mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-14 03:10:47 +00:00
Code Issues Releases Activity
46741adf8e
freebsd-ports/security/vuxml/vuln-2013.xml
Baptiste Daroussin e14ed8232d Rework vuxml a bit to make them validable again 
modify tidy.xsl to make it generates manually the xml declaration
xsl is not able to generate a list of entity otherwise.

Remove copyright form included files, they are redudundant anyway and
in the end only the vuln.xml file is distribued with entities expanded

Rework a bit the entity declaration in order for the document to look
great after expansion (as it did before we introduced the expansion
mechanism)

All validation are now processed direcly on the flattened file.

This is based on a patch from mfechner here

Submitted by:		mfechner
Differential Revision:	https://reviews.freebsd.org/D28299
2021-01-25 17:16:21 +00:00

8077 lines
289 KiB
XML
Raw Blame History

<vuln vid="3e33a0bb-6b2f-11e3-b042-20cf30e32f6d">
<topic>OpenX -- SQL injection vulnerability</topic>
<affects>
<package>
<name>openx</name>
<range><lt>3.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Revive reports:</p>
<blockquote cite="http://www.revive-adserver.com/security/revive-sa-2013-001/">
<p>An SQL-injection vulnerability was recently discovered and reported
to the Revive Adserver team by Florian Sander. The vulnerability is
known to be already exploited to gain unauthorised access to the
application using brute force mechanisms, however other kind of
attacks might be possible and/or already in use. The risk is rated
to be critical as the most common end goal of the attackers is to
spread malware to the visitors of all the websites and ad networks
that the ad server is being used on.</p>
<p>The vulnerability is also present and exploitable in OpenX Source
2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.revive-adserver.com/security/revive-sa-2013-001/</url>
<url>http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/</url>
<cvename>CVE-2013-7149</cvename>
</references>
<dates>
<discovery>2013-12-20</discovery>
<entry>2013-12-22</entry>
</dates>
</vuln>
<vuln vid="4e1f4abc-6837-11e3-9cda-3c970e169bc2">
<topic>cURL library -- cert name check ignore with GnuTLS</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.21.4</ge><lt>7.33.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cURL project reports:</p>
<blockquote cite="http://curl.haxx.se/docs/adv_20131217.html">
<p>libcurl is vulnerable to a case of missing out the checking
of the certificate CN or SAN name field when the digital
signature verification is turned off.</p>
<p>libcurl offers two separate and independent options for
verifying a server's TLS certificate. CURLOPT_SSL_VERIFYPEER
and CURLOPT_SSL_VERIFYHOST. The first one tells libcurl to
verify the trust chain using a CA cert bundle, while the
second tells libcurl to make sure that the name fields in
the server certificate meets the criteria. Both options are
enabled by default.</p>
<p>This flaw had the effect that when an application disabled
CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also skipped the
CURLOPT_SSL_VERIFYHOST check. Applications can disable
CURLOPT_SSL_VERIFYPEER and still achieve security by doing
the check on its own using other means.</p>
<p>The curl command line tool is not affected by this problem
as it either enables both options or disables both at the
same time.</p>
</blockquote>
</body>
</description>
<references>
<url>http://curl.haxx.se/docs/adv_20131217.html</url>
<cvename>CVE-2013-6422</cvename>
</references>
<dates>
<discovery>2013-12-17</discovery>
<entry>2013-12-18</entry>
</dates>
</vuln>
<vuln vid="2e5715f8-67f7-11e3-9811-b499baab0cbe">
<topic>gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack</topic>
<affects>
<package>
<name>gnupg</name>
<range><lt>1.4.16</lt></range>
</package>
<package>
<name>gnupg1</name>
<range><lt>1.4.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Werner Koch reports:</p>
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html">
<p>CVE-2013-4576 has been assigned to this security bug.</p>
<p>The paper describes two attacks. The first attack allows
to distinguish keys: An attacker is able to notice which key is
currently used for decryption. This is in general not a problem but
may be used to reveal the information that a message, encrypted to a
commonly not used key, has been received by the targeted machine. We
do not have a software solution to mitigate this attack.</p>
<p>The second attack is more serious. It is an adaptive
chosen ciphertext attack to reveal the private key. A possible
scenario is that the attacker places a sensor (for example a standard
smartphone) in the vicinity of the targeted machine. That machine is
assumed to do unattended RSA decryption of received mails, for example
by using a mail client which speeds up browsing by opportunistically
decrypting mails expected to be read soon. While listening to the
acoustic emanations of the targeted machine, the smartphone will send
new encrypted messages to that machine and re-construct the private
key bit by bit. A 4096 bit RSA key used on a laptop can be revealed
within an hour.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4576</cvename>
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html</url>
</references>
<dates>
<discovery>2013-12-18</discovery>
<entry>2013-12-18</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="0c39bafc-6771-11e3-868f-0025905a4771">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk10</name>
<range><lt>10.12.4</lt></range>
</package>
<package>
<name>asterisk11</name>
<range><lt>11.6.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><lt>1.8.24.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>A 16 bit SMS message that contains an odd message length value will
cause the message decoding loop to run forever. The message buffer is
not on the stack but will be overflowed resulting in corrupted memory
and an immediate crash.</p>
<p>External control protocols, such as the Asterisk Manager Interface,
often have the ability to get and set channel variables; this allows
the execution of dialplan functions. Dialplan functions within
Asterisk are incredibly powerful, which is wonderful for building
applications using Asterisk. But during the read or write execution,
certain diaplan functions do much more. For example, reading the SHELL()
function can execute arbitrary commands on the system Asterisk is
running on. Writing to the FILE() function can change any file that
Asterisk has write access to. When these functions are executed from an
external protocol, that execution could result in a privilege escalation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-7100</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2013-006.pdf</url>
<url>http://downloads.asterisk.org/pub/security/AST-2013-007.pdf</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2013-12-16</discovery>
<entry>2013-12-17</entry>
</dates>
</vuln>
<vuln vid="3b86583a-66a7-11e3-868f-0025905a4771">
<topic>phpmyfaq -- arbitrary PHP code execution vulnerability</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.8.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ team reports:</p>
<blockquote cite="http://www.phpmyfaq.de/advisory_2013-11-26.php">
<p>Secunia noticed while analysing the advisory that authenticated
users with "Right to add attachments" are able to exploit an already
publicly known issue in the bundled Ajax File Manager of phpMyFAQ version
2.8.3, which leads to arbitrary PHP code execution for authenticated
users with the permission "Right to add attachments".</p>
</blockquote>
</body>
</description>
<references>
<url>http://en.securitylab.ru/lab/PT-2013-41</url>
<url>http://www.phpmyfaq.de/advisory_2013-11-26.php</url>
</references>
<dates>
<discovery>2013-11-26</discovery>
<entry>2013-12-16</entry>
<modified>2013-12-17</modified>
</dates>
</vuln>
<vuln vid="44d0f8dc-6607-11e3-bb11-0025900931f8">
<topic>zabbix -- shell command injection vulnerability</topic>
<affects>
<package>
<name>zabbix2-agent</name>
<range><lt>2.0.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Recurity Labs Team project reports:</p>
<blockquote cite="https://support.zabbix.com/browse/ZBX-7479">
<p>Zabbix agent is vulnerable to remote command execution
from the Zabbix server in some cases.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-6824</cvename>
<url>https://support.zabbix.com/browse/ZBX-7479</url>
</references>
<dates>
<discovery>2013-12-03</discovery>
<entry>2013-12-16</entry>
</dates>
</vuln>
<vuln vid="47b4e713-6513-11e3-868f-0025905a4771">
<topic>PHP5 -- memory corruption in openssl_x509_parse()</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.4.0</ge><lt>5.4.23</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.28</lt></range>
</package>
<package>
<name>php55</name>
<range><ge>5.5.0</ge><lt>5.5.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Stefan Esser reports:</p>
<blockquote cite="https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html">
<p>The PHP function openssl_x509_parse() uses a helper function
called asn1_time_to_time_t() to convert timestamps from ASN1
string format into integer timestamp values. The parser within
this helper function is not binary safe and can therefore be
tricked to write up to five NUL bytes outside of an allocated
buffer.</p>
<p>This problem can be triggered by x509 certificates that contain
NUL bytes in their notBefore and notAfter timestamp fields and
leads to a memory corruption that might result in arbitrary
code execution.</p>
<p>Depending on how openssl_x509_parse() is used within a PHP
application the attack requires either a malicious cert signed
by a compromised/malicious CA or can be carried out with a
self-signed cert.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-6420</cvename>
<url>https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html</url>
</references>
<dates>
<discovery>2013-12-13</discovery>
<entry>2013-12-14</entry>
</dates>
</vuln>
<vuln vid="dd116b19-64b3-11e3-868f-0025905a4771">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>25.0,1</gt><lt>26.0,1</lt></range>
<range><lt>24.2.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>26.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.23</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>24.2.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.23</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>24.2.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2013-116 JPEG information leak</p>
<p>MFSA 2013-105 Application Installation doorhanger persists on
navigation</p>
<p>MFSA 2013-106 Character encoding cross-origin XSS attack</p>
<p>MFSA 2013-107 Sandbox restrictions not applied to nested object
elements</p>
<p>MFSA 2013-108 Use-after-free in event listeners</p>
<p>MFSA 2013-109 Use-after-free during Table Editing</p>
<p>MFSA 2013-110 Potential overflow in JavaScript binary search
algorithms</p>
<p>MFSA 2013-111 Segmentation violation when replacing ordered list
elements</p>
<p>MFSA 2013-112 Linux clipboard information disclosure though
selection paste</p>
<p>MFSA 2013-113 Trust settings for built-in roots ignored during EV
certificate validation</p>
<p>MFSA 2013-114 Use-after-free in synthetic mouse movement</p>
<p>MFSA 2013-115 GetElementIC typed array stubs can be generated
outside observed typesets</p>
<p>MFSA 2013-116 JPEG information leak</p>
<p>MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-5609</cvename>
<cvename>CVE-2013-5610</cvename>
<cvename>CVE-2013-5611</cvename>
<cvename>CVE-2013-5612</cvename>
<cvename>CVE-2013-5613</cvename>
<cvename>CVE-2013-5614</cvename>
<cvename>CVE-2013-5615</cvename>
<cvename>CVE-2013-5616</cvename>
<cvename>CVE-2013-5618</cvename>
<cvename>CVE-2013-5619</cvename>
<cvename>CVE-2013-6629</cvename>
<cvename>CVE-2013-6630</cvename>
<cvename>CVE-2013-6671</cvename>
<cvename>CVE-2013-6672</cvename>
<cvename>CVE-2013-6673</cvename>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-104.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-105.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-106.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-107.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-108.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-109.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-110.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-111.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-112.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-113.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-114.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-115.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-116.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-117.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2013-12-09</discovery>
<entry>2013-12-14</entry>
</dates>
</vuln>
<vuln vid="613e45d1-6154-11e3-9b62-000c292e4fd8">
<topic>samba -- multiple vulnerabilities</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>0</gt></range>
</package>
<package>
<name>samba35</name>
<range><gt>0</gt></range>
</package>
<package>
<name>samba36</name>
<range><gt>3.6.*</gt><lt>3.6.22</lt></range>
</package>
<package>
<name>samba4</name>
<range><gt>4.0.*</gt><lt>4.0.13</lt></range>
</package>
<package>
<name>samba41</name>
<range><gt>4.1.*</gt><lt>4.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba project reports:</p>
<blockquote cite="http://www.samba.org/samba/latest_news.html#4.1.3">
<p>These are security releases in order to address CVE-2013-4408
(DCE-RPC fragment length field is incorrectly checked) and CVE-2012-6150
(pam_winbind login without require_membership_of restrictions).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-6150</cvename>
<cvename>CVE-2013-4408</cvename>
<url>http://www.samba.org/samba/security/CVE-2012-6150</url>
<url>http://www.samba.org/samba/security/CVE-2013-4408</url>
</references>
<dates>
<discovery>2012-06-12</discovery>
<entry>2013-12-11</entry>
</dates>
</vuln>
<vuln vid="6a806960-3016-44ed-8575-8614a7cb57c7">
<topic>rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-actionmailer</name>
<range><lt>3.2.16</lt></range>
</package>
<package>
<name>rubygem-actionpack</name>
<range><lt>3.2.16</lt></range>
</package>
<package>
<name>rubygem-activemodel</name>
<range><lt>3.2.16</lt></range>
</package>
<package>
<name>rubygem-activerecord</name>
<range><lt>3.2.16</lt></range>
</package>
<package>
<name>rubygem-activeresource</name>
<range><lt>3.2.16</lt></range>
</package>
<package>
<name>rubygem-activesupport</name>
<range><lt>3.2.16</lt></range>
</package>
<package>
<name>rubygem-rails</name>
<range><lt>3.2.16</lt></range>
</package>
<package>
<name>rubygem-railties</name>
<range><lt>3.2.16</lt></range>
</package>
<package>
<name>rubygem-actionpack4</name>
<range><lt>4.0.2</lt></range>
</package>
<package>
<name>rubygem-activesupport4</name>
<range><lt>4.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Rails weblog:</p>
<blockquote cite="http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/">
<p>Rails 3.2.16 and 4.0.2 have been released! These two
releases contain important security fixes, so please upgrade
as soon as possible! In order to make upgrading as smooth as
possible, we've only included commits directly related to
each security issue.</p>
<p>The security fixes in 3.2.16 are:</p>
<ul>
<li>CVE-2013-4491</li>
<li>CVE-2013-6414</li>
<li>CVE-2013-6415</li>
<li>CVE-2013-6417</li>
</ul>
<p>The security fixes in 4.0.2 are:</p>
<ul>
<li>CVE-2013-4491</li>
<li>CVE-2013-6414</li>
<li>CVE-2013-6415</li>
<li>CVE-2013-6416</li>
<li>CVE-2013-6417</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4491</cvename>
<cvename>CVE-2013-6414</cvename>
<cvename>CVE-2013-6415</cvename>
<cvename>CVE-2013-6416</cvename>
<cvename>CVE-2013-6417</cvename>
<url>http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/</url>
</references>
<dates>
<discovery>2013-12-03</discovery>
<entry>2013-12-08</entry>
<modified>2014-04-23</modified>
</dates>
</vuln>
<vuln vid="d9649816-5e0d-11e3-8d23-3c970e169bc2">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.29</lt></range>
</package>
<package>
<name>drupal7</name>
<range><lt>7.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team reports:</p>
<blockquote cite="https://drupal.org/SA-CORE-2013-003">
<p>Multiple vulnerabilities were fixed in the supported Drupal
core versions 6 and 7.</p>
<ul>
<li>Multiple vulnerabilities due to optimistic cross-site
request forgery protection (Form API validation - Drupal 6
and 7)</li>
<li>Multiple vulnerabilities due to weakness in pseudorandom
number generation using mt_rand() (Form API, OpenID and
random password generation - Drupal 6 and 7)</li>
<li>Code execution prevention (Files directory .htaccess for
Apache - Drupal 6 and 7)</li>
<li>Access bypass (Security token validation - Drupal 6 and 7)</li>
<li>Cross-site scripting (Image module - Drupal 7)</li>
<li>Cross-site scripting (Color module - Drupal 7)</li>
<li>Open redirect (Overlay module - Drupal 7)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://drupal.org/SA-CORE-2013-003</url>
</references>
<dates>
<discovery>2013-11-20</discovery>
<entry>2013-12-06</entry>
</dates>
</vuln>
<vuln vid="4158c57e-5d39-11e3-bc1e-6cf0490a8c18">
<topic>Joomla! -- Core XSS Vulnerabilities</topic>
<affects>
<package>
<name>joomla2</name>
<range><ge>2.5.*</ge><le>2.5.14</le></range>
</package>
<package>
<name>joomla3</name>
<range><ge>3.0.*</ge><le>3.1.5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="http://developer.joomla.org/security/570-core-xss-20131101.html">
<h2>[20131101] Core XSS Vulnerability</h2>
<p>Inadequate filtering leads to XSS vulnerability in com_contact.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/571-core-xss-20131102.html">
<h2>[20131102] Core XSS Vulnerability</h2>
<p>Inadequate filtering leads to XSS vulnerability in com_contact, com_weblinks, com_newsfeeds.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/572-core-xss-20131103.html">
<h2>[20131103] Core XSS Vulnerability</h2>
<p>Inadequate filtering leads to XSS vulnerability in com_contact.</p>
</blockquote>
</body>
</description>
<references>
<url>http://developer.joomla.org/security/570-core-xss-20131101.html</url>
<url>http://developer.joomla.org/security/571-core-xss-20131102.html</url>
<url>http://developer.joomla.org/security/572-core-xss-20131103.html</url>
</references>
<dates>
<discovery>2013-11-01</discovery>
<entry>2013-12-04</entry>
<modified>2014-04-23</modified>
</dates>
</vuln>
<vuln vid="d2073237-5b52-11e3-80f7-c86000cbc6ec">
<topic>OpenTTD -- Denial of service using forcefully crashed aircrafts</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>0.3.6</ge><lt>1.3.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="https://security.openttd.org/en/CVE-2013-6411">
<p>The problem is caused by incorrectly handling the fact that
the aircraft circling the corner airport will be outside of the
bounds of the map. In the 'out of fuel' crash code the height
of the tile under the aircraft is determined. In this case
that means a tile outside of the allocated map array, which
could occasionally trigger invalid reads.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-6411</cvename>
<url>https://security.openttd.org/en/CVE-2013-6411</url>
<url>http://bugs.openttd.org/task/5820</url>
<url>http://vcs.openttd.org/svn/changeset/26134</url>
</references>
<dates>
<discovery>2013-11-28</discovery>
<entry>2013-11-28</entry>
</dates>
</vuln>
<vuln vid="620cf713-5a99-11e3-878d-20cf30e32f6d">
<topic>monitorix -- serious bug in the built-in HTTP server</topic>
<affects>
<package>
<name>monitorix</name>
<range><lt>3.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Monitorix Project reports:</p>
<blockquote cite="http://www.monitorix.org/news.html#N331">
<p>A serious bug in the built-in HTTP server. It was discovered that the
handle_request() routine did not properly perform input sanitization
which led into a number of security vulnerabilities. An unauthenticated,
remote attacker could exploit this flaw to execute arbitrary commands on
the remote host. All users still using older versions are advised to
upgrade to this version, which resolves this issue.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.monitorix.org/news.html#N331</url>
<url>https://github.com/mikaku/Monitorix/issues/30</url>
</references>
<dates>
<discovery>2013-11-21</discovery>
<entry>2013-12-01</entry>
</dates>
</vuln>
<vuln vid="e3244a7b-5603-11e3-878d-20cf30e32f6d">
<topic>subversion -- multiple vulnerabilities</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.4.0</ge><lt>1.7.14</lt></range>
<range><ge>1.8.0</ge><lt>1.8.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion Project reports:</p>
<blockquote cite="http://subversion.apache.org/security/">
<p>mod_dontdothat does not restrict requests from serf based clients</p>
<p>mod_dontdothat allows you to block update REPORT requests against certain
paths in the repository. It expects the paths in the REPORT request
to be absolute URLs. Serf based clients send relative URLs instead
of absolute URLs in many cases. As a result these clients are not blocked
as configured by mod_dontdothat.</p>
<p>mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits</p>
<p>When SVNAutoversioning is enabled via SVNAutoversioning on
commits can be made by single HTTP requests such as MKCOL and
PUT. If Subversion is built with assertions enabled any such
requests that have non-canonical URLs, such as URLs with a
trailing /, may trigger an assert. An assert will cause the
Apache process to abort.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4505</cvename>
<cvename>CVE-2013-4558</cvename>
<url>http://subversion.apache.org/security/CVE-2013-4505-advisory.txt</url>
<url>http://subversion.apache.org/security/CVE-2013-4558-advisory.txt</url>
</references>
<dates>
<discovery>2013-11-15</discovery>
<entry>2013-11-25</entry>
</dates>
</vuln>
<vuln vid="742eb9e4-e3cb-4f5a-b94e-0e9a39420600">
<topic>ruby-gems -- Algorithmic Complexity Vulnerability</topic>
<affects>
<package>
<name>ruby19-gems</name>
<range><lt>1.8.27</lt></range>
</package>
<package>
<name>ruby20-gems</name>
<range><lt>1.8.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby Gem developers report:</p>
<blockquote cite="http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html">
<p>The patch for CVE-2013-4363 was insufficiently verified so the
combined regular expression for verifying gem version remains
vulnerable following CVE-2013-4363.</p>
<p>RubyGems validates versions with a regular expression that is
vulnerable to denial of service due to backtracking. For specially
crafted RubyGems versions attackers can cause denial of service
through CPU consumption.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4363</cvename>
</references>
<dates>
<discovery>2013-09-24</discovery>
<entry>2013-11-24</entry>
</dates>
</vuln>
<vuln vid="54237182-9635-4a8b-92d7-33bfaeed84cd">
<topic>ruby-gems -- Algorithmic Complexity Vulnerability</topic>
<affects>
<package>
<name>ruby19-gems</name>
<range><lt>1.8.26</lt></range>
</package>
<package>
<name>ruby20-gems</name>
<range><lt>1.8.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby Gem developers report:</p>
<blockquote cite="http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html">
<p>RubyGems validates versions with a regular expression that is
vulnerable to denial of service due to backtracking. For specially
crafted RubyGems versions attackers can cause denial of service
through CPU consumption.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4287</cvename>
</references>
<dates>
<discovery>2013-09-09</discovery>
<entry>2013-11-24</entry>
</dates>
</vuln>
<vuln vid="cc9043cf-7f7a-426e-b2cc-8d1980618113">
<topic>ruby -- Heap Overflow in Floating Point Parsing</topic>
<affects>
<package>
<name>ruby19</name>
<range><lt>1.9.3.484,1</lt></range>
</package>
<package>
<name>ruby20</name>
<range><lt>2.0.0.353,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby developers report:</p>
<blockquote cite="https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/">
<p>Any time a string is converted to a floating point value, a
specially crafted string can cause a heap overflow. This can lead
to a denial of service attack via segmentation faults and possibly
arbitrary code execution. Any program that converts input of
unknown origin to floating point values (especially common when
accepting JSON) are vulnerable.
</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/</url>
<url>https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/</url>
<cvename>CVE-2013-4164</cvename>
</references>
<dates>
<discovery>2013-11-22</discovery>
<entry>2013-11-23</entry>
</dates>
</vuln>
<vuln vid="479efd57-516e-11e3-9b62-000c292e4fd8">
<topic>samba -- Private key in key.pem world readable</topic>
<affects>
<package>
<name>samba4</name>
<range><gt>4.0.*</gt><lt>4.0.11</lt></range>
</package>
<package>
<name>samba41</name>
<range><gt>4.1.*</gt><lt>4.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba project reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2013-4476">
<p>Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is
provided over SSL, uses world-readable permissions for a private key,
which allows local users to obtain sensitive information by reading the
key file, as demonstrated by access to the local filesystem on an AD
domain controller.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4476</cvename>
<url>http://www.samba.org/samba/security/CVE-2013-4476</url>
</references>
<dates>
<discovery>2013-06-12</discovery>
<entry>2013-11-19</entry>
</dates>
</vuln>
<vuln vid="a4f08579-516c-11e3-9b62-000c292e4fd8">
<topic>samba -- ACLs are not checked on opening an alternate data stream on a file or directory</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>0</gt></range>
</package>
<package>
<name>samba35</name>
<range><gt>0</gt></range>
</package>
<package>
<name>samba36</name>
<range><gt>3.6.*</gt><lt>3.6.20</lt></range>
</package>
<package>
<name>samba4</name>
<range><gt>4.0.*</gt><lt>4.0.11</lt></range>
</package>
<package>
<name>samba41</name>
<range><gt>4.1.*</gt><lt>4.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba project reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2013-4475">
<p>Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
file or directory ACL when opening an alternate data stream.</p>
<p>According to the SMB1 and SMB2+ protocols the ACL on an underlying
file or directory should control what access is allowed to alternate
data streams that are associated with the file or directory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4475</cvename>
<url>http://www.samba.org/samba/security/CVE-2013-4475</url>
</references>
<dates>
<discovery>2013-06-12</discovery>
<entry>2013-11-19</entry>
</dates>
</vuln>
<vuln vid="94b6264a-5140-11e3-8b22-f0def16c5c1b">
<topic>nginx -- Request line parsing vulnerability</topic>
<affects>
<package>
<name>nginx</name>
<range><ge>0.8.41</ge><lt>1.4.4,1</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><ge>0.8.41</ge><lt>1.5.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The nginx project reports:</p>
<blockquote cite="http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html">
<p>Ivan Fratric of the Google Security Team discovered a bug in nginx, which might
allow an attacker to bypass security restrictions in certain configurations by
using a specially crafted request, or might have potential other impact
(CVE-2013-4547).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4547</cvename>
<url>http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html</url>
</references>
<dates>
<discovery>2013-11-19</discovery>
<entry>2013-11-19</entry>
</dates>
</vuln>
<vuln vid="adcbdba2-4c27-11e3-9848-98fc11cdc4f5">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.327</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-26.html">
<p>These updates address vulnerabilities that could cause a crash
and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-5329</cvename>
<cvename>CVE-2013-5330</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb13-26.html</url>
</references>
<dates>
<discovery>2013-11-12</discovery>
<entry>2013-11-12</entry>
</dates>
</vuln>
<vuln vid="5709d244-4873-11e3-8a46-000d601460a4">
<topic>OpenSSH -- Memory corruption in sshd</topic>
<affects>
<package>
<name>openssh-portable</name>
<range><ge>6.2.p2,1</ge><lt>6.4.p1,1</lt></range>
</package>
<package>
<name>openssh-portable-base</name>
<range><ge>6.2.p2,1</ge><lt>6.4.p1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSH development team reports:</p>
<blockquote cite="http://www.openssh.com/txt/gcmrekey.adv">
<p>A memory corruption vulnerability exists in the post-
authentication sshd process when an AES-GCM cipher
(aes128-gcm@openssh.com or aes256-gcm@openssh.com) is
selected during kex exchange.</p>
<p>If exploited, this vulnerability might permit code execution
with the privileges of the authenticated user and may
therefore allow bypassing restricted shell/command
configurations.</p>
<p>Either upgrade to 6.4 or disable AES-GCM in the server
configuration. The following sshd_config option will disable
AES-GCM while leaving other ciphers active:</p>
<p>Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openssh.com/txt/gcmrekey.adv</url>
</references>
<dates>
<discovery>2013-11-07</discovery>
<entry>2013-11-08</entry>
<modified>2013-11-13</modified>
</dates>
</vuln>
<vuln vid="f969bad7-46fc-11e3-b6ee-00269ee29e57">
<topic>Quassel IRC -- SQL injection vulnerability</topic>
<affects>
<package>
<name>quassel</name>
<range><lt>0.9.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Quassel IRC developers report:</p>
<blockquote cite="http://www.quassel-irc.org/node/120">
<p>SQL injection vulnerability in Quassel IRC before 0.9.1,
when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used,
allows remote attackers to execute arbitrary SQL commands via
a \ (backslash) in a message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4422</cvename>
</references>
<dates>
<discovery>2013-10-07</discovery>
<entry>2013-11-06</entry>
</dates>
</vuln>
<vuln vid="81f866ad-41a4-11e3-a4af-0025905a4771">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><lt>24.1.0,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>25.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.22</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>24.1.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.22</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>24.1.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p> MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 /
rv:24.1 / rv:17.0.10)</p>
<p> MFSA 2013-94 Spoofing addressbar though SELECT element</p>
<p> MFSA 2013-95 Access violation with XSLT and uninitialized data</p>
<p> MFSA 2013-96 Improperly initialized memory and overflows in some
JavaScript functions</p>
<p> MFSA 2013-97 Writing to cycle collected object during image
decoding</p>
<p> MFSA 2013-98 Use-after-free when updating offline cache</p>
<p> MFSA 2013-99 Security bypass of PDF.js checks using iframes</p>
<p> MFSA 2013-100 Miscellaneous use-after-free issues found through
ASAN fuzzing</p>
<p> MFSA 2013-101 Memory corruption in workers</p>
<p> MFSA 2013-102 Use-after-free in HTML document templates</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1739</cvename>
<cvename>CVE-2013-5590</cvename>
<cvename>CVE-2013-5591</cvename>
<cvename>CVE-2013-5592</cvename>
<cvename>CVE-2013-5593</cvename>
<cvename>CVE-2013-5595</cvename>
<cvename>CVE-2013-5596</cvename>
<cvename>CVE-2013-5597</cvename>
<cvename>CVE-2013-5598</cvename>
<cvename>CVE-2013-5599</cvename>
<cvename>CVE-2013-5600</cvename>
<cvename>CVE-2013-5601</cvename>
<cvename>CVE-2013-5602</cvename>
<cvename>CVE-2013-5603</cvename>
<cvename>CVE-2013-5604</cvename>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-93.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-94.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-95.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-96.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-97.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-98.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-99.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-100.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-101.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-102.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2013-10-29</discovery>
<entry>2013-10-30</entry>
<modified>2013-10-31</modified>
</dates>
</vuln>
<vuln vid="4e23644c-cb93-4f83-9e20-5bc07ad9b39f">
<topic>mod_pagespeed -- critical cross-site scripting (XSS) vulnerability</topic>
<affects>
<package>
<name>mod_pagespeed</name>
<range><lt>1.2.24.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>mod_pagespeed developers report:</p>
<blockquote cite="https://groups.google.com/forum/#!msg/mod-pagespeed-announce/oo015UHRxMc/JcAuf1hE8L8J">
<p>Various versions of mod_pagespeed are subject to critical
cross-site scripting (XSS) vulnerability, CVE-2013-6111. This
permits a hostile third party to execute JavaScript in users'
browsers in context of the domain running mod_pagespeed, which
could permit theft of users' cookies or data on the site.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-6111</cvename>
</references>
<dates>
<discovery>2013-10-04</discovery>
<entry>2013-10-28</entry>
</dates>
</vuln>
<vuln vid="cd082cc6-1548-4b8d-a3aa-a007be611a29">
<cancelled/>
</vuln>
<vuln vid="9065b930-3d8b-11e3-bd1a-e840f2096bd0">
<topic>gnutls -- denial of service</topic>
<affects>
<package>
<name>gnutls3</name>
<range><lt>3.1.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Salvatore Bonaccorso reports:</p>
<blockquote cite="http://www.gnutls.org/security.html#GNUTLS-SA-2013-3">
<p>This vulnerability affects the DANE library of gnutls 3.1.x and
gnutls 3.2.x. A server that returns more 4 DANE entries could
corrupt the memory of a requesting client.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4466</cvename>
<url>http://www.gnutls.org/security.html#GNUTLS-SA-2013-3</url>
</references>
<dates>
<discovery>2013-10-25</discovery>
<entry>2013-10-25</entry>
<modified>2013-11-01</modified>
</dates>
</vuln>
<vuln vid="9a57c607-3cab-11e3-b4d9-bcaec565249c">
<topic>xorg-server -- use-after-free</topic>
<affects>
<package>
<name>xorg-server</name>
<range><ge>1.7.0</ge><lt>1.7.7_11</lt></range>
<range><ge>1.12.0</ge><lt>1.12.4_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Alan Coopersmith reports:</p>
<blockquote cite="http://lists.x.org/archives/xorg-announce/2013-October/002332.html">
<p>Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org
security team in which an authenticated X client can cause an X
server to use memory after it was freed, potentially leading to
crash and/or memory corruption.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4396</cvename>
<url>http://lists.x.org/archives/xorg-announce/2013-October/002332.html</url>
</references>
<dates>
<discovery>2013-10-08</discovery>
<entry>2013-10-24</entry>
</dates>
</vuln>
<vuln vid="c0f122e2-3897-11e3-a084-3c970e169bc2">
<topic>pycrypto -- PRNG reseed race condition</topic>
<affects>
<package>
<name>py26-pycrypto</name>
<range><lt>2.6.1</lt></range>
</package>
<package>
<name>py27-pycrypto</name>
<range><lt>2.6.1</lt></range>
</package>
<package>
<name>py31-pycrypto</name>
<range><lt>2.6.1</lt></range>
</package>
<package>
<name>py32-pycrypto</name>
<range><lt>2.6.1</lt></range>
</package>
<package>
<name>py33-pycrypto</name>
<range><lt>2.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dwayne Litzenberger reports:</p>
<blockquote cite="http://lists.dlitz.net/pipermail/pycrypto/2013q4/000702.html">
<p>In PyCrypto before v2.6.1, the Crypto.Random pseudo-random
number generator (PRNG) exhibits a race condition that may cause
it to generate the same 'random' output in multiple processes that
are forked from each other. Depending on the application, this
could reveal sensitive information or cryptographic keys to remote
attackers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1445</cvename>
<url>http://lists.dlitz.net/pipermail/pycrypto/2013q4/000702.html</url>
</references>
<dates>
<discovery>2013-10-17</discovery>
<entry>2013-10-19</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="043d3a78-f245-4938-9bc7-3d0d35dd94bf">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>zh-wordpress-zh_CN</name>
<range><lt>3.6.1</lt></range>
</package>
<package>
<name>zh-wordpress-zh_TW</name>
<range><lt>3.6.1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<range><lt>3.6.1</lt></range>
</package>
<package>
<name>ja-wordpress</name>
<range><lt>3.6.1</lt></range>
</package>
<package>
<name>ru-wordpress</name>
<range><lt>3.6.1</lt></range>
</package>
<package>
<name>wordpress</name>
<range><lt>3.6.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The wordpress development team reports:</p>
<blockquote cite="http://wordpress.org/news/2013/09/wordpress-3-6-1/">
<ul>
<li>Block unsafe PHP unserialization that could occur in limited
situations and setups, which can lead to remote code
execution.</li>
<li>Prevent a user with an Author role, using a specially crafted
request, from being able to create a post "written by" another
user.</li>
<li>Fix insufficient input validation that could result in
redirecting or leading a user to another website.</li>
</ul>
<p>Additionally, we've adjusted security restrictions around file
uploads to mitigate the potential for cross-site scripting.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4338</cvename>
<cvename>CVE-2013-4339</cvename>
<cvename>CVE-2013-4340</cvename>
<cvename>CVE-2013-5738</cvename>
<cvename>CVE-2013-5739</cvename>
<url>http://wordpress.org/news/2013/09/wordpress-3-6-1/</url>
</references>
<dates>
<discovery>2013-09-11</discovery>
<entry>2013-10-19</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="206f9826-a06d-4927-9a85-771c37010b32">
<topic>node.js -- DoS Vulnerability</topic>
<affects>
<package>
<name>node</name>
<range><lt>0.10.21</lt></range>
</package>
<package>
<name>node-devel</name>
<range><lt>0.11.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>node.js developers report</p>
<blockquote cite="http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/">
<p>This release contains a security fix for the http server implementation, please upgrade as soon as possible.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/</url>
</references>
<dates>
<discovery>2013-10-19</discovery>
<entry>2013-10-19</entry>
</dates>
</vuln>
<vuln vid="e135f0c9-375f-11e3-80b7-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>4.0.0</ge><lt>4.0.11</lt></range>
</package>
<package>
<name>bugzilla40</name>
<range><ge>4.0.0</ge><lt>4.0.11</lt></range>
</package>
<package>
<name>bugzilla42</name>
<range><ge>4.2.0</ge><lt>4.2.7</lt></range>
</package>
<package>
<name>bugzilla44</name>
<range><ge>4.4</ge><lt>4.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>A Bugzilla Security Advisory reports:</h1>
<blockquote cite="http://www.bugzilla.org/security/4.0.10/">
<h1>Cross-Site Request Forgery</h1>
<p>When a user submits changes to a bug right after another
user did, a midair collision page is displayed to inform
the user about changes recently made. This page contains
a token which can be used to validate the changes if the
user decides to submit his changes anyway. A regression
in Bugzilla 4.4 caused this token to be recreated if a
crafted URL was given, even when no midair collision page
was going to be displayed, allowing an attacker to bypass
the token check and abuse a user to commit changes on his
behalf.</p>
<h1>Cross-Site Request Forgery</h1>
<p>When an attachment is edited, a token is generated to
validate changes made by the user. Using a crafted URL,
an attacker could force the token to be recreated,
allowing him to bypass the token check and abuse a user
to commit changes on his behalf.</p>
<h1>Cross-Site Scripting</h1>
<p>Some parameters passed to editflagtypes.cgi were not
correctly filtered in the HTML page, which could lead
to XSS.</p>
<h1>Cross-Site Scripting</h1>
<p>Due to an incomplete fix for CVE-2012-4189, some
incorrectly filtered field values in tabular reports
could lead to XSS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1733</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=911593</url>
<cvename>CVE-2013-1734</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=913904</url>
<cvename>CVE-2013-1742</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=924802</url>
<cvename>CVE-2013-1743</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=924932</url>
</references>
<dates>
<discovery>2013-10-16</discovery>
<entry>2013-10-17</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="8c9b48d1-3715-11e3-a624-00262d8b701d">
<topic>dropbear -- exposure of sensitive information, DoS</topic>
<affects>
<package>
<name>dropbear</name>
<range><ge>2012.55</ge><lt>2013.59</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Dropbear project reports:</p>
<blockquote cite="http://secunia.com/advisories/55173/">
<p>A weakness and a vulnerability have been reported in Dropbear
SSH Server, which can be exploited by malicious people to disclose
certain sensitive information and cause a DoS.</p>
</blockquote>
</body>
</description>
<references>
<bid>62958</bid>
<bid>62993</bid>
<cvename>CVE-2013-4421</cvename>
<cvename>CVE-2013-4434</cvename>
<url>http://secunia.com/advisories/55173</url>
</references>
<dates>
<discovery>2013-05-08</discovery>
<!-- discovery>2013-10-03</discovery -->
<entry>2013-10-17</entry>
</dates>
</vuln>
<vuln vid="9003b500-31e3-11e3-b0d0-20cf30e32f6d">
<topic>mod_fcgid -- possible heap buffer overwrite</topic>
<affects>
<package>
<name>ap22-mod_fcgid</name>
<range><lt>2.3.9</lt></range>
</package>
<package>
<name>ap24-mod_fcgid</name>
<range><lt>2.3.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache Project reports:</p>
<blockquote cite="https://mail-archives.apache.org/mod_mbox/httpd-cvs/201309.mbox/%3C20130929174048.13B962388831@eris.apache.org%3E">
<p>Fix possible heap buffer overwrite.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4365</cvename>
</references>
<dates>
<discovery>2013-09-29</discovery>
<entry>2013-10-10</entry>
</dates>
</vuln>
<vuln vid="749b5587-2da1-11e3-b1a9-b499baab0cbe">
<topic>gnupg -- possible infinite recursion in the compressed packet parser</topic>
<affects>
<package>
<name>gnupg</name>
<range><lt>1.4.15</lt></range>
<range><ge>2.0.0</ge><lt>2.0.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Werner Koch reports:</p>
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000333.html">
<p>Special crafted input data may be used to cause a denial of service
against GPG (GnuPG's OpenPGP part) and some other OpenPGP
implementations. All systems using GPG to process incoming data are
affected..</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4402</cvename>
</references>
<dates>
<discovery>2013-10-05</discovery>
<entry>2013-10-05</entry>
</dates>
</vuln>
<vuln vid="5c34664f-2c2b-11e3-87c2-00215af774f0">
<topic>xinetd -- ignores user and group directives for TCPMUX services</topic>
<affects>
<package>
<name>xinetd</name>
<range><lt>2.3.15_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>xinetd would execute configured TCPMUX services without dropping
privilege to match the service configuration allowing the service to
run with same privilege as the xinetd process (root).</p>
</body>
</description>
<references>
<cvename>CVE-2013-4342</cvename>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1006100</url>
</references>
<dates>
<discovery>2005-08-23</discovery>
<entry>2013-10-03</entry>
</dates>
</vuln>
<vuln vid="ccefac3e-2aed-11e3-af10-000c29789cb5">
<topic>polarssl -- Timing attack against protected RSA-CRT implementation</topic>
<affects>
<package>
<name>polarssl</name>
<range><lt>1.2.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PolarSSL Project reports:</p>
<blockquote cite="https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05">
<p>The researchers Cyril Arnaud and Pierre-Alain Fouque
investigated the PolarSSL RSA implementation and discovered
a bias in the implementation of the Montgomery multiplication
that we used. For which they then show that it can be used to
mount an attack on the RSA key. Although their test attack is
done on a local system, there seems to be enough indication
that this can properly be performed from a remote system as
well.</p>
<p>All versions prior to PolarSSL 1.2.9 and 1.3.0 are affected
if a third party can send arbitrary handshake messages to your
server.</p>
<p>If correctly executed, this attack reveals the entire private
RSA key after a large number of attack messages (&gt; 600.000 on
a local machine) are sent to show the timing differences.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-5915</cvename>
<url>https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05</url>
<url>https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released</url>
</references>
<dates>
<discovery>2013-10-01</discovery>
<entry>2013-10-02</entry>
</dates>
</vuln>
<vuln vid="e1f99d59-81aa-4662-bf62-c1076f5016c8">
<topic>py-graphite-web -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>py26-graphite-web</name>
<range><ge>0.9.5</ge><lt>0.9.11</lt></range>
</package>
<package>
<name>py27-graphite-web</name>
<range><ge>0.9.5</ge><lt>0.9.11</lt></range>
</package>
<package>
<name>py31-graphite-web</name>
<range><ge>0.9.5</ge><lt>0.9.11</lt></range>
</package>
<package>
<name>py32-graphite-web</name>
<range><ge>0.9.5</ge><lt>0.9.11</lt></range>
</package>
<package>
<name>py33-graphite-web</name>
<range><ge>0.9.5</ge><lt>0.9.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Graphite developers report:</p>
<blockquote cite="http://graphite.readthedocs.org/en/0.9.11/releases/0_9_11.html">
<p>This release contains several security fixes for cross-site
scripting (XSS) as well as a fix for a remote-execution exploit in
graphite-web (CVE-2013-5903).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-5093</cvename>
<url>https://github.com/rapid7/metasploit-framework/pull/2260</url>
</references>
<dates>
<discovery>2013-08-21</discovery>
<entry>2013-09-30</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="05dc6efa-2370-11e3-95b7-00e0814cab4e">
<topic>django -- denial-of-service via large passwords</topic>
<affects>
<package>
<name>py26-django</name>
<range><ge>1.5</ge><lt>1.5.4</lt></range>
<range><ge>1.4</ge><lt>1.4.8</lt></range>
</package>
<package>
<name>py27-django</name>
<range><ge>1.5</ge><lt>1.5.4</lt></range>
<range><ge>1.4</ge><lt>1.4.8</lt></range>
</package>
<package>
<name>py26-django-devel</name>
<range><lt>20130922,1</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<range><lt>20130922,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2013/sep/15/security/">
<p>These releases address a denial-of-service attack against Django's
authentication framework. All users of Django are encouraged to
upgrade immediately.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1443</cvename>
<url>https://www.djangoproject.com/weblog/2013/sep/15/security/</url>
</references>
<dates>
<discovery>2013-09-15</discovery>
<entry>2013-09-22</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="b72bad1c-20ed-11e3-be06-000c29ee3065">
<topic>FreeBSD -- Cross-mount links between nullfs(5) mounts</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>9.1</ge><lt>9.1_7</lt></range>
<range><ge>8.4</ge><lt>8.4_4</lt></range>
<range><ge>8.3</ge><lt>8.3_11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem Description:</p>
<p>The nullfs(5) implementation of the VOP_LINK(9) VFS
operation does not check whether the source and target of
the link are both in the same nullfs instance. It is
therefore possible to create a hardlink from a location in
one nullfs instance to a file in another, as long as the
underlying (source) filesystem is the same.</p>
<p>Impact:</p>
<p>If multiple nullfs views into the same filesystem are
mounted in different locations, a user with read access to
one of these views and write access to another will be able
to create a hard link from the latter to a file in the
former, even though they are, from the user's perspective,
different filesystems. The user may thereby gain write
access to files which are nominally on a read-only
filesystem.</p>
</body>
</description>
<references>
<cvename>CVE-2013-5710</cvename>
<freebsdsa>SA-13:13.nullfs</freebsdsa>
</references>
<dates>
<discovery>2013-09-10</discovery>
<entry>2013-09-19</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="4d87d357-202c-11e3-be06-000c29ee3065">
<topic>FreeBSD -- Insufficient credential checks in network ioctl(2)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>9.1</ge><lt>9.1_7</lt></range>
<range><ge>8.4</ge><lt>8.4_4</lt></range>
<range><ge>8.3</ge><lt>8.3_11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem Description:</p>
<p>As is commonly the case, the IPv6 and ATM network layer
ioctl request handlers are written in such a way that an
unrecognized request is passed on unmodified to the link
layer, which will either handle it or return an error
code.</p>
<p>Network interface drivers, however, assume that the
SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and
SIOCSIFNETMASK requests have been handled at the network
layer, and therefore do not perform input validation or
verify the caller's credentials. Typical link-layer actions
for these requests may include marking the interface as "up"
and resetting the underlying hardware.</p>
<p>Impact:</p>
<p>An unprivileged user with the ability to run arbitrary code
can cause any network interface in the system to perform the
link layer actions associated with a SIOCSIFADDR,
SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl
request; or trigger a kernel panic by passing a specially
crafted address structure which causes a network interface
driver to dereference an invalid pointer.</p>
<p>Although this has not been confirmed, the possibility that
an attacker may be able to execute arbitrary code in kernel
context cannot be ruled out.</p>
</body>
</description>
<references>
<cvename>CVE-2013-5691</cvename>
<freebsdsa>SA-13:12.ifioctl</freebsdsa>
</references>
<dates>
<discovery>2013-09-10</discovery>
<entry>2013-09-19</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="7dfed67b-20aa-11e3-b8d8-0025905a4771">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>18.0,1</gt><lt>24.0,1</lt></range>
<range><lt>17.0.9,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>17.0.9,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.21</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>17.0.9</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.21</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><lt>24.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p> MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 /
rv:17.0.9)</p>
<p> MFSA 2013-77 Improper state in HTML5 Tree Builder with templates</p>
<p> MFSA 2013-78 Integer overflow in ANGLE library</p>
<p> MFSA 2013-79 Use-after-free in Animation Manager during stylesheet
cloning</p>
<p> MFSA 2013-80 NativeKey continues handling key messages after
widget is destroyed</p>
<p> MFSA 2013-81 Use-after-free with select element</p>
<p> MFSA 2013-82 Calling scope for new Javascript objects can lead to
memory corruption</p>
<p> MFSA 2013-83 Mozilla Updater does not lock MAR file after
signature verification</p>
<p> MFSA 2013-84 Same-origin bypass through symbolic links</p>
<p> MFSA 2013-85 Uninitialized data in IonMonkey</p>
<p> MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA
graphic drivers</p>
<p> MFSA 2013-87 Shared object library loading from writable location</p>
<p> MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes</p>
<p> MFSA 2013-89 Buffer overflow with multi-column, lists, and floats</p>
<p> MFSA 2013-90 Memory corruption involving scrolling</p>
<p> MFSA 2013-91 User-defined properties on DOM proxies get the wrong
"this" object</p>
<p> MFSA 2013-92 GC hazard with default compartments and frame chain
restoration</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1718</cvename>
<cvename>CVE-2013-1719</cvename>
<cvename>CVE-2013-1720</cvename>
<cvename>CVE-2013-1721</cvename>
<cvename>CVE-2013-1722</cvename>
<cvename>CVE-2013-1723</cvename>
<cvename>CVE-2013-1724</cvename>
<cvename>CVE-2013-1725</cvename>
<cvename>CVE-2013-1726</cvename>
<cvename>CVE-2013-1727</cvename>
<cvename>CVE-2013-1728</cvename>
<cvename>CVE-2013-1729</cvename>
<cvename>CVE-2013-1730</cvename>
<cvename>CVE-2013-1731</cvename>
<cvename>CVE-2013-1732</cvename>
<cvename>CVE-2013-1735</cvename>
<cvename>CVE-2013-1736</cvename>
<cvename>CVE-2013-1737</cvename>
<cvename>CVE-2013-1738</cvename>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-76.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-77.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-78.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-79.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-80.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-81.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-82.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-83.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-84.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-85.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-86.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-87.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-88.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-89.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-90.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-91.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-92.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2013-08-17</discovery>
<entry>2013-08-18</entry>
<modified>2013-09-19</modified>
</dates>
</vuln>
<vuln vid="5bd6811f-1c75-11e3-ba72-98fc11cdc4f5">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.310</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-21.html">
<p>These updates address vulnerabilities that could cause a crash
and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-3361</cvename>
<cvename>CVE-2013-3362</cvename>
<cvename>CVE-2013-3363</cvename>
<cvename>CVE-2013-5324</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb13-21.html</url>
</references>
<dates>
<discovery>2013-09-10</discovery>
<entry>2013-09-13</entry>
</dates>
</vuln>
<vuln vid="a851b305-1bc3-11e3-95b7-00e0814cab4e">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py26-django</name>
<range><ge>1.5</ge><lt>1.5.3</lt></range>
<range><ge>1.4</ge><lt>1.4.7</lt></range>
</package>
<package>
<name>py27-django</name>
<range><ge>1.5</ge><lt>1.5.3</lt></range>
<range><ge>1.4</ge><lt>1.4.7</lt></range>
</package>
<package>
<name>py26-django-devel</name>
<range><lt>20130912,1</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<range><lt>20130912,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/">
<p>These releases address a directory-traversal vulnerability in one
of Django's built-in template tags. While this issue requires some
fairly specific factors to be exploitable, we encourage all users
of Django to upgrade promptly.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4315</cvename>
<url>https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/</url>
</references>
<dates>
<discovery>2013-09-10</discovery>
<entry>2013-09-12</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="f8a913cc-1322-11e3-8ffa-20cf30e32f6d">
<topic>svnserve is vulnerable to a local privilege escalation vulnerability via symlink attack.</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.4.0</ge><lt>1.6.23_2</lt></range>
<range><ge>1.7.0</ge><lt>1.7.13</lt></range>
<range><ge>1.8.0</ge><lt>1.8.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion Project reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2013-4277-advisory.txt">
<p>svnserve takes a --pid-file option which creates a file containing the
process id it is running as. It does not take steps to ensure that the file
it has been directed at is not a symlink. If the pid file is in a directory
writeable by unprivileged users, the destination could be replaced by a
symlink allowing for privilege escalation. svnserve does not create a pid
file by default.</p>
<p>All versions are only vulnerable when the --pid-file=ARG option is used.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4277</cvename>
<url>http://subversion.apache.org/security/CVE-2013-4277-advisory.txt</url>
</references>
<dates>
<discovery>2013-08-30</discovery>
<entry>2013-09-02</entry>
</dates>
</vuln>
<vuln vid="b3b8d491-0fbb-11e3-8c50-1c6f65c11ee6">
<topic>cacti -- allow remote attackers to execute arbitrary SQL commands</topic>
<affects>
<package>
<name>cacti</name>
<range><lt>0.8.8b</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cacti release reports:</p>
<blockquote cite="http://www.cacti.net/release_notes_0_8_8b.php">
<p>Multiple security vulnerabilities have been fixed:</p>
<ul>
<li>SQL injection vulnerabilities</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1434</cvename>
<cvename>CVE-2013-1435</cvename>
<url>http://www.cacti.net/release_notes_0_8_8b.php</url>
</references>
<dates>
<discovery>2013-08-06</discovery>
<entry>2013-08-29</entry>
</dates>
</vuln>
<vuln vid="fd2bf3b5-1001-11e3-ba94-0025905a4771">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk11</name>
<range><gt>11.*</gt><lt>11.5.1</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.12.3</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.21.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Remote Crash From Late Arriving SIP ACK With SDP</p>
<p>Remote Crash when Invalid SDP is sent in SIP Request</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-5641</cvename>
<cvename>CVE-2013-5642</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2013-004.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2013-005.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2013-08-27</discovery>
<entry>2013-08-28</entry>
<modified>2013-08-29</modified>
</dates>
</vuln>
<vuln vid="4d087b35-0990-11e3-a9f4-bcaec565249c">
<topic>gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav</topic>
<affects>
<package>
<name>gstreamer-ffmpeg</name>
<range><lt>0.10.13_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://libav.org/releases/libav-0.7.7.changelog">
<p>Bundled version of libav in gstreamer-ffmpeg contains a number of
vulnerabilities.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3892</cvename>
<cvename>CVE-2011-3893</cvename>
<cvename>CVE-2011-3895</cvename>
<cvename>CVE-2011-3929</cvename>
<cvename>CVE-2011-3936</cvename>
<cvename>CVE-2011-3937</cvename>
<cvename>CVE-2011-3940</cvename>
<cvename>CVE-2011-3945</cvename>
<cvename>CVE-2011-3947</cvename>
<cvename>CVE-2011-3951</cvename>
<cvename>CVE-2011-3952</cvename>
<cvename>CVE-2011-4031</cvename>
<cvename>CVE-2011-4351</cvename>
<cvename>CVE-2011-4352</cvename>
<cvename>CVE-2011-4353</cvename>
<cvename>CVE-2011-4364</cvename>
<cvename>CVE-2011-4579</cvename>
<cvename>CVE-2012-0848</cvename>
<cvename>CVE-2012-0850</cvename>
<cvename>CVE-2012-0851</cvename>
<cvename>CVE-2012-0852</cvename>
<cvename>CVE-2012-0853</cvename>
<cvename>CVE-2012-0858</cvename>
<cvename>CVE-2012-0947</cvename>
<cvename>CVE-2012-2772</cvename>
<cvename>CVE-2012-2775</cvename>
<cvename>CVE-2012-2777</cvename>
<cvename>CVE-2012-2779</cvename>
<cvename>CVE-2012-2783</cvename>
<cvename>CVE-2012-2784</cvename>
<cvename>CVE-2012-2786</cvename>
<cvename>CVE-2012-2787</cvename>
<cvename>CVE-2012-2788</cvename>
<cvename>CVE-2012-2790</cvename>
<cvename>CVE-2012-2791</cvename>
<cvename>CVE-2012-2793</cvename>
<cvename>CVE-2012-2794</cvename>
<cvename>CVE-2012-2798</cvename>
<cvename>CVE-2012-2800</cvename>
<cvename>CVE-2012-2801</cvename>
<cvename>CVE-2012-2803</cvename>
<cvename>CVE-2012-5144</cvename>
<url>http://libav.org/releases/libav-0.7.7.changelog</url>
</references>
<dates>
<discovery>2013-08-20</discovery>
<entry>2013-08-20</entry>
</dates>
</vuln>
<vuln vid="689c2bf7-0701-11e3-9a25-002590860428">
<topic>GnuPG and Libgcrypt -- side-channel attack vulnerability</topic>
<affects>
<package>
<name>libgcrypt</name>
<range><lt>1.5.3</lt></range>
</package>
<package>
<name>linux-f10-libgcrypt</name>
<range><lt>1.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Werner Koch of the GNU project reports:</p>
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html">
<p>Noteworthy changes in version 1.5.3:</p>
<p>Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys...</p>
<p>Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes the above
problem. The fix for GnuPG less than 2.0 can be found in the just released GnuPG
1.4.14.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4242</cvename>
<url>http://eprint.iacr.org/2013/448</url>
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html</url>
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html</url>
</references>
<dates>
<discovery>2013-07-18</discovery>
<entry>2013-08-17</entry>
</dates>
</vuln>
<vuln vid="2b2f6092-0694-11e3-9e8e-000c29f6ae42">
<topic>puppet -- multiple vulnerabilities</topic>
<affects>
<package>
<name>puppet</name>
<range><ge>2.7</ge><lt>2.7.23</lt></range>
<range><ge>3.0</ge><lt>3.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Puppet Labs reports:</p>
<blockquote cite="http://puppetlabs.com/security/cve/cve-2013-4761/">
<p>By using the `resource_type` service, an attacker could
cause puppet to load arbitrary Ruby files from the puppet
master node's file system. While this behavior is not
enabled by default, `auth.conf` settings could be modified
to allow it. The exploit requires local file system access
to the Puppet Master.</p>
<p>Puppet Module Tool (PMT) did not correctly control
permissions of modules it installed, instead transferring
permissions that existed when the module was built.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4761</cvename>
<cvename>CVE-2013-4956</cvename>
<url>http://puppetlabs.com/security/cve/cve-2013-4761/</url>
<url>http://puppetlabs.com/security/cve/cve-2013-4956/</url>
</references>
<dates>
<discovery>2013-07-05</discovery>
<entry>2013-08-16</entry>
</dates>
</vuln>
<vuln vid="9a0a892e-05d8-11e3-ba09-000c29784fd1">
<topic>lcms2 -- Null Pointer Dereference Denial of Service Vulnerability</topic>
<affects>
<package>
<name>lcms2</name>
<range><lt>2.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mageia security team reports:</p>
<blockquote cite="http://advisories.mageia.org/MGASA-2013-0240.html">
<p>It was discovered that Little CMS did not properly verify certain
memory allocations. If a user or automated system using Little CMS
were tricked into opening a specially crafted file, an attacker
could cause Little CMS to crash (CVE-2013-4160).
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4160</cvename>
<url>http://advisories.mageia.org/MGASA-2013-0240.html</url>
<url>https://bugs.mageia.org/show_bug.cgi?id=10816</url>
</references>
<dates>
<discovery>2013-07-22</discovery>
<entry>2013-08-15</entry>
<modified>2013-08-19</modified>
</dates>
</vuln>
<vuln vid="72bf9e21-03df-11e3-bd8d-080027ef73ec">
<topic>polarssl -- denial of service vulnerability</topic>
<affects>
<package>
<name>polarssl</name>
<range><lt>1.2.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Paul Bakker reports:</p>
<blockquote cite="https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03">
<p>A bug in the logic of the parsing of PEM encoded certificates in
x509parse_crt() can result in an infinite loop, thus hogging processing
power.</p>
<p>While parsing a Certificate message during the SSL/TLS handshake,
PolarSSL extracts the presented certificates and sends them on to
be parsed. As the RFC specifies that the certificates in the
Certificate message are always X.509 certificates in DER format,
bugs in the decoding of PEM certificates should normally not be
triggerable via the SSL/TLS handshake.</p>
<p>Versions of PolarSSL prior to 1.1.7 in the 1.1 branch and prior
to 1.2.8 in the 1.2 branch call the generic x509parse_crt()
function for parsing during the handshake. x509parse_crt() is a
generic functions that wraps parsing of both PEM-encoded and
DER-formatted certificates. As a result it is possible to craft
a Certificate message that includes a PEM encoded certificate in
the Certificate message that triggers the infinite loop.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4623</cvename>
<url>https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03</url>
</references>
<dates>
<discovery>2013-06-21</discovery>
<entry>2013-08-13</entry>
<modified>2013-08-15</modified>
</dates>
</vuln>
<vuln vid="e21c7c7a-0116-11e3-9e83-3c970e169bc2">
<topic>samba -- denial of service vulnerability</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>0</gt></range>
</package>
<package>
<name>samba35</name>
<range><gt>0</gt></range>
</package>
<package>
<name>samba36</name>
<range><gt>3.6.*</gt><lt>3.6.17</lt></range>
</package>
<package>
<name>samba4</name>
<range><gt>4.0.*</gt><lt>4.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba project reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2013-4124">
<p>All current released versions of Samba are vulnerable to
a denial of service on an authenticated or guest connection.
A malformed packet can cause the smbd server to loop the CPU
performing memory allocations and preventing any further service.</p>
<p>A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
if guest connections are allowed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4124</cvename>
<url>http://www.samba.org/samba/security/CVE-2013-4124</url>
</references>
<dates>
<discovery>2013-08-05</discovery>
<entry>2013-08-09</entry>
<modified>2013-08-09</modified>
</dates>
</vuln>
<vuln vid="0998e79d-0055-11e3-905b-0025905a4771">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>18.0,1</gt><lt>23.0,1</lt></range>
<range><lt>17.0.8,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>17.0.8,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.20</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>17.0.8</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.20</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>17.0.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 /
rv:17.0.8)</p>
<p>MFSA 2013-64 Use after free mutating DOM during SetBody</p>
<p>MFSA 2013-65 Buffer underflow when generating CRMF requests</p>
<p>MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and
Mozilla Updater</p>
<p>MFSA 2013-67 Crash during WAV audio file decoding</p>
<p>MFSA 2013-68 Document URI misrepresentation and masquerading</p>
<p>MFSA 2013-69 CRMF requests allow for code execution and XSS
attacks</p>
<p>MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes</p>
<p>MFSA 2013-71 Further Privilege escalation through Mozilla Updater</p>
<p>MFSA 2013-72 Wrong principal used for validating URI for some
Javascript components</p>
<p>MFSA 2013-73 Same-origin bypass with web workers and
XMLHttpRequest</p>
<p>MFSA 2013-74 Firefox full and stub installer DLL hijacking</p>
<p>MFSA 2013-75 Local Java applets may read contents of local file
system</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1701</cvename>
<cvename>CVE-2013-1702</cvename>
<cvename>CVE-2013-1704</cvename>
<cvename>CVE-2013-1705</cvename>
<cvename>CVE-2013-1706</cvename>
<cvename>CVE-2013-1707</cvename>
<cvename>CVE-2013-1708</cvename>
<cvename>CVE-2013-1709</cvename>
<cvename>CVE-2013-1710</cvename>
<cvename>CVE-2013-1711</cvename>
<cvename>CVE-2013-1712</cvename>
<cvename>CVE-2013-1713</cvename>
<cvename>CVE-2013-1714</cvename>
<cvename>CVE-2013-1715</cvename>
<cvename>CVE-2013-1717</cvename>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-63.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-64.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-65.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-66.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-67.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-68.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-69.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-70.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-71.html</url>
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-72.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2013-08-06</discovery>
<entry>2013-08-08</entry>
</dates>
</vuln>
<vuln vid="4b448a96-ff73-11e2-b28d-080027ef73ec">
<topic>PuTTY -- Four security holes in versions before 0.63</topic>
<affects>
<package>
<name>putty</name>
<range><lt>0.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon Tatham reports:</p>
<blockquote cite="http://lists.tartarus.org/pipermail/putty-announce/2013/000018.html">
<p>This [0.63] release fixes multiple security holes in previous versions of
PuTTY, which can allow an SSH-2 server to make PuTTY overrun or
underrun buffers and crash. [...]
</p><p>
These vulnerabilities can be triggered before host key verification,
which means that you are not even safe if you trust the server you
<em>think</em> you're connecting to, since it could be spoofed over the
network and the host key check would not detect this before the attack
could take place.
</p><p>
Additionally, when PuTTY authenticated with a user's private key, the
private key or information equivalent to it was accidentally kept in
PuTTY's memory for the rest of its run, where it could be retrieved by
other processes reading PuTTY's memory, or written out to swap files
or crash dumps. This release fixes that as well.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4206</cvename>
<cvename>CVE-2013-4207</cvename>
<cvename>CVE-2013-4208</cvename>
<cvename>CVE-2013-4852</cvename>
<mlist msgid="E1V6lUs-0007kP-40@atreus.tartarus.org">http://lists.tartarus.org/pipermail/putty-announce/2013/000018.html</mlist>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html</url>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html</url>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html</url>
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html</url>
</references>
<dates>
<discovery>2013-07-08</discovery>
<entry>2013-08-07</entry>
</dates>
</vuln>
<vuln vid="e6839625-fdfa-11e2-9430-20cf30e32f6d">
<topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.5.0</ge><lt>4.5.29</lt></range>
<range><ge>4.7.0</ge><lt>4.7.14</lt></range>
<range><ge>6.1.0</ge><lt>6.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Typo Security Team reports:</p>
<blockquote cite="http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/">
<p>It has been discovered that TYPO3 Core is vulnerable to
Cross-Site Scripting and Remote Code Execution.</p>
<p>TYPO3 bundles flash files for video and audio playback. Old
versions of FlowPlayer and flashmedia are susceptible to
Cross-Site Scripting. No authentication is required to exploit
this vulnerability.</p>
<p>The file upload component and the File Abstraction Layer are
failing to check for denied file extensions, which allows
authenticated editors (even with limited permissions) to
upload php files with arbitrary code, which can then be
executed in web server's context.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3642</cvename>
<cvename>CVE-2013-1464</cvename>
</references>
<dates>
<discovery>2013-07-30</discovery>
<entry>2013-08-05</entry>
</dates>
</vuln>
<vuln vid="17326fd5-fcfb-11e2-9bb9-6805ca0b3d42">
<topic>phpMyAdmin -- clickJacking protection can be bypassed</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>4.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php">
<p> phpMyAdmin has a number of mechanisms to avoid a
clickjacking attack, however these mechanisms either work
only in modern browser versions, or can be bypassed.</p>
<p>"We have no solution for 3.5.x, due to the proposed
solution requiring JavaScript. We don't want to introduce a
dependency to JavaScript in the 3.5.x family."</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php</url>
</references>
<dates>
<discovery>2013-08-04</discovery>
<entry>2013-08-04</entry>
</dates>
</vuln>
<vuln vid="f4a0212f-f797-11e2-9bb9-6805ca0b3d42">
<topic>phpMyAdmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.0</ge><lt>4.0.4.2</lt></range>
</package>
<package>
<name>phpMyAdmin35</name>
<range><ge>3.5</ge><lt>3.5.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php">
<p>XSS due to unescaped HTML Output when executing a SQL query.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php">
<p>5 XSS vulnerabilities in setup, chart display, process
list, and logo link.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php">
<p>If a crafted version.json would be presented, an XSS
could be introduced.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php">
<p>Full path disclosure vulnerabilities.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php">
<p> XSS vulnerability when a text to link transformation is
used.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php">
<p>Self-XSS due to unescaped HTML output in schema
export.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php">
<p>SQL injection vulnerabilities, producing a privilege
escalation (control user).</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php</url>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php</url>
<url>http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.5.8.2/phpMyAdmin-3.5.8.2-notes.html/view</url>
<url>http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.4.2/phpMyAdmin-4.0.4.2-notes.html/view</url>
</references>
<dates>
<discovery>2013-07-28</discovery>
<entry>2013-07-28</entry>
<modified>2013-07-29</modified>
</dates>
</vuln>
<vuln vid="049332d2-f6e1-11e2-82f3-000c29ee3065">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.5.2,1</lt></range>
</package>
<package>
<name>zh-wordpress-zh_CN</name>
<range><lt>3.5.2</lt></range>
</package>
<package>
<name>zh-wordpress-zh_TW</name>
<range><lt>3.5.2</lt></range>
</package>
<package>
<name>de-wordpress</name>
<range><lt>3.5.2</lt></range>
</package>
<package>
<name>ja-wordpress</name>
<range><lt>3.5.2</lt></range>
</package>
<package>
<name>ru-wordpress</name>
<range><lt>3.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The wordpress development team reports:</p>
<blockquote cite="https://wordpress.org/news/2013/06/wordpress-3-5-2/">
<ul>
<li>Blocking server-side request forgery attacks, which could
potentially enable an attacker to gain access to a site</li>
<li>Disallow contributors from improperly publishing posts</li>
<li>An update to the SWFUpload external library to fix cross-site
scripting vulnerabilities</li>
<li>Prevention of a denial of service attack, affecting sites
using password-protected posts</li>
<li>An update to an external TinyMCE library to fix a cross-site
scripting vulnerability</li>
<li>Multiple fixes for cross-site scripting</li>
<li>Avoid disclosing a full file path when a upload fails</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2199</cvename>
<cvename>CVE-2013-2200</cvename>
<cvename>CVE-2013-2201</cvename>
<cvename>CVE-2013-2202</cvename>
<cvename>CVE-2013-2203</cvename>
<cvename>CVE-2013-2204</cvename>
<cvename>CVE-2013-2205</cvename>
<url>https://wordpress.org/news/2013/06/wordpress-3-5-2/</url>
</references>
<dates>
<discovery>2013-06-21</discovery>
<entry>2013-07-27</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="7943e521-f648-11e2-8607-3c970e169bc2">
<topic>bind -- denial of service vulnerability</topic>
<affects>
<package>
<name>bind99</name>
<range><gt>9.9.3</gt><lt>9.9.3.2</lt></range>
</package>
<package>
<name>bind99-base</name>
<range><gt>9.9.3</gt><lt>9.9.3.2</lt></range>
</package>
<package>
<name>bind98</name>
<range><gt>9.8.5</gt><lt>9.8.5.2</lt></range>
</package>
<package>
<name>bind98-base</name>
<range><gt>9.8.5</gt><lt>9.8.5.2</lt></range>
</package>
<package>
<name>FreeBSD</name>
<range><ge>9.0</ge><lt>9.1_5</lt></range>
<range><ge>8.4</ge><lt>8.4_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-01015/0">
<p>A specially crafted query that includes malformed
rdata can cause named to terminate with an assertion
failure while rejecting the malformed query.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4854</cvename>
<freebsdsa>SA-13:07.bind</freebsdsa>
<url>https://kb.isc.org/article/AA-01015/0</url>
</references>
<dates>
<discovery>2013-07-26</discovery>
<entry>2013-07-26</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="80771b89-f57b-11e2-bf21-b499baab0cbe">
<topic>gnupg -- side channel attack on RSA secret keys</topic>
<affects>
<package>
<name>gnupg</name>
<range><lt>1.4.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Yarom and Falkner paper reports:</p>
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html">
<p>Flush+Reload is a cache side-channel attack that monitors access to
data in shared pages. In this paper we demonstrate how to use the
attack to extract private encryption keys from GnuPG. The high
resolution and low noise of the Flush+Reload attack enables a spy
program to recover over 98% of the bits of the private key in a
single decryption or signing round. Unlike previous attacks, the
attack targets the last level L3 cache. Consequently, the spy
program and the victim do not need to share the execution core of
the CPU. The attack is not limited to a traditional OS and can be
used in a virtualised environment, where it can attack programs
executing in a different VM.</p>
</blockquote>
</body>
</description>
<references>
<url>http://eprint.iacr.org/2013/448</url>
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html</url>
</references>
<dates>
<discovery>2013-07-18</discovery>
<entry>2013-07-25</entry>
<modified>2013-07-26</modified>
</dates>
</vuln>
<vuln vid="c4d412c8-f4d1-11e2-b86c-000c295229d5">
<topic>openafs -- single-DES cell-wide key brute force vulnerability</topic>
<affects>
<package>
<name>openafs</name>
<range><lt>1.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenAFS Project reports:</p>
<blockquote cite="http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt">
<p>The small size of the DES key space permits an attacker to brute
force a cell's service key and then forge traffic from any user
within the cell. The key space search can be performed in under 1
day at a cost of around $100 using publicly available services.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4134</cvename>
<url>http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt</url>
<url>http://openafs.org/pages/security/how-to-rekey.txt</url>
<url>http://openafs.org/pages/security/install-rxkad-k5-1.6.txt</url>
</references>
<dates>
<discovery>2013-07-24</discovery>
<entry>2013-07-25</entry>
</dates>
</vuln>
<vuln vid="2ae24334-f2e6-11e2-8346-001e8c75030d">
<topic>subversion -- remotely triggerable "Assertion failed" DoS vulnerability or read overflow.</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.8.0</ge><lt>1.8.1</lt></range>
<range><ge>1.7.0</ge><lt>1.7.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion Project reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2013-4131-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module will trigger an assertion
on some requests made against a revision root. This can lead to a DoS.
If assertions are disabled it will trigger a read overflow which may cause a
SEGFAULT (or equivalent) or undefined behavior.</p>
<p>Commit access is required to exploit this.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4131</cvename>
<url>http://subversion.apache.org/security/CVE-2013-4131-advisory.txt</url>
</references>
<dates>
<discovery>2013-07-19</discovery>
<entry>2013-07-24</entry>
<modified>2013-07-25</modified>
</dates>
</vuln>
<vuln vid="2fbfd455-f2d0-11e2-8a46-000d601460a4">
<topic>suPHP -- Privilege escalation</topic>
<affects>
<package>
<name>suphp</name>
<range><lt>0.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>suPHP developer Sebastian Marsching reports:</p>
<blockquote cite="https://lists.marsching.com/pipermail/suphp/2013-May/002552.html">
<p>When the suPHP_PHPPath was set, mod_suphp would use the specified PHP
executable to pretty-print PHP source files (MIME type
x-httpd-php-source or application/x-httpd-php-source).</p>
<p>However, it would not sanitize the environment. Thus a user that was
allowed to use the SetEnv directive in a .htaccess file (AllowOverride
FileInfo) could make PHP load a malicious configuration file (e.g.
loading malicious extensions).</p>
<p>As the PHP process for highlighting the source file was run with the
privileges of the user Apache HTTPd was running as, a local attacker
could probably execute arbitrary code with the privileges of this user.</p>
</blockquote>
</body>
</description>
<references>
<url>https://lists.marsching.com/pipermail/suphp/2013-May/002552.html</url>
</references>
<dates>
<discovery>2013-05-20</discovery>
<entry>2013-07-22</entry>
</dates>
</vuln>
<vuln vid="ca4d63fb-f15c-11e2-b183-20cf30e32f6d">
<topic>apache24 -- several vulnerabilities</topic>
<affects>
<package>
<name>apache24</name>
<range><lt>2.4.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache HTTP SERVER PROJECT reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/Announcement2.4.html">
<p>mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn
with the source href (sent as part of the request body as XML) pointing
to a URI that is not configured for DAV will trigger a segfault.</p>
<p>mod_session_dbd: Make sure that dirty flag is respected when saving
sessions, and ensure the session ID is changed each time the session
changes. This changes the format of the updatesession SQL statement.
Existing configurations must be changed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1896</cvename>
<cvename>CVE-2013-2249</cvename>
<url>http://www.apache.org/dist/httpd/Announcement2.4.html</url>
</references>
<dates>
<discovery>2013-07-11</discovery>
<entry>2013-07-20</entry>
<modified>2013-07-21</modified>
</dates>
</vuln>
<vuln vid="9b037a0d-ef2c-11e2-b4a0-8c705af55518">
<topic>gallery -- multiple vulnerabilities</topic>
<affects>
<package>
<name>gallery3</name>
<range><lt>3.0.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Red Hat Security Response Team reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2013/07/04/7">
<p>Gallery upstream has released 3.0.9 version, correcting two
security flaws:</p>
<p>Issue #1 - Improper stripping of URL fragments in flowplayer
SWF file might lead to reply attacks (a different flaw than
CVE-2013-2138).</p>
<p>Issue #2 - gallery3: Multiple information exposure flaws in
data rest core module.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2240</cvename>
<cvename>CVE-2013-2241</cvename>
<url>http://sourceforge.net/apps/trac/gallery/ticket/2073</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=981197</url>
<url>http://sourceforge.net/apps/trac/gallery/ticket/2074</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=981198</url>
<url>http://galleryproject.org/gallery_3_0_9</url>
</references>
<dates>
<discovery>2013-06-28</discovery>
<entry>2013-07-17</entry>
</dates>
</vuln>
<vuln vid="31b145f2-d9d3-49a9-8023-11cf742205dc">
<topic>PHP5 -- Heap corruption in XML parser</topic>
<affects>
<package>
<name>php53</name>
<range><lt>5.3.27</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP development team reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113">
<p>ext/xml/xml.c in PHP before 5.3.27 does not properly
consider parsing depth, which allows remote attackers to
cause a denial of service (heap memory corruption) or
possibly have unspecified other impact via a crafted
document that is processed by the xml_parse_into_struct
function.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4113</cvename>
<url>https://bugs.php.net/bug.php?id=65236</url>
</references>
<dates>
<discovery>2013-07-10</discovery>
<entry>2013-07-16</entry>
</dates>
</vuln>
<vuln vid="5def3175-f3f9-4476-ba40-b46627cc638c">
<topic>PHP5 -- Integer overflow in Calendar module</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.4.0</ge><lt>5.4.16</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP development team reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4635">
<p>Integer overflow in the SdnToJewish function in jewish.c
in the Calendar component in PHP before 5.3.26 and 5.4.x
before 5.4.16 allows context-dependent attackers to cause a
denial of service (application hang) via a large argument to
the jdtojewish function.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4635</cvename>
<url>https://bugs.php.net/bug.php?id=64895</url>
</references>
<dates>
<discovery>2013-05-22</discovery>
<entry>2013-07-16</entry>
</dates>
</vuln>
<vuln vid="df428c01-ed91-11e2-9466-98fc11cdc4f5">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.297</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-17.html">
<p>These updates address vulnerabilities that could cause a crash
and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-3344</cvename>
<cvename>CVE-2013-3345</cvename>
<cvename>CVE-2013-3347</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb13-17.html</url>
</references>
<dates>
<discovery>2013-07-09</discovery>
<entry>2013-07-15</entry>
<modified>2013-07-18</modified>
</dates>
</vuln>
<vuln vid="30a04ab4-ed7b-11e2-8643-8c705af55518">
<topic>squid -- denial of service</topic>
<affects>
<package>
<name>squid</name>
<range><ge>3.2</ge><lt>3.2.12</lt></range>
<range><ge>3.3</ge><lt>3.3.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid project reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2013_3.txt">
<p>Due to incorrect data validation Squid is vulnerable to a
denial of service attack when processing specially crafted
HTTP requests</p>
<p>This problem allows any client who can generate HTTP requests
to perform a denial of service attack on the Squid service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4123</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2013_3.txt</url>
</references>
<dates>
<discovery>2013-07-13</discovery>
<entry>2013-07-15</entry>
</dates>
</vuln>
<vuln vid="04320e7d-ea66-11e2-a96e-60a44c524f57">
<topic>libzrtpcpp -- multiple security vulnerabilities</topic>
<affects>
<package>
<name>libzrtpcpp</name>
<range><lt>2.3.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mark Dowd reports:</p>
<blockquote cite="http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html">
<p>Vulnerability 1. Remote Heap Overflow: If an attacker sends a
packet larger than 1024 bytes that gets stored temporarily (which
occurs many times - such as when sending a ZRTP Hello packet), a
heap overflow will occur, leading to potential arbitrary code
execution on the vulnerable host.</p>
<p>Vulnerability 2. Multiple Stack Overflows: ZRTPCPP contains
multiple stack overflows that arise when preparing a response
to a client's ZRTP Hello packet.</p>
<p>Vulnerability 3. Information Leaking / Out of Bounds Reads:
The ZRTPCPP library performs very little validation regarding the
expected size of a packet versus the actual amount of data
received. This can lead to both information leaking and out
of bounds data reads (usually resulting in a crash).
Information leaking can be performed for example by sending
a malformed ZRTP Ping packet.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2221</cvename>
<cvename>CVE-2013-2222</cvename>
<cvename>CVE-2013-2223</cvename>
</references>
<dates>
<discovery>2013-06-27</discovery>
<entry>2013-07-11</entry>
</dates>
</vuln>
<vuln vid="ebd877b9-7ef4-4375-b1fd-c67780581898">
<topic>ruby -- Hostname check bypassing vulnerability in SSL client</topic>
<affects>
<package>
<name>ruby19</name>
<range><lt>1.9.3.448,1</lt></range>
</package>
<package>
<name>ruby18</name>
<range><lt>1.8.7.374,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby Developers report:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/">
<p>Ruby's SSL client implements hostname identity check but it does
not properly handle hostnames in the certificate that contain null
bytes.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4073</cvename>
<url>http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/</url>
</references>
<dates>
<discovery>2013-06-27</discovery>
<entry>2013-07-11</entry>
<modified>2013-09-24</modified>
</dates>
</vuln>
<vuln vid="e3e788aa-e9fd-11e2-a96e-60a44c524f57">
<topic>otrs -- Sql Injection + Xss Issue</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>3.2.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS Project reports:</p>
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-05/">
<p>An attacker with a valid agent login could manipulate URLs leading to SQL injection. An attacker with a valid agent login could manipulate URLs in the ITSM ConfigItem search, leading to a JavaScript code injection (XSS) problem.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4717</cvename>
<cvename>CVE-2013-4718</cvename>
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-05/</url>
</references>
<dates>
<discovery>2013-07-09</discovery>
<entry>2013-07-11</entry>
</dates>
</vuln>
<vuln vid="f3d24aee-e5ad-11e2-b183-20cf30e32f6d">
<topic>apache22 -- several vulnerabilities</topic>
<affects>
<package>
<name>apache22</name>
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-event-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-itk-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-peruser-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
<package>
<name>apache22-worker-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Apache HTTP SERVER PROJECT reports:</h1>
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.2.25">
<p>The mod_rewrite module in the Apache HTTP Server 2.2.x before
2.2.25 writes data to a log file without sanitizing
non-printable characters, which might allow remote attackers to
execute arbitrary commands via an HTTP request containing an
escape sequence for a terminal emulator.</p>
<p>mod_dav: Sending a MERGE request against a URI handled by
mod_dav_svn with the source href (sent as part of the request
body as XML) pointing to a URI that is not configured for DAV
will trigger a segfault.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1862</cvename>
<cvename>CVE-2013-1896</cvename>
</references>
<dates>
<discovery>2013-06-21</discovery>
<entry>2013-07-05</entry>
<modified>2013-07-10</modified>
</dates>
</vuln>
<vuln vid="1b93f6fe-e1c1-11e2-948d-6805ca0b3d42">
<topic>phpMyAdmin -- Global variable scope injection</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.0</ge><lt>4.0.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php">
<p>The import.php script was vulnerable to GLOBALS variable
injection. Therefore, an attacker could manipulate any
configuration parameter.</p>
<p>This vulnerability can be triggered only by someone who
logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users from accessing the required
form.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php</url>
<cvename>CVE-2013-4729</cvename>
</references>
<dates>
<discovery>2013-06-30</discovery>
<entry>2013-06-30</entry>
</dates>
</vuln>
<vuln vid="81da673e-dfe1-11e2-9389-08002798f6ff">
<topic>apache-xml-security-c -- heap overflow during XPointer evaluation</topic>
<affects>
<package>
<name>apache-xml-security-c</name>
<range><lt>1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://santuario.apache.org/secadv.data/CVE-2013-2210.txt">
<p>The attempted fix to address CVE-2013-2154 introduced the
possibility of a heap overflow, possibly leading to arbitrary code
execution, in the processing of malformed XPointer expressions in the
XML Signature Reference processing code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2210</cvename>
<url>http://santuario.apache.org/secadv.data/CVE-2013-2210.txt</url>
</references>
<dates>
<discovery>2013-06-27</discovery>
<entry>2013-06-28</entry>
</dates>
</vuln>
<vuln vid="b3fcb387-de4b-11e2-b1c6-0025905a4771">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>18.0,1</gt><lt>22.0,1</lt></range>
<range><lt>17.0.7,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>17.0.7,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.19</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>17.0.7</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.19</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>17.0.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)</p>
<p>Title: Memory corruption found using Address Sanitizer</p>
<p>Privileged content access and execution via XBL</p>
<p>Arbitrary code execution within Profiler</p>
<p>Execution of unmapped memory through onreadystatechange</p>
<p>Data in the body of XHR HEAD requests leads to CSRF attacks</p>
<p>SVG filters can lead to information disclosure</p>
<p>PreserveWrapper has inconsistent behavior</p>
<p>Sandbox restrictions not applied to nested frame elements</p>
<p>X-Frame-Options ignored when using server push with multi-part
responses</p>
<p>XrayWrappers can be bypassed to run user defined methods in a
privileged context</p>
<p>getUserMedia permission dialog incorrectly displays location</p>
<p>Homograph domain spoofing in .com, .net and .name</p>
<p>Inaccessible updater can lead to local privilege escalation</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1682</cvename>
<cvename>CVE-2013-1683</cvename>
<cvename>CVE-2013-1684</cvename>
<cvename>CVE-2013-1685</cvename>
<cvename>CVE-2013-1686</cvename>
<cvename>CVE-2013-1687</cvename>
<cvename>CVE-2013-1688</cvename>
<cvename>CVE-2013-1690</cvename>
<cvename>CVE-2013-1692</cvename>
<cvename>CVE-2013-1693</cvename>
<cvename>CVE-2013-1694</cvename>
<cvename>CVE-2013-1695</cvename>
<cvename>CVE-2013-1696</cvename>
<cvename>CVE-2013-1697</cvename>
<cvename>CVE-2013-1698</cvename>
<cvename>CVE-2013-1699</cvename>
<cvename>CVE-2013-1700</cvename>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-49.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-50.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-51.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-52.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-53.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-54.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-55.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-56.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-57.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-58.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-59.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-60.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-61.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-62.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2013-06-25</discovery>
<entry>2013-06-26</entry>
</dates>
</vuln>
<vuln vid="01cf67b3-dc3b-11e2-a6cd-c48508086173">
<topic>cURL library -- heap corruption in curl_easy_unescape</topic>
<affects>
<package>
<name>curl</name>
<range><ge>7.7</ge><lt>7.24.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>cURL developers report:</p>
<blockquote cite="http://curl.haxx.se/docs/adv_20130622.html">
<p>libcurl is vulnerable to a case of bad checking of the
input data which may lead to heap corruption.</p>
<p>The function curl_easy_unescape() decodes URL-encoded
strings to raw binary data. URL-encoded octets are
represented with %HH combinations where HH is a two-digit
hexadecimal number. The decoded string is written to an
allocated memory area that the function returns to the
caller.</p>
<p>The function takes a source string and a length
parameter, and if the length provided is 0 the function will
instead use strlen() to figure out how much data to
parse.</p>
<p>The "%HH" parser wrongly only considered the case where a
zero byte would terminate the input. If a length-limited
buffer was passed in which ended with a '%' character which
was followed by two hexadecimal digits outside of the buffer
libcurl was allowed to parse alas without a terminating
zero, libcurl would still parse that sequence as well. The
counter for remaining data to handle would then be decreased
too much and wrap to become a very large integer and the
copying would go on too long and the destination buffer that
is allocated on the heap would get overwritten.</p>
<p>We consider it unlikely that programs allow user-provided
strings unfiltered into this function. Also, only the not
zero-terminated input string use case is affected by this
flaw. Exploiting this flaw for gain is probably possible for
specific circumstances but we consider the general risk for
this to be low.</p>
<p>The curl command line tool is not affected by this
problem as it doesn't use this function.</p>
<p>There are no known exploits available at this time.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2174</cvename>
<url>http://curl.haxx.se/docs/adv_20130622.html</url>
</references>
<dates>
<discovery>2013-06-22</discovery>
<entry>2013-06-23</entry>
<modified>2013-07-01</modified>
</dates>
</vuln>
<vuln vid="b162b218-c547-4ba2-ae31-6fdcb61bc763">
<topic>puppet -- Unauthenticated Remote Code Execution Vulnerability</topic>
<affects>
<package>
<name>puppet</name>
<range><ge>2.7</ge><lt>2.7.22</lt></range>
<range><ge>3.0</ge><lt>3.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Puppet Developers report:</p>
<blockquote cite="http://puppetlabs.com/security/cve/cve-2013-3567/">
<p>When making REST api calls, the puppet master takes YAML from an
untrusted client, deserializes it, and then calls methods on the
resulting object. A YAML payload can be crafted to cause the
deserialization to construct an instance of any class available in
the ruby process, which allows an attacker to execute code
contained in the payload.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-3567</cvename>
</references>
<dates>
<discovery>2013-06-13</discovery>
<entry>2013-06-22</entry>
<modified>2013-08-01</modified>
</dates>
</vuln>
<vuln vid="8b97d289-d8cf-11e2-a1f5-60a44c524f57">
<topic>otrs -- information disclosure</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>3.2.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS Project reports:</p>
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/">
<p>An attacker with a valid agent login could manipulate URLs in the ticket
watch mechanism to see contents of tickets they are not permitted to see.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-4088</cvename>
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/</url>
</references>
<dates>
<discovery>2013-06-18</discovery>
<entry>2013-06-19</entry>
</dates>
</vuln>
<vuln vid="abef280d-d829-11e2-b71c-8c705af55518">
<topic>FreeBSD -- Privilege escalation via mmap</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>9.0</ge><lt>9.1_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13%3a06.mmap.asc">
<p>Due to insufficient permission checks in the virtual memory
system, a tracing process (such as a debugger) may be able to
modify portions of the traced process's address space to which
the traced process itself does not have write access.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2171</cvename>
<freebsdsa>SA-13:06.mmap</freebsdsa>
</references>
<dates>
<discovery>2013-06-18</discovery>
<entry>2013-06-18</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="279e5f4b-d823-11e2-928e-08002798f6ff">
<topic>apache-xml-security-c -- heap overflow</topic>
<affects>
<package>
<name>apache-xml-security-c</name>
<range><lt>1.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://santuario.apache.org/secadv.data/CVE-2013-2156.txt">
<p>A heap overflow exists in the processing of the PrefixList
attribute optionally used in conjunction with Exclusive
Canonicalization, potentially allowing arbitary code execution.
If verification of the signature occurs prior to actual evaluation of a
signing key, this could be exploited by an unauthenticated attacker.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2156</cvename>
<url>http://santuario.apache.org/secadv.data/CVE-2013-2156.txt</url>
</references>
<dates>
<discovery>2013-06-18</discovery>
<entry>2013-06-18</entry>
</dates>
</vuln>
<vuln vid="80af2677-d6c0-11e2-8f5e-001966155bea">
<topic>tor -- guard discovery</topic>
<affects>
<package>
<name>tor-devel</name>
<range><lt>0.2.4.13.a_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tor Project reports:</p>
<blockquote cite="https://gitweb.torproject.org/tor.git/commit/2a95f3171681ee53c97ccba9d80f4454b462aaa7">
<p>Disable middle relay queue overfill detection code due to possible guard discovery attack</p>
</blockquote>
</body>
</description>
<references>
<url>https://trac.torproject.org/projects/tor/ticket/9072</url>
</references>
<dates>
<discovery>2013-06-15</discovery>
<entry>2013-06-16</entry>
</dates>
</vuln>
<vuln vid="4e9e410b-d462-11e2-8d57-080027019be0">
<topic>dbus -- local dos</topic>
<affects>
<package>
<name>dbus</name>
<range><lt>1.6.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon McVittie reports:</p>
<blockquote cite="http://lists.freedesktop.org/archives/dbus/2013-June/015696.html">
<p>Alexandru Cornea discovered a vulnerability in libdbus caused
by an implementation bug in _dbus_printf_string_upper_bound().
This vulnerability can be exploited by a local user to crash
system services that use libdbus, causing denial of service.
It is platform-specific: x86-64 Linux is known to be affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2168</cvename>
<url>http://lists.freedesktop.org/archives/dbus/2013-June/015696.html</url>
</references>
<dates>
<discovery>2013-06-13</discovery>
<entry>2013-06-13</entry>
</dates>
</vuln>
<vuln vid="fce67546-d2e7-11e2-a9bf-98fc11cdc4f5">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.291</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-16.html">
<p>These updates address vulnerabilities that could cause a crash
and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-3343</cvename>
</references>
<dates>
<discovery>2013-06-11</discovery>
<entry>2013-06-14</entry>
<modified>2013-06-18</modified>
</dates>
</vuln>
<vuln vid="d7a43ee6-d2d5-11e2-9894-002590082ac6">
<topic>owncloud -- Multiple security vulnerabilities</topic>
<affects>
<package>
<name>owncloud</name>
<range><lt>5.0.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The ownCloud development team reports:</p>
<blockquote cite="http://owncloud.org/about/security/advisories/">
<p>oC-SA-2013-019 / CVE-2013-2045: Multiple SQL Injections.
Credit to Mateusz Goik (aliantsoft.pl).</p>
<p>oC-SA-2013-020 / CVE-2013-[2039,2085]: Multiple directory traversals.
Credit to Mateusz Goik (aliantsoft.pl).</p>
<p>oC-SQ-2013-021 / CVE-2013-[2040-2042]: Multiple XSS vulnerabilities.
Credit to Mateusz Goik (aliantsoft.pl) and Kacper R. (http://devilteam.pl).</p>
<p>oC-SA-2013-022 / CVE-2013-2044: Open redirector.
Credit to Mateusz Goik (aliantsoft.pl).</p>
<p>oC-SA-2013-023 / CVE-2013-2047: Password autocompletion.</p>
<p>oC-SA-2013-024 / CVE-2013-2043: Privilege escalation in the calendar application.
Credit to Mateusz Goik (aliantsoft.pl).</p>
<p>oC-SA-2013-025 / CVE-2013-2048: Privilege escalation and CSRF in the API.</p>
<p>oC-SA-2013-026 / CVE-2013-2089: Incomplete blacklist vulnerability.</p>
<p>oC-SA-2013-027 / CVE-2013-2086: CSRF token leakage.</p>
<p>oC-SA-2013-028 / CVE-2013-[2149-2150]: Multiple XSS vulnerabilities.</p>
</blockquote>
</body>
</description>
<references>
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-019/</url>
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-020/</url>
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-021/</url>
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-022/</url>
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-023/</url>
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-024/</url>
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-025/</url>
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-026/</url>
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-027/</url>
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-028/</url>
<cvename>CVE-2013-2039</cvename>
<cvename>CVE-2013-2040</cvename>
<cvename>CVE-2013-2041</cvename>
<cvename>CVE-2013-2042</cvename>
<cvename>CVE-2013-2043</cvename>
<cvename>CVE-2013-2044</cvename>
<cvename>CVE-2013-2045</cvename>
<cvename>CVE-2013-2047</cvename>
<cvename>CVE-2013-2048</cvename>
<cvename>CVE-2013-2085</cvename>
<cvename>CVE-2013-2086</cvename>
<cvename>CVE-2013-2089</cvename>
<cvename>CVE-2013-2149</cvename>
<cvename>CVE-2013-2150</cvename>
</references>
<dates>
<discovery>2013-05-14</discovery>
<entry>2013-06-11</entry>
</dates>
</vuln>
<vuln vid="59e7163c-cf84-11e2-907b-0025905a4770">
<topic>php5 -- Heap based buffer overflow in quoted_printable_encode</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.4.16</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP development team reports:</p>
<blockquote cite="http://www.php.net/ChangeLog-5.php">
<p>A Heap-based buffer overflow flaw was found in the php
quoted_printable_encode() function. A remote attacker could use
this flaw to cause php to crash or execute arbirary code with the
permission of the user running php</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2110</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=964969</url>
</references>
<dates>
<discovery>2013-06-06</discovery>
<entry>2013-06-07</entry>
</dates>
</vuln>
<vuln vid="72f35727-ce83-11e2-be04-005056a37f68">
<topic>dns/bind9* -- A recursive resolver can be crashed by a query for a malformed zone</topic>
<affects>
<package>
<name>bind99</name>
<range><gt>9.9.3</gt><lt>9.9.3.1</lt></range>
</package>
<package>
<name>bind99-base</name>
<range><gt>9.9.3</gt><lt>9.9.3.1</lt></range>
</package>
<package>
<name>bind98</name>
<range><gt>9.8.5</gt><lt>9.8.5.1</lt></range>
</package>
<package>
<name>bind98-base</name>
<range><gt>9.8.5</gt><lt>9.8.5.1</lt></range>
</package>
<package>
<name>bind96</name>
<range><gt>9.6.3.1.ESV.R9</gt><lt>9.6.3.2.ESV.R9</lt></range>
</package>
<package>
<name>bind96-base</name>
<range><gt>9.6.3.1.ESV.R9</gt><lt>9.6.3.2.ESV.R9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-00967">
<p>A bug has been discovered in the most recent releases of
BIND 9 which has the potential for deliberate exploitation
as a denial-of-service attack. By sending a recursive
resolver a query for a record in a specially malformed zone,
an attacker can cause BIND 9 to exit with a fatal
"RUNTIME_CHECK" error in resolver.c.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-3919</cvename>
</references>
<dates>
<discovery>2013-06-04</discovery>
<entry>2013-06-06</entry>
<modified>2013-06-07</modified>
</dates>
</vuln>
<vuln vid="6b97436c-ce1e-11e2-9cb2-6805ca0b3d42">
<topic>phpMyAdmin -- XSS due to unescaped HTML output in Create View page</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.0</ge><lt>4.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php">
<p>When creating a view with a crafted name and an incorrect
CREATE statement, it is possible to trigger an XSS.</p>
<p>This vulnerability can be triggered only by someone who
logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users from accessing the required
form.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php</url>
<cvename>CVE-2013-3742</cvename>
</references>
<dates>
<discovery>2013-06-05</discovery>
<entry>2013-06-05</entry>
</dates>
</vuln>
<vuln vid="a3c2dee5-cdb9-11e2-b9ce-080027019be0">
<topic>telepathy-gabble -- TLS verification bypass</topic>
<affects>
<package>
<name>telepathy-gabble</name>
<range><lt>0.16.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Simon McVittie reports:</p>
<blockquote cite="http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html">
<p>This release fixes a man-in-the-middle attack.</p>
<p>If you use an unencrypted connection to a "legacy Jabber"
(pre-XMPP) server, this version of Gabble will not connect
until you make one of these configuration changes:</p>
<p>. upgrade the server software to something that supports XMPP 1.0; or</p>
<p>. use an encrypted "old SSL" connection, typically on port 5223
(old-ssl); or</p>
<p>. turn off "Encryption required (TLS/SSL)" (require-encryption).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1431</cvename>
<url>http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html</url>
</references>
<dates>
<discovery>2013-05-27</discovery>
<entry>2013-06-05</entry>
</dates>
</vuln>
<vuln vid="2eebebff-cd3b-11e2-8f09-001b38c3836c">
<topic>xorg -- protocol handling issues in X Window System client libraries</topic>
<affects>
<package>
<name>libX11</name>
<range><lt>1.6.0</lt></range>
</package>
<package>
<name>libXext</name>
<range><lt>1.3.2</lt></range>
</package>
<package>
<name>libXfixes</name>
<range><lt>5.0.1</lt></range>
</package>
<package>
<name>libXi</name>
<range><lt>1.7_1</lt></range>
</package>
<package>
<name>libXinerama</name>
<range><lt>1.1.3</lt></range>
</package>
<package>
<name>libXp</name>
<range><lt>1.0.2</lt></range>
</package>
<package>
<name>libXrandr</name>
<range><lt>1.4.1</lt></range>
</package>
<package>
<name>libXrender</name>
<range><lt>0.9.7_1</lt></range>
</package>
<package>
<name>libXres</name>
<range><lt>1.0.7</lt></range>
</package>
<package>
<name>libXtst</name>
<range><lt>1.2.2</lt></range>
</package>
<package>
<name>libXv</name>
<range><lt>1.0.8</lt></range>
</package>
<package>
<name>libXvMC</name>
<range><lt>1.0.7_1</lt></range>
</package>
<package>
<name>libXxf86dga</name>
<range><lt>1.1.4</lt></range>
</package>
<package>
<name>libdmx</name>
<range><lt>1.1.3</lt></range>
</package>
<package>
<name>libxcb</name>
<range><lt>1.9.1</lt></range>
</package>
<package>
<name>libGL</name>
<range><lt>7.6.1_4</lt></range>
<range><gt>7.8.0</gt><lt>8.0.5_4</lt></range>
</package>
<package>
<name>xf86-video-openchrome</name>
<range><lt>0.3.3</lt></range>
</package>
<package>
<name>libFS</name>
<range><lt>1.0.5</lt></range>
</package>
<package>
<name>libXxf86vm</name>
<range><lt>1.1.3</lt></range>
</package>
<package>
<name>libXt</name>
<range><lt>1.1.4</lt></range>
</package>
<package>
<name>libXcursor</name>
<range><lt>1.1.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>freedesktop.org reports:</p>
<blockquote cite="http://www.x.org/wiki/Development/Security/Advisory-2013-05-23">
<p>Ilja van Sprundel, a security researcher with IOActive, has
discovered a large number of issues in the way various X client
libraries handle the responses they receive from servers, and has
worked with X.Org's security team to analyze, confirm, and fix
these issues.</p>
<p>Most of these issues stem from the client libraries trusting the
server to send correct protocol data, and not verifying that the
values will not overflow or cause other damage. Most of the time X
clients &amp; servers are run by the same user, with the server
more privileged from the clients, so this is not a problem, but
there are scenarios in which a privileged client can be connected
to an unprivileged server, for instance, connecting a setuid X
client (such as a screen lock program) to a virtual X server (such
as Xvfb or Xephyr) which the user has modified to return invalid
data, potentially allowing the user to escalate their privileges.</p>
<p>The vulnerabilities include:</p>
<p>Integer overflows calculating memory needs for replies.</p>
<p>Sign extension issues calculating memory needs for replies.</p>
<p>Buffer overflows due to not validating length or offset values in
replies.</p>
<p>Integer overflows parsing user-specified files.</p>
<p>Unbounded recursion parsing user-specified files.</p>
<p>Memory corruption due to unchecked return values.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1981</cvename>
<cvename>CVE-2013-1982</cvename>
<cvename>CVE-2013-1983</cvename>
<cvename>CVE-2013-1984</cvename>
<cvename>CVE-2013-1985</cvename>
<cvename>CVE-2013-1986</cvename>
<cvename>CVE-2013-1987</cvename>
<cvename>CVE-2013-1988</cvename>
<cvename>CVE-2013-1989</cvename>
<cvename>CVE-2013-1990</cvename>
<cvename>CVE-2013-1991</cvename>
<cvename>CVE-2013-1992</cvename>
<cvename>CVE-2013-1993</cvename>
<cvename>CVE-2013-1994</cvename>
<cvename>CVE-2013-1995</cvename>
<cvename>CVE-2013-1996</cvename>
<cvename>CVE-2013-1997</cvename>
<cvename>CVE-2013-1998</cvename>
<cvename>CVE-2013-1999</cvename>
<cvename>CVE-2013-2000</cvename>
<cvename>CVE-2013-2001</cvename>
<cvename>CVE-2013-2002</cvename>
<cvename>CVE-2013-2003</cvename>
<cvename>CVE-2013-2004</cvename>
<cvename>CVE-2013-2005</cvename>
<cvename>CVE-2013-2062</cvename>
<cvename>CVE-2013-2063</cvename>
<cvename>CVE-2013-2064</cvename>
<cvename>CVE-2013-2066</cvename>
</references>
<dates>
<discovery>2013-05-23</discovery>
<entry>2013-06-04</entry>
</dates>
</vuln>
<vuln vid="e3f64457-cccd-11e2-af76-206a8a720317">
<topic>krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]</topic>
<affects>
<package>
<name>krb5</name>
<range><le>1.11.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>No advisory has been released yet.</p>
<blockquote cite="http://web.mit.edu/kerberos/www/krb5-1.11/">
<p>schpw.c in the kpasswd service in kadmind in MIT Kerberos 5
(aka krb5) before 1.11.3 does not properly validate UDP packets
before sending responses, which allows remote attackers to cause
a denial of service (CPU and bandwidth consumption) via a forged
packet that triggers a communication loop, as demonstrated by
krb_pingpong.nasl, a related issue to CVE-1999-0103.
[CVE-2002-2443].</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2002-2443</cvename>
<url>http://web.mit.edu/kerberos/www/krb5-1.11/</url>
</references>
<dates>
<discovery>2013-05-10</discovery>
<entry>2013-06-03</entry>
</dates>
</vuln>
<vuln vid="0bf376b7-cc6b-11e2-a424-14dae938ec40">
<topic>net/openafs -- buffer overflow</topic>
<affects>
<package>
<name>openafs</name>
<range><lt>1.6.2.*</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Nickolai Zeldovich reports:</p>
<blockquote cite="http://www.openafs.org/pages/security/OPENAFS-SA-2013-001.txt">
<p>An attacker with the ability to manipulate AFS directory ACLs may
crash the fileserver hosting that volume.
In addition, once a corrupt ACL is placed on a fileserver, its
existence may crash client utilities manipulating ACLs
on that server.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openafs.org/pages/security/OPENAFS-SA-2013-001.txt</url>
<cvename>CVE-2013-1794</cvename>
</references>
<dates>
<discovery>2013-02-27</discovery>
<entry>2013-06-03</entry>
</dates>
</vuln>
<vuln vid="9dfb63b8-8f36-11e2-b34d-000c2957946c">
<topic>www/mod_security -- NULL pointer dereference DoS</topic>
<affects>
<package>
<name>mod_security</name>
<range><lt>2.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/526746">
<p>When ModSecurity receives a request body with a size bigger than the
value set by the "SecRequestBodyInMemoryLimit" and with a "Content-Type"
that has no request body processor mapped to it, ModSecurity will
systematically crash on every call to "forceRequestBodyVariable".</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2765</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765</url>
</references>
<dates>
<discovery>2013-05-27</discovery>
<entry>2013-06-03</entry>
</dates>
</vuln>
<vuln vid="1225549f-ca91-11e2-b3b8-f0def16c5c1b">
<topic>passenger -- security vulnerability</topic>
<affects>
<package>
<name>rubygem-passenger</name>
<range><lt>4.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Phusion reports:</p>
<blockquote cite="http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/">
<p>A denial of service and arbitrary code execution by hijacking temp files. [CVE-2013-2119]</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2119</cvename>
<url>http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/</url>
</references>
<dates>
<discovery>2013-05-29</discovery>
<entry>2013-06-01</entry>
</dates>
</vuln>
<vuln vid="ce502902-ca39-11e2-9673-001e8c75030d">
<topic>devel/subversion -- svnserve remotely triggerable DoS</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.7.0</ge><lt>1.7.10</lt></range>
<range><ge>1.0.0</ge><lt>1.6.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion team reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2013-2112-advisory.txt">
<p>Subversion's svnserve server process may exit when an incoming TCP connection
is closed early in the connection process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2112</cvename>
</references>
<dates>
<discovery>2013-05-31</discovery>
<entry>2013-05-31</entry>
</dates>
</vuln>
<vuln vid="6d0bf320-ca39-11e2-9673-001e8c75030d">
<topic>devel/subversion -- contrib hook-scripts can allow arbitrary code execution</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.7.0</ge><lt>1.7.10</lt></range>
<range><ge>1.2.0</ge><lt>1.6.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion team reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2013-2088-advisory.txt">
<p>The script contrib/hook-scripts/check-mime-type.pl does not escape
argv arguments to 'svnlook' that start with a hyphen. This could be
used to cause 'svnlook', and hence check-mime-type.pl, to error out.</p>
<p>The script contrib/hook-scripts/svn-keyword-check.pl parses filenames
from the output of 'svnlook changed' and passes them to a further
shell command (equivalent to the 'system()' call of the C standard
library) without escaping them. This could be used to run arbitrary
shell commands in the context of the user whom the pre-commit script
runs as (the user who owns the repository).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2088</cvename>
</references>
<dates>
<discovery>2013-05-31</discovery>
<entry>2013-05-31</entry>
</dates>
</vuln>
<vuln vid="787d21b9-ca38-11e2-9673-001e8c75030d">
<topic>devel/subversion -- fsfs repositories can be corrupted by newline characters in filenames</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.7.0</ge><lt>1.7.10</lt></range>
<range><ge>1.1.0</ge><lt>1.6.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion team reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1968-advisory.txt">
<p>If a filename which contains a newline character (ASCII 0x0a) is
committed to a repository using the FSFS format, the resulting
revision is corrupt.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1968</cvename>
</references>
<dates>
<discovery>2013-05-31</discovery>
<entry>2013-05-31</entry>
</dates>
</vuln>
<vuln vid="0a799a8e-c9d4-11e2-a424-14dae938ec40">
<topic>irc/bitchx -- multiple vulnerabilities</topic>
<affects>
<package>
<name>BitchX</name>
<range><lt>1.2.*,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>bannedit reports:</p>
<blockquote cite="http://www.cvedetails.com/cve/CVE-2007-4584/">
<p>Stack-based buffer overflow in BitchX 1.1 Final allows remote IRC
servers to execute arbitrary code via a long string in a MODE
command, related to the p_mode variable.</p>
</blockquote>
<p>Nico Golde reports:</p>
<blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449149">
<p>There is a security issue in ircii-pana in bitchx' hostname
command. The e_hostname function (commands.c) uses tmpnam to
create a temporary file which is known to be insecure.</p>
</blockquote>
<p>Chris reports:</p>
<blockquote cite="http://secunia.com/advisories/27556">
<p>Chris has reported a vulnerability in the Cypress script for
BitchX, which can be exploited by malicious people to disclose
potentially sensitive information or to compromise a vulnerable
system.</p>
<p>The vulnerability is caused due to malicious code being present
in the modules/mdop.m file. This can be exploited to disclose the
content of various system files or to execute arbitrary shell
commands.</p>
<p>Successful exploitation allows execution of arbitrary code, but
requires the control of the "lsyn.webhop.net" domain.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2007-4584</cvename>
<cvename>CVE-2007-5839</cvename>
<cvename>CVE-2007-5922</cvename>
</references>
<dates>
<discovery>2007-08-28</discovery>
<entry>2013-05-31</entry>
</dates>
</vuln>
<vuln vid="19751e06-c798-11e2-a373-000c29833058">
<topic>znc -- null pointer dereference in webadmin module</topic>
<affects>
<package>
<name>znc</name>
<range><lt>1.0_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>No advisory has been released yet.</p>
<blockquote cite="https://github.com/znc/znc/commit/2bd410ee5570cea127233f1133ea22f25174eb28">
<p>Fix NULL pointer dereference in webadmin.</p>
</blockquote>
</body>
</description>
<references>
<url>https://github.com/znc/znc/commit/2bd410ee5570cea127233f1133ea22f25174eb28</url>
</references>
<dates>
<discovery>2013-05-27</discovery>
<entry>2013-05-28</entry>
</dates>
</vuln>
<vuln vid="6d87c2e9-c64d-11e2-9c22-50465d9ff992">
<topic>socat -- FD leak</topic>
<affects>
<package>
<name>socat</name>
<range><lt>1.7.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Gerhard Rieger reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2013/q2/411">
<p>Under certain circumstances an FD leak occurs and can be misused for
denial of service attacks against socat running in server mode.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-3571</cvename>
<url>http://seclists.org/oss-sec/2013/q2/411</url>
</references>
<dates>
<discovery>2013-05-26</discovery>
<entry>2013-05-26</entry>
</dates>
</vuln>
<vuln vid="79789daa-8af8-4e21-a47f-e8a645752bdb">
<topic>ruby -- Object taint bypassing in DL and Fiddle in Ruby</topic>
<affects>
<package>
<name>ruby19</name>
<range><lt>1.9.3.429,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby Developers report:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/">
<p>There is a vulnerability in DL and Fiddle in Ruby where tainted
strings can be used by system calls regardless of the $SAFE level
set in Ruby.
</p>
<p>Native functions exposed to Ruby with DL or Fiddle do not check the
taint values set on the objects passed in. This can result in
tainted objects being accepted as input when a SecurityError
exception should be raised.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2065</cvename>
<url>http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/</url>
</references>
<dates>
<discovery>2013-05-14</discovery>
<entry>2013-05-26</entry>
</dates>
</vuln>
<vuln vid="4fb45a1c-c5d0-11e2-8400-001b216147b0">
<topic>couchdb -- DOM based Cross-Site Scripting via Futon UI</topic>
<affects>
<package>
<name>couchdb</name>
<range><lt>1.2.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jan Lehnardt reports:</p>
<blockquote cite="http://mail-archives.apache.org/mod_mbox/couchdb-user/201301.mbox/%3C2FFF2FD7-8EAF-4EBF-AFDA-5AEB6EAC853F@apache.org%3E">
<p>Query parameters passed into the browser-based test suite
are not sanitised, and can be used to load external resources.
An attacker may execute JavaScript code in the browser, using
the context of the remote user.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5650</cvename>
<url>http://mail-archives.apache.org/mod_mbox/couchdb-user/201301.mbox/%3C2FFF2FD7-8EAF-4EBF-AFDA-5AEB6EAC853F@apache.org%3E</url>
</references>
<dates>
<discovery>2012-01-14</discovery>
<entry>2013-05-26</entry>
</dates>
</vuln>
<vuln vid="a5b24a6b-c37c-11e2-addb-60a44c524f57">
<topic>otrs -- information disclosure</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>3.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS Project reports:</p>
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/">
<p>An attacker with a valid agent login could manipulate URLs in the ticket split mechanism to see contents of tickets and they are not permitted to see.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-3551</cvename>
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/</url>
</references>
<dates>
<discovery>2013-05-22</discovery>
<entry>2013-05-23</entry>
</dates>
</vuln>
<vuln vid="661bd031-c37d-11e2-addb-60a44c524f57">
<topic>otrs -- XSS vulnerability</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>3.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS Project reports:</p>
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-02/">
<p>An attacker with permission to write changes, workorder items or FAQ articles could inject JavaScript code into the articles which would be executed by the browser of other users reading the article.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2637</cvename>
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-02/</url>
</references>
<dates>
<discovery>2013-04-02</discovery>
<entry>2013-05-23</entry>
</dates>
</vuln>
<vuln vid="3a429192-c36a-11e2-97a9-6805ca0b3d42">
<topic>RT -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rt38</name>
<range><ge>3.8</ge><lt>3.8.17</lt></range>
</package>
<package>
<name>rt40</name>
<range><ge>4.0</ge><lt>4.0.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Thomas Sibley reports:</p>
<blockquote cite="http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html">
<p>We discovered a number of security vulnerabilities which
affect both RT 3.8.x and RT 4.0.x. We are releasing RT
versions 3.8.17 and 4.0.13 to resolve these vulnerabilities,
as well as patches which apply atop all released versions of
3.8 and 4.0.</p>
<p>The vulnerabilities addressed by 3.8.17, 4.0.13, and the
below patches include the following:</p>
<p>RT 4.0.0 and above are vulnerable to a limited privilege
escalation leading to unauthorized modification of ticket
data. The DeleteTicket right and any custom lifecycle
transition rights may be bypassed by any user with
ModifyTicket. This vulnerability is assigned
CVE-2012-4733.</p>
<p>RT 3.8.0 and above include a version of bin/rt that uses
semi-predictable names when creating tempfiles. This could
possibly be exploited by a malicious user to overwrite files
with permissions of the user running bin/rt. This
vulnerability is assigned CVE-2013-3368.</p>
<p>RT 3.8.0 and above allow calling of arbitrary Mason
components (without control of arguments) for users who can
see administration pages. This could be used by a malicious
user to run private components which may have negative
side-effects. This vulnerability is assigned
CVE-2013-3369.</p>
<p>RT 3.8.0 and above allow direct requests to private
callback components. Though no callback components ship
with RT, this could be used to exploit an extension or local
callback which uses the arguments passed to it insecurely.
This vulnerability is assigned CVE-2013-3370.</p>
<p>RT 3.8.3 and above are vulnerable to cross-site scripting
(XSS) via attachment filenames. The vector is difficult to
exploit due to parsing requirements. Additionally, RT 4.0.0
and above are vulnerable to XSS via maliciously-crafted
"URLs" in ticket content when RT's "MakeClicky" feature is
configured. Although not believed to be exploitable in the
stock configuration, a patch is also included for RTIR 2.6.x
to add bulletproofing. These vulnerabilities are assigned
CVE-2013-3371.</p>
<p>RT 3.8.0 and above are vulnerable to an HTTP header
injection limited to the value of the Content-Disposition
header. Injection of other arbitrary response headers is
not possible. Some (especially older) browsers may allow
multiple Content-Disposition values which could lead to XSS.
Newer browsers contain security measures to prevent this.
Thank you to Dominic Hargreaves for reporting this
vulnerability. This vulnerability is assigned
CVE-2013-3372.</p>
<p>RT 3.8.0 and above are vulnerable to a MIME header
injection in outgoing email generated by RT. The vectors
via RT's stock templates are resolved by this patchset, but
any custom email templates should be updated to ensure that
values interpolated into mail headers do not contain
newlines. This vulnerability is assigned CVE-2013-3373.</p>
<p>RT 3.8.0 and above are vulnerable to limited session
re-use when using the file-based session store,
Apache::Session::File. RT's default session configuration
only uses Apache::Session::File for Oracle. RT instances
using Oracle may be locally configured to use the
database-backed Apache::Session::Oracle, in which case
sessions are never re-used. The extent of session re-use is
limited to information leaks of certain user preferences and
caches, such as queue names available for ticket creation.
Thank you to Jenny Martin for reporting the problem that
lead to discovery of this vulnerability. This vulnerability
is assigned CVE-2013-3374.</p>
</blockquote>
</body>
</description>
<references>
<url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html</url>
<url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000227.html</url>
<url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000228.html</url>
<cvename>CVE-2012-4733</cvename>
<cvename>CVE-2013-3368</cvename>
<cvename>CVE-2013-3369</cvename>
<cvename>CVE-2013-3370</cvename>
<cvename>CVE-2013-3371</cvename>
<cvename>CVE-2013-3372</cvename>
<cvename>CVE-2013-3373</cvename>
<cvename>CVE-2013-3374</cvename>
</references>
<dates>
<discovery>2013-05-22</discovery>
<entry>2013-05-23</entry>
</dates>
</vuln>
<vuln vid="c72a2494-c08b-11e2-bb21-083e8ed0f47b">
<topic>plib -- stack-based buffer overflow</topic>
<affects>
<package>
<name>plib</name>
<range><lt>1.8.5_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4552">
<p>Stack-based buffer overflow in the error function in
ssg/ssgParser.cxx in PLIB 1.8.5 allows remote attackers to
execute arbitrary code via a crafted 3d model file that
triggers a long error message, as demonstrated by a .ase
file.</p>
</blockquote>
</body>
</description>
<references>
<bid>55839</bid>
<cvename>CVE-2012-4552</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2012/10/29/8</mlist>
</references>
<dates>
<discovery>2012-10-09</discovery>
<entry>2013-05-19</entry>
</dates>
</vuln>
<vuln vid="13bf0602-c08a-11e2-bb21-083e8ed0f47b">
<topic>plib -- buffer overflow</topic>
<affects>
<package>
<name>plib</name>
<range><lt>1.8.5_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="https://secunia.com/advisories/47297">
<p>A vulnerability has been discovered in PLIB, which can be
exploited by malicious people to compromise an application
using the library. The vulnerability is caused due to a
boundary error within the "ulSetError()" function
(src/util/ulError.cxx) when creating the error message,
which can be exploited to overflow a static buffer.</p>
<p>Successful exploitation allows the execution of arbitrary
code but requires that the attacker can e.g. control the
content of an overly long error message passed to the
"ulSetError()" function.</p>
<p>The vulnerability is confirmed in version 1.8.5. Other
versions may also be affected.</p>
<p>Originally reported in TORCS by Andres Gomez.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4620</cvename>
<mlist>http://openwall.com/lists/oss-security/2011/12/21/2</mlist>
</references>
<dates>
<discovery>2011-12-21</discovery>
<entry>2013-05-19</entry>
</dates>
</vuln>
<vuln vid="a0c65049-bddd-11e2-a0f6-001060e06fd4">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.285</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-14.html">
<p>These updates address vulnerabilities that could cause a crash
and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2728</cvename>
<cvename>CVE-2013-3324</cvename>
<cvename>CVE-2013-3325</cvename>
<cvename>CVE-2013-3326</cvename>
<cvename>CVE-2013-3327</cvename>
<cvename>CVE-2013-3328</cvename>
<cvename>CVE-2013-3329</cvename>
<cvename>CVE-2013-3330</cvename>
<cvename>CVE-2013-3331</cvename>
<cvename>CVE-2013-3332</cvename>
<cvename>CVE-2013-3333</cvename>
<cvename>CVE-2013-3334</cvename>
<cvename>CVE-2013-3335</cvename>
</references>
<dates>
<discovery>2013-05-14</discovery>
<entry>2013-05-16</entry>
</dates>
</vuln>
<vuln vid="4a1ca8a4-bd82-11e2-b7a0-d43d7e0c7c02">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>18.0,1</gt><lt>21.0,1</lt></range>
<range><lt>17.0.6,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>17.0.6,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.17.1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>17.0.6</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.17.1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>17.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0
/ rv:17.0.6)</p>
<p>MFSA 2013-42 Privileged access for content level constructor</p>
<p>MFSA 2013-43 File input control has access to full path</p>
<p>MFSA 2013-44 Local privilege escalation through Mozilla
Maintenance Service</p>
<p>MFSA 2013-45 Mozilla Updater fails to update some Windows Registry
entries</p>
<p>MFSA 2013-46 Use-after-free with video and onresize event</p>
<p>MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent</p>
<p>MFSA 2013-48 Memory corruption found using Address Sanitizer</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1942</cvename>
<cvename>CVE-2013-0801</cvename>
<cvename>CVE-2013-1669</cvename>
<cvename>CVE-2013-1670</cvename>
<cvename>CVE-2013-1671</cvename>
<cvename>CVE-2013-1672</cvename>
<cvename>CVE-2013-1674</cvename>
<cvename>CVE-2013-1675</cvename>
<cvename>CVE-2013-1676</cvename>
<cvename>CVE-2013-1677</cvename>
<cvename>CVE-2013-1678</cvename>
<cvename>CVE-2013-1679</cvename>
<cvename>CVE-2013-1680</cvename>
<cvename>CVE-2013-1681</cvename>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-40.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-41.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-42.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-43.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-44.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-45.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-46.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-47.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-48.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2013-05-14</discovery>
<entry>2013-05-15</entry>
<modified>2013-05-21</modified>
</dates>
</vuln>
<vuln vid="efaa4071-b700-11e2-b1b9-f0def16c5c1b">
<topic>nginx -- multiple vulnerabilities</topic>
<affects>
<package>
<name>nginx</name>
<range><ge>1.2.0,1</ge><le>1.2.8,1</le></range>
<range><ge>1.3.0,1</ge><lt>1.4.1,1</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><ge>1.1.4</ge><le>1.2.8</le></range>
<range><ge>1.3.0</ge><lt>1.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The nginx project reports:</p>
<blockquote cite="http://nginx.org/en/security_advisories.html">
<p>A stack-based buffer overflow might occur in a worker process
process while handling a specially crafted request, potentially
resulting in arbitrary code execution. [CVE-2013-2028]</p>
<p>A security problem related to CVE-2013-2028 was identified,
affecting some previous nginx versions if proxy_pass to
untrusted upstream HTTP servers is used.</p>
<p>The problem may lead to a denial of service or a disclosure of a
worker process memory on a specially crafted response from an
upstream proxied server. [CVE-2013-2070]</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2028</cvename>
<cvename>CVE-2013-2070</cvename>
<url>http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html</url>
<url>http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html</url>
</references>
<dates>
<discovery>2013-05-07</discovery>
<entry>2013-05-07</entry>
<modified>2013-05-16</modified>
</dates>
</vuln>
<vuln vid="6ff570cb-b418-11e2-b279-20cf30e32f6d">
<topic>strongSwan -- ECDSA signature verification issue</topic>
<affects>
<package>
<name>strongswan</name>
<range><lt>5.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>strongSwan security team reports:</p>
<blockquote cite="http://www.strongswan.org/blog/2013/04/30/strongswan-5.0.4-released-%28cve-2013-2944%29.html">
<p>If the openssl plugin is used for ECDSA signature verification an empty,
zeroed or otherwise invalid signature is handled as a legitimate one.
Both IKEv1 and IKEv2 are affected.</p>
<p>Affected are only installations that have enabled and loaded the OpenSSL
crypto backend (--enable-openssl). Builds using the default crypto backends
are not affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2944</cvename>
</references>
<dates>
<discovery>2013-04-30</discovery>
<entry>2013-05-03</entry>
</dates>
</vuln>
<vuln vid="622e14b1-b40c-11e2-8441-00e0814cab4e">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>1.514</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory reports:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02">
<p>This advisory announces multiple security vulnerabilities that
were found in Jenkins core.</p>
<ol>
<li>
<p>SECURITY-63 / CVE-2013-2034</p>
<p>This creates a cross-site request forgery (CSRF) vulnerability
on Jenkins master, where an anonymous attacker can trick an
administrator to execute arbitrary code on Jenkins master by
having him open a specifically crafted attack URL.</p>
<p>There's also a related vulnerability where the permission
check on this ability is done imprecisely, which may affect
those who are running Jenkins instances with a custom
authorization strategy plugin.</p>
</li>
<li>
<p>SECURITY-67 / CVE-2013-2033</p>
<p>This creates a cross-site scripting (XSS) vulnerability, where
an attacker with a valid user account on Jenkins can execute
JavaScript in the browser of other users, if those users are
using certain browsers.</p>
</li>
<li>
<p>SECURITY-69 / CVE-2013-2034</p>
<p>This is another CSRF vulnerability that allows an attacker to
cause a deployment of binaries to Maven repositories. This
vulnerability has the same CVE ID as SEUCRITY-63.</p>
</li>
<li>
<p>SECURITY-71 / CVE-2013-1808</p>
<p>This creates a cross-site scripting (XSS) vulnerability.</p>
</li>
</ol>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02</url>
<cvename>CVE-2013-2034</cvename>
<cvename>CVE-2013-2033</cvename>
<cvename>CVE-2013-2034</cvename>
<cvename>CVE-2013-1808</cvename>
</references>
<dates>
<discovery>2013-05-02</discovery>
<entry>2013-05-03</entry>
</dates>
</vuln>
<vuln vid="e66a6e2f-b0d5-11e2-9164-0016e6dcb562">
<topic>FreeBSD -- NFS remote denial of service</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>8.3</ge><lt>8.3_8</lt></range>
<range><ge>9.1</ge><lt>9.1_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13:05.nfsserver.asc">
<p>Insufficient input validation in the NFS server allows an
attacker to cause the underlying file system to treat a
regular file as a directory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-3266</cvename>
<freebsdsa>SA-13:05.nfsserver</freebsdsa>
</references>
<dates>
<discovery>2013-04-21</discovery>
<entry>2013-04-29</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="57df803e-af34-11e2-8d62-6cf0490a8c18">
<topic>Joomla! -- XXS and DDoS vulnerabilities</topic>
<affects>
<package>
<name>joomla</name>
<range><ge>2.0.*</ge><lt>2.5.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The JSST and the Joomla! Security Center report:</p>
<blockquote cite="http://developer.joomla.org/security/80-20130405-core-xss-vulnerability.html">
<h2>[20130405] - Core - XSS Vulnerability</h2>
<p>Inadequate filtering leads to XSS vulnerability in Voting plugin.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/81-20130403-core-xss-vulnerability.html">
<h2>[20130403] - Core - XSS Vulnerability</h2>
<p>Inadequate filtering allows possibility of XSS exploit in some
circumstances.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/82-20130402-core-information-disclosure.html">
<h2>[20130402] - Core - Information Disclosure</h2>
<p>Inadequate permission checking allows unauthorised user to see
permission settings in some circumstances.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/83-20130404-core-xss-vulnerability.html">
<h2>[20130404] - Core - XSS Vulnerability</h2>
<p>Use of old version of Flash-based file uploader leads to XSS
vulnerability.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/84-20130401-core-privilege-escalation.html">
<h2>[20130401] - Core - Privilege Escalation</h2>
<p>Inadequate permission checking allows unauthorised user to delete
private messages.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/85-20130406-core-dos-vulnerability.html">
<h2>[20130406] - Core - DOS Vulnerability</h2>
<p>Object unserialize method leads to possible denial of service
vulnerability.</p>
</blockquote>
<blockquote cite="http://developer.joomla.org/security/86-20130407-core-xss-vulnerability.html">
<h2>[20130407] - Core - XSS Vulnerability</h2>
<p>Inadequate filtering leads to XSS vulnerability in highlighter
plugin</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-3059</cvename>
<cvename>CVE-2013-3058</cvename>
<cvename>CVE-2013-3057</cvename>
<url>http://developer.joomla.org/security/83-20130404-core-xss-vulnerability.html</url>
<cvename>CVE-2013-3056</cvename>
<cvename>CVE-2013-3242</cvename>
<cvename>CVE-2013-3267</cvename>
</references>
<dates>
<discovery>2013-04-24</discovery>
<entry>2013-04-27</entry>
</dates>
</vuln>
<vuln vid="8c8fa44d-ad15-11e2-8cea-6805ca0b3d42">
<topic>phpMyAdmin -- Multiple security vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>3.5</ge><lt>3.5.8.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php">
<p>In some PHP versions, the preg_replace() function can be
tricked into executing arbitrary PHP code on the
server. This is done by passing a crafted argument as the
regular expression, containing a null byte. phpMyAdmin does
not correctly sanitize an argument passed to preg_replace()
when using the "Replace table prefix" feature, opening the
way to this vulnerability..</p>
<p>This vulnerability can be triggered only by someone who
logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users to access the required
form.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php">
<p>phpMyAdmin can be configured to save an export file on
the web server, via its SaveDir directive. With this in
place, it's possible, either via a crafted filename template
or a crafted table name, to save a double extension file
like foobar.php.sql. In turn, an Apache webserver on which
there is no definition for the MIME type "sql" (the default)
will treat this saved file as a ".php" script, leading to
remote code execution.</p>
<p>This vulnerability can be triggered only by someone who
logged in to phpMyAdmin, as the usual token protection
prevents non-logged-in users to access the required
form. Moreover, the SaveDir directive is empty by default,
so a default configuration is not vulnerable. The
$cfg['SaveDir'] directive must be configured, and the server
must be running Apache with mod_mime to be exploitable.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-3238</cvename>
<cvename>CVE-2013-3239</cvename>
</references>
<dates>
<discovery>2013-04-24</discovery>
<entry>2013-04-24</entry>
</dates>
</vuln>
<vuln vid="aeb962f6-ab8d-11e2-b3f5-003067c2616f">
<topic>tinc -- Buffer overflow</topic>
<affects>
<package>
<name>tinc</name>
<range><lt>1.0.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>tinc-vpn.org reports:</p>
<blockquote cite="http://www.tinc-vpn.org/news/">
<p>Drop packets forwarded via TCP if they are too big.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1428</cvename>
</references>
<dates>
<discovery>2013-01-26</discovery>
<entry>2013-04-22</entry>
</dates>
</vuln>
<vuln vid="7280c3f6-a99a-11e2-8cef-6805ca0b3d42">
<topic>phpMyAdmin -- XSS due to unescaped HTML output in GIS visualisation page</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>3.5</ge><lt>3.5.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-1.php">
<p> When modifying a URL parameter with a crafted value it
is possible to trigger an XSS.</p>
<p>These XSS can only be triggered when a valid database is
known and when a valid cookie token is used.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1937</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-1.php</url>
</references>
<dates>
<discovery>2013-04-18</discovery>
<entry>2013-04-20</entry>
</dates>
</vuln>
<vuln vid="a592e991-a919-11e2-ade0-8c705af55518">
<topic>roundcube -- arbitrary file disclosure vulnerability</topic>
<affects>
<package>
<name>roundcube</name>
<range><lt>0.8.6,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>RoundCube development team reports:</p>
<blockquote cite="http://lists.roundcube.net/pipermail/dev/2013-March/022337.html">
<p>After getting reports about a possible vulnerability
of Roundcube which allows an attacker to modify its
users preferences in a way that he/she can then read
files from the server, we now published updated packages
as well as patches that fix this security issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1904</cvename>
<url>https://secunia.com/advisories/52806/</url>
</references>
<dates>
<discovery>2013-03-27</discovery>
<entry>2013-04-19</entry>
</dates>
</vuln>
<vuln vid="8ff84335-a7da-11e2-b3f5-003067c2616f">
<topic>jasper -- buffer overflow</topic>
<affects>
<package>
<name>jasper</name>
<range><lt>1.900.1_12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Fedora reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/887409">
<p>JasPer fails to properly decode marker segments and other
sections in malformed JPEG2000 files. Malformed inputs can
cause heap buffer overflows which in turn may result in
execution of attacker-controlled code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-3520</cvename>
<cvename>CVE-2008-3522</cvename>
<cvename>CVE-2011-4516</cvename>
<cvename>CVE-2011-4517</cvename>
<url>http://www.kb.cert.org/vuls/id/887409</url>
</references>
<dates>
<discovery>2011-12-09</discovery>
<entry>2013-04-18</entry>
</dates>
</vuln>
<vuln vid="2070c79a-8e1e-11e2-b34d-000c2957946c">
<topic>ModSecurity -- XML External Entity Processing Vulnerability</topic>
<affects>
<package>
<name>mod_security</name>
<range><gt>2.*</gt><lt>2.7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Positive Technologies has reported a vulnerability in ModSecurity,
which can be exploited by malicious people to disclose potentially
sensitive information or cause a DoS (Denial Of Serice).</p>
<p>The vulnerability is caused due to an error when parsing external
XML entities and can be exploited to e.g. disclose local files or
cause excessive memory and CPU consumption.</p>
<blockquote cite="https://secunia.com/advisories/52847/">
<p>.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1915</cvename>
<url>https://secunia.com/advisories/52847/</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1915</url>
<url>https://bugs.gentoo.org/show_bug.cgi?id=464188</url>
</references>
<dates>
<discovery>2013-04-02</discovery>
<entry>2013-04-16</entry>
</dates>
</vuln>
<vuln vid="a2ff483f-a5c6-11e2-9601-000d601460a4">
<topic>sieve-connect -- TLS hostname verification was not occurring</topic>
<affects>
<package>
<name>sieve-connect</name>
<range><lt>0.85</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>sieve-connect developer Phil Pennock reports:</p>
<blockquote cite="http://mail.globnix.net/pipermail/sieve-connect-announce/2013/000005.html">
<p>sieve-connect was not actually verifying TLS certificate identities
matched the expected hostname.</p>
</blockquote>
</body>
</description>
<references>
<url>http://mail.globnix.net/pipermail/sieve-connect-announce/2013/000005.html</url>
</references>
<dates>
<discovery>2013-04-14</discovery>
<entry>2013-04-15</entry>
</dates>
</vuln>
<vuln vid="15236023-a21b-11e2-a460-208984377b34">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.280</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-12.html">
<p>These updates address vulnerabilities that could cause a crash
and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1383</cvename>
<cvename>CVE-2013-1384</cvename>
<cvename>CVE-2013-1385</cvename>
<cvename>CVE-2013-1386</cvename>
</references>
<dates>
<discovery>2013-04-09</discovery>
<entry>2013-04-10</entry>
</dates>
</vuln>
<vuln vid="db0c4b00-a24c-11e2-9601-000d601460a4">
<topic>rubygem-rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-rails</name>
<range><lt>3.2.13</lt></range>
</package>
<package>
<name>rubygem-actionpack</name>
<range><lt>3.2.13</lt></range>
</package>
<package>
<name>rubygem-activerecord</name>
<range><lt>3.2.13</lt></range>
</package>
<package>
<name>rubygem-activesupport</name>
<range><lt>3.2.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby on Rails team reports:</p>
<blockquote cite="http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/">
<p>Rails versions 3.2.13 has been released. This release
contains important security fixes. It is recommended
users upgrade as soon as possible.</p>
<p>Four vulnerabilities have been discovered and fixed:</p>
<ol>
<li>(CVE-2013-1854) Symbol DoS vulnerability in Active Record</li>
<li>(CVE-2013-1855) XSS vulnerability in sanitize_css in Action Pack</li>
<li>(CVE-2013-1856) XML Parsing Vulnerability affecting JRuby users</li>
<li>(CVE-2013-1857) XSS Vulnerability in the `sanitize` helper of Ruby on Rails</li>
</ol>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1854</cvename>
<cvename>CVE-2013-1856</cvename>
<cvename>CVE-2013-1856</cvename>
<cvename>CVE-2013-1857</cvename>
<url>http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/</url>
<url>https://groups.google.com/forum/#!topic/ruby-security-ann/o0Dsdk2WrQ0</url>
<url>https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8</url>
<url>https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI</url>
<url>https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI</url>
</references>
<dates>
<discovery>2013-03-18</discovery>
<entry>2013-04-10</entry>
</dates>
</vuln>
<vuln vid="1431f2d6-a06e-11e2-b9e0-001636d274f3">
<topic>NVIDIA UNIX driver -- ARGB cursor buffer overflow in "NoScanout" mode</topic>
<affects>
<package>
<name>nvidia-driver</name>
<range><ge>310.14</ge><lt>310.44</lt></range>
<range><ge>195.22</ge><lt>304.88</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVIDIA Unix security team reports:</p>
<blockquote cite="http://nvidia.custhelp.com/app/answers/detail/a_id/3290">
<p>When the NVIDIA driver for the X Window System is operated in
"NoScanout" mode, and an X client installs an ARGB cursor that
is larger than the expected size (64x64 or 256x256, depending on
the driver version), the driver will overflow a buffer. This
can cause a denial of service (e.g., an X server segmentation
fault), or could be exploited to achieve arbitrary code
execution. Because the X server runs as setuid root in many
configurations, an attacker could potentially use this
vulnerability in those configurations to gain root privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0131</cvename>
<url>http://nvidia.custhelp.com/app/answers/detail/a_id/3290</url>
</references>
<dates>
<discovery>2013-03-27</discovery>
<entry>2013-04-08</entry>
</dates>
</vuln>
<vuln vid="cebed39d-9e6f-11e2-b3f5-003067c2616f">
<topic>opera -- moderately severe issue</topic>
<affects>
<package>
<name>opera</name>
<range><lt>12.15</lt></range>
</package>
<package>
<name>opera-devel</name>
<range><lt>12.15</lt></range>
</package>
<package>
<name>linux-opera</name>
<range><lt>12.15</lt></range>
</package>
<package>
<name>linux-opera-devel</name>
<range><lt>12.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera reports:</p>
<blockquote cite="http://www.opera.com/support/kb/view/1042/">
<p>Fixed a moderately severe issue, as reported by Attila Suszte.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/docs/changelogs/unified/1215/</url>
<url>http://www.opera.com/support/kb/view/1046/</url>
<url>http://www.opera.com/support/kb/view/1047/</url>
</references>
<dates>
<discovery>2013-04-04</discovery>
<entry>2014-04-30</entry>
</dates>
</vuln>
<vuln vid="b6beb137-9dc0-11e2-882f-20cf30e32f6d">
<topic>Subversion -- multiple vulnerabilities</topic>
<affects>
<package>
<name>subversion</name>
<range><ge>1.7.0</ge><lt>1.7.9</lt></range>
<range><ge>1.0.0</ge><lt>1.6.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Subversion team reports:</p>
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1845-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module will use excessive
amounts of memory when a large number of properties are set or deleted
on a node.</p>
</blockquote>
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1846-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module will crash when
a LOCK request is made against activity URLs.</p>
</blockquote>
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1847-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module will crash in some
circumstances when a LOCK request is made against a non-existent URL.</p>
</blockquote>
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1849-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module will crash when a
PROPFIND request is made against activity URLs.</p>
</blockquote>
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1884-advisory.txt">
<p>Subversion's mod_dav_svn Apache HTTPD server module will crash when a
log REPORT request receives a limit that is out of the allowed range.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1845</cvename>
<cvename>CVE-2013-1846</cvename>
<cvename>CVE-2013-1847</cvename>
<cvename>CVE-2013-1849</cvename>
<cvename>CVE-2013-1884</cvename>
</references>
<dates>
<discovery>2013-04-05</discovery>
<entry>2013-04-05</entry>
</dates>
</vuln>
<vuln vid="eae8e3cf-9dfe-11e2-ac7f-001fd056c417">
<topic>otrs -- Information disclosure and Data manipulation</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>3.1.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS Project reports:</p>
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/">
<p>An attacker with a valid agent login could manipulate URLs in the
object linking mechanism to see titles of tickets and other objects
that are not obliged to be seen. Furthermore, links to objects without
permission can be placed and removed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2625</cvename>
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/</url>
</references>
<dates>
<discovery>2013-04-02</discovery>
<entry>2013-04-05</entry>
</dates>
</vuln>
<vuln vid="3f332f16-9b6b-11e2-8fe9-08002798f6ff">
<topic>PostgreSQL -- anonymous remote access data corruption vulnerability</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><ge>8.3.0</ge><lt>8.3.21_1</lt></range>
<range><ge>8.4.0</ge><lt>8.4.17</lt></range>
<range><ge>9.0.0</ge><lt>9.0.13</lt></range>
<range><ge>9.1.0</ge><lt>9.1.9</lt></range>
<range><ge>9.2.0</ge><lt>9.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PostgreSQL project reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1456/">
<p>
The PostgreSQL Global Development Group has released a security
update to all current versions of the PostgreSQL database system,
including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update
fixes a high-exposure security vulnerability in versions 9.0 and
later. All users of the affected versions are strongly urged to apply
the update *immediately*.
</p>
<p>
A major security issue (for versions 9.x only) fixed in this release,
[CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899),
makes it possible for a connection request containing a database name
that begins with "-" to be crafted that can damage or destroy files
within a server's data directory. Anyone with access to the port the
PostgreSQL server listens on can initiate this request. This issue was
discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source
Software Center.
</p>
<p>
Two lesser security fixes are also included in this release:
[CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900),
wherein random numbers generated by contrib/pgcrypto functions may be
easy for another database user to guess (all versions), and
[CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901),
which mistakenly allows an unprivileged user to run commands that
could interfere with in-progress backups (for versions 9.x only).
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1899</cvename>
<cvename>CVE-2013-1900</cvename>
<cvename>CVE-2013-1901</cvename>
</references>
<dates>
<discovery>2013-04-04</discovery>
<entry>2013-04-04</entry>
</dates>
</vuln>
<vuln vid="94976433-9c74-11e2-a9fc-d43d7e0c7c02">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>18.0,1</gt><lt>20.0,1</lt></range>
<range><lt>17.0.5,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>17.0.5,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.17</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>17.0.5</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.17</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>17.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 /
rv:17.0.5)</p>
<p>MFSA 2013-31 Out-of-bounds write in Cairo library</p>
<p>MFSA 2013-32 Privilege escalation through Mozilla Maintenance
Service</p>
<p>MFSA 2013-33 World read and write access to app_tmp directory on
Android</p>
<p>MFSA 2013-34 Privilege escalation through Mozilla Updater</p>
<p>MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux</p>
<p>MFSA 2013-36 Bypass of SOW protections allows cloning of protected
nodes</p>
<p>MFSA 2013-37 Bypass of tab-modal dialog origin disclosure</p>
<p>MFSA 2013-38 Cross-site scripting (XSS) using timed history
navigations</p>
<p>MFSA 2013-39 Memory corruption while rendering grayscale PNG
images</p>
<p>MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0788</cvename>
<cvename>CVE-2013-0789</cvename>
<cvename>CVE-2013-0790</cvename>
<cvename>CVE-2013-0791</cvename>
<cvename>CVE-2013-0792</cvename>
<cvename>CVE-2013-0793</cvename>
<cvename>CVE-2013-0794</cvename>
<cvename>CVE-2013-0795</cvename>
<cvename>CVE-2013-0796</cvename>
<cvename>CVE-2013-0797</cvename>
<cvename>CVE-2013-0798</cvename>
<cvename>CVE-2013-0799</cvename>
<cvename>CVE-2013-0800</cvename>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-30.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-31.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-32.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-33.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-34.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-35.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-36.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-37.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-38.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-39.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-40.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2013-04-02</discovery>
<entry>2013-04-03</entry>
<modified>2013-04-08</modified>
</dates>
</vuln>
<vuln vid="13031d98-9bd1-11e2-a7be-8c705af55518">
<topic>FreeBSD -- BIND remote denial of service</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>9.0</ge><lt>9.0_7</lt></range>
<range><ge>9.1</ge><lt>9.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13:04.bind.asc">
<p>A flaw in a library used by BIND allows an
attacker to deliberately cause excessive memory
consumption by the named(8) process. This
affects both recursive and authoritative
servers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2266</cvename>
<freebsdsa>SA-13:04.bind</freebsdsa>
<url>https://kb.isc.org/article/AA-00871</url>
</references>
<dates>
<discovery>2013-04-02</discovery>
<entry>2013-04-02</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="69bfc852-9bd0-11e2-a7be-8c705af55518">
<topic>FreeBSD -- OpenSSL multiple vulnerabilities</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>8.3</ge><lt>8.3_7</lt></range>
<range><ge>9.0</ge><lt>9.0_7</lt></range>
<range><ge>9.1</ge><lt>9.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13:03.openssl.asc">
<p>A flaw in the OpenSSL handling of OCSP response
verification could be exploited to cause a denial of
service attack.</p>
<p>OpenSSL has a weakness in the handling of CBC
ciphersuites in SSL, TLS and DTLS. The weakness could reveal
plaintext in a timing attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0166</cvename>
<cvename>CVE-2013-0169</cvename>
<freebsdsa>SA-13:03.openssl</freebsdsa>
<url>http://www.openssl.org/news/secadv_20130205.txt</url>
</references>
<dates>
<discovery>2013-04-02</discovery>
<entry>2013-04-02</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="92f30415-9935-11e2-ad4c-080027ef73ec">
<topic>OpenVPN -- potential side-channel/timing attack when comparing HMACs</topic>
<affects>
<package>
<name>openvpn</name>
<range><lt>2.0.9_4</lt></range>
<range><ge>2.1.0</ge><lt>2.2.2_2</lt></range>
<range><ge>2.3.0</ge><lt>2.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenVPN project reports:</p>
<blockquote cite="https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc">
<p>OpenVPN 2.3.0 and earlier running in UDP mode are subject
to chosen ciphertext injection due to a non-constant-time
HMAC comparison function.</p>
</blockquote>
</body>
</description>
<references>
<url>https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc</url>
<cvename>CVE-2013-2061</cvename>
<url>http://www.openwall.com/lists/oss-security/2013/05/06/6</url>
<url>https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee</url>
</references>
<dates>
<discovery>2013-03-19</discovery>
<entry>2013-03-31</entry>
<modified>2013-06-01</modified>
</dates>
</vuln>
<vuln vid="843a4641-9816-11e2-9c51-080027019be0">
<topic>libxml2 -- cpu consumption Dos</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.8.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kurt Seifried reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2013/q1/391">
<p>libxml2 is affected by the expansion of internal entities
(which can be used to consume resources) and external entities
(which can cause a denial of service against other services,
be used to port scan, etc.)..</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0338</cvename>
<cvename>CVE-2013-0339</cvename>
<url>http://seclists.org/oss-sec/2013/q1/391</url>
<url>https://security-tracker.debian.org/tracker/CVE-2013-0338</url>
<url>https://security-tracker.debian.org/tracker/CVE-2013-0339</url>
</references>
<dates>
<discovery>2013-02-21</discovery>
<entry>2013-03-29</entry>
</dates>
</vuln>
<vuln vid="daf0a339-9850-11e2-879e-d43d7e0c7c02">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk11</name>
<range><gt>11.*</gt><lt>11.2.2</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.12.2</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.20.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Buffer Overflow Exploit Through SIP SDP Header</p>
<p>Username disclosure in SIP channel driver</p>
<p>Denial of Service in HTTP server</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2685</cvename>
<cvename>CVE-2013-2686</cvename>
<cvename>CVE-2013-2264</cvename>
<url>http://downloads.asterisk.org/pub/security/AST-2013-001.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2013-002.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2013-003.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2013-03-27</discovery>
<entry>2013-03-29</entry>
</dates>
</vuln>
<vuln vid="7a282e49-95b6-11e2-8433-0800273fe665">
<topic>dns/bind9* -- Malicious Regex Can Cause Memory Exhaustion</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.2.2</lt></range>
</package>
<package>
<name>bind99-base</name>
<range><lt>9.9.2.2</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.4.2</lt></range>
</package>
<package>
<name>bind98-base</name>
<range><lt>9.8.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-00871">
<p>A critical defect in BIND 9 allows an attacker to cause
excessive memory consumption in named or other programs
linked to libdns.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2266</cvename>
</references>
<dates>
<discovery>2013-03-11</discovery>
<entry>2013-03-27</entry>
</dates>
</vuln>
<vuln vid="6adca5e9-95d2-11e2-8549-68b599b52a02">
<topic>firebird -- Remote Stack Buffer Overflow</topic>
<affects>
<package>
<name>firebird25-server</name>
<range><ge>2.5.0</ge><le>2.5.2</le></range>
</package>
<package>
<name>firebird21-server</name>
<range><ge>2.1.0</ge><le>2.1.5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Firebird Project reports:</p>
<blockquote cite="http://tracker.firebirdsql.org/browse/CORE-4058">
<p>The FirebirdSQL server is vulnerable to a stack buffer overflow
that can be triggered when an unauthenticated user sends a
specially crafted packet. The result can lead to remote code
execution as the user which runs the FirebirdSQL server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-2492</cvename>
<url>https://gist.github.com/zeroSteiner/85daef257831d904479c</url>
</references>
<dates>
<discovery>2013-01-31</discovery>
<entry>2013-03-06</entry>
</dates>
</vuln>
<vuln vid="a8818f7f-9182-11e2-9bdf-d48564727302">
<topic>optipng -- use-after-free vulnerability</topic>
<affects>
<package>
<name>optipng</name>
<range><ge>0.7</ge><lt>0.7.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="https://secunia.com/advisories/50654">
<p>A vulnerability has been reported in OptiPNG, which can be
exploited by malicious people to potentially compromise a user's
system.</p>
<p>The vulnerability is caused due to a use-after-free error related
to the palette reduction functionality. No further information is
currently available.</p>
<p>Success exploitation may allow execution of arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4432</cvename>
<url>https://secunia.com/advisories/50654</url>
</references>
<dates>
<discovery>2012-09-16</discovery>
<entry>2013-03-21</entry>
</dates>
</vuln>
<vuln vid="1d23109a-9005-11e2-9602-d43d7e0c7c02">
<topic>php5 -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.4.13</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP development team reports:</p>
<blockquote cite="http://www.php.net/ChangeLog-5.php">
<p>PHP does not validate the relationship between the soap.wsdl_cache_dir
directive and the open_basedir directive, which allows remote attackers to
bypass intended access restrictions by triggering the creation of cached
SOAP WSDL files in an arbitrary directory.</p>
<p>The SOAP parser in PHP allows remote attackers to read arbitrary files
via a SOAP WSDL file containing an XML external entity declaration in
conjunction with an entity reference, related to an XML External Entity
(XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1635</cvename>
<cvename>CVE-2013-1643</cvename>
</references>
<dates>
<discovery>2013-03-04</discovery>
<entry>2013-03-18</entry>
</dates>
</vuln>
<vuln vid="edd201a5-8fc3-11e2-b131-000c299b62e1">
<topic>piwigo -- CSRF/Path Traversal</topic>
<affects>
<package>
<name>piwigo</name>
<range><lt>2.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>High-Tech Bridge Security Research Lab reports:</p>
<blockquote cite="http://piwigo.org/releases/2.4.7">
<p>The CSRF vulnerability exists due to insufficient verification of the
HTTP request origin in "/admin.php" script. A remote attacker can trick
a logged-in administrator to visit a specially crafted webpage and
create arbitrary PHP file on the remote server.</p>
<p>The path traversal vulnerability exists due to insufficient filtration
of user-supplied input in "dl" HTTP GET parameter passed to
"/install.php" script. The script is present on the system after
installation by default, and can be accessed by attacker without any
restrictions.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1468</cvename>
<cvename>CVE-2013-1469</cvename>
<url>http://piwigo.org/bugs/view.php?id=0002843</url>
<url>http://piwigo.org/bugs/view.php?id=0002844</url>
<url>http://dl.packetstormsecurity.net/1302-exploits/piwigo246-traversalxsrf.txt</url>
</references>
<dates>
<discovery>2013-02-06</discovery>
<entry>2013-03-18</entry>
</dates>
</vuln>
<vuln vid="d881d254-70c6-11e2-862d-080027a5ec9a">
<topic>libexif -- multiple remote vulnerabilities</topic>
<affects>
<package>
<name>libexif</name>
<range><lt>0.6.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>libexif project security advisory:</p>
<blockquote cite="http://sourceforge.net/mailarchive/message.php?msg_id=29534027">
<p>A number of remotely exploitable issues were discovered in libexif
and exif, with effects ranging from information leakage to potential
remote code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2812</cvename>
<cvename>CVE-2012-2813</cvename>
<cvename>CVE-2012-2814</cvename>
<cvename>CVE-2012-2836</cvename>
<cvename>CVE-2012-2837</cvename>
<cvename>CVE-2012-2840</cvename>
<cvename>CVE-2012-2841</cvename>
<cvename>CVE-2012-2845</cvename>
<bid>54437</bid>
</references>
<dates>
<discovery>2012-07-12</discovery>
<entry>2013-03-13</entry>
</dates>
</vuln>
<vuln vid="5ff40cb4-8b92-11e2-bdb6-001060e06fd4">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.275</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-09.html">
<p>These updates address vulnerabilities that could cause a crash
and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0646</cvename>
<cvename>CVE-2013-0650</cvename>
<cvename>CVE-2013-1371</cvename>
<cvename>CVE-2013-1375</cvename>
</references>
<dates>
<discovery>2013-03-12</discovery>
<entry>2013-03-12</entry>
</dates>
</vuln>
<vuln vid="cda566a0-2df0-4eb0-b70e-ed7a6fb0ab3c">
<topic>puppet27 and puppet -- multiple vulnerabilities</topic>
<affects>
<package>
<name>puppet</name>
<range><ge>3.0</ge><lt>3.1.1</lt></range>
</package>
<package>
<name>puppet27</name>
<range><ge>2.7</ge><lt>2.7.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Moses Mendoza reports:</p>
<blockquote cite="https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/">
<p>A vulnerability found in Puppet could allow an authenticated client
to cause the master to execute arbitrary code while responding to a
catalog request. Specifically, in order to exploit the
vulnerability, the puppet master must be made to invoke the
'template' or 'inline_template' functions during catalog compilation.
</p>
<p>A vulnerability found in Puppet could allow an authenticated client
to connect to a puppet master and perform unauthorized actions.
Specifically, given a valid certificate and private key, an agent
could retrieve catalogs from the master that it is not authorized
to access or it could poison the puppet master's caches for any
puppet-generated data that supports caching such as catalogs,
nodes, facts, and resources. The extent and severity of this
vulnerability varies depending on the specific configuration of the
master: for example, whether it is using storeconfigs or not, which
version, whether it has access to the cache or not, etc.
</p>
<p>A vulnerability has been found in Puppet which could allow
authenticated clients to execute arbitrary code on agents that have
been configured to accept kick connections. This vulnerability is
not present in the default configuration of puppet agents, but if
they have been configured to listen for incoming connections
('listen=true'), and the agent's auth.conf has been configured to
allow access to the `run` REST endpoint, then a client could
construct an HTTP request which could execute arbitrary code. The
severity of this issue is exacerbated by the fact that puppet
agents typically run as root.
</p>
<p>A vulnerability has been found in Puppet that could allow a client
negotiating a connection to a master to downgrade the master's
SSL protocol to SSLv2. This protocol has been found to contain
design weaknesses. This issue only affects systems running older
versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
SSLv2.
</p>
<p>A vulnerability found in Puppet could allow unauthenticated clients
to send requests to the puppet master which would cause it to load
code unsafely. While there are no reported exploits, this
vulnerability could cause issues like those described in Rails
CVE-2013-0156. This vulnerability only affects puppet masters
running Ruby 1.9.3 and higher.
</p>
<p>This vulnerability affects puppet masters 0.25.0 and above. By
default, auth.conf allows any authenticated node to submit a report
for any other node. This can cause issues with compliance. The
defaults in auth.conf have been changed.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1640</cvename>
<cvename>CVE-2013-1652</cvename>
<cvename>CVE-2013-1653</cvename>
<cvename>CVE-2013-1654</cvename>
<cvename>CVE-2013-1655</cvename>
<cvename>CVE-2013-2275</cvename>
<url>https://puppetlabs.com/security/cve/cve-2013-1640/</url>
<url>https://puppetlabs.com/security/cve/cve-2013-1652/</url>
<url>https://puppetlabs.com/security/cve/cve-2013-1653/</url>
<url>https://puppetlabs.com/security/cve/cve-2013-1654/</url>
<url>https://puppetlabs.com/security/cve/cve-2013-1655/</url>
<url>https://puppetlabs.com/security/cve/cve-2013-2275/</url>
<url>https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/f_gybceSV6E</url>
<url>https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/kgDyaPhHniw</url>
</references>
<dates>
<discovery>2013-03-13</discovery>
<entry>2013-03-13</entry>
</dates>
</vuln>
<vuln vid="04042f95-14b8-4382-a8b9-b30e365776cf">
<topic>puppet26 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>puppet26</name>
<range><ge>2.6</ge><lt>2.6.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Moses Mendoza reports:</p>
<blockquote cite="https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/">
<p>A vulnerability found in Puppet could allow an authenticated client
to cause the master to execute arbitrary code while responding to a
catalog request. Specifically, in order to exploit the
vulnerability, the puppet master must be made to invoke the
'template' or 'inline_template' functions during catalog compilation.
</p>
<p>A vulnerability found in Puppet could allow an authenticated client
to connect to a puppet master and perform unauthorized actions.
Specifically, given a valid certificate and private key, an agent
could retrieve catalogs from the master that it is not authorized
to access or it could poison the puppet master's caches for any
puppet-generated data that supports caching such as catalogs,
nodes, facts, and resources. The extent and severity of this
vulnerability varies depending on the specific configuration of the
master: for example, whether it is using storeconfigs or not, which
version, whether it has access to the cache or not, etc.
</p>
<p>A vulnerability has been found in Puppet that could allow a client
negotiating a connection to a master to downgrade the master's
SSL protocol to SSLv2. This protocol has been found to contain
design weaknesses. This issue only affects systems running older
versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
SSLv2.
</p>
<p>A vulnerability found in Puppet could allow an authenticated client
to execute arbitrary code on a puppet master that is running in the
default configuration, or an agent with `puppet kick` enabled.
Specifically, a properly authenticated and connected puppet agent
could be made to construct an HTTP PUT request for an authorized
report that actually causes the execution of arbitrary code on the
master.
</p>
<p>This vulnerability affects puppet masters 0.25.0 and above. By
default, auth.conf allows any authenticated node to submit a report
for any other node. This can cause issues with compliance. The
defaults in auth.conf have been changed.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1640</cvename>
<cvename>CVE-2013-1652</cvename>
<cvename>CVE-2013-1654</cvename>
<cvename>CVE-2013-2274</cvename>
<cvename>CVE-2013-2275</cvename>
<url>https://puppetlabs.com/security/cve/cve-2013-1640/</url>
<url>https://puppetlabs.com/security/cve/cve-2013-1652/</url>
<url>https://puppetlabs.com/security/cve/cve-2013-1654/</url>
<url>https://puppetlabs.com/security/cve/cve-2013-2274/</url>
<url>https://puppetlabs.com/security/cve/cve-2013-2275/</url>
</references>
<dates>
<discovery>2013-03-13</discovery>
<entry>2013-03-13</entry>
</dates>
</vuln>
<vuln vid="68c1f75b-8824-11e2-9996-c48508086173">
<topic>perl -- denial of service via algorithmic complexity attack on hashing routines</topic>
<affects>
<package>
<name>perl</name>
<name>perl-threaded</name>
<range><lt>5.12.4_5</lt></range>
<range><ge>5.14.0</ge><lt>5.14.2_3</lt></range>
<range><ge>5.16.0</ge><lt>5.16.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Perl developers report:</p>
<blockquote cite="http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html">
<p>In order to prevent an algorithmic complexity attack
against its hashing mechanism, perl will sometimes
recalculate keys and redistribute the contents of a hash.
This mechanism has made perl robust against attacks that
have been demonstrated against other systems.</p>
<p>Research by Yves Orton has recently uncovered a flaw in
the rehashing code which can result in pathological
behavior. This flaw could be exploited to carry out a
denial of service attack against code that uses arbitrary
user input as hash keys.</p>
<p>Because using user-provided strings as hash keys is a
very common operation, we urge users of perl to update their
perl executable as soon as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1667</cvename>
<url>http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html</url>
</references>
<dates>
<discovery>2013-03-04</discovery>
<entry>2013-03-10</entry>
<modified>2016-08-22</modified>
</dates>
</vuln>
<vuln vid="549787c1-8916-11e2-8549-68b599b52a02">
<topic>libpurple -- multiple vulnerabilities</topic>
<affects>
<package>
<name>libpurple</name>
<range><lt>2.10.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pidgin reports:</p>
<blockquote cite="https://developer.pidgin.im/wiki/ChangeLog">
<p>libpurple</p>
<p>Fix a crash when receiving UPnP responses with abnormally long values.</p>
<p>MXit</p>
<p>Fix two bugs where a remote MXit user could possibly specify a local file
path to be written to.</p>
<p>Fix a bug where the MXit server or a man-in-the-middle could potentially
send specially crafted data that could overflow a buffer and lead to a crash
or remote code execution.</p>
<p>Sametime</p>
<p>Fix a crash in Sametime when a malicious server sends us an abnormally long
user ID.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0274</cvename>
<cvename>CVE-2013-0271</cvename>
<cvename>CVE-2013-0272</cvename>
<cvename>CVE-2013-0273</cvename>
<url>https://developer.pidgin.im/wiki/ChangeLog</url>
</references>
<dates>
<discovery>2013-02-13</discovery>
<entry>2013-03-10</entry>
<modified>2013-03-16</modified>
</dates>
</vuln>
<vuln vid="630c8c08-880f-11e2-807f-d43d7e0c7c02">
<topic>mozilla -- use-after-free in HTML Editor</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>18.0,1</gt><lt>19.0.2,1</lt></range>
<range><lt>17.0.3,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>17.0.4,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.16.1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>17.0.4</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.16.1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>17.0.4</lt></range>
<range><lt>10.0.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2013-29 Use-after-free in HTML Editor</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0787</cvename>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-29.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2013-03-07</discovery>
<entry>2013-03-08</entry>
</dates>
</vuln>
<vuln vid="b9a347ac-8671-11e2-b73c-0019d18c446a">
<topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.5.0</ge><lt>4.5.23</lt></range>
<range><ge>4.6.0</ge><lt>4.6.16</lt></range>
<range><ge>4.7.0</ge><lt>4.7.8</lt></range>
<range><ge>6.0.0</ge><lt>6.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Typo Security Team reports:</p>
<blockquote cite="http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/">
<p>Extbase Framework - Failing to sanitize user input, the Extbase
database abstraction layer is susceptible to SQL Injection. TYPO3
sites which have no Extbase extensions installed are not affected.
Extbase extensions are affected if they use the Query Object Model
and relation values are user generated input. Credits go to Helmut
Hummel and Markus Opahle who discovered and reported the issue.</p>
<p>Access tracking mechanism - Failing to validate user provided
input, the access tracking mechanism allows redirects to arbitrary
URLs. To fix this vulnerability, we had to break existing
behaviour of TYPO3 sites that use the access tracking mechanism
(jumpurl feature) to transform links to external sites. The link
generation has been changed to include a hash that is checked
before redirecting to an external URL. This means that old links
that have been distributed (e.g. by a newsletter) will not work
any more.</p>
</blockquote>
</body>
</description>
<references>
<url>http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/</url>
</references>
<dates>
<discovery>2013-03-06</discovery>
<entry>2013-03-06</entry>
</dates>
</vuln>
<vuln vid="c97219b6-843d-11e2-b131-000c299b62e1">
<topic>stunnel -- Remote Code Execution</topic>
<affects>
<package>
<name>stunnel</name>
<range><ge>4.21</ge><lt>4.55</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michal Trojnara reports:</p>
<blockquote cite="https://www.stunnel.org/CVE-2013-1762.html">
<p>64-bit versions of stunnel with the following conditions:
* NTLM authentication enabled
* CONNECT protocol negotiation enabled
* Configured in SSL client mode
* An attacker that can either control the proxy server specified in
the "connect" option or execute MITM attacks on the TCP session
between stunnel and the proxy</p>
<p>Can be exploited for remote code execution. The code is executed
within the configured chroot directory, with privileges of the
configured user and group.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1762</cvename>
<url>https://www.stunnel.org/CVE-2013-1762.html</url>
</references>
<dates>
<discovery>2013-03-03</discovery>
<entry>2013-03-03</entry>
</dates>
</vuln>
<vuln vid="9c88d8a8-8372-11e2-a010-20cf30e32f6d">
<topic>apache22 -- several vulnerabilities</topic>
<affects>
<package>
<name>apache22</name>
<range><gt>2.2.0</gt><lt>2.2.24</lt></range>
</package>
<package>
<name>apache22-event-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.24</lt></range>
</package>
<package>
<name>apache22-itk-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.24</lt></range>
</package>
<package>
<name>apache22-peruser-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.24</lt></range>
</package>
<package>
<name>apache22-worker-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>Apache HTTP SERVER PROJECT reports:</h1>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_22.html">
<h1>low: XSS due to unescaped hostnames CVE-2012-3499</h1>
<p>Various XSS flaws due to unescaped hostnames and URIs HTML output in
mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.</p>
<h1>moderate: XSS in mod_proxy_balancer CVE-2012-4558</h1>
<p>A XSS flaw affected the mod_proxy_balancer manager interface.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3499</cvename>
<cvename>CVE-2012-4558</cvename>
</references>
<dates>
<discovery>2012-10-07</discovery>
<entry>2013-03-02</entry>
</dates>
</vuln>
<vuln vid="764344fb-8214-11e2-9273-902b343deec9">
<topic>sudo -- Authentication bypass when clock is reset</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.8.6.p7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.sudo.ws/sudo/alerts/epoch_ticket.html">
<p>The flaw may allow someone with physical access to a machine that
is not password-protected to run sudo commands without knowing the
logged in user's password. On systems where sudo is the principal
way of running commands as root, such as on Ubuntu and Mac OS X,
there is a greater chance that the logged in user has run sudo
before and thus that an attack would succeed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1775</cvename>
<url>http://www.sudo.ws/sudo/alerts/epoch_ticket.html</url>
</references>
<dates>
<discovery>2013-02-27</discovery>
<entry>2013-03-01</entry>
</dates>
</vuln>
<vuln vid="82cfd919-8213-11e2-9273-902b343deec9">
<topic>sudo -- Potential bypass of tty_tickets constraints</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.8.6.p7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.sudo.ws/sudo/alerts/tty_tickets.html">
<p>A (potentially malicious) program run by a user with sudo access
may be able to bypass the "tty_ticket" constraints. In order for
this to succeed there must exist on the machine a terminal device
that the user has previously authenticated themselves on via sudo
within the last time stamp timeout (5 minutes by default).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1776</cvename>
<url>http://www.sudo.ws/sudo/alerts/tty_tickets.html</url>
</references>
<dates>
<discovery>2013-02-27</discovery>
<entry>2013-03-01</entry>
</dates>
</vuln>
<vuln vid="aa7764af-0b5e-4ddc-bc65-38ad697a484f">
<topic>rubygem-dragonfly -- arbitrary code execution</topic>
<affects>
<package>
<name>rubygem18-dragonfly</name>
<name>rubygem19-dragonfly</name>
<name>rubygem20-dragonfly</name>
<range><lt>0.9.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mark Evans reports:</p>
<blockquote cite="https://groups.google.com/forum/?fromgroups=#!topic/dragonfly-users/3c3WIU3VQTo">
<p>Unfortnately there is a security vulnerability in Dragonfly when
used with Rails which would potentially allow an attacker to run
arbitrary code on a host machine using carefully crafted
requests.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1756</cvename>
</references>
<dates>
<discovery>2013-02-19</discovery>
<entry>2013-02-28</entry>
</dates>
</vuln>
<vuln vid="dbdac023-80e1-11e2-9a29-001060e06fd4">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.273</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb13-08.html">
<p>These updates address vulnerabilities that could cause a crash
and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0504</cvename>
<cvename>CVE-2013-0643</cvename>
<cvename>CVE-2013-0648</cvename>
</references>
<dates>
<discovery>2013-02-26</discovery>
<entry>2013-02-27</entry>
</dates>
</vuln>
<vuln vid="84065569-7fb4-11e2-9c5a-000d601460a4">
<topic>otrs -- XSS vulnerability could lead to remote code execution</topic>
<affects>
<package>
<name>otrs</name>
<range><ge>3.1.*</ge><lt>3.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS Project reports:</p>
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03">
<p>This advisory covers vulnerabilities discovered in the OTRS core
system. This is a variance of the XSS vulnerability, where an attacker
could send a specially prepared HTML email to OTRS which would cause
JavaScript code to be executed in your browser while displaying the
email. In this case this is achieved by using javascript source
attributes with whitespaces.</p>
<p>Affected by this vulnerability are all releases of OTRS 2.4.x up to
and including 2.4.14, 3.0.x up to and including 3.0.16 and 3.1.x up to
and including 3.1.10.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4751</cvename>
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03</url>
</references>
<dates>
<discovery>2012-10-16</discovery>
<entry>2013-02-25</entry>
</dates>
</vuln>
<vuln vid="d60199df-7fb3-11e2-9c5a-000d601460a4">
<topic>otrs -- XSS vulnerability in Firefox and Opera could lead to remote code execution</topic>
<affects>
<package>
<name>otrs</name>
<range><ge>3.1.*</ge><lt>3.1.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS Project reports:</p>
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/">
<p>This advisory covers vulnerabilities discovered in the OTRS core
system. This is a variance of the XSS vulnerability, where an attacker
could send a specially prepared HTML email to OTRS which would cause
JavaScript code to be executed in your browser while displaying the
email in Firefox and Opera. In this case this is achieved with an
invalid HTML structure with nested tags.</p>
<p>Affected by this
vulnerability are all releases of OTRS 2.4.x up to and including
2.4.13, 3.0.x up to and including 3.0.15 and 3.1.x up to and including
3.1.9 in combination with Firefox and Opera.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4600</cvename>
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02</url>
</references>
<dates>
<discovery>2012-08-30</discovery>
<entry>2013-02-25</entry>
</dates>
</vuln>
<vuln vid="b50cbbc0-7fb2-11e2-9c5a-000d601460a4">
<topic>otrs -- XSS vulnerability in Internet Explorer could lead to remote code execution</topic>
<affects>
<package>
<name>otrs</name>
<range><ge>3.1.*</ge><lt>3.1.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OTRS Project reports:</p>
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01">
<p>This advisory covers vulnerabilities discovered in the OTRS core
system. Due to the XSS vulnerability in Internet Explorer an attacker
could send a specially prepared HTML email to OTRS which would cause
JavaScript code to be executed in your Internet Explorer while
displaying the email.</p>
<p>Affected by this vulnerability are all releases of OTRS 2.4.x up to
and including 2.4.12, 3.0.x up to and including 3.0.14 and 3.1.x up to
and including 3.1.8 in combination with Internet Explorer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2582</cvename>
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01</url>
</references>
<dates>
<discovery>2012-08-22</discovery>
<entry>2013-02-25</entry>
</dates>
</vuln>
<vuln vid="844cf3f5-9259-4b3e-ac9e-13ca17333ed7">
<topic>ruby -- DoS vulnerability in REXML</topic>
<affects>
<package>
<name>ruby</name>
<range><ge>1.9,1</ge><lt>1.9.3.392,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby developers report:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/">
<p>Unrestricted entity expansion can lead to a DoS vulnerability in
REXML. (The CVE identifier will be assigned later.) We strongly
recommend to upgrade ruby.
</p>
<p>When reading text nodes from an XML document, the REXML parser can
be coerced in to allocating extremely large string objects which
can consume all of the memory on a machine, causing a denial of
service.
</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/</url>
</references>
<dates>
<discovery>2013-02-22</discovery>
<entry>2013-02-24</entry>
</dates>
</vuln>
<vuln vid="e1aa3bdd-839a-4a77-8617-cca439a8f9fc">
<topic>rubygem-ruby_parser -- insecure tmp file usage</topic>
<affects>
<package>
<name>rubygem18-ruby_parser</name>
<name>rubygem19-ruby_parser</name>
<name>rubygem20-ruby_parser</name>
<range><lt>3.1.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael Scherer reports:</p>
<blockquote cite="http://seclists.org/oss-sec/2013/q1/393">
<p>This is a relatively minor tmp file usage issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0162</cvename>
</references>
<dates>
<discovery>2013-02-24</discovery>
<entry>2013-02-24</entry>
</dates>
</vuln>
<vuln vid="21c59f5e-7cc5-11e2-9c11-080027a5ec9a">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py26-django</name>
<name>py27-django</name>
<range><ge>1.3</ge><lt>1.3.6</lt></range>
<range><ge>1.4</ge><lt>1.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django Project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2013/feb/19/security/">
<p>These security releases fix four issues: one potential phishing
vector, one denial-of-service vector, an information leakage issue,
and a range of XML vulnerabilities.</p>
<ol>
<li>
<p>Host header poisoning</p>
<p>an attacker could cause Django to generate and display URLs that
link to arbitrary domains. This could be used as part of a phishing
attack. These releases fix this problem by introducing a new
setting, ALLOWED_HOSTS, which specifies a whitelist of domains your
site is known to respond to.</p>
<p>Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to
allow all hosts. This means that to actually fix the security
vulnerability you should define this setting yourself immediately
after upgrading.</p>
</li>
<li>
<p>Formset denial-of-service</p>
<p>an attacker can abuse Django's tracking of the number of forms in
a formset to cause a denial-of-service attack. This has been fixed
by adding a default maximum number of forms of 1,000. You can still
manually specify a bigger max_num, if you wish, but 1,000 should be
enough for anyone.</p>
</li>
<li>
<p>XML attacks</p>
<p>Django's serialization framework was vulnerable to attacks via XML
entity expansion and external references; this is now fixed.
However, if you're parsing arbitrary XML in other parts of your
application, we recommend you look into the defusedxml Python
packages which remedy this anywhere you parse XML, not just via
Django's serialization framework.</p>
</li>
<li>
<p>Data leakage via admin history log</p>
<p>Django's admin interface could expose supposedly-hidden
information via its history log. This has been fixed.</p>
</li>
</ol>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1664</cvename>
<cvename>CVE-2013-1665</cvename>
<cvename>CVE-2013-0305</cvename>
<cvename>CVE-2013-0306</cvename>
<bid>58022</bid>
<bid>58061</bid>
</references>
<dates>
<discovery>2013-02-21</discovery>
<entry>2013-02-24</entry>
</dates>
</vuln>
<vuln vid="f54584bc-7d2b-11e2-9bd1-206a8a720317">
<topic>krb5 -- null pointer dereference in the KDC PKINIT code [CVE-2013-1415]</topic>
<affects>
<package>
<name>krb5</name>
<range><le>1.11</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>No advisory has been released yet.</p>
<blockquote cite="http://web.mit.edu/kerberos/www/krb5-1.11/">
<p>Fix a null pointer dereference in the KDC PKINIT code [CVE-2013-1415].</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1415</cvename>
<url>http://web.mit.edu/kerberos/www/krb5-1.11/</url>
</references>
<dates>
<discovery>2013-02-21</discovery>
<entry>2013-02-22</entry>
</dates>
</vuln>
<vuln vid="3c90e093-7c6e-11e2-809b-6c626d99876c">
<topic>FreeBSD -- glob(3) related resource exhaustion</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_12</lt></range>
<range><ge>8.3</ge><lt>8.3_6</lt></range>
<range><ge>9.0</ge><lt>9.0_6</lt></range>
<range><ge>9.1</ge><lt>9.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13:02.libc.asc">
<p>GLOB_LIMIT is supposed to limit the number of paths to prevent against
memory or CPU attacks. The implementation however is insufficient.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-13:02.libc</freebsdsa>
<cvename>CVE-2010-2632</cvename>
</references>
<dates>
<discovery>2013-02-19</discovery>
<entry>2013-02-21</entry>
<modified>2016-08-09</modified>
</dates>
</vuln>
<vuln vid="4671cdc9-7c6d-11e2-809b-6c626d99876c">
<topic>FreeBSD -- BIND remote DoS with deliberately crafted DNS64 query</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>9.0</ge><lt>9.0_6</lt></range>
<range><ge>9.1</ge><lt>9.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13:01.bind.asc">
<p>Due to a software defect a crafted query can cause named(8) to crash
with an assertion failure.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-13:01.bind</freebsdsa>
<cvename>CVE-2012-5688</cvename>
</references>
<dates>
<discovery>2013-02-19</discovery>
<entry>2013-02-21</entry>
</dates>
</vuln>
<vuln vid="a4d71e4c-7bf4-11e2-84cd-d43d7e0c7c02">
<topic>drupal7 -- Denial of service</topic>
<affects>
<package>
<name>drupal7</name>
<range><lt>7.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team reports:</p>
<blockquote cite="https://drupal.org/SA-CORE-2013-002">
<p>Drupal core's Image module allows for the on-demand generation
of image derivatives. This capability can be abused by requesting
a large number of new derivatives which can fill up the server disk
space, and which can cause a very high CPU load. Either of these
effects may lead to the site becoming unavailable or unresponsive.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0316</cvename>
<url>https://drupal.org/SA-CORE-2013-002</url>
</references>
<dates>
<discovery>2013-02-20</discovery>
<entry>2013-02-21</entry>
</dates>
</vuln>
<vuln vid="58c15292-7b61-11e2-95da-001e8c1a8a0e">
<topic>nss-pam-ldapd -- file descriptor buffer overflow</topic>
<affects>
<package>
<name>nss-pam-ldapd</name>
<range><lt>0.8.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Garth Mollett reports:</p>
<blockquote cite="http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288">
<p>A file descriptor overflow issue in the use of FD_SET()
in nss-pam-ldapd can lead to a stack-based buffer overflow.
An attacker could, under some circumstances, use this flaw
to cause a process that has the NSS or PAM module loaded to
crash or potentially execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0288</cvename>
</references>
<dates>
<discovery>2013-02-18</discovery>
<entry>2013-02-20</entry>
</dates>
</vuln>
<vuln vid="1c8a039b-7b23-11e2-b17b-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<name>de-bugzilla</name>
<name>ru-bugzilla</name>
<name>ja-bugzilla</name>
<range><ge>3.6.0</ge><lt>3.6.13</lt></range>
<range><ge>4.0.0</ge><lt>4.0.10</lt></range>
<range><ge>4.2.0</ge><lt>4.2.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>A Bugzilla Security Advisory reports:</h1>
<blockquote cite="http://www.bugzilla.org/security/3.6.12/">
<h1>Cross-Site Scripting</h1>
<p>When viewing a single bug report, which is the default,
the bug ID is validated and rejected if it is invalid.
But when viewing several bug reports at once, which is
specified by the format=multiple parameter, invalid bug
IDs can go through and are sanitized in the HTML page
itself. But when an invalid page format is passed to the
CGI script, the wrong HTML page is called and data are not
correctly sanitized, which can lead to XSS.</p>
<h1>Information Leak</h1>
<p>When running a query in debug mode, the generated SQL
query used to collect the data is displayed. The way this
SQL query is built permits the user to determine if some
confidential field value (such as a product name) exists.
This problem only affects Bugzilla 4.0.9 and older. Newer
releases are not affected by this issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0785</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=842038</url>
<cvename>CVE-2013-0786</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=824399</url>
</references>
<dates>
<discovery>2013-02-19</discovery>
<entry>2013-02-20</entry>
<modified>2013-03-31</modified>
</dates>
</vuln>
<vuln vid="e3f0374a-7ad6-11e2-84cd-d43d7e0c7c02">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>18.0,1</gt><lt>19.0,1</lt></range>
<range><lt>17.0.3,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>17.0.3,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.16</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>17.0.3</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.16</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>17.0.3</lt></range>
<range><lt>10.0.12</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 /
rv:17.0.3)</p>
<p>MFSA 2013-22 Out-of-bounds read in image rendering</p>
<p>MFSA 2013-23 Wrapped WebIDL objects can be wrapped again</p>
<p>MFSA 2013-24 Web content bypass of COW and SOW security wrappers</p>
<p>MFSA 2013-25 Privacy leak in JavaScript Workers</p>
<p>MFSA 2013-26 Use-after-free in nsImageLoadingContent</p>
<p>MFSA 2013-27 Phishing on HTTPS connection through malicious proxy</p>
<p>MFSA 2013-28 Use-after-free, out of bounds read, and buffer
overflow issues found using Address Sanitizer</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0765</cvename>
<cvename>CVE-2013-0772</cvename>
<cvename>CVE-2013-0773</cvename>
<cvename>CVE-2013-0774</cvename>
<cvename>CVE-2013-0775</cvename>
<cvename>CVE-2013-0776</cvename>
<cvename>CVE-2013-0783</cvename>
<cvename>CVE-2013-0784</cvename>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-20.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-21.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-22.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-23.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-24.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-25.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-26.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-27.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2013-02-19</discovery>
<entry>2013-02-19</entry>
<modified>2013-02-20</modified>
</dates>
</vuln>
<vuln vid="fcfdabb7-f14d-4e61-a7d5-cfefb4b99b15">
<topic>Ruby Rack Gem -- Multiple Issues</topic>
<affects>
<package>
<name>rubygem18-rack</name>
<range><lt>1.4.5</lt></range>
</package>
<package>
<name>rubygem19-rack</name>
<range><lt>1.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Rack developers report:</p>
<blockquote cite="http://www.ruby-forum.com/topic/4410659">
<p>Today we are proud to announce the release of Rack 1.4.5.</p>
<p>Fix CVE-2013-0263, timing attack against Rack::Session::Cookie</p>
<p>Fix CVE-2013-0262, symlink path traversal in Rack::File</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0262</cvename>
<cvename>CVE-2013-0263</cvename>
</references>
<dates>
<discovery>2013-02-08</discovery>
<entry>2013-02-17</entry>
</dates>
</vuln>
<vuln vid="beab40bf-c1ca-4d2b-ad46-2f14bac8a968">
<topic>Ruby Activemodel Gem -- Circumvention of attr_protected</topic>
<affects>
<package>
<name>rubygem18-activemodel</name>
<range><lt>3.2.12</lt></range>
</package>
<package>
<name>rubygem19-activemodel</name>
<range><lt>3.2.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Aaron Patterson reports:</p>
<blockquote cite="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/AFBKNY7VSH8">
<p>The attr_protected method allows developers to specify a blacklist
of model attributes which users should not be allowed to assign to.
By using a specially crafted request, attackers could circumvent
this protection and alter values that were meant to be protected.</p>
<p>All users running an affected release should either upgrade or use
one of the work arounds immediately. Users should also consider
switching from attr_protected to the whitelist method
attr_accessible which is not vulnerable to this attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0276</cvename>
</references>
<dates>
<discovery>2013-02-11</discovery>
<entry>2013-02-17</entry>
</dates>
</vuln>
<vuln vid="7fe5b84a-78eb-11e2-8441-00e0814cab4e">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>1.501</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory reports:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16">
<p>This advisory announces multiple security vulnerabilities that
were found in Jenkins core.</p>
<ol>
<li>One of the vulnerabilities allows cross-site request
forgery (CSRF) attacks on Jenkins master, which causes an user
to make unwanted actions on Jenkins. Another vulnerability
enables cross-site scripting (XSS) attacks, which has the similar
consequence. Another vulnerability allowed an attacker to bypass
the CSRF protection mechanism in place, thereby mounting more CSRF
attackes. These attacks allow an attacker without direct access to
Jenkins to mount an attack.</li>
<li>In the fourth vulnerability, a malicious user of Jenkins can trick
Jenkins into building jobs that he does not have direct access to.</li>
<li>And lastly, a vulnerability allows a malicious user of Jenkins to
mount a denial of service attack by feeding a carefully crafted
payload to Jenkins.</li>
</ol>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16</url>
</references>
<dates>
<discovery>2013-02-16</discovery>
<entry>2013-02-17</entry>
</dates>
</vuln>
<vuln vid="f7809d9e-6af0-11e2-8e32-080027d768d3">
<topic>poweradmin -- multiple XSS vulnerabilities</topic>
<affects>
<package>
<name>poweradmin</name>
<range><lt>2.1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Multiple cross-site scripting (XSS) vulnerabilities</p>
<blockquote cite="https://www.poweradmin.org/trac/ticket/468">
<p>Multiple scripts are vulnerable to XSS attacks.</p>
</blockquote>
</body>
</description>
<references>
<bid>55619</bid>
<url>http://packetstormsecurity.com/files/116698/Poweradmin-Cross-Site-Scripting.html</url>
</references>
<dates>
<discovery>2012-01-12</discovery>
<entry>2013-02-16</entry>
</dates>
</vuln>
<vuln vid="c79eb109-a754-45d7-b552-a42099eb2265">
<topic>Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON</topic>
<affects>
<package>
<name>ruby</name>
<range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range>
</package>
<package>
<name>rubygem18-json</name>
<range><lt>1.7.7</lt></range>
</package>
<package>
<name>rubygem19-json</name>
<range><lt>1.7.7</lt></range>
</package>
<package>
<name>rubygem18-json_pure</name>
<range><lt>1.7.7</lt></range>
</package>
<package>
<name>rubygem19-json_pure</name>
<range><lt>1.7.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Aaron Patterson reports:</p>
<blockquote cite="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58">
<p>When parsing certain JSON documents, the JSON gem can be coerced in
to creating Ruby symbols in a target system. Since Ruby symbols
are not garbage collected, this can result in a denial of service
attack.</p>
<p>The same technique can be used to create objects in a target system
that act like internal objects. These "act alike" objects can be
used to bypass certain security mechanisms and can be used as a
spring board for SQL injection attacks in Ruby on Rails.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0269</cvename>
</references>
<dates>
<discovery>2013-02-11</discovery>
<entry>2013-02-16</entry>
</dates>
</vuln>
<vuln vid="d3e96508-056b-4259-88ad-50dc8d1978a6">
<topic>Ruby -- XSS exploit of RDoc documentation generated by rdoc</topic>
<affects>
<package>
<name>ruby</name>
<range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range>
</package>
<package>
<name>rubygem18-rdoc</name>
<range><lt>3.12.1</lt></range>
</package>
<package>
<name>rubygem19-rdoc</name>
<range><lt>3.12.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby developers report:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/">
<p>RDoc documentation generated by rdoc bundled with ruby are
vulnerable to an XSS exploit. All ruby users are recommended to
update ruby to newer version which includes security-fixed RDoc. If
you are publishing RDoc documentation generated by rdoc, you are
recommended to apply a patch for the documentaion or re-generate it
with security-fixed RDoc.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0256</cvename>
</references>
<dates>
<discovery>2013-02-06</discovery>
<entry>2013-02-16</entry>
</dates>
</vuln>
<vuln vid="414e6a41-7204-11e2-8599-001060e06fd4">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.262</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb13-04.html">
<p>These updates address vulnerabilities that could cause a crash
and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0633</cvename>
<cvename>CVE-2013-0634</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb13-04.html</url>
</references>
<dates>
<discovery>2013-02-07</discovery>
<entry>2013-02-08</entry>
</dates>
</vuln>
<vuln vid="00b0d8cd-7097-11e2-98d9-003067c2616f">
<topic>OpenSSL -- TLS 1.1, 1.2 denial of service</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.1_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL security team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20130205.txt">
<p>A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1
and TLS 1.2 on AES-NI supporting platforms can be exploited in a
DoS attack.</p>
<p>A flaw in the OpenSSL handling of OCSP response verification can
be exploited in a denial of service attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2686</cvename>
<cvename>CVE-2013-0166</cvename>
<cvename>CVE-2013-0169</cvename>
<url>http://www.openssl.org/news/secadv_20120510.txt</url>
</references>
<dates>
<discovery>2013-02-05</discovery>
<entry>2013-02-06</entry>
</dates>
</vuln>
<vuln vid="8c773d7f-6cbb-11e2-b242-c8600054b392">
<topic>mysql/mariadb/percona server -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mysql-server</name>
<range><ge>5.1</ge><lt>5.1.67</lt></range>
<range><ge>5.5</ge><lt>5.5.29</lt></range>
</package>
<package>
<name>mariadb-server</name>
<range><ge>5.3</ge><lt>5.3.12</lt></range>
<range><ge>5.5</ge><lt>5.5.29</lt></range>
</package>
<package>
<name>percona-server</name>
<range><ge>5.5</ge><lt>5.5.29.29.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ORACLE reports:</p>
<blockquote cite="http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html">
<p>Multiple SQL injection vulnerabilities in the replication code</p>
<p>Stack-based buffer overflow</p>
<p>Heap-based buffer overflow</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4414</cvename>
<cvename>CVE-2012-5611</cvename>
<cvename>CVE-2012-5612</cvename>
<cvename>CVE-2012-5615</cvename>
<cvename>CVE-2012-5627</cvename>
<url>https://mariadb.atlassian.net/browse/MDEV-4029</url>
<url>https://mariadb.atlassian.net/browse/MDEV-MDEV-729</url>
<url>https://mariadb.atlassian.net/browse/MDEV-MDEV-729</url>
<url>http://www.mysqlperformanceblog.com/2013/01/23/announcing-percona-server-5-5-29-29-4/</url>
</references>
<dates>
<discovery>2012-12-01</discovery>
<entry>2013-02-01</entry>
</dates>
</vuln>
<vuln vid="ea0f45e2-6c4b-11e2-98d9-003067c2616f">
<topic>opera -- execution of arbitrary code</topic>
<affects>
<package>
<name>opera</name>
<name>opera-devel</name>
<name>linux-opera</name>
<name>linux-opera-devel</name>
<range><lt>12.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera reports:</p>
<blockquote cite="http://www.opera.com/support/kb/view/1042/">
<p>Particular DOM event manipulations can cause Opera to crash. In
some cases, this crash might occur in a way that allows execution
of arbitrary code. To inject code, additional techniques would
have to be employed.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/1042/</url>
<url>http://www.opera.com/support/kb/view/1043/</url>
</references>
<dates>
<discovery>2013-01-30</discovery>
<entry>2013-02-01</entry>
</dates>
</vuln>
<vuln vid="2ea6ce3d-6afd-11e2-9d4e-bcaec524bf84">
<topic>upnp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>upnp</name>
<range><lt>1.6.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Project changelog reports:</p>
<blockquote cite="http://pupnp.sourceforge.net/ChangeLog">
<p>This patch addresses three possible buffer overflows in
function unique_service_name().The three issues have the
folowing CVE numbers:</p>
<ul>
<li>CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf</li>
<li>CVE-2012-5959 Issue #4: Stack buffer overflow of Event-&gt;UDN</li>
<li>CVE-2012-5960 Issue #8: Stack buffer overflow of Event-&gt;UDN</li>
</ul>
<p>Notice that the following issues have already been dealt by
previous work:</p>
<ul>
<li>CVE-2012-5961 Issue #1: Stack buffer overflow of Evt-&gt;UDN</li>
<li>CVE-2012-5962 Issue #3: Stack buffer overflow of Evt-&gt;DeviceType</li>
<li>CVE-2012-5963 Issue #5: Stack buffer overflow of Event-&gt;UDN</li>
<li>CVE-2012-5964 Issue #6: Stack buffer overflow of Event-&gt;DeviceType</li>
<li>CVE-2012-5965 Issue #7: Stack buffer overflow of Event-&gt;DeviceType</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5958</cvename>
<cvename>CVE-2012-5959</cvename>
<cvename>CVE-2012-5960</cvename>
<cvename>CVE-2012-5961</cvename>
<cvename>CVE-2012-5962</cvename>
<cvename>CVE-2012-5963</cvename>
<cvename>CVE-2012-5964</cvename>
<cvename>CVE-2012-5965</cvename>
</references>
<dates>
<discovery>2012-11-21</discovery>
<entry>2013-01-30</entry>
</dates>
</vuln>
<vuln vid="559e00b7-6a4d-11e2-b6b0-10bf48230856">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.5.1,1</lt></range>
</package>
<package>
<name>zh-wordpress-zh_CN</name>
<range><lt>3.5.1</lt></range>
</package>
<package>
<name>zh-wordpress-zh_TW</name>
<range><lt>3.5.1</lt></range>
</package>
<package>
<name>de-wordpress</name>
<range><lt>3.5.1</lt></range>
</package>
<package>
<name>ja-wordpress</name>
<range><lt>3.5.1</lt></range>
</package>
<package>
<name>ru-wordpress</name>
<range><lt>3.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wordpress reports:</p>
<blockquote cite="http://wordpress.org/news/2013/01/wordpress-3-5-1/">
<p>WordPress 3.5.1 also addresses the following security issues:</p>
<ul>
<li>A server-side request forgery vulnerability and remote port
scanning using pingbacks. This vulnerability, which could
potentially be used to expose information and compromise a
site, affects all previous WordPress versions. This was fixed
by the WordPress security team. We'd like to thank security
researchers <a href="http://codeseekah.com/">Gennady
Kovshenin</a> and <a href="http://www.ethicalhack3r.co.uk/">Ryan
Dewhurst</a> for reviewing our work.</li>
<li>Two instances of cross-site scripting via shortcodes and post
content. These issues were discovered by Jon Cave of the WordPress
security team.</li>
<li>A cross-site scripting vulnerability in the external library
Plupload. Thanks to the Moxiecode team for working with us on
this, and for releasing Plupload 1.5.5 to address this issue.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0235</cvename>
<cvename>CVE-2013-0236</cvename>
<cvename>CVE-2013-0237</cvename>
</references>
<dates>
<discovery>2013-01-24</discovery>
<entry>2013-01-29</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="3886cafe-668c-11e2-94b8-1c4bd681f0cf">
<topic>django-cms -- XSS Vulnerability</topic>
<affects>
<package>
<name>py-django-cms</name>
<range><lt>2.3.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Cross-site scripting (XSS) vulnerability</p>
<blockquote cite="https://www.django-cms.org/en/blog/2012/12/04/2-3-5-security-release/">
<p>Jonas Obrist reports: The security issue allows users with limited
admin access to elevate their privileges through XSS injection
using the page_attribute template tag. Only users with admin access
and the permission to edit at least one django CMS page object
could exploit this vulnerability. Websites that do not use the
page_attribute template tag are not affected.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.django-cms.org/en/blog/2012/12/04/2-3-5-security-release/</url>
</references>
<dates>
<discovery>2012-12-04</discovery>
<entry>2013-01-25</entry>
</dates>
</vuln>
<vuln vid="1827f213-633e-11e2-8d93-c8600054b392">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.28</lt></range>
</package>
<package>
<name>drupal7</name>
<range><lt>7.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team reports:</p>
<blockquote cite="https://drupal.org/SA-CORE-2013-001">
<p>Cross-site scripting (Various core and contributed modules)</p>
<p>Access bypass (Book module printer friendly version)</p>
<p>Access bypass (Image module)</p>
</blockquote>
</body>
</description>
<references>
<url>https://drupal.org/SA-CORE-2013-001</url>
</references>
<dates>
<discovery>2013-01-16</discovery>
<entry>2013-01-20</entry>
</dates>
</vuln>
<vuln vid="1b9b199f-5efd-11e2-a1ee-c48508086173">
<topic>ettercap -- buffer overflow in target list parsing</topic>
<affects>
<package>
<name>ettercap</name>
<range><lt>0.7.4.1</lt></range>
<range><ge>0.7.5</ge><lt>0.7.5.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Host target list parsing routine in ettercap
0.7.4-series prior to 0.7.4.1 and 0.7.5-series
is prone to the stack-based buffer overflow that
may lead to the code execution with the privileges
of the ettercap process.</p>
<p>In order to trigger this vulnerability, user or service
that use ettercap should be tricked to pass the crafted list
of targets via the "-j" option.</p>
</body>
</description>
<references>
<cvename>CVE-2013-0722</cvename>
<url>http://www.exploit-db.com/exploits/23945/</url>
<url>https://secunia.com/advisories/51731/</url>
</references>
<dates>
<discovery>2013-01-07</discovery>
<entry>2013-01-16</entry>
</dates>
</vuln>
<vuln vid="d5e0317e-5e45-11e2-a113-c48508086173">
<topic>java 7.x -- security manager bypass</topic>
<affects>
<package>
<name>openjdk7</name>
<range><gt>0</gt></range>
</package>
<package>
<name>linux-sun-jdk</name>
<range><ge>7.0</ge><lt>7.11</lt></range>
</package>
<package>
<name>linux-sun-jre</name>
<range><ge>7.0</ge><lt>7.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/625617">
<p>Java 7 Update 10 and earlier versions of Java 7 contain a
vulnerability that can allow a remote, unauthenticated
attacker to execute arbitrary code on a vulnerable
system.</p>
<p>The Java JRE plug-in provides its own Security Manager.
Typically, a web applet runs with a security manager
provided by the browser or Java Web Start plugin. Oracle's
document states, "If there is a security manager already
installed, this method first calls the security manager's
checkPermission method with a
RuntimePermission("setSecurityManager") permission to ensure
it's safe to replace the existing security manager. This may
result in throwing a SecurityException".</p>
<p>By leveraging the vulnerability in the Java Management
Extensions (JMX) MBean components, unprivileged Java code
can access restricted classes. By using that vulnerability
in conjunction with a second vulnerability involving the
Reflection API and the invokeWithArguments method of the
MethodHandle class, an untrusted Java applet can escalate
its privileges by calling the the setSecurityManager()
function to allow full privileges, without requiring code
signing. Oracle Java 7 update 10 and earlier Java 7 versions
are affected. The invokeWithArguments method was introduced
with Java 7, so therefore Java 6 is not affected.</p>
<p>This vulnerability is being attacked in the wild, and is
reported to be incorporated into exploit kits. Exploit code
for this vulnerability is also publicly available.</p>
</blockquote>
<p>Esteban Guillardoy from Immunity Inc. additionally clarifies
on the recursive reflection exploitation technique:</p>
<blockquote cite="https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf">
<p>The real issue is in the native
sun.reflect.Reflection.getCallerClass method.</p>
<p>We can see the following information in the Reflection
source code:</p>
<p>Returns the class of the method realFramesToSkip frames
up the stack (zero-based), ignoring frames associated with
java.lang.reflect.Method.invoke() and its
implementation.</p>
<p>So what is happening here is that they forgot to skip the
frames related to the new Reflection API and only the old
reflection API is taken into account.</p>
</blockquote>
<p>This exploit does not only affect Java applets, but every
piece of software that relies on the Java Security Manager for
sandboxing executable code is affected: malicious code can
totally disable Security Manager.</p>
<p>For users who are running native Web browsers with enabled
Java plugin, the workaround is to remove the java/icedtea-web
port and restart all browser instances.</p>
<p>For users who are running Linux Web browser flavors, the
workaround is either to disable the Java plugin in browser
or to upgrade linux-sun-* packages to the non-vulnerable
version.</p>
<p>It is not recommended to run untrusted applets using
appletviewer, since this may lead to the execution of the
malicious code on vulnerable versions on JDK/JRE.</p>
</body>
</description>
<references>
<cvename>CVE-2013-0433</cvename>
<certvu>625617</certvu>
<url>http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html</url>
<url>https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf</url>
</references>
<dates>
<discovery>2013-01-10</discovery>
<entry>2013-01-14</entry>
</dates>
</vuln>
<vuln vid="97c22a94-5b8b-11e2-b131-000c299b62e1">
<topic>nagios -- buffer overflow in history.cgi</topic>
<affects>
<package>
<name>nagios</name>
<range><lt>3.4.3_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>full disclosure reports:</p>
<blockquote cite="http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html">
<p>history.cgi is vulnerable to a buffer overflow due to the use of
sprintf with user supplied data that has not been restricted in size.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-6096</cvename>
<url>http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html</url>
<url>http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&amp;revision=2547</url>
</references>
<dates>
<discovery>2012-12-21</discovery>
<entry>2013-01-10</entry>
</dates>
</vuln>
<vuln vid="a4ed6632-5aa9-11e2-8fcb-c8600054b392">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>17.0.2,1</lt></range>
<range><lt>10.0.12,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>17.0.2,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.15</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>17.0.2</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.15</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>17.0.2</lt></range>
<range><lt>10.0.12</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.12</lt></range>
</package>
<package>
<name>ca_root_nss</name>
<range><lt>3.14.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/
rv:10.0.12 / rv:17.0.2)</p>
<p>MFSA 2013-02 Use-after-free and buffer overflow issues found using
Address Sanitizer</p>
<p>MFSA 2013-03 Buffer Overflow in Canvas</p>
<p>MFSA 2013-04 URL spoofing in addressbar during page loads</p>
<p>MFSA 2013-05 Use-after-free when displaying table with many
columns and column groups</p>
<p>MFSA 2013-06 Touch events are shared across iframes</p>
<p>MFSA 2013-07 Crash due to handling of SSL on threads</p>
<p>MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during
garbage collection</p>
<p>MFSA 2013-09 Compartment mismatch with quickstubs returned values</p>
<p>MFSA 2013-10 Event manipulation in plugin handler to bypass
same-origin policy</p>
<p>MFSA 2013-11 Address space layout leaked in XBL objects</p>
<p>MFSA 2013-12 Buffer overflow in Javascript string concatenation</p>
<p>MFSA 2013-13 Memory corruption in XBL with XML bindings containing
SVG</p>
<p>MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing
prototype</p>
<p>MFSA 2013-15 Privilege escalation through plugin objects</p>
<p>MFSA 2013-16 Use-after-free in serializeToStream</p>
<p>MFSA 2013-17 Use-after-free in ListenerManager</p>
<p>MFSA 2013-18 Use-after-free in Vibrate</p>
<p>MFSA 2013-19 Use-after-free in Javascript Proxy objects</p>
<p>MFSA 2013-20 Mis-issued TURKTRUST certificates</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5829</cvename>
<cvename>CVE-2013-0743</cvename>
<cvename>CVE-2013-0744</cvename>
<cvename>CVE-2013-0745</cvename>
<cvename>CVE-2013-0746</cvename>
<cvename>CVE-2013-0747</cvename>
<cvename>CVE-2013-0748</cvename>
<cvename>CVE-2013-0749</cvename>
<cvename>CVE-2013-0750</cvename>
<cvename>CVE-2013-0751</cvename>
<cvename>CVE-2013-0752</cvename>
<cvename>CVE-2013-0753</cvename>
<cvename>CVE-2013-0754</cvename>
<cvename>CVE-2013-0755</cvename>
<cvename>CVE-2013-0756</cvename>
<cvename>CVE-2013-0757</cvename>
<cvename>CVE-2013-0758</cvename>
<cvename>CVE-2013-0759</cvename>
<cvename>CVE-2013-0760</cvename>
<cvename>CVE-2013-0761</cvename>
<cvename>CVE-2013-0762</cvename>
<cvename>CVE-2013-0763</cvename>
<cvename>CVE-2013-0764</cvename>
<cvename>CVE-2013-0766</cvename>
<cvename>CVE-2013-0767</cvename>
<cvename>CVE-2013-0768</cvename>
<cvename>CVE-2013-0769</cvename>
<cvename>CVE-2013-0770</cvename>
<cvename>CVE-2013-0771</cvename>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-01.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-02.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-03.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-04.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-05.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-06.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-07.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-08.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-09.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-10.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-11.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-12.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-13.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-14.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-15.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-16.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-17.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-18.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-19.html</url>
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-20.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2013-01-08</discovery>
<entry>2013-01-09</entry>
</dates>
</vuln>
<vuln vid="ca5d3272-59e3-11e2-853b-00262d5ed8ee">
<topic>rubygem-rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-rails</name>
<range><lt>3.2.11</lt></range>
</package>
<package>
<name>rubygem-actionpack</name>
<range><lt>3.2.11</lt></range>
</package>
<package>
<name>rubygem-activerecord</name>
<range><lt>3.2.11</lt></range>
</package>
<package>
<name>rubygem-activesupport</name>
<range><lt>3.2.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby on Rails team reports:</p>
<blockquote cite="http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/">
<p>Two high-risk vulnerabilities have been discovered:</p>
<p>(CVE-2013-0155) There is a vulnerability when Active Record is
used in conjunction with JSON parameter parsing.</p>
<p>Due to the way Active Record interprets parameters in combination
with the way that JSON parameters are parsed, it is possible for an
attacker to issue unexpected database queries with "IS NULL" or
empty "WHERE" clauses. This issue does not let an attacker insert
arbitrary values into an SQL query, however they can cause the
query to check for NULL or eliminate a WHERE clause when most users
would not expect it.</p>
<p>(CVE-2013-0156) There are multiple weaknesses in the parameter
parsing code for Ruby on Rails which allows attackers to bypass
authentication systems, inject arbitrary SQL, inject and execute
arbitrary code, or perform a DoS attack on a Rails application.</p>
<p>The parameter parsing code of Ruby on Rails allows applications to
automatically cast values from strings to certain data types.
Unfortunately the type casting code supported certain conversions
which were not suitable for performing on user-provided data
including creating Symbols and parsing YAML. These unsuitable
conversions can be used by an attacker to compromise a Rails
application.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-0155</cvename>
<cvename>CVE-2013-0156</cvename>
<url>http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/</url>
<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/t1WFuuQyavI</url>
<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/61bkgvnSGTQ</url>
</references>
<dates>
<discovery>2013-01-08</discovery>
<entry>2013-01-08</entry>
</dates>
</vuln>
<vuln vid="b4051b52-58fa-11e2-853b-00262d5ed8ee">
<topic>rubygem-rails -- SQL injection vulnerability</topic>
<affects>
<package>
<name>rubygem-rails</name>
<range><lt>3.2.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ruby on Rails team reports:</p>
<blockquote cite="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM">
<p>There is a SQL injection vulnerability in Active Record in ALL
versions. Due to the way dynamic finders in Active Record extract
options from method parameters, a method parameter can mistakenly
be used as a scope. Carefully crafted requests can use the scope
to inject arbitrary SQL.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5664</cvename>
<url>https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM</url>
</references>
<dates>
<discovery>2013-01-02</discovery>
<entry>2013-01-07</entry>
</dates>
</vuln>
<vuln vid="3a65d33b-5950-11e2-b66b-00e0814cab4e">
<topic>jenkins -- HTTP access to the server to retrieve the master cryptographic key</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>1.498</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory reports:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04">
<p>This advisory announces a security vulnerability that was found
in Jenkins core.</p>
<p>An attacker can then use this master cryptographic key to mount
remote code execution attack against the Jenkins master, or
impersonate arbitrary users in making REST API calls.</p>
<p>There are several factors that mitigate some of these problems
that may apply to specific installations.</p>
<ul>
<li>The particular attack vector is only applicable on Jenkins
instances that have slaves attached to them, and allow
anonymous read access.</li>
<li>Jenkins allows users to re-generate the API tokens. Those
re-generated API tokens cannot be impersonated by the
attacker.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04</url>
</references>
<dates>
<discovery>2013-01-04</discovery>
<entry>2013-01-08</entry>
</dates>
</vuln>
<vuln vid="1b769b72-582b-11e2-b66b-00e0814cab4e">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>django</name>
<range><lt>1.4.3</lt></range>
</package>
<package>
<name>django13</name>
<range><lt>1.3.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django Project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2012/dec/10/security/">
<ol>
<li>
<p>Host header poisoning</p>
<p>Several earlier Django security releases focused on the issue of
poisoning the HTTP Host header, causing Django to generate URLs
pointing to arbitrary, potentially-malicious domains.</p>
<p>In response to further input received and reports of continuing
issues following the previous release, we're taking additional
steps to tighten Host header validation. Rather than attempt to
accommodate all features HTTP supports here, Django's Host header
validation attempts to support a smaller, but far more common, subset:</p>
<ul>
<li>Hostnames must consist of characters [A-Za-z0-9] plus hyphen
('-') or dot ('.').</li>
<li>IP addresses -- both IPv4 and IPv6 -- are permitted.</li>
<li>Port, if specified, is numeric.</li>
</ul>
<p>Any deviation from this will now be rejected, raising the exception
django.core.exceptions.SuspiciousOperation.</p>
</li>
<li>
<p>Redirect poisoning</p>
<p>Also following up on a previous issue: in July of this year, we made
changes to Django's HTTP redirect classes, performing additional
validation of the scheme of the URL to redirect to (since, both
within Django's own supplied applications and many third-party
applications, accepting a user-supplied redirect target is a common
pattern).</p>
<p>Since then, two independent audits of the code turned up further
potential problems. So, similar to the Host-header issue, we are
taking steps to provide tighter validation in response to reported
problems (primarily with third-party applications, but to a certain
extent also within Django itself). This comes in two parts:</p>
<ol>
<li>A new utility function, django.utils.http.is_safe_url, is
added; this function takes a URL and a hostname, and checks
that the URL is either relative, or if absolute matches the
supplied hostname. This function is intended for use whenever
user-supplied redirect targets are accepted, to ensure that
such redirects cannot lead to arbitrary third-party sites.</li>
<li>All of Django's own built-in views -- primarily in the
authentication system -- which allow user-supplied redirect
targets now use is_safe_url to validate the supplied URL.</li>
</ol>
</li>
</ol>
</blockquote>
</body>
</description>
<references>
<url>https://www.djangoproject.com/weblog/2012/dec/10/security/</url>
</references>
<dates>
<discovery>2012-12-10</discovery>
<entry>2013-01-06</entry>
</dates>
</vuln>
<vuln vid="1ae613c3-5728-11e2-9483-14dae938ec40">
<topic>freetype -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>freetype2</name>
<range><lt>2.4.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The FreeType Project reports:</p>
<blockquote cite="http://sourceforge.net/projects/freetype/files/freetype2/2.4.11/README/view">
<p>Some vulnerabilities in the BDF implementation have been fixed.
Users of this font format should upgrade.</p>
</blockquote>
</body>
</description>
<references>
<url>http://sourceforge.net/projects/freetype/files/freetype2/2.4.11/README/view</url>
</references>
<dates>
<discovery>2012-12-20</discovery>
<entry>2013-01-05</entry>
</dates>
</vuln>
<vuln vid="a264b1b0-5726-11e2-9483-14dae938ec40">
<topic>moinmoin -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.9.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MoinMoin developers report the following vulnerabilities
as fixed in version 1.9.6:</p>
<blockquote cite="http://hg.moinmo.in/moin/1.9/raw-file/1.9.6/docs/CHANGES">
<ul>
<li>remote code execution vulnerability in
twikidraw/anywikidraw action,</li>
<li>path traversal vulnerability in AttachFile action,</li>
<li>XSS issue, escape page name in rss link.</li>
</ul>
</blockquote>
<p>CVE entries at MITRE furher clarify:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6081">
<p>Multiple unrestricted file upload vulnerabilities in the
(1) twikidraw (action/twikidraw.py) and (2) anywikidraw
(action/anywikidraw.py) actions in MoinMoin before 1.9.6
allow remote authenticated users with write permissions to
execute arbitrary code by uploading a file with an
executable extension, then accessing it via a direct request
to the file in an unspecified directory, as exploited in the
wild in July 2012.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6080">
<p>Directory traversal vulnerability in the
_do_attachment_move function in the AttachFile action
(action/AttachFile.py) in MoinMoin 1.9.3 through 1.9.5
allows remote attackers to overwrite arbitrary files via a
.. (dot dot) in a file name.</p>
</blockquote>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6082">
<p>Cross-site scripting (XSS) vulnerability in the rsslink
function in theme/__init__.py in MoinMoin 1.9.5 allows
remote attackers to inject arbitrary web script or HTML
via the page name in a rss link.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-6081</cvename>
<cvename>CVE-2012-6080</cvename>
<cvename>CVE-2012-6082</cvename>
<url>http://hg.moinmo.in/moin/1.9/raw-file/1.9.6/docs/CHANGES</url>
<url>http://www.debian.org/security/2012/dsa-2593</url>
</references>
<dates>
<discovery>2012-12-29</discovery>
<entry>2013-01-05</entry>
<modified>2013-01-06</modified>
</dates>
</vuln>
<vuln vid="f7c87a8a-55d5-11e2-a255-c8600054b392">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk11</name>
<range><gt>11.*</gt><lt>11.1.2</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.11.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.19.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Crashes due to large stack allocations when using TCP</p>
<p>Denial of Service Through Exploitation of Device State Caching</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5976</cvename>
<cvename>CVE-2012-5977</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-014.html</url>
<url>http://downloads.digium.com/pub/security/AST-2012-015.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2013-01-02</discovery>
<entry>2013-01-03</entry>
</dates>
</vuln>
<vuln vid="4108cc57-54d7-11e2-9483-14dae938ec40">
<topic>ircd-ratbox and charybdis -- remote DoS vulnerability</topic>
<affects>
<package>
<name>ircd-ratbox</name>
<range><gt>2.*</gt><lt>3.0.8</lt></range>
</package>
<package>
<name>charybdis</name>
<range><lt>3.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>atheme.org reports:</p>
<blockquote cite="http://www.ratbox.org/ASA-2012-12-31.txt">
<p>All versions of Charybdis are vulnerable to a remotely-triggered
crash bug caused by code originating from ircd-ratbox 2.0.
(Incidentally, this means all versions since ircd-ratbox 2.0 are
also vulnerable.)</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.ratbox.org/ASA-2012-12-31.txt</url>
</references>
<dates>
<discovery>2012-12-31</discovery>
<entry>2013-01-02</entry>
</dates>
</vuln>
Reference in New Issue View Git Blame Copy Permalink