diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 7c5f419351ec..0cf936c8da20 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -109,14 +109,14 @@ Note: Please add new entries to the beginning of this file.

Nathan Dors, Pubcookie Project reports:

An Abuse of Functionality vulnerability in the Pubcookie - authentication process was found. This vulnerability - allows an attacker to appear as if he or she were - authenticated using an empty userid when such a userid - isn't expected. Unauthorized access to web content and - applications may result where access is restricted to - users who can authenticate successfully but where no - additional authorization is performed after - authentication.

+ authentication process was found. This vulnerability + allows an attacker to appear as if he or she were + authenticated using an empty userid when such a userid + isn't expected. Unauthorized access to web content and + applications may result where access is restricted to + users who can authenticate successfully but where no + additional authorization is performed after + authentication.

@@ -167,10 +167,11 @@ Note: Please add new entries to the beginning of this file.

The Apache Portable Runtime Project reports:

A flaw was discovered in the apr_fnmatch() function in the Apache Portable - Runtime (APR) library 1.4.4 (or any backported versions that contained the - upstream fix for CVE-2011-0419). This could cause httpd workers to enter a - hung state (100% CPU utilization).

-

apr-util 1.3.11 could cause crashes with httpd's mod_authnz_ldap in some situations.

+ Runtime (APR) library 1.4.4 (or any backported versions that contained the + upstream fix for CVE-2011-0419). This could cause httpd workers to enter a + hung state (100% CPU utilization).

+

apr-util 1.3.11 could cause crashes with httpd's mod_authnz_ldap in some + situations.

@@ -287,8 +288,8 @@ Note: Please add new entries to the beginning of this file. 46767 - CVE-2011-0418 - CVE-2011-1575 + CVE-2011-0418 + CVE-2011-1575 2011-04-01 @@ -353,10 +354,10 @@ Note: Please add new entries to the beginning of this file.

The Apache Portable Runtime Project reports:

Note especially a security fix to APR 1.4.4, excessive CPU - consumption was possible due to an unconstrained, recursive - invocation of apr_fnmatch, as apr_fnmatch processed '*' wildcards. - Reimplement apr_fnmatch() from scratch using a non-recursive algorithm - now has improved compliance with the fnmatch() spec. (William Rowe)

+ consumption was possible due to an unconstrained, recursive + invocation of apr_fnmatch, as apr_fnmatch processed '*' wildcards. + Reimplement apr_fnmatch() from scratch using a non-recursive algorithm + now has improved compliance with the fnmatch() spec. (William Rowe)

@@ -449,11 +450,11 @@ Note: Please add new entries to the beginning of this file.

The Postfix SMTP server has a memory corruption error, - when the Cyrus SASL library is used with authentication - mechanisms other than PLAIN and LOGIN (ANONYMOUS is not - affected, but should not be used for other reasons). - This memory corruption is known to result in a program - crash (SIGSEV).

+ when the Cyrus SASL library is used with authentication + mechanisms other than PLAIN and LOGIN (ANONYMOUS is not + affected, but should not be used for other reasons). + This memory corruption is known to result in a program + crash (SIGSEV).

@@ -664,9 +665,9 @@ Note: Please add new entries to the beginning of this file.

Best Practical reports:

In the process of preparing the release of RT 4.0.0, we performed - an extensive security audit of RT's source code. During this - audit, several vulnerabilities were found which affect earlier - releases of RT.

+ an extensive security audit of RT's source code. During this + audit, several vulnerabilities were found which affect earlier + releases of RT.

@@ -698,15 +699,15 @@ Note: Please add new entries to the beginning of this file.

An advisory published by the MIT Kerberos team says:

The password-changing capability of the MIT krb5 administration - daemon (kadmind) has a bug that can cause it to attempt to free() - an invalid pointer under certain error conditions. This can cause - the daemon to crash or induce the execution of arbitrary code - (which is believed to be difficult). No exploit that executes - arbitrary code is known to exist, but it is easy to trigger a - denial of service manually.

+ daemon (kadmind) has a bug that can cause it to attempt to free() + an invalid pointer under certain error conditions. This can cause + the daemon to crash or induce the execution of arbitrary code + (which is believed to be difficult). No exploit that executes + arbitrary code is known to exist, but it is easy to trigger a + denial of service manually.

Some platforms detect attempted freeing of invalid pointers and - protectively terminate the process, preventing arbitrary code - execution on those platforms.

+ protectively terminate the process, preventing arbitrary code + execution on those platforms.