mirror of
https://git.FreeBSD.org/ports.git
synced 2024-12-25 04:43:33 +00:00
e14ed8232d
modify tidy.xsl to make it generate the xml declaration manually; xsl is not able to generate a list of entities otherwise.
Remove copyright from included files; they are redundant anyway, and in the end only the vuln.xml file is distributed with entities expanded.
Rework the entity declaration a bit in order for the document to look great after expansion (as it did before we introduced the expansion mechanism).
All validation is now processed directly on the flattened file.
This is based on a patch from mfechner here
Submitted by: mfechner
Differential Revision: https://reviews.freebsd.org/D28299
5732 lines
202 KiB
XML
<vuln vid="06a12e26-142e-11e0-bea2-0015f2db7bde">
  <topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>webkit-gtk2</name>
      <range><lt>1.2.6</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Gustavo Noronha Silva reports:</p>
      <blockquote cite="http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS">
        <p>The patches to fix the following CVEs are included with help
          from Huzaifa Sidhpurwala from the Red Hat security team.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2010-1791</cvename>
    <cvename>CVE-2010-3812</cvename>
    <cvename>CVE-2010-3813</cvename>
    <cvename>CVE-2010-4197</cvename>
    <cvename>CVE-2010-4198</cvename>
    <cvename>CVE-2010-4204</cvename>
    <cvename>CVE-2010-4206</cvename>
    <cvename>CVE-2010-4577</cvename>
    <url>http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS</url>
  </references>
  <dates>
    <discovery>2010-12-28</discovery>
    <entry>2010-12-30</entry>
  </dates>
</vuln>

<vuln vid="14a37474-1383-11e0-8a58-00215c6a37bb">
  <topic>django -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>py23-django</name>
      <name>py24-django</name>
      <name>py25-django</name>
      <name>py26-django</name>
      <name>py27-django</name>
      <name>py30-django</name>
      <name>py31-django</name>
      <range><gt>1.2</gt><lt>1.2.4</lt></range>
      <range><gt>1.1</gt><lt>1.1.3</lt></range>
    </package>
    <package>
      <name>py23-django-devel</name>
      <name>py24-django-devel</name>
      <name>py25-django-devel</name>
      <name>py26-django-devel</name>
      <name>py27-django-devel</name>
      <name>py30-django-devel</name>
      <name>py31-django-devel</name>
      <range><lt>15032,1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Django project reports:</p>
      <blockquote cite="http://www.djangoproject.com/weblog/2010/dec/22/security/">
        <p>Today the Django team is issuing multiple releases
          -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 --
          to remedy two security issues reported to us. All users
          of affected versions of Django are urged to upgrade
          immediately.</p>
        <h3>Information leakage in Django administrative interface</h3>
        <p>The Django administrative interface, django.contrib.admin
          supports filtering of displayed lists of objects by fields
          on the corresponding models, including across database-level
          relationships. This is implemented by passing lookup arguments
          in the querystring portion of the URL, and options on the
          ModelAdmin class allow developers to specify particular
          fields or relationships which will generate automatic links
          for filtering.</p>
        <h3>Denial-of-service attack in password-reset mechanism</h3>
        <p>Django's bundled authentication framework,
          django.contrib.auth, offers views which allow users to
          reset a forgotten password. The reset mechanism involves
          generating a one-time token composed from the user's ID,
          the timestamp of the reset request converted to a base36
          integer, and a hash derived from the user's current password
          hash (which will change once the reset is complete, thus
          invalidating the token).</p>
      </blockquote>
    </body>
  </description>
  <references>
    <bid>45562</bid>
    <bid>45563</bid>
    <url>https://bugzilla.redhat.com/show_bug.cgi?id=665373</url>
    <url>http://secunia.com/advisories/42715/</url>
  </references>
  <dates>
    <discovery>2010-12-22</discovery>
    <entry>2010-12-29</entry>
  </dates>
</vuln>

<vuln vid="ff8b419a-0ffa-11e0-becc-0022156e8794">
  <topic>Drupal Views plugin -- cross-site scripting</topic>
  <affects>
    <package>
      <name>drupal6-views</name>
      <range><lt>2.12</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Drupal security team reports:</p>
      <blockquote cite="http://drupal.org/node/999380">
        <p>The Views module provides a flexible method for Drupal site
          designers to control how lists and tables of content are
          presented. Under certain circumstances, Views could display
          parts of the page path without escaping, resulting in a
          reflected Cross Site Scripting (XSS) vulnerability. An attacker
          could exploit this to gain full administrative access.</p>
        <p>Mitigating factors: This vulnerability only occurs with a
          specific combination of configuration options for a specific
          View, but this combination is used in the default Views
          provided by some additional modules. A malicious user would
          need to get an authenticated administrative user to visit a
          specially crafted URL.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2010-4521</cvename>
    <url>http://drupal.org/node/999380</url>
  </references>
  <dates>
    <discovery>2010-12-15</discovery>
    <entry>2010-12-28</entry>
  </dates>
</vuln>

<vuln vid="584c506d-0e98-11e0-b59b-0050569b2d21">
  <topic>redmine -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>redmine</name>
      <range><lt>1.0.5</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Jean-Philippe Lang reports:</p>
      <blockquote cite="http://www.redmine.org/news/49">
        <p>This release also fixes 3 security issues reported by
          joernchen of Phenoelit:</p>
        <ul>
          <li>logged in users may be able to access private data
            (affected versions: 1.0.x)</li>
          <li>persistent XSS vulnerability in textile formatter
            (affected versions: all previous releases)</li>
          <li>remote command execution in bazaar repository adapter
            (affected versions: 0.9.x, 1.0.x)</li>
        </ul>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.redmine.org/news/49</url>
  </references>
  <dates>
    <discovery>2010-12-23</discovery>
    <entry>2010-12-23</entry>
  </dates>
</vuln>

<vuln vid="4bd33bc5-0cd6-11e0-bfa4-001676740879">
  <topic>tor -- remote crash and potential remote code execution</topic>
  <affects>
    <package>
      <name>tor</name>
      <range><lt>0.2.1.28</lt></range>
    </package>
    <package>
      <name>tor-devel</name>
      <range><lt>0.2.2.20-alpha</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Tor Project reports:</p>
      <blockquote cite="http://archives.seul.org/or/announce/Dec-2010/msg00000.html">
        <p>Remotely exploitable bug that could be used to crash instances
          of Tor remotely by overflowing on the heap. Remote-code execution
          hasn't been confirmed, but can't be ruled out. Everyone should
          upgrade.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <bid>45500</bid>
    <cvename>CVE-2010-1676</cvename>
    <freebsdpr>ports/153326</freebsdpr>
    <mlist msgid="20101220135830.GU3300@moria.seul.org">http://archives.seul.org/or/announce/Dec-2010/msg00000.html</mlist>
    <mlist msgid="20101220141526.GS3255@moria.seul.org">http://archives.seul.org/or/talk/Dec-2010/msg00167.html</mlist>
    <url>https://gitweb.torproject.org/tor.git/blob/release-0.2.1:/ChangeLog</url>
    <url>https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ChangeLog</url>
  </references>
  <dates>
    <discovery>2010-12-17</discovery>
    <entry>2010-12-22</entry>
  </dates>
</vuln>

<vuln vid="d560b346-08a2-11e0-bcca-0050568452ac">
  <topic>YUI JavaScript library -- JavaScript injection exploits in Flash components</topic>
  <affects>
    <package>
      <name>yahoo-ui</name>
      <range><lt>2.8.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The YUI team reports:</p>
      <blockquote cite="http://yuilibrary.com/support/2.8.2/">
        <p>A security-related defect was introduced in the YUI 2 Flash
          component infrastructure beginning with the YUI 2.4.0 release.
          This defect allows JavaScript injection exploits to be created
          against domains that host affected YUI .swf files.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2010-4207</cvename>
    <cvename>CVE-2010-4208</cvename>
    <cvename>CVE-2010-4209</cvename>
    <url>http://www.yuiblog.com/blog/2010/10/25/yui-2-8-2-security-update/</url>
    <url>http://secunia.com/advisories/41955</url>
    <url>http://www.openwall.com/lists/oss-security/2010/11/07/1</url>
    <url>http://yuilibrary.com/support/2.8.2/</url>
  </references>
  <dates>
    <discovery>2010-10-25</discovery>
    <entry>2010-12-15</entry>
  </dates>
</vuln>

<vuln vid="2a41233d-10e7-11e0-becc-0022156e8794">
  <topic>php-zip -- multiple Denial of Service vulnerabilities</topic>
  <affects>
    <package>
      <name>php5-zip</name>
      <range><lt>5.3.4</lt></range>
    </package>
    <package>
      <name>php52-zip</name>
      <range><lt>5.2.15</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The following DoS conditions in Zip extension
        were fixed in PHP 5.3.4 and PHP 5.2.15:</p>
      <ul>
        <li>
          <blockquote cite="http://www.php.net/releases/5_3_4.php">
            <p>Fixed crash in zip extract method (possible
              CWE-170).</p>
          </blockquote>
        </li>
        <li>
          <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3709">
            <p>The ZipArchive::getArchiveComment function
              in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3
              allows context-dependent attackers to cause a denial
              of service (NULL pointer dereference and application
              crash) via a crafted ZIP archive.</p>
          </blockquote>
        </li>
      </ul>
    </body>
  </description>
  <references>
    <cvename>CVE-2010-3709</cvename>
    <url>http://www.php.net/releases/5_3_4.php</url>
    <url>http://www.php.net/releases/5_2_15.php</url>
    <url>http://securityreason.com/achievement_securityalert/90</url>
  </references>
  <dates>
    <discovery>2010-12-13</discovery>
    <entry>2011-01-13</entry>
  </dates>
</vuln>

<vuln vid="c623f058-10e7-11e0-becc-0022156e8794">
  <topic>php-filter -- Denial of Service</topic>
  <affects>
    <package>
      <name>php5-filter</name>
      <range><lt>5.3.4</lt></range>
    </package>
    <package>
      <name>php52-filter</name>
      <range><lt>5.2.15</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The following DoS condition in filter extension
        was fixed in PHP 5.3.4 and PHP 5.2.15:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3710">
        <p>Stack consumption vulnerability in the filter_var
          function in PHP 5.2.x through 5.2.14 and 5.3.x through
          5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows
          remote attackers to cause a denial of service (memory
          consumption and application crash) via a long e-mail
          address string.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2010-3710</cvename>
    <url>http://www.php.net/releases/5_3_4.php</url>
    <url>http://www.php.net/releases/5_2_15.php</url>
  </references>
  <dates>
    <discovery>2010-12-13</discovery>
    <entry>2011-01-13</entry>
  </dates>
</vuln>

<vuln vid="1a0704e7-0edf-11e0-becc-0022156e8794">
  <topic>php-imap -- Denial of Service</topic>
  <affects>
    <package>
      <name>php5-imap</name>
      <range><lt>5.3.4</lt></range>
    </package>
    <package>
      <name>php52-imap</name>
      <range><lt>5.2.15</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The following DoS condition in IMAP extension
        was fixed in PHP 5.3.4 and PHP 5.2.15:</p>
      <blockquote cite="http://securitytracker.com/alerts/2010/Nov/1024761.html">
        <p>A remote user can send specially crafted IMAP user name
          or password data to trigger a double free memory error
          in 'ext/imap/php_imap.c' and cause the target service
          to crash.</p>
        <p>It may be possible to execute arbitrary code.
          However, code execution was not confirmed.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2010-4150</cvename>
    <url>http://www.php.net/releases/5_3_4.php</url>
    <url>http://www.php.net/releases/5_2_15.php</url>
  </references>
  <dates>
    <discovery>2010-12-13</discovery>
    <entry>2011-01-13</entry>
  </dates>
</vuln>

<vuln vid="da3d381b-0ee6-11e0-becc-0022156e8794">
  <topic>pecl-phar -- format string vulnerability</topic>
  <affects>
    <package>
      <name>pecl-phar</name>
      <range><ge>0</ge></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Entry for CVE-2010-2094 says:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2094">
        <p>Multiple format string vulnerabilities in the phar
          extension in PHP 5.3 before 5.3.2 allow context-dependent
          attackers to obtain sensitive information (memory
          contents) and possibly execute arbitrary code via a
          crafted phar:// URI that is not properly handled by the
          (1) phar_stream_flush, (2) phar_wrapper_unlink,
          (3) phar_parse_url, or (4) phar_wrapper_open_url functions
          in ext/phar/stream.c; and the (5) phar_wrapper_open_dir
          function in ext/phar/dirstream.c, which triggers errors
          in the php_stream_wrapper_log_error function.</p>
      </blockquote>
      <p>PECL source code for PHAR extension shares the same code,
        so it is vulnerable too.</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2010-2094</cvename>
    <url>http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html</url>
    <url>http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.htm</url>
    <url>http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.htm</url>
    <url>http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.htm</url>
    <url>http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html</url>
  </references>
  <dates>
    <discovery>2010-12-13</discovery>
    <entry>2011-01-13</entry>
  </dates>
</vuln>

<vuln vid="3761df02-0f9c-11e0-becc-0022156e8794">
  <topic>php -- NULL byte poisoning</topic>
  <affects>
    <package>
      <name>php5</name>
      <range><lt>5.3.4</lt></range>
    </package>
    <package>
      <name>php52</name>
      <range><lt>5.2.17_12</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>PHP-specific version of NULL-byte poisoning was briefly
        described by ShAnKaR:</p>
      <blockquote cite="http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded">
        <p>Poison NULL byte vulnerability for perl CGI applications
          was described in
          <a href="http://artofhacking.com/files/phrack/phrack55/P55-07.TXT">[1]</a>.
          ShAnKaR noted, that same vulnerability also affects
          different PHP applications.</p>
      </blockquote>
      <p>PHP developers report that branch 5.3 received a fix:</p>
      <blockquote cite="http://www.php.net/releases/5_3_4.php">
        <p>Paths with NULL in them (foo\0bar.txt) are now considered
          as invalid (CVE-2006-7243).</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2006-7243</cvename>
    <url>http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded</url>
    <url>http://artofhacking.com/files/phrack/phrack55/P55-07.TXT</url>
  </references>
  <dates>
    <discovery>2010-12-10</discovery>
    <entry>2011-01-13</entry>
    <modified>2012-11-25</modified>
  </dates>
</vuln>

<vuln vid="73634294-0fa7-11e0-becc-0022156e8794">
  <topic>php -- open_basedir bypass</topic>
  <affects>
    <package>
      <name>php5</name>
      <range><lt>5.3.4</lt></range>
    </package>
    <package>
      <name>php52</name>
      <range><lt>5.2.15</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>MITRE reports:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3436">
        <p>fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow
          remote attackers to bypass open_basedir restrictions via
          vectors related to the length of a filename.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <bid>44723</bid>
    <cvename>CVE-2010-3436</cvename>
  </references>
  <dates>
    <discovery>2010-12-10</discovery>
    <entry>2011-01-13</entry>
  </dates>
</vuln>

<vuln vid="f3148a05-0fa7-11e0-becc-0022156e8794">
  <topic>php -- corruption of $GLOBALS and $this variables via extract() method</topic>
  <affects>
    <package>
      <name>php5</name>
      <range><lt>5.3.4</lt></range>
    </package>
    <package>
      <name>php52</name>
      <range><lt>5.2.15</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Off-by-one error in the sanity validator for the extract()
        method allowed attackers to replace the values of $GLOBALS
        and $this when mode EXTR_OVERWRITE was used.</p>
    </body>
  </description>
  <references>
    <url>http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html</url>
    <url>http://www.php.net/releases/5_2_15.php</url>
  </references>
  <dates>
    <discovery>2010-12-10</discovery>
    <entry>2011-01-13</entry>
  </dates>
</vuln>

<vuln vid="6887828f-0229-11e0-b84d-00262d5ed8ee">
  <cancelled/>
</vuln>

<vuln vid="b2a6fc0e-070f-11e0-a6e9-00215c6a37bb">
  <cancelled/>
</vuln>

<vuln vid="1d8ff4a2-0445-11e0-8e32-000f20797ede">
  <topic>mozilla -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>firefox</name>
      <range><gt>3.6.*,1</gt><lt>3.6.13,1</lt></range>
      <range><gt>3.5.*,1</gt><lt>3.5.16,1</lt></range>
    </package>
    <package>
      <name>libxul</name>
      <range><gt>1.9.2.*</gt><lt>1.9.2.13</lt></range>
    </package>
    <package>
      <name>linux-firefox</name>
      <range><lt>3.6.13,1</lt></range>
    </package>
    <package>
      <name>linux-firefox-devel</name>
      <range><lt>3.5.16</lt></range>
    </package>
    <package>
      <name>linux-seamonkey</name>
      <range><gt>2.0.*</gt><lt>2.0.11</lt></range>
    </package>
    <package>
      <name>linux-thunderbird</name>
      <range><ge>3.1</ge><lt>3.1.7</lt></range>
    </package>
    <package>
      <name>seamonkey</name>
      <range><gt>2.0.*</gt><lt>2.0.11</lt></range>
    </package>
    <package>
      <name>thunderbird</name>
      <range><ge>3.0</ge><lt>3.0.11</lt></range>
      <range><ge>3.1</ge><lt>3.1.7</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Mozilla Project reports:</p>
      <blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
        <p>MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)</p>
        <p>MFSA 2010-75 Buffer overflow while line breaking after document.write with long string</p>
        <p>MFSA 2010-76 Chrome privilege escalation with window.open and isindex element</p>
        <p>MFSA 2010-77 Crash and remote code execution using HTML tags inside a XUL tree</p>
        <p>MFSA 2010-78 Add support for OTS font sanitizer</p>
        <p>MFSA 2010-79 Java security bypass from LiveConnect loaded via data: URL meta refresh</p>
        <p>MFSA 2010-80 Use-after-free error with nsDOMAttribute MutationObserver</p>
        <p>MFSA 2010-81 Integer overflow vulnerability in NewIdArray</p>
        <p>MFSA 2010-82 Incomplete fix for CVE-2010-0179</p>
        <p>MFSA 2010-83 Location bar SSL spoofing using network error page</p>
        <p>MFSA 2010-84 XSS hazard in multiple character encodings</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2010-3766</cvename>
    <cvename>CVE-2010-3767</cvename>
    <cvename>CVE-2010-3768</cvename>
    <cvename>CVE-2010-3769</cvename>
    <cvename>CVE-2010-3770</cvename>
    <cvename>CVE-2010-3771</cvename>
    <cvename>CVE-2010-3772</cvename>
    <cvename>CVE-2010-3773</cvename>
    <cvename>CVE-2010-3774</cvename>
    <cvename>CVE-2010-3775</cvename>
    <cvename>CVE-2010-3776</cvename>
    <cvename>CVE-2010-3777</cvename>
    <cvename>CVE-2010-3778</cvename>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-74.html</url>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-75.html</url>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-76.html</url>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-77.html</url>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-78.html</url>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-79.html</url>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-80.html</url>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-81.html</url>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-82.html</url>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-83.html</url>
    <url>http://www.mozilla.org/security/announce/2010/mfsa2010-84.html</url>
  </references>
  <dates>
    <discovery>2010-12-09</discovery>
    <entry>2010-12-10</entry>
  </dates>
</vuln>

<vuln vid="4ccbd40d-03f7-11e0-bf50-001a926c7637">
  <topic>krb5 -- client impersonation vulnerability</topic>
  <affects>
    <package>
      <name>krb5</name>
      <range><ge>1.7.0</ge><lt>1.7.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The MIT Kerberos team reports:</p>
      <blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
        <p>MIT krb5 KDC may issue tickets not requested
          by a client, based on an attacker-chosen KrbFastArmoredReq.</p>
        <p>An authenticated remote attacker that controls a legitimate service
          principal could obtain a valid service ticket to itself containing
          valid KDC-generated authorization data for a client whose TGS-REQ it
          has intercepted. The attacker could then use this ticket for
          S4U2Proxy to impersonate the targeted client even if the client
          never authenticated to the subverted service. The vulnerable
          configuration is believed to be rare.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <bid>45122</bid>
    <cvename>CVE-2010-4021</cvename>
    <url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
    <url>http://osvdb.org/69607</url>
  </references>
  <dates>
    <discovery>2010-11-30</discovery>
    <entry>2010-12-09</entry>
  </dates>
</vuln>

<vuln vid="1d193bba-03f6-11e0-bf50-001a926c7637">
  <topic>krb5 -- RFC 3961 key-derivation checksum handling vulnerability</topic>
  <affects>
    <package>
      <name>krb5</name>
      <range><ge>1.8.0</ge><le>1.8.3</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The MIT Kerberos team reports:</p>
      <blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
        <p>MIT krb5 (releases incorrectly accepts RFC 3961
          key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH
          and AD-KDC-ISSUED authorization data.</p>
        <p>An authenticated remote attacker that controls a legitimate service
          principal has a 1/256 chance of forging the AD-SIGNEDPATH signature
          if the TGT key is RC4, allowing it to use self-generated "evidence"
          tickets for S4U2Proxy, instead of tickets obtained from the user or
          with S4U2Self. Configurations using RC4 for the TGT key are
          believed to be rare.</p>
        <p>An authenticated remote attacker has a 1/256 chance of forging
          AD-KDC-ISSUED signatures on authdata elements in tickets having
          an RC4 service key, resulting in privilege escalation against
          a service that relies on these signatures. There are no known
          uses of the KDC-ISSUED authdata container at this time.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <bid>45117</bid>
    <cvename>CVE-2010-4020</cvename>
    <url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
    <url>http://osvdb.org/69608</url>
  </references>
  <dates>
    <discovery>2010-11-30</discovery>
    <entry>2010-12-09</entry>
  </dates>
</vuln>

<vuln vid="9f971cea-03f5-11e0-bf50-001a926c7637">
  <topic>krb5 -- unkeyed PAC checksum handling vulnerability</topic>
  <affects>
    <package>
      <name>krb5</name>
      <range><ge>1.7.0</ge><lt>1.7.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The MIT Kerberos team reports:</p>
      <blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
        <p>MIT krb5 incorrectly accepts an unkeyed checksum for PAC
          signatures.</p>
        <p>An authenticated remote attacker can forge PACs if using a KDC that
          does not filter client-provided PAC data. This can result in
          privilege escalation against a service that relies on PAC contents
          to make authorization decisions.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <bid>45116</bid>
    <cvename>CVE-2010-1324</cvename>
    <url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
    <url>http://osvdb.org/69609</url>
  </references>
  <dates>
    <discovery>2010-11-30</discovery>
    <entry>2010-12-09</entry>
  </dates>
</vuln>

<vuln vid="0d57c1d9-03f4-11e0-bf50-001a926c7637">
  <topic>krb5 -- multiple checksum handling vulnerabilities</topic>
  <affects>
    <package>
      <name>krb5</name>
      <range><ge>1.7.0</ge><lt>1.7.2</lt></range>
      <range><ge>1.8.0</ge><le>1.8.3</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The MIT Kerberos team reports:</p>
      <blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
        <p>MIT krb incorrectly accepts an unkeyed
          checksum with DES session keys for version 2 (RFC 4121)
          of the GSS-API krb5 mechanism.</p>
        <p>An unauthenticated remote attacker can forge GSS tokens that are
          intended to be integrity-protected but unencrypted, if the targeted
          pre-existing application session uses a DES session key.</p>
        <p>MIT krb5 KDC incorrectly accepts RFC
          3961 key-derivation checksums using RC4 keys when verifying the
          req-checksum in a KrbFastArmoredReq.</p>
        <p>An unauthenticated remote attacker has a 1/256 chance of swapping a
          client-issued KrbFastReq into a different KDC-REQ, if the armor
          key is RC4. The consequences are believed to be minor.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <bid>45116</bid>
    <cvename>CVE-2010-1324</cvename>
    <url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
    <url>http://osvdb.org/69609</url>
  </references>
  <dates>
    <discovery>2010-11-30</discovery>
    <entry>2010-12-09</entry>
  </dates>
</vuln>

<vuln vid="11bbccbc-03ee-11e0-bcdb-001fc61c2a55">
  <topic>krb5 -- multiple checksum handling vulnerabilities</topic>
  <affects>
    <package>
      <name>krb5</name>
      <range><ge>1.3.0</ge><lt>1.7.2</lt></range>
      <range><ge>1.8.0</ge><le>1.8.3</le></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The MIT Kerberos team reports:</p>
      <blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt">
        <p>MIT krb5 clients incorrectly accept unkeyed checksums
          in the SAM-2 preauthentication challenge.</p>
        <p>An unauthenticated remote attacker could alter a SAM-2 challenge,
          affecting the prompt text seen by the user or the kind of response
          sent to the KDC. Under some circumstances, this can negate the
          incremental security benefit of using a single-use authentication
          mechanism token.</p>
        <p>MIT krb5 incorrectly accepts RFC 3961 key-derivation checksums
          using RC4 keys when verifying KRB-SAFE messages.</p>
        <p>An unauthenticated remote attacker has a 1/256 chance of forging
          KRB-SAFE messages in an application protocol if the targeted
          pre-existing session uses an RC4 session key. Few application
          protocols use KRB-SAFE messages.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <bid>45118</bid>
    <cvename>CVE-2010-1323</cvename>
    <url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt</url>
    <url>http://osvdb.org/69610</url>
  </references>
  <dates>
    <discovery>2010-11-30</discovery>
    <entry>2010-12-09</entry>
  </dates>
</vuln>

<vuln vid="ed7fa1b4-ff59-11df-9759-080027284eaa">
  <topic>proftpd -- Compromised source packages backdoor</topic>
  <affects>
    <package>
      <name>proftpd</name>
      <range><eq>1.3.3c_2</eq></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The ProFTPD Project team reports:</p>
      <blockquote cite="http://proftpd.org/">
        <p>The security issue is caused due to the distribution of compromised
          ProFTPD 1.3.3c source code packages via the project's main FTP server
          and all of the mirror servers, which contain a backdoor allowing
          remote root access.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org</url>
    <url>http://secunia.com/advisories/42449</url>
  </references>
  <dates>
    <discovery>2010-11-28</discovery>
    <entry>2010-12-04</entry>
  </dates>
</vuln>

<vuln vid="753f8185-5ba9-42a4-be02-3f55ee580093">
  <topic>phpMyAdmin -- XSS attack in database search</topic>
  <affects>
    <package>
      <name>phpMyAdmin</name>
      <range><lt>3.3.8.1</lt></range>
    </package>
    <package>
      <name>phpMyAdmin211</name>
      <range><lt>2.11.11.1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>phpMyAdmin team reports:</p>
      <blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php">
        <p>It was possible to conduct a XSS attack using spoofed request on the
          db search script.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <freebsdpr>ports/152685</freebsdpr>
    <freebsdpr>ports/152686</freebsdpr>
    <cvename>CVE-2010-4329</cvename>
    <url>http://www.phpmyadmin.net/home_page/security/PMASA-2010-8.php</url>
  </references>
  <dates>
    <discovery>2010-11-29</discovery>
    <entry>2010-11-30</entry>
  </dates>
</vuln>

<vuln vid="f154a3c7-f7f4-11df-b617-00e0815b8da8">
|
|
<topic>isc-dhcp-server -- Empty link-address denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>isc-dhcp41-server</name>
|
|
<range><ge>4.1.0</ge><lt>4.1.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>ISC reports:</p>
|
|
<blockquote cite="http://www.isc.org/software/dhcp/advisories/cve-2010-3611">
|
|
<p>If the server receives a DHCPv6 packet containing one or more
|
|
Relay-Forward messages, and none of them supply an address in the
|
|
Relay-Forward link-address field, then the server will crash. This
|
|
can be used as a single packet crash attack vector.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-3611</cvename>
|
|
<url>http://www.isc.org/software/dhcp/advisories/cve-2010-3611</url>
|
|
<url>http://www.kb.cert.org/vuls/id/102047</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-11-02</discovery>
|
|
<entry>2010-11-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="373e412e-f748-11df-96cd-0015f2db7bde">
|
|
<topic>OpenTTD -- Denial of service (server/client) via invalid read</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openttd</name>
|
|
<range><ge>1.0.0</ge><lt>1.0.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OpenTTD Team reports:</p>
|
|
<blockquote cite="http://security.openttd.org/en/CVE-2010-4168">
|
|
<p>When a client disconnects, without sending the "quit" or
|
|
"client error" message, the server has a chance of reading and
|
|
writing a just freed piece of memory. The writing can only
|
|
happen while the server is sending the map. Depending on what
|
|
happens directly after freeing the memory there is a chance of
|
|
segmentation fault, and thus a denial of service.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-4168</cvename>
|
|
<url>http://security.openttd.org/en/CVE-2010-4168</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-11-20</discovery>
|
|
<entry>2010-11-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a3314314-f731-11df-a757-0011098ad87f">
|
|
<topic>horde-base -- XSS: VCARD attachments vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde-base</name>
|
|
<range><lt>3.3.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Horde team reports:</p>
|
|
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/532">
|
|
<p>The major changes compared to Horde version 3.3.10 are:</p>
|
|
<p>* Fixed XSS vulnerability when viewing details of a vCard.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://article.gmane.org/gmane.comp.horde.announce/532</url>
|
|
<url>http://bugs.horde.org/ticket/9357</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-11-02</discovery>
|
|
<entry>2010-11-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="533d20e7-f71f-11df-9ae1-000bcdf0a03b">
|
|
<topic>proftpd -- remote code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>proftpd</name>
|
|
<range><lt>1.3.3c</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Tippingpoint reports:</p>
|
|
<blockquote cite="http://www.zerodayinitiative.com/advisories/ZDI-10-229/">
|
|
<p>This vulnerability allows remote attackers to execute arbitrary
|
|
code on vulnerable installations of ProFTPD. Authentication is not
|
|
required to exploit this vulnerability.</p>
|
|
<p>The flaw exists within the proftpd server component which
|
|
listens by default on TCP port 21. When reading user input if a
|
|
TELNET_IAC escape sequence is encountered the process
|
|
miscalculates a buffer length counter value allowing a user
|
|
controlled copy of data to a stack buffer. A remote attacker can
|
|
exploit this vulnerability to execute arbitrary code under the
|
|
context of the proftpd process.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>44562</bid>
|
|
<cvename>CVE-2010-4221</cvename>
|
|
<url>http://www.zerodayinitiative.com/advisories/ZDI-10-229/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-11-02</discovery>
|
|
<entry>2010-11-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3042c33a-f237-11df-9d02-0018fe623f2b">
|
|
<topic>openssl -- TLS extension parsing race condition</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openssl</name>
|
|
<range><lt>1.0.0_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>OpenSSL Team reports:</p>
|
|
<blockquote cite="http://openssl.org/news/secadv_20101116.txt">
|
|
<p>Rob Hulswit has found a flaw in the OpenSSL TLS server extension
|
|
code parsing which on affected servers can be exploited in a buffer
|
|
overrun attack.</p>
|
|
<p>Any OpenSSL based TLS server is vulnerable if it is multi-threaded
|
|
and uses OpenSSL's internal caching mechanism. Servers that are
|
|
multi-process and/or disable internal session caching are NOT
|
|
affected.</p>
|
|
<p>In particular the Apache HTTP server (which never uses OpenSSL
|
|
internal caching) and Stunnel (which includes its own workaround)
|
|
are NOT affected.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-3864</cvename>
|
|
<url>http://openssl.org/news/secadv_20101116.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-10-08</discovery>
|
|
<entry>2010-11-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="76b597e4-e9c6-11df-9e10-001b2134ef46">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-flashplugin</name>
|
|
<range><lt>9.0r289</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-f8-flashplugin</name>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>10.1r102</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe Product Security Incident Response Team reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-26.html">
|
|
<p>Critical vulnerabilities have been identified in
|
|
Adobe Flash Player 10.1.85.3 and earlier versions for
|
|
Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player
|
|
10.1.95.1 for Android. These vulnerabilities, including
|
|
CVE-2010-3654 referenced in Security Advisory APSA10-05,
|
|
could cause the application to crash and could potentially
|
|
allow an attacker to take control of the affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-3636</cvename>
|
|
<cvename>CVE-2010-3637</cvename>
|
|
<cvename>CVE-2010-3638</cvename>
|
|
<cvename>CVE-2010-3639</cvename>
|
|
<cvename>CVE-2010-3640</cvename>
|
|
<cvename>CVE-2010-3641</cvename>
|
|
<cvename>CVE-2010-3642</cvename>
|
|
<cvename>CVE-2010-3643</cvename>
|
|
<cvename>CVE-2010-3644</cvename>
|
|
<cvename>CVE-2010-3645</cvename>
|
|
<cvename>CVE-2010-3646</cvename>
|
|
<cvename>CVE-2010-3647</cvename>
|
|
<cvename>CVE-2010-3648</cvename>
|
|
<cvename>CVE-2010-3649</cvename>
|
|
<cvename>CVE-2010-3650</cvename>
|
|
<cvename>CVE-2010-3652</cvename>
|
|
<cvename>CVE-2010-3654</cvename>
|
|
<cvename>CVE-2010-3676</cvename>
|
|
<url>http://www.adobe.com/support/security/bulletins/apsb10-26.html</url>
|
|
<url>http://www.adobe.com/support/security/advisories/apsa10-05.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-28</discovery>
|
|
<entry>2010-11-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b2eaa7c2-e64a-11df-bc65-0022156e8794">
|
|
<topic>Wireshark -- DoS in the BER-based dissectors</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wireshark</name>
|
|
<range><ge>1.3</ge><lt>1.4.1</lt></range>
|
|
<range><ge>1.0</ge><lt>1.2.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>wireshark-lite</name>
|
|
<range><ge>1.3</ge><lt>1.4.1</lt></range>
|
|
<range><ge>1.0</ge><lt>1.2.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>tshark</name>
|
|
<range><ge>1.3</ge><lt>1.4.1</lt></range>
|
|
<range><ge>1.0</ge><lt>1.2.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>tshark-lite</name>
|
|
<range><ge>1.3</ge><lt>1.4.1</lt></range>
|
|
<range><ge>1.0</ge><lt>1.2.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/41535">
|
|
<p>A vulnerability has been discovered in Wireshark, which can
|
|
be exploited by malicious people to cause a DoS (Denial of
|
|
Service).</p>
|
|
<p>The vulnerability is caused due to an infinite recursion
|
|
error in the "dissect_unknown_ber()" function in
|
|
epan/dissectors/packet-ber.c and can be exploited to cause a
|
|
stack overflow e.g. via a specially crafted SNMP packet.</p>
|
|
<p>The vulnerability is confirmed in version 1.4.0 and
|
|
reported in version 1.2.11 and prior and version 1.4.0 and
|
|
prior.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-3445</cvename>
|
|
<url>http://www.wireshark.org/lists/wireshark-announce/201010/msg00002.html</url>
|
|
<url>http://www.wireshark.org/lists/wireshark-announce/201010/msg00001.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-16</discovery>
|
|
<entry>2010-11-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4ab29e12-e787-11df-adfa-00e0815b8da8">
|
|
<topic>Mailman -- cross-site scripting in web interface</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mailman</name>
|
|
<range><lt>2.1.14</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/41265">
|
|
<p>Two vulnerabilities have been reported in Mailman, which
|
|
can be exploited by malicious users to conduct script
|
|
insertion attacks.</p>
|
|
<p>Certain input passed via the list descriptions is not
|
|
properly sanitised before being displayed to the user. This
|
|
can be exploited to insert arbitrary HTML and script code,
|
|
which will be executed in a user's browser session in context
|
|
of an affected site when the malicious data is being
|
|
viewed.</p>
|
|
<p>Successful exploitation requires "list owner" permissions.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>43187</bid>
|
|
<cvename>CVE-2010-3089</cvename>
|
|
<url>http://secunia.com/advisories/41265</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-14</discovery>
|
|
<entry>2010-11-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="96e776c7-e75c-11df-8f26-00151735203a">
|
|
<topic>OTRS -- Multiple XSS and denial of service vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>otrs</name>
|
|
<range><gt>2.3.*</gt><lt>2.4.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>OTRS Security Advisory reports:</p>
|
|
<blockquote cite="http://otrs.org/advisory/OSA-2010-02-en/">
|
|
<ul>
|
|
<li>Multiple Cross Site Scripting issues:
|
|
Missing HTML quoting allows authenticated agents or
|
|
customers to inject HTML tags. This vulnerability
|
|
allows an attacker to inject script code into the OTRS
|
|
web-interface which will be loaded and executed
|
|
in the browsers of system users.</li>
|
|
<li>Possible Denial of Service Attack:
|
|
Perl's regular expressions consume 100% CPU time
|
|
on the server if an agent or customer views an affected
|
|
article. To exploit this vulnerability the malicious user
|
|
needs to send extremely large HTML emails to your
|
|
system address.</li>
|
|
</ul>
|
|
</blockquote>
|
|
<blockquote cite="http://otrs.org/advisory/OSA-2010-03-en/">
|
|
<p>AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails:</p>
|
|
<p>Whenever a customer sends an HTML e-mail and RichText is enabled
|
|
in OTRS, javascript contained in the email can do everything
|
|
in the OTRS agent interface that the agent himself could do.</p>
|
|
<p>Most relevant is that this type of exploit can be used in such
|
|
a way that the agent won't even detect he is being exploited.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2080</cvename>
|
|
<cvename>CVE-2010-4071</cvename>
|
|
<url>http://otrs.org/advisory/OSA-2010-02-en/</url>
|
|
<url>http://otrs.org/advisory/OSA-2010-03-en/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-15</discovery>
|
|
<entry>2010-11-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c223b00d-e272-11df-8e32-000f20797ede">
|
|
<topic>mozilla -- Heap buffer overflow mixing document.write and DOM insertion</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>3.6.*,1</gt><lt>3.6.12,1</lt></range>
|
|
<range><gt>3.5.*,1</gt><lt>3.5.15,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxul</name>
|
|
<range><gt>1.9.2.*</gt><lt>1.9.2.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>3.6.12,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox-devel</name>
|
|
<range><lt>3.5.15</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.0.10</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>3.1.6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><gt>2.0.*</gt><lt>2.0.10</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><ge>3.0</ge><lt>3.0.10</lt></range>
|
|
<range><ge>3.1</ge><lt>3.1.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-3765</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-73.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-10-27</discovery>
|
|
<entry>2010-10-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="aab187d4-e0f3-11df-b1ea-001999392805">
|
|
<topic>opera -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opera</name>
|
|
<range><lt>10.63</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Opera Desktop Team reports:</p>
|
|
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1063/">
|
|
<ul>
|
|
<li>Fixed an issue that allowed cross-domain checks to be bypassed,
|
|
allowing limited data theft using CSS, as reported by Isaac
|
|
Dawson.</li>
|
|
<li>Fixed an issue where manipulating the window could be used to
|
|
spoof the page address.</li>
|
|
<li>Fixed an issue with reloads and redirects that could allow
|
|
spoofing and cross-site scripting.</li>
|
|
<li>Fixed an issue that allowed private video streams to be
|
|
intercepted, as reported by Nirankush Panchbhai of Microsoft
|
|
Vulnerability Research.</li>
|
|
<li>Fixed an issue that caused JavaScript to run in the wrong
|
|
security context after manual interaction.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.opera.com/support/kb/view/971/</url>
|
|
<url>http://www.opera.com/support/kb/view/972/</url>
|
|
<url>http://www.opera.com/support/kb/view/973/</url>
|
|
<url>http://www.opera.com/support/kb/view/974/</url>
|
|
<url>http://www.opera.com/support/kb/view/976/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-10-12</discovery>
|
|
<entry>2010-10-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0ddb57a9-da20-4e99-b048-4366092f3d31">
|
|
<topic>bzip2 -- integer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bzip2</name>
|
|
<range><lt>1.0.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/41452">
|
|
<p>A vulnerability has been reported in bzip2, which can be exploited by
|
|
malicious people to cause a DoS (Denial of Service) or potentially
|
|
compromise a vulnerable system.</p>
|
|
<p>The vulnerability is caused due to an integer overflow in the
|
|
"BZ2_decompress()" function in decompress.c and can be exploited to
|
|
cause a crash or potentially execute arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-10:08.bzip2</freebsdsa>
|
|
<freebsdpr>ports/151364</freebsdpr>
|
|
<cvename>CVE-2010-0405</cvename>
|
|
<bid>43331</bid>
|
|
<mlist>http://www.openwall.com/lists/oss-security/2010/09/21/4</mlist>
|
|
<url>http://secunia.com/advisories/41452</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-21</discovery>
|
|
<entry>2010-10-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="18dc48fe-ca42-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- Integer overflow in bzip2 decompression</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.4</ge><lt>6.4_11</lt></range>
|
|
<range><ge>7.1</ge><lt>7.1_14</lt></range>
|
|
<range><ge>7.3</ge><lt>7.3_3</lt></range>
|
|
<range><ge>8.0</ge><lt>8.0_5</lt></range>
|
|
<range><ge>8.1</ge><lt>8.1_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>When decompressing data, the run-length encoded values are not
|
|
adequately sanity-checked, allowing for an integer overflow.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-10:08.bzip2</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-20</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7a09a8df-ca41-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- Lost mbuf flag resulting in data corruption</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>7.1</ge><lt>7.1_13</lt></range>
|
|
<range><ge>7.3</ge><lt>7.3_2</lt></range>
|
|
<range><ge>8.0</ge><lt>8.0_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>The read-only flag is not correctly copied when a mbuf buffer
|
|
reference is duplicated. When the sendfile(2) system call is used to
|
|
transmit data over the loopback interface, this can result in the
|
|
backing pages for the transmitted file being modified, causing data
|
|
corruption.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-10:07.mbuf</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-13</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0dc91089-ca41-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- Unvalidated input in nfsclient</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>7.2</ge><lt>7.2_8</lt></range>
|
|
<range><ge>7.3</ge><lt>7.3_1</lt></range>
|
|
<range><ge>8.0</ge><lt>8.0_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>The NFS client subsystem fails to correctly validate the length of a
|
|
parameter provided by the user when a filesystem is mounted.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-10:06.nfsclient</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-27</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="768cfe70-ca40-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- OPIE off-by-one stack overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.4</ge><lt>6.4_10</lt></range>
|
|
<range><ge>7.1</ge><lt>7.1_12</lt></range>
|
|
<range><ge>7.2</ge><lt>7.2_8</lt></range>
|
|
<range><ge>7.3</ge><lt>7.3_1</lt></range>
|
|
<range><ge>8.0</ge><lt>8.0_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>A programming error in the OPIE library could allow an off-by-one
|
|
buffer overflow to write a single zero byte beyond the end of an
|
|
on-stack buffer.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-10:05.opie</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-27</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f6eb2279-ca3f-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- Insufficient environment sanitization in jail(8)</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>8.0</ge><lt>8.0_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>The jail(8) utility does not change the current working directory
|
|
while imprisoning. The current working directory can be accessed by
|
|
its descendants.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-10:04.jail</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-27</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="97f09f2f-ca3f-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- ZFS ZIL playback with insecure permissions</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>7.1</ge><lt>7.1_10</lt></range>
|
|
<range><ge>7.2</ge><lt>7.2_6</lt></range>
|
|
<range><ge>8.0</ge><lt>8.0_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>When replaying setattr transaction, the replay code would set the
|
|
attributes with certain insecure defaults, when the logged
|
|
transaction did not touch these attributes.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-10:03.zfs</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-01-06</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="48103b0a-ca3f-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- ntpd mode 7 denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.3</ge><lt>6.3_15</lt></range>
|
|
<range><ge>6.4</ge><lt>6.4_9</lt></range>
|
|
<range><ge>7.1</ge><lt>7.1_10</lt></range>
|
|
<range><ge>7.2</ge><lt>7.2_6</lt></range>
|
|
<range><ge>8.0</ge><lt>8.0_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
|
|
from a source address not listed in either a 'restrict ... noquery'
|
|
or a 'restrict ... ignore' section it will log the event and send a
|
|
mode 7 error response.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-10:02.ntpd</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-01-06</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e500b9bf-ca3e-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- BIND named(8) cache poisoning with DNSSEC validation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.3</ge><lt>6.3_15</lt></range>
|
|
<range><ge>6.4</ge><lt>6.4_9</lt></range>
|
|
<range><ge>7.1</ge><lt>7.1_10</lt></range>
|
|
<range><ge>7.2</ge><lt>7.2_6</lt></range>
|
|
<range><ge>8.0</ge><lt>8.0_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>If a client requests DNSSEC records with the Checking Disabled (CD)
|
|
flag set, BIND may cache the unvalidated responses. These responses
|
|
may later be returned to another client that has not set the CD
|
|
flag.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-10:01.bind</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-01-06</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6e87b696-ca3e-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- Inappropriate directory permissions in freebsd-update(8)</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.3</ge><lt>6.3_14</lt></range>
|
|
<range><ge>6.4</ge><lt>6.4_8</lt></range>
|
|
<range><ge>7.1</ge><lt>7.1_9</lt></range>
|
|
<range><ge>7.2</ge><lt>7.2_5</lt></range>
|
|
<range><ge>8.0</ge><lt>8.0_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>When downloading updates to FreeBSD via 'freebsd-update fetch' or
|
|
'freebsd-update upgrade', the freebsd-update(8) utility copies
|
|
currently installed files into its working directory
|
|
(/var/db/freebsd-update by default) both for the purpose of merging
|
|
changes to configuration files and in order to be able to roll back
|
|
installed updates.</p>
|
|
<p>The default working directory used by freebsd-update(8) is normally
|
|
created during the installation of FreeBSD with permissions which
|
|
allow all local users to see its contents, and freebsd-update(8) does
|
|
not take any steps to restrict access to files stored in said
|
|
directory.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-09:17.freebsd-update</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2009-12-03</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ad08d14b-ca3d-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- Improper environment sanitization in rtld(1)</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>7.1</ge><lt>7.1_9</lt></range>
|
|
<range><ge>7.2</ge><lt>7.2_5</lt></range>
|
|
<range><ge>8.0</ge><lt>8.0_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>When running setuid programs rtld will normally remove potentially
|
|
dangerous environment variables. Due to recent changes in FreeBSD
|
|
environment variable handling code, a corrupt environment may
|
|
result in attempts to unset environment variables failing.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-09:16.rtld</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2009-12-03</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="406779fd-ca3b-11df-aade-0050568f000c">
|
|
<topic>FreeBSD -- SSL protocol flaw</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>6.3</ge><lt>6.3_14</lt></range>
|
|
<range><ge>6.4</ge><lt>6.4_8</lt></range>
|
|
<range><ge>7.1</ge><lt>7.1_9</lt></range>
|
|
<range><ge>7.2</ge><lt>7.2_5</lt></range>
|
|
<range><ge>8.0</ge><lt>8.0_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Problem Description:</h1>
|
|
<p>The SSL version 3 and TLS protocols support session
|
|
renegotiation without cryptographically tying the new
|
|
session parameters to the old parameters.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-09:15.ssl</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2009-12-03</discovery>
|
|
<entry>2010-10-24</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c9a6ae4a-df8b-11df-9573-00262d5ed8ee">
|
|
<topic>monotone -- remote denial of service in default setup</topic>
|
|
<affects>
|
|
<package>
|
|
<name>monotone</name>
|
|
<range><lt>0.48.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The monotone developers report:</p>
|
|
<blockquote cite="http://www.monotone.ca/NEWS">
|
|
<p>Running "mtn ''" or "mtn ls ''" doesn't cause an internal
|
|
error anymore. In monotone 0.48 and earlier this behavior
|
|
could be used to crash a server remotely (but only if it was
|
|
configured to allow execution of remote commands).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/151665</freebsdpr>
|
|
<url>http://www.monotone.ca/NEWS</url>
|
|
<url>http://www.thomaskeller.biz/blog/2010/10/22/monotone-0-48-1-released-please-update-your-servers/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-10-21</discovery>
|
|
<entry>2010-10-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c4f067b9-dc4a-11df-8e32-000f20797ede">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>3.6.*,1</gt><lt>3.6.11,1</lt></range>
|
|
<range><gt>3.5.*,1</gt><lt>3.5.14,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxul</name>
|
|
<range><gt>1.9.2.*</gt><lt>1.9.2.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>3.6.11,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox-devel</name>
|
|
<range><lt>3.5.14</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><gt>2.0.*</gt><lt>2.0.9</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><ge>3.0</ge><lt>3.0.9</lt></range>
|
|
<range><ge>3.1</ge><lt>3.1.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)</p>
|
|
<p>MFSA 2010-65 Buffer overflow and memory corruption using document.write</p>
|
|
<p>MFSA 2010-66 Use-after-free error in nsBarProp</p>
|
|
<p>MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter</p>
|
|
<p>MFSA 2010-68 XSS in gopher parser when parsing hrefs</p>
|
|
<p>MFSA 2010-69 Cross-site information disclosure via modal calls</p>
|
|
<p>MFSA 2010-70 SSL wildcard certificate matching IP addresses</p>
|
|
<p>MFSA 2010-71 Unsafe library loading vulnerabilities</p>
|
|
<p>MFSA 2010-72 Insecure Diffie-Hellman key exchange</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-3170</cvename>
|
|
<cvename>CVE-2010-3173</cvename>
|
|
<cvename>CVE-2010-3174</cvename>
|
|
<cvename>CVE-2010-3175</cvename>
|
|
<cvename>CVE-2010-3176</cvename>
|
|
<cvename>CVE-2010-3177</cvename>
|
|
<cvename>CVE-2010-3178</cvename>
|
|
<cvename>CVE-2010-3179</cvename>
|
|
<cvename>CVE-2010-3180</cvename>
|
|
<cvename>CVE-2010-3181</cvename>
|
|
<cvename>CVE-2010-3182</cvename>
|
|
<cvename>CVE-2010-3183</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-64.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-65.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-66.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-67.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-68.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-69.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-70.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-71.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-72.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-10-19</discovery>
|
|
<entry>2010-10-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e5090d2a-dbbe-11df-82f8-0015f2db7bde">
|
|
<topic>Webkit-gtk2 -- Multiple Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>webkit-gtk2</name>
|
|
<range><lt>1.2.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gustavo Noronha Silva reports:</p>
|
|
<blockquote cite="http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS">
|
|
<p>The patches to fix the following CVEs are included with help from
|
|
Vincent Danen and other members of the Red Hat security team:</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1780</cvename>
|
|
<cvename>CVE-2010-1807</cvename>
|
|
<cvename>CVE-2010-1812</cvename>
|
|
<cvename>CVE-2010-1814</cvename>
|
|
<cvename>CVE-2010-1815</cvename>
|
|
<cvename>CVE-2010-3113</cvename>
|
|
<cvename>CVE-2010-3114</cvename>
|
|
<cvename>CVE-2010-3115</cvename>
|
|
<cvename>CVE-2010-3116</cvename>
|
|
<cvename>CVE-2010-3255</cvename>
|
|
<cvename>CVE-2010-3257</cvename>
|
|
<cvename>CVE-2010-3259</cvename>
|
|
<url>http://gitorious.org/webkitgtk/stable/blobs/master/WebKit/gtk/NEWS</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-10-01</discovery>
|
|
<entry>2010-10-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="dd943fbb-d0fe-11df-95a8-00219b0fc4d8">
|
|
<topic>apr -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apr1</name>
|
|
<range><lt>1.4.2.1.3.10</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apr0</name>
|
|
<range><lt>0.9.19.0.9.19</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/41701">
|
|
<p>Multiple vulnerabilities have been reported in APR-util, which can
|
|
be exploited by malicious people to cause a DoS (Denial of
|
|
Service).</p>
|
|
<p>Two XML parsing vulnerabilities exist in the bundled version of
|
|
expat.</p>
|
|
<p>An error within the "apr_brigade_split_line()" function in
|
|
buckets/apr_brigade.c can be exploited to cause high memory
|
|
consumption.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>43673</bid>
|
|
<cvename>CVE-2009-3560</cvename>
|
|
<cvename>CVE-2009-3720</cvename>
|
|
<cvename>CVE-2010-1623</cvename>
|
|
<url>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</url>
|
|
<url>http://secunia.com/advisories/41701</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-10-02</discovery>
|
|
<entry>2010-10-06</entry>
|
|
<modified>2010-10-20</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="99021f88-ca3c-11df-be21-00e018aa7788">
|
|
<topic>phpmyfaq -- cross site scripting vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpmyfaq</name>
|
|
<range><lt>2.6.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpMyFAQ project reports:</p>
|
|
<blockquote cite="http://www.phpmyfaq.de/advisory_2010-09-28.php">
|
|
<p>The phpMyFAQ Team has learned of a security issue that has been
|
|
discovered in phpMyFAQ 2.6.x: phpMyFAQ doesn't sanitize
|
|
some variables in different pages correctly. With a
|
|
properly crafted URL it is e.g. possible to inject
|
|
JavaScript code into the output of a page, which could
|
|
result in the leakage of domain cookies (f.e. session
|
|
identifiers).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/151055</freebsdpr>
|
|
<url>http://www.phpmyfaq.de/advisory_2010-09-28.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-28</discovery>
|
|
<entry>2010-10-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e08c596e-cb28-11df-9c1b-0011098ad87f">
|
|
<topic>horde-gollem -- XSS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde-gollem</name>
|
|
<range><lt>1.1.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Horde team reports:</p>
|
|
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/523">
|
|
<p>The major changes compared to Gollem version H3 (1.1.1) are:</p>
|
|
<p>* Fixed an XSS vulnerability in the file viewer.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://article.gmane.org/gmane.comp.horde.announce/523</url>
|
|
<url>http://git.horde.org/diff.php/gollem/docs/CHANGES?rt=horde&amp;r1=1.114.2.55&amp;r2=1.114.2.59&amp;ty=h</url>
|
|
<url>http://bugs.horde.org/ticket/9191</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-08-21</discovery>
|
|
<entry>2010-09-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6c4db192-cb23-11df-9c1b-0011098ad87f">
|
|
<topic>horde-imp -- XSS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde-imp</name>
|
|
<range><gt>4.2,1</gt><lt>4.3.8,1</lt></range>
|
|
<range><lt>4.3.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Horde team reports:</p>
|
|
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/516">
|
|
<p>Thanks to Naumann IT Security Consulting for reporting the XSS
|
|
vulnerability.</p>
|
|
<p>The major changes compared to IMP version H3 (4.3.7) are:</p>
|
|
<p>* Fixed an XSS vulnerability in the Fetchmail configuration.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://article.gmane.org/gmane.comp.horde.announce/516</url>
|
|
<url>http://git.horde.org/diff.php/imp/docs/CHANGES?rt=horde&amp;r1=1.699.2.424&amp;r2=1.699.2.430&amp;ty=h</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-28</discovery>
|
|
<entry>2010-09-28</entry>
|
|
<modified>2011-09-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8fc55043-cb1e-11df-9c1b-0011098ad87f">
|
|
<topic>horde-base -- XSS and CSRF vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>horde-base</name>
|
|
<range><lt>3.3.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Horde team reports:</p>
|
|
<blockquote cite="http://article.gmane.org/gmane.comp.horde.announce/515">
|
|
<p>Thanks to Naumann IT Security Consulting for reporting the XSS
|
|
vulnerability.</p>
|
|
<p>Thanks to Secunia for releasing an advisory for the new CSRF
|
|
protection in the preference interface</p>
|
|
<p>The major changes compared to Horde version 3.3.8 are:</p>
|
|
<p>* Fixed XSS vulnerability in util/icon_browser.php.</p>
|
|
<p>* Protected preference forms against CSRF attacks.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://article.gmane.org/gmane.comp.horde.announce/515</url>
|
|
<url>http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&amp;r1=1.515.2.607&amp;r2=1.515.2.620&amp;ty=h</url>
|
|
<url>http://secunia.com/advisories/39860/</url>
|
|
<url>http://holisticinfosec.org/content/view/145/45/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-03</discovery>
|
|
<entry>2010-09-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="80b6d6cc-c970-11df-bb18-0015587e2cc1">
|
|
<topic>openx -- remote code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openx</name>
|
|
<range><lt>2.8.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OpenX project reported:</p>
|
|
<blockquote cite="http://blog.openx.org/09/security-update/">
|
|
<p>It has been brought to our attention that there is a vulnerability
|
|
in the 2.8 downloadable version of OpenX that can result in a server
|
|
running the downloaded version of OpenX being compromised.</p>
|
|
</blockquote>
|
|
<p>This vulnerability exists in the file upload functionality
|
|
and allows attackers to upload and execute PHP code of
|
|
their choice.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://blog.openx.org/09/security-update/</url>
|
|
<url>http://www.h-online.com/security/news/item/Web-sites-distribute-malware-via-hacked-OpenX-servers-1079099.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-14</discovery>
|
|
<entry>2010-09-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e4dac715-c818-11df-a92c-0015587e2cc1">
|
|
<topic>squid -- Denial of service vulnerability in request handling</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><ge>3.0.1</ge><lt>3.0.25_3</lt></range>
|
|
<range><ge>3.1.0.1</ge><lt>3.1.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Squid security advisory 2010:3 reports:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_3.txt">
|
|
<p>Due to an internal error in string handling Squid is
|
|
vulnerable to a denial of service attack when processing
|
|
specially crafted requests.</p>
|
|
<p>This problem allows any trusted client to perform a
|
|
denial of service attack on the Squid service.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-3072</cvename>
|
|
<url>http://www.squid-cache.org/Advisories/SQUID-2010_3.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-08-30</discovery>
|
|
<entry>2010-09-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8a34d9e6-c662-11df-b2e1-001b2134ef46">
|
|
<topic>linux-flashplugin -- remote code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-flashplugin</name>
|
|
<range><lt>9.0r283</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-f8-flashplugin</name>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>10.1r85</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe Product Security Incident Response Team reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/advisories/apsa10-03.html">
|
|
<p>A critical vulnerability exists in Adobe Flash Player
|
|
10.1.82.76 and earlier versions for Windows, Macintosh,
|
|
Linux, Solaris, and Adobe Flash Player 10.1.92.10 for
|
|
Android. This vulnerability also affects Adobe Reader
|
|
9.3.4 and earlier versions for Windows, Macintosh and
|
|
UNIX, and Adobe Acrobat 9.3.4 and earlier versions for
|
|
Windows and Macintosh. This vulnerability (CVE-2010-2884)
|
|
could cause a crash and potentially allow an attacker
|
|
to take control of the affected system. There are
|
|
reports that this vulnerability is being actively
|
|
exploited in the wild against Adobe Flash Player on
|
|
Windows. Adobe is not aware of any attacks exploiting
|
|
this vulnerability against Adobe Reader or Acrobat to
|
|
date.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2884</cvename>
|
|
<url>http://www.adobe.com/support/security/advisories/apsa10-03.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-14</discovery>
|
|
<entry>2010-09-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3ff95dd3-c291-11df-b0dc-00215c6a37bb">
|
|
<topic>django -- cross-site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>py23-django</name>
|
|
<name>py24-django</name>
|
|
<name>py25-django</name>
|
|
<name>py26-django</name>
|
|
<name>py30-django</name>
|
|
<name>py31-django</name>
|
|
<range><gt>1.2</gt><lt>1.2.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py23-django-devel</name>
|
|
<name>py24-django-devel</name>
|
|
<name>py25-django-devel</name>
|
|
<name>py26-django-devel</name>
|
|
<name>py30-django-devel</name>
|
|
<name>py31-django-devel</name>
|
|
<range><lt>13698,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Django project reports:</p>
|
|
<blockquote cite="http://www.djangoproject.com/weblog/2010/sep/08/security-release/">
|
|
<p>The provided template tag for inserting the CSRF
|
|
token into forms -- {% csrf_token %} -- explicitly
|
|
trusts the cookie value, and displays it as-is.
|
|
Thus, an attacker who is able to tamper with the
|
|
value of the CSRF cookie can cause arbitrary content
|
|
to be inserted, unescaped, into the outgoing HTML of
|
|
the form, enabling cross-site scripting (XSS) attacks.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>43116</bid>
|
|
<cvename>CVE-2010-3082</cvename>
|
|
<url>http://xforce.iss.net/xforce/xfdb/61729</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-13</discovery>
|
|
<entry>2010-09-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9bcfd7b6-bcda-11df-9a6a-0015f2db7bde">
|
|
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>webkit-gtk2</name>
|
|
<range><lt>1.2.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gustavo Noronha Silva reports:</p>
|
|
<blockquote cite="http://gitorious.org/webkitgtk/stable/commit/9d07fda89aab7105962d933eef32ca15dda610d8">
|
|
<p>With help from Vincent Danen and other members of the Red Hat
|
|
security team, the following CVEs were fixed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1781</cvename>
|
|
<cvename>CVE-2010-1782</cvename>
|
|
<cvename>CVE-2010-1784</cvename>
|
|
<cvename>CVE-2010-1785</cvename>
|
|
<cvename>CVE-2010-1786</cvename>
|
|
<cvename>CVE-2010-1787</cvename>
|
|
<cvename>CVE-2010-1788</cvename>
|
|
<cvename>CVE-2010-1790</cvename>
|
|
<cvename>CVE-2010-1792</cvename>
|
|
<cvename>CVE-2010-1793</cvename>
|
|
<cvename>CVE-2010-2647</cvename>
|
|
<cvename>CVE-2010-2648</cvename>
|
|
<cvename>CVE-2010-3119</cvename>
|
|
<url>http://gitorious.org/webkitgtk/stable/commit/9d07fda89aab7105962d933eef32ca15dda610d8</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-07</discovery>
|
|
<entry>2010-09-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f866d2af-bbba-11df-8a8d-0008743bf21a">
|
|
<topic>vim6 -- heap-based overflow while parsing shell metacharacters</topic>
|
|
<affects>
|
|
<package>
|
|
<name>vim6</name>
|
|
<name>vim6+ruby</name>
|
|
<range><ge>6.2.429</ge><lt>6.3.62</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Description for CVE-2008-3432 says:</p>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432">
|
|
<p>Heap-based buffer overflow in the mch_expand_wildcards
|
|
function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted
|
|
attackers to execute arbitrary code via shell metacharacters
|
|
in filenames, as demonstrated by the netrw.v3 test case.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2008-3432</cvename>
|
|
<url>http://www.openwall.com/lists/oss-security/2008/07/15/4</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2008-07-31</discovery>
|
|
<entry>2010-09-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4a21ce2c-bb13-11df-8e32-000f20797ede">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>3.6.*,1</gt><lt>3.6.9,1</lt></range>
|
|
<range><gt>3.5.*,1</gt><lt>3.5.12,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxul</name>
|
|
<range><gt>1.9.2.*</gt><lt>1.9.2.9</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>3.6.9,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox-devel</name>
|
|
<range><lt>3.5.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><gt>2.0.*</gt><lt>2.0.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><ge>3.0</ge><lt>3.0.7</lt></range>
|
|
<range><ge>3.1</ge><lt>3.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)</p>
|
|
<p>MFSA 2010-50 Frameset integer overflow vulnerability</p>
|
|
<p>MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array</p>
|
|
<p>MFSA 2010-52 Windows XP DLL loading vulnerability</p>
|
|
<p>MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText</p>
|
|
<p>MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection</p>
|
|
<p>MFSA 2010-55 XUL tree removal crash and remote code execution</p>
|
|
<p>MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView</p>
|
|
<p>MFSA 2010-57 Crash and remote code execution in normalizeDocument</p>
|
|
<p>MFSA 2010-58 Crash on Mac using fuzzed font in data: URL</p>
|
|
<p>MFSA 2010-59 SJOW creates scope chains ending in outer object</p>
|
|
<p>MFSA 2010-60 XSS using SJOW scripted function</p>
|
|
<p>MFSA 2010-61 UTF-7 XSS by overriding document charset using object type attribute</p>
|
|
<p>MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS</p>
|
|
<p>MFSA 2010-63 Information leak via XMLHttpRequest statusText</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2762</cvename>
|
|
<cvename>CVE-2010-2763</cvename>
|
|
<cvename>CVE-2010-2764</cvename>
|
|
<cvename>CVE-2010-2765</cvename>
|
|
<cvename>CVE-2010-2766</cvename>
|
|
<cvename>CVE-2010-2767</cvename>
|
|
<cvename>CVE-2010-2768</cvename>
|
|
<cvename>CVE-2010-2769</cvename>
|
|
<cvename>CVE-2010-2770</cvename>
|
|
<cvename>CVE-2010-2760</cvename>
|
|
<cvename>CVE-2010-3131</cvename>
|
|
<cvename>CVE-2010-3166</cvename>
|
|
<cvename>CVE-2010-3167</cvename>
|
|
<cvename>CVE-2010-3168</cvename>
|
|
<cvename>CVE-2010-3169</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-49.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-50.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-51.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-52.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-53.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-54.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-55.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-56.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-57.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-58.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-59.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-60.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-61.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-62.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-63.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-07</discovery>
|
|
<entry>2010-09-08</entry>
|
|
<modified>2010-09-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="67b514c3-ba8f-11df-8f6e-000c29a67389">
|
|
<topic>sudo -- Flaw in Runas group matching</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sudo</name>
|
|
<range><ge>1.7.0</ge><lt>1.7.4.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Todd Miller reports:</p>
|
|
<blockquote cite="http://www.sudo.ws/sudo/alerts/runas_group.html">
|
|
<p>Beginning with sudo version 1.7.0 it has been possible to grant
|
|
permission to run a command using a specified group via sudo -g
|
|
option (run as group). A flaw exists in the logic that matches
|
|
Runas groups in the sudoers file when the -u option is also
|
|
specified (run as user). This flaw results in a positive match for
|
|
the user specified via -u so long as the group specified via -g
|
|
is allowed by the sudoers file.</p>
|
|
<p>Exploitation of the flaw requires that Sudo be configured with
|
|
sudoers entries that contain a Runas group. Entries that do not
|
|
contain a Runas group, or only contain a Runas user are not
|
|
affected.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2956</cvename>
|
|
<url>http://www.sudo.ws/sudo/alerts/runas_group.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-09-07</discovery>
|
|
<entry>2010-09-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="29b7e3f4-b6a9-11df-ae63-f255a795cb21">
|
|
<topic>lftp -- multiple HTTP client download filename vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>lftp</name>
|
|
<range><lt>4.0.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The get1 command, as used by lftpget, in LFTP before 4.0.6 does
|
|
not properly validate a server-provided filename before determining
|
|
the destination filename of a download, which allows remote servers
|
|
to create or overwrite arbitrary files via a Content-Disposition
|
|
header that suggests a crafted filename, and possibly execute
|
|
arbitrary code as a consequence of writing to a dotfile in a home
|
|
directory.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2251</cvename>
|
|
<url>https://bugzilla.redhat.com/show_bug.cgi?id=591580</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-09</discovery>
|
|
<entry>2010-09-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d754b7d2-b6a7-11df-826c-e464a695cb21">
|
|
<topic>wget -- multiple HTTP client download filename vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wget</name>
|
|
<name>wget-devel</name>
|
|
<range><le>1.12_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>GNU Wget version 1.12 and earlier uses a server-provided filename
|
|
instead of the original URL to determine the destination filename of
|
|
a download, which allows remote servers to create or overwrite
|
|
arbitrary files via a 3xx redirect to a URL with a .wgetrc filename
|
|
followed by a 3xx redirect to a URL with a crafted filename, and
|
|
possibly execute arbitrary code as a consequence of writing to a
|
|
dotfile in a home directory.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2252</cvename>
|
|
<url>https://bugzilla.redhat.com/show_bug.cgi?id=602797</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-09</discovery>
|
|
<entry>2010-09-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3a7c5fc4-b50c-11df-977b-ecc31dd8ad06">
|
|
<topic>p5-libwww -- possibility for remote servers to create files beginning with a . (dot) character</topic>
|
|
<affects>
|
|
<package>
|
|
<name>p5-libwww</name>
|
|
<range><lt>5.835</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>lwp-download in libwww-perl before 5.835 does not reject downloads
|
|
to filenames that begin with a `.' (dot) character, which allows
|
|
remote servers to create or overwrite files via a 3xx redirect to a
|
|
URL with a crafted filename or a Content-Disposition header that
|
|
suggests a crafted filename, and possibly execute arbitrary code as
|
|
a consequence of writing to a dotfile in a home directory.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2253</cvename>
|
|
<url>http://cpansearch.perl.org/src/GAAS/libwww-perl-5.836/Changes</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-09</discovery>
|
|
<entry>2010-08-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="167953a4-b01c-11df-9a98-0015587e2cc1">
|
|
<topic>quagga -- stack overflow and DoS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>quagga</name>
|
|
<range><lt>0.99.17</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Red Hat security team reported two vulnerabilities:</p>
|
|
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/08/24/3">
|
|
<p>A stack buffer overflow flaw was found in the way Quagga's bgpd
|
|
daemon processed Route-Refresh messages. A configured
|
|
Border Gateway Protocol (BGP) peer could send a
|
|
Route-Refresh message with specially-crafted Outbound
|
|
Route Filtering (ORF) record, which would cause the
|
|
master BGP daemon (bgpd) to crash or, possibly, execute
|
|
arbitrary code with the privileges of the user running
|
|
bgpd.</p>
|
|
<p>A NULL pointer dereference flaw was found in the way
|
|
Quagga's bgpd daemon parsed paths of autonomous systems
|
|
(AS). A configured BGP peer could send a BGP update AS
|
|
path request with unknown AS type, which could lead to
|
|
denial of service (bgpd daemon crash).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.openwall.com/lists/oss-security/2010/08/24/3</url>
|
|
<url>http://www.quagga.net/news2.php?y=2010&amp;m=8&amp;d=19#id1282241100</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-08-24</discovery>
|
|
<entry>2010-08-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8cbf4d65-af9a-11df-89b8-00151735203a">
|
|
<topic>bugzilla -- information disclosure, denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bugzilla</name>
|
|
<range><gt>2.17.1</gt><lt>3.6.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Bugzilla Security Advisory reports:</p>
|
|
<blockquote cite="http://www.bugzilla.org/security/3.2.7/">
|
|
<ul>
|
|
<li>Remote Information Disclosure:
|
|
An unprivileged user is normally not allowed to view
|
|
other users' group membership. But boolean charts
|
|
let the user use group-based pronouns, indirectly
|
|
disclosing group membership. This security fix
|
|
restricts the use of pronouns to groups the user
|
|
belongs to.</li>
|
|
<li>Notification Bypass:
|
|
Normally, when a user is impersonated, he receives
|
|
an email informing him that he is being impersonated,
|
|
containing the identity of the impersonator. However,
|
|
it was possible to impersonate a user without this
|
|
notification being sent.</li>
|
|
<li>Remote Information Disclosure:
|
|
An error message thrown by the "Reports" and "Duplicates"
|
|
page confirmed the non-existence of products, thus
|
|
allowing users to guess confidential product names.
|
|
(Note that the "Duplicates" page was not vulnerable
|
|
in Bugzilla 3.6rc1 and above though.)</li>
|
|
<li>Denial of Service:
|
|
If a comment contained the phrases "bug X" or
|
|
"attachment X", where X was an integer larger than the
|
|
maximum 32-bit signed integer size, PostgreSQL would
|
|
throw an error, and any page containing that comment would
|
|
not be viewable. On most Bugzillas, any user can enter
|
|
a comment on any bug, so any user could have used this to
|
|
deny access to one or all bugs. Bugzillas running on
|
|
databases other than PostgreSQL are not affected.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2756</cvename>
|
|
<cvename>CVE-2010-2757</cvename>
|
|
<cvename>CVE-2010-2758</cvename>
|
|
<cvename>CVE-2010-2759</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=417048</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=450013</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=577139</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=519835</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=583690</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-08-05</discovery>
|
|
<entry>2010-08-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b6069837-aadc-11df-82df-0015f2db7bde">
|
|
<topic>OpenTTD -- Denial of service (server) via infinite loop</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openttd</name>
|
|
<range><ge>1.0.1</ge><lt>1.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OpenTTD Team reports:</p>
|
|
<blockquote cite="http://security.openttd.org/en/CVE-2010-2534">
|
|
<p>When multiple commands are queued (at the server) for execution
|
|
in the next game tick and a client joins, the server can get into
|
|
an infinite loop. With the default settings triggering this bug
|
|
is difficult (if not impossible), however the larger the value of
|
|
the "frame_freq" setting, the easier it is to trigger the bug.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2534</cvename>
|
|
<url>http://security.openttd.org/en/CVE-2010-2534</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-27</discovery>
|
|
<entry>2010-08-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="67a1c3ae-ad69-11df-9be6-0015587e2cc1">
|
|
<topic>corkscrew -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>corkscrew</name>
|
|
<range><le>2.0</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The affected corkscrew versions use sscanf calls without proper
|
|
bounds checking. In the authentication file parsing routine
|
|
this can cause an exploitable buffer overflow condition.
|
|
A similar issue exists in the server response code but
|
|
appears to be non-exploitable.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://people.freebsd.org/~niels/issues/corkscrew-20100821.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-08-21</discovery>
|
|
<entry>2010-08-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="274922b8-ad20-11df-af1f-00e0814cab4e">
|
|
<topic>phpmyadmin -- Several XSS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>3.3.5.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>phpMyAdmin211</name>
|
|
<range><lt>2.11.10.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>phpMyAdmin Team reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php">
|
|
<p>It was possible to conduct a XSS attack using crafted URLs or
|
|
POST parameters on several pages.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-3056</cvename>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-08-09</discovery>
|
|
<entry>2010-08-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="68c7187a-abd2-11df-9be6-0015587e2cc1">
|
|
<topic>slim -- insecure PATH assignment</topic>
|
|
<affects>
|
|
<package>
|
|
<name>slim</name>
|
|
<range><lt>1.3.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SLiM assigns logged on users a PATH in which the current
|
|
working directory ("./") is included. This PATH can allow
|
|
unintentional code execution through planted binaries and
|
|
has therefore been fixed in SLiM version 1.3.2.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2945</cvename>
|
|
<url>http://seclists.org/oss-sec/2010/q3/198</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-12</discovery>
|
|
<entry>2010-08-19</entry>
|
|
<modified>2010-08-20</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="34e0316a-aa91-11df-8c2e-001517289bf8">
|
|
<topic>ruby -- UTF-7 encoding XSS vulnerability in WEBrick</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<name>ruby+pthreads</name>
|
|
<name>ruby+pthreads+oniguruma</name>
|
|
<name>ruby+oniguruma</name>
|
|
<range><ge>1.8.*,1</ge><lt>1.8.7.248_3,1</lt></range>
|
|
<range><ge>1.9.*,1</ge><lt>1.9.1.430,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The official ruby site reports:</p>
|
|
<blockquote cite="http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/">
|
|
<p>WEBrick has had a cross-site scripting vulnerability that allows
|
|
an attacker to inject arbitrary script or HTML via a crafted URI.
|
|
This does not affect user agents that strictly implement HTTP/1.1,
|
|
however, some user agents do not.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>40895</bid>
|
|
<cvename>CVE-2010-0541</cvename>
|
|
<url>http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-08-16</discovery>
|
|
<entry>2010-08-17</entry>
|
|
<modified>2010-08-20</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b74a8076-9b1f-11df-9f58-021e8c343e76">
|
|
<topic>isolate -- local root exploit</topic>
|
|
<affects>
|
|
<package>
|
|
<name>isolate</name>
|
|
<range><lt>20100717</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<blockquote cite="http://code.google.com/p/isolate/">
|
|
<p>Isolate currently suffers from some bad security bugs! These
|
|
are local root privilege escalation bugs. Thanks to the helpful
|
|
person who reported them (email Chris if you want credit!).
|
|
We're working to fix them ASAP, but until then, isolate is
|
|
unsafe and you should uninstall it. Sorry!</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/148911</freebsdpr>
|
|
<url>http://code.google.com/p/isolate/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-29</discovery>
|
|
<entry>2010-08-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e7d91a3c-a7c9-11df-870c-00242b513d7c">
|
|
<topic>vlc -- invalid id3v2 tags may lead to invalid memory dereferencing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>vlc</name>
|
|
<range><gt>0.9.0,3</gt><lt>1.1.2_1,3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>VideoLAN project reports:</p>
|
|
<blockquote cite="http://www.videolan.org/security/sa1004.html">
|
|
<p>VLC fails to perform sufficient input validation when trying to
|
|
extract some meta-informations about input media through ID3v2
|
|
tags. In the failure case, VLC attempts to dereference an invalid
|
|
memory address, and a crash will ensue.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2937</cvename>
|
|
<url>http://www.videolan.org/security/sa1004.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-29</discovery>
|
|
<entry>2010-08-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e19e74a4-a712-11df-b234-001b2134ef46">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-flashplugin</name>
|
|
<range><lt>9.0r280</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-f8-flashplugin</name>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>10.1r82</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe Product Security Incident Response Team reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-16.html">
|
|
<p>Critical vulnerabilities have been identified in Adobe
|
|
Flash Player version 10.1.53.64 and earlier. These
|
|
vulnerabilities could cause the application to crash and
|
|
could potentially allow an attacker to take control of the
|
|
affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-0209</cvename>
|
|
<cvename>CVE-2010-2188</cvename>
|
|
<cvename>CVE-2010-2213</cvename>
|
|
<cvename>CVE-2010-2214</cvename>
|
|
<cvename>CVE-2010-2215</cvename>
|
|
<cvename>CVE-2010-2216</cvename>
|
|
<url>http://www.adobe.com/support/security/bulletins/apsb10-16.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-01-06</discovery>
|
|
<entry>2010-08-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="71273c4d-a6ec-11df-8a8d-0008743bf21a">
|
|
<topic>opera -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opera</name>
|
|
<range><lt>10.61</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Opera Desktop Team reports:</p>
|
|
<blockquote cite="http://www.opera.com/docs/changelogs/unix/1061/">
|
|
<ul>
|
|
<li>Fixed an issue where heap buffer overflow in HTML5 canvas could
|
|
be used to execute arbitrary code, as reported by Kuzzcc.</li>
|
|
<li>Fixed an issue where unexpected changes in tab focus could be
|
|
used to run programs from the Internet, as reported by Jakob Balle
|
|
and Sven Krewitt of Secunia.</li>
|
|
<li>Fixed an issue where news feed preview could subscribe to feeds
|
|
without interaction, as reported by Alexios Fakos.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.opera.com/support/search/view/966/</url>
|
|
<url>http://www.opera.com/support/search/view/967/</url>
|
|
<url>http://www.opera.com/support/search/view/968/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-08-12</discovery>
|
|
<entry>2010-08-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c2eac2b5-9a7d-11df-8e32-000f20797ede">
|
|
<topic>firefox -- Dangling pointer crash regression from plugin parameter array fix</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>3.6.*,1</gt><lt>3.6.8,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>3.6.8,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2755</cvename>
|
|
<url>https://www.mozilla.org/security/announce/2010/mfsa2010-48.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-20</discovery>
|
|
<entry>2010-08-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="26e1c48a-9fa7-11df-81b5-00e0814cab4e">
|
|
<topic>Piwik -- Local File Inclusion Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>piwik</name>
|
|
<range><gt>0.6</gt><lt>0.6.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Piwik versions 0.6 through 0.6.3 are vulnerable to arbitrary,
|
|
remote file inclusion using a directory traversal pattern in
|
|
a crafted request for a data renderer.</p>
|
|
<blockquote cite="http://secunia.com/advisories/40703">
|
|
<p>A vulnerability has been reported in Piwik, which can be
|
|
exploited by malicious people to disclose potentially
|
|
sensitive information. Input passed to unspecified parameters
|
|
when requesting a data renderer is not properly verified before
|
|
being used to include files. This can be exploited to include
|
|
arbitrary files from local resources via directory traversal
|
|
attacks.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2786</cvename>
|
|
<url>http://secunia.com/advisories/40703</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-28</discovery>
|
|
<entry>2010-08-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="43024078-9b63-11df-8983-001d60d86f38">
|
|
<topic>libmspack -- infinite loop denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libmspack</name>
|
|
<range><le>0.0.20060920</le></range>
|
|
</package>
|
|
<package>
|
|
<name>cabextract</name>
|
|
<range><lt>1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>There is a denial of service vulnerability in libmspack. The
|
|
libmspack code is built into cabextract, so it is also
|
|
vulnerable.</p>
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/40719/">
|
|
<p>The vulnerability is caused due to an error when copying data
|
|
from an uncompressed block (block type 0) and can be exploited
|
|
to trigger an infinite loop by tricking an application using the
|
|
library into processing specially crafted MS-ZIP archives.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/40719/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-26</discovery>
|
|
<entry>2010-07-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="28a7310f-9855-11df-8d36-001aa0166822">
|
|
<topic>apache -- Remote DoS bug in mod_cache and mod_dav</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache</name>
|
|
<range><ge>2.2.0</ge><lt>2.2.16</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Apache ChangeLog reports:</p>
|
|
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.2.16">
|
|
<p>mod_dav, mod_cache: Fix Handling of requests without a path segment.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1452</cvename>
|
|
<url>http://www.apache.org/dist/httpd/CHANGES_2.2.16</url>
|
|
<url>https://issues.apache.org/bugzilla/show_bug.cgi?id=49246</url>
|
|
<url>http://svn.apache.org/viewvc?view=revision&amp;revision=966349</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-21</discovery>
|
|
<entry>2010-07-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="827bc2b7-95ed-11df-9160-00e0815b8da8">
|
|
<topic>git -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>git</name>
|
|
<range><ge>1.5.6</ge><lt>1.7.1.1_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Greg Brockman reports:</p>
|
|
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/07/22/1">
|
|
<p>If an attacker were to create a crafted working copy where the
|
|
user runs any git command, the attacker could force execution
|
|
of arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2542</cvename>
|
|
<url>http://git.kernel.org/?p=git/git.git;a=commit;h=3c9d0414ed2db0167e6c828b547be8fc9f88fccc</url>
|
|
<url>http://www.openwall.com/lists/oss-security/2010/07/22/1</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-20</discovery>
|
|
<entry>2010-07-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0502c1cb-8f81-11df-a0bb-0050568452ac">
|
|
<topic>codeigniter -- file upload class vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>codeigniter</name>
|
|
<range><lt>1.7.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Derek Jones reports:</p>
|
|
<blockquote cite="http://codeigniter.com/news/codeigniter_1.7.2_security_patch/">
|
|
<p>A fix has been implemented for a security flaw in
|
|
CodeIgniter 1.7.2. All applications using the File
|
|
Upload class should install the patch to ensure that
|
|
their application is not subject to a vulnerability.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://codeigniter.com/news/codeigniter_1.7.2_security_patch/</url>
|
|
<url>http://www.phpframeworks.com/news/p/16365/codeigniter-1-7-2-security-patch</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-12</discovery>
|
|
<entry>2010-07-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8c2ea875-9499-11df-8e32-000f20797ede">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>3.6.*,1</gt><lt>3.6.7,1</lt></range>
|
|
<range><gt>3.5.*,1</gt><lt>3.5.11,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>3.6.7,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox-devel</name>
|
|
<range><lt>3.5.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><gt>2.0.*</gt><lt>2.0.6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><ge>3.0</ge><lt>3.0.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)</p>
|
|
<p>MFSA 2010-35 DOM attribute cloning remote code execution vulnerability</p>
|
|
<p>MFSA 2010-36 Use-after-free error in NodeIterator</p>
|
|
<p>MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability</p>
|
|
<p>MFSA 2010-38 Arbitrary code execution using SJOW and fast native function</p>
|
|
<p>MFSA 2010-39 nsCSSValue::Array index integer overflow</p>
|
|
<p>MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability</p>
|
|
<p>MFSA 2010-41 Remote code execution using malformed PNG image</p>
|
|
<p>MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts</p>
|
|
<p>MFSA 2010-43 Same-origin bypass using canvas context</p>
|
|
<p>MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish</p>
|
|
<p>MFSA 2010-45 Multiple location bar spoofing vulnerabilities</p>
|
|
<p>MFSA 2010-46 Cross-domain data theft using CSS</p>
|
|
<p>MFSA 2010-47 Cross-origin data leakage from script filename in error messages</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-0654</cvename>
|
|
<cvename>CVE-2010-1205</cvename>
|
|
<cvename>CVE-2010-1206</cvename>
|
|
<cvename>CVE-2010-1207</cvename>
|
|
<cvename>CVE-2010-1208</cvename>
|
|
<cvename>CVE-2010-1209</cvename>
|
|
<cvename>CVE-2010-1210</cvename>
|
|
<cvename>CVE-2010-1211</cvename>
|
|
<cvename>CVE-2010-1212</cvename>
|
|
<cvename>CVE-2010-1213</cvename>
|
|
<cvename>CVE-2010-1214</cvename>
|
|
<cvename>CVE-2010-1215</cvename>
|
|
<cvename>CVE-2010-2751</cvename>
|
|
<cvename>CVE-2010-2752</cvename>
|
|
<cvename>CVE-2010-2753</cvename>
|
|
<cvename>CVE-2010-2754</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-34.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-35.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-36.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-37.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-38.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-39.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-40.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-41.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-42.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-43.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-44.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-45.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-46.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-47.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-20</discovery>
|
|
<entry>2010-07-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9a8fecef-92c0-11df-b140-0015f2db7bde">
|
|
<topic>vte -- Classic terminal title set+query attack</topic>
|
|
<affects>
|
|
<package>
|
|
<name>vte</name>
|
|
<range><lt>0.24.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Kees Cook reports:</p>
|
|
<blockquote cite="http://www.securityfocus.com/archive/1/512388">
|
|
<p>Janne Snabb discovered that applications using VTE, such as
|
|
gnome-terminal, did not correctly filter window and icon title
|
|
request escape codes. If a user were tricked into viewing
|
|
specially crafted output in their terminal, a remote attacker
|
|
could execute arbitrary commands with user privileges.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2713</cvename>
|
|
<url>http://www.securityfocus.com/archive/1/512388</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-15</discovery>
|
|
<entry>2010-07-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="19419b3b-92bd-11df-b140-0015f2db7bde">
|
|
<topic>webkit-gtk2 -- Multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>webkit-gtk2</name>
|
|
<range><lt>1.2.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gustavo Noronha reports:</p>
|
|
<blockquote cite="http://blog.kov.eti.br/?p=116">
|
|
<p>Debian's Michael Gilbert has done a great job going through all
|
|
CVEs released about WebKit, and including patches in the Debian
|
|
package. 1.2.3 includes all of the commits from trunk to fix those,
|
|
too.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1386</cvename>
|
|
<cvename>CVE-2010-1392</cvename>
|
|
<cvename>CVE-2010-1405</cvename>
|
|
<cvename>CVE-2010-1407</cvename>
|
|
<cvename>CVE-2010-1416</cvename>
|
|
<cvename>CVE-2010-1417</cvename>
|
|
<cvename>CVE-2010-1418</cvename>
|
|
<cvename>CVE-2010-1421</cvename>
|
|
<cvename>CVE-2010-1422</cvename>
|
|
<cvename>CVE-2010-1501</cvename>
|
|
<cvename>CVE-2010-1664</cvename>
|
|
<cvename>CVE-2010-1665</cvename>
|
|
<cvename>CVE-2010-1758</cvename>
|
|
<cvename>CVE-2010-1759</cvename>
|
|
<cvename>CVE-2010-1760</cvename>
|
|
<cvename>CVE-2010-1761</cvename>
|
|
<cvename>CVE-2010-1762</cvename>
|
|
<cvename>CVE-2010-1767</cvename>
|
|
<cvename>CVE-2010-1770</cvename>
|
|
<cvename>CVE-2010-1771</cvename>
|
|
<cvename>CVE-2010-1772</cvename>
|
|
<cvename>CVE-2010-1773</cvename>
|
|
<cvename>CVE-2010-1774</cvename>
|
|
<cvename>CVE-2010-2264</cvename>
|
|
<url>http://blog.kov.eti.br/?p=116</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-16</discovery>
|
|
<entry>2010-07-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ba61ce15-8a7b-11df-87ec-0050569b2d21">
|
|
<topic>redmine -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>redmine</name>
|
|
<range><lt>0.9.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Eric Davis reports:</p>
|
|
<blockquote cite="http://www.redmine.org/news/41">
|
|
<p>This security release addresses some security
|
|
vulnerabilities found in the advanced subversion
|
|
integration module (Redmine.pm perl script).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.redmine.org/news/41</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-07-08</discovery>
|
|
<entry>2010-07-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="25ed4ff8-8940-11df-a339-0026189baca3">
|
|
<topic>bogofilter -- heap underrun on malformed base64 input</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bogofilter</name>
|
|
<range><lt>1.2.1_2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bogofilter-sqlite</name>
|
|
<range><lt>1.2.1_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bogofilter-tc</name>
|
|
<range><lt>1.2.1_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Julius Plenz reports:</p>
|
|
<blockquote cite="http://www.bogofilter.org/pipermail/bogofilter-dev/2010-June/003475.html">
|
|
<p>I found a bug in the base64_decode function which may cause memory
|
|
corruption when the function is executed on a malformed base64
|
|
encoded string.</p>
|
|
<p>If a string starting with an equal-sign is passed to the
|
|
base64_decode function it triggers a memory corruption that
|
|
in some cases makes bogofilter crash.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2494</cvename>
|
|
<url>http://bogofilter.sourceforge.net/security/bogofilter-SA-2010-01</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-28</discovery>
|
|
<entry>2010-07-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f1331504-8849-11df-89b8-00151735203a">
|
|
<topic>bugzilla -- information disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bugzilla</name>
|
|
<range><gt>2.17.1</gt><lt>3.6.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Bugzilla Security Advisory reports:</p>
|
|
<blockquote cite="http://www.bugzilla.org/security/3.2.6/">
|
|
<ul>
|
|
<li>Normally, information about time-tracking (estimated
|
|
hours, actual hours, hours worked, and deadlines) is
|
|
restricted to users in the "time-tracking group".
|
|
However, any user was able, by crafting their own
|
|
search URL, to search for bugs based using those
|
|
fields as criteria, thus possibly exposing sensitive
|
|
time-tracking information by a user seeing that a bug
|
|
matched their search.</li>
|
|
<li>If $use_suexec was set to "1" in the localconfig file,
|
|
then the localconfig file's permissions were set as
|
|
world-readable by checksetup.pl. This allowed any user
|
|
with local shell access to see the contents of the file,
|
|
including the database password and the site_wide_secret
|
|
variable used for CSRF protection.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1204</cvename>
|
|
<cvename>CVE-2010-0180</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=309952</url>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=561797</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-24</discovery>
|
|
<entry>2010-07-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8685d412-8468-11df-8d45-001d7d9eb79a">
|
|
<topic>kvirc -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>kvirc</name>
|
|
<name>kvirc-devel</name>
|
|
<range><lt>4.0.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Two security vulnerabilities have been discovered:</p>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2451">
|
|
<p>Multiple format string vulnerabilities in the DCC functionality
|
|
in KVIrc 3.4 and 4.0 have unspecified impact and remote attack vectors.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2452">
|
|
<p>Directory traversal vulnerability in the DCC functionality
|
|
in KVIrc 3.4 and 4.0 allows remote attackers to overwrite
|
|
arbitrary files via unknown vectors.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-2451</cvename>
|
|
<cvename>CVE-2010-2452</cvename>
|
|
<url>http://lists.omnikron.net/pipermail/kvirc/2010-May/000867.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-17</discovery>
|
|
<entry>2010-06-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="edef3f2f-82cf-11df-bcce-0018f3e2eb82">
|
|
<topic>png -- libpng decompression buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>png</name>
|
|
<range>
|
|
<lt>1.4.3</lt>
|
|
</range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The PNG project describes the problem in an advisory:</p>
|
|
<blockquote cite="http://www.libpng.org/pub/png/libpng.html">
|
|
<p>Several versions of libpng through 1.4.2 (and through 1.2.43
|
|
in the older series) contain a bug whereby progressive
|
|
applications such as web browsers (or the rpng2 demo app included
|
|
in libpng) could receive an extra row of image data beyond the
|
|
height reported in the header, potentially leading to an
|
|
out-of-bounds write to memory (depending on how the application
|
|
is written) and the possibility of execution of an attacker's
|
|
code with the privileges of the libpng user (including remote
|
|
compromise in the case of a libpng-based browser visiting a
|
|
hostile web site).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>41174</bid>
|
|
<cvename>CVE-2010-1205</cvename>
|
|
<url>http://www.libpng.org/pub/png/libpng.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-03-30</discovery>
|
|
<entry>2010-06-28</entry>
|
|
<modified>2010-06-28</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="66759ce6-7530-11df-9c33-000c29ba66d2">
|
|
<topic>moodle -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>moodle</name>
|
|
<range><lt>1.9.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Moodle release notes report multiple vulnerabilities
|
|
which could allow cross-site scripting (XSS) attacks and
|
|
unauthorised deletion of attempts in some instances.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://docs.moodle.org/en/Moodle_1.9.9_release_notes</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-08</discovery>
|
|
<entry>2010-06-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1cd87e2a-81e3-11df-81d8-00262d5ed8ee">
|
|
<topic>mDNSResponder -- corrupted stack crash when parsing bad resolv.conf</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mDNSResponder</name>
|
|
<range><le>214</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Juli Mallett reports:</p>
|
|
<blockquote>
|
|
<p>mdnsd will crash on some systems with a corrupt stack and once
|
|
that's fixed it will still leak a file descriptor when parsing
|
|
resolv.conf. The crash is because scanf is used with %10s for a
|
|
buffer that is only 10 chars long. The buffer size needs increased
|
|
to 11 chars to hold the trailing NUL. To fix the leak, an fclose
|
|
needs added.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdpr>ports/147007</freebsdpr>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-26</discovery>
|
|
<entry>2010-06-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="77b9f9bc-7fdf-11df-8a8d-0008743bf21a">
|
|
<topic>opera -- Data URIs can be used to allow cross-site scripting</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opera</name>
|
|
<range><lt>10.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>opera-devel</name>
|
|
<range><le>10.20_2,1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Opera Desktop Team reports:</p>
|
|
<blockquote cite="http://www.opera.com/support/kb/view/955/">
|
|
<p>Data URIs are allowed to run scripts that manipulate
|
|
pages from the site that directly opened them. In some cases, the opening site
|
|
is not correctly detected. In these cases, Data URIs may erroneously be able to
|
|
run scripts so that they interact with sites that did not directly cause them to
|
|
be opened.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.opera.com/support/kb/view/955/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-21</discovery>
|
|
<entry>2010-06-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e02e6a4e-6b26-11df-96b2-0015587e2cc1">
|
|
<topic>cacti -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cacti</name>
|
|
<range><lt>0.8.7f</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Multiple vulnerabilities have been reported to exist in older versions of
|
|
Cacti. The release notes of Cacti 0.8.7f summarize the problems as
|
|
follows:</p>
|
|
<blockquote cite="http://www.cacti.net/release_notes_0_8_7f.php">
|
|
<ul>
|
|
<li>SQL injection and shell escaping issues</li>
|
|
<li>Cross-site scripting issues</li>
|
|
<li>Cacti Graph Viewer SQL injection vulnerability</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html</url>
|
|
<url>http://www.cacti.net/release_notes_0_8_7f.php</url>
|
|
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php</url>
|
|
<url>http://www.vupen.com/english/advisories/2010/1204</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-24</discovery>
|
|
<entry>2010-06-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="99858b7c-7ece-11df-a007-000f20797ede">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>3.6.*,1</gt><lt>3.6.4,1</lt></range>
|
|
<range><gt>3.5.*,1</gt><lt>3.5.10,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox-devel</name>
|
|
<range><lt>3.5.10</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><gt>2.0.*</gt><lt>2.0.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><ge>3.0</ge><lt>3.0.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2010-33 User tracking across sites using Math.random()</p>
|
|
<p>MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present</p>
|
|
<p>MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes</p>
|
|
<p>MFSA 2010-30 Integer Overflow in XSLT Node Sorting</p>
|
|
<p>MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal</p>
|
|
<p>MFSA 2010-28 Freed object reuse across plugin instances</p>
|
|
<p>MFSA 2010-27 Use-after-free error in nsCycleCollector::MarkRoots()</p>
|
|
<p>MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)</p>
|
|
<p>MFSA 2010-25 Re-use of freed object due to scope confusion</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2008-5913</cvename>
|
|
<cvename>CVE-2010-0183</cvename>
|
|
<cvename>CVE-2010-1121</cvename>
|
|
<cvename>CVE-2010-1125</cvename>
|
|
<cvename>CVE-2010-1197</cvename>
|
|
<cvename>CVE-2010-1199</cvename>
|
|
<cvename>CVE-2010-1196</cvename>
|
|
<cvename>CVE-2010-1198</cvename>
|
|
<cvename>CVE-2010-1200</cvename>
|
|
<cvename>CVE-2010-1201</cvename>
|
|
<cvename>CVE-2010-1202</cvename>
|
|
<cvename>CVE-2010-1203</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-33.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-32.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-31.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-30.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-29.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-28.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-27.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-26.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-25.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-22</discovery>
|
|
<entry>2010-06-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="25673e6e-786b-11df-a921-0245fb008c0b">
|
|
<topic>ziproxy -- security vulnerability in PNG decoder</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ziproxy</name>
|
|
<range><ge>3.1.0</ge></range>
|
|
<range><lt>3.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Daniel Mealha Cabrita reports:</p>
|
|
<blockquote cite="http://ziproxy.sourceforge.net/#news">
|
|
<p>Fixed security vulnerability (heap-related) in PNG decoder.
|
|
(new bug from 3.1.0)</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://ziproxy.sourceforge.net/#news</url>
|
|
<mlist msgid="201006150731.30474.dancab@gmx.net">http://sourceforge.net/mailarchive/message.php?msg_name=201006150731.30474.dancab%40gmx.net</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-15</discovery>
|
|
<entry>2010-06-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8816bf3a-7929-11df-bcce-0018f3e2eb82">
|
|
<topic>tiff -- Multiple integer overflows</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tiff</name>
|
|
<range><lt>3.9.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-tiff</name>
|
|
<name>linux-f10-tiff</name>
|
|
<range><lt>3.9.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Tielei Wang:</p>
|
|
<blockquote cite="http://www.ocert.org/advisories/ocert-2009-012.html">
|
|
<p>Multiple integer overflows in inter-color spaces conversion
|
|
tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow
|
|
context-dependent attackers to execute arbitrary code via a
|
|
TIFF image with large (1) width and (2) height values, which
|
|
triggers a heap-based buffer overflow in the (a) cvt_whole_image
|
|
function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2009-2347</cvename>
|
|
<url>http://www.remotesensing.org/libtiff/v3.9.4.html</url>
|
|
<url>http://www.ocert.org/advisories/ocert-2009-012.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2009-05-22</discovery>
|
|
<entry>2010-06-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="144e524a-77eb-11df-ae06-001b2134ef46">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-flashplugin</name>
|
|
<range><lt>9.0r277</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-f8-flashplugin</name>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>10.1r53</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe Product Security Incident Response Team reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-14.html">
|
|
<p>Critical vulnerabilities have been identified in Adobe
|
|
Flash Player version 10.0.45.2 and earlier. These
|
|
vulnerabilities could cause the application to crash and
|
|
could potentially allow an attacker to take control of the
|
|
affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2008-4546</cvename>
|
|
<cvename>CVE-2009-3793</cvename>
|
|
<cvename>CVE-2010-1297</cvename>
|
|
<cvename>CVE-2010-2160</cvename>
|
|
<cvename>CVE-2010-2161</cvename>
|
|
<cvename>CVE-2010-2162</cvename>
|
|
<cvename>CVE-2010-2163</cvename>
|
|
<cvename>CVE-2010-2164</cvename>
|
|
<cvename>CVE-2010-2165</cvename>
|
|
<cvename>CVE-2010-2166</cvename>
|
|
<cvename>CVE-2010-2167</cvename>
|
|
<cvename>CVE-2010-2169</cvename>
|
|
<cvename>CVE-2010-2170</cvename>
|
|
<cvename>CVE-2010-2171</cvename>
|
|
<cvename>CVE-2010-2172</cvename>
|
|
<cvename>CVE-2010-2173</cvename>
|
|
<cvename>CVE-2010-2174</cvename>
|
|
<cvename>CVE-2010-2175</cvename>
|
|
<cvename>CVE-2010-2176</cvename>
|
|
<cvename>CVE-2010-2177</cvename>
|
|
<cvename>CVE-2010-2178</cvename>
|
|
<cvename>CVE-2010-2179</cvename>
|
|
<cvename>CVE-2010-2180</cvename>
|
|
<cvename>CVE-2010-2181</cvename>
|
|
<cvename>CVE-2010-2182</cvename>
|
|
<cvename>CVE-2010-2183</cvename>
|
|
<cvename>CVE-2010-2184</cvename>
|
|
<cvename>CVE-2010-2185</cvename>
|
|
<cvename>CVE-2010-2186</cvename>
|
|
<cvename>CVE-2010-2187</cvename>
|
|
<cvename>CVE-2010-2188</cvename>
|
|
<cvename>CVE-2010-2189</cvename>
|
|
<url>http://www.adobe.com/support/security/bulletins/apsb10-14.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2008-10-02</discovery>
|
|
<entry>2010-06-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="313da7dc-763b-11df-bcce-0018f3e2eb82">
|
|
<topic>tiff -- buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tiff</name>
|
|
<range><lt>3.9.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-tiff</name>
|
|
<range><lt>3.9.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Kevin Finisterre reports:</p>
|
|
<blockquote cite="http://support.apple.com/kb/HT4196">
|
|
<p>Multiple integer overflows in the handling of TIFF files may
|
|
result in a heap buffer overflow. Opening a maliciously crafted
|
|
TIFF file may lead to an unexpected application termination or
|
|
arbitrary code execution. The issues are addressed through
|
|
improved bounds checking. Credit to Kevin Finisterre of
|
|
digitalmunition.com for reporting these issues.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1411</cvename>
|
|
<url>http://www.remotesensing.org/libtiff/v3.9.3.html</url>
|
|
<url>http://support.apple.com/kb/HT4196</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-15</discovery>
|
|
<entry>2010-06-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d42e5b66-6ea0-11df-9c8d-00e0815b8da8">
|
|
<topic>sudo -- Secure path vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sudo</name>
|
|
<range><lt>1.7.2.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Todd Miller reports:</p>
|
|
<blockquote cite="http://sudo.ws/sudo/alerts/secure_path.html">
|
|
<p>Most versions of the C library function getenv() return the
|
|
first instance of an environment variable to the caller. However,
|
|
some programs, notably the GNU Bourne Again SHell (bash), do
|
|
their own environment parsing and may choose the last instance
|
|
of a variable rather than the first one.</p>
|
|
<p>An attacker may manipulate the environment of the process that
|
|
executes Sudo such that a second PATH variable is present. When
|
|
Sudo runs a bash script, it is this second PATH variable that
|
|
is used by bash, regardless of whether or not Sudo has overwritten
|
|
the first instance of PATH. This may allow an attacker to
|
|
subvert the program being run under Sudo and execute commands
|
|
he/she would not otherwise be allowed to run.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1646</cvename>
|
|
<url>http://sudo.ws/sudo/alerts/secure_path.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-06-02</discovery>
|
|
<entry>2010-06-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b43004b8-6a53-11df-bc7b-0245fb008c0b">
|
|
<topic>ziproxy -- atypical huge picture files vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ziproxy</name>
|
|
<range><lt>3.0.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ziproxy 3.0.1 release fixes a security vulnerability related
|
|
to atypical huge picture files (>4GB of size once expanded).</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>40344</bid>
|
|
<cvename>CVE-2010-1513</cvename>
|
|
<url>http://ziproxy.sourceforge.net/#news</url>
|
|
<url>http://secunia.com/advisories/39941</url>
|
|
<mlist msgid="201005210019.37119.dancab@gmx.net">http://sourceforge.net/mailarchive/message.php?msg_name=201005210019.37119.dancab%40gmx.net</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-20</discovery>
|
|
<entry>2010-05-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fc55e396-6deb-11df-8b8e-000c29ba66d2">
|
|
<topic>mediawiki -- two security vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mediawiki</name>
|
|
<range><lt>1.15.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Two security vulnerabilities were discovered:</p>
|
|
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html">
|
|
<p>Noncompliant CSS parsing behaviour in Internet Explorer
|
|
allows attackers to construct CSS strings which are treated
|
|
as safe by previous versions of MediaWiki, but are decoded
|
|
to unsafe strings by Internet Explorer.</p>
|
|
<p>A CSRF vulnerability was discovered in our login interface.
|
|
Although regular logins are protected as of 1.15.3, it was
|
|
discovered that the account creation and password reset
|
|
features were not protected from CSRF. This could lead
|
|
to unauthorised access to private wikis.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://secunia.com/advisories/39922/</url>
|
|
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-28</discovery>
|
|
<entry>2010-06-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fcc39d22-5777-11df-bf33-001a92771ec2">
|
|
<topic>redmine -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>redmine</name>
|
|
<range><lt>0.9.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Redmine release announcement reports that
|
|
several cross site scripting vulnerabilities
|
|
and a potential data disclosure vulnerability have
|
|
been fixed in the latest release.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.redmine.org/news/39</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-01</discovery>
|
|
<entry>2010-05-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="28022228-5a0e-11df-942d-0015587e2cc1">
|
|
<topic>wireshark -- DOCSIS dissector denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wireshark</name>
|
|
<range><le>1.2.6_1</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A vulnerability found in the DOCSIS dissector can cause
|
|
Wireshark to crash when a malformed packet trace file is
|
|
opened. This means that an attacker will have to trick a
|
|
victim into opening such a trace file before being able
|
|
to crash the application.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1455</cvename>
|
|
<url>http://www.wireshark.org/security/wnpa-sec-2010-03.html</url>
|
|
<url>http://www.wireshark.org/security/wnpa-sec-2010-04.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-05-05</discovery>
|
|
<entry>2010-05-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c0869649-5a0c-11df-942d-0015587e2cc1">
|
|
<topic>piwik -- cross site scripting vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>piwik</name>
|
|
<range><le>0.5.5</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Piwik security advisory reports:</p>
|
|
<blockquote cite="http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/">
|
|
<p>A non-persistent, cross-site scripting vulnerability
|
|
(XSS) was found in Piwik's Login form that reflected
|
|
the form_url parameter without being properly escaped
|
|
or filtered.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1453</cvename>
|
|
<url>http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-15</discovery>
|
|
<entry>2010-05-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7132c842-58e2-11df-8d80-0015587e2cc1">
|
|
<topic>spamass-milter -- remote command execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>spamass-milter</name>
|
|
<range><le>0.3.1_8</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The spamassassin milter plugin contains a vulnerability
|
|
that can allow remote attackers to execute commands on
|
|
affected systems.</p>
|
|
<p>The vulnerability can be exploited through a specially crafted
|
|
email header when the plugin was started with the '-x'
|
|
(expand) flag.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1132</cvename>
|
|
<url>http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/56732</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-03-07</discovery>
|
|
<entry>2010-05-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="694da5b4-5877-11df-8d80-0015587e2cc1">
|
|
<topic>mediawiki -- authenticated CSRF vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mediawiki</name>
|
|
<range><lt>1.15.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A MediaWiki security announcement reports:</p>
|
|
<blockquote cite="http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html">
|
|
<p>MediaWiki was found to be vulnerable to login CSRF.
|
|
An attacker who controls a user account on the target
|
|
wiki can force the victim to log in as the attacker,
|
|
via a script on an external website.</p>
|
|
<p>If the wiki is configured to allow user scripts, say
|
|
with "$wgAllowUserJs = true" in LocalSettings.php, then
|
|
the attacker can proceed to mount a phishing-style
|
|
attack against the victim to obtain their password.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1150</cvename>
|
|
<url>http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-April/000090.html</url>
|
|
<url>https://bugzilla.wikimedia.org/show_bug.cgi?id=23076</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-07</discovery>
|
|
<entry>2010-05-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0491d15a-5875-11df-8d80-0015587e2cc1">
|
|
<topic>lxr -- multiple XSS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>lxr</name>
|
|
<range><le>0.9.6</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Dan Rosenberg reports:</p>
|
|
<blockquote cite="http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com">
|
|
<p>There are several cross-site scripting vulnerabilities
|
|
in LXR. These vulnerabilities could allow an attacker
|
|
to execute scripts in a user's browser, steal cookies
|
|
associated with vulnerable domains, redirect the user
|
|
to malicious websites, etc.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2009-4497</cvename>
|
|
<freebsdpr>ports/146337</freebsdpr>
|
|
<url>http://secunia.com/advisories/38117</url>
|
|
<url>http://sourceforge.net/mailarchive/message.php?msg_name=E1NS2s4-0001PE-F2%403bkjzd1.ch3.sourceforge.com</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-01-05</discovery>
|
|
<entry>2010-05-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="752ce039-5242-11df-9139-00242b513d7c">
|
|
<topic>vlc -- unintended code execution with specially crafted data</topic>
|
|
<affects>
|
|
<package>
|
|
<name>vlc</name>
|
|
<range><lt>1.0.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>VideoLAN project reports:</p>
|
|
<blockquote cite="http://www.videolan.org/security/sa1003.html">
|
|
<p>VLC media player suffers from various vulnerabilities when
|
|
attempting to parse malformatted or overly long byte streams.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>39629</bid>
|
|
<url>http://www.videolan.org/security/sa1003.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-19</discovery>
|
|
<entry>2010-05-01</entry>
|
|
<modified>2010-05-05</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8d10038e-515c-11df-83fb-0015587e2cc1">
|
|
<topic>joomla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>joomla15</name>
|
|
<range><ge>1.5.1</ge><le>1.5.15</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Joomla! reported the following vulnerabilities:</p>
|
|
<blockquote cite="http://developer.joomla.org/security/news/311-20100423-core-negative-values-for-limit-and-offset.html">
|
|
<p>If a user entered a URL with a negative query limit
|
|
or offset, a PHP notice would display revealing information
|
|
about the system.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/news/310-20100423-core-installer-migration-script.html">
|
|
<p>The migration script in the Joomla! installer does not
|
|
check the file type being uploaded. If the installation
|
|
application is present, an attacker could use it to
|
|
upload malicious files to a server.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/news/309-20100423-core-sessation-fixation.html">
|
|
<p>Session id doesn't get modified when user logs in. A
|
|
remote site may be able to forward a visitor to the
|
|
Joomla! site and set a specific cookie. If the user
|
|
then logs in, the remote site can use that cookie to
|
|
authenticate as that user.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/news/308-20100423-core-password-reset-tokens.html">
|
|
<p>When a user requests a password reset, the reset tokens
|
|
were stored in plain text in the database. While this
|
|
is not a vulnerability in itself, it allows user accounts
|
|
to be compromised if there is an extension on the site
|
|
with an SQL injection vulnerability.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://developer.joomla.org/security/news/308-20100423-core-password-reset-tokens.html</url>
|
|
<url>http://developer.joomla.org/security/news/309-20100423-core-sessation-fixation.html</url>
|
|
<url>http://developer.joomla.org/security/news/310-20100423-core-installer-migration-script.html</url>
|
|
<url>http://developer.joomla.org/security/news/311-20100423-core-negative-values-for-limit-and-offset.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-23</discovery>
|
|
<entry>2010-04-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5198ef84-4fdc-11df-83fb-0015587e2cc1">
|
|
<topic>cacti -- SQL injection and command execution vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cacti</name>
|
|
<range><le>0.8.7e4</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Bonsai Information Security reports:</p>
|
|
<blockquote cite="http://www.bonsai-sec.com/en/research/vulnerability.php">
|
|
<p>A Vulnerability has been discovered in Cacti, which
|
|
can be exploited by any user to conduct SQL Injection
|
|
attacks. Input passed via the "export_item_id" parameter
|
|
to "templates_export.php" script is not properly sanitized
|
|
before being used in a SQL query.</p>
|
|
</blockquote>
|
|
<p>The same source also reported a command execution
|
|
vulnerability. This second issue can be exploited by
|
|
Cacti users who have the rights to modify device or
|
|
graph configurations.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1431</cvename>
|
|
<freebsdpr>ports/146021</freebsdpr>
|
|
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php</url>
|
|
<url>http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-sql-injection-0104.php</url>
|
|
<url>http://www.debian.org/security/2010/dsa-2039</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-21</discovery>
|
|
<entry>2010-04-24</entry>
|
|
<modified>2013-06-16</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f6429c24-4fc9-11df-83fb-0015587e2cc1">
|
|
<topic>moodle -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>moodle</name>
|
|
<range><lt>1.9.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Moodle release notes report multiple vulnerabilities
|
|
which could allow remote attackers to perform, amongst
|
|
others, cross site scripting, user enumeration and SQL
|
|
injection attacks.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://docs.moodle.org/en/Moodle_1.9.8_release_notes</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-03-25</discovery>
|
|
<entry>2010-04-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3383e706-4fc3-11df-83fb-0015587e2cc1">
|
|
<topic>tomcat -- information disclosure vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tomcat</name>
|
|
<range><gt>5.5.0</gt><lt>5.5.30</lt></range>
|
|
<range><gt>6.0.0</gt><lt>6.0.27</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Apache Software Foundation reports:</p>
|
|
<blockquote cite="http://seclists.org/bugtraq/2010/Apr/200">
|
|
<p>The "WWW-Authenticate" header for BASIC and DIGEST
|
|
authentication includes a realm name. If a &lt;realm-name&gt;
|
|
element is specified for the application in web.xml it
|
|
will be used. However, if a &lt;realm-name&gt; is not
|
|
specified then Tomcat will generate one.</p>
|
|
<p>In some circumstances this can expose the local
|
|
hostname or IP address of the machine running Tomcat.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1157</cvename>
|
|
<freebsdpr>ports/146022</freebsdpr>
|
|
<url>http://seclists.org/bugtraq/2010/Apr/200</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-22</discovery>
|
|
<entry>2010-04-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f6b6beaa-4e0e-11df-83fb-0015587e2cc1">
|
|
<cancelled/>
|
|
</vuln>
|
|
|
|
<vuln vid="86b8b655-4d1a-11df-83fb-0015587e2cc1">
|
|
<topic>krb5 -- KDC double free vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>krb5</name>
|
|
<range><ge>1.7</ge><lt>1.7.2</lt></range>
|
|
<range><ge>1.8</ge><lt>1.8.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The MIT Kerberos team reports:</p>
|
|
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt">
|
|
<p>An authenticated remote attacker can crash the KDC by
|
|
inducing the KDC to perform a double free. Under some
|
|
circumstances on some platforms, this could also allow
|
|
malicious code execution.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1320</cvename>
|
|
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-20</discovery>
|
|
<entry>2010-04-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a4746a86-4c89-11df-83fb-0015587e2cc1">
|
|
<topic>e107 -- code execution and XSS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>e107</name>
|
|
<range><lt>0.7.20</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia Research reported two vulnerabilities in e107:</p>
|
|
<p>The first problem affects installations that have the
|
|
Content Manager plugin enabled. This plugin does not
|
|
sanitize the "content_heading" parameter correctly and
|
|
is therefore vulnerable to a cross site scripting attack.</p>
|
|
<p>The second vulnerability is related to the avatar upload
|
|
functionality. Images containing PHP code can be uploaded
|
|
and executed.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>39540</bid>
|
|
<cvename>CVE-2010-0996</cvename>
|
|
<cvename>CVE-2010-0997</cvename>
|
|
<freebsdpr>ports/145885</freebsdpr>
|
|
<url>http://e107.org/comment.php?comment.news.864</url>
|
|
<url>http://secunia.com/secunia_research/2010-43/</url>
|
|
<url>http://secunia.com/secunia_research/2010-44/</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/57932</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-15</discovery>
|
|
<entry>2010-04-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="09910d76-4c82-11df-83fb-0015587e2cc1">
|
|
<topic>fetchmail -- denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>fetchmail</name>
|
|
<range>
|
|
<ge>4.6.3</ge>
|
|
<le>6.3.16</le>
|
|
</range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Fetchmail developer Matthias Andree reported a vulnerability
|
|
that allows remote attackers to crash the application
|
|
when it runs in verbose mode.</p>
|
|
<blockquote cite="http://gitorious.org/fetchmail/fetchmail/commit/ec06293">
|
|
<p>Fetchmail before release 6.3.17 did not properly
|
|
sanitize external input (mail headers and UID). When a
|
|
multi-character locale (such as UTF-8) was in use, this
|
|
could cause memory exhaustion and thus a denial of
|
|
service.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1167</cvename>
|
|
<freebsdpr>ports/145857</freebsdpr>
|
|
<url>http://gitorious.org/fetchmail/fetchmail/commit/ec06293</url>
|
|
<url>http://seclists.org/oss-sec/2010/q2/76</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-18</discovery>
|
|
<entry>2010-04-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a2c4d3d5-4c7b-11df-83fb-0015587e2cc1">
|
|
<topic>pidgin -- multiple remote denial of service vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>pidgin</name>
|
|
<range><lt>2.6.6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libpurple</name>
|
|
<range><lt>2.6.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Three denial of service vulnerabilities were found in
|
|
pidgin and allow remote attackers to crash the application.
|
|
The developers summarized these problems as follows:</p>
|
|
<blockquote cite="http://pidgin.im/news/security/?id=45">
|
|
<p>Pidgin can become unresponsive when displaying large
|
|
numbers of smileys</p>
|
|
</blockquote>
|
|
<blockquote cite="http://pidgin.im/news/security/?id=44">
|
|
<p>Certain nicknames in group chat rooms can trigger a
|
|
crash in Finch</p>
|
|
</blockquote>
|
|
<blockquote cite="http://pidgin.im/news/security/?id=43">
|
|
<p>Failure to validate all fields of an incoming message
|
|
can trigger a crash</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>38294</bid>
|
|
<cvename>CVE-2010-0277</cvename>
|
|
<cvename>CVE-2010-0420</cvename>
|
|
<cvename>CVE-2010-0423</cvename>
|
|
<url>http://pidgin.im/news/security/?id=43</url>
|
|
<url>http://pidgin.im/news/security/?id=44</url>
|
|
<url>http://pidgin.im/news/security/?id=45</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-02-18</discovery>
|
|
<entry>2010-04-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4fb5d2cd-4c77-11df-83fb-0015587e2cc1">
|
|
<topic>png -- libpng decompression denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>png</name>
|
|
<range>
|
|
<gt>1.2.43</gt>
|
|
<lt>1.4.1</lt>
|
|
</range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A vulnerability in libpng can result in denial of service
|
|
conditions when a remote attacker tricks a victim into opening
|
|
a specially-crafted PNG file.</p>
|
|
<p>The PNG project describes the problem in an advisory:</p>
|
|
<blockquote cite="http://libpng.sourceforge.net/ADVISORY-1.4.1.html">
|
|
<p>Because of the efficient compression method used in
|
|
Portable Network Graphics (PNG) files, a small PNG file
|
|
can expand tremendously, acting as a "decompression
|
|
bomb".</p>
|
|
<p>Malformed PNG chunks can consume a large amount of CPU
|
|
and wall-clock time and large amounts of memory, up to
|
|
all memory available on a system</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>38478</bid>
|
|
<certvu>576029</certvu>
|
|
<cvename>CVE-2010-0205</cvename>
|
|
<url>http://libpng.sourceforge.net/ADVISORY-1.4.1.html</url>
|
|
<url>http://secunia.com/advisories/38774</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/56661</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-02-27</discovery>
|
|
<entry>2010-04-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c8c31c41-49ed-11df-83fb-0015587e2cc1">
|
|
<topic>curl -- libcurl buffer overflow vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>curl</name>
|
|
<range>
|
|
<ge>7.10.5</ge>
|
|
<lt>7.20.0</lt>
|
|
</range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The cURL project reports in a security advisory:</p>
|
|
<blockquote cite="http://curl.haxx.se/docs/adv_20100209.html">
|
|
<p>Using the affected libcurl version to download compressed
|
|
content over HTTP, an application can ask libcurl to
|
|
automatically uncompress data. When doing so, libcurl
|
|
can wrongly send data up to 64K in size to the callback
|
|
which thus is much larger than the documented maximum
|
|
size.</p>
|
|
<p>An application that blindly trusts libcurl's max limit
|
|
for a fixed buffer size or similar is then a possible
|
|
target for a buffer overflow vulnerability.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-0734</cvename>
|
|
<url>http://curl.haxx.se/docs/adv_20100209.html</url>
|
|
<url>http://www.debian.org/security/2010/dsa-2023</url>
|
|
<url>http://www.openwall.com/lists/oss-security/2010/02/09/5</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-02-09</discovery>
|
|
<entry>2010-04-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a04a3c13-4932-11df-83fb-0015587e2cc1">
|
|
<topic>ejabberd -- queue overload denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ejabberd</name>
|
|
<range><lt>2.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Red Hat security response team reports:</p>
|
|
<blockquote cite="http://www.openwall.com/lists/oss-security/2010/01/29/1">
|
|
<p>A remotely exploitable DoS from XMPP client to ejabberd
|
|
server via too many "client2server" messages (causing the
|
|
message queue on the server to get overloaded, leading
|
|
to server crash) has been found.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>38003</bid>
|
|
<cvename>CVE-2010-0305</cvename>
|
|
<url>http://secunia.com/advisories/38337</url>
|
|
<url>http://support.process-one.net/browse/EJAB-1173</url>
|
|
<url>http://www.openwall.com/lists/oss-security/2010/01/29/1</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/56025</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-01-29</discovery>
|
|
<entry>2010-04-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3b7967f1-49e8-11df-83fb-0015587e2cc1">
|
|
<topic>irssi -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>irssi</name>
|
|
<range><lt>0.8.15</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>zh-irssi</name>
|
|
<range><lt>0.8.15</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>irssi-devel</name>
|
|
<range><lt>20100325</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Two vulnerabilities have been found in irssi. The first issue
|
|
could allow man-in-the-middle attacks due to a missing
|
|
comparison of SSL server hostnames and the certificate
|
|
domain names (e.g. CN).</p>
|
|
<p>A second vulnerability, related to the nick matching code,
|
|
could be triggered by remote attackers in order to crash
|
|
an irssi client when leaving a channel.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2010-1155</cvename>
|
|
<cvename>CVE-2010-1156</cvename>
|
|
<url>http://xforce.iss.net/xforce/xfdb/57790</url>
|
|
<url>http://xforce.iss.net/xforce/xfdb/57791</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2010-04-16</discovery>
|
|
<entry>2010-04-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a30573dc-4893-11df-a5f9-001641aeabdf">
<topic>krb5 -- remote denial of service vulnerability</topic>
<affects>
<package>
<name>krb5</name>
<range><le>1.6.3_9</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>An authenticated remote attacker can cause a denial
of service by using a newer version of the kadmin protocol
than the server supports.</p>
<p>The MIT Kerberos team also reports the cause:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt">
<p>The Kerberos administration daemon (kadmind) can crash
due to referencing freed memory.</p>
</blockquote>
</body>
</description>
<references>
<bid>39247</bid>
<cvename>CVE-2010-0629</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt</url>
</references>
<dates>
<discovery>2010-04-06</discovery>
<entry>2010-04-18</entry>
</dates>
</vuln>

<vuln vid="9ac0f9c4-492b-11df-83fb-0015587e2cc1">
<topic>krb5 -- multiple denial of service vulnerabilities</topic>
<affects>
<package>
<name>krb5</name>
<range>
<ge>1.7</ge><le>1.7_2</le>
</range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Two vulnerabilities in krb5 can be used by remote
attackers in denial of service attacks. The MIT security
advisories report this as follows:</p>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt">
<p>An unauthenticated remote attacker can send an invalid
request to a KDC process that will cause it to crash
due to an assertion failure, creating a denial of
service.</p>
</blockquote>
<blockquote cite="http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt">
<p>An unauthenticated remote attacker could cause a GSS-API
application, including the Kerberos administration
daemon (kadmind) to crash.</p>
</blockquote>
</body>
</description>
<references>
<bid>38260</bid>
<bid>38904</bid>
<cvename>CVE-2010-0283</cvename>
<cvename>CVE-2010-0628</cvename>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt</url>
<url>http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt</url>
</references>
<dates>
<discovery>2010-02-16</discovery>
<entry>2010-04-19</entry>
<modified>2013-06-16</modified>
</dates>
</vuln>

<vuln vid="5053420c-4935-11df-83fb-0015587e2cc1">
<topic>mahara -- sql injection vulnerability</topic>
<affects>
<package>
<name>mahara</name>
<range><lt>1.1.8</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Debian security team reports:</p>
<blockquote cite="http://www.debian.org/security/2010/dsa-2030">
<p>It was discovered that mahara, an electronic portfolio,
weblog, and resume builder is not properly escaping input
when generating a unique username based on a remote user
name from a single sign-on application. An attacker can
use this to compromise the mahara database via crafted
user names.</p>
</blockquote>
</body>
</description>
<references>
<bid>39253</bid>
<cvename>CVE-2010-0400</cvename>
<url>http://www.debian.org/security/2010/dsa-2030</url>
</references>
<dates>
<discovery>2010-04-06</discovery>
<entry>2010-04-18</entry>
</dates>
</vuln>

<vuln vid="1a9f678d-48ca-11df-85f8-000c29a67389">
<topic>sudo -- Privilege escalation with sudoedit</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="">
<p>Sudo's command matching routine expects actual commands to include
one or more slash ('/') characters. The flaw is that sudo's path
resolution code did not add a "./" prefix to commands found in the
current working directory. This creates an ambiguity between a
"sudoedit" command found in the cwd and the "sudoedit"
pseudo-command in the sudoers file. As a result, a user may be
able to run an arbitrary command named "sudoedit" in the current
working directory. For the attack to be successful, the PATH
environment variable must include "." and may not include any other
directory that contains a "sudoedit" command.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1163</cvename>
<url>http://www.sudo.ws/pipermail/sudo-announce/2010-April/000093.html</url>
<url>http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html</url>
</references>
<dates>
<discovery>2010-04-09</discovery>
<entry>2010-04-15</entry>
</dates>
</vuln>

<vuln vid="3987c5d1-47a9-11df-a0d5-0016d32f24fb">
<topic>KDM -- local privilege escalation vulnerability</topic>
<affects>
<package>
<name>kdebase</name>
<range><le>3.5.10_6</le></range>
</package>
<package>
<name>kdebase-workspace</name>
<range><le>4.3.5_1</le></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>KDE Security Advisory reports:</p>
<blockquote cite="http://www.kde.org/info/security/advisory-20100413-1.txt">
<p>KDM contains a race condition that allows local attackers
to make arbitrary files on the system world-writeable.
This can happen while KDM tries to create its control
socket during user login. A local attacker with a valid
local account can under certain circumstances make use of
this vulnerability to execute arbitrary code as root.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0436</cvename>
<url>http://www.kde.org/info/security/advisory-20100413-1.txt</url>
</references>
<dates>
<discovery>2010-04-13</discovery>
<entry>2010-04-14</entry>
<modified>2010-04-14</modified>
</dates>
</vuln>

<vuln vid="805603a1-3e7a-11df-a5a1-0050568452ac">
<topic>dojo -- cross-site scripting and other vulnerabilities</topic>
<affects>
<package>
<name>dojo</name>
<range><lt>1.4.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Dojo Toolkit team reports:</p>
<blockquote cite="http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/">
<p>Some PHP files did not properly escape input.</p>
<p>Some files could operate like "open redirects". A bad actor
could form an URL that looks like it came from a trusted
site, but the user would be redirected or load content from
the bad actor's site.</p>
<p>A file exposed a more serious cross-site scripting
vulnerability with the possibility of executing code on the
domain where the file exists.</p>
<p>The Dojo build process defaulted to copying over tests and
demos, which are normally not needed and just increased the
number of files that could be targets of attacks.</p>
</blockquote>
</body>
</description>
<references>
<url>http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/</url>
<url>http://osdir.com/ml/bugtraq.security/2010-03/msg00133.html</url>
<url>http://packetstormsecurity.org/1003-exploits/dojo-xss.txt</url>
<url>http://secunia.com/advisories/38964</url>
<url>http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/</url>
</references>
<dates>
<discovery>2010-03-11</discovery>
<entry>2010-04-06</entry>
</dates>
</vuln>

<vuln vid="8ad1c404-3e78-11df-a5a1-0050568452ac">
<topic>Zend Framework -- security issues in bundled Dojo library</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.10.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-07">
<p>Several files in the bundled Dojo library were identified
as having potential exploits, and the Dojo team also advised
disabling or removing any PHP scripts in the Dojo library tree
when deploying to production.</p>
</blockquote>
</body>
</description>
<references>
<url>http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/</url>
<url>http://framework.zend.com/security/advisory/ZF2010-07</url>
<url>http://osdir.com/ml/bugtraq.security/2010-03/msg00133.html</url>
<url>http://packetstormsecurity.org/1003-exploits/dojo-xss.txt</url>
<url>http://secunia.com/advisories/38964</url>
<url>http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/</url>
</references>
<dates>
<discovery>2010-04-01</discovery>
<entry>2010-04-06</entry>
</dates>
</vuln>

<vuln vid="ec8f449f-40ed-11df-9edc-000f20797ede">
<topic>firefox -- Re-use of freed object due to scope confusion</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6,1</gt><lt>3.6.3,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2009-25 Re-use of freed object due to scope confusion</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1121</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-25.html</url>
</references>
<dates>
<discovery>2010-04-01</discovery>
<entry>2010-04-05</entry>
</dates>
</vuln>

<vuln vid="9ccfee39-3c3b-11df-9edc-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>seamonkey</name>
<range><gt>2.0</gt><lt>2.0.4</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.4</lt></range>
</package>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.9,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.19,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.0.19,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.9</lt></range>
</package>
<package>
<name>nss</name>
<name>linux-f10-nss</name>
<range><lt>3.12.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy</p>
<p>MFSA 2010-23 Image src redirect to mailto: URL opens email editor</p>
<p>MFSA 2010-22 Update NSS to support TLS renegotiation indication</p>
<p>MFSA 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy</p>
<p>MFSA 2010-20 Chrome privilege escalation via forced URL drag and drop</p>
<p>MFSA 2010-19 Dangling pointer vulnerability in nsPluginArray</p>
<p>MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView</p>
<p>MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection</p>
<p>MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0181</cvename>
<cvename>CVE-2009-3555</cvename>
<cvename>CVE-2010-0179</cvename>
<cvename>CVE-2010-0178</cvename>
<cvename>CVE-2010-0177</cvename>
<cvename>CVE-2010-0176</cvename>
<cvename>CVE-2010-0175</cvename>
<cvename>CVE-2010-0174</cvename>
<cvename>CVE-2010-0173</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-24.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-23.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-22.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-21.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-20.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-19.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-18.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-17.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-16.html</url>
</references>
<dates>
<discovery>2010-03-30</discovery>
<entry>2010-03-30</entry>
</dates>
</vuln>

<vuln vid="e050119b-3856-11df-b2b2-002170daae37">
<topic>postgresql -- bitsubstr overflow</topic>
<affects>
<package>
<name>postgresql-server</name>
<range><ge>7.4</ge><lt>7.4.28</lt></range>
<range><ge>8.0</ge><lt>8.0.24</lt></range>
<range><ge>8.1</ge><lt>8.1.20</lt></range>
<range><ge>8.2</ge><lt>8.2.16</lt></range>
<range><ge>8.3</ge><lt>8.3.10</lt></range>
<range><ge>8.4</ge><lt>8.4.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>BugTraq reports:</p>
<blockquote cite="http://www.securityfocus.com/bid/37973">
<p>PostgreSQL is prone to a buffer-overflow
vulnerability because the application fails to
perform adequate boundary checks on user-supplied
data.</p>
<p>Attackers can exploit this issue to execute
arbitrary code with elevated privileges or
crash the affected application.</p>
</blockquote>
</body>
</description>
<references>
<bid>37973</bid>
<cvename>CVE-2010-0442</cvename>
</references>
<dates>
<discovery>2010-01-27</discovery>
<entry>2010-03-25</entry>
</dates>
</vuln>

<vuln vid="c175d72f-3773-11df-8bb8-0211d880e350">
<topic>gtar -- buffer overflow in rmt client</topic>
<affects>
<package>
<name>gtar</name>
<range><lt>1.22_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Jakob Lell reports:</p>
<blockquote cite="http://www.agrs.tu-berlin.de/index.php?id=78327">
<p>The rmt client implementation of GNU Tar/Cpio contains
a heap-based buffer overflow which possibly allows
arbitrary code execution.</p>
<p>The problem can be exploited when using an
untrusted/compromised rmt server.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0624</cvename>
<url>http://www.agrs.tu-berlin.de/index.php?id=78327</url>
</references>
<dates>
<discovery>2010-03-24</discovery>
<entry>2010-03-24</entry>
</dates>
</vuln>

<vuln vid="5d5ed535-3653-11df-9edc-000f20797ede">
<topic>firefox -- WOFF heap corruption due to integer overflow</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.6,1</gt><lt>3.6.2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-08 WOFF heap corruption due to integer overflow</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-1028</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-08.html</url>
</references>
<dates>
<discovery>2010-03-22</discovery>
<entry>2010-03-23</entry>
</dates>
</vuln>

<vuln vid="56cfe192-329f-11df-abb2-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>seamonkey</name>
<name>linux-seamonkey</name>
<range><lt>1.1.19</lt></range>
</package>
<package>
<name>thunderbird</name>
<name>linux-thunderbird</name>
<range><lt>2.0.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-07 Fixes for potentially exploitable crashes ported to the legacy branch</p>
<p>MFSA 2010-06 Scriptable plugin execution in SeaMonkey mail</p>
<p>MFSA 2009-68 NTLM reflection vulnerability</p>
<p>MFSA 2009-62 Download filename spoofing with RTL override</p>
<p>MFSA 2009-59 Heap buffer overflow in string to number conversion</p>
<p>MFSA 2009-49 TreeColumns dangling pointer vulnerability</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0161</cvename>
<cvename>CVE-2010-0163</cvename>
<cvename>CVE-2009-3075</cvename>
<cvename>CVE-2009-3072</cvename>
<cvename>CVE-2009-2463</cvename>
<cvename>CVE-2009-3385</cvename>
<cvename>CVE-2009-3983</cvename>
<cvename>CVE-2009-3376</cvename>
<cvename>CVE-2009-0689</cvename>
<cvename>CVE-2009-3077</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-07.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-06.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-68.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-62.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-59.html</url>
<url>http://www.mozilla.org/security/announce/2009/mfsa2009-49.html</url>
</references>
<dates>
<discovery>2010-03-16</discovery>
<entry>2010-03-19</entry>
</dates>
</vuln>

<vuln vid="e39caf05-2d6f-11df-aec2-000c29ba66d2">
<topic>egroupware -- two vulnerabilities</topic>
<affects>
<package>
<name>egroupware</name>
<range><lt>1.6.003</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Egroupware Team reports:</p>
<blockquote cite="http://www.egroupware.org/Home?category_id=95&amp;item=93">
<p>Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:</p>
<p>Serious remote command execution (allowing to run arbitrary command
on the web server by simply issuing a HTTP request!).</p>
<p>A reflected cross-site scripting (XSS).</p>
<p>Both require NO valid EGroupware account and work without being logged
in!</p>
</blockquote>
</body>
</description>
<references>
<bid>38609</bid>
<url>http://secunia.com/advisories/38859/</url>
<url>http://www.egroupware.org/Home?category_id=95&amp;item=93</url>
</references>
<dates>
<discovery>2010-03-09</discovery>
<entry>2010-03-11</entry>
</dates>
</vuln>

<vuln vid="b3531fe1-2b03-11df-b6db-00248c9b4be7">
<topic>drupal -- multiple vulnerabilities</topic>
<affects>
<package>
<name>drupal5</name>
<range><lt>5.22</lt></range>
</package>
<package>
<name>drupal6</name>
<range><lt>6.16</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Drupal Team reports:</p>
<blockquote cite="http://drupal.org/node/731710">
<p>A user-supplied value is directly output during installation
allowing a malicious user to craft a URL and perform a cross-site
scripting attack. The exploit can only be conducted on sites not yet
installed.</p>
<p>The API function drupal_goto() is susceptible to a phishing attack.
An attacker could formulate a redirect in a way that gets the Drupal
site to send the user to an arbitrarily provided URL. No user
submitted data will be sent to that URL.</p>
<p>Locale module and dependent contributed modules do not sanitize the
display of language codes, native and English language names properly.
While these usually come from a preselected list, arbitrary
administrator input is allowed. This vulnerability is mitigated by the
fact that the attacker must have a role with the 'administer
languages' permission.</p>
<p>Under certain circumstances, a user with an open session that is
blocked can maintain his/her session on the Drupal site, despite being
blocked.</p>
</blockquote>
</body>
</description>
<references>
<url>http://drupal.org/node/731710</url>
</references>
<dates>
<discovery>2010-03-03</discovery>
<entry>2010-03-08</entry>
</dates>
</vuln>

<vuln vid="018a84d0-2548-11df-b4a3-00e0815b8da8">
<topic>sudo -- Privilege escalation with sudoedit</topic>
<affects>
<package>
<name>sudo</name>
<range><lt>1.7.2.4</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote cite="">
<p>When sudo performs its command matching, there is a special case
for pseudo-commands in the sudoers file (currently, the only
pseudo-command is sudoedit). Unlike a regular command,
pseudo-commands do not begin with a slash ('/'). The flaw is that
sudo's matching code would only check against the list of
pseudo-commands if the user-specified command also contained no
slashes. As a result, if the user ran "sudo ./sudoedit" the normal
matching code path was followed, which uses stat(2) to verify that
the user-specified command matches the one in sudoers. In this
case, it would compare the "./sudoedit" specified by the user with
"sudoedit" from the sudoers file, resulting in a positive
match.</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.sudo.ws/pipermail/sudo-announce/2010-February/000092.html</url>
<url>http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html</url>
<url>http://secunia.com/advisories/38659</url>
<cvename>CVE-2010-0426</cvename>
<bid>38362</bid>
</references>
<dates>
<discovery>2010-01-29</discovery>
<entry>2010-03-01</entry>
</dates>
</vuln>

<vuln vid="c97d7a37-2233-11df-96dd-001b2134ef46">
<topic>openoffice.org -- multiple vulnerabilities</topic>
<affects>
<package>
<name>openoffice.org</name>
<range><lt>3.2.0</lt></range>
<range><ge>3.2.20010101</ge><lt>3.2.20100203</lt></range>
<range><ge>3.3.20010101</ge><lt>3.3.20100207</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OpenOffice.org Security Team reports:</p>
<blockquote cite="http://www.openoffice.org/security/bulletin.html">
<p>Fixed in OpenOffice.org 3.2</p>
<p>CVE-2006-4339: Potential vulnerability from 3rd party
libxml2 libraries</p>
<p>CVE-2009-0217: Potential vulnerability from 3rd party
libxmlsec libraries</p>
<p>CVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable
version of MSVC Runtime</p>
<p>CVE-2009-2949: Potential vulnerability related to XPM file
processing</p>
<p>CVE-2009-2950: Potential vulnerability related to GIF file
processing</p>
<p>CVE-2009-3301/2: Potential vulnerability related to MS-Word
document processing</p>
</blockquote>
</body>
</description>
<references>
<url>http://www.openoffice.org/security/bulletin.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2006-4339.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-0217.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2493.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2949.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-2950.html</url>
<url>http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html</url>
<cvename>CVE-2006-4339</cvename>
<cvename>CVE-2009-0217</cvename>
<cvename>CVE-2009-2493</cvename>
<cvename>CVE-2009-2949</cvename>
<cvename>CVE-2009-2950</cvename>
<cvename>CVE-2009-3301</cvename>
<cvename>CVE-2009-3302</cvename>
</references>
<dates>
<discovery>2006-08-24</discovery>
<entry>2010-02-25</entry>
<modified>2010-02-27</modified>
</dates>
</vuln>

<vuln vid="f82c85d8-1c6e-11df-abb2-000f20797ede">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
<package>
<name>firefox</name>
<range><gt>3.5.*,1</gt><lt>3.5.8,1</lt></range>
<range><gt>3.*,1</gt><lt>3.0.18,1</lt></range>
</package>
<package>
<name>linux-firefox</name>
<range><lt>3.0.18,1</lt></range>
</package>
<package>
<name>linux-firefox-devel</name>
<range><lt>3.5.8</lt></range>
</package>
<package>
<name>seamonkey</name>
<range><gt>2.0.*</gt><lt>2.0.3</lt></range>
</package>
<package>
<name>thunderbird</name>
<range><ge>3.0</ge><lt>3.0.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Mozilla Project reports:</p>
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
<p>MFSA 2010-05 XSS hazard using SVG document and binary Content-Type</p>
<p>MFSA 2010-04 XSS due to window.dialogArguments being readable cross-domain</p>
<p>MFSA 2010-03 Use-after-free crash in HTML parser</p>
<p>MFSA 2010-02 Web Worker Array Handling Heap Corruption Vulnerability</p>
<p>MFSA 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0159</cvename>
<cvename>CVE-2010-0160</cvename>
<cvename>CVE-2009-1571</cvename>
<cvename>CVE-2009-3988</cvename>
<cvename>CVE-2010-0162</cvename>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-01.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-02.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-03.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-04.html</url>
<url>http://www.mozilla.org/security/announce/2010/mfsa2010-05.html</url>
</references>
<dates>
<discovery>2010-02-17</discovery>
<entry>2010-02-18</entry>
<modified>2010-02-28</modified>
</dates>
</vuln>

<vuln vid="1a3bd81f-1b25-11df-bd1a-002170daae37">
<topic>lighttpd -- denial of service vulnerability</topic>
<affects>
<package>
<name>lighttpd</name>
<range><lt>1.4.26</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Lighttpd security advisory reports:</p>
<blockquote cite="http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt">
<p>If you send the request data very slow (e.g. sleep
0.01 after each byte), lighttpd will easily use all
available memory and die (especially for parallel
requests), allowing a DoS within minutes.</p>
</blockquote>
</body>
</description>
<references>
<bid>38036</bid>
<cvename>CVE-2010-0295</cvename>
<url>http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt</url>
</references>
<dates>
<discovery>2010-02-02</discovery>
<entry>2010-02-16</entry>
</dates>
</vuln>

<vuln vid="81d9dc0c-1988-11df-8e66-0019996bc1f7">
<topic>squid -- Denial of Service vulnerability in HTCP</topic>
<affects>
<package>
<name>squid</name>
<range><ge>2.7.1</ge><lt>2.7.7_4</lt></range>
<range><ge>3.0.1</ge><lt>3.0.24</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:2 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_2.txt">
<p>Due to incorrect processing Squid is vulnerable to a
denial of service attack when receiving specially crafted
HTCP packets.</p>
<p>This problem allows any machine to perform a denial
of service attack on the Squid service when its HTCP port
is open.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0639</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_2.txt</url>
</references>
<dates>
<discovery>2010-02-12</discovery>
<entry>2010-02-14</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>

<vuln vid="ff6519ad-18e5-11df-9bdd-001b2134ef46">
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>linux-flashplugin</name>
<range><lt>9.0r262</lt></range>
</package>
<package>
<name>linux-f8-flashplugin</name>
<name>linux-f10-flashplugin</name>
<range><lt>10.0r45</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Adobe Product Security Incident Response Team reports:</p>
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb10-06.html">
<p>A critical vulnerability has been identified in Adobe
Flash Player version 10.0.42.34 and earlier. This
vulnerability (CVE-2010-0186) could subvert the domain sandbox
and make unauthorized cross-domain requests. This update also
resolves a potential Denial of Service issue (CVE-2010-0187).</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0186</cvename>
<cvename>CVE-2010-0187</cvename>
<url>http://www.adobe.com/support/security/bulletins/apsb10-06.html</url>
</references>
<dates>
<discovery>2010-02-11</discovery>
<entry>2010-02-13</entry>
</dates>
</vuln>

<vuln vid="0a82ac0c-1886-11df-b0d1-0015f2db7bde">
<topic>gnome-screensaver -- Multiple monitor hotplug issues</topic>
<affects>
<package>
<name>gnome-screensaver</name>
<range><lt>2.28.3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Ray Strode reports:</p>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=609337">
<p>Under certain circumstances it is possible to circumvent the security of screen
locking functionality of gnome-screensaver by changing the system's physical
monitor configuration.</p>
</blockquote>
<blockquote cite="https://bugzilla.gnome.org/show_bug.cgi?id=609789">
<p>gnome-screensaver can lose its keyboard grab when locked, exposing the system
to intrusion by adding and removing monitors.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0414</cvename>
<cvename>CVE-2010-0422</cvename>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=609337</url>
<url>https://bugzilla.gnome.org/show_bug.cgi?id=609789</url>
</references>
<dates>
<discovery>2010-02-08</discovery>
<entry>2010-02-13</entry>
</dates>
</vuln>

<vuln vid="2a6a966f-1774-11df-b5c1-0026189baca3">
<topic>fetchmail -- heap overflow on verbose X.509 display</topic>
<affects>
<package>
<name>fetchmail</name>
<range><ge>6.3.11</ge><lt>6.3.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2010-01.txt">
<p>In verbose mode, fetchmail prints X.509 certificate subject and
issuer information to the user, and counts and allocates a malloc()
buffer for that purpose.</p>
<p>If the material to be displayed contains characters with high bit
set and the platform treats the "char" type as signed, this can cause
a heap buffer overrun because non-printing characters are escaped as
\xFF..FFnn, where nn is 80..FF in hex.</p>
</blockquote>
</body>
</description>
<references>
<bid>38088</bid>
<cvename>CVE-2010-0562</cvename>
<url>http://www.fetchmail.info/fetchmail-SA-2010-01.txt</url>
<mlist msgid="20100205014643.GA25506@merlin.emma.line.org">https://lists.berlios.de/pipermail/fetchmail-announce/2010-February/000073.html</mlist>
</references>
<dates>
<discovery>2010-02-04</discovery>
<entry>2010-02-12</entry>
</dates>
</vuln>

<vuln vid="bb0a8795-15dc-11df-bf0a-002170daae37">
<topic>wireshark -- LWRES vulnerability</topic>
<affects>
<package>
<name>wireshark</name>
<name>wireshark-lite</name>
<range><lt>1.2.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Wireshark project reports:</p>
<blockquote cite="http://www.wireshark.org/security/wnpa-sec-2010-02.html">
<p>Babi discovered several buffer overflows in the
LWRES dissector.</p>
<p>It may be possible to make Wireshark crash remotely
or by convincing someone to read a malformed packet
trace file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0304</cvename>
<url>http://secunia.com/advisories/38257/</url>
<url>http://www.wireshark.org/security/wnpa-sec-2010-02.html</url>
</references>
<dates>
<discovery>2010-01-27</discovery>
<entry>2010-02-10</entry>
</dates>
</vuln>

<vuln vid="6b575419-14cf-11df-a628-001517351c22">
<topic>otrs -- SQL injection</topic>
<affects>
<package>
<name>otrs</name>
<range><lt>2.4.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>OTRS Security Advisory reports:</p>
<blockquote cite="http://otrs.org/advisory/OSA-2010-01-en/">
<p>Missing security quoting for SQL statements allows agents and
customers to manipulate SQL queries. So it's possible for
authenticated users to inject SQL queries
via string manipulation of statements.</p>
<p>A malicious user may be able to manipulate SQL queries to read
or modify records in the database. This way it could also be
possible to get access to more permissions (e. g. administrator
permissions).</p>
<p>To use this vulnerability the malicious user needs to have
a valid Agent- or Customer-session.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0438</cvename>
<url>http://otrs.org/advisory/OSA-2010-01-en/</url>
</references>
<dates>
<discovery>2010-02-08</discovery>
<entry>2010-02-08</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>

<vuln vid="cae01d7b-110d-11df-955a-00219b0fc4d8">
<topic>apache -- Prevent chunk-size integer overflow on platforms where sizeof(int) &lt; sizeof(long)</topic>
<affects>
<package>
<name>apache</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+mod_perl</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+ipv6</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache_fp</name>
<range><ge>0</ge></range>
</package>
<package>
<name>ru-apache</name>
<range><lt>1.3.42+30.23</lt></range>
</package>
<package>
<name>ru-apache+mod_ssl</name>
<range><lt>1.3.42</lt></range>
</package>
<package>
<name>apache+ssl</name>
<range><lt>1.3.42.1.57_2</lt></range>
</package>
<package>
<name>apache+mod_ssl</name>
<name>apache+mod_ssl+ipv6</name>
<name>apache+mod_ssl+mod_accel</name>
<name>apache+mod_ssl+mod_accel+ipv6</name>
<name>apache+mod_ssl+mod_accel+mod_deflate</name>
<name>apache+mod_ssl+mod_accel+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_deflate</name>
<name>apache+mod_ssl+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_snmp</name>
<name>apache+mod_ssl+mod_snmp+mod_accel</name>
<name>apache+mod_ssl+mod_snmp+mod_accel+ipv6</name>
<name>apache+mod_ssl+mod_snmp+mod_deflate</name>
<name>apache+mod_ssl+mod_snmp+mod_deflate+ipv6</name>
<name>apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6</name>
<range><lt>1.3.41+2.8.27_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Apache ChangeLog reports:</p>
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_1.3.42">
<p>Integer overflow in the ap_proxy_send_fb function in
proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before
1.3.42 on 64-bit platforms allows remote origin servers to cause a
denial of service (daemon crash) or possibly execute arbitrary code
via a large chunk size that triggers a heap-based buffer overflow.</p>
</blockquote>
</body>
</description>
<references>
<url>http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0010</url>
<url>http://www.security-database.com/detail.php?alert=CVE-2010-0010</url>
<url>http://security-tracker.debian.org/tracker/CVE-2010-0010</url>
<url>http://www.vupen.com/english/Reference-CVE-2010-0010.php</url>
</references>
<dates>
<discovery>2009-06-30</discovery>
<entry>2010-02-03</entry>
<modified>2010-02-03</modified>
</dates>
</vuln>

<vuln vid="296ecb59-0f6b-11df-8bab-0019996bc1f7">
<topic>squid -- Denial of Service vulnerability in DNS handling</topic>
<affects>
<package>
<name>squid</name>
<range><ge>2.7.1</ge><lt>2.7.7_3</lt></range>
<range><ge>3.0.1</ge><lt>3.0.23</lt></range>
<range><ge>3.1.0.1</ge><lt>3.1.0.15_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Squid security advisory 2010:1 reports:</p>
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_1.txt">
<p>Due to incorrect data validation Squid is vulnerable to a denial
of service attack when processing specially crafted DNS packets.</p>
<p>This problem allows any trusted client or external server who can
determine the squid receiving port to perform a short-term denial
of service attack on the Squid service.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0308</cvename>
<url>http://www.squid-cache.org/Advisories/SQUID-2010_1.txt</url>
</references>
<dates>
<discovery>2010-01-14</discovery>
<entry>2010-02-01</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>

<vuln vid="696053c6-0f50-11df-a628-001517351c22">
<topic>bugzilla -- information leak</topic>
<affects>
<package>
<name>bugzilla</name>
<range><gt>3.3.1</gt><lt>3.4.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>A Bugzilla Security Advisory reports:</p>
<blockquote cite="http://www.bugzilla.org/security/3.0.10/">
<p>When moving a bug from one product to another, an intermediate
page is displayed letting you select the groups the bug should
be restricted to in the new product. However, a regression in
the 3.4.x series made it ignore all groups which are not
available in both products. As a workaround, you had to move
the bug to the new product first and then restrict it to the
desired groups, in two distinct steps, which could make the bug
temporarily public.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-3387</cvename>
<url>http://www.bugzilla.org/security/3.0.10/</url>
</references>
<dates>
<discovery>2010-01-31</discovery>
<entry>2010-02-01</entry>
</dates>
</vuln>

<vuln vid="192609c8-0c51-11df-82a0-00248c9b4be7">
<topic>ircd-ratbox -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ircd-ratbox</name>
<range><lt>2.2.9</lt></range>
</package>
<package>
<name>ircd-ratbox-devel</name>
<range><lt>3.0.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>SecurityFocus reports:</p>
<blockquote cite="http://www.securityfocus.com/archive/1/509201">
<p>The first affects the /quote HELP module and allows a user
to trigger an IRCD crash on some platforms.</p>
<p>The second affects the /links processing module when the
flatten_links configuration option is not enabled.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2009-4016</cvename>
<cvename>CVE-2010-0300</cvename>
<url>http://www.debian.org/security/2010/dsa-1980</url>
<url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000890.html</url>
<url>http://lists.ratbox.org/pipermail/ircd-ratbox/2010-January/000891.html</url>
</references>
<dates>
<discovery>2010-01-25</discovery>
<entry>2010-01-28</entry>
</dates>
</vuln>

<vuln vid="848539dc-0458-11df-8dd7-002170daae37">
<topic>dokuwiki -- multiple vulnerabilities</topic>
<affects>
<package>
<name>dokuwiki</name>
<range><lt>20091225_2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dokuwiki reports:</p>
<blockquote cite="http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1853">
<p>The plugin does no checks against cross-site request
forgeries (CSRF) which can be exploited to e.g. change
the access control rules by tricking a logged in
administrator into visiting a malicious web site.</p>
</blockquote>
<blockquote cite="http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1847">
<p>The bug allows listing the names of arbitrary files on
the webserver - not their contents. This could leak
private information about wiki pages and server structure.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2010-0288</cvename>
<cvename>CVE-2010-0287</cvename>
<cvename>CVE-2010-0289</cvename>
<url>http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1847</url>
<url>http://bugs.splitbrain.org/index.php?do=details&amp;task_id=1853</url>
</references>
<dates>
<discovery>2010-01-17</discovery>
<entry>2010-01-18</entry>
<modified>2010-05-02</modified>
</dates>
</vuln>

<vuln vid="c9263916-006f-11df-94cb-0050568452ac">
<topic>Zend Framework -- multiple vulnerabilities</topic>
<affects>
<package>
<name>ZendFramework</name>
<range><lt>1.9.7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Zend Framework team reports:</p>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-06">
<p>Potential XSS or HTML Injection vector in Zend_Json.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-05">
<p>Potential XSS vector in Zend_Service_ReCaptcha_MailHide.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-04">
<p>Potential MIME-type Injection in Zend_File_Transfer
Executive Summary.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-03">
<p>Potential XSS vector in Zend_Filter_StripTags when
comments allowed.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-02">
<p>Potential XSS vector in Zend_Dojo_View_Helper_Editor.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2010-01">
<p>Potential XSS vectors due to inconsistent encodings.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2009-02">
<p>XSS vector in Zend_Filter_StripTags.</p>
</blockquote>
<blockquote cite="http://framework.zend.com/security/advisory/ZF2009-01">
<p>LFI vector in Zend_View::setScriptPath() and render().</p>
</blockquote>
</body>
</description>
<references>
<url>http://framework.zend.com/security/advisory/ZF2010-06</url>
<url>http://framework.zend.com/security/advisory/ZF2010-05</url>
<url>http://framework.zend.com/security/advisory/ZF2010-04</url>
<url>http://framework.zend.com/security/advisory/ZF2010-03</url>
<url>http://framework.zend.com/security/advisory/ZF2010-02</url>
<url>http://framework.zend.com/security/advisory/ZF2010-01</url>
<url>http://framework.zend.com/security/advisory/ZF2009-02</url>
<url>http://framework.zend.com/security/advisory/ZF2009-01</url>
</references>
<dates>
<discovery>2009-12-31</discovery>
<entry>2010-01-11</entry>
</dates>
</vuln>

<vuln vid="dd8f2394-fd08-11de-b425-00215c6a37bb">
<topic>powerdns-recursor -- multiple vulnerabilities</topic>
<affects>
<package>
<name>powerdns-recursor</name>
<range><lt>3.1.7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PowerDNS Security Advisory reports:</p>
<blockquote cite="http://doc.powerdns.com/powerdns-advisory-2010-01.html">
<p>PowerDNS Recursor up to and including 3.1.7.1 can be
brought down and probably exploited.</p>
</blockquote>
<blockquote cite="http://doc.powerdns.com/powerdns-advisory-2010-02.html">
<p>PowerDNS Recursor up to and including 3.1.7.1 can be
spoofed into accepting bogus data</p>
</blockquote>
</body>
</description>
<references>
<bid>37650</bid>
<bid>37653</bid>
<cvename>CVE-2009-4010</cvename>
<cvename>CVE-2009-4009</cvename>
</references>
<dates>
<discovery>2010-01-06</discovery>
<entry>2010-01-09</entry>
</dates>
</vuln>

<vuln vid="56ba8728-f987-11de-b28d-00215c6a37bb">
<topic>PEAR -- Net_Ping and Net_Traceroute remote arbitrary command injection</topic>
<affects>
<package>
<name>pear-Net_Ping</name>
<range><lt>2.4.5</lt></range>
</package>
<package>
<name>pear-Net_Traceroute</name>
<range><lt>0.21.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>PEAR Security Advisory reports:</p>
<blockquote cite="http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/">
<p>Multiple remote arbitrary command injections have been
found in the Net_Ping and Net_Traceroute.</p>
<p>When input from forms is used directly, the attacker
could pass variables that would allow him to execute
remote arbitrary command injections.</p>
</blockquote>
</body>
</description>
<references>
<bid>37093</bid>
<bid>37094</bid>
<cvename>CVE-2009-4024</cvename>
<cvename>CVE-2009-4025</cvename>
<url>http://pear.php.net/advisory20091114-01.txt</url>
</references>
<dates>
<discovery>2009-11-14</discovery>
<entry>2010-01-04</entry>
</dates>
</vuln>