mirror of
https://git.FreeBSD.org/ports.git
synced 2024-12-25 04:43:33 +00:00
e14ed8232d
modify tidy.xsl to make it generates manually the xml declaration xsl is not able to generate a list of entity otherwise. Remove copyright form included files, they are redudundant anyway and in the end only the vuln.xml file is distribued with entities expanded Rework a bit the entity declaration in order for the document to look great after expansion (as it did before we introduced the expansion mechanism) All validation are now processed direcly on the flattened file. This is based on a patch from mfechner here Submitted by: mfechner Differential Revision: https://reviews.freebsd.org/D28299
8077 lines
289 KiB
XML
8077 lines
289 KiB
XML
<vuln vid="3e33a0bb-6b2f-11e3-b042-20cf30e32f6d">
|
|
<topic>OpenX -- SQL injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openx</name>
|
|
<range><lt>3.0.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Revive reports:</p>
|
|
<blockquote cite="http://www.revive-adserver.com/security/revive-sa-2013-001/">
|
|
<p>An SQL-injection vulnerability was recently discovered and reported
|
|
to the Revive Adserver team by Florian Sander. The vulnerability is
|
|
known to be already exploited to gain unauthorised access to the
|
|
application using brute force mechanisms, however other kind of
|
|
attacks might be possible and/or already in use. The risk is rated
|
|
to be critical as the most common end goal of the attackers is to
|
|
spread malware to the visitors of all the websites and ad networks
|
|
that the ad server is being used on.</p>
|
|
<p>The vulnerability is also present and exploitable in OpenX Source
|
|
2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.revive-adserver.com/security/revive-sa-2013-001/</url>
|
|
<url>http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/</url>
|
|
<cvename>CVE-2013-7149</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-12-20</discovery>
|
|
<entry>2013-12-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4e1f4abc-6837-11e3-9cda-3c970e169bc2">
|
|
<topic>cURL library -- cert name check ignore with GnuTLS</topic>
|
|
<affects>
|
|
<package>
|
|
<name>curl</name>
|
|
<range><ge>7.21.4</ge><lt>7.33.0_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>cURL project reports:</p>
|
|
<blockquote cite="http://curl.haxx.se/docs/adv_20131217.html">
|
|
<p>libcurl is vulnerable to a case of missing out the checking
|
|
of the certificate CN or SAN name field when the digital
|
|
signature verification is turned off.</p>
|
|
<p>libcurl offers two separate and independent options for
|
|
verifying a server's TLS certificate. CURLOPT_SSL_VERIFYPEER
|
|
and CURLOPT_SSL_VERIFYHOST. The first one tells libcurl to
|
|
verify the trust chain using a CA cert bundle, while the
|
|
second tells libcurl to make sure that the name fields in
|
|
the server certificate meets the criteria. Both options are
|
|
enabled by default.</p>
|
|
<p>This flaw had the effect that when an application disabled
|
|
CURLOPT_SSL_VERIFYPEER, libcurl mistakenly also skipped the
|
|
CURLOPT_SSL_VERIFYHOST check. Applications can disable
|
|
CURLOPT_SSL_VERIFYPEER and still achieve security by doing
|
|
the check on its own using other means.</p>
|
|
<p>The curl command line tool is not affected by this problem
|
|
as it either enables both options or disables both at the
|
|
same time.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://curl.haxx.se/docs/adv_20131217.html</url>
|
|
<cvename>CVE-2013-6422</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-12-17</discovery>
|
|
<entry>2013-12-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2e5715f8-67f7-11e3-9811-b499baab0cbe">
|
|
<topic>gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><lt>1.4.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>gnupg1</name>
|
|
<range><lt>1.4.16</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Werner Koch reports:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html">
|
|
<p>CVE-2013-4576 has been assigned to this security bug.</p>
|
|
<p>The paper describes two attacks. The first attack allows
|
|
to distinguish keys: An attacker is able to notice which key is
|
|
currently used for decryption. This is in general not a problem but
|
|
may be used to reveal the information that a message, encrypted to a
|
|
commonly not used key, has been received by the targeted machine. We
|
|
do not have a software solution to mitigate this attack.</p>
|
|
<p>The second attack is more serious. It is an adaptive
|
|
chosen ciphertext attack to reveal the private key. A possible
|
|
scenario is that the attacker places a sensor (for example a standard
|
|
smartphone) in the vicinity of the targeted machine. That machine is
|
|
assumed to do unattended RSA decryption of received mails, for example
|
|
by using a mail client which speeds up browsing by opportunistically
|
|
decrypting mails expected to be read soon. While listening to the
|
|
acoustic emanations of the targeted machine, the smartphone will send
|
|
new encrypted messages to that machine and re-construct the private
|
|
key bit by bit. A 4096 bit RSA key used on a laptop can be revealed
|
|
within an hour.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4576</cvename>
|
|
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-12-18</discovery>
|
|
<entry>2013-12-18</entry>
|
|
<modified>2014-04-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0c39bafc-6771-11e3-868f-0025905a4771">
|
|
<topic>asterisk -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>asterisk10</name>
|
|
<range><lt>10.12.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>asterisk11</name>
|
|
<range><lt>11.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>asterisk18</name>
|
|
<range><lt>1.8.24.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Asterisk project reports:</p>
|
|
<blockquote cite="https://www.asterisk.org/security">
|
|
<p>A 16 bit SMS message that contains an odd message length value will
|
|
cause the message decoding loop to run forever. The message buffer is
|
|
not on the stack but will be overflowed resulting in corrupted memory
|
|
and an immediate crash.</p>
|
|
<p>External control protocols, such as the Asterisk Manager Interface,
|
|
often have the ability to get and set channel variables; this allows
|
|
the execution of dialplan functions. Dialplan functions within
|
|
Asterisk are incredibly powerful, which is wonderful for building
|
|
applications using Asterisk. But during the read or write execution,
|
|
certain diaplan functions do much more. For example, reading the SHELL()
|
|
function can execute arbitrary commands on the system Asterisk is
|
|
running on. Writing to the FILE() function can change any file that
|
|
Asterisk has write access to. When these functions are executed from an
|
|
external protocol, that execution could result in a privilege escalation.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-7100</cvename>
|
|
<url>http://downloads.asterisk.org/pub/security/AST-2013-006.pdf</url>
|
|
<url>http://downloads.asterisk.org/pub/security/AST-2013-007.pdf</url>
|
|
<url>https://www.asterisk.org/security</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-12-16</discovery>
|
|
<entry>2013-12-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3b86583a-66a7-11e3-868f-0025905a4771">
|
|
<topic>phpmyfaq -- arbitrary PHP code execution vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpmyfaq</name>
|
|
<range><lt>2.8.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpMyFAQ team reports:</p>
|
|
<blockquote cite="http://www.phpmyfaq.de/advisory_2013-11-26.php">
|
|
<p>Secunia noticed while analysing the advisory that authenticated
|
|
users with "Right to add attachments" are able to exploit an already
|
|
publicly known issue in the bundled Ajax File Manager of phpMyFAQ version
|
|
2.8.3, which leads to arbitrary PHP code execution for authenticated
|
|
users with the permission "Right to add attachments".</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://en.securitylab.ru/lab/PT-2013-41</url>
|
|
<url>http://www.phpmyfaq.de/advisory_2013-11-26.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-11-26</discovery>
|
|
<entry>2013-12-16</entry>
|
|
<modified>2013-12-17</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="44d0f8dc-6607-11e3-bb11-0025900931f8">
|
|
<topic>zabbix -- shell command injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zabbix2-agent</name>
|
|
<range><lt>2.0.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Recurity Labs Team project reports:</p>
|
|
<blockquote cite="https://support.zabbix.com/browse/ZBX-7479">
|
|
<p>Zabbix agent is vulnerable to remote command execution
|
|
from the Zabbix server in some cases.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-6824</cvename>
|
|
<url>https://support.zabbix.com/browse/ZBX-7479</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-12-03</discovery>
|
|
<entry>2013-12-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="47b4e713-6513-11e3-868f-0025905a4771">
|
|
<topic>PHP5 -- memory corruption in openssl_x509_parse()</topic>
|
|
<affects>
|
|
<package>
|
|
<name>php5</name>
|
|
<range><ge>5.4.0</ge><lt>5.4.23</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>php53</name>
|
|
<range><lt>5.3.28</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>php55</name>
|
|
<range><ge>5.5.0</ge><lt>5.5.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Stefan Esser reports:</p>
|
|
<blockquote cite="https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html">
|
|
<p>The PHP function openssl_x509_parse() uses a helper function
|
|
called asn1_time_to_time_t() to convert timestamps from ASN1
|
|
string format into integer timestamp values. The parser within
|
|
this helper function is not binary safe and can therefore be
|
|
tricked to write up to five NUL bytes outside of an allocated
|
|
buffer.</p>
|
|
<p>This problem can be triggered by x509 certificates that contain
|
|
NUL bytes in their notBefore and notAfter timestamp fields and
|
|
leads to a memory corruption that might result in arbitrary
|
|
code execution.</p>
|
|
<p>Depending on how openssl_x509_parse() is used within a PHP
|
|
application the attack requires either a malicious cert signed
|
|
by a compromised/malicious CA or can be carried out with a
|
|
self-signed cert.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-6420</cvename>
|
|
<url>https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-12-13</discovery>
|
|
<entry>2013-12-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="dd116b19-64b3-11e3-868f-0025905a4771">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>25.0,1</gt><lt>26.0,1</lt></range>
|
|
<range><lt>24.2.0,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>26.0,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.23</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>24.2.0</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><lt>2.23</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>24.2.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2013-116 JPEG information leak</p>
|
|
<p>MFSA 2013-105 Application Installation doorhanger persists on
|
|
navigation</p>
|
|
<p>MFSA 2013-106 Character encoding cross-origin XSS attack</p>
|
|
<p>MFSA 2013-107 Sandbox restrictions not applied to nested object
|
|
elements</p>
|
|
<p>MFSA 2013-108 Use-after-free in event listeners</p>
|
|
<p>MFSA 2013-109 Use-after-free during Table Editing</p>
|
|
<p>MFSA 2013-110 Potential overflow in JavaScript binary search
|
|
algorithms</p>
|
|
<p>MFSA 2013-111 Segmentation violation when replacing ordered list
|
|
elements</p>
|
|
<p>MFSA 2013-112 Linux clipboard information disclosure though
|
|
selection paste</p>
|
|
<p>MFSA 2013-113 Trust settings for built-in roots ignored during EV
|
|
certificate validation</p>
|
|
<p>MFSA 2013-114 Use-after-free in synthetic mouse movement</p>
|
|
<p>MFSA 2013-115 GetElementIC typed array stubs can be generated
|
|
outside observed typesets</p>
|
|
<p>MFSA 2013-116 JPEG information leak</p>
|
|
<p>MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-5609</cvename>
|
|
<cvename>CVE-2013-5610</cvename>
|
|
<cvename>CVE-2013-5611</cvename>
|
|
<cvename>CVE-2013-5612</cvename>
|
|
<cvename>CVE-2013-5613</cvename>
|
|
<cvename>CVE-2013-5614</cvename>
|
|
<cvename>CVE-2013-5615</cvename>
|
|
<cvename>CVE-2013-5616</cvename>
|
|
<cvename>CVE-2013-5618</cvename>
|
|
<cvename>CVE-2013-5619</cvename>
|
|
<cvename>CVE-2013-6629</cvename>
|
|
<cvename>CVE-2013-6630</cvename>
|
|
<cvename>CVE-2013-6671</cvename>
|
|
<cvename>CVE-2013-6672</cvename>
|
|
<cvename>CVE-2013-6673</cvename>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-104.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-105.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-106.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-107.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-108.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-109.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-110.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-111.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-112.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-113.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-114.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-115.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-116.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-117.html</url>
|
|
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-12-09</discovery>
|
|
<entry>2013-12-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="613e45d1-6154-11e3-9b62-000c292e4fd8">
|
|
<topic>samba -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba34</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba35</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba36</name>
|
|
<range><gt>3.6.*</gt><lt>3.6.22</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba4</name>
|
|
<range><gt>4.0.*</gt><lt>4.0.13</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba41</name>
|
|
<range><gt>4.1.*</gt><lt>4.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Samba project reports:</p>
|
|
<blockquote cite="http://www.samba.org/samba/latest_news.html#4.1.3">
|
|
<p>These are security releases in order to address CVE-2013-4408
|
|
(DCE-RPC fragment length field is incorrectly checked) and CVE-2012-6150
|
|
(pam_winbind login without require_membership_of restrictions).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-6150</cvename>
|
|
<cvename>CVE-2013-4408</cvename>
|
|
<url>http://www.samba.org/samba/security/CVE-2012-6150</url>
|
|
<url>http://www.samba.org/samba/security/CVE-2013-4408</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-06-12</discovery>
|
|
<entry>2013-12-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6a806960-3016-44ed-8575-8614a7cb57c7">
|
|
<topic>rails -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rubygem-actionmailer</name>
|
|
<range><lt>3.2.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-actionpack</name>
|
|
<range><lt>3.2.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-activemodel</name>
|
|
<range><lt>3.2.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-activerecord</name>
|
|
<range><lt>3.2.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-activeresource</name>
|
|
<range><lt>3.2.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-activesupport</name>
|
|
<range><lt>3.2.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-rails</name>
|
|
<range><lt>3.2.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-railties</name>
|
|
<range><lt>3.2.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-actionpack4</name>
|
|
<range><lt>4.0.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-activesupport4</name>
|
|
<range><lt>4.0.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Rails weblog:</p>
|
|
<blockquote cite="http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/">
|
|
<p>Rails 3.2.16 and 4.0.2 have been released! These two
|
|
releases contain important security fixes, so please upgrade
|
|
as soon as possible! In order to make upgrading as smooth as
|
|
possible, we've only included commits directly related to
|
|
each security issue.</p>
|
|
<p>The security fixes in 3.2.16 are:</p>
|
|
<ul>
|
|
<li>CVE-2013-4491</li>
|
|
<li>CVE-2013-6414</li>
|
|
<li>CVE-2013-6415</li>
|
|
<li>CVE-2013-6417</li>
|
|
</ul>
|
|
<p>The security fixes in 4.0.2 are:</p>
|
|
<ul>
|
|
<li>CVE-2013-4491</li>
|
|
<li>CVE-2013-6414</li>
|
|
<li>CVE-2013-6415</li>
|
|
<li>CVE-2013-6416</li>
|
|
<li>CVE-2013-6417</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4491</cvename>
|
|
<cvename>CVE-2013-6414</cvename>
|
|
<cvename>CVE-2013-6415</cvename>
|
|
<cvename>CVE-2013-6416</cvename>
|
|
<cvename>CVE-2013-6417</cvename>
|
|
<url>http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-12-03</discovery>
|
|
<entry>2013-12-08</entry>
|
|
<modified>2014-04-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d9649816-5e0d-11e3-8d23-3c970e169bc2">
|
|
<topic>drupal -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal6</name>
|
|
<range><lt>6.29</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>drupal7</name>
|
|
<range><lt>7.24</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Drupal Security Team reports:</p>
|
|
<blockquote cite="https://drupal.org/SA-CORE-2013-003">
|
|
<p>Multiple vulnerabilities were fixed in the supported Drupal
|
|
core versions 6 and 7.</p>
|
|
<ul>
|
|
<li>Multiple vulnerabilities due to optimistic cross-site
|
|
request forgery protection (Form API validation - Drupal 6
|
|
and 7)</li>
|
|
<li>Multiple vulnerabilities due to weakness in pseudorandom
|
|
number generation using mt_rand() (Form API, OpenID and
|
|
random password generation - Drupal 6 and 7)</li>
|
|
<li>Code execution prevention (Files directory .htaccess for
|
|
Apache - Drupal 6 and 7)</li>
|
|
<li>Access bypass (Security token validation - Drupal 6 and 7)</li>
|
|
<li>Cross-site scripting (Image module - Drupal 7)</li>
|
|
<li>Cross-site scripting (Color module - Drupal 7)</li>
|
|
<li>Open redirect (Overlay module - Drupal 7)</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://drupal.org/SA-CORE-2013-003</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-11-20</discovery>
|
|
<entry>2013-12-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4158c57e-5d39-11e3-bc1e-6cf0490a8c18">
|
|
<topic>Joomla! -- Core XSS Vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>joomla2</name>
|
|
<range><ge>2.5.*</ge><le>2.5.14</le></range>
|
|
</package>
|
|
<package>
|
|
<name>joomla3</name>
|
|
<range><ge>3.0.*</ge><le>3.1.5</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The JSST and the Joomla! Security Center report:</p>
|
|
<blockquote cite="http://developer.joomla.org/security/570-core-xss-20131101.html">
|
|
<h2>[20131101] Core XSS Vulnerability</h2>
|
|
<p>Inadequate filtering leads to XSS vulnerability in com_contact.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/571-core-xss-20131102.html">
|
|
<h2>[20131102] Core XSS Vulnerability</h2>
|
|
<p>Inadequate filtering leads to XSS vulnerability in com_contact, com_weblinks, com_newsfeeds.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/572-core-xss-20131103.html">
|
|
<h2>[20131103] Core XSS Vulnerability</h2>
|
|
<p>Inadequate filtering leads to XSS vulnerability in com_contact.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://developer.joomla.org/security/570-core-xss-20131101.html</url>
|
|
<url>http://developer.joomla.org/security/571-core-xss-20131102.html</url>
|
|
<url>http://developer.joomla.org/security/572-core-xss-20131103.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-11-01</discovery>
|
|
<entry>2013-12-04</entry>
|
|
<modified>2014-04-23</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d2073237-5b52-11e3-80f7-c86000cbc6ec">
|
|
<topic>OpenTTD -- Denial of service using forcefully crashed aircrafts</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openttd</name>
|
|
<range><ge>0.3.6</ge><lt>1.3.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OpenTTD Team reports:</p>
|
|
<blockquote cite="https://security.openttd.org/en/CVE-2013-6411">
|
|
<p>The problem is caused by incorrectly handling the fact that
|
|
the aircraft circling the corner airport will be outside of the
|
|
bounds of the map. In the 'out of fuel' crash code the height
|
|
of the tile under the aircraft is determined. In this case
|
|
that means a tile outside of the allocated map array, which
|
|
could occasionally trigger invalid reads.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-6411</cvename>
|
|
<url>https://security.openttd.org/en/CVE-2013-6411</url>
|
|
<url>http://bugs.openttd.org/task/5820</url>
|
|
<url>http://vcs.openttd.org/svn/changeset/26134</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-11-28</discovery>
|
|
<entry>2013-11-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="620cf713-5a99-11e3-878d-20cf30e32f6d">
|
|
<topic>monitorix -- serious bug in the built-in HTTP server</topic>
|
|
<affects>
|
|
<package>
|
|
<name>monitorix</name>
|
|
<range><lt>3.3.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Monitorix Project reports:</p>
|
|
<blockquote cite="http://www.monitorix.org/news.html#N331">
|
|
<p>A serious bug in the built-in HTTP server. It was discovered that the
|
|
handle_request() routine did not properly perform input sanitization
|
|
which led into a number of security vulnerabilities. An unauthenticated,
|
|
remote attacker could exploit this flaw to execute arbitrary commands on
|
|
the remote host. All users still using older versions are advised to
|
|
upgrade to this version, which resolves this issue.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.monitorix.org/news.html#N331</url>
|
|
<url>https://github.com/mikaku/Monitorix/issues/30</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-11-21</discovery>
|
|
<entry>2013-12-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e3244a7b-5603-11e3-878d-20cf30e32f6d">
|
|
<topic>subversion -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>subversion</name>
|
|
<range><ge>1.4.0</ge><lt>1.7.14</lt></range>
|
|
<range><ge>1.8.0</ge><lt>1.8.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Subversion Project reports:</p>
|
|
<blockquote cite="http://subversion.apache.org/security/">
|
|
<p>mod_dontdothat does not restrict requests from serf based clients</p>
|
|
<p>mod_dontdothat allows you to block update REPORT requests against certain
|
|
paths in the repository. It expects the paths in the REPORT request
|
|
to be absolute URLs. Serf based clients send relative URLs instead
|
|
of absolute URLs in many cases. As a result these clients are not blocked
|
|
as configured by mod_dontdothat.</p>
|
|
<p>mod_dav_svn assertion triggered by non-canonical URLs in autoversioning commits</p>
|
|
<p>When SVNAutoversioning is enabled via SVNAutoversioning on
|
|
commits can be made by single HTTP requests such as MKCOL and
|
|
PUT. If Subversion is built with assertions enabled any such
|
|
requests that have non-canonical URLs, such as URLs with a
|
|
trailing /, may trigger an assert. An assert will cause the
|
|
Apache process to abort.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4505</cvename>
|
|
<cvename>CVE-2013-4558</cvename>
|
|
<url>http://subversion.apache.org/security/CVE-2013-4505-advisory.txt</url>
|
|
<url>http://subversion.apache.org/security/CVE-2013-4558-advisory.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-11-15</discovery>
|
|
<entry>2013-11-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="742eb9e4-e3cb-4f5a-b94e-0e9a39420600">
|
|
<topic>ruby-gems -- Algorithmic Complexity Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby19-gems</name>
|
|
<range><lt>1.8.27</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby20-gems</name>
|
|
<range><lt>1.8.27</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby Gem developers report:</p>
|
|
<blockquote cite="http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html">
|
|
<p>The patch for CVE-2013-4363 was insufficiently verified so the
|
|
combined regular expression for verifying gem version remains
|
|
vulnerable following CVE-2013-4363.</p>
|
|
<p>RubyGems validates versions with a regular expression that is
|
|
vulnerable to denial of service due to backtracking. For specially
|
|
crafted RubyGems versions attackers can cause denial of service
|
|
through CPU consumption.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4363</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-09-24</discovery>
|
|
<entry>2013-11-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="54237182-9635-4a8b-92d7-33bfaeed84cd">
|
|
<topic>ruby-gems -- Algorithmic Complexity Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby19-gems</name>
|
|
<range><lt>1.8.26</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby20-gems</name>
|
|
<range><lt>1.8.26</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby Gem developers report:</p>
|
|
<blockquote cite="http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html">
|
|
<p>RubyGems validates versions with a regular expression that is
|
|
vulnerable to denial of service due to backtracking. For specially
|
|
crafted RubyGems versions attackers can cause denial of service
|
|
through CPU consumption.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4287</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-09-09</discovery>
|
|
<entry>2013-11-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cc9043cf-7f7a-426e-b2cc-8d1980618113">
|
|
<topic>ruby -- Heap Overflow in Floating Point Parsing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby19</name>
|
|
<range><lt>1.9.3.484,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby20</name>
|
|
<range><lt>2.0.0.353,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby developers report:</p>
|
|
<blockquote cite="https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/">
|
|
<p>Any time a string is converted to a floating point value, a
|
|
specially crafted string can cause a heap overflow. This can lead
|
|
to a denial of service attack via segmentation faults and possibly
|
|
arbitrary code execution. Any program that converts input of
|
|
unknown origin to floating point values (especially common when
|
|
accepting JSON) are vulnerable.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/</url>
|
|
<url>https://www.ruby-lang.org/en/news/2013/11/22/ruby-2-0-0-p353-is-released/</url>
|
|
<cvename>CVE-2013-4164</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-11-22</discovery>
|
|
<entry>2013-11-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="479efd57-516e-11e3-9b62-000c292e4fd8">
|
|
<topic>samba -- Private key in key.pem world readable</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba4</name>
|
|
<range><gt>4.0.*</gt><lt>4.0.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba41</name>
|
|
<range><gt>4.1.*</gt><lt>4.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Samba project reports:</p>
|
|
<blockquote cite="http://www.samba.org/samba/security/CVE-2013-4476">
|
|
<p>Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is
|
|
provided over SSL, uses world-readable permissions for a private key,
|
|
which allows local users to obtain sensitive information by reading the
|
|
key file, as demonstrated by access to the local filesystem on an AD
|
|
domain controller.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4476</cvename>
|
|
<url>http://www.samba.org/samba/security/CVE-2013-4476</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-12</discovery>
|
|
<entry>2013-11-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a4f08579-516c-11e3-9b62-000c292e4fd8">
|
|
<topic>samba -- ACLs are not checked on opening an alternate data stream on a file or directory</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba34</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba35</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba36</name>
|
|
<range><gt>3.6.*</gt><lt>3.6.20</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba4</name>
|
|
<range><gt>4.0.*</gt><lt>4.0.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba41</name>
|
|
<range><gt>4.1.*</gt><lt>4.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Samba project reports:</p>
|
|
<blockquote cite="http://www.samba.org/samba/security/CVE-2013-4475">
|
|
<p>Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
|
|
3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
|
|
file or directory ACL when opening an alternate data stream.</p>
|
|
<p>According to the SMB1 and SMB2+ protocols the ACL on an underlying
|
|
file or directory should control what access is allowed to alternate
|
|
data streams that are associated with the file or directory.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4475</cvename>
|
|
<url>http://www.samba.org/samba/security/CVE-2013-4475</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-12</discovery>
|
|
<entry>2013-11-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="94b6264a-5140-11e3-8b22-f0def16c5c1b">
|
|
<topic>nginx -- Request line parsing vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nginx</name>
|
|
<range><ge>0.8.41</ge><lt>1.4.4,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>nginx-devel</name>
|
|
<range><ge>0.8.41</ge><lt>1.5.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The nginx project reports:</p>
|
|
<blockquote cite="http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html">
|
|
<p>Ivan Fratric of the Google Security Team discovered a bug in nginx, which might
|
|
allow an attacker to bypass security restrictions in certain configurations by
|
|
using a specially crafted request, or might have potential other impact
|
|
(CVE-2013-4547).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4547</cvename>
|
|
<url>http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-11-19</discovery>
|
|
<entry>2013-11-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="adcbdba2-4c27-11e3-9848-98fc11cdc4f5">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>11.2r202.327</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-26.html">
|
|
<p>These updates address vulnerabilities that could cause a crash
|
|
and potentially allow an attacker to take control of the affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-5329</cvename>
|
|
<cvename>CVE-2013-5330</cvename>
|
|
<url>http://www.adobe.com/support/security/bulletins/apsb13-26.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-11-12</discovery>
|
|
<entry>2013-11-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5709d244-4873-11e3-8a46-000d601460a4">
|
|
<topic>OpenSSH -- Memory corruption in sshd</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openssh-portable</name>
|
|
<range><ge>6.2.p2,1</ge><lt>6.4.p1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>openssh-portable-base</name>
|
|
<range><ge>6.2.p2,1</ge><lt>6.4.p1,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OpenSSH development team reports:</p>
|
|
<blockquote cite="http://www.openssh.com/txt/gcmrekey.adv">
|
|
<p>A memory corruption vulnerability exists in the post-
|
|
authentication sshd process when an AES-GCM cipher
|
|
(aes128-gcm@openssh.com or aes256-gcm@openssh.com) is
|
|
selected during kex exchange.</p>
|
|
<p>If exploited, this vulnerability might permit code execution
|
|
with the privileges of the authenticated user and may
|
|
therefore allow bypassing restricted shell/command
|
|
configurations.</p>
|
|
<p>Either upgrade to 6.4 or disable AES-GCM in the server
|
|
configuration. The following sshd_config option will disable
|
|
AES-GCM while leaving other ciphers active:</p>
|
|
<p>Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.openssh.com/txt/gcmrekey.adv</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-11-07</discovery>
|
|
<entry>2013-11-08</entry>
|
|
<modified>2013-11-13</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f969bad7-46fc-11e3-b6ee-00269ee29e57">
|
|
<topic>Quassel IRC -- SQL injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>quassel</name>
|
|
<range><lt>0.9.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Quassel IRC developers report:</p>
|
|
<blockquote cite="http://www.quassel-irc.org/node/120">
|
|
<p>SQL injection vulnerability in Quassel IRC before 0.9.1,
|
|
when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used,
|
|
allows remote attackers to execute arbitrary SQL commands via
|
|
a \ (backslash) in a message.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4422</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-10-07</discovery>
|
|
<entry>2013-11-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="81f866ad-41a4-11e3-a4af-0025905a4771">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><lt>24.1.0,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>25.0,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.22</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>24.1.0</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><lt>2.22</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>24.1.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p> MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 /
|
|
rv:24.1 / rv:17.0.10)</p>
|
|
<p> MFSA 2013-94 Spoofing addressbar though SELECT element</p>
|
|
<p> MFSA 2013-95 Access violation with XSLT and uninitialized data</p>
|
|
<p> MFSA 2013-96 Improperly initialized memory and overflows in some
|
|
JavaScript functions</p>
|
|
<p> MFSA 2013-97 Writing to cycle collected object during image
|
|
decoding</p>
|
|
<p> MFSA 2013-98 Use-after-free when updating offline cache</p>
|
|
<p> MFSA 2013-99 Security bypass of PDF.js checks using iframes</p>
|
|
<p> MFSA 2013-100 Miscellaneous use-after-free issues found through
|
|
ASAN fuzzing</p>
|
|
<p> MFSA 2013-101 Memory corruption in workers</p>
|
|
<p> MFSA 2013-102 Use-after-free in HTML document templates</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1739</cvename>
|
|
<cvename>CVE-2013-5590</cvename>
|
|
<cvename>CVE-2013-5591</cvename>
|
|
<cvename>CVE-2013-5592</cvename>
|
|
<cvename>CVE-2013-5593</cvename>
|
|
<cvename>CVE-2013-5595</cvename>
|
|
<cvename>CVE-2013-5596</cvename>
|
|
<cvename>CVE-2013-5597</cvename>
|
|
<cvename>CVE-2013-5598</cvename>
|
|
<cvename>CVE-2013-5599</cvename>
|
|
<cvename>CVE-2013-5600</cvename>
|
|
<cvename>CVE-2013-5601</cvename>
|
|
<cvename>CVE-2013-5602</cvename>
|
|
<cvename>CVE-2013-5603</cvename>
|
|
<cvename>CVE-2013-5604</cvename>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-93.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-94.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-95.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-96.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-97.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-98.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-99.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-100.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-101.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-102.html</url>
|
|
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-10-29</discovery>
|
|
<entry>2013-10-30</entry>
|
|
<modified>2013-10-31</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4e23644c-cb93-4f83-9e20-5bc07ad9b39f">
|
|
<topic>mod_pagespeed -- critical cross-site scripting (XSS) vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_pagespeed</name>
|
|
<range><lt>1.2.24.2,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>mod_pagespeed developers report:</p>
|
|
<blockquote cite="https://groups.google.com/forum/#!msg/mod-pagespeed-announce/oo015UHRxMc/JcAuf1hE8L8J">
|
|
<p>Various versions of mod_pagespeed are subject to critical
|
|
cross-site scripting (XSS) vulnerability, CVE-2013-6111. This
|
|
permits a hostile third party to execute JavaScript in users'
|
|
browsers in context of the domain running mod_pagespeed, which
|
|
could permit theft of users' cookies or data on the site.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-6111</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-10-04</discovery>
|
|
<entry>2013-10-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cd082cc6-1548-4b8d-a3aa-a007be611a29">
|
|
<cancelled/>
|
|
</vuln>
|
|
|
|
<vuln vid="9065b930-3d8b-11e3-bd1a-e840f2096bd0">
|
|
<topic>gnutls -- denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnutls3</name>
|
|
<range><lt>3.1.16</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Salvatore Bonaccorso reports:</p>
|
|
<blockquote cite="http://www.gnutls.org/security.html#GNUTLS-SA-2013-3">
|
|
<p>This vulnerability affects the DANE library of gnutls 3.1.x and
|
|
gnutls 3.2.x. A server that returns more 4 DANE entries could
|
|
corrupt the memory of a requesting client.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4466</cvename>
|
|
<url>http://www.gnutls.org/security.html#GNUTLS-SA-2013-3</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-10-25</discovery>
|
|
<entry>2013-10-25</entry>
|
|
<modified>2013-11-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9a57c607-3cab-11e3-b4d9-bcaec565249c">
|
|
<topic>xorg-server -- use-after-free</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xorg-server</name>
|
|
<range><ge>1.7.0</ge><lt>1.7.7_11</lt></range>
|
|
<range><ge>1.12.0</ge><lt>1.12.4_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Alan Coopersmith reports:</p>
|
|
<blockquote cite="http://lists.x.org/archives/xorg-announce/2013-October/002332.html">
|
|
<p>Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org
|
|
security team in which an authenticated X client can cause an X
|
|
server to use memory after it was freed, potentially leading to
|
|
crash and/or memory corruption.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4396</cvename>
|
|
<url>http://lists.x.org/archives/xorg-announce/2013-October/002332.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-10-08</discovery>
|
|
<entry>2013-10-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c0f122e2-3897-11e3-a084-3c970e169bc2">
|
|
<topic>pycrypto -- PRNG reseed race condition</topic>
|
|
<affects>
|
|
<package>
|
|
<name>py26-pycrypto</name>
|
|
<range><lt>2.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py27-pycrypto</name>
|
|
<range><lt>2.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py31-pycrypto</name>
|
|
<range><lt>2.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py32-pycrypto</name>
|
|
<range><lt>2.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py33-pycrypto</name>
|
|
<range><lt>2.6.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Dwayne Litzenberger reports:</p>
|
|
<blockquote cite="http://lists.dlitz.net/pipermail/pycrypto/2013q4/000702.html">
|
|
<p>In PyCrypto before v2.6.1, the Crypto.Random pseudo-random
|
|
number generator (PRNG) exhibits a race condition that may cause
|
|
it to generate the same 'random' output in multiple processes that
|
|
are forked from each other. Depending on the application, this
|
|
could reveal sensitive information or cryptographic keys to remote
|
|
attackers.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1445</cvename>
|
|
<url>http://lists.dlitz.net/pipermail/pycrypto/2013q4/000702.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-10-17</discovery>
|
|
<entry>2013-10-19</entry>
|
|
<modified>2014-04-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="043d3a78-f245-4938-9bc7-3d0d35dd94bf">
|
|
<topic>wordpress -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>zh-wordpress-zh_CN</name>
|
|
<range><lt>3.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>zh-wordpress-zh_TW</name>
|
|
<range><lt>3.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-wordpress</name>
|
|
<range><lt>3.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ja-wordpress</name>
|
|
<range><lt>3.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-wordpress</name>
|
|
<range><lt>3.6.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>wordpress</name>
|
|
<range><lt>3.6.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The wordpress development team reports:</p>
|
|
<blockquote cite="http://wordpress.org/news/2013/09/wordpress-3-6-1/">
|
|
<ul>
|
|
<li>Block unsafe PHP unserialization that could occur in limited
|
|
situations and setups, which can lead to remote code
|
|
execution.</li>
|
|
<li>Prevent a user with an Author role, using a specially crafted
|
|
request, from being able to create a post "written by" another
|
|
user.</li>
|
|
<li>Fix insufficient input validation that could result in
|
|
redirecting or leading a user to another website.</li>
|
|
</ul>
|
|
<p>Additionally, we've adjusted security restrictions around file
|
|
uploads to mitigate the potential for cross-site scripting.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4338</cvename>
|
|
<cvename>CVE-2013-4339</cvename>
|
|
<cvename>CVE-2013-4340</cvename>
|
|
<cvename>CVE-2013-5738</cvename>
|
|
<cvename>CVE-2013-5739</cvename>
|
|
<url>http://wordpress.org/news/2013/09/wordpress-3-6-1/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-09-11</discovery>
|
|
<entry>2013-10-19</entry>
|
|
<modified>2014-04-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="206f9826-a06d-4927-9a85-771c37010b32">
|
|
<topic>node.js -- DoS Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>node</name>
|
|
<range><lt>0.10.21</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>node-devel</name>
|
|
<range><lt>0.11.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>node.js developers report</p>
|
|
<blockquote cite="http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/">
|
|
<p>This release contains a security fix for the http server implementation, please upgrade as soon as possible.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-10-19</discovery>
|
|
<entry>2013-10-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e135f0c9-375f-11e3-80b7-20cf30e32f6d">
|
|
<topic>bugzilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bugzilla</name>
|
|
<range><ge>4.0.0</ge><lt>4.0.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bugzilla40</name>
|
|
<range><ge>4.0.0</ge><lt>4.0.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bugzilla42</name>
|
|
<range><ge>4.2.0</ge><lt>4.2.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bugzilla44</name>
|
|
<range><ge>4.4</ge><lt>4.4.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>A Bugzilla Security Advisory reports:</h1>
|
|
<blockquote cite="http://www.bugzilla.org/security/4.0.10/">
|
|
<h1>Cross-Site Request Forgery</h1>
|
|
<p>When a user submits changes to a bug right after another
|
|
user did, a midair collision page is displayed to inform
|
|
the user about changes recently made. This page contains
|
|
a token which can be used to validate the changes if the
|
|
user decides to submit his changes anyway. A regression
|
|
in Bugzilla 4.4 caused this token to be recreated if a
|
|
crafted URL was given, even when no midair collision page
|
|
was going to be displayed, allowing an attacker to bypass
|
|
the token check and abuse a user to commit changes on his
|
|
behalf.</p>
|
|
<h1>Cross-Site Request Forgery</h1>
|
|
<p>When an attachment is edited, a token is generated to
|
|
validate changes made by the user. Using a crafted URL,
|
|
an attacker could force the token to be recreated,
|
|
allowing him to bypass the token check and abuse a user
|
|
to commit changes on his behalf.</p>
|
|
<h1>Cross-Site Scripting</h1>
|
|
<p>Some parameters passed to editflagtypes.cgi were not
|
|
correctly filtered in the HTML page, which could lead
|
|
to XSS.</p>
|
|
<h1>Cross-Site Scripting</h1>
|
|
<p>Due to an incomplete fix for CVE-2012-4189, some
|
|
incorrectly filtered field values in tabular reports
|
|
could lead to XSS.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1733</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=911593</url>
|
|
<cvename>CVE-2013-1734</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=913904</url>
|
|
<cvename>CVE-2013-1742</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=924802</url>
|
|
<cvename>CVE-2013-1743</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=924932</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-10-16</discovery>
|
|
<entry>2013-10-17</entry>
|
|
<modified>2014-04-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8c9b48d1-3715-11e3-a624-00262d8b701d">
|
|
<topic>dropbear -- exposure of sensitive information, DoS</topic>
|
|
<affects>
|
|
<package>
|
|
<name>dropbear</name>
|
|
<range><ge>2012.55</ge><lt>2013.59</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Dropbear project reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/55173/">
|
|
<p>A weakness and a vulnerability have been reported in Dropbear
|
|
SSH Server, which can be exploited by malicious people to disclose
|
|
certain sensitive information and cause a DoS.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>62958</bid>
|
|
<bid>62993</bid>
|
|
<cvename>CVE-2013-4421</cvename>
|
|
<cvename>CVE-2013-4434</cvename>
|
|
<url>http://secunia.com/advisories/55173</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-08</discovery>
|
|
<!-- discovery>2013-10-03</discovery -->
|
|
<entry>2013-10-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9003b500-31e3-11e3-b0d0-20cf30e32f6d">
|
|
<topic>mod_fcgid -- possible heap buffer overwrite</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ap22-mod_fcgid</name>
|
|
<range><lt>2.3.9</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ap24-mod_fcgid</name>
|
|
<range><lt>2.3.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Apache Project reports:</p>
|
|
<blockquote cite="https://mail-archives.apache.org/mod_mbox/httpd-cvs/201309.mbox/%3C20130929174048.13B962388831@eris.apache.org%3E">
|
|
<p>Fix possible heap buffer overwrite.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4365</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-09-29</discovery>
|
|
<entry>2013-10-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="749b5587-2da1-11e3-b1a9-b499baab0cbe">
|
|
<topic>gnupg -- possible infinite recursion in the compressed packet parser</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><lt>1.4.15</lt></range>
|
|
<range><ge>2.0.0</ge><lt>2.0.22</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Werner Koch reports:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000333.html">
|
|
<p>Special crafted input data may be used to cause a denial of service
|
|
against GPG (GnuPG's OpenPGP part) and some other OpenPGP
|
|
implementations. All systems using GPG to process incoming data are
|
|
affected..</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4402</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-10-05</discovery>
|
|
<entry>2013-10-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5c34664f-2c2b-11e3-87c2-00215af774f0">
|
|
<topic>xinetd -- ignores user and group directives for TCPMUX services</topic>
|
|
<affects>
|
|
<package>
|
|
<name>xinetd</name>
|
|
<range><lt>2.3.15_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>xinetd would execute configured TCPMUX services without dropping
|
|
privilege to match the service configuration allowing the service to
|
|
run with same privilege as the xinetd process (root).</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4342</cvename>
|
|
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678</url>
|
|
<url>https://bugzilla.redhat.com/show_bug.cgi?id=1006100</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2005-08-23</discovery>
|
|
<entry>2013-10-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ccefac3e-2aed-11e3-af10-000c29789cb5">
|
|
<topic>polarssl -- Timing attack against protected RSA-CRT implementation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>polarssl</name>
|
|
<range><lt>1.2.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>PolarSSL Project reports:</p>
|
|
<blockquote cite="https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05">
|
|
<p>The researchers Cyril Arnaud and Pierre-Alain Fouque
|
|
investigated the PolarSSL RSA implementation and discovered
|
|
a bias in the implementation of the Montgomery multiplication
|
|
that we used. For which they then show that it can be used to
|
|
mount an attack on the RSA key. Although their test attack is
|
|
done on a local system, there seems to be enough indication
|
|
that this can properly be performed from a remote system as
|
|
well.</p>
|
|
<p>All versions prior to PolarSSL 1.2.9 and 1.3.0 are affected
|
|
if a third party can send arbitrary handshake messages to your
|
|
server.</p>
|
|
<p>If correctly executed, this attack reveals the entire private
|
|
RSA key after a large number of attack messages (> 600.000 on
|
|
a local machine) are sent to show the timing differences.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-5915</cvename>
|
|
<url>https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05</url>
|
|
<url>https://polarssl.org/tech-updates/releases/polarssl-1.2.9-released</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-10-01</discovery>
|
|
<entry>2013-10-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e1f99d59-81aa-4662-bf62-c1076f5016c8">
|
|
<topic>py-graphite-web -- Multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>py26-graphite-web</name>
|
|
<range><ge>0.9.5</ge><lt>0.9.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py27-graphite-web</name>
|
|
<range><ge>0.9.5</ge><lt>0.9.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py31-graphite-web</name>
|
|
<range><ge>0.9.5</ge><lt>0.9.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py32-graphite-web</name>
|
|
<range><ge>0.9.5</ge><lt>0.9.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py33-graphite-web</name>
|
|
<range><ge>0.9.5</ge><lt>0.9.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Graphite developers report:</p>
|
|
<blockquote cite="http://graphite.readthedocs.org/en/0.9.11/releases/0_9_11.html">
|
|
<p>This release contains several security fixes for cross-site
|
|
scripting (XSS) as well as a fix for a remote-execution exploit in
|
|
graphite-web (CVE-2013-5903).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-5093</cvename>
|
|
<url>https://github.com/rapid7/metasploit-framework/pull/2260</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-08-21</discovery>
|
|
<entry>2013-09-30</entry>
|
|
<modified>2014-04-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="05dc6efa-2370-11e3-95b7-00e0814cab4e">
|
|
<topic>django -- denial-of-service via large passwords</topic>
|
|
<affects>
|
|
<package>
|
|
<name>py26-django</name>
|
|
<range><ge>1.5</ge><lt>1.5.4</lt></range>
|
|
<range><ge>1.4</ge><lt>1.4.8</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py27-django</name>
|
|
<range><ge>1.5</ge><lt>1.5.4</lt></range>
|
|
<range><ge>1.4</ge><lt>1.4.8</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py26-django-devel</name>
|
|
<range><lt>20130922,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py27-django-devel</name>
|
|
<range><lt>20130922,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Django project reports:</p>
|
|
<blockquote cite="https://www.djangoproject.com/weblog/2013/sep/15/security/">
|
|
<p>These releases address a denial-of-service attack against Django's
|
|
authentication framework. All users of Django are encouraged to
|
|
upgrade immediately.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1443</cvename>
|
|
<url>https://www.djangoproject.com/weblog/2013/sep/15/security/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-09-15</discovery>
|
|
<entry>2013-09-22</entry>
|
|
<modified>2014-04-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b72bad1c-20ed-11e3-be06-000c29ee3065">
|
|
<topic>FreeBSD -- Cross-mount links between nullfs(5) mounts</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>9.1</ge><lt>9.1_7</lt></range>
|
|
<range><ge>8.4</ge><lt>8.4_4</lt></range>
|
|
<range><ge>8.3</ge><lt>8.3_11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem Description:</p>
|
|
<p>The nullfs(5) implementation of the VOP_LINK(9) VFS
|
|
operation does not check whether the source and target of
|
|
the link are both in the same nullfs instance. It is
|
|
therefore possible to create a hardlink from a location in
|
|
one nullfs instance to a file in another, as long as the
|
|
underlying (source) filesystem is the same.</p>
|
|
<p>Impact:</p>
|
|
<p>If multiple nullfs views into the same filesystem are
|
|
mounted in different locations, a user with read access to
|
|
one of these views and write access to another will be able
|
|
to create a hard link from the latter to a file in the
|
|
former, even though they are, from the user's perspective,
|
|
different filesystems. The user may thereby gain write
|
|
access to files which are nominally on a read-only
|
|
filesystem.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-5710</cvename>
|
|
<freebsdsa>SA-13:13.nullfs</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-09-10</discovery>
|
|
<entry>2013-09-19</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4d87d357-202c-11e3-be06-000c29ee3065">
|
|
<topic>FreeBSD -- Insufficient credential checks in network ioctl(2)</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>9.1</ge><lt>9.1_7</lt></range>
|
|
<range><ge>8.4</ge><lt>8.4_4</lt></range>
|
|
<range><ge>8.3</ge><lt>8.3_11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem Description:</p>
|
|
<p>As is commonly the case, the IPv6 and ATM network layer
|
|
ioctl request handlers are written in such a way that an
|
|
unrecognized request is passed on unmodified to the link
|
|
layer, which will either handle it or return an error
|
|
code.</p>
|
|
<p>Network interface drivers, however, assume that the
|
|
SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and
|
|
SIOCSIFNETMASK requests have been handled at the network
|
|
layer, and therefore do not perform input validation or
|
|
verify the caller's credentials. Typical link-layer actions
|
|
for these requests may include marking the interface as "up"
|
|
and resetting the underlying hardware.</p>
|
|
<p>Impact:</p>
|
|
<p>An unprivileged user with the ability to run arbitrary code
|
|
can cause any network interface in the system to perform the
|
|
link layer actions associated with a SIOCSIFADDR,
|
|
SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl
|
|
request; or trigger a kernel panic by passing a specially
|
|
crafted address structure which causes a network interface
|
|
driver to dereference an invalid pointer.</p>
|
|
<p>Although this has not been confirmed, the possibility that
|
|
an attacker may be able to execute arbitrary code in kernel
|
|
context cannot be ruled out.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-5691</cvename>
|
|
<freebsdsa>SA-13:12.ifioctl</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-09-10</discovery>
|
|
<entry>2013-09-19</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7dfed67b-20aa-11e3-b8d8-0025905a4771">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>18.0,1</gt><lt>24.0,1</lt></range>
|
|
<range><lt>17.0.9,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>17.0.9,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.21</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>17.0.9</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><lt>2.21</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><lt>24.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p> MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 /
|
|
rv:17.0.9)</p>
|
|
<p> MFSA 2013-77 Improper state in HTML5 Tree Builder with templates</p>
|
|
<p> MFSA 2013-78 Integer overflow in ANGLE library</p>
|
|
<p> MFSA 2013-79 Use-after-free in Animation Manager during stylesheet
|
|
cloning</p>
|
|
<p> MFSA 2013-80 NativeKey continues handling key messages after
|
|
widget is destroyed</p>
|
|
<p> MFSA 2013-81 Use-after-free with select element</p>
|
|
<p> MFSA 2013-82 Calling scope for new Javascript objects can lead to
|
|
memory corruption</p>
|
|
<p> MFSA 2013-83 Mozilla Updater does not lock MAR file after
|
|
signature verification</p>
|
|
<p> MFSA 2013-84 Same-origin bypass through symbolic links</p>
|
|
<p> MFSA 2013-85 Uninitialized data in IonMonkey</p>
|
|
<p> MFSA 2013-86 WebGL Information disclosure through OS X NVIDIA
|
|
graphic drivers</p>
|
|
<p> MFSA 2013-87 Shared object library loading from writable location</p>
|
|
<p> MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes</p>
|
|
<p> MFSA 2013-89 Buffer overflow with multi-column, lists, and floats</p>
|
|
<p> MFSA 2013-90 Memory corruption involving scrolling</p>
|
|
<p> MFSA 2013-91 User-defined properties on DOM proxies get the wrong
|
|
"this" object</p>
|
|
<p> MFSA 2013-92 GC hazard with default compartments and frame chain
|
|
restoration</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1718</cvename>
|
|
<cvename>CVE-2013-1719</cvename>
|
|
<cvename>CVE-2013-1720</cvename>
|
|
<cvename>CVE-2013-1721</cvename>
|
|
<cvename>CVE-2013-1722</cvename>
|
|
<cvename>CVE-2013-1723</cvename>
|
|
<cvename>CVE-2013-1724</cvename>
|
|
<cvename>CVE-2013-1725</cvename>
|
|
<cvename>CVE-2013-1726</cvename>
|
|
<cvename>CVE-2013-1727</cvename>
|
|
<cvename>CVE-2013-1728</cvename>
|
|
<cvename>CVE-2013-1729</cvename>
|
|
<cvename>CVE-2013-1730</cvename>
|
|
<cvename>CVE-2013-1731</cvename>
|
|
<cvename>CVE-2013-1732</cvename>
|
|
<cvename>CVE-2013-1735</cvename>
|
|
<cvename>CVE-2013-1736</cvename>
|
|
<cvename>CVE-2013-1737</cvename>
|
|
<cvename>CVE-2013-1738</cvename>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-76.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-77.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-78.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-79.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-80.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-81.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-82.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-83.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-84.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-85.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-86.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-87.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-88.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-89.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-90.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-91.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-92.html</url>
|
|
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-08-17</discovery>
|
|
<entry>2013-08-18</entry>
|
|
<modified>2013-09-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5bd6811f-1c75-11e3-ba72-98fc11cdc4f5">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>11.2r202.310</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-21.html">
|
|
<p>These updates address vulnerabilities that could cause a crash
|
|
and potentially allow an attacker to take control of the affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-3361</cvename>
|
|
<cvename>CVE-2013-3362</cvename>
|
|
<cvename>CVE-2013-3363</cvename>
|
|
<cvename>CVE-2013-5324</cvename>
|
|
<url>http://www.adobe.com/support/security/bulletins/apsb13-21.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-09-10</discovery>
|
|
<entry>2013-09-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a851b305-1bc3-11e3-95b7-00e0814cab4e">
|
|
<topic>django -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>py26-django</name>
|
|
<range><ge>1.5</ge><lt>1.5.3</lt></range>
|
|
<range><ge>1.4</ge><lt>1.4.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py27-django</name>
|
|
<range><ge>1.5</ge><lt>1.5.3</lt></range>
|
|
<range><ge>1.4</ge><lt>1.4.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py26-django-devel</name>
|
|
<range><lt>20130912,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>py27-django-devel</name>
|
|
<range><lt>20130912,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Django project reports:</p>
|
|
<blockquote cite="https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/">
|
|
<p>These releases address a directory-traversal vulnerability in one
|
|
of Django's built-in template tags. While this issue requires some
|
|
fairly specific factors to be exploitable, we encourage all users
|
|
of Django to upgrade promptly.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4315</cvename>
|
|
<url>https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-09-10</discovery>
|
|
<entry>2013-09-12</entry>
|
|
<modified>2014-04-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f8a913cc-1322-11e3-8ffa-20cf30e32f6d">
|
|
<topic>svnserve is vulnerable to a local privilege escalation vulnerability via symlink attack.</topic>
|
|
<affects>
|
|
<package>
|
|
<name>subversion</name>
|
|
<range><ge>1.4.0</ge><lt>1.6.23_2</lt></range>
|
|
<range><ge>1.7.0</ge><lt>1.7.13</lt></range>
|
|
<range><ge>1.8.0</ge><lt>1.8.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Subversion Project reports:</p>
|
|
<blockquote cite="http://subversion.apache.org/security/CVE-2013-4277-advisory.txt">
|
|
<p>svnserve takes a --pid-file option which creates a file containing the
|
|
process id it is running as. It does not take steps to ensure that the file
|
|
it has been directed at is not a symlink. If the pid file is in a directory
|
|
writeable by unprivileged users, the destination could be replaced by a
|
|
symlink allowing for privilege escalation. svnserve does not create a pid
|
|
file by default.</p>
|
|
<p>All versions are only vulnerable when the --pid-file=ARG option is used.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4277</cvename>
|
|
<url>http://subversion.apache.org/security/CVE-2013-4277-advisory.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-08-30</discovery>
|
|
<entry>2013-09-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b3b8d491-0fbb-11e3-8c50-1c6f65c11ee6">
|
|
<topic>cacti -- allow remote attackers to execute arbitrary SQL commands</topic>
|
|
<affects>
|
|
<package>
|
|
<name>cacti</name>
|
|
<range><lt>0.8.8b</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Cacti release reports:</p>
|
|
<blockquote cite="http://www.cacti.net/release_notes_0_8_8b.php">
|
|
<p>Multiple security vulnerabilities have been fixed:</p>
|
|
<ul>
|
|
<li>SQL injection vulnerabilities</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1434</cvename>
|
|
<cvename>CVE-2013-1435</cvename>
|
|
<url>http://www.cacti.net/release_notes_0_8_8b.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-08-06</discovery>
|
|
<entry>2013-08-29</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fd2bf3b5-1001-11e3-ba94-0025905a4771">
|
|
<topic>asterisk -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>asterisk11</name>
|
|
<range><gt>11.*</gt><lt>11.5.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>asterisk10</name>
|
|
<range><gt>10.*</gt><lt>10.12.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>asterisk18</name>
|
|
<range><gt>1.8.*</gt><lt>1.8.21.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Asterisk project reports:</p>
|
|
<blockquote cite="https://www.asterisk.org/security">
|
|
<p>Remote Crash From Late Arriving SIP ACK With SDP</p>
|
|
<p>Remote Crash when Invalid SDP is sent in SIP Request</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-5641</cvename>
|
|
<cvename>CVE-2013-5642</cvename>
|
|
<url>http://downloads.asterisk.org/pub/security/AST-2013-004.html</url>
|
|
<url>http://downloads.asterisk.org/pub/security/AST-2013-005.html</url>
|
|
<url>https://www.asterisk.org/security</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-08-27</discovery>
|
|
<entry>2013-08-28</entry>
|
|
<modified>2013-08-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4d087b35-0990-11e3-a9f4-bcaec565249c">
|
|
<topic>gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gstreamer-ffmpeg</name>
|
|
<range><lt>0.10.13_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<blockquote cite="http://libav.org/releases/libav-0.7.7.changelog">
|
|
<p>Bundled version of libav in gstreamer-ffmpeg contains a number of
|
|
vulnerabilities.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2011-3892</cvename>
|
|
<cvename>CVE-2011-3893</cvename>
|
|
<cvename>CVE-2011-3895</cvename>
|
|
<cvename>CVE-2011-3929</cvename>
|
|
<cvename>CVE-2011-3936</cvename>
|
|
<cvename>CVE-2011-3937</cvename>
|
|
<cvename>CVE-2011-3940</cvename>
|
|
<cvename>CVE-2011-3945</cvename>
|
|
<cvename>CVE-2011-3947</cvename>
|
|
<cvename>CVE-2011-3951</cvename>
|
|
<cvename>CVE-2011-3952</cvename>
|
|
<cvename>CVE-2011-4031</cvename>
|
|
<cvename>CVE-2011-4351</cvename>
|
|
<cvename>CVE-2011-4352</cvename>
|
|
<cvename>CVE-2011-4353</cvename>
|
|
<cvename>CVE-2011-4364</cvename>
|
|
<cvename>CVE-2011-4579</cvename>
|
|
<cvename>CVE-2012-0848</cvename>
|
|
<cvename>CVE-2012-0850</cvename>
|
|
<cvename>CVE-2012-0851</cvename>
|
|
<cvename>CVE-2012-0852</cvename>
|
|
<cvename>CVE-2012-0853</cvename>
|
|
<cvename>CVE-2012-0858</cvename>
|
|
<cvename>CVE-2012-0947</cvename>
|
|
<cvename>CVE-2012-2772</cvename>
|
|
<cvename>CVE-2012-2775</cvename>
|
|
<cvename>CVE-2012-2777</cvename>
|
|
<cvename>CVE-2012-2779</cvename>
|
|
<cvename>CVE-2012-2783</cvename>
|
|
<cvename>CVE-2012-2784</cvename>
|
|
<cvename>CVE-2012-2786</cvename>
|
|
<cvename>CVE-2012-2787</cvename>
|
|
<cvename>CVE-2012-2788</cvename>
|
|
<cvename>CVE-2012-2790</cvename>
|
|
<cvename>CVE-2012-2791</cvename>
|
|
<cvename>CVE-2012-2793</cvename>
|
|
<cvename>CVE-2012-2794</cvename>
|
|
<cvename>CVE-2012-2798</cvename>
|
|
<cvename>CVE-2012-2800</cvename>
|
|
<cvename>CVE-2012-2801</cvename>
|
|
<cvename>CVE-2012-2803</cvename>
|
|
<cvename>CVE-2012-5144</cvename>
|
|
<url>http://libav.org/releases/libav-0.7.7.changelog</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-08-20</discovery>
|
|
<entry>2013-08-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="689c2bf7-0701-11e3-9a25-002590860428">
|
|
<topic>GnuPG and Libgcrypt -- side-channel attack vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libgcrypt</name>
|
|
<range><lt>1.5.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-f10-libgcrypt</name>
|
|
<range><lt>1.5.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Werner Koch of the GNU project reports:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html">
|
|
<p>Noteworthy changes in version 1.5.3:</p>
|
|
<p>Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys...</p>
|
|
<p>Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes the above
|
|
problem. The fix for GnuPG less than 2.0 can be found in the just released GnuPG
|
|
1.4.14.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4242</cvename>
|
|
<url>http://eprint.iacr.org/2013/448</url>
|
|
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html</url>
|
|
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-18</discovery>
|
|
<entry>2013-08-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2b2f6092-0694-11e3-9e8e-000c29f6ae42">
|
|
<topic>puppet -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>puppet</name>
|
|
<range><ge>2.7</ge><lt>2.7.23</lt></range>
|
|
<range><ge>3.0</ge><lt>3.2.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Puppet Labs reports:</p>
|
|
<blockquote cite="http://puppetlabs.com/security/cve/cve-2013-4761/">
|
|
<p>By using the `resource_type` service, an attacker could
|
|
cause puppet to load arbitrary Ruby files from the puppet
|
|
master node's file system. While this behavior is not
|
|
enabled by default, `auth.conf` settings could be modified
|
|
to allow it. The exploit requires local file system access
|
|
to the Puppet Master.</p>
|
|
<p>Puppet Module Tool (PMT) did not correctly control
|
|
permissions of modules it installed, instead transferring
|
|
permissions that existed when the module was built.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4761</cvename>
|
|
<cvename>CVE-2013-4956</cvename>
|
|
<url>http://puppetlabs.com/security/cve/cve-2013-4761/</url>
|
|
<url>http://puppetlabs.com/security/cve/cve-2013-4956/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-05</discovery>
|
|
<entry>2013-08-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9a0a892e-05d8-11e3-ba09-000c29784fd1">
|
|
<topic>lcms2 -- Null Pointer Dereference Denial of Service Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>lcms2</name>
|
|
<range><lt>2.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Mageia security team reports:</p>
|
|
<blockquote cite="http://advisories.mageia.org/MGASA-2013-0240.html">
|
|
<p>It was discovered that Little CMS did not properly verify certain
|
|
memory allocations. If a user or automated system using Little CMS
|
|
were tricked into opening a specially crafted file, an attacker
|
|
could cause Little CMS to crash (CVE-2013-4160).
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4160</cvename>
|
|
<url>http://advisories.mageia.org/MGASA-2013-0240.html</url>
|
|
<url>https://bugs.mageia.org/show_bug.cgi?id=10816</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-22</discovery>
|
|
<entry>2013-08-15</entry>
|
|
<modified>2013-08-19</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="72bf9e21-03df-11e3-bd8d-080027ef73ec">
|
|
<topic>polarssl -- denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>polarssl</name>
|
|
<range><lt>1.2.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Paul Bakker reports:</p>
|
|
<blockquote cite="https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03">
|
|
<p>A bug in the logic of the parsing of PEM encoded certificates in
|
|
x509parse_crt() can result in an infinite loop, thus hogging processing
|
|
power.</p>
|
|
<p>While parsing a Certificate message during the SSL/TLS handshake,
|
|
PolarSSL extracts the presented certificates and sends them on to
|
|
be parsed. As the RFC specifies that the certificates in the
|
|
Certificate message are always X.509 certificates in DER format,
|
|
bugs in the decoding of PEM certificates should normally not be
|
|
triggerable via the SSL/TLS handshake.</p>
|
|
<p>Versions of PolarSSL prior to 1.1.7 in the 1.1 branch and prior
|
|
to 1.2.8 in the 1.2 branch call the generic x509parse_crt()
|
|
function for parsing during the handshake. x509parse_crt() is a
|
|
generic functions that wraps parsing of both PEM-encoded and
|
|
DER-formatted certificates. As a result it is possible to craft
|
|
a Certificate message that includes a PEM encoded certificate in
|
|
the Certificate message that triggers the infinite loop.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4623</cvename>
|
|
<url>https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-03</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-21</discovery>
|
|
<entry>2013-08-13</entry>
|
|
<modified>2013-08-15</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e21c7c7a-0116-11e3-9e83-3c970e169bc2">
|
|
<topic>samba -- denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>samba34</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba35</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba36</name>
|
|
<range><gt>3.6.*</gt><lt>3.6.17</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>samba4</name>
|
|
<range><gt>4.0.*</gt><lt>4.0.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Samba project reports:</p>
|
|
<blockquote cite="http://www.samba.org/samba/security/CVE-2013-4124">
|
|
<p>All current released versions of Samba are vulnerable to
|
|
a denial of service on an authenticated or guest connection.
|
|
A malformed packet can cause the smbd server to loop the CPU
|
|
performing memory allocations and preventing any further service.</p>
|
|
<p>A connection to a file share, or a local account is needed
|
|
to exploit this problem, either authenticated or unauthenticated
|
|
if guest connections are allowed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4124</cvename>
|
|
<url>http://www.samba.org/samba/security/CVE-2013-4124</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-08-05</discovery>
|
|
<entry>2013-08-09</entry>
|
|
<modified>2013-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0998e79d-0055-11e3-905b-0025905a4771">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>18.0,1</gt><lt>23.0,1</lt></range>
|
|
<range><lt>17.0.8,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>17.0.8,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.20</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>17.0.8</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><lt>2.20</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><gt>11.0</gt><lt>17.0.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 /
|
|
rv:17.0.8)</p>
|
|
<p>MFSA 2013-64 Use after free mutating DOM during SetBody</p>
|
|
<p>MFSA 2013-65 Buffer underflow when generating CRMF requests</p>
|
|
<p>MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and
|
|
Mozilla Updater</p>
|
|
<p>MFSA 2013-67 Crash during WAV audio file decoding</p>
|
|
<p>MFSA 2013-68 Document URI misrepresentation and masquerading</p>
|
|
<p>MFSA 2013-69 CRMF requests allow for code execution and XSS
|
|
attacks</p>
|
|
<p>MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes</p>
|
|
<p>MFSA 2013-71 Further Privilege escalation through Mozilla Updater</p>
|
|
<p>MFSA 2013-72 Wrong principal used for validating URI for some
|
|
Javascript components</p>
|
|
<p>MFSA 2013-73 Same-origin bypass with web workers and
|
|
XMLHttpRequest</p>
|
|
<p>MFSA 2013-74 Firefox full and stub installer DLL hijacking</p>
|
|
<p>MFSA 2013-75 Local Java applets may read contents of local file
|
|
system</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1701</cvename>
|
|
<cvename>CVE-2013-1702</cvename>
|
|
<cvename>CVE-2013-1704</cvename>
|
|
<cvename>CVE-2013-1705</cvename>
|
|
<cvename>CVE-2013-1706</cvename>
|
|
<cvename>CVE-2013-1707</cvename>
|
|
<cvename>CVE-2013-1708</cvename>
|
|
<cvename>CVE-2013-1709</cvename>
|
|
<cvename>CVE-2013-1710</cvename>
|
|
<cvename>CVE-2013-1711</cvename>
|
|
<cvename>CVE-2013-1712</cvename>
|
|
<cvename>CVE-2013-1713</cvename>
|
|
<cvename>CVE-2013-1714</cvename>
|
|
<cvename>CVE-2013-1715</cvename>
|
|
<cvename>CVE-2013-1717</cvename>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-63.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-64.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-65.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-66.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-67.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-68.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-69.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-70.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-71.html</url>
|
|
<url>https://www.mozilla.org/security/announce/2013/mfsa2013-72.html</url>
|
|
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-08-06</discovery>
|
|
<entry>2013-08-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4b448a96-ff73-11e2-b28d-080027ef73ec">
|
|
<topic>PuTTY -- Four security holes in versions before 0.63</topic>
|
|
<affects>
|
|
<package>
|
|
<name>putty</name>
|
|
<range><lt>0.63</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Simon Tatham reports:</p>
|
|
<blockquote cite="http://lists.tartarus.org/pipermail/putty-announce/2013/000018.html">
|
|
<p>This [0.63] release fixes multiple security holes in previous versions of
|
|
PuTTY, which can allow an SSH-2 server to make PuTTY overrun or
|
|
underrun buffers and crash. [...]
|
|
</p><p>
|
|
These vulnerabilities can be triggered before host key verification,
|
|
which means that you are not even safe if you trust the server you
|
|
<em>think</em> you're connecting to, since it could be spoofed over the
|
|
network and the host key check would not detect this before the attack
|
|
could take place.
|
|
</p><p>
|
|
Additionally, when PuTTY authenticated with a user's private key, the
|
|
private key or information equivalent to it was accidentally kept in
|
|
PuTTY's memory for the rest of its run, where it could be retrieved by
|
|
other processes reading PuTTY's memory, or written out to swap files
|
|
or crash dumps. This release fixes that as well.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4206</cvename>
|
|
<cvename>CVE-2013-4207</cvename>
|
|
<cvename>CVE-2013-4208</cvename>
|
|
<cvename>CVE-2013-4852</cvename>
|
|
<mlist msgid="E1V6lUs-0007kP-40@atreus.tartarus.org">http://lists.tartarus.org/pipermail/putty-announce/2013/000018.html</mlist>
|
|
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html</url>
|
|
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html</url>
|
|
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html</url>
|
|
<url>http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-signature-stringlen.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-08</discovery>
|
|
<entry>2013-08-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e6839625-fdfa-11e2-9430-20cf30e32f6d">
|
|
<topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
|
|
<affects>
|
|
<package>
|
|
<name>typo3</name>
|
|
<range><ge>4.5.0</ge><lt>4.5.29</lt></range>
|
|
<range><ge>4.7.0</ge><lt>4.7.14</lt></range>
|
|
<range><ge>6.1.0</ge><lt>6.1.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Typo Security Team reports:</p>
|
|
<blockquote cite="http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-002/">
|
|
<p>It has been discovered that TYPO3 Core is vulnerable to
|
|
Cross-Site Scripting and Remote Code Execution.</p>
|
|
<p>TYPO3 bundles flash files for video and audio playback. Old
|
|
versions of FlowPlayer and flashmedia are susceptible to
|
|
Cross-Site Scripting. No authentication is required to exploit
|
|
this vulnerability.</p>
|
|
<p>The file upload component and the File Abstraction Layer are
|
|
failing to check for denied file extensions, which allows
|
|
authenticated editors (even with limited permissions) to
|
|
upload php files with arbitrary code, which can then be
|
|
executed in web server's context.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2011-3642</cvename>
|
|
<cvename>CVE-2013-1464</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-30</discovery>
|
|
<entry>2013-08-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="17326fd5-fcfb-11e2-9bb9-6805ca0b3d42">
|
|
<topic>phpMyAdmin -- clickJacking protection can be bypassed</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><lt>4.0.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpMyAdmin development team reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php">
|
|
<p> phpMyAdmin has a number of mechanisms to avoid a
|
|
clickjacking attack, however these mechanisms either work
|
|
only in modern browser versions, or can be bypassed.</p>
|
|
<p>"We have no solution for 3.5.x, due to the proposed
|
|
solution requiring JavaScript. We don't want to introduce a
|
|
dependency to JavaScript in the 3.5.x family."</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-08-04</discovery>
|
|
<entry>2013-08-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f4a0212f-f797-11e2-9bb9-6805ca0b3d42">
|
|
<topic>phpMyAdmin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><ge>4.0</ge><lt>4.0.4.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>phpMyAdmin35</name>
|
|
<range><ge>3.5</ge><lt>3.5.8.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpMyAdmin development team reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php">
|
|
<p>XSS due to unescaped HTML Output when executing a SQL query.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php">
|
|
<p>5 XSS vulnerabilities in setup, chart display, process
|
|
list, and logo link.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php">
|
|
<p>If a crafted version.json would be presented, an XSS
|
|
could be introduced.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php">
|
|
<p>Full path disclosure vulnerabilities.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php">
|
|
<p> XSS vulnerability when a text to link transformation is
|
|
used.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php">
|
|
<p>Self-XSS due to unescaped HTML output in schema
|
|
export.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php">
|
|
<p>SQL injection vulnerabilities, producing a privilege
|
|
escalation (control user).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php</url>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php</url>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php</url>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php</url>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php</url>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php</url>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php</url>
|
|
<url>http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.5.8.2/phpMyAdmin-3.5.8.2-notes.html/view</url>
|
|
<url>http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.4.2/phpMyAdmin-4.0.4.2-notes.html/view</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-28</discovery>
|
|
<entry>2013-07-28</entry>
|
|
<modified>2013-07-29</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="049332d2-f6e1-11e2-82f3-000c29ee3065">
|
|
<topic>wordpress -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wordpress</name>
|
|
<range><lt>3.5.2,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>zh-wordpress-zh_CN</name>
|
|
<range><lt>3.5.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>zh-wordpress-zh_TW</name>
|
|
<range><lt>3.5.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-wordpress</name>
|
|
<range><lt>3.5.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ja-wordpress</name>
|
|
<range><lt>3.5.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-wordpress</name>
|
|
<range><lt>3.5.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The wordpress development team reports:</p>
|
|
<blockquote cite="https://wordpress.org/news/2013/06/wordpress-3-5-2/">
|
|
<ul>
|
|
<li>Blocking server-side request forgery attacks, which could
|
|
potentially enable an attacker to gain access to a site</li>
|
|
<li>Disallow contributors from improperly publishing posts</li>
|
|
<li>An update to the SWFUpload external library to fix cross-site
|
|
scripting vulnerabilities</li>
|
|
<li>Prevention of a denial of service attack, affecting sites
|
|
using password-protected posts</li>
|
|
<li>An update to an external TinyMCE library to fix a cross-site
|
|
scripting vulnerability</li>
|
|
<li>Multiple fixes for cross-site scripting</li>
|
|
<li>Avoid disclosing a full file path when a upload fails</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2199</cvename>
|
|
<cvename>CVE-2013-2200</cvename>
|
|
<cvename>CVE-2013-2201</cvename>
|
|
<cvename>CVE-2013-2202</cvename>
|
|
<cvename>CVE-2013-2203</cvename>
|
|
<cvename>CVE-2013-2204</cvename>
|
|
<cvename>CVE-2013-2205</cvename>
|
|
<url>https://wordpress.org/news/2013/06/wordpress-3-5-2/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-21</discovery>
|
|
<entry>2013-07-27</entry>
|
|
<modified>2014-04-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7943e521-f648-11e2-8607-3c970e169bc2">
|
|
<topic>bind -- denial of service vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bind99</name>
|
|
<range><gt>9.9.3</gt><lt>9.9.3.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind99-base</name>
|
|
<range><gt>9.9.3</gt><lt>9.9.3.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind98</name>
|
|
<range><gt>9.8.5</gt><lt>9.8.5.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind98-base</name>
|
|
<range><gt>9.8.5</gt><lt>9.8.5.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>9.0</ge><lt>9.1_5</lt></range>
|
|
<range><ge>8.4</ge><lt>8.4_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>ISC reports:</p>
|
|
<blockquote cite="https://kb.isc.org/article/AA-01015/0">
|
|
<p>A specially crafted query that includes malformed
|
|
rdata can cause named to terminate with an assertion
|
|
failure while rejecting the malformed query.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4854</cvename>
|
|
<freebsdsa>SA-13:07.bind</freebsdsa>
|
|
<url>https://kb.isc.org/article/AA-01015/0</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-26</discovery>
|
|
<entry>2013-07-26</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="80771b89-f57b-11e2-bf21-b499baab0cbe">
|
|
<topic>gnupg -- side channel attack on RSA secret keys</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gnupg</name>
|
|
<range><lt>1.4.14</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>A Yarom and Falkner paper reports:</p>
|
|
<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html">
|
|
<p>Flush+Reload is a cache side-channel attack that monitors access to
|
|
data in shared pages. In this paper we demonstrate how to use the
|
|
attack to extract private encryption keys from GnuPG. The high
|
|
resolution and low noise of the Flush+Reload attack enables a spy
|
|
program to recover over 98% of the bits of the private key in a
|
|
single decryption or signing round. Unlike previous attacks, the
|
|
attack targets the last level L3 cache. Consequently, the spy
|
|
program and the victim do not need to share the execution core of
|
|
the CPU. The attack is not limited to a traditional OS and can be
|
|
used in a virtualised environment, where it can attack programs
|
|
executing in a different VM.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://eprint.iacr.org/2013/448</url>
|
|
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-18</discovery>
|
|
<entry>2013-07-25</entry>
|
|
<modified>2013-07-26</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c4d412c8-f4d1-11e2-b86c-000c295229d5">
|
|
<topic>openafs -- single-DES cell-wide key brute force vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openafs</name>
|
|
<range><lt>1.6.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>OpenAFS Project reports:</p>
|
|
<blockquote cite="http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt">
|
|
<p>The small size of the DES key space permits an attacker to brute
|
|
force a cell's service key and then forge traffic from any user
|
|
within the cell. The key space search can be performed in under 1
|
|
day at a cost of around $100 using publicly available services.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4134</cvename>
|
|
<url>http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt</url>
|
|
<url>http://openafs.org/pages/security/how-to-rekey.txt</url>
|
|
<url>http://openafs.org/pages/security/install-rxkad-k5-1.6.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-24</discovery>
|
|
<entry>2013-07-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2ae24334-f2e6-11e2-8346-001e8c75030d">
|
|
<topic>subversion -- remotely triggerable "Assertion failed" DoS vulnerability or read overflow.</topic>
|
|
<affects>
|
|
<package>
|
|
<name>subversion</name>
|
|
<range><ge>1.8.0</ge><lt>1.8.1</lt></range>
|
|
<range><ge>1.7.0</ge><lt>1.7.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Subversion Project reports:</p>
|
|
<blockquote cite="http://subversion.apache.org/security/CVE-2013-4131-advisory.txt">
|
|
<p>Subversion's mod_dav_svn Apache HTTPD server module will trigger an assertion
|
|
on some requests made against a revision root. This can lead to a DoS.
|
|
If assertions are disabled it will trigger a read overflow which may cause a
|
|
SEGFAULT (or equivalent) or undefined behavior.</p>
|
|
<p>Commit access is required to exploit this.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4131</cvename>
|
|
<url>http://subversion.apache.org/security/CVE-2013-4131-advisory.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-19</discovery>
|
|
<entry>2013-07-24</entry>
|
|
<modified>2013-07-25</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2fbfd455-f2d0-11e2-8a46-000d601460a4">
|
|
<topic>suPHP -- Privilege escalation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>suphp</name>
|
|
<range><lt>0.7.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>suPHP developer Sebastian Marsching reports:</p>
|
|
<blockquote cite="https://lists.marsching.com/pipermail/suphp/2013-May/002552.html">
|
|
<p>When the suPHP_PHPPath was set, mod_suphp would use the specified PHP
|
|
executable to pretty-print PHP source files (MIME type
|
|
x-httpd-php-source or application/x-httpd-php-source).</p>
|
|
<p>However, it would not sanitize the environment. Thus a user that was
|
|
allowed to use the SetEnv directive in a .htaccess file (AllowOverride
|
|
FileInfo) could make PHP load a malicious configuration file (e.g.
|
|
loading malicious extensions).</p>
|
|
<p>As the PHP process for highlighting the source file was run with the
|
|
privileges of the user Apache HTTPd was running as, a local attacker
|
|
could probably execute arbitrary code with the privileges of this user.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://lists.marsching.com/pipermail/suphp/2013-May/002552.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-20</discovery>
|
|
<entry>2013-07-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ca4d63fb-f15c-11e2-b183-20cf30e32f6d">
|
|
<topic>apache24 -- several vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache24</name>
|
|
<range><lt>2.4.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Apache HTTP SERVER PROJECT reports:</p>
|
|
<blockquote cite="http://www.apache.org/dist/httpd/Announcement2.4.html">
|
|
<p>mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn
|
|
with the source href (sent as part of the request body as XML) pointing
|
|
to a URI that is not configured for DAV will trigger a segfault.</p>
|
|
<p>mod_session_dbd: Make sure that dirty flag is respected when saving
|
|
sessions, and ensure the session ID is changed each time the session
|
|
changes. This changes the format of the updatesession SQL statement.
|
|
Existing configurations must be changed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1896</cvename>
|
|
<cvename>CVE-2013-2249</cvename>
|
|
<url>http://www.apache.org/dist/httpd/Announcement2.4.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-11</discovery>
|
|
<entry>2013-07-20</entry>
|
|
<modified>2013-07-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9b037a0d-ef2c-11e2-b4a0-8c705af55518">
|
|
<topic>gallery -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>gallery3</name>
|
|
<range><lt>3.0.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Red Hat Security Response Team reports:</p>
|
|
<blockquote cite="http://www.openwall.com/lists/oss-security/2013/07/04/7">
|
|
<p>Gallery upstream has released 3.0.9 version, correcting two
|
|
security flaws:</p>
|
|
<p>Issue #1 - Improper stripping of URL fragments in flowplayer
|
|
SWF file might lead to reply attacks (a different flaw than
|
|
CVE-2013-2138).</p>
|
|
<p>Issue #2 - gallery3: Multiple information exposure flaws in
|
|
data rest core module.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2240</cvename>
|
|
<cvename>CVE-2013-2241</cvename>
|
|
<url>http://sourceforge.net/apps/trac/gallery/ticket/2073</url>
|
|
<url>https://bugzilla.redhat.com/show_bug.cgi?id=981197</url>
|
|
<url>http://sourceforge.net/apps/trac/gallery/ticket/2074</url>
|
|
<url>https://bugzilla.redhat.com/show_bug.cgi?id=981198</url>
|
|
<url>http://galleryproject.org/gallery_3_0_9</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-28</discovery>
|
|
<entry>2013-07-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="31b145f2-d9d3-49a9-8023-11cf742205dc">
|
|
<topic>PHP5 -- Heap corruption in XML parser</topic>
|
|
<affects>
|
|
<package>
|
|
<name>php53</name>
|
|
<range><lt>5.3.27</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The PHP development team reports:</p>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113">
|
|
<p>ext/xml/xml.c in PHP before 5.3.27 does not properly
|
|
consider parsing depth, which allows remote attackers to
|
|
cause a denial of service (heap memory corruption) or
|
|
possibly have unspecified other impact via a crafted
|
|
document that is processed by the xml_parse_into_struct
|
|
function.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4113</cvename>
|
|
<url>https://bugs.php.net/bug.php?id=65236</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-10</discovery>
|
|
<entry>2013-07-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5def3175-f3f9-4476-ba40-b46627cc638c">
|
|
<topic>PHP5 -- Integer overflow in Calendar module</topic>
|
|
<affects>
|
|
<package>
|
|
<name>php5</name>
|
|
<range><ge>5.4.0</ge><lt>5.4.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>php53</name>
|
|
<range><lt>5.3.26</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The PHP development team reports:</p>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4635">
|
|
<p>Integer overflow in the SdnToJewish function in jewish.c
|
|
in the Calendar component in PHP before 5.3.26 and 5.4.x
|
|
before 5.4.16 allows context-dependent attackers to cause a
|
|
denial of service (application hang) via a large argument to
|
|
the jdtojewish function.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4635</cvename>
|
|
<url>https://bugs.php.net/bug.php?id=64895</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-22</discovery>
|
|
<entry>2013-07-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="df428c01-ed91-11e2-9466-98fc11cdc4f5">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>11.2r202.297</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-17.html">
|
|
<p>These updates address vulnerabilities that could cause a crash
|
|
and potentially allow an attacker to take control of the affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-3344</cvename>
|
|
<cvename>CVE-2013-3345</cvename>
|
|
<cvename>CVE-2013-3347</cvename>
|
|
<url>http://www.adobe.com/support/security/bulletins/apsb13-17.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-09</discovery>
|
|
<entry>2013-07-15</entry>
|
|
<modified>2013-07-18</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="30a04ab4-ed7b-11e2-8643-8c705af55518">
|
|
<topic>squid -- denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>squid</name>
|
|
<range><ge>3.2</ge><lt>3.2.12</lt></range>
|
|
<range><ge>3.3</ge><lt>3.3.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Squid project reports:</p>
|
|
<blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2013_3.txt">
|
|
<p>Due to incorrect data validation Squid is vulnerable to a
|
|
denial of service attack when processing specially crafted
|
|
HTTP requests</p>
|
|
<p>This problem allows any client who can generate HTTP requests
|
|
to perform a denial of service attack on the Squid service.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4123</cvename>
|
|
<url>http://www.squid-cache.org/Advisories/SQUID-2013_3.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-13</discovery>
|
|
<entry>2013-07-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="04320e7d-ea66-11e2-a96e-60a44c524f57">
|
|
<topic>libzrtpcpp -- multiple security vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libzrtpcpp</name>
|
|
<range><lt>2.3.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Mark Dowd reports:</p>
|
|
<blockquote cite="http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html">
|
|
<p>Vulnerability 1. Remote Heap Overflow: If an attacker sends a
|
|
packet larger than 1024 bytes that gets stored temporarily (which
|
|
occurs many times - such as when sending a ZRTP Hello packet), a
|
|
heap overflow will occur, leading to potential arbitrary code
|
|
execution on the vulnerable host.</p>
|
|
<p>Vulnerability 2. Multiple Stack Overflows: ZRTPCPP contains
|
|
multiple stack overflows that arise when preparing a response
|
|
to a client's ZRTP Hello packet.</p>
|
|
<p>Vulnerability 3. Information Leaking / Out of Bounds Reads:
|
|
The ZRTPCPP library performs very little validation regarding the
|
|
expected size of a packet versus the actual amount of data
|
|
received. This can lead to both information leaking and out
|
|
of bounds data reads (usually resulting in a crash).
|
|
Information leaking can be performed for example by sending
|
|
a malformed ZRTP Ping packet.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2221</cvename>
|
|
<cvename>CVE-2013-2222</cvename>
|
|
<cvename>CVE-2013-2223</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-27</discovery>
|
|
<entry>2013-07-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ebd877b9-7ef4-4375-b1fd-c67780581898">
|
|
<topic>ruby -- Hostname check bypassing vulnerability in SSL client</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby19</name>
|
|
<range><lt>1.9.3.448,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ruby18</name>
|
|
<range><lt>1.8.7.374,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby Developers report:</p>
|
|
<blockquote cite="http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/">
|
|
<p>Ruby's SSL client implements hostname identity check but it does
|
|
not properly handle hostnames in the certificate that contain null
|
|
bytes.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4073</cvename>
|
|
<url>http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-27</discovery>
|
|
<entry>2013-07-11</entry>
|
|
<modified>2013-09-24</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e3e788aa-e9fd-11e2-a96e-60a44c524f57">
|
|
<topic>otrs -- Sql Injection + Xss Issue</topic>
|
|
<affects>
|
|
<package>
|
|
<name>otrs</name>
|
|
<range><lt>3.2.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OTRS Project reports:</p>
|
|
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-05/">
|
|
<p>An attacker with a valid agent login could manipulate URLs leading to SQL injection. An attacker with a valid agent login could manipulate URLs in the ITSM ConfigItem search, leading to a JavaScript code injection (XSS) problem.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4717</cvename>
|
|
<cvename>CVE-2013-4718</cvename>
|
|
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-05/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-07-09</discovery>
|
|
<entry>2013-07-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f3d24aee-e5ad-11e2-b183-20cf30e32f6d">
|
|
<topic>apache22 -- several vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache22</name>
|
|
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache22-event-mpm</name>
|
|
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache22-itk-mpm</name>
|
|
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache22-peruser-mpm</name>
|
|
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache22-worker-mpm</name>
|
|
<range><gt>2.2.0</gt><lt>2.2.25</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Apache HTTP SERVER PROJECT reports:</h1>
|
|
<blockquote cite="http://www.apache.org/dist/httpd/CHANGES_2.2.25">
|
|
<p>The mod_rewrite module in the Apache HTTP Server 2.2.x before
|
|
2.2.25 writes data to a log file without sanitizing
|
|
non-printable characters, which might allow remote attackers to
|
|
execute arbitrary commands via an HTTP request containing an
|
|
escape sequence for a terminal emulator.</p>
|
|
<p>mod_dav: Sending a MERGE request against a URI handled by
|
|
mod_dav_svn with the source href (sent as part of the request
|
|
body as XML) pointing to a URI that is not configured for DAV
|
|
will trigger a segfault.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1862</cvename>
|
|
<cvename>CVE-2013-1896</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-21</discovery>
|
|
<entry>2013-07-05</entry>
|
|
<modified>2013-07-10</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1b93f6fe-e1c1-11e2-948d-6805ca0b3d42">
|
|
<topic>phpMyAdmin -- Global variable scope injection</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><ge>4.0</ge><lt>4.0.4.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpMyAdmin development team reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php">
|
|
<p>The import.php script was vulnerable to GLOBALS variable
|
|
injection. Therefore, an attacker could manipulate any
|
|
configuration parameter.</p>
|
|
<p>This vulnerability can be triggered only by someone who
|
|
logged in to phpMyAdmin, as the usual token protection
|
|
prevents non-logged-in users from accessing the required
|
|
form.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php</url>
|
|
<cvename>CVE-2013-4729</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-30</discovery>
|
|
<entry>2013-06-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="81da673e-dfe1-11e2-9389-08002798f6ff">
|
|
<topic>apache-xml-security-c -- heap overflow during XPointer evaluation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache-xml-security-c</name>
|
|
<range><lt>1.7.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Apache Software Foundation reports:</p>
|
|
<blockquote cite="http://santuario.apache.org/secadv.data/CVE-2013-2210.txt">
|
|
<p>The attempted fix to address CVE-2013-2154 introduced the
|
|
possibility of a heap overflow, possibly leading to arbitrary code
|
|
execution, in the processing of malformed XPointer expressions in the
|
|
XML Signature Reference processing code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2210</cvename>
|
|
<url>http://santuario.apache.org/secadv.data/CVE-2013-2210.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-27</discovery>
|
|
<entry>2013-06-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b3fcb387-de4b-11e2-b1c6-0025905a4771">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>18.0,1</gt><lt>22.0,1</lt></range>
|
|
<range><lt>17.0.7,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>17.0.7,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.19</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>17.0.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><lt>2.19</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><gt>11.0</gt><lt>17.0.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)</p>
|
|
<p>Title: Memory corruption found using Address Sanitizer</p>
|
|
<p>Privileged content access and execution via XBL</p>
|
|
<p>Arbitrary code execution within Profiler</p>
|
|
<p>Execution of unmapped memory through onreadystatechange</p>
|
|
<p>Data in the body of XHR HEAD requests leads to CSRF attacks</p>
|
|
<p>SVG filters can lead to information disclosure</p>
|
|
<p>PreserveWrapper has inconsistent behavior</p>
|
|
<p>Sandbox restrictions not applied to nested frame elements</p>
|
|
<p>X-Frame-Options ignored when using server push with multi-part
|
|
responses</p>
|
|
<p>XrayWrappers can be bypassed to run user defined methods in a
|
|
privileged context</p>
|
|
<p>getUserMedia permission dialog incorrectly displays location</p>
|
|
<p>Homograph domain spoofing in .com, .net and .name</p>
|
|
<p>Inaccessible updater can lead to local privilege escalation</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1682</cvename>
|
|
<cvename>CVE-2013-1683</cvename>
|
|
<cvename>CVE-2013-1684</cvename>
|
|
<cvename>CVE-2013-1685</cvename>
|
|
<cvename>CVE-2013-1686</cvename>
|
|
<cvename>CVE-2013-1687</cvename>
|
|
<cvename>CVE-2013-1688</cvename>
|
|
<cvename>CVE-2013-1690</cvename>
|
|
<cvename>CVE-2013-1692</cvename>
|
|
<cvename>CVE-2013-1693</cvename>
|
|
<cvename>CVE-2013-1694</cvename>
|
|
<cvename>CVE-2013-1695</cvename>
|
|
<cvename>CVE-2013-1696</cvename>
|
|
<cvename>CVE-2013-1697</cvename>
|
|
<cvename>CVE-2013-1698</cvename>
|
|
<cvename>CVE-2013-1699</cvename>
|
|
<cvename>CVE-2013-1700</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-49.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-50.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-51.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-52.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-53.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-54.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-55.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-56.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-57.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-58.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-59.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-60.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-61.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-62.html</url>
|
|
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-25</discovery>
|
|
<entry>2013-06-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="01cf67b3-dc3b-11e2-a6cd-c48508086173">
|
|
<topic>cURL library -- heap corruption in curl_easy_unescape</topic>
|
|
<affects>
|
|
<package>
|
|
<name>curl</name>
|
|
<range><ge>7.7</ge><lt>7.24.0_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>cURL developers report:</p>
|
|
<blockquote cite="http://curl.haxx.se/docs/adv_20130622.html">
|
|
<p>libcurl is vulnerable to a case of bad checking of the
|
|
input data which may lead to heap corruption.</p>
|
|
<p>The function curl_easy_unescape() decodes URL-encoded
|
|
strings to raw binary data. URL-encoded octets are
|
|
represented with %HH combinations where HH is a two-digit
|
|
hexadecimal number. The decoded string is written to an
|
|
allocated memory area that the function returns to the
|
|
caller.</p>
|
|
<p>The function takes a source string and a length
|
|
parameter, and if the length provided is 0 the function will
|
|
instead use strlen() to figure out how much data to
|
|
parse.</p>
|
|
<p>The "%HH" parser wrongly only considered the case where a
|
|
zero byte would terminate the input. If a length-limited
|
|
buffer was passed in which ended with a '%' character which
|
|
was followed by two hexadecimal digits outside of the buffer
|
|
libcurl was allowed to parse alas without a terminating
|
|
zero, libcurl would still parse that sequence as well. The
|
|
counter for remaining data to handle would then be decreased
|
|
too much and wrap to become a very large integer and the
|
|
copying would go on too long and the destination buffer that
|
|
is allocated on the heap would get overwritten.</p>
|
|
<p>We consider it unlikely that programs allow user-provided
|
|
strings unfiltered into this function. Also, only the not
|
|
zero-terminated input string use case is affected by this
|
|
flaw. Exploiting this flaw for gain is probably possible for
|
|
specific circumstances but we consider the general risk for
|
|
this to be low.</p>
|
|
<p>The curl command line tool is not affected by this
|
|
problem as it doesn't use this function.</p>
|
|
<p>There are no known exploits available at this time.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2174</cvename>
|
|
<url>http://curl.haxx.se/docs/adv_20130622.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-22</discovery>
|
|
<entry>2013-06-23</entry>
|
|
<modified>2013-07-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b162b218-c547-4ba2-ae31-6fdcb61bc763">
|
|
<topic>puppet -- Unauthenticated Remote Code Execution Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>puppet</name>
|
|
<range><ge>2.7</ge><lt>2.7.22</lt></range>
|
|
<range><ge>3.0</ge><lt>3.2.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Puppet Developers report:</p>
|
|
<blockquote cite="http://puppetlabs.com/security/cve/cve-2013-3567/">
|
|
<p>When making REST api calls, the puppet master takes YAML from an
|
|
untrusted client, deserializes it, and then calls methods on the
|
|
resulting object. A YAML payload can be crafted to cause the
|
|
deserialization to construct an instance of any class available in
|
|
the ruby process, which allows an attacker to execute code
|
|
contained in the payload.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-3567</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-13</discovery>
|
|
<entry>2013-06-22</entry>
|
|
<modified>2013-08-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8b97d289-d8cf-11e2-a1f5-60a44c524f57">
|
|
<topic>otrs -- information disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>otrs</name>
|
|
<range><lt>3.2.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OTRS Project reports:</p>
|
|
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/">
|
|
<p>An attacker with a valid agent login could manipulate URLs in the ticket
|
|
watch mechanism to see contents of tickets they are not permitted to see.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-4088</cvename>
|
|
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-18</discovery>
|
|
<entry>2013-06-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="abef280d-d829-11e2-b71c-8c705af55518">
|
|
<topic>FreeBSD -- Privilege escalation via mmap</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>9.0</ge><lt>9.1_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13%3a06.mmap.asc">
|
|
<p>Due to insufficient permission checks in the virtual memory
|
|
system, a tracing process (such as a debugger) may be able to
|
|
modify portions of the traced process's address space to which
|
|
the traced process itself does not have write access.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2171</cvename>
|
|
<freebsdsa>SA-13:06.mmap</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-18</discovery>
|
|
<entry>2013-06-18</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="279e5f4b-d823-11e2-928e-08002798f6ff">
|
|
<topic>apache-xml-security-c -- heap overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache-xml-security-c</name>
|
|
<range><lt>1.7.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Apache Software Foundation reports:</p>
|
|
<blockquote cite="http://santuario.apache.org/secadv.data/CVE-2013-2156.txt">
|
|
<p>A heap overflow exists in the processing of the PrefixList
|
|
attribute optionally used in conjunction with Exclusive
|
|
Canonicalization, potentially allowing arbitary code execution.
|
|
If verification of the signature occurs prior to actual evaluation of a
|
|
signing key, this could be exploited by an unauthenticated attacker.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2156</cvename>
|
|
<url>http://santuario.apache.org/secadv.data/CVE-2013-2156.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-18</discovery>
|
|
<entry>2013-06-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="80af2677-d6c0-11e2-8f5e-001966155bea">
|
|
<topic>tor -- guard discovery</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tor-devel</name>
|
|
<range><lt>0.2.4.13.a_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Tor Project reports:</p>
|
|
<blockquote cite="https://gitweb.torproject.org/tor.git/commit/2a95f3171681ee53c97ccba9d80f4454b462aaa7">
|
|
<p>Disable middle relay queue overfill detection code due to possible guard discovery attack</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://trac.torproject.org/projects/tor/ticket/9072</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-15</discovery>
|
|
<entry>2013-06-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4e9e410b-d462-11e2-8d57-080027019be0">
|
|
<topic>dbus -- local dos</topic>
|
|
<affects>
|
|
<package>
|
|
<name>dbus</name>
|
|
<range><lt>1.6.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Simon McVittie reports:</p>
|
|
<blockquote cite="http://lists.freedesktop.org/archives/dbus/2013-June/015696.html">
|
|
<p>Alexandru Cornea discovered a vulnerability in libdbus caused
|
|
by an implementation bug in _dbus_printf_string_upper_bound().
|
|
This vulnerability can be exploited by a local user to crash
|
|
system services that use libdbus, causing denial of service.
|
|
It is platform-specific: x86-64 Linux is known to be affected.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2168</cvename>
|
|
<url>http://lists.freedesktop.org/archives/dbus/2013-June/015696.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-13</discovery>
|
|
<entry>2013-06-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fce67546-d2e7-11e2-a9bf-98fc11cdc4f5">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>11.2r202.291</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-16.html">
|
|
<p>These updates address vulnerabilities that could cause a crash
|
|
and potentially allow an attacker to take control of the affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-3343</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-11</discovery>
|
|
<entry>2013-06-14</entry>
|
|
<modified>2013-06-18</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d7a43ee6-d2d5-11e2-9894-002590082ac6">
|
|
<topic>owncloud -- Multiple security vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>owncloud</name>
|
|
<range><lt>5.0.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The ownCloud development team reports:</p>
|
|
<blockquote cite="http://owncloud.org/about/security/advisories/">
|
|
<p>oC-SA-2013-019 / CVE-2013-2045: Multiple SQL Injections.
|
|
Credit to Mateusz Goik (aliantsoft.pl).</p>
|
|
<p>oC-SA-2013-020 / CVE-2013-[2039,2085]: Multiple directory traversals.
|
|
Credit to Mateusz Goik (aliantsoft.pl).</p>
|
|
<p>oC-SQ-2013-021 / CVE-2013-[2040-2042]: Multiple XSS vulnerabilities.
|
|
Credit to Mateusz Goik (aliantsoft.pl) and Kacper R. (http://devilteam.pl).</p>
|
|
<p>oC-SA-2013-022 / CVE-2013-2044: Open redirector.
|
|
Credit to Mateusz Goik (aliantsoft.pl).</p>
|
|
<p>oC-SA-2013-023 / CVE-2013-2047: Password autocompletion.</p>
|
|
<p>oC-SA-2013-024 / CVE-2013-2043: Privilege escalation in the calendar application.
|
|
Credit to Mateusz Goik (aliantsoft.pl).</p>
|
|
<p>oC-SA-2013-025 / CVE-2013-2048: Privilege escalation and CSRF in the API.</p>
|
|
<p>oC-SA-2013-026 / CVE-2013-2089: Incomplete blacklist vulnerability.</p>
|
|
<p>oC-SA-2013-027 / CVE-2013-2086: CSRF token leakage.</p>
|
|
<p>oC-SA-2013-028 / CVE-2013-[2149-2150]: Multiple XSS vulnerabilities.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-019/</url>
|
|
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-020/</url>
|
|
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-021/</url>
|
|
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-022/</url>
|
|
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-023/</url>
|
|
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-024/</url>
|
|
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-025/</url>
|
|
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-026/</url>
|
|
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-027/</url>
|
|
<url>http://owncloud.org/about/security/advisories/oC-SA-2013-028/</url>
|
|
<cvename>CVE-2013-2039</cvename>
|
|
<cvename>CVE-2013-2040</cvename>
|
|
<cvename>CVE-2013-2041</cvename>
|
|
<cvename>CVE-2013-2042</cvename>
|
|
<cvename>CVE-2013-2043</cvename>
|
|
<cvename>CVE-2013-2044</cvename>
|
|
<cvename>CVE-2013-2045</cvename>
|
|
<cvename>CVE-2013-2047</cvename>
|
|
<cvename>CVE-2013-2048</cvename>
|
|
<cvename>CVE-2013-2085</cvename>
|
|
<cvename>CVE-2013-2086</cvename>
|
|
<cvename>CVE-2013-2089</cvename>
|
|
<cvename>CVE-2013-2149</cvename>
|
|
<cvename>CVE-2013-2150</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-14</discovery>
|
|
<entry>2013-06-11</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="59e7163c-cf84-11e2-907b-0025905a4770">
|
|
<topic>php5 -- Heap based buffer overflow in quoted_printable_encode</topic>
|
|
<affects>
|
|
<package>
|
|
<name>php5</name>
|
|
<range><lt>5.4.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>php53</name>
|
|
<range><lt>5.3.26</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The PHP development team reports:</p>
|
|
<blockquote cite="http://www.php.net/ChangeLog-5.php">
|
|
<p>A Heap-based buffer overflow flaw was found in the php
|
|
quoted_printable_encode() function. A remote attacker could use
|
|
this flaw to cause php to crash or execute arbirary code with the
|
|
permission of the user running php</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2110</cvename>
|
|
<url>https://bugzilla.redhat.com/show_bug.cgi?id=964969</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-06</discovery>
|
|
<entry>2013-06-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="72f35727-ce83-11e2-be04-005056a37f68">
|
|
<topic>dns/bind9* -- A recursive resolver can be crashed by a query for a malformed zone</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bind99</name>
|
|
<range><gt>9.9.3</gt><lt>9.9.3.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind99-base</name>
|
|
<range><gt>9.9.3</gt><lt>9.9.3.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind98</name>
|
|
<range><gt>9.8.5</gt><lt>9.8.5.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind98-base</name>
|
|
<range><gt>9.8.5</gt><lt>9.8.5.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind96</name>
|
|
<range><gt>9.6.3.1.ESV.R9</gt><lt>9.6.3.2.ESV.R9</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind96-base</name>
|
|
<range><gt>9.6.3.1.ESV.R9</gt><lt>9.6.3.2.ESV.R9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>ISC reports:</p>
|
|
<blockquote cite="https://kb.isc.org/article/AA-00967">
|
|
<p>A bug has been discovered in the most recent releases of
|
|
BIND 9 which has the potential for deliberate exploitation
|
|
as a denial-of-service attack. By sending a recursive
|
|
resolver a query for a record in a specially malformed zone,
|
|
an attacker can cause BIND 9 to exit with a fatal
|
|
"RUNTIME_CHECK" error in resolver.c.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-3919</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-04</discovery>
|
|
<entry>2013-06-06</entry>
|
|
<modified>2013-06-07</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6b97436c-ce1e-11e2-9cb2-6805ca0b3d42">
|
|
<topic>phpMyAdmin -- XSS due to unescaped HTML output in Create View page</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><ge>4.0</ge><lt>4.0.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpMyAdmin development team reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php">
|
|
<p>When creating a view with a crafted name and an incorrect
|
|
CREATE statement, it is possible to trigger an XSS.</p>
|
|
<p>This vulnerability can be triggered only by someone who
|
|
logged in to phpMyAdmin, as the usual token protection
|
|
prevents non-logged-in users from accessing the required
|
|
form.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-6.php</url>
|
|
<cvename>CVE-2013-3742</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-06-05</discovery>
|
|
<entry>2013-06-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a3c2dee5-cdb9-11e2-b9ce-080027019be0">
|
|
<topic>telepathy-gabble -- TLS verification bypass</topic>
|
|
<affects>
|
|
<package>
|
|
<name>telepathy-gabble</name>
|
|
<range><lt>0.16.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Simon McVittie reports:</p>
|
|
<blockquote cite="http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html">
|
|
<p>This release fixes a man-in-the-middle attack.</p>
|
|
<p>If you use an unencrypted connection to a "legacy Jabber"
|
|
(pre-XMPP) server, this version of Gabble will not connect
|
|
until you make one of these configuration changes:</p>
|
|
<p>. upgrade the server software to something that supports XMPP 1.0; or</p>
|
|
<p>. use an encrypted "old SSL" connection, typically on port 5223
|
|
(old-ssl); or</p>
|
|
<p>. turn off "Encryption required (TLS/SSL)" (require-encryption).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1431</cvename>
|
|
<url>http://lists.freedesktop.org/archives/telepathy/2013-May/006449.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-27</discovery>
|
|
<entry>2013-06-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2eebebff-cd3b-11e2-8f09-001b38c3836c">
|
|
<topic>xorg -- protocol handling issues in X Window System client libraries</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libX11</name>
|
|
<range><lt>1.6.0</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXext</name>
|
|
<range><lt>1.3.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXfixes</name>
|
|
<range><lt>5.0.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXi</name>
|
|
<range><lt>1.7_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXinerama</name>
|
|
<range><lt>1.1.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXp</name>
|
|
<range><lt>1.0.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXrandr</name>
|
|
<range><lt>1.4.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXrender</name>
|
|
<range><lt>0.9.7_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXres</name>
|
|
<range><lt>1.0.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXtst</name>
|
|
<range><lt>1.2.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXv</name>
|
|
<range><lt>1.0.8</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXvMC</name>
|
|
<range><lt>1.0.7_1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXxf86dga</name>
|
|
<range><lt>1.1.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libdmx</name>
|
|
<range><lt>1.1.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxcb</name>
|
|
<range><lt>1.9.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libGL</name>
|
|
<range><lt>7.6.1_4</lt></range>
|
|
<range><gt>7.8.0</gt><lt>8.0.5_4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>xf86-video-openchrome</name>
|
|
<range><lt>0.3.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libFS</name>
|
|
<range><lt>1.0.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXxf86vm</name>
|
|
<range><lt>1.1.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXt</name>
|
|
<range><lt>1.1.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libXcursor</name>
|
|
<range><lt>1.1.14</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>freedesktop.org reports:</p>
|
|
<blockquote cite="http://www.x.org/wiki/Development/Security/Advisory-2013-05-23">
|
|
<p>Ilja van Sprundel, a security researcher with IOActive, has
|
|
discovered a large number of issues in the way various X client
|
|
libraries handle the responses they receive from servers, and has
|
|
worked with X.Org's security team to analyze, confirm, and fix
|
|
these issues.</p>
|
|
<p>Most of these issues stem from the client libraries trusting the
|
|
server to send correct protocol data, and not verifying that the
|
|
values will not overflow or cause other damage. Most of the time X
|
|
clients & servers are run by the same user, with the server
|
|
more privileged from the clients, so this is not a problem, but
|
|
there are scenarios in which a privileged client can be connected
|
|
to an unprivileged server, for instance, connecting a setuid X
|
|
client (such as a screen lock program) to a virtual X server (such
|
|
as Xvfb or Xephyr) which the user has modified to return invalid
|
|
data, potentially allowing the user to escalate their privileges.</p>
|
|
<p>The vulnerabilities include:</p>
|
|
<p>Integer overflows calculating memory needs for replies.</p>
|
|
<p>Sign extension issues calculating memory needs for replies.</p>
|
|
<p>Buffer overflows due to not validating length or offset values in
|
|
replies.</p>
|
|
<p>Integer overflows parsing user-specified files.</p>
|
|
<p>Unbounded recursion parsing user-specified files.</p>
|
|
<p>Memory corruption due to unchecked return values.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1981</cvename>
|
|
<cvename>CVE-2013-1982</cvename>
|
|
<cvename>CVE-2013-1983</cvename>
|
|
<cvename>CVE-2013-1984</cvename>
|
|
<cvename>CVE-2013-1985</cvename>
|
|
<cvename>CVE-2013-1986</cvename>
|
|
<cvename>CVE-2013-1987</cvename>
|
|
<cvename>CVE-2013-1988</cvename>
|
|
<cvename>CVE-2013-1989</cvename>
|
|
<cvename>CVE-2013-1990</cvename>
|
|
<cvename>CVE-2013-1991</cvename>
|
|
<cvename>CVE-2013-1992</cvename>
|
|
<cvename>CVE-2013-1993</cvename>
|
|
<cvename>CVE-2013-1994</cvename>
|
|
<cvename>CVE-2013-1995</cvename>
|
|
<cvename>CVE-2013-1996</cvename>
|
|
<cvename>CVE-2013-1997</cvename>
|
|
<cvename>CVE-2013-1998</cvename>
|
|
<cvename>CVE-2013-1999</cvename>
|
|
<cvename>CVE-2013-2000</cvename>
|
|
<cvename>CVE-2013-2001</cvename>
|
|
<cvename>CVE-2013-2002</cvename>
|
|
<cvename>CVE-2013-2003</cvename>
|
|
<cvename>CVE-2013-2004</cvename>
|
|
<cvename>CVE-2013-2005</cvename>
|
|
<cvename>CVE-2013-2062</cvename>
|
|
<cvename>CVE-2013-2063</cvename>
|
|
<cvename>CVE-2013-2064</cvename>
|
|
<cvename>CVE-2013-2066</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-23</discovery>
|
|
<entry>2013-06-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e3f64457-cccd-11e2-af76-206a8a720317">
|
|
<topic>krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]</topic>
|
|
<affects>
|
|
<package>
|
|
<name>krb5</name>
|
|
<range><le>1.11.2</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>No advisory has been released yet.</p>
|
|
<blockquote cite="http://web.mit.edu/kerberos/www/krb5-1.11/">
|
|
<p>schpw.c in the kpasswd service in kadmind in MIT Kerberos 5
|
|
(aka krb5) before 1.11.3 does not properly validate UDP packets
|
|
before sending responses, which allows remote attackers to cause
|
|
a denial of service (CPU and bandwidth consumption) via a forged
|
|
packet that triggers a communication loop, as demonstrated by
|
|
krb_pingpong.nasl, a related issue to CVE-1999-0103.
|
|
[CVE-2002-2443].</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2002-2443</cvename>
|
|
<url>http://web.mit.edu/kerberos/www/krb5-1.11/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-10</discovery>
|
|
<entry>2013-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0bf376b7-cc6b-11e2-a424-14dae938ec40">
|
|
<topic>net/openafs -- buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openafs</name>
|
|
<range><lt>1.6.2.*</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Nickolai Zeldovich reports:</p>
|
|
<blockquote cite="http://www.openafs.org/pages/security/OPENAFS-SA-2013-001.txt">
|
|
<p>An attacker with the ability to manipulate AFS directory ACLs may
|
|
crash the fileserver hosting that volume.
|
|
In addition, once a corrupt ACL is placed on a fileserver, its
|
|
existence may crash client utilities manipulating ACLs
|
|
on that server.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.openafs.org/pages/security/OPENAFS-SA-2013-001.txt</url>
|
|
<cvename>CVE-2013-1794</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-27</discovery>
|
|
<entry>2013-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9dfb63b8-8f36-11e2-b34d-000c2957946c">
|
|
<topic>www/mod_security -- NULL pointer dereference DoS</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_security</name>
|
|
<range><lt>2.7.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>SecurityFocus reports:</p>
|
|
<blockquote cite="http://www.securityfocus.com/archive/1/526746">
|
|
<p>When ModSecurity receives a request body with a size bigger than the
|
|
value set by the "SecRequestBodyInMemoryLimit" and with a "Content-Type"
|
|
that has no request body processor mapped to it, ModSecurity will
|
|
systematically crash on every call to "forceRequestBodyVariable".</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2765</cvename>
|
|
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-27</discovery>
|
|
<entry>2013-06-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1225549f-ca91-11e2-b3b8-f0def16c5c1b">
|
|
<topic>passenger -- security vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rubygem-passenger</name>
|
|
<range><lt>4.0.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Phusion reports:</p>
|
|
<blockquote cite="http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/">
|
|
<p>A denial of service and arbitrary code execution by hijacking temp files. [CVE-2013-2119]</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2119</cvename>
|
|
<url>http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-29</discovery>
|
|
<entry>2013-06-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ce502902-ca39-11e2-9673-001e8c75030d">
|
|
<topic>devel/subversion -- svnserve remotely triggerable DoS</topic>
|
|
<affects>
|
|
<package>
|
|
<name>subversion</name>
|
|
<range><ge>1.7.0</ge><lt>1.7.10</lt></range>
|
|
<range><ge>1.0.0</ge><lt>1.6.23</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Subversion team reports:</p>
|
|
<blockquote cite="http://subversion.apache.org/security/CVE-2013-2112-advisory.txt">
|
|
<p>Subversion's svnserve server process may exit when an incoming TCP connection
|
|
is closed early in the connection process.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2112</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-31</discovery>
|
|
<entry>2013-05-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6d0bf320-ca39-11e2-9673-001e8c75030d">
|
|
<topic>devel/subversion -- contrib hook-scripts can allow arbitrary code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>subversion</name>
|
|
<range><ge>1.7.0</ge><lt>1.7.10</lt></range>
|
|
<range><ge>1.2.0</ge><lt>1.6.23</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Subversion team reports:</p>
|
|
<blockquote cite="http://subversion.apache.org/security/CVE-2013-2088-advisory.txt">
|
|
<p>The script contrib/hook-scripts/check-mime-type.pl does not escape
|
|
argv arguments to 'svnlook' that start with a hyphen. This could be
|
|
used to cause 'svnlook', and hence check-mime-type.pl, to error out.</p>
|
|
<p>The script contrib/hook-scripts/svn-keyword-check.pl parses filenames
|
|
from the output of 'svnlook changed' and passes them to a further
|
|
shell command (equivalent to the 'system()' call of the C standard
|
|
library) without escaping them. This could be used to run arbitrary
|
|
shell commands in the context of the user whom the pre-commit script
|
|
runs as (the user who owns the repository).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2088</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-31</discovery>
|
|
<entry>2013-05-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="787d21b9-ca38-11e2-9673-001e8c75030d">
|
|
<topic>devel/subversion -- fsfs repositories can be corrupted by newline characters in filenames</topic>
|
|
<affects>
|
|
<package>
|
|
<name>subversion</name>
|
|
<range><ge>1.7.0</ge><lt>1.7.10</lt></range>
|
|
<range><ge>1.1.0</ge><lt>1.6.23</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Subversion team reports:</p>
|
|
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1968-advisory.txt">
|
|
<p>If a filename which contains a newline character (ASCII 0x0a) is
|
|
committed to a repository using the FSFS format, the resulting
|
|
revision is corrupt.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1968</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-31</discovery>
|
|
<entry>2013-05-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="0a799a8e-c9d4-11e2-a424-14dae938ec40">
|
|
<topic>irc/bitchx -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>BitchX</name>
|
|
<range><lt>1.2.*,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>bannedit reports:</p>
|
|
<blockquote cite="http://www.cvedetails.com/cve/CVE-2007-4584/">
|
|
<p>Stack-based buffer overflow in BitchX 1.1 Final allows remote IRC
|
|
servers to execute arbitrary code via a long string in a MODE
|
|
command, related to the p_mode variable.</p>
|
|
</blockquote>
|
|
<p>Nico Golde reports:</p>
|
|
<blockquote cite="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449149">
|
|
<p>There is a security issue in ircii-pana in bitchx' hostname
|
|
command. The e_hostname function (commands.c) uses tmpnam to
|
|
create a temporary file which is known to be insecure.</p>
|
|
</blockquote>
|
|
<p>Chris reports:</p>
|
|
<blockquote cite="http://secunia.com/advisories/27556">
|
|
<p>Chris has reported a vulnerability in the Cypress script for
|
|
BitchX, which can be exploited by malicious people to disclose
|
|
potentially sensitive information or to compromise a vulnerable
|
|
system.</p>
|
|
|
|
<p>The vulnerability is caused due to malicious code being present
|
|
in the modules/mdop.m file. This can be exploited to disclose the
|
|
content of various system files or to execute arbitrary shell
|
|
commands.</p>
|
|
|
|
<p>Successful exploitation allows execution of arbitrary code, but
|
|
requires the control of the "lsyn.webhop.net" domain.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2007-4584</cvename>
|
|
<cvename>CVE-2007-5839</cvename>
|
|
<cvename>CVE-2007-5922</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2007-08-28</discovery>
|
|
<entry>2013-05-31</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="19751e06-c798-11e2-a373-000c29833058">
|
|
<topic>znc -- null pointer dereference in webadmin module</topic>
|
|
<affects>
|
|
<package>
|
|
<name>znc</name>
|
|
<range><lt>1.0_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>No advisory has been released yet.</p>
|
|
<blockquote cite="https://github.com/znc/znc/commit/2bd410ee5570cea127233f1133ea22f25174eb28">
|
|
<p>Fix NULL pointer dereference in webadmin.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://github.com/znc/znc/commit/2bd410ee5570cea127233f1133ea22f25174eb28</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-27</discovery>
|
|
<entry>2013-05-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6d87c2e9-c64d-11e2-9c22-50465d9ff992">
|
|
<topic>socat -- FD leak</topic>
|
|
<affects>
|
|
<package>
|
|
<name>socat</name>
|
|
<range><lt>1.7.2.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Gerhard Rieger reports:</p>
|
|
<blockquote cite="http://seclists.org/oss-sec/2013/q2/411">
|
|
<p>Under certain circumstances an FD leak occurs and can be misused for
|
|
denial of service attacks against socat running in server mode.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-3571</cvename>
|
|
<url>http://seclists.org/oss-sec/2013/q2/411</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-26</discovery>
|
|
<entry>2013-05-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="79789daa-8af8-4e21-a47f-e8a645752bdb">
|
|
<topic>ruby -- Object taint bypassing in DL and Fiddle in Ruby</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby19</name>
|
|
<range><lt>1.9.3.429,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby Developers report:</p>
|
|
<blockquote cite="http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/">
|
|
<p>There is a vulnerability in DL and Fiddle in Ruby where tainted
|
|
strings can be used by system calls regardless of the $SAFE level
|
|
set in Ruby.
|
|
</p>
|
|
<p>Native functions exposed to Ruby with DL or Fiddle do not check the
|
|
taint values set on the objects passed in. This can result in
|
|
tainted objects being accepted as input when a SecurityError
|
|
exception should be raised.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2065</cvename>
|
|
<url>http://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-14</discovery>
|
|
<entry>2013-05-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4fb45a1c-c5d0-11e2-8400-001b216147b0">
|
|
<topic>couchdb -- DOM based Cross-Site Scripting via Futon UI</topic>
|
|
<affects>
|
|
<package>
|
|
<name>couchdb</name>
|
|
<range><lt>1.2.1,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jan Lehnardt reports:</p>
|
|
<blockquote cite="http://mail-archives.apache.org/mod_mbox/couchdb-user/201301.mbox/%3C2FFF2FD7-8EAF-4EBF-AFDA-5AEB6EAC853F@apache.org%3E">
|
|
<p>Query parameters passed into the browser-based test suite
|
|
are not sanitised, and can be used to load external resources.
|
|
An attacker may execute JavaScript code in the browser, using
|
|
the context of the remote user.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-5650</cvename>
|
|
<url>http://mail-archives.apache.org/mod_mbox/couchdb-user/201301.mbox/%3C2FFF2FD7-8EAF-4EBF-AFDA-5AEB6EAC853F@apache.org%3E</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-01-14</discovery>
|
|
<entry>2013-05-26</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a5b24a6b-c37c-11e2-addb-60a44c524f57">
|
|
<topic>otrs -- information disclosure</topic>
|
|
<affects>
|
|
<package>
|
|
<name>otrs</name>
|
|
<range><lt>3.2.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OTRS Project reports:</p>
|
|
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/">
|
|
<p>An attacker with a valid agent login could manipulate URLs in the ticket split mechanism to see contents of tickets and they are not permitted to see.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-3551</cvename>
|
|
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-22</discovery>
|
|
<entry>2013-05-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="661bd031-c37d-11e2-addb-60a44c524f57">
|
|
<topic>otrs -- XSS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>otrs</name>
|
|
<range><lt>3.1.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OTRS Project reports:</p>
|
|
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-02/">
|
|
<p>An attacker with permission to write changes, workorder items or FAQ articles could inject JavaScript code into the articles which would be executed by the browser of other users reading the article.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2637</cvename>
|
|
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-02/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-02</discovery>
|
|
<entry>2013-05-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3a429192-c36a-11e2-97a9-6805ca0b3d42">
|
|
<topic>RT -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rt38</name>
|
|
<range><ge>3.8</ge><lt>3.8.17</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rt40</name>
|
|
<range><ge>4.0</ge><lt>4.0.13</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Thomas Sibley reports:</p>
|
|
<blockquote cite="http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html">
|
|
<p>We discovered a number of security vulnerabilities which
|
|
affect both RT 3.8.x and RT 4.0.x. We are releasing RT
|
|
versions 3.8.17 and 4.0.13 to resolve these vulnerabilities,
|
|
as well as patches which apply atop all released versions of
|
|
3.8 and 4.0.</p>
|
|
<p>The vulnerabilities addressed by 3.8.17, 4.0.13, and the
|
|
below patches include the following:</p>
|
|
<p>RT 4.0.0 and above are vulnerable to a limited privilege
|
|
escalation leading to unauthorized modification of ticket
|
|
data. The DeleteTicket right and any custom lifecycle
|
|
transition rights may be bypassed by any user with
|
|
ModifyTicket. This vulnerability is assigned
|
|
CVE-2012-4733.</p>
|
|
<p>RT 3.8.0 and above include a version of bin/rt that uses
|
|
semi-predictable names when creating tempfiles. This could
|
|
possibly be exploited by a malicious user to overwrite files
|
|
with permissions of the user running bin/rt. This
|
|
vulnerability is assigned CVE-2013-3368.</p>
|
|
<p>RT 3.8.0 and above allow calling of arbitrary Mason
|
|
components (without control of arguments) for users who can
|
|
see administration pages. This could be used by a malicious
|
|
user to run private components which may have negative
|
|
side-effects. This vulnerability is assigned
|
|
CVE-2013-3369.</p>
|
|
<p>RT 3.8.0 and above allow direct requests to private
|
|
callback components. Though no callback components ship
|
|
with RT, this could be used to exploit an extension or local
|
|
callback which uses the arguments passed to it insecurely.
|
|
This vulnerability is assigned CVE-2013-3370.</p>
|
|
<p>RT 3.8.3 and above are vulnerable to cross-site scripting
|
|
(XSS) via attachment filenames. The vector is difficult to
|
|
exploit due to parsing requirements. Additionally, RT 4.0.0
|
|
and above are vulnerable to XSS via maliciously-crafted
|
|
"URLs" in ticket content when RT's "MakeClicky" feature is
|
|
configured. Although not believed to be exploitable in the
|
|
stock configuration, a patch is also included for RTIR 2.6.x
|
|
to add bulletproofing. These vulnerabilities are assigned
|
|
CVE-2013-3371.</p>
|
|
<p>RT 3.8.0 and above are vulnerable to an HTTP header
|
|
injection limited to the value of the Content-Disposition
|
|
header. Injection of other arbitrary response headers is
|
|
not possible. Some (especially older) browsers may allow
|
|
multiple Content-Disposition values which could lead to XSS.
|
|
Newer browsers contain security measures to prevent this.
|
|
Thank you to Dominic Hargreaves for reporting this
|
|
vulnerability. This vulnerability is assigned
|
|
CVE-2013-3372.</p>
|
|
<p>RT 3.8.0 and above are vulnerable to a MIME header
|
|
injection in outgoing email generated by RT. The vectors
|
|
via RT's stock templates are resolved by this patchset, but
|
|
any custom email templates should be updated to ensure that
|
|
values interpolated into mail headers do not contain
|
|
newlines. This vulnerability is assigned CVE-2013-3373.</p>
|
|
<p>RT 3.8.0 and above are vulnerable to limited session
|
|
re-use when using the file-based session store,
|
|
Apache::Session::File. RT's default session configuration
|
|
only uses Apache::Session::File for Oracle. RT instances
|
|
using Oracle may be locally configured to use the
|
|
database-backed Apache::Session::Oracle, in which case
|
|
sessions are never re-used. The extent of session re-use is
|
|
limited to information leaks of certain user preferences and
|
|
caches, such as queue names available for ticket creation.
|
|
Thank you to Jenny Martin for reporting the problem that
|
|
lead to discovery of this vulnerability. This vulnerability
|
|
is assigned CVE-2013-3374.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html</url>
|
|
<url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000227.html</url>
|
|
<url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000228.html</url>
|
|
<cvename>CVE-2012-4733</cvename>
|
|
<cvename>CVE-2013-3368</cvename>
|
|
<cvename>CVE-2013-3369</cvename>
|
|
<cvename>CVE-2013-3370</cvename>
|
|
<cvename>CVE-2013-3371</cvename>
|
|
<cvename>CVE-2013-3372</cvename>
|
|
<cvename>CVE-2013-3373</cvename>
|
|
<cvename>CVE-2013-3374</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-22</discovery>
|
|
<entry>2013-05-23</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c72a2494-c08b-11e2-bb21-083e8ed0f47b">
|
|
<topic>plib -- stack-based buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>plib</name>
|
|
<range><lt>1.8.5_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>CVE reports:</p>
|
|
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4552">
|
|
<p>Stack-based buffer overflow in the error function in
|
|
ssg/ssgParser.cxx in PLIB 1.8.5 allows remote attackers to
|
|
execute arbitrary code via a crafted 3d model file that
|
|
triggers a long error message, as demonstrated by a .ase
|
|
file.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>55839</bid>
|
|
<cvename>CVE-2012-4552</cvename>
|
|
<mlist>http://www.openwall.com/lists/oss-security/2012/10/29/8</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-10-09</discovery>
|
|
<entry>2013-05-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="13bf0602-c08a-11e2-bb21-083e8ed0f47b">
|
|
<topic>plib -- buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>plib</name>
|
|
<range><lt>1.8.5_4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="https://secunia.com/advisories/47297">
|
|
<p>A vulnerability has been discovered in PLIB, which can be
|
|
exploited by malicious people to compromise an application
|
|
using the library. The vulnerability is caused due to a
|
|
boundary error within the "ulSetError()" function
|
|
(src/util/ulError.cxx) when creating the error message,
|
|
which can be exploited to overflow a static buffer.</p>
|
|
<p>Successful exploitation allows the execution of arbitrary
|
|
code but requires that the attacker can e.g. control the
|
|
content of an overly long error message passed to the
|
|
"ulSetError()" function.</p>
|
|
<p>The vulnerability is confirmed in version 1.8.5. Other
|
|
versions may also be affected.</p>
|
|
<p>Originally reported in TORCS by Andres Gomez.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2011-4620</cvename>
|
|
<mlist>http://openwall.com/lists/oss-security/2011/12/21/2</mlist>
|
|
</references>
|
|
<dates>
|
|
<discovery>2011-12-21</discovery>
|
|
<entry>2013-05-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a0c65049-bddd-11e2-a0f6-001060e06fd4">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>11.2r202.285</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-14.html">
|
|
<p>These updates address vulnerabilities that could cause a crash
|
|
and potentially allow an attacker to take control of the affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2728</cvename>
|
|
<cvename>CVE-2013-3324</cvename>
|
|
<cvename>CVE-2013-3325</cvename>
|
|
<cvename>CVE-2013-3326</cvename>
|
|
<cvename>CVE-2013-3327</cvename>
|
|
<cvename>CVE-2013-3328</cvename>
|
|
<cvename>CVE-2013-3329</cvename>
|
|
<cvename>CVE-2013-3330</cvename>
|
|
<cvename>CVE-2013-3331</cvename>
|
|
<cvename>CVE-2013-3332</cvename>
|
|
<cvename>CVE-2013-3333</cvename>
|
|
<cvename>CVE-2013-3334</cvename>
|
|
<cvename>CVE-2013-3335</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-14</discovery>
|
|
<entry>2013-05-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4a1ca8a4-bd82-11e2-b7a0-d43d7e0c7c02">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>18.0,1</gt><lt>21.0,1</lt></range>
|
|
<range><lt>17.0.6,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>17.0.6,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.17.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>17.0.6</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><lt>2.17.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><gt>11.0</gt><lt>17.0.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0
|
|
/ rv:17.0.6)</p>
|
|
<p>MFSA 2013-42 Privileged access for content level constructor</p>
|
|
<p>MFSA 2013-43 File input control has access to full path</p>
|
|
<p>MFSA 2013-44 Local privilege escalation through Mozilla
|
|
Maintenance Service</p>
|
|
<p>MFSA 2013-45 Mozilla Updater fails to update some Windows Registry
|
|
entries</p>
|
|
<p>MFSA 2013-46 Use-after-free with video and onresize event</p>
|
|
<p>MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent</p>
|
|
<p>MFSA 2013-48 Memory corruption found using Address Sanitizer</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-1942</cvename>
|
|
<cvename>CVE-2013-0801</cvename>
|
|
<cvename>CVE-2013-1669</cvename>
|
|
<cvename>CVE-2013-1670</cvename>
|
|
<cvename>CVE-2013-1671</cvename>
|
|
<cvename>CVE-2013-1672</cvename>
|
|
<cvename>CVE-2013-1674</cvename>
|
|
<cvename>CVE-2013-1675</cvename>
|
|
<cvename>CVE-2013-1676</cvename>
|
|
<cvename>CVE-2013-1677</cvename>
|
|
<cvename>CVE-2013-1678</cvename>
|
|
<cvename>CVE-2013-1679</cvename>
|
|
<cvename>CVE-2013-1680</cvename>
|
|
<cvename>CVE-2013-1681</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-40.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-41.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-42.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-43.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-44.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-45.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-46.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-47.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-48.html</url>
|
|
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-14</discovery>
|
|
<entry>2013-05-15</entry>
|
|
<modified>2013-05-21</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="efaa4071-b700-11e2-b1b9-f0def16c5c1b">
|
|
<topic>nginx -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nginx</name>
|
|
<range><ge>1.2.0,1</ge><le>1.2.8,1</le></range>
|
|
<range><ge>1.3.0,1</ge><lt>1.4.1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>nginx-devel</name>
|
|
<range><ge>1.1.4</ge><le>1.2.8</le></range>
|
|
<range><ge>1.3.0</ge><lt>1.5.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The nginx project reports:</p>
|
|
<blockquote cite="http://nginx.org/en/security_advisories.html">
|
|
<p>A stack-based buffer overflow might occur in a worker process
|
|
process while handling a specially crafted request, potentially
|
|
resulting in arbitrary code execution. [CVE-2013-2028]</p>
|
|
<p>A security problem related to CVE-2013-2028 was identified,
|
|
affecting some previous nginx versions if proxy_pass to
|
|
untrusted upstream HTTP servers is used.</p>
|
|
<p>The problem may lead to a denial of service or a disclosure of a
|
|
worker process memory on a specially crafted response from an
|
|
upstream proxied server. [CVE-2013-2070]</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2028</cvename>
|
|
<cvename>CVE-2013-2070</cvename>
|
|
<url>http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html</url>
|
|
<url>http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-07</discovery>
|
|
<entry>2013-05-07</entry>
|
|
<modified>2013-05-16</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6ff570cb-b418-11e2-b279-20cf30e32f6d">
|
|
<topic>strongSwan -- ECDSA signature verification issue</topic>
|
|
<affects>
|
|
<package>
|
|
<name>strongswan</name>
|
|
<range><lt>5.0.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>strongSwan security team reports:</p>
|
|
<blockquote cite="http://www.strongswan.org/blog/2013/04/30/strongswan-5.0.4-released-%28cve-2013-2944%29.html">
|
|
<p>If the openssl plugin is used for ECDSA signature verification an empty,
|
|
zeroed or otherwise invalid signature is handled as a legitimate one.
|
|
Both IKEv1 and IKEv2 are affected.</p>
|
|
<p>Affected are only installations that have enabled and loaded the OpenSSL
|
|
crypto backend (--enable-openssl). Builds using the default crypto backends
|
|
are not affected.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2944</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-30</discovery>
|
|
<entry>2013-05-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="622e14b1-b40c-11e2-8441-00e0814cab4e">
|
|
<topic>jenkins -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jenkins</name>
|
|
<range><lt>1.514</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jenkins Security Advisory reports:</p>
|
|
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02">
|
|
<p>This advisory announces multiple security vulnerabilities that
|
|
were found in Jenkins core.</p>
|
|
<ol>
|
|
<li>
|
|
<p>SECURITY-63 / CVE-2013-2034</p>
|
|
<p>This creates a cross-site request forgery (CSRF) vulnerability
|
|
on Jenkins master, where an anonymous attacker can trick an
|
|
administrator to execute arbitrary code on Jenkins master by
|
|
having him open a specifically crafted attack URL.</p>
|
|
<p>There's also a related vulnerability where the permission
|
|
check on this ability is done imprecisely, which may affect
|
|
those who are running Jenkins instances with a custom
|
|
authorization strategy plugin.</p>
|
|
</li>
|
|
<li>
|
|
<p>SECURITY-67 / CVE-2013-2033</p>
|
|
<p>This creates a cross-site scripting (XSS) vulnerability, where
|
|
an attacker with a valid user account on Jenkins can execute
|
|
JavaScript in the browser of other users, if those users are
|
|
using certain browsers.</p>
|
|
</li>
|
|
<li>
|
|
<p>SECURITY-69 / CVE-2013-2034</p>
|
|
<p>This is another CSRF vulnerability that allows an attacker to
|
|
cause a deployment of binaries to Maven repositories. This
|
|
vulnerability has the same CVE ID as SEUCRITY-63.</p>
|
|
</li>
|
|
<li>
|
|
<p>SECURITY-71 / CVE-2013-1808</p>
|
|
<p>This creates a cross-site scripting (XSS) vulnerability.</p>
|
|
</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02</url>
|
|
<cvename>CVE-2013-2034</cvename>
|
|
<cvename>CVE-2013-2033</cvename>
|
|
<cvename>CVE-2013-2034</cvename>
|
|
<cvename>CVE-2013-1808</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-05-02</discovery>
|
|
<entry>2013-05-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e66a6e2f-b0d5-11e2-9164-0016e6dcb562">
|
|
<topic>FreeBSD -- NFS remote denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>8.3</ge><lt>8.3_8</lt></range>
|
|
<range><ge>9.1</ge><lt>9.1_3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13:05.nfsserver.asc">
|
|
<p>Insufficient input validation in the NFS server allows an
|
|
attacker to cause the underlying file system to treat a
|
|
regular file as a directory.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-3266</cvename>
|
|
<freebsdsa>SA-13:05.nfsserver</freebsdsa>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-21</discovery>
|
|
<entry>2013-04-29</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="57df803e-af34-11e2-8d62-6cf0490a8c18">
|
|
<topic>Joomla! -- XXS and DDoS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>joomla</name>
|
|
<range><ge>2.0.*</ge><lt>2.5.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The JSST and the Joomla! Security Center report:</p>
|
|
<blockquote cite="http://developer.joomla.org/security/80-20130405-core-xss-vulnerability.html">
|
|
<h2>[20130405] - Core - XSS Vulnerability</h2>
|
|
<p>Inadequate filtering leads to XSS vulnerability in Voting plugin.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/81-20130403-core-xss-vulnerability.html">
|
|
<h2>[20130403] - Core - XSS Vulnerability</h2>
|
|
<p>Inadequate filtering allows possibility of XSS exploit in some
|
|
circumstances.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/82-20130402-core-information-disclosure.html">
|
|
<h2>[20130402] - Core - Information Disclosure</h2>
|
|
<p>Inadequate permission checking allows unauthorised user to see
|
|
permission settings in some circumstances.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/83-20130404-core-xss-vulnerability.html">
|
|
<h2>[20130404] - Core - XSS Vulnerability</h2>
|
|
<p>Use of old version of Flash-based file uploader leads to XSS
|
|
vulnerability.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/84-20130401-core-privilege-escalation.html">
|
|
<h2>[20130401] - Core - Privilege Escalation</h2>
|
|
<p>Inadequate permission checking allows unauthorised user to delete
|
|
private messages.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/85-20130406-core-dos-vulnerability.html">
|
|
<h2>[20130406] - Core - DOS Vulnerability</h2>
|
|
<p>Object unserialize method leads to possible denial of service
|
|
vulnerability.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://developer.joomla.org/security/86-20130407-core-xss-vulnerability.html">
|
|
<h2>[20130407] - Core - XSS Vulnerability</h2>
|
|
<p>Inadequate filtering leads to XSS vulnerability in highlighter
|
|
plugin</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-3059</cvename>
|
|
<cvename>CVE-2013-3058</cvename>
|
|
<cvename>CVE-2013-3057</cvename>
|
|
<url>http://developer.joomla.org/security/83-20130404-core-xss-vulnerability.html</url>
|
|
<cvename>CVE-2013-3056</cvename>
|
|
<cvename>CVE-2013-3242</cvename>
|
|
<cvename>CVE-2013-3267</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-24</discovery>
|
|
<entry>2013-04-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8c8fa44d-ad15-11e2-8cea-6805ca0b3d42">
|
|
<topic>phpMyAdmin -- Multiple security vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><ge>3.5</ge><lt>3.5.8.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpMyAdmin development team reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php">
|
|
<p>In some PHP versions, the preg_replace() function can be
|
|
tricked into executing arbitrary PHP code on the
|
|
server. This is done by passing a crafted argument as the
|
|
regular expression, containing a null byte. phpMyAdmin does
|
|
not correctly sanitize an argument passed to preg_replace()
|
|
when using the "Replace table prefix" feature, opening the
|
|
way to this vulnerability..</p>
|
|
<p>This vulnerability can be triggered only by someone who
|
|
logged in to phpMyAdmin, as the usual token protection
|
|
prevents non-logged-in users to access the required
|
|
form.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php">
|
|
<p>phpMyAdmin can be configured to save an export file on
|
|
the web server, via its SaveDir directive. With this in
|
|
place, it's possible, either via a crafted filename template
|
|
or a crafted table name, to save a double extension file
|
|
like foobar.php.sql. In turn, an Apache webserver on which
|
|
there is no definition for the MIME type "sql" (the default)
|
|
will treat this saved file as a ".php" script, leading to
|
|
remote code execution.</p>
|
|
<p>This vulnerability can be triggered only by someone who
|
|
logged in to phpMyAdmin, as the usual token protection
|
|
prevents non-logged-in users to access the required
|
|
form. Moreover, the SaveDir directive is empty by default,
|
|
so a default configuration is not vulnerable. The
|
|
$cfg['SaveDir'] directive must be configured, and the server
|
|
must be running Apache with mod_mime to be exploitable.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-3238</cvename>
|
|
<cvename>CVE-2013-3239</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-24</discovery>
|
|
<entry>2013-04-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="aeb962f6-ab8d-11e2-b3f5-003067c2616f">
|
|
<topic>tinc -- Buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>tinc</name>
|
|
<range><lt>1.0.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>tinc-vpn.org reports:</p>
|
|
<blockquote cite="http://www.tinc-vpn.org/news/">
|
|
<p>Drop packets forwarded via TCP if they are too big.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1428</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-26</discovery>
|
|
<entry>2013-04-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7280c3f6-a99a-11e2-8cef-6805ca0b3d42">
|
|
<topic>phpMyAdmin -- XSS due to unescaped HTML output in GIS visualisation page</topic>
|
|
<affects>
|
|
<package>
|
|
<name>phpMyAdmin</name>
|
|
<range><ge>3.5</ge><lt>3.5.8</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The phpMyAdmin development team reports:</p>
|
|
<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-1.php">
|
|
<p> When modifying a URL parameter with a crafted value it
|
|
is possible to trigger an XSS.</p>
|
|
<p>These XSS can only be triggered when a valid database is
|
|
known and when a valid cookie token is used.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1937</cvename>
|
|
<url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-1.php</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-18</discovery>
|
|
<entry>2013-04-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a592e991-a919-11e2-ade0-8c705af55518">
|
|
<topic>roundcube -- arbitrary file disclosure vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>roundcube</name>
|
|
<range><lt>0.8.6,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>RoundCube development team reports:</p>
|
|
<blockquote cite="http://lists.roundcube.net/pipermail/dev/2013-March/022337.html">
|
|
<p>After getting reports about a possible vulnerability
|
|
of Roundcube which allows an attacker to modify its
|
|
users preferences in a way that he/she can then read
|
|
files from the server, we now published updated packages
|
|
as well as patches that fix this security issue.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1904</cvename>
|
|
<url>https://secunia.com/advisories/52806/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-27</discovery>
|
|
<entry>2013-04-19</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8ff84335-a7da-11e2-b3f5-003067c2616f">
|
|
<topic>jasper -- buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jasper</name>
|
|
<range><lt>1.900.1_12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Fedora reports:</p>
|
|
<blockquote cite="http://www.kb.cert.org/vuls/id/887409">
|
|
<p>JasPer fails to properly decode marker segments and other
|
|
sections in malformed JPEG2000 files. Malformed inputs can
|
|
cause heap buffer overflows which in turn may result in
|
|
execution of attacker-controlled code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2008-3520</cvename>
|
|
<cvename>CVE-2008-3522</cvename>
|
|
<cvename>CVE-2011-4516</cvename>
|
|
<cvename>CVE-2011-4517</cvename>
|
|
<url>http://www.kb.cert.org/vuls/id/887409</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2011-12-09</discovery>
|
|
<entry>2013-04-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2070c79a-8e1e-11e2-b34d-000c2957946c">
|
|
<topic>ModSecurity -- XML External Entity Processing Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mod_security</name>
|
|
<range><gt>2.*</gt><lt>2.7.3</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Positive Technologies has reported a vulnerability in ModSecurity,
|
|
which can be exploited by malicious people to disclose potentially
|
|
sensitive information or cause a DoS (Denial Of Serice).</p>
|
|
<p>The vulnerability is caused due to an error when parsing external
|
|
XML entities and can be exploited to e.g. disclose local files or
|
|
cause excessive memory and CPU consumption.</p>
|
|
<blockquote cite="https://secunia.com/advisories/52847/">
|
|
<p>.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1915</cvename>
|
|
<url>https://secunia.com/advisories/52847/</url>
|
|
<url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1915</url>
|
|
<url>https://bugs.gentoo.org/show_bug.cgi?id=464188</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-02</discovery>
|
|
<entry>2013-04-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a2ff483f-a5c6-11e2-9601-000d601460a4">
|
|
<topic>sieve-connect -- TLS hostname verification was not occurring</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sieve-connect</name>
|
|
<range><lt>0.85</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>sieve-connect developer Phil Pennock reports:</p>
|
|
<blockquote cite="http://mail.globnix.net/pipermail/sieve-connect-announce/2013/000005.html">
|
|
<p>sieve-connect was not actually verifying TLS certificate identities
|
|
matched the expected hostname.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://mail.globnix.net/pipermail/sieve-connect-announce/2013/000005.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-14</discovery>
|
|
<entry>2013-04-15</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="15236023-a21b-11e2-a460-208984377b34">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>11.2r202.280</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-12.html">
|
|
<p>These updates address vulnerabilities that could cause a crash
|
|
and potentially allow an attacker to take control of the affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1383</cvename>
|
|
<cvename>CVE-2013-1384</cvename>
|
|
<cvename>CVE-2013-1385</cvename>
|
|
<cvename>CVE-2013-1386</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-09</discovery>
|
|
<entry>2013-04-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="db0c4b00-a24c-11e2-9601-000d601460a4">
|
|
<topic>rubygem-rails -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rubygem-rails</name>
|
|
<range><lt>3.2.13</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-actionpack</name>
|
|
<range><lt>3.2.13</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-activerecord</name>
|
|
<range><lt>3.2.13</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-activesupport</name>
|
|
<range><lt>3.2.13</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby on Rails team reports:</p>
|
|
<blockquote cite="http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/">
|
|
<p>Rails versions 3.2.13 has been released. This release
|
|
contains important security fixes. It is recommended
|
|
users upgrade as soon as possible.</p>
|
|
<p>Four vulnerabilities have been discovered and fixed:</p>
|
|
<ol>
|
|
<li>(CVE-2013-1854) Symbol DoS vulnerability in Active Record</li>
|
|
<li>(CVE-2013-1855) XSS vulnerability in sanitize_css in Action Pack</li>
|
|
<li>(CVE-2013-1856) XML Parsing Vulnerability affecting JRuby users</li>
|
|
<li>(CVE-2013-1857) XSS Vulnerability in the `sanitize` helper of Ruby on Rails</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1854</cvename>
|
|
<cvename>CVE-2013-1856</cvename>
|
|
<cvename>CVE-2013-1856</cvename>
|
|
<cvename>CVE-2013-1857</cvename>
|
|
<url>http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/</url>
|
|
<url>https://groups.google.com/forum/#!topic/ruby-security-ann/o0Dsdk2WrQ0</url>
|
|
<url>https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8</url>
|
|
<url>https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI</url>
|
|
<url>https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-18</discovery>
|
|
<entry>2013-04-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1431f2d6-a06e-11e2-b9e0-001636d274f3">
|
|
<topic>NVIDIA UNIX driver -- ARGB cursor buffer overflow in "NoScanout" mode</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nvidia-driver</name>
|
|
<range><ge>310.14</ge><lt>310.44</lt></range>
|
|
<range><ge>195.22</ge><lt>304.88</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>NVIDIA Unix security team reports:</p>
|
|
<blockquote cite="http://nvidia.custhelp.com/app/answers/detail/a_id/3290">
|
|
<p>When the NVIDIA driver for the X Window System is operated in
|
|
"NoScanout" mode, and an X client installs an ARGB cursor that
|
|
is larger than the expected size (64x64 or 256x256, depending on
|
|
the driver version), the driver will overflow a buffer. This
|
|
can cause a denial of service (e.g., an X server segmentation
|
|
fault), or could be exploited to achieve arbitrary code
|
|
execution. Because the X server runs as setuid root in many
|
|
configurations, an attacker could potentially use this
|
|
vulnerability in those configurations to gain root privileges.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0131</cvename>
|
|
<url>http://nvidia.custhelp.com/app/answers/detail/a_id/3290</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-27</discovery>
|
|
<entry>2013-04-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cebed39d-9e6f-11e2-b3f5-003067c2616f">
|
|
<topic>opera -- moderately severe issue</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opera</name>
|
|
<range><lt>12.15</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>opera-devel</name>
|
|
<range><lt>12.15</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-opera</name>
|
|
<range><lt>12.15</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-opera-devel</name>
|
|
<range><lt>12.15</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Opera reports:</p>
|
|
<blockquote cite="http://www.opera.com/support/kb/view/1042/">
|
|
<p>Fixed a moderately severe issue, as reported by Attila Suszte.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.opera.com/docs/changelogs/unified/1215/</url>
|
|
<url>http://www.opera.com/support/kb/view/1046/</url>
|
|
<url>http://www.opera.com/support/kb/view/1047/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-04</discovery>
|
|
<entry>2014-04-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b6beb137-9dc0-11e2-882f-20cf30e32f6d">
|
|
<topic>Subversion -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>subversion</name>
|
|
<range><ge>1.7.0</ge><lt>1.7.9</lt></range>
|
|
<range><ge>1.0.0</ge><lt>1.6.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Subversion team reports:</p>
|
|
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1845-advisory.txt">
|
|
<p>Subversion's mod_dav_svn Apache HTTPD server module will use excessive
|
|
amounts of memory when a large number of properties are set or deleted
|
|
on a node.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1846-advisory.txt">
|
|
<p>Subversion's mod_dav_svn Apache HTTPD server module will crash when
|
|
a LOCK request is made against activity URLs.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1847-advisory.txt">
|
|
<p>Subversion's mod_dav_svn Apache HTTPD server module will crash in some
|
|
circumstances when a LOCK request is made against a non-existent URL.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1849-advisory.txt">
|
|
<p>Subversion's mod_dav_svn Apache HTTPD server module will crash when a
|
|
PROPFIND request is made against activity URLs.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://subversion.apache.org/security/CVE-2013-1884-advisory.txt">
|
|
<p>Subversion's mod_dav_svn Apache HTTPD server module will crash when a
|
|
log REPORT request receives a limit that is out of the allowed range.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1845</cvename>
|
|
<cvename>CVE-2013-1846</cvename>
|
|
<cvename>CVE-2013-1847</cvename>
|
|
<cvename>CVE-2013-1849</cvename>
|
|
<cvename>CVE-2013-1884</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-05</discovery>
|
|
<entry>2013-04-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="eae8e3cf-9dfe-11e2-ac7f-001fd056c417">
|
|
<topic>otrs -- Information disclosure and Data manipulation</topic>
|
|
<affects>
|
|
<package>
|
|
<name>otrs</name>
|
|
<range><lt>3.1.14</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OTRS Project reports:</p>
|
|
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/">
|
|
<p>An attacker with a valid agent login could manipulate URLs in the
|
|
object linking mechanism to see titles of tickets and other objects
|
|
that are not obliged to be seen. Furthermore, links to objects without
|
|
permission can be placed and removed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2625</cvename>
|
|
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-02</discovery>
|
|
<entry>2013-04-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3f332f16-9b6b-11e2-8fe9-08002798f6ff">
|
|
<topic>PostgreSQL -- anonymous remote access data corruption vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>postgresql-server</name>
|
|
<range><ge>8.3.0</ge><lt>8.3.21_1</lt></range>
|
|
<range><ge>8.4.0</ge><lt>8.4.17</lt></range>
|
|
<range><ge>9.0.0</ge><lt>9.0.13</lt></range>
|
|
<range><ge>9.1.0</ge><lt>9.1.9</lt></range>
|
|
<range><ge>9.2.0</ge><lt>9.2.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>PostgreSQL project reports:</p>
|
|
<blockquote cite="http://www.postgresql.org/about/news/1456/">
|
|
<p>
|
|
The PostgreSQL Global Development Group has released a security
|
|
update to all current versions of the PostgreSQL database system,
|
|
including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update
|
|
fixes a high-exposure security vulnerability in versions 9.0 and
|
|
later. All users of the affected versions are strongly urged to apply
|
|
the update *immediately*.
|
|
</p>
|
|
<p>
|
|
A major security issue (for versions 9.x only) fixed in this release,
|
|
[CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899),
|
|
makes it possible for a connection request containing a database name
|
|
that begins with "-" to be crafted that can damage or destroy files
|
|
within a server's data directory. Anyone with access to the port the
|
|
PostgreSQL server listens on can initiate this request. This issue was
|
|
discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source
|
|
Software Center.
|
|
</p>
|
|
<p>
|
|
Two lesser security fixes are also included in this release:
|
|
[CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900),
|
|
wherein random numbers generated by contrib/pgcrypto functions may be
|
|
easy for another database user to guess (all versions), and
|
|
[CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901),
|
|
which mistakenly allows an unprivileged user to run commands that
|
|
could interfere with in-progress backups (for versions 9.x only).
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1899</cvename>
|
|
<cvename>CVE-2013-1900</cvename>
|
|
<cvename>CVE-2013-1901</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-04</discovery>
|
|
<entry>2013-04-04</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="94976433-9c74-11e2-a9fc-d43d7e0c7c02">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>18.0,1</gt><lt>20.0,1</lt></range>
|
|
<range><lt>17.0.5,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>17.0.5,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.17</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>17.0.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><lt>2.17</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><gt>11.0</gt><lt>17.0.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2013-30 Miscellaneous memory safety hazards (rv:20.0 /
|
|
rv:17.0.5)</p>
|
|
<p>MFSA 2013-31 Out-of-bounds write in Cairo library</p>
|
|
<p>MFSA 2013-32 Privilege escalation through Mozilla Maintenance
|
|
Service</p>
|
|
<p>MFSA 2013-33 World read and write access to app_tmp directory on
|
|
Android</p>
|
|
<p>MFSA 2013-34 Privilege escalation through Mozilla Updater</p>
|
|
<p>MFSA 2013-35 WebGL crash with Mesa graphics driver on Linux</p>
|
|
<p>MFSA 2013-36 Bypass of SOW protections allows cloning of protected
|
|
nodes</p>
|
|
<p>MFSA 2013-37 Bypass of tab-modal dialog origin disclosure</p>
|
|
<p>MFSA 2013-38 Cross-site scripting (XSS) using timed history
|
|
navigations</p>
|
|
<p>MFSA 2013-39 Memory corruption while rendering grayscale PNG
|
|
images</p>
|
|
<p>MFSA 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0788</cvename>
|
|
<cvename>CVE-2013-0789</cvename>
|
|
<cvename>CVE-2013-0790</cvename>
|
|
<cvename>CVE-2013-0791</cvename>
|
|
<cvename>CVE-2013-0792</cvename>
|
|
<cvename>CVE-2013-0793</cvename>
|
|
<cvename>CVE-2013-0794</cvename>
|
|
<cvename>CVE-2013-0795</cvename>
|
|
<cvename>CVE-2013-0796</cvename>
|
|
<cvename>CVE-2013-0797</cvename>
|
|
<cvename>CVE-2013-0798</cvename>
|
|
<cvename>CVE-2013-0799</cvename>
|
|
<cvename>CVE-2013-0800</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-30.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-31.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-32.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-33.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-34.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-35.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-36.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-37.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-38.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-39.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-40.html</url>
|
|
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-02</discovery>
|
|
<entry>2013-04-03</entry>
|
|
<modified>2013-04-08</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="13031d98-9bd1-11e2-a7be-8c705af55518">
|
|
<topic>FreeBSD -- BIND remote denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>9.0</ge><lt>9.0_7</lt></range>
|
|
<range><ge>9.1</ge><lt>9.1_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13:04.bind.asc">
|
|
<p>A flaw in a library used by BIND allows an
|
|
attacker to deliberately cause excessive memory
|
|
consumption by the named(8) process. This
|
|
affects both recursive and authoritative
|
|
servers.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2266</cvename>
|
|
<freebsdsa>SA-13:04.bind</freebsdsa>
|
|
<url>https://kb.isc.org/article/AA-00871</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-02</discovery>
|
|
<entry>2013-04-02</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="69bfc852-9bd0-11e2-a7be-8c705af55518">
|
|
<topic>FreeBSD -- OpenSSL multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>8.3</ge><lt>8.3_7</lt></range>
|
|
<range><ge>9.0</ge><lt>9.0_7</lt></range>
|
|
<range><ge>9.1</ge><lt>9.1_2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13:03.openssl.asc">
|
|
<p>A flaw in the OpenSSL handling of OCSP response
|
|
verification could be exploited to cause a denial of
|
|
service attack.</p>
|
|
<p>OpenSSL has a weakness in the handling of CBC
|
|
ciphersuites in SSL, TLS and DTLS. The weakness could reveal
|
|
plaintext in a timing attack.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0166</cvename>
|
|
<cvename>CVE-2013-0169</cvename>
|
|
<freebsdsa>SA-13:03.openssl</freebsdsa>
|
|
<url>http://www.openssl.org/news/secadv_20130205.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-04-02</discovery>
|
|
<entry>2013-04-02</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="92f30415-9935-11e2-ad4c-080027ef73ec">
|
|
<topic>OpenVPN -- potential side-channel/timing attack when comparing HMACs</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openvpn</name>
|
|
<range><lt>2.0.9_4</lt></range>
|
|
<range><ge>2.1.0</ge><lt>2.2.2_2</lt></range>
|
|
<range><ge>2.3.0</ge><lt>2.3.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OpenVPN project reports:</p>
|
|
<blockquote cite="https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc">
|
|
<p>OpenVPN 2.3.0 and earlier running in UDP mode are subject
|
|
to chosen ciphertext injection due to a non-constant-time
|
|
HMAC comparison function.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc</url>
|
|
<cvename>CVE-2013-2061</cvename>
|
|
<url>http://www.openwall.com/lists/oss-security/2013/05/06/6</url>
|
|
<url>https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-19</discovery>
|
|
<entry>2013-03-31</entry>
|
|
<modified>2013-06-01</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="843a4641-9816-11e2-9c51-080027019be0">
|
|
<topic>libxml2 -- cpu consumption Dos</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libxml2</name>
|
|
<range><lt>2.8.0</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Kurt Seifried reports:</p>
|
|
<blockquote cite="http://seclists.org/oss-sec/2013/q1/391">
|
|
<p>libxml2 is affected by the expansion of internal entities
|
|
(which can be used to consume resources) and external entities
|
|
(which can cause a denial of service against other services,
|
|
be used to port scan, etc.)..</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0338</cvename>
|
|
<cvename>CVE-2013-0339</cvename>
|
|
<url>http://seclists.org/oss-sec/2013/q1/391</url>
|
|
<url>https://security-tracker.debian.org/tracker/CVE-2013-0338</url>
|
|
<url>https://security-tracker.debian.org/tracker/CVE-2013-0339</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-21</discovery>
|
|
<entry>2013-03-29</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="daf0a339-9850-11e2-879e-d43d7e0c7c02">
|
|
<topic>asterisk -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>asterisk11</name>
|
|
<range><gt>11.*</gt><lt>11.2.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>asterisk10</name>
|
|
<range><gt>10.*</gt><lt>10.12.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>asterisk18</name>
|
|
<range><gt>1.8.*</gt><lt>1.8.20.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Asterisk project reports:</p>
|
|
<blockquote cite="https://www.asterisk.org/security">
|
|
<p>Buffer Overflow Exploit Through SIP SDP Header</p>
|
|
<p>Username disclosure in SIP channel driver</p>
|
|
<p>Denial of Service in HTTP server</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2685</cvename>
|
|
<cvename>CVE-2013-2686</cvename>
|
|
<cvename>CVE-2013-2264</cvename>
|
|
<url>http://downloads.asterisk.org/pub/security/AST-2013-001.html</url>
|
|
<url>http://downloads.asterisk.org/pub/security/AST-2013-002.html</url>
|
|
<url>http://downloads.asterisk.org/pub/security/AST-2013-003.html</url>
|
|
<url>https://www.asterisk.org/security</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-27</discovery>
|
|
<entry>2013-03-29</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7a282e49-95b6-11e2-8433-0800273fe665">
|
|
<topic>dns/bind9* -- Malicious Regex Can Cause Memory Exhaustion</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bind99</name>
|
|
<range><lt>9.9.2.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind99-base</name>
|
|
<range><lt>9.9.2.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind98</name>
|
|
<range><lt>9.8.4.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>bind98-base</name>
|
|
<range><lt>9.8.4.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>ISC reports:</p>
|
|
<blockquote cite="https://kb.isc.org/article/AA-00871">
|
|
<p>A critical defect in BIND 9 allows an attacker to cause
|
|
excessive memory consumption in named or other programs
|
|
linked to libdns.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2266</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-11</discovery>
|
|
<entry>2013-03-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="6adca5e9-95d2-11e2-8549-68b599b52a02">
|
|
<topic>firebird -- Remote Stack Buffer Overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firebird25-server</name>
|
|
<range><ge>2.5.0</ge><le>2.5.2</le></range>
|
|
</package>
|
|
<package>
|
|
<name>firebird21-server</name>
|
|
<range><ge>2.1.0</ge><le>2.1.5</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Firebird Project reports:</p>
|
|
<blockquote cite="http://tracker.firebirdsql.org/browse/CORE-4058">
|
|
<p>The FirebirdSQL server is vulnerable to a stack buffer overflow
|
|
that can be triggered when an unauthenticated user sends a
|
|
specially crafted packet. The result can lead to remote code
|
|
execution as the user which runs the FirebirdSQL server.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-2492</cvename>
|
|
<url>https://gist.github.com/zeroSteiner/85daef257831d904479c</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-31</discovery>
|
|
<entry>2013-03-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a8818f7f-9182-11e2-9bdf-d48564727302">
|
|
<topic>optipng -- use-after-free vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>optipng</name>
|
|
<range><ge>0.7</ge><lt>0.7.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Secunia reports:</p>
|
|
<blockquote cite="https://secunia.com/advisories/50654">
|
|
<p>A vulnerability has been reported in OptiPNG, which can be
|
|
exploited by malicious people to potentially compromise a user's
|
|
system.</p>
|
|
<p>The vulnerability is caused due to a use-after-free error related
|
|
to the palette reduction functionality. No further information is
|
|
currently available.</p>
|
|
<p>Success exploitation may allow execution of arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-4432</cvename>
|
|
<url>https://secunia.com/advisories/50654</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-09-16</discovery>
|
|
<entry>2013-03-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1d23109a-9005-11e2-9602-d43d7e0c7c02">
|
|
<topic>php5 -- Multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>php5</name>
|
|
<range><lt>5.4.13</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>php53</name>
|
|
<range><lt>5.3.23</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The PHP development team reports:</p>
|
|
<blockquote cite="http://www.php.net/ChangeLog-5.php">
|
|
<p>PHP does not validate the relationship between the soap.wsdl_cache_dir
|
|
directive and the open_basedir directive, which allows remote attackers to
|
|
bypass intended access restrictions by triggering the creation of cached
|
|
SOAP WSDL files in an arbitrary directory.</p>
|
|
<p>The SOAP parser in PHP allows remote attackers to read arbitrary files
|
|
via a SOAP WSDL file containing an XML external entity declaration in
|
|
conjunction with an entity reference, related to an XML External Entity
|
|
(XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1635</cvename>
|
|
<cvename>CVE-2013-1643</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-04</discovery>
|
|
<entry>2013-03-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="edd201a5-8fc3-11e2-b131-000c299b62e1">
|
|
<topic>piwigo -- CSRF/Path Traversal</topic>
|
|
<affects>
|
|
<package>
|
|
<name>piwigo</name>
|
|
<range><lt>2.4.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>High-Tech Bridge Security Research Lab reports:</p>
|
|
<blockquote cite="http://piwigo.org/releases/2.4.7">
|
|
<p>The CSRF vulnerability exists due to insufficient verification of the
|
|
HTTP request origin in "/admin.php" script. A remote attacker can trick
|
|
a logged-in administrator to visit a specially crafted webpage and
|
|
create arbitrary PHP file on the remote server.</p>
|
|
<p>The path traversal vulnerability exists due to insufficient filtration
|
|
of user-supplied input in "dl" HTTP GET parameter passed to
|
|
"/install.php" script. The script is present on the system after
|
|
installation by default, and can be accessed by attacker without any
|
|
restrictions.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1468</cvename>
|
|
<cvename>CVE-2013-1469</cvename>
|
|
<url>http://piwigo.org/bugs/view.php?id=0002843</url>
|
|
<url>http://piwigo.org/bugs/view.php?id=0002844</url>
|
|
<url>http://dl.packetstormsecurity.net/1302-exploits/piwigo246-traversalxsrf.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-06</discovery>
|
|
<entry>2013-03-18</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d881d254-70c6-11e2-862d-080027a5ec9a">
|
|
<topic>libexif -- multiple remote vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libexif</name>
|
|
<range><lt>0.6.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>libexif project security advisory:</p>
|
|
<blockquote cite="http://sourceforge.net/mailarchive/message.php?msg_id=29534027">
|
|
<p>A number of remotely exploitable issues were discovered in libexif
|
|
and exif, with effects ranging from information leakage to potential
|
|
remote code execution.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-2812</cvename>
|
|
<cvename>CVE-2012-2813</cvename>
|
|
<cvename>CVE-2012-2814</cvename>
|
|
<cvename>CVE-2012-2836</cvename>
|
|
<cvename>CVE-2012-2837</cvename>
|
|
<cvename>CVE-2012-2840</cvename>
|
|
<cvename>CVE-2012-2841</cvename>
|
|
<cvename>CVE-2012-2845</cvename>
|
|
<bid>54437</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-07-12</discovery>
|
|
<entry>2013-03-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="5ff40cb4-8b92-11e2-bdb6-001060e06fd4">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>11.2r202.275</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="http://www.adobe.com/support/security/bulletins/apsb13-09.html">
|
|
<p>These updates address vulnerabilities that could cause a crash
|
|
and potentially allow an attacker to take control of the affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0646</cvename>
|
|
<cvename>CVE-2013-0650</cvename>
|
|
<cvename>CVE-2013-1371</cvename>
|
|
<cvename>CVE-2013-1375</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-12</discovery>
|
|
<entry>2013-03-12</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="cda566a0-2df0-4eb0-b70e-ed7a6fb0ab3c">
|
|
<topic>puppet27 and puppet -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>puppet</name>
|
|
<range><ge>3.0</ge><lt>3.1.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>puppet27</name>
|
|
<range><ge>2.7</ge><lt>2.7.21</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Moses Mendoza reports:</p>
|
|
<blockquote cite="https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/">
|
|
<p>A vulnerability found in Puppet could allow an authenticated client
|
|
to cause the master to execute arbitrary code while responding to a
|
|
catalog request. Specifically, in order to exploit the
|
|
vulnerability, the puppet master must be made to invoke the
|
|
'template' or 'inline_template' functions during catalog compilation.
|
|
</p>
|
|
<p>A vulnerability found in Puppet could allow an authenticated client
|
|
to connect to a puppet master and perform unauthorized actions.
|
|
Specifically, given a valid certificate and private key, an agent
|
|
could retrieve catalogs from the master that it is not authorized
|
|
to access or it could poison the puppet master's caches for any
|
|
puppet-generated data that supports caching such as catalogs,
|
|
nodes, facts, and resources. The extent and severity of this
|
|
vulnerability varies depending on the specific configuration of the
|
|
master: for example, whether it is using storeconfigs or not, which
|
|
version, whether it has access to the cache or not, etc.
|
|
</p>
|
|
<p>A vulnerability has been found in Puppet which could allow
|
|
authenticated clients to execute arbitrary code on agents that have
|
|
been configured to accept kick connections. This vulnerability is
|
|
not present in the default configuration of puppet agents, but if
|
|
they have been configured to listen for incoming connections
|
|
('listen=true'), and the agent's auth.conf has been configured to
|
|
allow access to the `run` REST endpoint, then a client could
|
|
construct an HTTP request which could execute arbitrary code. The
|
|
severity of this issue is exacerbated by the fact that puppet
|
|
agents typically run as root.
|
|
</p>
|
|
<p>A vulnerability has been found in Puppet that could allow a client
|
|
negotiating a connection to a master to downgrade the master's
|
|
SSL protocol to SSLv2. This protocol has been found to contain
|
|
design weaknesses. This issue only affects systems running older
|
|
versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
|
|
SSLv2.
|
|
</p>
|
|
<p>A vulnerability found in Puppet could allow unauthenticated clients
|
|
to send requests to the puppet master which would cause it to load
|
|
code unsafely. While there are no reported exploits, this
|
|
vulnerability could cause issues like those described in Rails
|
|
CVE-2013-0156. This vulnerability only affects puppet masters
|
|
running Ruby 1.9.3 and higher.
|
|
</p>
|
|
<p>This vulnerability affects puppet masters 0.25.0 and above. By
|
|
default, auth.conf allows any authenticated node to submit a report
|
|
for any other node. This can cause issues with compliance. The
|
|
defaults in auth.conf have been changed.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1640</cvename>
|
|
<cvename>CVE-2013-1652</cvename>
|
|
<cvename>CVE-2013-1653</cvename>
|
|
<cvename>CVE-2013-1654</cvename>
|
|
<cvename>CVE-2013-1655</cvename>
|
|
<cvename>CVE-2013-2275</cvename>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-1640/</url>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-1652/</url>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-1653/</url>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-1654/</url>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-1655/</url>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-2275/</url>
|
|
<url>https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/f_gybceSV6E</url>
|
|
<url>https://groups.google.com/forum/?fromgroups=#!topic/puppet-announce/kgDyaPhHniw</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-13</discovery>
|
|
<entry>2013-03-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="04042f95-14b8-4382-a8b9-b30e365776cf">
|
|
<topic>puppet26 -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>puppet26</name>
|
|
<range><ge>2.6</ge><lt>2.6.18</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Moses Mendoza reports:</p>
|
|
<blockquote cite="https://puppetlabs.com/blog/security-updates-new-releases-of-puppet-and-puppet-enterprise/">
|
|
<p>A vulnerability found in Puppet could allow an authenticated client
|
|
to cause the master to execute arbitrary code while responding to a
|
|
catalog request. Specifically, in order to exploit the
|
|
vulnerability, the puppet master must be made to invoke the
|
|
'template' or 'inline_template' functions during catalog compilation.
|
|
</p>
|
|
<p>A vulnerability found in Puppet could allow an authenticated client
|
|
to connect to a puppet master and perform unauthorized actions.
|
|
Specifically, given a valid certificate and private key, an agent
|
|
could retrieve catalogs from the master that it is not authorized
|
|
to access or it could poison the puppet master's caches for any
|
|
puppet-generated data that supports caching such as catalogs,
|
|
nodes, facts, and resources. The extent and severity of this
|
|
vulnerability varies depending on the specific configuration of the
|
|
master: for example, whether it is using storeconfigs or not, which
|
|
version, whether it has access to the cache or not, etc.
|
|
</p>
|
|
<p>A vulnerability has been found in Puppet that could allow a client
|
|
negotiating a connection to a master to downgrade the master's
|
|
SSL protocol to SSLv2. This protocol has been found to contain
|
|
design weaknesses. This issue only affects systems running older
|
|
versions (pre 1.0.0) of openSSL. Newer versions explicitly disable
|
|
SSLv2.
|
|
</p>
|
|
<p>A vulnerability found in Puppet could allow an authenticated client
|
|
to execute arbitrary code on a puppet master that is running in the
|
|
default configuration, or an agent with `puppet kick` enabled.
|
|
Specifically, a properly authenticated and connected puppet agent
|
|
could be made to construct an HTTP PUT request for an authorized
|
|
report that actually causes the execution of arbitrary code on the
|
|
master.
|
|
</p>
|
|
<p>This vulnerability affects puppet masters 0.25.0 and above. By
|
|
default, auth.conf allows any authenticated node to submit a report
|
|
for any other node. This can cause issues with compliance. The
|
|
defaults in auth.conf have been changed.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1640</cvename>
|
|
<cvename>CVE-2013-1652</cvename>
|
|
<cvename>CVE-2013-1654</cvename>
|
|
<cvename>CVE-2013-2274</cvename>
|
|
<cvename>CVE-2013-2275</cvename>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-1640/</url>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-1652/</url>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-1654/</url>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-2274/</url>
|
|
<url>https://puppetlabs.com/security/cve/cve-2013-2275/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-13</discovery>
|
|
<entry>2013-03-13</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="68c1f75b-8824-11e2-9996-c48508086173">
|
|
<topic>perl -- denial of service via algorithmic complexity attack on hashing routines</topic>
|
|
<affects>
|
|
<package>
|
|
<name>perl</name>
|
|
<name>perl-threaded</name>
|
|
<range><lt>5.12.4_5</lt></range>
|
|
<range><ge>5.14.0</ge><lt>5.14.2_3</lt></range>
|
|
<range><ge>5.16.0</ge><lt>5.16.2_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Perl developers report:</p>
|
|
<blockquote cite="http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html">
|
|
<p>In order to prevent an algorithmic complexity attack
|
|
against its hashing mechanism, perl will sometimes
|
|
recalculate keys and redistribute the contents of a hash.
|
|
This mechanism has made perl robust against attacks that
|
|
have been demonstrated against other systems.</p>
|
|
<p>Research by Yves Orton has recently uncovered a flaw in
|
|
the rehashing code which can result in pathological
|
|
behavior. This flaw could be exploited to carry out a
|
|
denial of service attack against code that uses arbitrary
|
|
user input as hash keys.</p>
|
|
<p>Because using user-provided strings as hash keys is a
|
|
very common operation, we urge users of perl to update their
|
|
perl executable as soon as possible.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1667</cvename>
|
|
<url>http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-04</discovery>
|
|
<entry>2013-03-10</entry>
|
|
<modified>2016-08-22</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="549787c1-8916-11e2-8549-68b599b52a02">
|
|
<topic>libpurple -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>libpurple</name>
|
|
<range><lt>2.10.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Pidgin reports:</p>
|
|
<blockquote cite="https://developer.pidgin.im/wiki/ChangeLog">
|
|
<p>libpurple</p>
|
|
<p>Fix a crash when receiving UPnP responses with abnormally long values.</p>
|
|
<p>MXit</p>
|
|
<p>Fix two bugs where a remote MXit user could possibly specify a local file
|
|
path to be written to.</p>
|
|
<p>Fix a bug where the MXit server or a man-in-the-middle could potentially
|
|
send specially crafted data that could overflow a buffer and lead to a crash
|
|
or remote code execution.</p>
|
|
<p>Sametime</p>
|
|
<p>Fix a crash in Sametime when a malicious server sends us an abnormally long
|
|
user ID.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0274</cvename>
|
|
<cvename>CVE-2013-0271</cvename>
|
|
<cvename>CVE-2013-0272</cvename>
|
|
<cvename>CVE-2013-0273</cvename>
|
|
<url>https://developer.pidgin.im/wiki/ChangeLog</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-13</discovery>
|
|
<entry>2013-03-10</entry>
|
|
<modified>2013-03-16</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="630c8c08-880f-11e2-807f-d43d7e0c7c02">
|
|
<topic>mozilla -- use-after-free in HTML Editor</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>18.0,1</gt><lt>19.0.2,1</lt></range>
|
|
<range><lt>17.0.3,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>17.0.4,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.16.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>17.0.4</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><lt>2.16.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><gt>11.0</gt><lt>17.0.4</lt></range>
|
|
<range><lt>10.0.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2013-29 Use-after-free in HTML Editor</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0787</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-29.html</url>
|
|
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-07</discovery>
|
|
<entry>2013-03-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b9a347ac-8671-11e2-b73c-0019d18c446a">
|
|
<topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
|
|
<affects>
|
|
<package>
|
|
<name>typo3</name>
|
|
<range><ge>4.5.0</ge><lt>4.5.23</lt></range>
|
|
<range><ge>4.6.0</ge><lt>4.6.16</lt></range>
|
|
<range><ge>4.7.0</ge><lt>4.7.8</lt></range>
|
|
<range><ge>6.0.0</ge><lt>6.0.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Typo Security Team reports:</p>
|
|
<blockquote cite="http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/">
|
|
<p>Extbase Framework - Failing to sanitize user input, the Extbase
|
|
database abstraction layer is susceptible to SQL Injection. TYPO3
|
|
sites which have no Extbase extensions installed are not affected.
|
|
Extbase extensions are affected if they use the Query Object Model
|
|
and relation values are user generated input. Credits go to Helmut
|
|
Hummel and Markus Opahle who discovered and reported the issue.</p>
|
|
<p>Access tracking mechanism - Failing to validate user provided
|
|
input, the access tracking mechanism allows redirects to arbitrary
|
|
URLs. To fix this vulnerability, we had to break existing
|
|
behaviour of TYPO3 sites that use the access tracking mechanism
|
|
(jumpurl feature) to transform links to external sites. The link
|
|
generation has been changed to include a hash that is checked
|
|
before redirecting to an external URL. This means that old links
|
|
that have been distributed (e.g. by a newsletter) will not work
|
|
any more.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2013-001/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-06</discovery>
|
|
<entry>2013-03-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c97219b6-843d-11e2-b131-000c299b62e1">
|
|
<topic>stunnel -- Remote Code Execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>stunnel</name>
|
|
<range><ge>4.21</ge><lt>4.55</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Michal Trojnara reports:</p>
|
|
<blockquote cite="https://www.stunnel.org/CVE-2013-1762.html">
|
|
<p>64-bit versions of stunnel with the following conditions:
|
|
* NTLM authentication enabled
|
|
* CONNECT protocol negotiation enabled
|
|
* Configured in SSL client mode
|
|
* An attacker that can either control the proxy server specified in
|
|
the "connect" option or execute MITM attacks on the TCP session
|
|
between stunnel and the proxy</p>
|
|
<p>Can be exploited for remote code execution. The code is executed
|
|
within the configured chroot directory, with privileges of the
|
|
configured user and group.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1762</cvename>
|
|
<url>https://www.stunnel.org/CVE-2013-1762.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-03-03</discovery>
|
|
<entry>2013-03-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="9c88d8a8-8372-11e2-a010-20cf30e32f6d">
|
|
<topic>apache22 -- several vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>apache22</name>
|
|
<range><gt>2.2.0</gt><lt>2.2.24</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache22-event-mpm</name>
|
|
<range><gt>2.2.0</gt><lt>2.2.24</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache22-itk-mpm</name>
|
|
<range><gt>2.2.0</gt><lt>2.2.24</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache22-peruser-mpm</name>
|
|
<range><gt>2.2.0</gt><lt>2.2.24</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>apache22-worker-mpm</name>
|
|
<range><gt>2.2.0</gt><lt>2.2.24</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>Apache HTTP SERVER PROJECT reports:</h1>
|
|
<blockquote cite="http://httpd.apache.org/security/vulnerabilities_22.html">
|
|
<h1>low: XSS due to unescaped hostnames CVE-2012-3499</h1>
|
|
<p>Various XSS flaws due to unescaped hostnames and URIs HTML output in
|
|
mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.</p>
|
|
<h1>moderate: XSS in mod_proxy_balancer CVE-2012-4558</h1>
|
|
<p>A XSS flaw affected the mod_proxy_balancer manager interface.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-3499</cvename>
|
|
<cvename>CVE-2012-4558</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-10-07</discovery>
|
|
<entry>2013-03-02</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="764344fb-8214-11e2-9273-902b343deec9">
|
|
<topic>sudo -- Authentication bypass when clock is reset</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sudo</name>
|
|
<range><lt>1.8.6.p7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Todd Miller reports:</p>
|
|
<blockquote cite="http://www.sudo.ws/sudo/alerts/epoch_ticket.html">
|
|
<p>The flaw may allow someone with physical access to a machine that
|
|
is not password-protected to run sudo commands without knowing the
|
|
logged in user's password. On systems where sudo is the principal
|
|
way of running commands as root, such as on Ubuntu and Mac OS X,
|
|
there is a greater chance that the logged in user has run sudo
|
|
before and thus that an attack would succeed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1775</cvename>
|
|
<url>http://www.sudo.ws/sudo/alerts/epoch_ticket.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-27</discovery>
|
|
<entry>2013-03-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="82cfd919-8213-11e2-9273-902b343deec9">
|
|
<topic>sudo -- Potential bypass of tty_tickets constraints</topic>
|
|
<affects>
|
|
<package>
|
|
<name>sudo</name>
|
|
<range><lt>1.8.6.p7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Todd Miller reports:</p>
|
|
<blockquote cite="http://www.sudo.ws/sudo/alerts/tty_tickets.html">
|
|
<p>A (potentially malicious) program run by a user with sudo access
|
|
may be able to bypass the "tty_ticket" constraints. In order for
|
|
this to succeed there must exist on the machine a terminal device
|
|
that the user has previously authenticated themselves on via sudo
|
|
within the last time stamp timeout (5 minutes by default).</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1776</cvename>
|
|
<url>http://www.sudo.ws/sudo/alerts/tty_tickets.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-27</discovery>
|
|
<entry>2013-03-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="aa7764af-0b5e-4ddc-bc65-38ad697a484f">
|
|
<topic>rubygem-dragonfly -- arbitrary code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rubygem18-dragonfly</name>
|
|
<name>rubygem19-dragonfly</name>
|
|
<name>rubygem20-dragonfly</name>
|
|
<range><lt>0.9.14</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Mark Evans reports:</p>
|
|
<blockquote cite="https://groups.google.com/forum/?fromgroups=#!topic/dragonfly-users/3c3WIU3VQTo">
|
|
<p>Unfortnately there is a security vulnerability in Dragonfly when
|
|
used with Rails which would potentially allow an attacker to run
|
|
arbitrary code on a host machine using carefully crafted
|
|
requests.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1756</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-19</discovery>
|
|
<entry>2013-02-28</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="dbdac023-80e1-11e2-9a29-001060e06fd4">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>11.2r202.273</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb13-08.html">
|
|
<p>These updates address vulnerabilities that could cause a crash
|
|
and potentially allow an attacker to take control of the affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0504</cvename>
|
|
<cvename>CVE-2013-0643</cvename>
|
|
<cvename>CVE-2013-0648</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-26</discovery>
|
|
<entry>2013-02-27</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="84065569-7fb4-11e2-9c5a-000d601460a4">
|
|
<topic>otrs -- XSS vulnerability could lead to remote code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>otrs</name>
|
|
<range><ge>3.1.*</ge><lt>3.1.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OTRS Project reports:</p>
|
|
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03">
|
|
<p>This advisory covers vulnerabilities discovered in the OTRS core
|
|
system. This is a variance of the XSS vulnerability, where an attacker
|
|
could send a specially prepared HTML email to OTRS which would cause
|
|
JavaScript code to be executed in your browser while displaying the
|
|
email. In this case this is achieved by using javascript source
|
|
attributes with whitespaces.</p>
|
|
<p>Affected by this vulnerability are all releases of OTRS 2.4.x up to
|
|
and including 2.4.14, 3.0.x up to and including 3.0.16 and 3.1.x up to
|
|
and including 3.1.10.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-4751</cvename>
|
|
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-10-16</discovery>
|
|
<entry>2013-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d60199df-7fb3-11e2-9c5a-000d601460a4">
|
|
<topic>otrs -- XSS vulnerability in Firefox and Opera could lead to remote code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>otrs</name>
|
|
<range><ge>3.1.*</ge><lt>3.1.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OTRS Project reports:</p>
|
|
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/">
|
|
<p>This advisory covers vulnerabilities discovered in the OTRS core
|
|
system. This is a variance of the XSS vulnerability, where an attacker
|
|
could send a specially prepared HTML email to OTRS which would cause
|
|
JavaScript code to be executed in your browser while displaying the
|
|
email in Firefox and Opera. In this case this is achieved with an
|
|
invalid HTML structure with nested tags.</p>
|
|
<p>Affected by this
|
|
vulnerability are all releases of OTRS 2.4.x up to and including
|
|
2.4.13, 3.0.x up to and including 3.0.15 and 3.1.x up to and including
|
|
3.1.9 in combination with Firefox and Opera.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-4600</cvename>
|
|
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-08-30</discovery>
|
|
<entry>2013-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b50cbbc0-7fb2-11e2-9c5a-000d601460a4">
|
|
<topic>otrs -- XSS vulnerability in Internet Explorer could lead to remote code execution</topic>
|
|
<affects>
|
|
<package>
|
|
<name>otrs</name>
|
|
<range><ge>3.1.*</ge><lt>3.1.9</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The OTRS Project reports:</p>
|
|
<blockquote cite="http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01">
|
|
<p>This advisory covers vulnerabilities discovered in the OTRS core
|
|
system. Due to the XSS vulnerability in Internet Explorer an attacker
|
|
could send a specially prepared HTML email to OTRS which would cause
|
|
JavaScript code to be executed in your Internet Explorer while
|
|
displaying the email.</p>
|
|
<p>Affected by this vulnerability are all releases of OTRS 2.4.x up to
|
|
and including 2.4.12, 3.0.x up to and including 3.0.14 and 3.1.x up to
|
|
and including 3.1.8 in combination with Internet Explorer.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-2582</cvename>
|
|
<url>http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-08-22</discovery>
|
|
<entry>2013-02-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="844cf3f5-9259-4b3e-ac9e-13ca17333ed7">
|
|
<topic>ruby -- DoS vulnerability in REXML</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<range><ge>1.9,1</ge><lt>1.9.3.392,1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby developers report:</p>
|
|
<blockquote cite="http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/">
|
|
<p>Unrestricted entity expansion can lead to a DoS vulnerability in
|
|
REXML. (The CVE identifier will be assigned later.) We strongly
|
|
recommend to upgrade ruby.
|
|
</p>
|
|
<p>When reading text nodes from an XML document, the REXML parser can
|
|
be coerced in to allocating extremely large string objects which
|
|
can consume all of the memory on a machine, causing a denial of
|
|
service.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-22</discovery>
|
|
<entry>2013-02-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e1aa3bdd-839a-4a77-8617-cca439a8f9fc">
|
|
<topic>rubygem-ruby_parser -- insecure tmp file usage</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rubygem18-ruby_parser</name>
|
|
<name>rubygem19-ruby_parser</name>
|
|
<name>rubygem20-ruby_parser</name>
|
|
<range><lt>3.1.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Michael Scherer reports:</p>
|
|
<blockquote cite="http://seclists.org/oss-sec/2013/q1/393">
|
|
<p>This is a relatively minor tmp file usage issue.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0162</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-24</discovery>
|
|
<entry>2013-02-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="21c59f5e-7cc5-11e2-9c11-080027a5ec9a">
|
|
<topic>django -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>py26-django</name>
|
|
<name>py27-django</name>
|
|
<range><ge>1.3</ge><lt>1.3.6</lt></range>
|
|
<range><ge>1.4</ge><lt>1.4.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Django Project reports:</p>
|
|
<blockquote cite="https://www.djangoproject.com/weblog/2013/feb/19/security/">
|
|
<p>These security releases fix four issues: one potential phishing
|
|
vector, one denial-of-service vector, an information leakage issue,
|
|
and a range of XML vulnerabilities.</p>
|
|
<ol>
|
|
<li>
|
|
<p>Host header poisoning</p>
|
|
<p>an attacker could cause Django to generate and display URLs that
|
|
link to arbitrary domains. This could be used as part of a phishing
|
|
attack. These releases fix this problem by introducing a new
|
|
setting, ALLOWED_HOSTS, which specifies a whitelist of domains your
|
|
site is known to respond to.</p>
|
|
<p>Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to
|
|
allow all hosts. This means that to actually fix the security
|
|
vulnerability you should define this setting yourself immediately
|
|
after upgrading.</p>
|
|
</li>
|
|
<li>
|
|
<p>Formset denial-of-service</p>
|
|
<p>an attacker can abuse Django's tracking of the number of forms in
|
|
a formset to cause a denial-of-service attack. This has been fixed
|
|
by adding a default maximum number of forms of 1,000. You can still
|
|
manually specify a bigger max_num, if you wish, but 1,000 should be
|
|
enough for anyone.</p>
|
|
</li>
|
|
<li>
|
|
<p>XML attacks</p>
|
|
<p>Django's serialization framework was vulnerable to attacks via XML
|
|
entity expansion and external references; this is now fixed.
|
|
However, if you're parsing arbitrary XML in other parts of your
|
|
application, we recommend you look into the defusedxml Python
|
|
packages which remedy this anywhere you parse XML, not just via
|
|
Django's serialization framework.</p>
|
|
</li>
|
|
<li>
|
|
<p>Data leakage via admin history log</p>
|
|
<p>Django's admin interface could expose supposedly-hidden
|
|
information via its history log. This has been fixed.</p>
|
|
</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1664</cvename>
|
|
<cvename>CVE-2013-1665</cvename>
|
|
<cvename>CVE-2013-0305</cvename>
|
|
<cvename>CVE-2013-0306</cvename>
|
|
<bid>58022</bid>
|
|
<bid>58061</bid>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-21</discovery>
|
|
<entry>2013-02-24</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f54584bc-7d2b-11e2-9bd1-206a8a720317">
|
|
<topic>krb5 -- null pointer dereference in the KDC PKINIT code [CVE-2013-1415]</topic>
|
|
<affects>
|
|
<package>
|
|
<name>krb5</name>
|
|
<range><le>1.11</le></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>No advisory has been released yet.</p>
|
|
<blockquote cite="http://web.mit.edu/kerberos/www/krb5-1.11/">
|
|
<p>Fix a null pointer dereference in the KDC PKINIT code [CVE-2013-1415].</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-1415</cvename>
|
|
<url>http://web.mit.edu/kerberos/www/krb5-1.11/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-21</discovery>
|
|
<entry>2013-02-22</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3c90e093-7c6e-11e2-809b-6c626d99876c">
|
|
<topic>FreeBSD -- glob(3) related resource exhaustion</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>7.4</ge><lt>7.4_12</lt></range>
|
|
<range><ge>8.3</ge><lt>8.3_6</lt></range>
|
|
<range><ge>9.0</ge><lt>9.0_6</lt></range>
|
|
<range><ge>9.1</ge><lt>9.1_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description:</p>
|
|
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13:02.libc.asc">
|
|
<p>GLOB_LIMIT is supposed to limit the number of paths to prevent against
|
|
memory or CPU attacks. The implementation however is insufficient.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-13:02.libc</freebsdsa>
|
|
<cvename>CVE-2010-2632</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-19</discovery>
|
|
<entry>2013-02-21</entry>
|
|
<modified>2016-08-09</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4671cdc9-7c6d-11e2-809b-6c626d99876c">
|
|
<topic>FreeBSD -- BIND remote DoS with deliberately crafted DNS64 query</topic>
|
|
<affects>
|
|
<package>
|
|
<name>FreeBSD</name>
|
|
<range><ge>9.0</ge><lt>9.0_6</lt></range>
|
|
<range><ge>9.1</ge><lt>9.1_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Problem description:</p>
|
|
<blockquote cite="http://www.freebsd.org/security/advisories/FreeBSD-SA-13:01.bind.asc">
|
|
<p>Due to a software defect a crafted query can cause named(8) to crash
|
|
with an assertion failure.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<freebsdsa>SA-13:01.bind</freebsdsa>
|
|
<cvename>CVE-2012-5688</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-19</discovery>
|
|
<entry>2013-02-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a4d71e4c-7bf4-11e2-84cd-d43d7e0c7c02">
|
|
<topic>drupal7 -- Denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal7</name>
|
|
<range><lt>7.19</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Drupal Security Team reports:</p>
|
|
<blockquote cite="https://drupal.org/SA-CORE-2013-002">
|
|
<p>Drupal core's Image module allows for the on-demand generation
|
|
of image derivatives. This capability can be abused by requesting
|
|
a large number of new derivatives which can fill up the server disk
|
|
space, and which can cause a very high CPU load. Either of these
|
|
effects may lead to the site becoming unavailable or unresponsive.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0316</cvename>
|
|
<url>https://drupal.org/SA-CORE-2013-002</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-20</discovery>
|
|
<entry>2013-02-21</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="58c15292-7b61-11e2-95da-001e8c1a8a0e">
|
|
<topic>nss-pam-ldapd -- file descriptor buffer overflow</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nss-pam-ldapd</name>
|
|
<range><lt>0.8.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Garth Mollett reports:</p>
|
|
<blockquote cite="http://arthurdejong.org/nss-pam-ldapd/CVE-2013-0288">
|
|
<p>A file descriptor overflow issue in the use of FD_SET()
|
|
in nss-pam-ldapd can lead to a stack-based buffer overflow.
|
|
An attacker could, under some circumstances, use this flaw
|
|
to cause a process that has the NSS or PAM module loaded to
|
|
crash or potentially execute arbitrary code.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0288</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-18</discovery>
|
|
<entry>2013-02-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1c8a039b-7b23-11e2-b17b-20cf30e32f6d">
|
|
<topic>bugzilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>bugzilla</name>
|
|
<name>de-bugzilla</name>
|
|
<name>ru-bugzilla</name>
|
|
<name>ja-bugzilla</name>
|
|
<range><ge>3.6.0</ge><lt>3.6.13</lt></range>
|
|
<range><ge>4.0.0</ge><lt>4.0.10</lt></range>
|
|
<range><ge>4.2.0</ge><lt>4.2.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<h1>A Bugzilla Security Advisory reports:</h1>
|
|
<blockquote cite="http://www.bugzilla.org/security/3.6.12/">
|
|
<h1>Cross-Site Scripting</h1>
|
|
<p>When viewing a single bug report, which is the default,
|
|
the bug ID is validated and rejected if it is invalid.
|
|
But when viewing several bug reports at once, which is
|
|
specified by the format=multiple parameter, invalid bug
|
|
IDs can go through and are sanitized in the HTML page
|
|
itself. But when an invalid page format is passed to the
|
|
CGI script, the wrong HTML page is called and data are not
|
|
correctly sanitized, which can lead to XSS.</p>
|
|
<h1>Information Leak</h1>
|
|
<p>When running a query in debug mode, the generated SQL
|
|
query used to collect the data is displayed. The way this
|
|
SQL query is built permits the user to determine if some
|
|
confidential field value (such as a product name) exists.
|
|
This problem only affects Bugzilla 4.0.9 and older. Newer
|
|
releases are not affected by this issue.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0785</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=842038</url>
|
|
<cvename>CVE-2013-0786</cvename>
|
|
<url>https://bugzilla.mozilla.org/show_bug.cgi?id=824399</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-19</discovery>
|
|
<entry>2013-02-20</entry>
|
|
<modified>2013-03-31</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="e3f0374a-7ad6-11e2-84cd-d43d7e0c7c02">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>18.0,1</gt><lt>19.0,1</lt></range>
|
|
<range><lt>17.0.3,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>17.0.3,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>17.0.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><lt>2.16</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><gt>11.0</gt><lt>17.0.3</lt></range>
|
|
<range><lt>10.0.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxul</name>
|
|
<range><gt>1.9.2.*</gt><lt>10.0.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 /
|
|
rv:17.0.3)</p>
|
|
<p>MFSA 2013-22 Out-of-bounds read in image rendering</p>
|
|
<p>MFSA 2013-23 Wrapped WebIDL objects can be wrapped again</p>
|
|
<p>MFSA 2013-24 Web content bypass of COW and SOW security wrappers</p>
|
|
<p>MFSA 2013-25 Privacy leak in JavaScript Workers</p>
|
|
<p>MFSA 2013-26 Use-after-free in nsImageLoadingContent</p>
|
|
<p>MFSA 2013-27 Phishing on HTTPS connection through malicious proxy</p>
|
|
<p>MFSA 2013-28 Use-after-free, out of bounds read, and buffer
|
|
overflow issues found using Address Sanitizer</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0765</cvename>
|
|
<cvename>CVE-2013-0772</cvename>
|
|
<cvename>CVE-2013-0773</cvename>
|
|
<cvename>CVE-2013-0774</cvename>
|
|
<cvename>CVE-2013-0775</cvename>
|
|
<cvename>CVE-2013-0776</cvename>
|
|
<cvename>CVE-2013-0783</cvename>
|
|
<cvename>CVE-2013-0784</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-20.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-21.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-22.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-23.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-24.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-25.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-26.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-27.html</url>
|
|
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-19</discovery>
|
|
<entry>2013-02-19</entry>
|
|
<modified>2013-02-20</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="fcfdabb7-f14d-4e61-a7d5-cfefb4b99b15">
|
|
<topic>Ruby Rack Gem -- Multiple Issues</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rubygem18-rack</name>
|
|
<range><lt>1.4.5</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem19-rack</name>
|
|
<range><lt>1.4.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Rack developers report:</p>
|
|
<blockquote cite="http://www.ruby-forum.com/topic/4410659">
|
|
<p>Today we are proud to announce the release of Rack 1.4.5.</p>
|
|
<p>Fix CVE-2013-0263, timing attack against Rack::Session::Cookie</p>
|
|
<p>Fix CVE-2013-0262, symlink path traversal in Rack::File</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0262</cvename>
|
|
<cvename>CVE-2013-0263</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-08</discovery>
|
|
<entry>2013-02-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="beab40bf-c1ca-4d2b-ad46-2f14bac8a968">
|
|
<topic>Ruby Activemodel Gem -- Circumvention of attr_protected</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rubygem18-activemodel</name>
|
|
<range><lt>3.2.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem19-activemodel</name>
|
|
<range><lt>3.2.12</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Aaron Patterson reports:</p>
|
|
<blockquote cite="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/AFBKNY7VSH8">
|
|
<p>The attr_protected method allows developers to specify a blacklist
|
|
of model attributes which users should not be allowed to assign to.
|
|
By using a specially crafted request, attackers could circumvent
|
|
this protection and alter values that were meant to be protected.</p>
|
|
<p>All users running an affected release should either upgrade or use
|
|
one of the work arounds immediately. Users should also consider
|
|
switching from attr_protected to the whitelist method
|
|
attr_accessible which is not vulnerable to this attack.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0276</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-11</discovery>
|
|
<entry>2013-02-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="7fe5b84a-78eb-11e2-8441-00e0814cab4e">
|
|
<topic>jenkins -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jenkins</name>
|
|
<range><lt>1.501</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jenkins Security Advisory reports:</p>
|
|
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16">
|
|
<p>This advisory announces multiple security vulnerabilities that
|
|
were found in Jenkins core.</p>
|
|
<ol>
|
|
<li>One of the vulnerabilities allows cross-site request
|
|
forgery (CSRF) attacks on Jenkins master, which causes an user
|
|
to make unwanted actions on Jenkins. Another vulnerability
|
|
enables cross-site scripting (XSS) attacks, which has the similar
|
|
consequence. Another vulnerability allowed an attacker to bypass
|
|
the CSRF protection mechanism in place, thereby mounting more CSRF
|
|
attackes. These attacks allow an attacker without direct access to
|
|
Jenkins to mount an attack.</li>
|
|
<li>In the fourth vulnerability, a malicious user of Jenkins can trick
|
|
Jenkins into building jobs that he does not have direct access to.</li>
|
|
<li>And lastly, a vulnerability allows a malicious user of Jenkins to
|
|
mount a denial of service attack by feeding a carefully crafted
|
|
payload to Jenkins.</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-16</discovery>
|
|
<entry>2013-02-17</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f7809d9e-6af0-11e2-8e32-080027d768d3">
|
|
<topic>poweradmin -- multiple XSS vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>poweradmin</name>
|
|
<range><lt>2.1.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Multiple cross-site scripting (XSS) vulnerabilities</p>
|
|
<blockquote cite="https://www.poweradmin.org/trac/ticket/468">
|
|
<p>Multiple scripts are vulnerable to XSS attacks.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<bid>55619</bid>
|
|
<url>http://packetstormsecurity.com/files/116698/Poweradmin-Cross-Site-Scripting.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-01-12</discovery>
|
|
<entry>2013-02-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="c79eb109-a754-45d7-b552-a42099eb2265">
|
|
<topic>Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem18-json</name>
|
|
<range><lt>1.7.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem19-json</name>
|
|
<range><lt>1.7.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem18-json_pure</name>
|
|
<range><lt>1.7.7</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem19-json_pure</name>
|
|
<range><lt>1.7.7</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Aaron Patterson reports:</p>
|
|
<blockquote cite="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58">
|
|
<p>When parsing certain JSON documents, the JSON gem can be coerced in
|
|
to creating Ruby symbols in a target system. Since Ruby symbols
|
|
are not garbage collected, this can result in a denial of service
|
|
attack.</p>
|
|
<p>The same technique can be used to create objects in a target system
|
|
that act like internal objects. These "act alike" objects can be
|
|
used to bypass certain security mechanisms and can be used as a
|
|
spring board for SQL injection attacks in Ruby on Rails.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0269</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-11</discovery>
|
|
<entry>2013-02-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d3e96508-056b-4259-88ad-50dc8d1978a6">
|
|
<topic>Ruby -- XSS exploit of RDoc documentation generated by rdoc</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ruby</name>
|
|
<range><ge>1.9,1</ge><lt>1.9.3.385,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem18-rdoc</name>
|
|
<range><lt>3.12.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem19-rdoc</name>
|
|
<range><lt>3.12.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby developers report:</p>
|
|
<blockquote cite="http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/">
|
|
<p>RDoc documentation generated by rdoc bundled with ruby are
|
|
vulnerable to an XSS exploit. All ruby users are recommended to
|
|
update ruby to newer version which includes security-fixed RDoc. If
|
|
you are publishing RDoc documentation generated by rdoc, you are
|
|
recommended to apply a patch for the documentaion or re-generate it
|
|
with security-fixed RDoc.
|
|
</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0256</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-06</discovery>
|
|
<entry>2013-02-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="414e6a41-7204-11e2-8599-001060e06fd4">
|
|
<topic>linux-flashplugin -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>linux-f10-flashplugin</name>
|
|
<range><lt>11.2r202.262</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Adobe reports:</p>
|
|
<blockquote cite="https://www.adobe.com/support/security/bulletins/apsb13-04.html">
|
|
<p>These updates address vulnerabilities that could cause a crash
|
|
and potentially allow an attacker to take control of the affected system.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0633</cvename>
|
|
<cvename>CVE-2013-0634</cvename>
|
|
<url>https://www.adobe.com/support/security/bulletins/apsb13-04.html</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-07</discovery>
|
|
<entry>2013-02-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="00b0d8cd-7097-11e2-98d9-003067c2616f">
|
|
<topic>OpenSSL -- TLS 1.1, 1.2 denial of service</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openssl</name>
|
|
<range><lt>1.0.1_6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>OpenSSL security team reports:</p>
|
|
<blockquote cite="http://www.openssl.org/news/secadv_20130205.txt">
|
|
<p>A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1
|
|
and TLS 1.2 on AES-NI supporting platforms can be exploited in a
|
|
DoS attack.</p>
|
|
<p>A flaw in the OpenSSL handling of OCSP response verification can
|
|
be exploited in a denial of service attack.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-2686</cvename>
|
|
<cvename>CVE-2013-0166</cvename>
|
|
<cvename>CVE-2013-0169</cvename>
|
|
<url>http://www.openssl.org/news/secadv_20120510.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-02-05</discovery>
|
|
<entry>2013-02-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="8c773d7f-6cbb-11e2-b242-c8600054b392">
|
|
<topic>mysql/mariadb/percona server -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>mysql-server</name>
|
|
<range><ge>5.1</ge><lt>5.1.67</lt></range>
|
|
<range><ge>5.5</ge><lt>5.5.29</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>mariadb-server</name>
|
|
<range><ge>5.3</ge><lt>5.3.12</lt></range>
|
|
<range><ge>5.5</ge><lt>5.5.29</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>percona-server</name>
|
|
<range><ge>5.5</ge><lt>5.5.29.29.4</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>ORACLE reports:</p>
|
|
<blockquote cite="http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html">
|
|
<p>Multiple SQL injection vulnerabilities in the replication code</p>
|
|
<p>Stack-based buffer overflow</p>
|
|
<p>Heap-based buffer overflow</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-4414</cvename>
|
|
<cvename>CVE-2012-5611</cvename>
|
|
<cvename>CVE-2012-5612</cvename>
|
|
<cvename>CVE-2012-5615</cvename>
|
|
<cvename>CVE-2012-5627</cvename>
|
|
<url>https://mariadb.atlassian.net/browse/MDEV-4029</url>
|
|
<url>https://mariadb.atlassian.net/browse/MDEV-MDEV-729</url>
|
|
<url>https://mariadb.atlassian.net/browse/MDEV-MDEV-729</url>
|
|
<url>http://www.mysqlperformanceblog.com/2013/01/23/announcing-percona-server-5-5-29-29-4/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-12-01</discovery>
|
|
<entry>2013-02-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ea0f45e2-6c4b-11e2-98d9-003067c2616f">
|
|
<topic>opera -- execution of arbitrary code</topic>
|
|
<affects>
|
|
<package>
|
|
<name>opera</name>
|
|
<name>opera-devel</name>
|
|
<name>linux-opera</name>
|
|
<name>linux-opera-devel</name>
|
|
<range><lt>12.13</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Opera reports:</p>
|
|
<blockquote cite="http://www.opera.com/support/kb/view/1042/">
|
|
<p>Particular DOM event manipulations can cause Opera to crash. In
|
|
some cases, this crash might occur in a way that allows execution
|
|
of arbitrary code. To inject code, additional techniques would
|
|
have to be employed.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.opera.com/support/kb/view/1042/</url>
|
|
<url>http://www.opera.com/support/kb/view/1043/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-30</discovery>
|
|
<entry>2013-02-01</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="2ea6ce3d-6afd-11e2-9d4e-bcaec524bf84">
|
|
<topic>upnp -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>upnp</name>
|
|
<range><lt>1.6.18</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Project changelog reports:</p>
|
|
<blockquote cite="http://pupnp.sourceforge.net/ChangeLog">
|
|
<p>This patch addresses three possible buffer overflows in
|
|
function unique_service_name().The three issues have the
|
|
folowing CVE numbers:</p>
|
|
<ul>
|
|
<li>CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf</li>
|
|
<li>CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN</li>
|
|
<li>CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN</li>
|
|
</ul>
|
|
<p>Notice that the following issues have already been dealt by
|
|
previous work:</p>
|
|
<ul>
|
|
<li>CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN</li>
|
|
<li>CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType</li>
|
|
<li>CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN</li>
|
|
<li>CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType</li>
|
|
<li>CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-5958</cvename>
|
|
<cvename>CVE-2012-5959</cvename>
|
|
<cvename>CVE-2012-5960</cvename>
|
|
<cvename>CVE-2012-5961</cvename>
|
|
<cvename>CVE-2012-5962</cvename>
|
|
<cvename>CVE-2012-5963</cvename>
|
|
<cvename>CVE-2012-5964</cvename>
|
|
<cvename>CVE-2012-5965</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-11-21</discovery>
|
|
<entry>2013-01-30</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="559e00b7-6a4d-11e2-b6b0-10bf48230856">
|
|
<topic>wordpress -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>wordpress</name>
|
|
<range><lt>3.5.1,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>zh-wordpress-zh_CN</name>
|
|
<range><lt>3.5.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>zh-wordpress-zh_TW</name>
|
|
<range><lt>3.5.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>de-wordpress</name>
|
|
<range><lt>3.5.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ja-wordpress</name>
|
|
<range><lt>3.5.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ru-wordpress</name>
|
|
<range><lt>3.5.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Wordpress reports:</p>
|
|
<blockquote cite="http://wordpress.org/news/2013/01/wordpress-3-5-1/">
|
|
<p>WordPress 3.5.1 also addresses the following security issues:</p>
|
|
<ul>
|
|
<li>A server-side request forgery vulnerability and remote port
|
|
scanning using pingbacks. This vulnerability, which could
|
|
potentially be used to expose information and compromise a
|
|
site, affects all previous WordPress versions. This was fixed
|
|
by the WordPress security team. We'd like to thank security
|
|
researchers <a href="http://codeseekah.com/">Gennady
|
|
Kovshenin</a> and <a href="http://www.ethicalhack3r.co.uk/">Ryan
|
|
Dewhurst</a> for reviewing our work.</li>
|
|
<li>Two instances of cross-site scripting via shortcodes and post
|
|
content. These issues were discovered by Jon Cave of the WordPress
|
|
security team.</li>
|
|
<li>A cross-site scripting vulnerability in the external library
|
|
Plupload. Thanks to the Moxiecode team for working with us on
|
|
this, and for releasing Plupload 1.5.5 to address this issue.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0235</cvename>
|
|
<cvename>CVE-2013-0236</cvename>
|
|
<cvename>CVE-2013-0237</cvename>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-24</discovery>
|
|
<entry>2013-01-29</entry>
|
|
<modified>2014-04-30</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3886cafe-668c-11e2-94b8-1c4bd681f0cf">
|
|
<topic>django-cms -- XSS Vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>py-django-cms</name>
|
|
<range><lt>2.3.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Cross-site scripting (XSS) vulnerability</p>
|
|
<blockquote cite="https://www.django-cms.org/en/blog/2012/12/04/2-3-5-security-release/">
|
|
<p>Jonas Obrist reports: The security issue allows users with limited
|
|
admin access to elevate their privileges through XSS injection
|
|
using the page_attribute template tag. Only users with admin access
|
|
and the permission to edit at least one django CMS page object
|
|
could exploit this vulnerability. Websites that do not use the
|
|
page_attribute template tag are not affected.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://www.django-cms.org/en/blog/2012/12/04/2-3-5-security-release/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-12-04</discovery>
|
|
<entry>2013-01-25</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1827f213-633e-11e2-8d93-c8600054b392">
|
|
<topic>drupal -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>drupal6</name>
|
|
<range><lt>6.28</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>drupal7</name>
|
|
<range><lt>7.19</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Drupal Security Team reports:</p>
|
|
<blockquote cite="https://drupal.org/SA-CORE-2013-001">
|
|
<p>Cross-site scripting (Various core and contributed modules)</p>
|
|
<p>Access bypass (Book module printer friendly version)</p>
|
|
<p>Access bypass (Image module)</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://drupal.org/SA-CORE-2013-001</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-16</discovery>
|
|
<entry>2013-01-20</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1b9b199f-5efd-11e2-a1ee-c48508086173">
|
|
<topic>ettercap -- buffer overflow in target list parsing</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ettercap</name>
|
|
<range><lt>0.7.4.1</lt></range>
|
|
<range><ge>0.7.5</ge><lt>0.7.5.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Host target list parsing routine in ettercap
|
|
0.7.4-series prior to 0.7.4.1 and 0.7.5-series
|
|
is prone to the stack-based buffer overflow that
|
|
may lead to the code execution with the privileges
|
|
of the ettercap process.</p>
|
|
<p>In order to trigger this vulnerability, user or service
|
|
that use ettercap should be tricked to pass the crafted list
|
|
of targets via the "-j" option.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0722</cvename>
|
|
<url>http://www.exploit-db.com/exploits/23945/</url>
|
|
<url>https://secunia.com/advisories/51731/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-07</discovery>
|
|
<entry>2013-01-16</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="d5e0317e-5e45-11e2-a113-c48508086173">
|
|
<topic>java 7.x -- security manager bypass</topic>
|
|
<affects>
|
|
<package>
|
|
<name>openjdk7</name>
|
|
<range><gt>0</gt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-sun-jdk</name>
|
|
<range><ge>7.0</ge><lt>7.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-sun-jre</name>
|
|
<range><ge>7.0</ge><lt>7.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>US CERT reports:</p>
|
|
<blockquote cite="http://www.kb.cert.org/vuls/id/625617">
|
|
<p>Java 7 Update 10 and earlier versions of Java 7 contain a
|
|
vulnerability that can allow a remote, unauthenticated
|
|
attacker to execute arbitrary code on a vulnerable
|
|
system.</p>
|
|
<p>The Java JRE plug-in provides its own Security Manager.
|
|
Typically, a web applet runs with a security manager
|
|
provided by the browser or Java Web Start plugin. Oracle's
|
|
document states, "If there is a security manager already
|
|
installed, this method first calls the security manager's
|
|
checkPermission method with a
|
|
RuntimePermission("setSecurityManager") permission to ensure
|
|
it's safe to replace the existing security manager. This may
|
|
result in throwing a SecurityException".</p>
|
|
<p>By leveraging the vulnerability in the Java Management
|
|
Extensions (JMX) MBean components, unprivileged Java code
|
|
can access restricted classes. By using that vulnerability
|
|
in conjunction with a second vulnerability involving the
|
|
Reflection API and the invokeWithArguments method of the
|
|
MethodHandle class, an untrusted Java applet can escalate
|
|
its privileges by calling the the setSecurityManager()
|
|
function to allow full privileges, without requiring code
|
|
signing. Oracle Java 7 update 10 and earlier Java 7 versions
|
|
are affected. The invokeWithArguments method was introduced
|
|
with Java 7, so therefore Java 6 is not affected.</p>
|
|
<p>This vulnerability is being attacked in the wild, and is
|
|
reported to be incorporated into exploit kits. Exploit code
|
|
for this vulnerability is also publicly available.</p>
|
|
</blockquote>
|
|
<p>Esteban Guillardoy from Immunity Inc. additionally clarifies
|
|
on the recursive reflection exploitation technique:</p>
|
|
<blockquote cite="https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf">
|
|
<p>The real issue is in the native
|
|
sun.reflect.Reflection.getCallerClass method.</p>
|
|
<p>We can see the following information in the Reflection
|
|
source code:</p>
|
|
<p>Returns the class of the method realFramesToSkip frames
|
|
up the stack (zero-based), ignoring frames associated with
|
|
java.lang.reflect.Method.invoke() and its
|
|
implementation.</p>
|
|
<p>So what is happening here is that they forgot to skip the
|
|
frames related to the new Reflection API and only the old
|
|
reflection API is taken into account.</p>
|
|
</blockquote>
|
|
<p>This exploit does not only affect Java applets, but every
|
|
piece of software that relies on the Java Security Manager for
|
|
sandboxing executable code is affected: malicious code can
|
|
totally disable Security Manager.</p>
|
|
<p>For users who are running native Web browsers with enabled
|
|
Java plugin, the workaround is to remove the java/icedtea-web
|
|
port and restart all browser instances.</p>
|
|
<p>For users who are running Linux Web browser flavors, the
|
|
workaround is either to disable the Java plugin in browser
|
|
or to upgrade linux-sun-* packages to the non-vulnerable
|
|
version.</p>
|
|
<p>It is not recommended to run untrusted applets using
|
|
appletviewer, since this may lead to the execution of the
|
|
malicious code on vulnerable versions on JDK/JRE.</p>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0433</cvename>
|
|
<certvu>625617</certvu>
|
|
<url>http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html</url>
|
|
<url>https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-10</discovery>
|
|
<entry>2013-01-14</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="97c22a94-5b8b-11e2-b131-000c299b62e1">
|
|
<topic>nagios -- buffer overflow in history.cgi</topic>
|
|
<affects>
|
|
<package>
|
|
<name>nagios</name>
|
|
<range><lt>3.4.3_1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>full disclosure reports:</p>
|
|
<blockquote cite="http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html">
|
|
<p>history.cgi is vulnerable to a buffer overflow due to the use of
|
|
sprintf with user supplied data that has not been restricted in size.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-6096</cvename>
|
|
<url>http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html</url>
|
|
<url>http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-12-21</discovery>
|
|
<entry>2013-01-10</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a4ed6632-5aa9-11e2-8fcb-c8600054b392">
|
|
<topic>mozilla -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>firefox</name>
|
|
<range><gt>11.0,1</gt><lt>17.0.2,1</lt></range>
|
|
<range><lt>10.0.12,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-firefox</name>
|
|
<range><lt>17.0.2,1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-seamonkey</name>
|
|
<range><lt>2.15</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>linux-thunderbird</name>
|
|
<range><lt>17.0.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>seamonkey</name>
|
|
<range><lt>2.15</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>thunderbird</name>
|
|
<range><gt>11.0</gt><lt>17.0.2</lt></range>
|
|
<range><lt>10.0.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>libxul</name>
|
|
<range><gt>1.9.2.*</gt><lt>10.0.12</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>ca_root_nss</name>
|
|
<range><lt>3.14.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Mozilla Project reports:</p>
|
|
<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
|
|
<p>MFSA 2013-01 Miscellaneous memory safety hazards (rv:18.0/
|
|
rv:10.0.12 / rv:17.0.2)</p>
|
|
<p>MFSA 2013-02 Use-after-free and buffer overflow issues found using
|
|
Address Sanitizer</p>
|
|
<p>MFSA 2013-03 Buffer Overflow in Canvas</p>
|
|
<p>MFSA 2013-04 URL spoofing in addressbar during page loads</p>
|
|
<p>MFSA 2013-05 Use-after-free when displaying table with many
|
|
columns and column groups</p>
|
|
<p>MFSA 2013-06 Touch events are shared across iframes</p>
|
|
<p>MFSA 2013-07 Crash due to handling of SSL on threads</p>
|
|
<p>MFSA 2013-08 AutoWrapperChanger fails to keep objects alive during
|
|
garbage collection</p>
|
|
<p>MFSA 2013-09 Compartment mismatch with quickstubs returned values</p>
|
|
<p>MFSA 2013-10 Event manipulation in plugin handler to bypass
|
|
same-origin policy</p>
|
|
<p>MFSA 2013-11 Address space layout leaked in XBL objects</p>
|
|
<p>MFSA 2013-12 Buffer overflow in Javascript string concatenation</p>
|
|
<p>MFSA 2013-13 Memory corruption in XBL with XML bindings containing
|
|
SVG</p>
|
|
<p>MFSA 2013-14 Chrome Object Wrapper (COW) bypass through changing
|
|
prototype</p>
|
|
<p>MFSA 2013-15 Privilege escalation through plugin objects</p>
|
|
<p>MFSA 2013-16 Use-after-free in serializeToStream</p>
|
|
<p>MFSA 2013-17 Use-after-free in ListenerManager</p>
|
|
<p>MFSA 2013-18 Use-after-free in Vibrate</p>
|
|
<p>MFSA 2013-19 Use-after-free in Javascript Proxy objects</p>
|
|
<p>MFSA 2013-20 Mis-issued TURKTRUST certificates</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-5829</cvename>
|
|
<cvename>CVE-2013-0743</cvename>
|
|
<cvename>CVE-2013-0744</cvename>
|
|
<cvename>CVE-2013-0745</cvename>
|
|
<cvename>CVE-2013-0746</cvename>
|
|
<cvename>CVE-2013-0747</cvename>
|
|
<cvename>CVE-2013-0748</cvename>
|
|
<cvename>CVE-2013-0749</cvename>
|
|
<cvename>CVE-2013-0750</cvename>
|
|
<cvename>CVE-2013-0751</cvename>
|
|
<cvename>CVE-2013-0752</cvename>
|
|
<cvename>CVE-2013-0753</cvename>
|
|
<cvename>CVE-2013-0754</cvename>
|
|
<cvename>CVE-2013-0755</cvename>
|
|
<cvename>CVE-2013-0756</cvename>
|
|
<cvename>CVE-2013-0757</cvename>
|
|
<cvename>CVE-2013-0758</cvename>
|
|
<cvename>CVE-2013-0759</cvename>
|
|
<cvename>CVE-2013-0760</cvename>
|
|
<cvename>CVE-2013-0761</cvename>
|
|
<cvename>CVE-2013-0762</cvename>
|
|
<cvename>CVE-2013-0763</cvename>
|
|
<cvename>CVE-2013-0764</cvename>
|
|
<cvename>CVE-2013-0766</cvename>
|
|
<cvename>CVE-2013-0767</cvename>
|
|
<cvename>CVE-2013-0768</cvename>
|
|
<cvename>CVE-2013-0769</cvename>
|
|
<cvename>CVE-2013-0770</cvename>
|
|
<cvename>CVE-2013-0771</cvename>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-01.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-02.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-03.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-04.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-05.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-06.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-07.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-08.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-09.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-10.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-11.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-12.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-13.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-14.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-15.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-16.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-17.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-18.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-19.html</url>
|
|
<url>http://www.mozilla.org/security/announce/2013/mfsa2013-20.html</url>
|
|
<url>http://www.mozilla.org/security/known-vulnerabilities/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-08</discovery>
|
|
<entry>2013-01-09</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="ca5d3272-59e3-11e2-853b-00262d5ed8ee">
|
|
<topic>rubygem-rails -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rubygem-rails</name>
|
|
<range><lt>3.2.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-actionpack</name>
|
|
<range><lt>3.2.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-activerecord</name>
|
|
<range><lt>3.2.11</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>rubygem-activesupport</name>
|
|
<range><lt>3.2.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby on Rails team reports:</p>
|
|
<blockquote cite="http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/">
|
|
<p>Two high-risk vulnerabilities have been discovered:</p>
|
|
<p>(CVE-2013-0155) There is a vulnerability when Active Record is
|
|
used in conjunction with JSON parameter parsing.</p>
|
|
<p>Due to the way Active Record interprets parameters in combination
|
|
with the way that JSON parameters are parsed, it is possible for an
|
|
attacker to issue unexpected database queries with "IS NULL" or
|
|
empty "WHERE" clauses. This issue does not let an attacker insert
|
|
arbitrary values into an SQL query, however they can cause the
|
|
query to check for NULL or eliminate a WHERE clause when most users
|
|
would not expect it.</p>
|
|
<p>(CVE-2013-0156) There are multiple weaknesses in the parameter
|
|
parsing code for Ruby on Rails which allows attackers to bypass
|
|
authentication systems, inject arbitrary SQL, inject and execute
|
|
arbitrary code, or perform a DoS attack on a Rails application.</p>
|
|
<p>The parameter parsing code of Ruby on Rails allows applications to
|
|
automatically cast values from strings to certain data types.
|
|
Unfortunately the type casting code supported certain conversions
|
|
which were not suitable for performing on user-provided data
|
|
including creating Symbols and parsing YAML. These unsuitable
|
|
conversions can be used by an attacker to compromise a Rails
|
|
application.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2013-0155</cvename>
|
|
<cvename>CVE-2013-0156</cvename>
|
|
<url>http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/</url>
|
|
<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/t1WFuuQyavI</url>
|
|
<url>https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/61bkgvnSGTQ</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-08</discovery>
|
|
<entry>2013-01-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="b4051b52-58fa-11e2-853b-00262d5ed8ee">
|
|
<topic>rubygem-rails -- SQL injection vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>rubygem-rails</name>
|
|
<range><lt>3.2.10</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Ruby on Rails team reports:</p>
|
|
<blockquote cite="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM">
|
|
<p>There is a SQL injection vulnerability in Active Record in ALL
|
|
versions. Due to the way dynamic finders in Active Record extract
|
|
options from method parameters, a method parameter can mistakenly
|
|
be used as a scope. Carefully crafted requests can use the scope
|
|
to inject arbitrary SQL.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-5664</cvename>
|
|
<url>https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-02</discovery>
|
|
<entry>2013-01-07</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="3a65d33b-5950-11e2-b66b-00e0814cab4e">
|
|
<topic>jenkins -- HTTP access to the server to retrieve the master cryptographic key</topic>
|
|
<affects>
|
|
<package>
|
|
<name>jenkins</name>
|
|
<range><lt>1.498</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Jenkins Security Advisory reports:</p>
|
|
<blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04">
|
|
<p>This advisory announces a security vulnerability that was found
|
|
in Jenkins core.</p>
|
|
<p>An attacker can then use this master cryptographic key to mount
|
|
remote code execution attack against the Jenkins master, or
|
|
impersonate arbitrary users in making REST API calls.</p>
|
|
<p>There are several factors that mitigate some of these problems
|
|
that may apply to specific installations.</p>
|
|
<ul>
|
|
<li>The particular attack vector is only applicable on Jenkins
|
|
instances that have slaves attached to them, and allow
|
|
anonymous read access.</li>
|
|
<li>Jenkins allows users to re-generate the API tokens. Those
|
|
re-generated API tokens cannot be impersonated by the
|
|
attacker.</li>
|
|
</ul>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-04</discovery>
|
|
<entry>2013-01-08</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1b769b72-582b-11e2-b66b-00e0814cab4e">
|
|
<topic>django -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>django</name>
|
|
<range><lt>1.4.3</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>django13</name>
|
|
<range><lt>1.3.5</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The Django Project reports:</p>
|
|
<blockquote cite="https://www.djangoproject.com/weblog/2012/dec/10/security/">
|
|
<ol>
|
|
<li>
|
|
<p>Host header poisoning</p>
|
|
<p>Several earlier Django security releases focused on the issue of
|
|
poisoning the HTTP Host header, causing Django to generate URLs
|
|
pointing to arbitrary, potentially-malicious domains.</p>
|
|
<p>In response to further input received and reports of continuing
|
|
issues following the previous release, we're taking additional
|
|
steps to tighten Host header validation. Rather than attempt to
|
|
accommodate all features HTTP supports here, Django's Host header
|
|
validation attempts to support a smaller, but far more common, subset:</p>
|
|
<ul>
|
|
<li>Hostnames must consist of characters [A-Za-z0-9] plus hyphen
|
|
('-') or dot ('.').</li>
|
|
<li>IP addresses -- both IPv4 and IPv6 -- are permitted.</li>
|
|
<li>Port, if specified, is numeric.</li>
|
|
</ul>
|
|
<p>Any deviation from this will now be rejected, raising the exception
|
|
django.core.exceptions.SuspiciousOperation.</p>
|
|
</li>
|
|
<li>
|
|
<p>Redirect poisoning</p>
|
|
<p>Also following up on a previous issue: in July of this year, we made
|
|
changes to Django's HTTP redirect classes, performing additional
|
|
validation of the scheme of the URL to redirect to (since, both
|
|
within Django's own supplied applications and many third-party
|
|
applications, accepting a user-supplied redirect target is a common
|
|
pattern).</p>
|
|
<p>Since then, two independent audits of the code turned up further
|
|
potential problems. So, similar to the Host-header issue, we are
|
|
taking steps to provide tighter validation in response to reported
|
|
problems (primarily with third-party applications, but to a certain
|
|
extent also within Django itself). This comes in two parts:</p>
|
|
<ol>
|
|
<li>A new utility function, django.utils.http.is_safe_url, is
|
|
added; this function takes a URL and a hostname, and checks
|
|
that the URL is either relative, or if absolute matches the
|
|
supplied hostname. This function is intended for use whenever
|
|
user-supplied redirect targets are accepted, to ensure that
|
|
such redirects cannot lead to arbitrary third-party sites.</li>
|
|
<li>All of Django's own built-in views -- primarily in the
|
|
authentication system -- which allow user-supplied redirect
|
|
targets now use is_safe_url to validate the supplied URL.</li>
|
|
</ol>
|
|
</li>
|
|
</ol>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>https://www.djangoproject.com/weblog/2012/dec/10/security/</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-12-10</discovery>
|
|
<entry>2013-01-06</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="1ae613c3-5728-11e2-9483-14dae938ec40">
|
|
<topic>freetype -- Multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>freetype2</name>
|
|
<range><lt>2.4.11</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>The FreeType Project reports:</p>
|
|
<blockquote cite="http://sourceforge.net/projects/freetype/files/freetype2/2.4.11/README/view">
|
|
<p>Some vulnerabilities in the BDF implementation have been fixed.
|
|
Users of this font format should upgrade.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://sourceforge.net/projects/freetype/files/freetype2/2.4.11/README/view</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-12-20</discovery>
|
|
<entry>2013-01-05</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="a264b1b0-5726-11e2-9483-14dae938ec40">
|
|
<topic>moinmoin -- Multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>moinmoin</name>
|
|
<range><lt>1.9.6</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>MoinMoin developers report the following vulnerabilities
|
|
as fixed in version 1.9.6:</p>
|
|
<blockquote cite="http://hg.moinmo.in/moin/1.9/raw-file/1.9.6/docs/CHANGES">
|
|
<ul>
|
|
<li>remote code execution vulnerability in
|
|
twikidraw/anywikidraw action,</li>
|
|
<li>path traversal vulnerability in AttachFile action,</li>
|
|
<li>XSS issue, escape page name in rss link.</li>
|
|
</ul>
|
|
</blockquote>
|
|
<p>CVE entries at MITRE furher clarify:</p>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6081">
|
|
<p>Multiple unrestricted file upload vulnerabilities in the
|
|
(1) twikidraw (action/twikidraw.py) and (2) anywikidraw
|
|
(action/anywikidraw.py) actions in MoinMoin before 1.9.6
|
|
allow remote authenticated users with write permissions to
|
|
execute arbitrary code by uploading a file with an
|
|
executable extension, then accessing it via a direct request
|
|
to the file in an unspecified directory, as exploited in the
|
|
wild in July 2012.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6080">
|
|
<p>Directory traversal vulnerability in the
|
|
_do_attachment_move function in the AttachFile action
|
|
(action/AttachFile.py) in MoinMoin 1.9.3 through 1.9.5
|
|
allows remote attackers to overwrite arbitrary files via a
|
|
.. (dot dot) in a file name.</p>
|
|
</blockquote>
|
|
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-6082">
|
|
<p>Cross-site scripting (XSS) vulnerability in the rsslink
|
|
function in theme/__init__.py in MoinMoin 1.9.5 allows
|
|
remote attackers to inject arbitrary web script or HTML
|
|
via the page name in a rss link.</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-6081</cvename>
|
|
<cvename>CVE-2012-6080</cvename>
|
|
<cvename>CVE-2012-6082</cvename>
|
|
<url>http://hg.moinmo.in/moin/1.9/raw-file/1.9.6/docs/CHANGES</url>
|
|
<url>http://www.debian.org/security/2012/dsa-2593</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-12-29</discovery>
|
|
<entry>2013-01-05</entry>
|
|
<modified>2013-01-06</modified>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="f7c87a8a-55d5-11e2-a255-c8600054b392">
|
|
<topic>asterisk -- multiple vulnerabilities</topic>
|
|
<affects>
|
|
<package>
|
|
<name>asterisk11</name>
|
|
<range><gt>11.*</gt><lt>11.1.2</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>asterisk10</name>
|
|
<range><gt>10.*</gt><lt>10.11.1</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>asterisk18</name>
|
|
<range><gt>1.8.*</gt><lt>1.8.19.1</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>Asterisk project reports:</p>
|
|
<blockquote cite="https://www.asterisk.org/security">
|
|
<p>Crashes due to large stack allocations when using TCP</p>
|
|
<p>Denial of Service Through Exploitation of Device State Caching</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<cvename>CVE-2012-5976</cvename>
|
|
<cvename>CVE-2012-5977</cvename>
|
|
<url>http://downloads.digium.com/pub/security/AST-2012-014.html</url>
|
|
<url>http://downloads.digium.com/pub/security/AST-2012-015.html</url>
|
|
<url>https://www.asterisk.org/security</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2013-01-02</discovery>
|
|
<entry>2013-01-03</entry>
|
|
</dates>
|
|
</vuln>
|
|
|
|
<vuln vid="4108cc57-54d7-11e2-9483-14dae938ec40">
|
|
<topic>ircd-ratbox and charybdis -- remote DoS vulnerability</topic>
|
|
<affects>
|
|
<package>
|
|
<name>ircd-ratbox</name>
|
|
<range><gt>2.*</gt><lt>3.0.8</lt></range>
|
|
</package>
|
|
<package>
|
|
<name>charybdis</name>
|
|
<range><lt>3.4.2</lt></range>
|
|
</package>
|
|
</affects>
|
|
<description>
|
|
<body xmlns="http://www.w3.org/1999/xhtml">
|
|
<p>atheme.org reports:</p>
|
|
<blockquote cite="http://www.ratbox.org/ASA-2012-12-31.txt">
|
|
<p>All versions of Charybdis are vulnerable to a remotely-triggered
|
|
crash bug caused by code originating from ircd-ratbox 2.0.
|
|
(Incidentally, this means all versions since ircd-ratbox 2.0 are
|
|
also vulnerable.)</p>
|
|
</blockquote>
|
|
</body>
|
|
</description>
|
|
<references>
|
|
<url>http://www.ratbox.org/ASA-2012-12-31.txt</url>
|
|
</references>
|
|
<dates>
|
|
<discovery>2012-12-31</discovery>
|
|
<entry>2013-01-02</entry>
|
|
</dates>
|
|
</vuln>
|