WordPress -- cross site scripting vulnerability wordpress 3.3.1,1 de-wordpress zh-wordpress-zh_CN zh-wordpress-zh_TW 3.3.1

WordPress development team reports:

WordPress 3.3.1 is now available. This maintenance release fixes 15 issues with WordPress 3.3, as well as a fix for a cross-site scripting vulnerability that affected version 3.3. Thanks to Joshua H., Hoang T., Stefan Zimmerman, Chris K., and the Go Daddy security team for responsibly disclosing the bug to our security team.

http://threatpost.com/en_us/blogs/xss-bug-found-wordpress-33-010312 2012-01-03 2012-01-03
zabbix-frontend -- multiple XSS vulnerabilities zabbix-frontend 1.8.10,2

Martina Matari reports:

These URLs (hostgroups.php, usergrps.php) are vulnerable to persistent XSS attacks due to improper sanitization of the gname variable when creating user and host groups.

https://support.zabbix.com/browse/ZBX-4015 2011-08-04 2011-12-29
lighttpd -- remote DoS in HTTP authentication lighttpd 1.4.30

US-CERT/NIST reports:

Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.

CVE-2011-4362 2011-11-29 2011-12-28
krb5-appl -- telnetd code execution vulnerability FreeBSD 7.37.3_9 7.47.4_5 8.18.1_7 8.28.2_5 krb5-appl 1.0.2_1

The MIT Kerberos Team reports:

When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer. Also see MITKRB5-SA-2011-008.

SA-11:08.telnetd CVE-2011-4862 http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt 2011-12-23 2011-12-26 2012-01-29
proftpd -- arbitrary code execution vulnerability with chroot FreeBSD 7.37.3_9 7.47.4_5 8.18.1_6 8.28.2_5 proftpd proftpd-mysql 1.3.3g_1 proftpd-devel 1.3.3.r4_3,1

The FreeBSD security advisory FreeBSD-SA-11:07.chroot reports:

If ftpd is configured to place a user in a chroot environment, then an attacker who can log in as that user may be able to run arbitrary code(...).

ProFTPD is affected by a problem of the same nature.

SA-11:07.chroot http://seclists.org/fulldisclosure/2011/Nov/452 2011-11-30 2011-12-23 2012-01-29
phpMyAdmin -- Multiple XSS phpMyAdmin 3.43.4.9.r1

The phpMyAdmin development team reports:

Using crafted url parameters, it was possible to produce XSS on the export panels in the server, database and table sections.

Crafted values entered in the setup interface can produce XSS; also, if the config directory exists and is writeable, the XSS payload can be saved to this directory.

CVE-2011-4780 CVE-2011-4782 http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php 2011-12-16 2011-12-22
mozilla -- multiple vulnerabilities firefox 4.0,19.0,1 linux-firefox 9.0,1 linux-seamonkey 2.6 linux-thunderbird 9.0 seamonkey 2.6 thunderbird 4.09.0

The Mozilla Project reports:

MFSA 2011-53 Miscellaneous memory safety hazards (rv:9.0)

MFSA 2011-54 Potentially exploitable crash in the YARR regular expression library

MFSA 2011-55 nsSVGValue out-of-bounds access

MFSA 2011-56 Key detection without JavaScript via SVG animation

MFSA 2011-58 Crash scaling video to extreme sizes

CVE-2011-3658 CVE-2011-3660 CVE-2011-3661 CVE-2011-3663 CVE-2011-3665 http://www.mozilla.org/security/announce/2011/mfsa2011-53.html http://www.mozilla.org/security/announce/2011/mfsa2011-54.html http://www.mozilla.org/security/announce/2011/mfsa2011-55.html http://www.mozilla.org/security/announce/2011/mfsa2011-56.html http://www.mozilla.org/security/announce/2011/mfsa2011-58.html 2011-12-20 2011-12-21 2011-12-21
unbound -- denial of service vulnerabilities from nonstandard redirection and denial of existence unbound 1.4.14

Unbound developer reports:

Unbound crashes when confronted with a non-standard response from a server for a domain. This domain produces duplicate RRs from a certain type and is DNSSEC signed. Unbound also crashes when confronted with a query that eventually, and under specific circumstances, resolves to a domain that misses expected NSEC3 records.

CVE-2011-4528 http://unbound.nlnetlabs.nl/downloads/CVE-2011-4528.txt 2011-12-19 2011-12-19
typo3 -- Remote Code Execution typo3 4.64.6.2 4.5.9

The typo3 security team reports:

A crafted request to a vulnerable TYPO3 installation will allow an attacker to load PHP code from an external source and to execute it on the TYPO3 installation.

This is caused by a PHP file, which is part of the workspaces system extension, that does not validate passed arguments.

CVE-2011-4614 http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2011-004/ 2011-12-16 2011-12-18
krb5 -- KDC null pointer dereference in TGS handling krb5 1.91.9.2_1

The MIT Kerberos Team reports:

In releases krb5-1.9 and later, the KDC can crash due to a NULL pointer dereference in code that handles TGS (Ticket Granting Service) requests. The trigger condition is trivial to produce using unmodified client software, but requires the ability to authenticate as a principal in the KDC's realm.

CVE-2011-1530 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-007.txt 2011-12-11 2011-12-14
opera -- multiple vulnerabilities opera linux-opera 11.60 opera-devel 11.60,1

Opera software reports:

  • Fixed a moderately severe issue; details will be disclosed at a later date
  • Fixed an issue that could allow pages to set cookies or communicate cross-site for some top level domains; see our advisory
  • Improved handling of certificate revocation corner cases
  • Added a fix for a weakness in the SSL v3.0 and TLS 1.0 specifications, as reported by Thai Duong and Juliano Rizzo; see our advisory
  • Fixed an issue where the JavaScript "in" operator allowed leakage of cross-domain information, as reported by David Bloom; see our advisory
CVE-2011-3389 CVE-2011-4681 CVE-2011-4682 CVE-2011-4683 http://www.opera.com/support/kb/view/1003/ http://www.opera.com/support/kb/view/1004/ http://www.opera.com/support/kb/view/1005/ 2011-12-06 2011-12-13
PuTTY -- Password vulnerability putty 0.590.62

Simon Tatham reports:

PuTTY 0.62 fixes a security issue present in 0.59, 0.60 and 0.61. If you log in using SSH-2 keyboard-interactive authentication (which is the usual method used by modern servers to request a password), the password you type was accidentally kept in PuTTY's memory for the rest of its run, where it could be retrieved by other processes reading PuTTY's memory, or written out to swap files or crash dumps.

CVE-2011-4607 http://lists.tartarus.org/pipermail/putty-announce/2011/000017.html http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html 2011-12-10 2011-12-12 2013-08-07
asterisk -- Multiple Vulnerabilities asterisk18 1.8.7.2 asterisk16 1.6.2.21

Asterisk project reports:

It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header.

When the "automon" feature is enabled in features.conf, it is possible to send a sequence of SIP requests that cause Asterisk to dereference a NULL pointer and crash.

CVE-2011-4597 CVE-2011-4598 http://downloads.asterisk.org/pub/security/AST-2011-013.html http://downloads.asterisk.org/pub/security/AST-2011-014.html 2011-12-08 2011-12-09
isc-dhcp-server -- Remote DoS isc-dhcp42-server 4.2.3_1 isc-dhcp41-server 4.1.e_3,2

ISC reports:

A bug exists which allows an attacker who is able to send DHCP Request packets, either directly or through a relay, to remotely crash an ISC DHCP server if that server is configured to evaluate expressions using a regular expression (i.e. uses the "~=" or "~~" comparison operators).

CVE-2011-4539 2011-12-07 2011-12-07
phpMyAdmin -- Multiple XSS phpMyAdmin 3.43.4.8.r1

The phpMyAdmin development team reports:

Using crafted database names, it was possible to produce XSS in the Database Synchronize and Database rename panels. Using an invalid and crafted SQL query, it was possible to produce XSS when editing a query on a table overview panel or when using the view creation dialog. Using a crafted column type, it was possible to produce XSS in the table search and create index dialogs.

CVE-2011-4634 http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php 2011-11-24 2011-12-01
hiawatha -- memory leak in PreventSQLi routine hiawatha 7.67.8.2

Hugo Leisink reports via private mail to maintainer:

The memory leak was introduced in version 7.6. It is in the routine that checks for SQL injections. So, if you have set PreventSQLi to 'no', there is no problem.

http://www.hiawatha-webserver.org/changelog 2011-11-18 2011-11-18
BIND -- Remote DOS FreeBSD 7.37.3_9 7.47.4_5 8.18.1_7 8.28.2_5 bind96 9.6.3.1.ESV.R5.1 bind97 9.7.4.1 bind98 9.8.1.1

The Internet Systems Consortium reports:

Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9.

Because it may be possible to trigger this bug even on networks that do not allow untrusted users to access the recursive name servers (perhaps via specially crafted e-mail messages, and/or malicious web sites) it is recommended that ALL operators of recursive name servers upgrade immediately.

SA-11:06.bind CVE-2011-4313 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313 https://www.isc.org/software/bind/advisories/cve-2011-4313 2011-11-16 2011-11-16 2012-01-29
Apache 1.3 -- mod_proxy reverse proxy exposure apache 1.3.43 apache+ssl 1.3.43.1.59_2 apache+ipv6 1.3.43 apache+mod_perl 1.3.43 apache+mod_ssl 1.3.41+2.8.31_4 apache+mod_ssl+ipv6 1.3.41+2.8.31_4 ru-apache-1.3 1.3.43+30.23_1 ru-apache+mod_ssl 1.3.43+30.23_1

Apache HTTP server project reports:

An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with the proxy flag, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. There is no patch against this issue!

CVE-2011-3368 http://httpd.apache.org/security/vulnerabilities_13.html http://seclists.org/fulldisclosure/2011/Oct/232 2011-10-05 2011-11-14
kdeutils4 -- Directory traversal vulnerability kdeutils 4.0.*4.7.3

Tim Brown from Nth Dimention reports:

I recently discovered that the Ark archiving tool is vulnerable to directory traversal via malformed Zip files. When attempts are made to view files within the malformed Zip file in Ark's default view, the wrong file may be displayed due to incorrect construction of the temporary file name. Whilst this does not allow the wrong file to be overwritten, after closing the default view, Ark will then attempt to delete the temporary file, which could result in the deletion of the incorrect file.

CVE-2011-2725 http://seclists.org/fulldisclosure/2011/Oct/351 2011-10-19 2011-11-14
Apache APR -- DoS vulnerabilities apr0 0.9.20.0.9.19

The Apache Portable Runtime Project reports:

Reimplement apr_fnmatch() from scratch using a non-recursive algorithm; now has improved compliance with the fnmatch() spec.

CVE-2011-0419 http://www.apache.org/dist/apr/Announcement0.9.html 2011-05-19 2011-11-13
phpmyadmin -- Local file inclusion phpMyAdmin 3.43.4.7.1 3.3.10.5

Jan Lieskovsky reports:

Importing a specially-crafted XML file which contains an XML entity injection permits retrieving a local file (limited by the privileges of the user running the web server).

CVE-2011-4107 http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php 2011-11-10 2011-11-12
linux-flashplugin -- multiple vulnerabilities linux-f10-flashplugin 10.3r183.11 1111.1r102.55

Adobe Product Security Incident Response Team reports:

Critical vulnerabilities have been identified in Adobe Flash Player 11.0.1.152 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.0.1.153 and earlier versions for Android.

In addition, a patch was released for users of flash10.

CVE-2011-2445 CVE-2011-2450 CVE-2011-2451 CVE-2011-2452 CVE-2011-2453 CVE-2011-2454 CVE-2011-2455 CVE-2011-2456 CVE-2011-2457 CVE-2011-2458 CVE-2011-2459 CVE-2011-2460 https://www.adobe.com/support/security/bulletins/apsb11-28.html 2011-11-10 2011-11-11
libxml -- Integer overflow libxml 1.8.17_5 libxml2 linux-f10-libxml2 2.7.8

Integer overflow in xpath.c allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.

CVE-2011-1944 2011-09-02 2011-11-10 2011-11-12
libxml -- Multiple use-after-free vulnerabilities libxml 1.8.17_5

Multiple use-after-free vulnerabilities in libxml 1.8.17 that allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file.

CVE-2009-2416 2009-08-03 2011-11-10 2011-11-12
libxml -- Stack consumption vulnerability libxml 1.8.17_5

Stack consumption vulnerability allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD.

CVE-2009-2414 2009-08-03 2011-11-10 2011-11-12
gnutls -- client session resumption vulnerability gnutls 2.12.14

The GnuTLS team reports:

GNUTLS-SA-2011-2 Possible buffer overflow/Denial of service.

CVE-2011-4128 http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5596 2011-11-08 2011-11-10
mozilla -- multiple vulnerabilities firefox 4.0,18.0,1 3.6.*,13.6.24,1 libxul 1.9.2.*1.9.2.24 linux-firefox 8.0,1 linux-thunderbird 8.0 thunderbird 4.08.0 3.1.16

The Mozilla Project reports:

MFSA 2011-46 loadSubScript unwraps XPCNativeWrapper scope parameter (1.9.2 branch)

MFSA 2011-47 Potential XSS against sites using Shift-JIS

MFSA 2011-48 Miscellaneous memory safety hazards (rv:8.0)

MFSA 2011-49 Memory corruption while profiling using Firebug

MFSA 2011-50 Cross-origin data theft using canvas and Windows D2D

MFSA 2011-51 Cross-origin image theft on Mac with integrated Intel GPU

MFSA 2011-52 Code execution via NoWaiverWrapper

CVE-2011-3647 CVE-2011-3648 CVE-2011-3649 CVE-2011-3650 CVE-2011-3651 CVE-2011-3652 CVE-2011-3653 CVE-2011-3654 CVE-2011-3655 http://www.mozilla.org/security/announce/2011/mfsa2011-46.html http://www.mozilla.org/security/announce/2011/mfsa2011-47.html http://www.mozilla.org/security/announce/2011/mfsa2011-48.html http://www.mozilla.org/security/announce/2011/mfsa2011-49.html http://www.mozilla.org/security/announce/2011/mfsa2011-50.html http://www.mozilla.org/security/announce/2011/mfsa2011-51.html http://www.mozilla.org/security/announce/2011/mfsa2011-52.html 2011-11-08 2011-11-08
caml-light -- insecure use of temporary files caml-light 0.75

caml-light uses mktemp() insecurely, and also does unsafe things in /tmp during make install.

CVE-2011-4119 http://seclists.org/oss-sec/2011/q4/249 2011-11-02 2011-11-06
freetype -- Some type 1 fonts handling vulnerabilities freetype2 2.4.7

The FreeType project reports:

A couple of vulnerabilities in handling Type 1 fonts.

CVE-2011-3256 http://sourceforge.net/projects/freetype/files/freetype2/2.4.7/README/view https://bugzilla.redhat.com/attachment.cgi?id=528829&action=diff 2011-10-12 2011-11-01
cacti -- Multiple vulnerabilities cacti 0.8.7h

Cacti Group reports:

SQL injection issue with user login, and cross-site scripting issues.

http://www.cacti.net/release_notes_0_8_7h.php 2011-09-26 2011-10-26
phpmyfaq -- Remote PHP Code Injection Vulnerability phpmyfaq 2.6.19

The phpMyFAQ project reports:

The phpMyFAQ Team has learned of a serious security issue that has been discovered in our bundled ImageManager library we use in phpMyFAQ 2.6 and 2.7. The bundled ImageManager library allows injection of arbitrary PHP code via POST requests.

http://www.phpmyfaq.de/advisory_2011-10-25.php http://forum.phpmyfaq.de/viewtopic.php?f=3&t=13402 2011-10-25 2011-10-26
phpLDAPadmin -- Remote PHP code injection vulnerability phpldapadmin 1.2.01.2.1.1_1,1

EgiX (n0b0d13s at gmail dot com) reports:

The $sortby parameter passed to 'masort' function in file lib/functions.php isn't properly sanitized before being used in a call to create_function() at line 1080. This can be exploited to inject and execute arbitrary PHP code. The only possible attack vector is when handling the 'query_engine' command, in which input passed through $_REQUEST['orderby'] is passed as $sortby parameter to 'masort' function.

http://packetstormsecurity.org/files/106120/phpldapadmin-inject.txt http://sourceforge.net/tracker/?func=detail&aid=3417184&group_id=61828&atid=498546 2011-10-23 2011-10-24
kdelibs4, rekonq -- input validation failure kdelibs 4.0.*4.7.2 rekonq 0.8.0

KDE Security Advisory reports:

The default rendering type for a QLabel is QLabel::AutoText, which uses heuristics to determine whether to render the given content as plain text or rich text. KSSL and Rekonq did not properly force their QLabels to use QLabel::PlainText. As a result, if given a certificate containing rich text in its fields, they would render the rich text. Specifically, a certificate containing a common name (CN) that has a table element will cause the second line of the table to be displayed. This can allow spoofing of the certificate's common name.

http://www.kde.org/info/security/advisory-20111003-1.txt http://www.nth-dimension.org.uk/pub/NDSA20111003.txt.asc CVE-2011-3365 CVE-2011-3366 2011-10-03 2011-10-23
piwik -- unknown critical vulnerabilities piwik 1.11.6

Secunia reports:

Multiple vulnerabilities with an unknown impact have been reported in Piwik. The vulnerabilities are caused due to unspecified errors. No further information is currently available.

http://secunia.com/advisories/46461/ http://piwik.org/blog/2011/10/piwik-1-6/ 2011-10-18 2011-10-20
Xorg server -- two vulnerabilities in X server lock handling code xorg-server 1.7.7_3

Matthieu Herrb reports:

It is possible to deduce if a file exists or not by exploiting the way that Xorg creates its lock files. This is caused by the fact that the X server is behaving differently if the lock file already exists as a symbolic link pointing to an existing or non-existing file.

It is possible for a non-root user to set the permissions for all users on any file or directory to 444, giving unwanted read access or causing denial of service (by removing execute permission). This is caused by a race between creating the lock file and setting its access modes.

CVE-2011-4028 CVE-2011-4029 2011-10-18 2011-10-18
asterisk -- remote crash vulnerability in SIP channel driver asterisk18 1.8.*1.8.7.1 asterisk 10.0.0.*10.0.0.r1

Asterisk project reports:

A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable.

CVE-2011-4063 2011-10-17 2011-10-17
PivotX -- Remote File Inclusion Vulnerability of TimThumb pivotx 2.3.0

The PivotX team reports:

TimThumb domain name security bypass and insecure cache handling. PivotX before 2.3.0 includes a vulnerable version of TimThumb.

If you are still running PivotX 2.2.6, you might be vulnerable to a security exploit, that was patched previously. Version 2.3.0 doesn't have this issue, but any older version of PivotX might be vulnerable.

48963 https://secunia.com/advisories/45416/ 2011-08-03 2011-10-17
OpenTTD -- Multiple buffer overflows in validation of external data openttd 0.1.01.1.3

The OpenTTD Team reports:

Multiple buffer overflows in OpenTTD before 1.1.3 allow local users to cause a denial of service (daemon crash) or possibly gain privileges via (1) a crafted BMP file with RLE compression or (2) crafted dimensions in a BMP file.

CVE-2011-3343 http://security.openttd.org/en/CVE-2011-3343 2011-08-25 2011-10-16
OpenTTD -- Buffer overflows in savegame loading openttd 0.1.01.1.3

The OpenTTD Team reports:

Multiple buffer overflows in OpenTTD before 1.1.3 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors related to (1) NAME, (2) PLYR, (3) CHTS, or (4) AIPL (aka AI config) chunk loading from a savegame.

CVE-2011-3342 http://security.openttd.org/en/CVE-2011-3342 2011-08-08 2011-10-16
OpenTTD -- Denial of service via improperly validated commands openttd 0.3.51.1.3

The OpenTTD Team reports:

Multiple off-by-one errors in order_cmd.cpp in OpenTTD before 1.1.3 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted CMD_INSERT_ORDER command.

CVE-2011-3341 http://security.openttd.org/en/CVE-2011-3341 2011-08-25 2011-10-16
quagga -- multiple vulnerabilities quagga 0.99.19

CERT-FI reports:

Five vulnerabilities have been found in the BGP, OSPF, and OSPFv3 components of Quagga. The vulnerabilities allow an attacker to cause a denial of service or potentially to execute his own code by sending specially modified packets to an affected server. Routing messages are typically accepted from the routing peers. Exploiting these vulnerabilities may require an established routing session (BGP peering or OSPF/OSPFv3 adjacency) to the router.

The vulnerability CVE-2011-3327 is related to the extended communities handling in BGP messages. Receiving a malformed BGP update can result in a buffer overflow and disruption of IPv4 routing.

The vulnerability CVE-2011-3326 results from the handling of LSA (Link State Advertisement) states in the OSPF service. Receiving a modified Link State Update message with malicious state information can result in denial of service in IPv4 routing.

The vulnerability CVE-2011-3325 is a denial of service vulnerability related to Hello message handling by the OSPF service. As Hello messages are used to initiate adjacencies, exploiting the vulnerability may be feasible from the same broadcast domain without an established adjacency. A malformed packet may result in denial of service in IPv4 routing.

The vulnerabilities CVE-2011-3324 and CVE-2011-3323 are related to the IPv6 routing protocol (OSPFv3) implemented in ospf6d daemon. Receiving modified Database Description and Link State Update messages, respectively, can result in denial of service in IPv6 routing.

CVE-2011-3323 CVE-2011-3324 CVE-2011-3325 CVE-2011-3326 CVE-2011-3327 2011-09-26 2011-10-05
Mozilla -- multiple vulnerabilities firefox 4.0,17.0,1 3.6.*,13.6.23,1 libxul 1.9.2.*1.9.2.23 linux-firefox 7.0,1 linux-seamonkey 2.4 linux-thunderbird 7.0 seamonkey 2.4 thunderbird 4.07.0 3.1.15

The Mozilla Project reports:

MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)

MFSA 2011-37 Integer underflow when using JavaScript RegExp

MFSA 2011-38 XSS via plugins and shadowed window.location object

MFSA 2011-39 Defense against multiple Location headers due to CRLF Injection

MFSA 2011-40 Code installation through holding down Enter

MFSA 2011-41 Potentially exploitable WebGL crashes

MFSA 2011-42 Potentially exploitable crash in the YARR regular expression library

MFSA 2011-43 loadSubScript unwraps XPCNativeWrapper scope parameter

MFSA 2011-44 Use after free reading OGG headers

MFSA 2011-45 Inferring Keystrokes from motion data

CVE-2011-2372 CVE-2011-2995 CVE-2011-2996 CVE-2011-2997 CVE-2011-2999 CVE-2011-3000 CVE-2011-3001 CVE-2011-3002 CVE-2011-3003 CVE-2011-3004 CVE-2011-3005 CVE-2011-3232 http://www.mozilla.org/security/announce/2011/mfsa2011-36.html http://www.mozilla.org/security/announce/2011/mfsa2011-37.html http://www.mozilla.org/security/announce/2011/mfsa2011-38.html http://www.mozilla.org/security/announce/2011/mfsa2011-39.html http://www.mozilla.org/security/announce/2011/mfsa2011-40.html http://www.mozilla.org/security/announce/2011/mfsa2011-41.html http://www.mozilla.org/security/announce/2011/mfsa2011-42.html http://www.mozilla.org/security/announce/2011/mfsa2011-43.html http://www.mozilla.org/security/announce/2011/mfsa2011-44.html http://www.mozilla.org/security/announce/2011/mfsa2011-45.html 2011-09-27 2011-09-28
linux-flashplugin -- multiple vulnerabilities linux-flashplugin 9.0r289 linux-f10-flashplugin 10.3r183.10

Adobe Product Security Incident Response Team reports:

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

There are reports that one of these vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. This universal cross-site scripting issue could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website.

https://www.adobe.com/support/security/bulletins/apsb11-26.html CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2429 CVE-2011-2430 CVE-2011-2444 2011-06-06 2011-09-22
phpMyAdmin -- multiple XSS vulnerabilities phpMyAdmin 3.4.5

phpMyAdmin development team reports:

Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities.

Versions 3.4.0 to 3.4.4 were found vulnerable.

http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php 2011-09-11 2011-09-14
django -- multiple vulnerabilities py23-django py24-django py25-django py26-django py27-django py30-django py31-django 1.31.3.1 1.21.2.7 py23-django-devel py24-django-devel py25-django-devel py26-django-devel py27-django-devel py30-django-devel py31-django-devel 16758,1

The Django project reports:

Please reference CVE/URL list for details

https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/ 2011-09-09 2011-09-13 2011-11-01
roundcube -- XSS vulnerability roundcube 0.5.4,1

RoundCube development Team reports:

We just published a new release which fixes a recently reported XSS vulnerability as an update to the stable 0.5 branch. Please update your installations with this new version or patch them with the fix which is also published in the downloads section or our sourceforge.net page.

and:

During one of my pen-tests I found that the _mbox parameter is not properly sanitized and a reflected XSS attack is possible.

CVE-2011-2937 2011-08-09 2011-09-13
libsndfile -- PAF file processing integer overflow libsndfile 1.0.25

Secunia reports:

Hossein Lotfi has discovered a vulnerability in libsndfile, which can be exploited by malicious people to potentially compromise an application using the library. The vulnerability is caused due to an integer overflow error in the "paf24_init()" function (src/paf.c) when processing Paris Audio (PAF) files. This can be exploited to cause a heap-based buffer overflow via a specially crafted file. Successful exploitation may allow execution of arbitrary code. The vulnerability is confirmed in version 1.0.24. Other versions may also be affected.

CVE-2011-2696 http://secunia.com/advisories/45125/ 2011-07-12 2011-09-12
OpenSSL -- multiple vulnerabilities openssl 1.0.01.0.0_6 0.9.81.0.0 linux-f10-openssl 0.9.80.9.8r

OpenSSL Team reports:

Two security flaws have been fixed in OpenSSL 1.0.0e

Under certain circumstances OpenSSL's internal certificate verification routines can incorrectly accept a CRL whose nextUpdate field is in the past. (CVE-2011-3207)

OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe, and furthermore can crash if a client violates the protocol by sending handshake messages in incorrect order. (CVE-2011-3210)

CVE-2011-3207 CVE-2011-3210 http://www.openssl.org/news/secadv_20110906.txt 2011-09-06 2011-09-07 2014-04-10
XSS issue in MantisBT mantis 1.2.01.2.7

Net.Edit0r from BlACK Hat Group reported an XSS issue in search.php. All MantisBT users (including anonymous users that are not logged in to public bug trackers) could be impacted by this vulnerability.

ports/160368 CVE-2011-2938 2011-08-18 2011-09-05
security/cfs -- buffer overflow cfs 1.4.1_6

Debian reports:

Zorgon found several buffer overflows in cfsd, a daemon that pushes encryption services into the Unix(tm) file system. We are not yet sure if these overflows can successfully be exploited to gain root access to the machine running the CFS daemon. However, since cfsd can easily be forced to die, a malicious user can easily perform a denial of service attack to it.

CVE-2002-0351 http://www.debian.org/security/2002/dsa-116 2002-03-02 2011-09-04
ca_root_nss -- extraction of explicitly-untrusted certificates into trust bundle ca_root_nss 3.12.11

Matthias Andree reports that the ca-bundle.pl used in older versions of the ca_root_nss FreeBSD port before 3.12.11 did not take the Mozilla/NSS/CKBI untrusted markers into account and would add certificates to the trust bundle that were marked unsafe by Mozilla.

ports/160455 2011-09-04 2011-09-04
nss/ca_root_nss -- fraudulent certificates issued by DigiNotar.nl nss 3.12.11 ca_root_nss 3.12.11 firefox 3.6.*,13.6.22,1 4.0.*,16.0.2,1 seamonkey 2.3.2 linux-firefox 3.6.22,1 thunderbird 3.1.*3.1.14 5.0.*6.0.2 linux-thunderbird 3.1.14 linux-seamonkey 2.3.2

Heather Adkins, Google's Information Security Manager, reported that Google received

[...] reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). [...]

VASCO Data Security International Inc., owner of DigiNotar, issued a press statement confirming this incident:

On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com. [...] an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. [...]

Mozilla, maintainer of the NSS package, from which FreeBSD derived ca_root_nss, stated that they:

revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.

Three central issues informed our decision:

  1. Failure to notify. [...]
  2. The scope of the breach remains unknown. [...]
  3. The attack is not theoretical.
http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx http://www.mozilla.org/security/announce/2011/mfsa2011-34.html http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html 2011-07-19 2011-09-03 2011-09-06
apache -- Range header DoS vulnerability apache apache-event apache-itk apache-peruser apache-worker 2.*2.2.20

Apache HTTP server project reports:

A denial of service vulnerability has been found in the way the multiple overlapping ranges are handled by Apache HTTPD server.

CVE-2011-3192 https://people.apache.org/~dirkx/CVE-2011-3192.txt https://svn.apache.org/viewvc?view=revision&revision=1161534 https://svn.apache.org/viewvc?view=revision&revision=1162874 2011-08-24 2011-08-30 2011-09-01
stunnel -- heap corruption vulnerability stunnel (>= 4.40, < 4.42)

Michal Trojnara reports:

Version 4.42, 2011.08.18, urgency: HIGH:

Fixed a heap corruption vulnerability in versions 4.40 and 4.41. It may possibly be leveraged to perform DoS or remote code execution attacks.

49254 CVE-2011-2940 2011-08-25 2011-08-26
phpMyAdmin -- multiple XSS vulnerabilities phpMyAdmin 3.4.4

The phpMyAdmin development team reports:

Multiple XSS in the Tracking feature.

CVE-2011-3181 2011-08-24 2011-08-24
PHP -- crypt() returns only the salt for MD5 php5 (>= 5.3.7, < 5.3.7_2)

PHP development team reports:

If crypt() is executed with MD5 salts, the return value consists of the salt only. DES and BLOWFISH salts work as expected.

https://bugs.php.net/bug.php?id=55439 2011-08-17 2011-08-23 2011-08-30
php -- multiple vulnerabilities php5 php5-sockets 5.3.7

PHP development team reports:

Security Enhancements and Fixes in PHP 5.3.7:

  • Updated crypt_blowfish to 1.2. (CVE-2011-2483)
  • Fixed crash in error_log(). Reported by Mateusz Kocielski
  • Fixed buffer overflow on overlong salt in crypt().
  • Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
  • Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
  • Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)
49241 CVE-2011-2483 CVE-2011-2202 CVE-2011-1938 CVE-2011-1148 2011-08-18 2011-08-20
rubygem-rails -- multiple vulnerabilities rubygem-rails 3.0.10

SecurityFocus reports:

Ruby on Rails is prone to multiple vulnerabilities including SQL-injection, information-disclosure, HTTP-header-injection, security-bypass and cross-site scripting issues.

49179 http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6 http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768 http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12 http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195 2011-08-16 2011-08-19
dovecot -- denial of service vulnerability dovecot 1.2.17 (>= 2.0, < 2.0.13)

Timo Sirainen reports:

Fixed potential crashes and other problems when parsing header names that contained NUL characters.

47930 CVE-2011-1929 2011-05-25 2011-08-19
OTRS -- Vulnerabilities in OTRS-Core allow read access to any file on local file system otrs (>= 2.1.*, < 3.0.10)

OTRS Security Advisory reports:

  • An attacker with a valid session and admin permissions could get read access to any file on the server's local operating system. For this, at least one installed OTRS package is needed.
CVE-2011-2746 http://otrs.org/advisory/OSA-2011-03-en/ 2011-08-16 2011-08-18
mozilla -- multiple vulnerabilities firefox (>= 3.6.*,1, < 3.6.20,1) (>= 5.0.*,1, < 6.0,1) seamonkey 2.3 linux-firefox 3.6.20,1 thunderbird 3.1.12 linux-thunderbird 3.1.12

The Mozilla Project reports:

MFSA 2011-29 Security issues addressed in Firefox 6

MFSA 2011-30 Security issues addressed in Firefox 3.6.20

http://www.mozilla.org/security/announce/2011/mfsa2011-29.html http://www.mozilla.org/security/announce/2011/mfsa2011-30.html CVE-2011-2982 CVE-2011-0084 CVE-2011-2981 CVE-2011-2378 CVE-2011-2984 CVE-2011-2980 CVE-2011-2983 CVE-2011-2989 CVE-2011-2991 CVE-2011-2992 CVE-2011-2985 CVE-2011-2993 CVE-2011-2988 CVE-2011-2987 CVE-2011-2990 CVE-2011-2986 2011-08-16 2011-08-16
Samba -- cross site scripting and request forgery vulnerabilities samba34 (>= 3.4.*, < 3.4.14) samba35 (>= 3.5.*, < 3.5.10)

Samba security advisory reports:

All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool (SWAT). By tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possible to manipulate SWAT.

All current released versions of Samba are vulnerable to a cross-site scripting issue in the Samba Web Administration Tool (SWAT). On the "Change Password" field, it is possible to insert arbitrary content into the "user" field.

48901 48899 CVE-2011-2522 CVE-2011-2694 2011-07-27 2011-08-16
isc-dhcp-server -- server halt upon processing certain packets isc-dhcp31-server 3.1.ESV_1,1 isc-dhcp41-server 4.1.e_2,2 isc-dhcp42-server 4.2.2

ISC reports:

A pair of defects cause the server to halt upon processing certain packets. The patch is to properly discard or process those packets.

CVE-2011-2748 CVE-2011-2749 2011-08-10 2011-08-13
bugzilla -- multiple vulnerabilities bugzilla (>= 2.4.*, < 3.6.6) (>= 4.0.*, < 4.0.2)

A Bugzilla Security Advisory reports:

The following security issues have been discovered in Bugzilla:

  • Internet Explorer 8 and older, and Safari before 5.0.6 do content sniffing when viewing a patch in "Raw Unified" mode, which could trigger a cross-site scripting attack due to the execution of malicious code in the attachment.
  • It is possible to determine whether or not certain group names exist while creating or updating bugs.
  • Attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications sent to the requestee or the requester when editing an attachment flag.
  • If an attacker has access to a user's session, he can modify that user's email address without that user being notified of the change.
  • Temporary files for uploaded attachments are not deleted on Windows, which could let a user with local access to the server read them.
  • Up to Bugzilla 3.4.11, if a BUGLIST cookie is compromised, it can be used to inject HTML code when viewing a bug report, leading to a cross-site scripting attack.

All affected installations are encouraged to upgrade as soon as possible.

CVE-2011-2379 CVE-2011-2380 CVE-2011-2979 CVE-2011-2381 CVE-2011-2978 CVE-2011-2977 CVE-2011-2976 https://bugzilla.mozilla.org/show_bug.cgi?id=637981 https://bugzilla.mozilla.org/show_bug.cgi?id=653477 https://bugzilla.mozilla.org/show_bug.cgi?id=674497 https://bugzilla.mozilla.org/show_bug.cgi?id=657158 https://bugzilla.mozilla.org/show_bug.cgi?id=670868 https://bugzilla.mozilla.org/show_bug.cgi?id=660502 https://bugzilla.mozilla.org/show_bug.cgi?id=660053 2011-08-04 2011-08-13
dtc -- multiple vulnerabilities dtc 0.32.9

Ansgar Burchardt reports:

Ansgar Burchardt discovered several vulnerabilities in DTC, a web control panel for admin and accounting hosting services: the bw_per_moth.php graph contains an SQL injection vulnerability; insufficient checks in bw_per_month.php can lead to bandwidth usage information disclosure; after a registration, passwords are sent in cleartext email messages; and authenticated users could delete accounts using an obsolete interface which was incorrectly included in the package.

CVE-2011-0434 CVE-2011-0435 CVE-2011-0436 CVE-2011-0437 http://www.debian.org/security/2011/dsa-2179 2011-03-02 2011-08-13
libXfont -- possible local privilege escalation libXfont 1.4.4_1,1

Tomas Hoger reports:

The compress/ LZW decompress implementation does not correctly handle compressed streams that contain code words that were not yet added to the decompression table. This may lead to arbitrary memory corruption. Successful exploitation may possibly lead to a local privilege escalation.

CVE-2011-2895 https://bugzilla.redhat.com/show_bug.cgi?id=725760 2011-07-26 2011-08-11 2012-03-13
freetype2 -- execute arbitrary code or cause denial of service freetype2 2.4.6

Vincent Danen reports:

An error within the t1_decoder_parse_charstrings() function (src/psaux/t1decode.c) can be exploited to corrupt memory by tricking a user into processing a specially crafted PostScript Type 1 font in an application that uses the FreeType library.

CVE-2011-0226 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0226 2011-07-19 2011-08-11
linux-flashplugin -- multiple vulnerabilities linux-flashplugin 9.0r289 linux-f10-flashplugin 10.3r183.5

Adobe Product Security Incident Response Team reports:

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.25 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 https://www.adobe.com/support/security/bulletins/apsb11-21.html 2011-05-13 2011-08-10 2012-11-05
libsoup -- unintentionally allow access to entire local filesystem libsoup 2.32.2_3

Dan Winship reports:

Fixed a security hole that caused some SoupServer users to unintentionally allow accessing the entire local filesystem when they thought they were only providing access to a single directory.

CVE-2011-2054 http://mail.gnome.org/archives/ftp-release-list/2011-July/msg00176.html https://bugzilla.gnome.org/show_bug.cgi?id=653258 2011-06-23 2011-07-28
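Added example, not libsoup's code or the fix it shipped: the containment check a file-serving handler needs so that a request path cannot resolve outside the directory it was meant to expose. It percent-decodes the path once, canonicalises both the root and the candidate with realpath (so ".." segments and symlinks are resolved before comparison), and rejects anything whose real path is not below the real root. The document root, its files and the symlink in demo() are constructed in a temporary directory for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(root, request_path):
    """Map a request path onto a file below `root`, or return None when the
    result would leave that directory. The URL path is percent-decoded once,
    then both sides are canonicalised with realpath so '..' segments and
    symlinks are resolved before the containment check."""
    root_real = os.path.realpath(root)
    rel = unquote(request_path).lstrip("/")      # '/x' means root/x, not filesystem /x
    candidate = os.path.realpath(os.path.join(root_real, rel))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:                           # paths on different drives
        inside = False
    return candidate if inside else None


def classify(root, request_path):
    """Human-readable verdict: 'serve <path relative to root>' or 'rejected'."""
    target = resolve_under_root(root, request_path)
    if target is None:
        return "rejected"
    return "serve " + os.path.relpath(target, os.path.realpath(root))


def demo():
    """Constructed document root: one real file plus, where the platform
    allows it, a symlink named 'escape' pointing at the filesystem root.
    Returns ({request: verdict}, symlink_created)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    symlinked = True
    try:
        os.symlink(os.path.abspath(os.sep), os.path.join(root, "escape"))
    except (OSError, NotImplementedError):
        symlinked = False
    requests = [
        "/index.html",
        "/sub/../index.html",            # '..' that stays inside is fine
        "/../../etc/passwd",             # plain traversal
        "/%2e%2e/%2e%2e/etc/passwd",     # encoded traversal
        "/escape/etc/passwd",            # traversal through a symlink
    ]
    return {r: classify(root, r) for r in requests}, symlinked
```

The realpath step matters: a check that only strips literal ".." segments still passes a symlink inside the root that points outside it, which is why the symlink case is included.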
phpmyadmin -- multiple vulnerabilities phpMyAdmin 3.4.3.2

The phpMyAdmin development team reports:

XSS in table Print view.

Via a crafted MIME-type transformation parameter, an attacker can perform a local file inclusion.

In the 'relational schema' code a parameter was not sanitized before being used to concatenate a class name.

The end result is a local file inclusion vulnerability and code execution.

It was possible to manipulate the PHP session superglobal using some of the Swekey authentication code.

This is very similar to PMASA-2011-5, documented in 7e4e5c53-a56c-11e0-b180-00216aa06fc2

CVE-2011-2642 CVE-2011-2643 http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php 2011-07-23 2011-07-24 2011-07-28
opensaml2 -- unauthenticated login opensaml2 (>= 0, < 2.4.3)

OpenSAML developer reports:

The Shibboleth software relies on the OpenSAML libraries to perform verification of signed XML messages such as attribute queries or SAML assertions. Both the Java and C++ versions are vulnerable to a so-called "wrapping attack" that allows a remote, unauthenticated attacker to craft specially formed messages that can be successfully verified, but contain arbitrary content.

CVE-2011-1411 https://groups.google.com/a/shibboleth.net/group/announce/browse_thread/thread/cf3e0d76afbb57d9 2011-07-25 2011-07-25
rsync -- incremental recursion memory corruption vulnerability rsync (>= 3.0, < 3.0.8)

rsync development team reports:

Fixed a data-corruption issue when preserving hard-links without preserving file ownership, and doing deletions either before or during the transfer (CVE-2011-1097). This fixes some assert errors in the hard-linking code, and some potential failed checksums (via -c) that should have matched.

CVE-2011-1097 https://bugzilla.samba.org/show_bug.cgi?id=7936 2011-04-08 2011-07-20
BIND -- Remote DoS against authoritative and recursive servers bind96 9.6.3.1.ESV.R4.3 bind97 9.7.3.3 bind98 9.8.0.4

ISC reports:

A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet.

This defect affects both recursive and authoritative servers.

CVE-2011-2464 https://www.isc.org/software/bind/advisories/cve-2011-2464 2011-07-05 2011-07-05
BIND -- Remote DoS with certain RPZ configurations bind98 9.8.0.4

ISC reports:

Two defects were discovered in ISC's BIND 9.8 code. These defects only affect BIND 9.8 servers which have recursion enabled and which use a specific feature of the software known as Response Policy Zones (RPZ) and where the RPZ zone contains a specific rule/action pattern.

CVE-2011-2465 https://www.isc.org/software/bind/advisories/cve-2011-2465 2011-07-05 2011-07-05
phpmyadmin -- multiple vulnerabilities phpMyAdmin 3.4.3.1

The phpMyAdmin development team reports:

It was possible to manipulate the PHP session superglobal using some of the Swekey authentication code. This could open a path for other attacks.

An unsanitized key from the Servers array is written in a comment of the generated config. An attacker can modify this key by modifying the SESSION superglobal array. This allows the attacker to close the comment and inject code.

Through a possible bug in PHP running on Windows systems a NULL byte can truncate the pattern string allowing an attacker to inject the /e modifier causing the preg_replace function to execute its second argument as PHP code.

Fixed filtering of a file path in the MIME-type transformation code, which allowed for directory traversal.

CVE-2011-2505 CVE-2011-2506 CVE-2011-2507 CVE-2011-2508 http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php 2011-07-02 2011-07-03 2011-07-28
Asterisk -- multiple vulnerabilities asterisk14 (>= 1.4.*, < 1.4.41.2) asterisk16 (>= 1.6.*, < 1.6.2.18.2) asterisk18 (>= 1.8.*, < 1.8.4.4)

The Asterisk Development Team reports:

AST-2011-008: If a remote user sends a SIP packet containing a NULL, Asterisk assumes available data extends past the null to the end of the packet when the buffer is actually truncated when copied. This causes SIP header parsing to modify data past the end of the buffer altering unrelated memory structures. This vulnerability does not affect TCP/TLS connections.

AST-2011-009: A remote user sending a SIP packet containing a Contact header with a missing left angle bracket causes Asterisk to access a null pointer.

AST-2011-010: A memory address was inadvertently transmitted over the network via IAX2 via an option control frame and the remote party would try to access it.

Possible enumeration of SIP users due to differing authentication responses.

CVE-2011-2529 CVE-2011-2535 CVE-2011-2536 http://downloads.asterisk.org/pub/security/AST-2011-008.html http://downloads.asterisk.org/pub/security/AST-2011-009.html http://downloads.asterisk.org/pub/security/AST-2011-010.html http://downloads.asterisk.org/pub/security/AST-2011-011.html 2011-06-24 2011-06-25 2011-06-29
ejabberd -- remote denial of service vulnerability ejabberd 2.1.7

The CVE description reports:

expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2011-1753 http://www.ejabberd.im/ejabberd-2.1.7 2011-04-27 2011-06-24
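Added example, not ejabberd's or exmpp's code: a pre-parse gate for the nested-entity pattern this entry describes. It reads the general entities declared in the DOCTYPE internal subset and computes, without materialising anything, how many characters an entity-expanding parser would produce, raising on a reference cycle or when a budget is exceeded. The three XML documents are constructed samples; the default budget of one million characters is an assumption.

```python
import re

ENTITY_DECL_RE = re.compile(
    r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF_RE = re.compile(r'&([A-Za-z_][\w.-]*);')
DOCTYPE_RE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>', re.DOTALL)


class EntityExpansionError(ValueError):
    """Raised when expanding the document would recurse or exceed the budget."""


def internal_entities(xml_text):
    """Return {name: replacement text} for general entities declared in the
    DOCTYPE internal subset. Parameter and external entities are ignored."""
    m = DOCTYPE_RE.search(xml_text)
    if not m or m.group(1) is None:
        return {}
    return {name: dq or sq for name, dq, sq in ENTITY_DECL_RE.findall(m.group(1))}


def expanded_size(xml_text, limit):
    """Characters an entity-expanding parser would produce for the document,
    walking nested references instead of materialising them. Raises
    EntityExpansionError on a reference cycle or once the budget is exceeded,
    so a billion-laughs document is rejected after a handful of steps."""
    entities = internal_entities(xml_text)
    memo = {}

    def size_of(name, chain):
        if name in chain:
            raise EntityExpansionError(
                "recursive entity reference: " + " -> ".join(chain + [name]))
        if name in memo:
            return memo[name]
        if name not in entities:              # predefined (&amp;) or undeclared: count as written
            return len(name) + 2
        value = entities[name]
        total = len(ENTITY_REF_RE.sub("", value))
        for ref in ENTITY_REF_RE.findall(value):
            total += size_of(ref, chain + [name])
            if total > limit:
                raise EntityExpansionError(
                    "expansion of &%s; exceeds %d characters" % (name, limit))
        memo[name] = total
        return total

    m = DOCTYPE_RE.search(xml_text)
    body = xml_text[m.end():] if m else xml_text
    total = len(ENTITY_REF_RE.sub("", body))
    for ref in ENTITY_REF_RE.findall(body):
        total += size_of(ref, [])
        if total > limit:
            raise EntityExpansionError("document expansion exceeds %d characters" % limit)
    return total


def safe_to_parse(xml_text, limit=1_000_000):
    """Gate to run before handing untrusted XML to a real parser.
    Returns (True, expanded_size) or (False, reason)."""
    try:
        return True, expanded_size(xml_text, limit)
    except EntityExpansionError as exc:
        return False, str(exc)


# Constructed samples.
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>"""

RECURSIVE = '<!DOCTYPE x [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]><x>&a;</x>'

BENIGN = '<!DOCTYPE x [ <!ENTITY co "Example Corp"> ]><x>&co; &amp; friends</x>'
```

For XMPP the simplest policy is stricter than a budget: a stanza stream has no business declaring entities at all, so a DOCTYPE with an internal subset can be rejected outright and the size estimate kept for parsers that must accept general XML.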
mozilla -- multiple vulnerabilities firefox (>= 3.5.*,1, < 3.5.20,1) (>= 3.6.*,1, < 3.6.18,1) (>= 4.0.*,1, < 5.0,1) linux-firefox 3.6.18,1 thunderbird 3.1.11 linux-thunderbird 3.1.11

The Mozilla Project reports:

MFSA 2011-19 Miscellaneous memory safety hazards (rv:3.0/1.9.2.18)

MFSA 2011-20 Use-after-free vulnerability when viewing XUL document with script disabled

MFSA 2011-21 Memory corruption due to multipart/x-mixed-replace images

MFSA 2011-22 Integer overflow and arbitrary code execution in Array.reduceRight()

MFSA 2011-23 Multiple dangling pointer vulnerabilities

MFSA 2011-24 Cookie isolation error

MFSA 2011-25 Stealing of cross-domain images using WebGL textures

MFSA 2011-26 Multiple WebGL crashes

MFSA 2011-27 XSS encoding hazard with inline SVG

MFSA 2011-28 Non-whitelisted site can trigger xpinstall

http://www.mozilla.org/security/announce/2011/mfsa2011-19.html http://www.mozilla.org/security/announce/2011/mfsa2011-20.html http://www.mozilla.org/security/announce/2011/mfsa2011-21.html http://www.mozilla.org/security/announce/2011/mfsa2011-22.html http://www.mozilla.org/security/announce/2011/mfsa2011-23.html http://www.mozilla.org/security/announce/2011/mfsa2011-24.html http://www.mozilla.org/security/announce/2011/mfsa2011-25.html http://www.mozilla.org/security/announce/2011/mfsa2011-26.html http://www.mozilla.org/security/announce/2011/mfsa2011-27.html http://www.mozilla.org/security/announce/2011/mfsa2011-28.html 2011-06-21 2011-06-21 2011-06-23
Samba -- Denial of service - memory corruption samba34 (>= 3.4.*, < 3.4.12) samba35 (>= 3.5.*, < 3.5.7)

The Samba team reports:

Samba is vulnerable to a denial of service, caused by a memory corruption error related to missing range checks on file descriptors being used in the "FD_SET" macro. By performing a select on a bad file descriptor set, a remote attacker could exploit this vulnerability to cause the application to crash or possibly execute arbitrary code on the system.

CVE-2011-0719 http://www.samba.org/samba/security/CVE-2011-0719.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0719 2011-02-28 2011-06-21
Piwik -- remote command execution vulnerability piwik (>= 1.2, < 1.5)

The Piwik security advisory reports:

The Piwik 1.5 release addresses a critical security vulnerability, which affects all Piwik users that have granted some access to the "anonymous" user.

Piwik contains a remotely exploitable vulnerability that could allow a remote attacker to execute arbitrary code. Only installations that have granted untrusted view access to their stats (ie. grant "view" access to a website to anonymous) are at risk.

ports/158084 http://piwik.org/blog/2011/06/piwik-1-5-security-advisory/ 2011-06-21 2011-06-21
Dokuwiki -- cross site scripting vulnerability dokuwiki 20110525a

Dokuwiki reports:

We just released a Hotfix Release "2011-05-25a Rincewind". It contains the following changes:

Security fix for a Cross Site Scripting vulnerability. Malicious users could abuse DokuWiki's RSS embedding mechanism to create links containing arbitrary JavaScript. Note: this security problem is present in at least Anteater and Rincewind but probably in older releases as well.

http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind 2011-06-14 2011-06-20
linux-flashplugin -- remote code execution vulnerability linux-flashplugin 9.0r289 linux-f10-flashplugin 10.3r181.26

Adobe Product Security Incident Response Team reports:

A critical vulnerability has been identified in Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.23 and earlier versions for Android. This memory corruption vulnerability (CVE-2011-2110) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.

CVE-2011-2110 http://www.adobe.com/support/security/bulletins/apsb11-18.html 2011-05-13 2011-06-15
ikiwiki -- tty hijacking via ikiwiki-mass-rebuild ikiwiki 3.20110608

The IkiWiki development team reports:

Ludwig Nussel discovered a way for users to hijack root's tty when ikiwiki-mass-rebuild was run. Additionally, there was some potential for information disclosure via symlinks.

CVE-2011-1408 http://ikiwiki.info/security/#index40h2 2011-06-08 2011-06-15
linux-flashplugin -- cross-site scripting vulnerability linux-flashplugin 9.0r289 linux-f10-flashplugin 10.3r181.22

Adobe Product Security Incident Response Team reports:

An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

CVE-2011-2107 http://www.adobe.com/support/security/bulletins/apsb11-13.html 2011-05-13 2011-06-08
BIND -- Large RRSIG RRsets and Negative Caching DoS bind9-sdb-ldap bind9-sdb-postgresql 9.4.3.4 bind96 9.6.3.1.ESV.R4.1 bind97 9.7.3.1 bind98 9.8.0.2 FreeBSD 7.37.3_6 7.47.4_2 8.18.1_4 8.28.2_2

ISC reports:

A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a response. This can cause the BIND 9 DNS server (named process) to crash.

CVE-2011-1910 SA-11:02.bind http://www.isc.org/software/bind/advisories/cve-2011-1910 2011-05-26 2011-06-04 2016-08-09
fetchmail -- STARTTLS denial of service fetchmail 6.3.20

Matthias Andree reports:

Fetchmail version 5.9.9 introduced STLS support for POP3, version 6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated in-band SSL/TLS negotiation was not guarded by a timeout.

Depending on the operating system defaults as to TCP stream keepalive mode, hangs of fetchmail in excess of one week after sending STARTTLS were observed if the connection failed without notifying the operating system, for instance through network outages or hard server crashes.

A malicious server that does not respond, at the network level, after acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail in this protocol state, and thus render fetchmail unable to complete the poll, or proceed to the next server, effecting a denial of service.

SSL-wrapped mode on dedicated ports was unaffected by this problem, so can be used as a workaround.

CVE-2011-1947 http://www.fetchmail.info/fetchmail-SA-2011-01.txt https://gitorious.org/fetchmail/fetchmail/commit/7dc67b8cf06f74aa57525279940e180c99701314 2011-04-28 2011-06-06
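Added example, not fetchmail's code or its patch: the client side of the STLS exchange with a deadline on every step, including the in-band TLS handshake that the entry says was left unguarded. The stalling peer is a constructed test server that acknowledges STLS and then never sends a byte; with the deadline in place the client returns after the timeout instead of waiting for a keepalive that may take over a week. Certificate verification is disabled only because the constructed peer has no certificate.

```python
import socket
import ssl
import threading
import time


def start_stalling_stls_server():
    """Constructed peer for the test: speaks just enough POP3 to accept STLS,
    answers +OK, and then never starts the TLS handshake. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"+OK POP3 server ready\r\n")
            line = b""
            while not line.endswith(b"\r\n"):
                chunk = conn.recv(64)
                if not chunk:
                    return
                line += chunk
            if line.upper().startswith(b"STLS"):
                conn.sendall(b"+OK Begin TLS negotiation\r\n")
            while conn.recv(4096):          # swallow the ClientHello, say nothing
                pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def read_line(sock):
    """Read one CRLF-terminated protocol line; honours the socket timeout."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def poll_with_stls(port, timeout):
    """Client side of STLS with a deadline on every step, including the
    in-band TLS handshake. Returns (status, seconds_elapsed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # constructed peer has no certificate;
    ctx.verify_mode = ssl.CERT_NONE  # a real client must verify the server
    started = time.monotonic()
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as sock:
        sock.settimeout(timeout)     # inherited by the SSL socket created below
        if not read_line(sock).startswith(b"+OK"):
            return "bad-greeting", time.monotonic() - started
        sock.sendall(b"STLS\r\n")
        if not read_line(sock).startswith(b"+OK"):
            return "stls-refused", time.monotonic() - started
        try:
            tls = ctx.wrap_socket(sock, server_hostname="localhost")  # handshake runs here
        except (socket.timeout, TimeoutError):
            return "handshake-timeout", time.monotonic() - started
        except ssl.SSLError:
            return "handshake-failed", time.monotonic() - started
        tls.close()
        return "tls-established", time.monotonic() - started


if __name__ == "__main__":
    print(poll_with_stls(start_stalling_stls_server(), timeout=2.0))
```

The unpatched behaviour is the same code with no settimeout() call: the handshake blocks inside the TLS library until the kernel gives up on the connection, which is what the advisory's week-long hangs were.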
asterisk -- Remote crash vulnerability asterisk18 (>= 1.8.*, < 1.8.4.2)

The Asterisk Development Team reports:

If a remote user initiates a SIP call and the recipient picks up, the remote user can reply with a malformed Contact header that Asterisk will improperly handle and cause a crash due to a segmentation fault.

CVE-2011-2216 http://downloads.asterisk.org/pub/security/AST-2011-007.pdf 2011-06-02 2011-06-02
Subversion -- multiple vulnerabilities subversion 1.6.17 subversion-freebsd 1.6.17

Subversion team reports:

Subversion's mod_dav_svn Apache HTTPD server module will dereference a NULL pointer if asked to deliver baselined WebDAV resources.

This can lead to a DoS. An exploit has been tested, and tools or users have been observed triggering this problem in the wild.

Subversion's mod_dav_svn Apache HTTPD server module may in certain scenarios enter a logic loop which does not exit and which allocates memory in each iteration, ultimately exhausting all the available memory on the server.

This can lead to a DoS. There are no known instances of this problem being observed in the wild, but an exploit has been tested.

Subversion's mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users.

There are no known instances of this problem being observed in the wild, but an exploit has been tested.

CVE-2011-1752 CVE-2011-1783 CVE-2011-1921 2011-05-28 2011-06-02
drupal6 -- multiple vulnerabilities drupal6 6.22

Drupal Team reports:

A reflected cross site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin / settings / error-reporting. This is the recommended setting for production sites.

When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the "Administer themes" permission.

http://drupal.org/node/1168756 2011-05-25 2011-05-26
Erlang -- ssh library uses a weak random number generator erlang r14b03

US-CERT reports:

The Erlang/OTP ssh library implements a number of cryptographic operations that depend on cryptographically strong random numbers. Unfortunately the RNG used by the library is not cryptographically strong, and is further weakened by the use of predictable seed material. The RNG (Wichmann-Hill) is not mixed with an entropy source.

CVE-2011-0766 http://www.erlang.org/download/otp_src_R14B03.readme https://github.com/erlang/otp/commit/f228601de45c5b53241b103af6616453c50885a5 2011-05-25 2011-05-25
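Added example, not Erlang/OTP code: the Wichmann-Hill generator named in this entry, implemented in Python, with key bytes drawn from it and then recovered by an attacker who only knows roughly when they were generated. The seeding scheme (three seed words derived from one timestamp) is an assumption made for the illustration and is not a description of what the ssh library did; the point it shows is the entry's: a 3-word state below 30323 each, seeded from guessable material, leaves nothing for an attacker to search but the seed.

```python
import secrets


class WichmannHill:
    """Wichmann-Hill (AS 183): three small multiplicative congruential
    generators combined. Fine for simulations, useless for keys: the whole
    state is three integers below 30323, under 2.8e13 states in total."""

    def __init__(self, s1, s2, s3):
        if not all(0 < s < 30000 for s in (s1, s2, s3)):
            raise ValueError("seeds must be in 1..29999")
        self.s1, self.s2, self.s3 = s1, s2, s3

    def random(self):
        self.s1 = (171 * self.s1) % 30269
        self.s2 = (172 * self.s2) % 30307
        self.s3 = (170 * self.s3) % 30323
        return (self.s1 / 30269.0 + self.s2 / 30307.0 + self.s3 / 30323.0) % 1.0

    def key_bytes(self, n):
        """Key material drawn from the PRNG, one byte per output."""
        return bytes(int(self.random() * 256) for _ in range(n))


def seed_from_timestamp(ts):
    """ASSUMED seeding scheme, for illustration only (not Erlang's code):
    all three seed words derived from one coarse wall-clock value, so the
    effective seed entropy is however well the attacker can guess the time."""
    return (ts % 29999 + 1, (ts >> 8) % 29999 + 1, (ts >> 16) % 29999 + 1)


def recover_generation_time(observed_key, approx_ts, window=3600):
    """Attacker side: given key bytes and a rough idea of when they were
    generated, try every second in the window and return the one that
    reproduces the key, or None. Each candidate costs a few multiplications."""
    for ts in range(approx_ts - window, approx_ts + window + 1):
        rng = WichmannHill(*seed_from_timestamp(ts))
        if rng.key_bytes(len(observed_key)) == observed_key:
            return ts
    return None


def strong_key_bytes(n):
    """What key material should come from: the OS CSPRNG, not a PRNG."""
    return secrets.token_bytes(n)
```

Even without the timestamp assumption, the generator's entire state fits in fewer than 45 bits, so an attacker who sees a few outputs can recover the state by exhaustive search; mixing in an entropy source does not fix that, which is why the proper repair is a cryptographic generator rather than better seeding of this one.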
Unbound -- an empty error packet handling assertion failure unbound 1.4.10

Unbound developer reports:

NLnet Labs was notified of an error in Unbound's code-path for error replies which is triggered under special conditions. The error causes the program to abort.

CVE-2011-1922 http://unbound.nlnetlabs.nl/downloads/CVE-2011-1922.txt 2011-05-25 2011-05-25
Pubcookie Login Server -- XSS vulnerability pubcookie-login-server 3.3.2d

Nathan Dors, Pubcookie Project reports:

A new non-persistent XSS vulnerability was found in the Pubcookie login server's compiled binary "index.cgi" CGI program. The CGI program mishandles untrusted data when printing responses to the browser. This makes the program vulnerable to carefully crafted requests containing script or HTML. If an attacker can lure an unsuspecting user to visit carefully staged content, the attacker can use it to redirect the user to his or her local Pubcookie login page and attempt to exploit the XSS vulnerability.

http://pubcookie.org/news/20070606-login-secadv.html 2007-05-25 2011-05-23
mod_pubcookie -- Empty Authentication Security Advisory ap20-mod_pubcookie (>= 3.1.0, < 3.3.2b)

Nathan Dors, Pubcookie Project reports:

An Abuse of Functionality vulnerability in the Pubcookie authentication process was found. This vulnerability allows an attacker to appear as if he or she were authenticated using an empty userid when such a userid isn't expected. Unauthorized access to web content and applications may result where access is restricted to users who can authenticate successfully but where no additional authorization is performed after authentication.

http://pubcookie.org/news/20061106-empty-auth-secadv.html 2006-10-04 2011-05-23
ViewVC -- user-reachable override of cvsdb row limit viewvc 1.1.11

ViewVC.org reports:

Security fix: remove user-reachable override of cvsdb row limit.

http://viewvc.tigris.org/source/browse/*checkout*/viewvc/branches/1.1.x/CHANGES 2011-05-17 2011-05-23
Apache APR -- DoS vulnerabilities apr1 1.4.5.1.3.12

The Apache Portable Runtime Project reports:

A flaw was discovered in the apr_fnmatch() function in the Apache Portable Runtime (APR) library 1.4.4 (or any backported versions that contained the upstream fix for CVE-2011-0419). This could cause httpd workers to enter a hung state (100% CPU utilization).

apr-util 1.3.11 could cause crashes with httpd's mod_authnz_ldap in some situations.

47929 CVE-2011-1928 CVE-2011-0419 http://www.apache.org/dist/apr/Announcement1.x.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1928 2011-05-19 2011-05-23
linux-flashplugin -- multiple vulnerabilities linux-flashplugin 9.0r289 linux-f10-flashplugin 10.3r181.14

Adobe Product Security Incident Response Team reports:

Critical vulnerabilities have been identified in Adobe Flash Player 10.2.159.1 and earlier versions (Adobe Flash Player 10.2.154.28 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.2.157.51 and earlier versions for Android. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports of malware attempting to exploit one of the vulnerabilities, CVE-2011-0627, in the wild via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. However, to date, Adobe has not obtained a sample that successfully completes an attack.

CVE-2011-0579 CVE-2011-0618 CVE-2011-0619 CVE-2011-0620 CVE-2011-0621 CVE-2011-0622 CVE-2011-0623 CVE-2011-0624 CVE-2011-0625 CVE-2011-0626 CVE-2011-0627 http://www.adobe.com/support/security/bulletins/apsb11-12.html 2011-01-20 2011-05-23
Opera -- code injection vulnerability through broken frameset handling opera 11.11 opera-devel 11.11 linux-opera 11.11

Opera Software ASA reports:

Fixed an issue with framesets that could allow execution of arbitrary code, as reported by an anonymous contributor working with the SecuriTeam Secure Disclosure program.

http://www.opera.com/docs/changelogs/unix/1111/ http://www.opera.com/support/kb/view/992/ 2011-05-18 2011-05-23
pureftpd -- multiple vulnerabilities pure-ftpd 1.0.32

Pure-FTPd development team reports:

Support for braces expansion in directory listings has been disabled -- Cf. CVE-2011-0418.

Fix a STARTTLS flaw similar to Postfix's CVE-2011-0411. If you're using TLS, upgrading is recommended.

46767 CVE-2011-0418 CVE-2011-1575 2011-04-01 2011-05-23
Exim -- remote code execution and information disclosure exim (>= 4.70, < 4.76)

Release notes for Exim 4.76 says:

Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a format-string attack -- SECURITY: remote arbitrary code execution.

DKIM signature header parsing was double-expanded, second time unintentionally subject to list matching rules, letting the header cause arbitrary Exim lookups (of items which can occur in lists, *not* arbitrary string expansion). This allowed for information disclosure.

Also, impact assessment was redone shortly after the original announcement:

Further analysis revealed that the second security issue was more severe than I realised at the time that I wrote the announcement. The second security issue has been assigned CVE-2011-1407 and is also a remote code execution flaw. For clarity: both issues were introduced with 4.70.

CVE-2011-1764 CVE-2011-1407 https://lists.exim.org/lurker/message/20110512.102909.8136175a.en.html http://bugs.exim.org/show_bug.cgi?id=1106 2011-05-10 2011-05-14
Apache APR -- DoS vulnerabilities apr1 1.4.4.1.3.11

The Apache Portable Runtime Project reports:

Note especially a security fix to APR 1.4.4: excessive CPU consumption was possible due to an unconstrained, recursive invocation of apr_fnmatch, as apr_fnmatch processed '*' wildcards. apr_fnmatch() was reimplemented from scratch using a non-recursive algorithm and now has improved compliance with the fnmatch() spec. (William Rowe)

CVE-2011-0419 http://www.apache.org/dist/apr/Announcement1.x.html 2011-05-10 2011-05-12
Zend Framework -- potential SQL injection when using PDO_MySql ZendFramework 1.11.6

The Zend Framework team reports:

Developers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue.

http://framework.zend.com/security/advisory/ZF2011-02 http://zend-framework-community.634137.n4.nabble.com/Zend-Framework-1-11-6-and-1-10-9-released-td3503741.html 2011-05-06 2011-05-13
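Added example, not Zend Framework or PHP code: the mechanism by which charset-unaware escaping fails under a multibyte connection charset, which is assumed here to be the class of problem the advisory refers to. A byte-wise escaper (addslashes-style) inserts 0x5C before a quote; if the preceding byte is a valid lead byte of the connection charset, the server reads lead byte plus 0x5C as one character and the quote survives unescaped. The charset-aware version decodes strictly first, escapes at character level and re-encodes, so a crafted lead byte is rejected as invalid text. GBK is used as the concrete charset; the payload, query shape and tokeniser are constructed for the example.

```python
# Constructed sample input: a GBK lead byte followed by a quote. Under a
# byte-wise escaper the inserted backslash pairs with the lead byte.
PAYLOAD = b"\xbf' OR 1=1 -- "


def naive_escape(data):
    """Byte-wise, charset-unaware escaping in the style of addslashes():
    a backslash before ' " \\ and NUL. This is the flawed behaviour."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(data, charset):
    """Decode strictly in the connection charset, escape at character level,
    re-encode. Returns None (reject the input) when the bytes are not valid
    text in that charset, which is exactly what a crafted lead byte is."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    text = (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\x00", "\\0"))
    return text.encode(charset)


def build_query(escaped_name):
    return b"SELECT * FROM users WHERE name = '" + escaped_name + b"'"


def sql_after_literal(query, charset):
    """Tokenise as the server does: decode in the connection charset and find
    where the quoted literal really ends. Whatever comes back is SQL the
    caller did not write; an empty string means the literal stayed closed."""
    text = query.decode(charset)
    i = text.index("'") + 1
    while i < len(text):
        if text[i] == "\\":
            i += 2                 # escaped character, skip it
            continue
        if text[i] == "'":
            return text[i + 1:]    # literal closed here; the rest is live SQL
        i += 1
    return ""
```

Under latin1 the same naive escaping is harmless, which matches the advisory's note that ASCII-compatible single-byte encodings are not affected; the robust fix in practice is to tell the driver the connection charset so its escaping (or, better, server-side prepared statements) operates in the same encoding the server will use to parse the statement.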
mediawiki -- multiple vulnerabilities mediawiki 1.16.5

Mediawiki reports:

(Bug 28534) XSS vulnerability for IE 6 clients. This is the third attempt at fixing bug 28235.

(Bug 28639) Potential privilege escalation when $wgBlockDisablesLogin is enabled.

https://bugzilla.wikimedia.org/show_bug.cgi?id=28534 https://bugzilla.wikimedia.org/show_bug.cgi?id=28639 http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-May/000098.html http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_5/phase3/RELEASE-NOTES 2011-04-14 2011-05-12
Postfix -- memory corruption vulnerability postfix postfix-base (>= 2.8.*,1, < 2.8.3,1) (>= 2.7.*,1, < 2.7.4,1) (>= 2.6.*,1, < 2.6.10,1) (>= 2.5.*,2, < 2.5.13,2) 2.4.16,1 postfix-current postfix-current-base 2.9.20110501,4

The Postfix SMTP server has a memory corruption error, when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN (ANONYMOUS is not affected, but should not be used for other reasons). This memory corruption is known to result in a program crash (SIGSEGV).

CVE-2011-1720 http://www.postfix.org/CVE-2011-1720.html 2011-05-09 2011-05-09
Mozilla -- multiple vulnerabilities firefox 3.6.*,13.6.17,1 3.5.*,13.5.19,1 4.0.*,14.0.1,1 libxul 1.9.2.*1.9.2.17 linux-firefox 3.6.17,1 linux-firefox-devel 3.5.19 linux-seamonkey 2.0.*2.0.14 seamonkey 2.0.*2.0.14

The Mozilla Project reports:

MFSA 2011-12 Miscellaneous memory safety hazards

MFSA 2011-13 Multiple dangling pointer vulnerabilities

MFSA 2011-14 Information stealing via form history

MFSA 2011-15 Escalation of privilege through Java Embedding Plugin

MFSA 2011-16 Directory traversal in resource: protocol

MFSA 2011-17 WebGLES vulnerabilities

MFSA 2011-18 XSLT generate-id() function heap address leak

http://www.mozilla.org/security/announce/2011/mfsa2011-12.html http://www.mozilla.org/security/announce/2011/mfsa2011-13.html http://www.mozilla.org/security/announce/2011/mfsa2011-14.html http://www.mozilla.org/security/announce/2011/mfsa2011-15.html http://www.mozilla.org/security/announce/2011/mfsa2011-16.html http://www.mozilla.org/security/announce/2011/mfsa2011-17.html http://www.mozilla.org/security/announce/2011/mfsa2011-18.html 2011-04-28 2011-04-29
Asterisk -- multiple vulnerabilities asterisk14 1.4.*1.4.40.1 asterisk16 1.6.*1.6.2.17.3 asterisk18 1.8.*1.8.3.3

The Asterisk Development Team reports:

It is possible for a user of the Asterisk Manager Interface to bypass a security check and execute shell commands when they should not have that ability. Sending the "Async" header with the "Application" header during an Originate action allows authenticated manager users to execute shell commands. Only users with the "system" privilege should be able to do this.

On systems that have the Asterisk Manager Interface, Skinny, SIP over TCP, or the built in HTTP server enabled, it is possible for an attacker to open as many connections to asterisk as he wishes. This will cause Asterisk to run out of available file descriptors and stop processing any new calls. Additionally, disk space can be exhausted as Asterisk logs failures to open new file descriptors.

CVE-2011-1507 http://downloads.asterisk.org/pub/security/AST-2011-005.pdf http://downloads.asterisk.org/pub/security/AST-2011-006.pdf 2011-04-21 2011-04-21
VLC -- Heap corruption in MP4 demultiplexer vlc 1.0.01.1.9

VideoLAN project reports:

When parsing some MP4 (MPEG-4 Part 14) files, insufficient buffer size might lead to corruption of the heap.

http://www.videolan.org/security/sa1103.html 2011-04-07 2011-04-17
linux-flashplugin -- remote code execution vulnerability linux-flashplugin 9.0r289 linux-f10-flashplugin 10.2r159.1

Adobe Product Security Incident Response Team reports:

A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform. At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

CVE-2011-0611 http://www.adobe.com/support/security/advisories/apsa11-02.html 2011-01-20 2011-04-17
rt -- multiple vulnerabilities rt36 3.6.11 rt38 3.8.10

Best Practical reports:

In the process of preparing the release of RT 4.0.0, we performed an extensive security audit of RT's source code. During this audit, several vulnerabilities were found which affect earlier releases of RT.

CVE-2011-1685 CVE-2011-1686 CVE-2011-1687 CVE-2011-1688 CVE-2011-1689 CVE-2011-1690 http://secunia.com/advisories/44189 2011-04-14 2011-04-17
krb5 -- MITKRB5-SA-2011-004, kadmind invalid pointer free() [CVE-2011-0285] krb5 1.71.7.2 1.81.8.4 1.9

An advisory published by the MIT Kerberos team says:

The password-changing capability of the MIT krb5 administration daemon (kadmind) has a bug that can cause it to attempt to free() an invalid pointer under certain error conditions. This can cause the daemon to crash or induce the execution of arbitrary code (which is believed to be difficult). No exploit that executes arbitrary code is known to exist, but it is easy to trigger a denial of service manually.

Some platforms detect attempted freeing of invalid pointers and protectively terminate the process, preventing arbitrary code execution on those platforms.

CVE-2011-0285 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt 2011-04-12 2011-04-14
krb5 -- MITKRB5-SA-2011-003, KDC vulnerable to double-free when PKINIT enabled krb5 1.71.7.2 1.81.8.4 1.9

An advisory published by the MIT Kerberos team says:

The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult).

An unauthenticated remote attacker can induce a double-free event, causing the KDC daemon to crash (denial of service), or to execute arbitrary code. Exploiting a double-free event to execute arbitrary code is believed to be difficult.

CVE-2011-0284 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt 2011-03-15 2011-04-14
krb5 -- MITKRB5-SA-2011-002, KDC vulnerable to hang when using LDAP back end krb5 1.71.7.2 1.81.8.4 1.9

An advisory published by the MIT Kerberos team says:

The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks from unauthenticated remote attackers. CVE-2011-0281 and CVE-2011-0282 occur only in KDCs using LDAP back ends, but CVE-2011-0283 occurs in all krb5-1.9 KDCs.

Exploit code is not known to exist, but the vulnerabilities are easy to trigger manually. The trigger for CVE-2011-0281 has already been disclosed publicly, but that fact might not be obvious to casual readers of the message in which it was disclosed. The triggers for CVE-2011-0282 and CVE-2011-0283 have not yet been disclosed publicly, but they are also trivial.

CVE-2011-0281: An unauthenticated remote attacker can cause a KDC configured with an LDAP back end to become completely unresponsive until restarted.

CVE-2011-0282: An unauthenticated remote attacker can cause a KDC configured with an LDAP back end to crash with a null pointer dereference.

CVE-2011-0283: An unauthenticated remote attacker can cause a krb5-1.9 KDC with any back end to crash with a null pointer dereference.

CVE-2011-0281 CVE-2011-0282 CVE-2011-0283 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt 2011-02-08 2011-04-14
krb5 -- MITKRB5-SA-2011-001, kpropd denial of service krb5 1.71.7.2 1.81.8.4 1.9

An advisory published by the MIT Kerberos team says:

The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial-of-service attack triggered by invalid network input. If a kpropd worker process receives invalid input that causes it to exit with an abnormal status, it can cause the termination of the listening process that spawned it, preventing the slave KDC it was running on from receiving database updates from the master KDC.

Exploit code is not known to exist, but the vulnerabilities are easy to trigger manually.

An unauthenticated remote attacker can cause kpropd running in standalone mode (the "-S" option) to terminate its listening process, preventing database propagations to the KDC host on which it was running. Configurations where kpropd runs in incremental propagation mode ("iprop") or as an inetd server are not affected.

CVE-2010-4022 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt 2011-02-08 2011-04-14
xrdb -- root hole via rogue hostname xrdb 1.0.6_1

Matthias Hopf reports:

By crafting hostnames with shell escape characters, arbitrary commands can be executed in a root environment when a display manager reads in the resource database via xrdb.

These specially crafted hostnames can occur in two environments:

Systems affected are: systems that set their hostname via DHCP, where the DHCP client used allows setting hostnames with illegal characters; and systems that allow remote logins via xdmcp.

CVE-2011-0465 http://lists.freedesktop.org/archives/xorg-announce/2011-April/001636.html 2011-04-05 2011-04-14
OTRS -- Several XSS attacks possible otrs 2.3.*3.0.7

OTRS Security Advisory reports:

  • Several XSS attacks possible: An attacker could trick a logged-in user into following a prepared URL inside of the OTRS system which causes a page to be shown that possibly includes malicious JavaScript code because of incorrect escaping during the generation of the HTML page.
CVE-2011-1518 http://otrs.org/advisory/OSA-2011-01-en/ 2011-03-12 2011-04-12
isc-dhcp-client -- dhclient does not strip or escape shell meta-characters isc-dhcp31-client 3.1.ESV_1,1 isc-dhcp41-client 4.1.e,2

ISC reports:

ISC dhclient did not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client.

CVE-2011-0997 107886 2011-04-05 2011-04-10
tinyproxy -- ACL lists ineffective when range is configured tinyproxy 1.8.2_2,1

When including a line to allow a network of IP addresses, access to tinyproxy is actually allowed for all IP addresses.

CVE-2011-1499 https://banu.com/bugzilla/show_bug.cgi?id=90 2010-05-18 2011-04-08
quagga -- two DoS vulnerabilities quagga 0.99.17_6

Quagga developers report:

Quagga 0.99.18 has been released. This release fixes 2 denial of services in bgpd, which can be remotely triggered by malformed AS-Pathlimit or Extended-Community attributes. These issues have been assigned CVE-2010-1674 and CVE-2010-1675. Support for AS-Pathlimit has been removed with this release.

CVE-2010-1674 CVE-2010-1675 http://www.quagga.net/news2.php?y=2011&m=3&d=21#id1300723200 2010-04-30 2011-04-01
gdm -- privilege escalation vulnerability gdm 2.30.5_2

Sebastian Krahmer reports:

It was discovered that the GNOME Display Manager (gdm) cleared the cache directory, which is owned by an unprivileged user, with the privileges of the root user. A race condition exists in gdm where a local user could take advantage of this by writing to the cache directory between ending the session and the signal to clean up the session, which could lead to the execution of arbitrary code as the root user.

CVE-2011-0727 http://mail.gnome.org/archives/distributor-list/2011-March/msg00008.html https://bugzilla.redhat.com/show_bug.cgi?id=688323 2011-03-28 2011-03-29
php -- ZipArchive segfault with FL_UNCHANGED on empty archive php5-zip 5.3.6

US-CERT/NIST reports:

The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (application crash) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation.

CVE-2011-0421 2011-03-20 2011-03-25
php -- crash on crafted tag in exif php5-exif 5.3.6

US-CERT/NIST reports:

exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.

CVE-2011-0708 2011-03-20 2011-03-25
linux-flashplugin -- remote code execution vulnerability linux-flashplugin 9.0r289 linux-f8-flashplugin linux-f10-flashplugin 10.2r153

Adobe Product Security Incident Response Team reports:

A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.

CVE-2011-0609 http://www.adobe.com/support/security/advisories/apsa11-01.html 2011-01-20 2011-03-24
mozilla -- update to HTTPS certificate blacklist firefox 3.6.*,13.6.16,1 3.5.*,13.5.18,1 libxul 1.9.2.*1.9.2.16 linux-firefox 3.6.16,1 linux-firefox-devel 3.5.18 linux-seamonkey 2.0.*2.0.13 seamonkey 2.0.*2.0.13

The Mozilla Project reports:

MFSA 2011-11 Update to HTTPS certificate blacklist

http://www.mozilla.org/security/announce/2011/mfsa2011-11.html 2011-03-22 2011-03-24
postfix -- plaintext command injection with SMTP over TLS postfix postfix-base 2.7.*,12.7.3,1 2.6.*,12.6.9,1 2.5.*,22.5.12,2 2.4.*,12.4.16,1 postfix-current postfix-current-base 2.9.20100120,4

Wietse Venema has discovered a software flaw that allows an attacker to inject client commands into an SMTP session during the unprotected plaintext SMTP protocol phase, such that the server will execute those commands during the SMTP-over-TLS protocol phase when all communication is supposed to be protected.

CVE-2011-0411 http://www.postfix.org/CVE-2011-0411.html http://secunia.com/advisories/43646/ 2011-03-07 2011-03-19
hiawatha -- integer overflow in Content-Length header parsing hiawatha 7.4_1

Hugo Leisink reports:

A bug has been found in version 7.4 of the Hiawatha webserver, which could lead to a server crash. This is caused by an integer overflow in the routine that reads the HTTP request. A too large value of the Content-Length HTTP header results in an overflow.

http://www.hiawatha-webserver.org/weblog/16 http://secunia.com/advisories/43660/ http://securityvulns.com/Zdocument902.html http://packetstormsecurity.org/files/99021/Hiawatha-WebServer-7.4-Denial-Of-Service.html http://seclists.org/bugtraq/2011/Mar/65 2011-02-25 2011-03-17
asterisk -- Multiple Vulnerabilities asterisk16 1.6.*1.6.2.17.1 asterisk18 1.8.*1.8.3.1

The Asterisk Development Team reports:

The releases of Asterisk 1.6.1.23, 1.6.2.17.1, and 1.8.3.1 resolve two issues:

  • Resource exhaustion in Asterisk Manager Interface (AST-2011-003)
  • Remote crash vulnerability in TCP/TLS server (AST-2011-004)

The issues and resolutions are described in the AST-2011-003 and AST-2011-004 security advisories.

http://downloads.asterisk.org/pub/security/AST-2011-003.html http://downloads.asterisk.org/pub/security/AST-2011-004.html 2011-03-01 2011-03-16
avahi -- denial of service avahi avahi-app avahi-autoipd avahi-gtk avahi-libdns avahi-qt3 avahi-qt4 avahi-sharp 0.6.29

Avahi developers report:

A vulnerability has been reported in Avahi, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when processing certain UDP packets, which can be exploited to trigger an infinite loop by e.g. sending an empty packet to port 5353/UDP.

CVE-2011-1002 CVE-2010-2244 http://secunia.com/advisories/43361/ https://bugzilla.redhat.com/show_bug.cgi?id=667187 2011-02-21 2011-03-13
mailman -- XSS vulnerability mailman 2.1.14_1

CVE reports:

Multiple cross-site scripting (XSS) vulnerabilities in Cgi/confirm.py in GNU Mailman 2.1.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) username field in a confirmation message.

CVE-2011-0707 http://mail.python.org/pipermail/mailman-announce/2011-February/000157.html 2011-02-13 2011-03-10
redmine -- XSS vulnerability redmine 1.01.1.2

Jean-Philippe Lang reports:

This maintenance release for 1.1.x users includes 13 bug fixes since 1.1.1 and a security fix (XSS vulnerability affecting all Redmine versions from 1.0.1 to 1.1.1).

http://www.redmine.org/news/53 2011-03-07 2011-03-07
subversion -- remote HTTP DoS vulnerability subversion 1.61.6.15 1.51.6.9 subversion-freebsd 1.61.6.15 1.51.6.9

Subversion project reports:

Subversion HTTP servers up to 1.5.9 (inclusive) or 1.6.15 (inclusive) are vulnerable to a remotely triggerable NULL-pointer dereference.

CVE-2011-0715 2011-02-27 2011-03-05
mozilla -- multiple vulnerabilities firefox 3.6.*,13.6.14,1 3.5.*,13.5.17,1 libxul 1.9.2.*1.9.2.14 linux-firefox 3.6.14,1 linux-firefox-devel 3.5.17 linux-seamonkey 2.0.*2.0.12 linux-thunderbird 3.13.1.8 seamonkey 2.0.*2.0.12 thunderbird 3.1.8

The Mozilla Project reports:

MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)

MFSA 2011-02 Recursive eval call causes confirm dialogs to evaluate to true

MFSA 2011-03 Use-after-free error in JSON.stringify

MFSA 2011-04 Buffer overflow in JavaScript upvarMap

MFSA 2011-05 Buffer overflow in JavaScript atom map

MFSA 2011-06 Use-after-free error using Web Workers

MFSA 2011-07 Memory corruption during text run construction (Windows)

MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome documents

MFSA 2011-09 Crash caused by corrupted JPEG image

MFSA 2011-10 CSRF risk with plugins and 307 redirects

CVE-2010-1585 CVE-2011-0051 CVE-2011-0053 CVE-2011-0054 CVE-2011-0055 CVE-2011-0056 CVE-2011-0057 CVE-2011-0058 CVE-2011-0059 CVE-2011-0061 CVE-2011-0062 https://www.mozilla.org/security/announce/2011/mfsa2011-01.html https://www.mozilla.org/security/announce/2011/mfsa2011-02.html https://www.mozilla.org/security/announce/2011/mfsa2011-03.html https://www.mozilla.org/security/announce/2011/mfsa2011-04.html https://www.mozilla.org/security/announce/2011/mfsa2011-05.html https://www.mozilla.org/security/announce/2011/mfsa2011-06.html https://www.mozilla.org/security/announce/2011/mfsa2011-07.html https://www.mozilla.org/security/announce/2011/mfsa2011-08.html https://www.mozilla.org/security/announce/2011/mfsa2011-09.html https://www.mozilla.org/security/announce/2011/mfsa2011-10.html 2011-03-01 2011-03-01
openldap -- two security bypass vulnerabilities openldap-server 2.4.02.4.24

Secunia reports:

Two vulnerabilities have been reported in OpenLDAP, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerabilities are reported in versions prior to 2.4.24.

http://secunia.com/advisories/43331/ 2011-02-14 2011-02-25
asterisk -- Exploitable Stack and Heap Array Overflows asterisk14 1.4.*1.4.39.2 asterisk16 1.6.*1.6.2.16.2 asterisk18 1.8.*1.8.2.4

The Asterisk Development Team reports:

The releases of Asterisk 1.4.39.2, 1.6.1.22, 1.6.2.16.2, and 1.8.2.4 resolve an issue that when decoding UDPTL packets, multiple heap based arrays can be made to overflow by specially crafted packets. Systems configured for T.38 pass through or termination are vulnerable. The issue and resolution are described in the AST-2011-002 security advisory.

http://downloads.asterisk.org/pub/security/AST-2011-002.html http://secunia.com/advisories/43429/ 2011-02-21 2011-02-22
PivotX -- administrator password reset vulnerability pivotx 2.2.4

US CERT reports:

PivotX contains a vulnerability that allows an attacker to change the password of any account just by guessing the username. Version 2.2.4 has been reported to not be affected. This vulnerability is being exploited in the wild and users should immediately upgrade to 2.2.5 or later. Mitigation steps for users that have been compromised have been posted to the PivotX Support Community.

CVE-2011-1035 2011-02-18 2011-02-20
tomcat -- Cross-site scripting vulnerability tomcat 5.5.05.5.32 tomcat 6.0.06.0.30 tomcat 7.0.07.0.6

The Tomcat security team reports:

The HTML Manager interface displayed web application provided data, such as display names, without filtering. A malicious web application could trigger script execution by an administrative user when viewing the manager pages.

CVE-2011-0013 http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.32 http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.30 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.6 2010-11-12 2011-02-15 2011-09-30
phpMyAdmin -- multiple vulnerabilities phpMyAdmin 3.3.9.2 phpMyAdmin211 2.11.11.3

phpMyAdmin team reports:

It was possible to create a bookmark which would be executed unintentionally by other users.

When the files README, ChangeLog or LICENSE have been removed from their original place (possibly by the distributor), the scripts used to display these files can show their full path, leading to possible further attacks.

http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php 2011-02-08 2011-02-11
linux-flashplugin -- multiple vulnerabilities linux-flashplugin 9.0r289 linux-f8-flashplugin linux-f10-flashplugin 10.2r152

Adobe Product Security Incident Response Team reports:

Critical vulnerabilities have been identified in Adobe Flash Player 10.1.102.64 and earlier versions for Windows, Macintosh, Linux, and Solaris. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

CVE-2011-0558 CVE-2011-0559 CVE-2011-0560 CVE-2011-0561 CVE-2011-0571 CVE-2011-0572 CVE-2011-0573 CVE-2011-0574 CVE-2011-0575 CVE-2011-0577 CVE-2011-0578 CVE-2011-0607 CVE-2011-0608 http://www.adobe.com/support/security/bulletins/apsb11-02.html 2011-02-08 2011-02-11
mupdf -- Remote System Access mupdf 0.8

Secunia reports:

The vulnerability is caused due to an error within the "closedctd()" function in fitz/filt_dctd.c when processing PDF files containing certain malformed JPEG images. This can be exploited to cause a stack corruption by e.g. tricking a user into opening a specially crafted PDF file.

46027 http://secunia.com/advisories/43020/ 2011-01-26 2011-02-10
rubygem-mail -- Remote Arbitrary Shell Command Injection Vulnerability rubygem-mail 2.2.15

Secunia reports:

Input passed via an email from address is not properly sanitised in the "deliver()" function (lib/mail/network/delivery_methods/sendmail.rb) before being used as a command line argument. This can be exploited to inject arbitrary shell commands.

46021 CVE-2011-0739 http://secunia.com/advisories/43077/ http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1 2011-01-25 2011-02-10
plone -- Remote Security Bypass plone 2.53 plone3 33.3

Plone developer reports:

This is an escalation of privileges attack that can be used by anonymous users to gain access to a Plone site's administration controls, view unpublished content, create new content and modify a site's skin. The sandbox protecting access to the underlying system is still in place, and it does not grant access to other applications running on the same Zope instance.

46102 CVE-2011-0720 http://plone.org/products/plone/security/advisories/cve-2011-0720 2011-02-02 2011-02-10
exim -- local privilege escalation exim exim-ldap exim-ldap2 exim-mysql exim-postgresql exim-sa-exim 4.74

exim.org reports:

CVE-2011-0017 - check return value of setuid/setgid. This is a privilege escalation vulnerability whereby the Exim run-time user can cause root to append content of the attacker's choosing to arbitrary files.

CVE-2011-0017 ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74 2011-01-31 2011-02-10
openoffice.org -- Multiple vulnerabilities openoffice.org 3.3.0

OpenOffice.org Security Team reports:

Fixed in OpenOffice.org 3.3

http://www.openoffice.org/security/bulletin.html http://secunia.com/advisories/40775/ 2010-08-04 2011-02-10
webkit-gtk2 -- Multiple vulnerabilities webkit-gtk2 1.2.7

Gustavo Noronha Silva reports:

This release has essentially security fixes. Refer to the WebKit/gtk/NEWS file inside the tarball for details. We would like to thank the Red Hat security team (Huzaifa Sidhpurwala in particular) and Michael Gilbert from Debian for their help in checking (and pushing!) security issues affecting the WebKitGTK+ stable branch for this release.

CVE-2010-2901 CVE-2010-4040 CVE-2010-4042 CVE-2010-4199 CVE-2010-4492 CVE-2010-4493 CVE-2010-4578 CVE-2011-0482 CVE-2011-0778 https://bugs.webkit.org/show_bug.cgi?id=48328 https://bugs.webkit.org/show_bug.cgi?id=50710 https://bugs.webkit.org/show_bug.cgi?id=50840 https://bugs.webkit.org/show_bug.cgi?id=50932 https://bugs.webkit.org/show_bug.cgi?id=51993 https://bugs.webkit.org/show_bug.cgi?id=53265 https://bugs.webkit.org/show_bug.cgi?id=53276 http://permalink.gmane.org/gmane.os.opendarwin.webkit.gtk/405 2011-02-08 2011-02-10
awstats -- arbitrary commands execution vulnerability awstats 7.0,1 awstats-devel 0

Awstats change log reports:

  • Security fix (Traverse directory of LoadPlugin)
  • Security fix (Limit config to defined directory to avoid access to external config file via a nfs or webdav link).
CVE-2010-4367 http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-001.html http://awstats.sourceforge.net/docs/awstats_changelog.txt 2010-05-01 2011-02-10
opera -- multiple vulnerabilities opera opera-devel linux-opera 11.01

Opera reports:

Opera 11.01 is a recommended upgrade offering security and stability enhancements.

The following security vulnerabilities have been fixed:

  • Removed support for "javascript:" URLs in CSS -o-link values, to make it easier for sites to filter untrusted CSS.
  • Fixed an issue where large form inputs could allow execution of arbitrary code, as reported by Jordi Chancel; see our advisory.
  • Fixed an issue which made it possible to carry out clickjacking attacks against internal opera: URLs; see our advisory.
  • Fixed issues which allowed web pages to gain limited access to files on the user's computer; see our advisory.
  • Fixed an issue where email passwords were not immediately deleted when deleting private data; see our advisory.
CVE-2011-0450 CVE-2011-0681 CVE-2011-0682 CVE-2011-0683 CVE-2011-0684 CVE-2011-0685 CVE-2011-0686 CVE-2011-0687 http://www.opera.com/support/kb/view/982/ http://www.opera.com/support/kb/view/983/ http://www.opera.com/support/kb/view/984/ http://secunia.com/advisories/43023 2011-01-26 2011-02-10
django -- multiple vulnerabilities py23-django py24-django py25-django py26-django py27-django py30-django py31-django 1.21.2.5 1.11.1.4 py23-django-devel py24-django-devel py25-django-devel py26-django-devel py27-django-devel py30-django-devel py31-django-devel 15470,1

Django project reports:

Today the Django team is issuing multiple releases -- Django 1.2.5 and Django 1.1.4 -- to remedy three security issues reported to us. All users of affected versions of Django are urged to upgrade immediately.

http://www.djangoproject.com/weblog/2011/feb/08/security/ 2011-02-08 2011-02-09
mediawiki -- multiple vulnerabilities mediawiki 1.16.2

MediaWiki reports:

An arbitrary script inclusion vulnerability was discovered. The vulnerability only allows execution of files with names ending in ".php" which are already present in the local filesystem. Only servers running Microsoft Windows and possibly Novell Netware are affected. Despite these mitigating factors, all users are advised to upgrade, since there is a risk of complete server compromise. MediaWiki 1.8.0 and later is affected.

Security researcher mghack discovered a CSS injection vulnerability. For Internet Explorer and similar browsers, this is equivalent to an XSS vulnerability, that is to say, it allows the compromise of wiki user accounts. For other browsers, it allows private data such as IP addresses and browsing patterns to be sent to a malicious external web server. It affects all versions of MediaWiki. All users are advised to upgrade.

CVE-2011-0047 https://bugzilla.wikimedia.org/show_bug.cgi?id=27094 https://bugzilla.wikimedia.org/show_bug.cgi?id=27093 http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_2/phase3/RELEASE-NOTES http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-February/000095.html 2011-02-01 2011-02-09
wordpress -- SQL injection vulnerability wordpress 3.0.2,1 de-wordpress zh-wordpress-zh_CN zh-wordpress-zh_TW 3.0.2

Vendor reports:

SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field.

CVE-2010-4257 http://www.cvedetails.com/cve/CVE-2010-4257/ 2010-11-16 2011-02-05 2011-02-09
vlc -- Insufficient input validation in MKV demuxer vlc 1.1.7

VLC team reports:

When parsing an invalid MKV (Matroska or WebM) file, input validation is insufficient.

http://www.videolan.org/security/sa1102.html 2011-01-26 2011-02-02
maradns -- denial of service when resolving a long DNS hostname maradns 1.4.06

MaraDNS developer Sam Trenholme reports:

... a mistake in allocating an array of integers, allocating it in bytes instead of sizeof(int) units. This resulted in a buffer being too small, allowing it to be overwritten. The impact of this programming error is that MaraDNS can be crashed by sending MaraDNS a single "packet of death". Since the data placed in the overwritten array cannot be remotely controlled (it is a list of increasing integers), there is no way to increase privileges exploiting this bug.

45966 CVE-2011-0520 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610834 2011-01-23 2011-01-31
isc-dhcp-server -- DHCPv6 crash isc-dhcp41-server 4.1.2,1

ISC reports:

When the DHCPv6 server code processes a message for an address that was previously declined and internally tagged as abandoned it can trigger an assert failure resulting in the server crashing. This could be used to crash DHCPv6 servers remotely. This issue only affects DHCPv6 servers. DHCPv4 servers are unaffected.

CVE-2011-0413 http://www.isc.org/software/dhcp/advisories/cve-2011-0413 http://www.kb.cert.org/vuls/id/686084 2011-01-26 2011-01-28
bugzilla -- multiple serious vulnerabilities bugzilla 2.14.*3.6.4

A Bugzilla Security Advisory reports:

This advisory covers three security issues that have recently been fixed in the Bugzilla code:

  • A weakness in Bugzilla could allow a user to gain unauthorized access to another Bugzilla account.
  • A weakness in the Perl CGI.pm module allows injecting HTTP headers and content to users via several pages in Bugzilla.
  • If you put a harmful "javascript:" or "data:" URL into Bugzilla's "URL" field, then there are multiple situations in which Bugzilla will unintentionally make that link clickable.
  • Various pages lack protection against cross-site request forgeries.

All affected installations are encouraged to upgrade as soon as possible.

25425 CVE-2010-4568 CVE-2010-2761 CVE-2010-4411 CVE-2010-4572 CVE-2010-4567 CVE-2010-0048 CVE-2011-0046 https://bugzilla.mozilla.org/show_bug.cgi?id=621591 https://bugzilla.mozilla.org/show_bug.cgi?id=619594 https://bugzilla.mozilla.org/show_bug.cgi?id=591165 https://bugzilla.mozilla.org/show_bug.cgi?id=621572 https://bugzilla.mozilla.org/show_bug.cgi?id=619588 https://bugzilla.mozilla.org/show_bug.cgi?id=628034 https://bugzilla.mozilla.org/show_bug.cgi?id=621090 https://bugzilla.mozilla.org/show_bug.cgi?id=621105 https://bugzilla.mozilla.org/show_bug.cgi?id=621107 https://bugzilla.mozilla.org/show_bug.cgi?id=621108 https://bugzilla.mozilla.org/show_bug.cgi?id=621109 https://bugzilla.mozilla.org/show_bug.cgi?id=621110 2011-01-24 2011-01-25
dokuwiki -- multiple privilege escalation vulnerabilities dokuwiki 20101107a

Dokuwiki reports:

This security update fixes problems in the XMLRPC interface where ACLs were not checked correctly sometimes, making it possible to access and write information that should not have been accessible/writable. This only affects users who have enabled the XMLRPC interface (default is off) and have enabled XMLRPC access for users who can't access/write all content anyway (default is nobody, see http://www.dokuwiki.org/config:xmlrpcuser for details).

This update also includes a fix for a problem in the general ACL checking function that could be exploited to gain access to restricted pages and media files in rare conditions (when you had rights for an id you could get the same rights on ids where one character has been replaced by a ".").

http://bugs.dokuwiki.org/index.php?do=details&task_id=2136 2011-01-16 2011-01-24
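The symptom described above (rights granted for one id carrying over to an id in which a single character has been replaced by ".") is what you get when the requested id is dropped unescaped into a regular expression that is then matched against the ACL rule lines: "." becomes the regex wildcard. The following Python is an added illustration of that failure class next to its fix; it is not DokuWiki's PHP, the ACL lines are constructed, and the matcher is simplified to exact ids (no @group entries, no namespace wildcards), which is enough to show the bug.

```python
import re

ACL_NONE = 0

# Constructed ACL lines in DokuWiki's "<id> <user> <level>" layout
# (levels as integers; 16 is "delete", the highest page permission).
SAMPLE_ACL = [
    "users:bob        bob    16",
    "private:budget   alice   2",
]


def _level_by_regex(acl_lines, id_pattern, user):
    """Pick the highest level of every rule line matching the id pattern
    and user; ACL_NONE when no rule applies."""
    pattern = re.compile(r"^" + id_pattern + r"\s+" + re.escape(user) + r"\s+(\d+)\s*$")
    levels = [int(m.group(1)) for m in map(pattern.match, acl_lines) if m]
    return max(levels, default=ACL_NONE)


def acl_level_vulnerable(acl_lines, page_id, user):
    """Bug: the requested id is used verbatim as a regex, so "." in it matches
    any one character. The id "users.bob" (a different page, in the root
    namespace) therefore inherits the rule written for "users:bob"."""
    return _level_by_regex(acl_lines, page_id, user)


def acl_level_fixed(acl_lines, page_id, user):
    """Fix: escape the id (PHP's preg_quote() equivalent) so every character
    in it is matched literally and only the exact id hits its rule."""
    return _level_by_regex(acl_lines, re.escape(page_id), user)


if __name__ == "__main__":
    for fn in (acl_level_vulnerable, acl_level_fixed):
        print(fn.__name__, "users:bob ->", fn(SAMPLE_ACL, "users:bob", "bob"),
              "| users.bob ->", fn(SAMPLE_ACL, "users.bob", "bob"))
```

The general lesson is the one DokuWiki's fix applies: any user-controlled string that ends up inside a regular expression used for authorization must be escaped, or better, compared as a literal string.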
asterisk -- Exploitable Stack Buffer Overflow asterisk14 >= 1.4.*, < 1.4.39.1; asterisk16 >= 1.6.*, < 1.6.2.16.1; asterisk18 >= 1.8.*, < 1.8.2.2

The Asterisk Development Team reports:

The releases of Asterisk 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.2, 1.8.1.2, and 1.8.2.1 resolve an issue when forming an outgoing SIP request while in pedantic mode, which can cause a stack buffer to be made to overflow if supplied with carefully crafted caller ID information. The issue and resolution are described in the AST-2011-001 security advisory.

http://downloads.asterisk.org/pub/security/AST-2011-001.pdf 2011-01-18 2011-01-19
tarsnap -- cryptographic nonce reuse tarsnap 1.0.22 through 1.0.27

Colin Percival reports:

In versions 1.0.22 through 1.0.27 of Tarsnap, the CTR nonce value is not incremented after each chunk is encrypted. (The CTR counter is correctly incremented after each 16 bytes of data is processed, but this counter is reset to zero for each new chunk.)

Note that since the Tarsnap client-server protocol is encrypted, being able to intercept Tarsnap client-server traffic does not provide an attacker with access to the data.

http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html 2011-01-18 2011-01-19
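Why a counter that restarts at zero for every chunk under an unchanged nonce is a critical bug, shown as an added Python example that is not Tarsnap's code (Tarsnap is C and uses AES): CTR mode is a keystream XOR, so two chunks encrypted under the same (nonce, counter) sequence share their keystream, and XORing the two ciphertexts cancels the key out entirely. The keystream block function here is HMAC-SHA256 truncated to 16 bytes, a stand-in for AES so the example needs only the standard library; the key and chunks are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # CTR consumes the keystream in 16-byte blocks, as AES-CTR does


def keystream_block(key: bytes, nonce: int, counter: int) -> bytes:
    """Keystream block for (nonce, counter).

    Stand-in for AES-encrypting the 16-byte (nonce || counter) block:
    HMAC-SHA256 truncated to 16 bytes, so the example runs on the standard
    library alone. The property that matters, "same key and same
    (nonce, counter) give the same keystream", holds for either one.
    """
    block = nonce.to_bytes(8, "big") + counter.to_bytes(8, "big")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ctr_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """CTR mode: XOR data with keystream blocks for counter 0, 1, 2, ...
    The same call decrypts, since XOR is its own inverse."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), BLOCK)):
        ks = keystream_block(key, nonce, counter)
        out.extend(b ^ k for b, k in zip(data[offset:offset + BLOCK], ks))
    return bytes(out)


def encrypt_chunks_buggy(key: bytes, chunks: list) -> list:
    """The 1.0.22 through 1.0.27 behaviour: the counter restarts at zero for
    every chunk and the nonce never advances, so each chunk is XORed with
    the very same keystream."""
    return [ctr_xor(key, 0, chunk) for chunk in chunks]


def encrypt_chunks_fixed(key: bytes, chunks: list) -> list:
    """Advance the nonce once per chunk so no (nonce, counter) pair repeats
    under one key (a chunk index here; any never-repeating value works)."""
    return [ctr_xor(key, index, chunk) for index, chunk in enumerate(chunks)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_chunk(ciphertexts: list, known: int, plaintext: bytes) -> list:
    """Attacker's view: knowing the plaintext of ONE chunk (a predictable
    file header, say) yields the shared keystream, which strips the
    encryption from every other chunk over the overlapping length."""
    keystream = xor_bytes(ciphertexts[known], plaintext)
    return [None if i == known else xor_bytes(ct, keystream)
            for i, ct in enumerate(ciphertexts)]


# Constructed inputs for the demonstration (not real Tarsnap data).
SAMPLE_KEY = bytes(range(32))
SAMPLE_CHUNKS = [
    b"#!/bin/sh -- predictable script header, attacker knows it",  # known chunk
    b"db_password=hunter2; api_token=ABCD",
    b"short tail",
]

if __name__ == "__main__":
    buggy = encrypt_chunks_buggy(SAMPLE_KEY, SAMPLE_CHUNKS)
    # ciphertext XOR ciphertext == plaintext XOR plaintext: the key is gone
    print(xor_bytes(buggy[0], buggy[1]) == xor_bytes(SAMPLE_CHUNKS[0], SAMPLE_CHUNKS[1]))
    print(recover_with_known_chunk(buggy, 0, SAMPLE_CHUNKS[0])[1])
```

Note that the leak needs no knowledge of the key and no break of the cipher; it is purely a consequence of keystream reuse, which is why the blog post above is careful to point out that an attacker still has to obtain the ciphertext first (the client-server protocol is separately encrypted).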
MoinMoin -- cross-site scripting vulnerabilities moinmoin 1.9.3

The MoinMoin developers report:

Fix XSS in Despam action (CVE-2010-0828)

Fix XSS issues

  • by escaping template name in messages
  • by fixing other places that had similar issues

39110 CVE-2010-0828 http://hg.moinmo.in/moin/1.9/raw-file/1.9.3/docs/CHANGES http://moinmo.in/MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg 2010-04-05 2011-01-11
tor -- remote code execution and crash tor 0.2.1.29 tor-devel 0.2.2.21.a

The Tor Project reports:

A remote heap overflow vulnerability that can allow remote code execution. Other fixes address a variety of assert and crash bugs, most of which we think are hard to exploit remotely. All Tor users should upgrade.

45832 CVE-2011-0427 ports/154099 http://archives.seul.org/or/announce/Jan-2011/msg00000.html https://gitweb.torproject.org/tor.git/blob/release-0.2.1:/ChangeLog https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ChangeLog 2011-01-15 2011-01-17
sudo -- local privilege escalation sudo >= 1.7.0, < 1.7.4.5

Todd Miller reports:

Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo's -g option (run as group), if allowed by the sudoers file. A flaw exists in sudo's password checking logic that allows a user to run a command with only the group changed without being prompted for a password.

CVE-2011-0010 http://www.sudo.ws/sudo/alerts/runas_group_pw.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641 2011-01-11 2011-01-13
subversion -- multiple DoS subversion 1.6.15 subversion-freebsd 1.6.15

Entry for CVE-2010-4539 says:

The walk function in repos.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.15, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger the walking of SVNParentPath collections.

Entry for CVE-2010-4644 says:

Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15 allow remote authenticated users to cause a denial of service (memory consumption and daemon crash) via the -g option to the blame command.

45655 CVE-2010-4539 CVE-2010-4644 2011-01-02 2011-01-13
php -- multiple vulnerabilities php5 5.3.5 php52 5.2.17

The PHP developers report:

Security Enhancements and Fixes in PHP 5.3.5:

  • Fixed bug #53632 (PHP hangs on numeric value 2.2250738585072011e-308). (CVE-2010-4645)

Security Enhancements and Fixes in PHP 5.2.17:

  • Fixed bug #53632 (PHP hangs on numeric value 2.2250738585072011e-308). (CVE-2010-4645)

CVE-2010-4645 2011-01-06 2011-01-09 2011-01-09
exim -- local privilege escalation exim 4.73

David Woodhouse reports:

Secondly a privilege escalation where the trusted 'exim' user is able to tell Exim to use arbitrary config files, in which further ${run ...} commands will be invoked as root.

CVE-2010-4345 http://www.exim.org/lurker/message/20101209.022730.dbb6732d.en.html https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3 2010-12-10 2011-01-08
mediawiki -- Clickjacking vulnerabilities mediawiki >= 1.16, < 1.16.1; >= 1.15, < 1.15.5_1

Clickjacking vulnerabilities:

Clickjacking is a type of vulnerability discovered in 2008, which is similar to CSRF. The attack involves displaying the target webpage in an iframe embedded in a malicious website. Using CSS, the submit button of the form on the target webpage is made invisible, and then overlaid with some button or link on the malicious website that encourages the user to click on it.

https://bugzilla.wikimedia.org/show_bug.cgi?id=26561 2011-01-04 2011-01-06
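The attack above only works if the browser is willing to put the target page in a third-party iframe, and the server controls that through response headers: X-Frame-Options (DENY or SAMEORIGIN), which browsers honoured at the time, and later the CSP frame-ancestors directive. The Python below is an added audit helper, not MediaWiki's fix: given the headers of a set of responses it reports which pages a hostile site could still frame. The responses and paths are constructed.

```python
from typing import Dict, List, Mapping


def framing_policy(headers: Mapping[str, str]) -> str:
    """Classify how a response may be placed in a third-party <iframe>,
    judged from its headers alone.

    Returns "deny", "sameorigin", "allow-from", "csp-list" or
    "unprotected". Header names are compared case-insensitively. A CSP
    frame-ancestors directive is consulted first because browsers that
    support it give it precedence over X-Frame-Options.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    for directive in lower.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in tokens[1:]]
            if sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "sameorigin"
            return "csp-list"  # explicit allow-list of framing origins

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    if xfo.startswith("ALLOW-FROM"):
        return "allow-from"
    return "unprotected"


def clickjackable(headers: Mapping[str, str]) -> bool:
    """True when a hostile site can frame the page. ALLOW-FROM is counted as
    exposed: browsers that never implemented it (Chrome, Safari) ignore the
    header entirely, so it only protects some of the users."""
    return framing_policy(headers) in ("unprotected", "allow-from")


def audit(responses: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Return the paths whose responses a hostile page could frame, so the
    state-changing ones among them can be reviewed first."""
    return sorted(path for path, headers in responses.items() if clickjackable(headers))


# Constructed responses for a wiki-like application (not captured traffic).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "/view": {"Content-Type": "text/html"},
    "/edit": {"Content-Type": "text/html"},
    "/delete": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "/protect": {"Content-Type": "text/html", "x-frame-options": "sameorigin"},
    "/logout": {"Content-Type": "text/html",
                "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "/watch": {"Content-Type": "text/html",
               "X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for path in audit(SAMPLE_RESPONSES):
        print(path, framing_policy(SAMPLE_RESPONSES[path]))
```

A frameable read-only page is usually harmless; the entries to chase are the ones that perform an action on a click, such as "/edit" in the constructed set. Script-based "frame busting" is not a substitute for the header, since the embedding page can defeat it (for example with the sandbox attribute on the iframe).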