged to
create new menus can insert arbitrary HTML and script code into the
menu module administration page. Such a cross-site scripting attack
may lead to the malicious user gaining administrative access.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4370</cvename>
<url>http://drupal.org/node/661586</url>
</references>
<dates>
<discovery>2009-12-16</discovery>
<entry>2009-12-25</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>
<vuln vid="4d6076fe-ee7a-11de-9cd0-001a926c7637">
<topic>fuser -- missing user's privileges check</topic>
<affects>
<package>
<name>fuser</name>
<range><lt>1142334561_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Denis Barov reports:</p>
<blockquote cite="http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/141852">
<p>sysutils/fuser allows a user to send any signal to any process when
installed with the suid bit.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/141852</url>
</references>
<dates>
<discovery>2009-09-15</discovery>
<entry>2009-12-21</entry>
</dates>
</vuln>
<vuln vid="4465c897-ee5c-11de-b6ef-00215c6a37bb">
<topic>monkey -- improper input validation vulnerability</topic>
<affects>
<package>
<name>monkey</name>
<range><lt>0.9.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Census Labs reports:</p>
<blockquote cite="http://census-labs.com/news/2009/12/14/monkey-httpd/">
<p>We have discovered a remotely exploitable
"improper input validation" vulnerability in the Monkey
web server that allows an attacker to perform denial of
service attacks by repeatedly crashing worker threads
that process HTTP requests.</p>
</blockquote>
</body>
</description>
<references>
<url>http://census-labs.com/news/2009/12/14/monkey-httpd/</url>
<url>http://groups.google.com/group/monkeyd/browse_thread/thread/055b4e9b83973861/</url>
</references>
<dates>
<discovery>2009-12-14</discovery>
<entry>2009-12-21</entry>
</dates>
</vuln>
<vuln vid="39a25a63-eb5c-11de-b650-00215c6a37bb">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.2.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PHP developers report:</p>
<blockquote cite="http://www.php.net/releases/5_2_12.php">
<p>This release focuses on improving the stability of the
PHP 5.2.x branch with over 60 bug fixes, some of which
are security related. All users of PHP 5.2 are encouraged
to upgrade to this release.</p>
<p>Security Enhancements and Fixes in PHP 5.2.12:</p>
<ul>
<li>Fixed a safe_mode bypass in tempnam() identified by
Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)</li>
<li>Fixed an open_basedir bypass in posix_mkfifo()
identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)</li>
<li>Added "max_file_uploads" INI directive, which can
be set to limit the number of file uploads per-request
to 20 by default, to prevent possible DOS via temporary
file exhaustion, identified by Bogdan Calin.
(CVE-